+ Can you get deleted data back on a Mac?

YES, provided it has not been overwritten. Once deleted, the names and dates associated with that file on the computer get lost, but the data is still recoverable. When a file gets deleted (put in the “Trash” and emptied), the file’s information gets disassociated from the file and the file’s space on the hard drive gets marked as available. Unless another file gets written to the same space, the file is recoverable. Its name and timestamps are lost however. (What is not lost are the dates embedded in the file, such as a Word document or a photograph with EXIF data).


+ Can you get deleted data back on a PC (Windows based computer)?

YES, with its dates (created, accessed, modified) intact if it has not been overwritten. When a file gets deleted, the hard drive space that the file occupied gets marked as available in the Master File Table (MFT). Unless another file gets written to that space, that file is fully recoverable provided the MFT entry has not been overwritten. Then the date and time is recoverable as well. Even if the file gets partially overwritten, parts of the file may still be recoverable.


+ Can you get deleted text back from a cell phone?

You can on an iPhone and Android devices, provided it has not been overwritten. On a Blackberry, the answer is no. Text messages are stored in a database on iPhones and Android phones, and unless the records have been overwritten, the data is recoverable. Depending on how much the database is used, how old the phone is, what operating system it uses, if the operating system has been updated, how long ago was the text deleted, etc, all or some of the message may still be available. At times the date will get lost. On iPhones there is another database (“recent”) that may show if a message was sent on a certain date between certain users. If the deleted text message is not found, there may be other sources that this information can be obtained from. This would include backups to a computer or to the Cloud.


+ Can you tell if files were copied to a USB drive from a Mac?

Yes, more often than not. This is an important and always prevalent question when it comes to wanting to know if an employee has taken confidential information or intellectual property files by copying it to a USB drive. On a Mac the kernel.log, system.log, sidebar.plist, and spotlight files will be of help when determining if a certain USB was inserted and files viewed/copied. The USB device serial number can often be recovered as well.


+ Can you tell if files were copied to a USB drive from a PC?

Yes, more often than not. On a PC there are a number of artifacts that can help paint a picture whether files were copied to an external USB device. The analysis of LNK (link) files, Shellbags, and the Registry combined will help in determining whether files have been copied off of the computer.


+ Can you help to make sure that the data is securely deleted from our devices and network to satisfy the opposing side and/or Court Order?

Yes. We have assisted in many legal cases where it was necessary to delete the intellectual property improperly obtained. We then certified to the opposing side these files were forensically eliminated.


+ Can you tell what sites the user visited even if it is not in recent history and can you tell what search terms the user might have typed in?

Yes, if the data hasn’t been overwritten. We have tools and expertise to recover and interpret Internet history related artifacts, including website visits, search engine search terms, chats, and webmail and more.


+ Can you tell where/when a file came from on a Mac?

Yes, depending on the artifact. Macs track files that were downloaded from the Internet, emails and some other sources. It records when and where the file was downloaded from.


+ Can you tell where/when a file came from on a PC?

It is far more difficult on a PC than a Mac, however, you can make certain assumptions to answer the question. If the file is located in the temporary internet files, it is a safe assumption to assume that it came from the internet. If it is located in the Appdata folder associated with a particular program, you can make the assumption that it came as a result of that application. Pictures can be examined for their metadata to give an understanding of what device, date and time they were taken. This is also true for videos.


+ Can you show what the computer looked like for the user?

Yes. Sometimes it’s helpful to show what a computer looked like or what certain settings were, especially in criminal cases. We have virtualized both PC’s and Macs to simulate the user experience, while preserving the evidence.