Digital Forensics

CORE COMPETENCIES

Natsar has experience conducting forensic acquisitions and analysis on nearly every digital platform and operating system, whether it is in the cloud or on a device. Our expert analysis of data has been used by prosecutors, defense attorneys, civil attorneys, organizations, and individuals to uncover facts and support investigations ranging from murder cases to employee misconduct.

Many “forensic” companies simply rely on their software tools and provide a data dump to the client. Some of our competitors are skilled in IT or took a college class in digital forensics, but have never presented their findings in a courtroom and do not possess the level of training, experience, and certifications that Natsar does. While we use software to help us with our analysis, we independently validate the software’s findings instead of blindly relying on it. We also test and validate everything we use and ensure our theories and opinions are backed up by our findings.

Find more information below on our capabilities, experience, case studies, and use cases for digital forensics. Natsar is licensed by the New York Department of State, is bonded, and staff involved in forensic analysis are licensed as private investigators.

Traditional Device Forensics

MICROSOFT OPERATING SYSTEM

We have forensically analyzed hundreds of systems running the Microsoft Operating System (OS) from Win98 to Win11 and on nearly every form factor. Additionally, we have experience analyzing servers utilizing Microsoft Server OS.

MAC OPERATING SYSTEM

Natsar specializes in Mac forensics and has examined Mac systems in cases ranging from homicide to network intrusion by a foreign adversary. Macs require specialized knowledge, skill, ability, and software to expertly analyze them.

LINUX OPERATING SYSTEM

Red Hat, Ubuntu, CentOS, Debian, Fedora – you name the flavor of Linux and we have probably examined it. Most frequently, we examine Linux servers that have been compromised or have been the target of insider threat activity. We have also examined Linux virtual machines and desktops used by people trying to be covert while committing cybercrime.

MOBILE DEVICES

Cell phones and tablets contain a wealth of data and are frequently submitted for forensic analysis. Information such as text messages, call logs, images and videos, web history, device location history, and saved documents can be critical to an investigation. We analyze all types of devices including iOS, Android, and many other smart and feature phones.

REMOVABLE MEDIA

Removable media is submitted in nearly every case and can include thumb drives, zip drives, pen drives, CDs, DVDs, Blu-Ray, external hard drives, MicroSD, SD, compact flash, and other flash media cards, digital cameras, video cameras, and other media storage devices.

NON-STANDARD DEVICE FORENSICS

The prevalence of Internet-connected everything and the ability of most electronic devices to store data give more potential sources of evidence during investigations. Below are some examples of non-standard items Natsar has experience examining.

Internet of Things
Most data resides in apps; however, IoT devices may also contain data. Examples include medical devices, sensors, alarm systems, cameras, thermostats, Amazon Echo, Google Home, and other smart home systems
Digital Cameras
Examination of internal storage and removable memory of cameras and camcorders for images, video, and audio
MP3 Players and eReaders
Analysis of devices such as iPods, Kindles, and Nook for evidence such as subscriptions, images, documents, owner information, and more
Gaming Consoles
Connection information and history, pictures, video, communications with other players, event logs
Network Devices
Onsite or remote acquisition of logs, or review of exported logs from routers, switches, firewalls, taps, and other network devices
Smart Watches / Fitness Trackers
Geolocation, images, videos, SMS, music, purchase history, and more
GPS Forensics
Potential evidence may include, but is not limited to, waypoints, track logs, routes, favorite locations, and planned trips
Drone Forensics
Depending on model, Natsar may be able to ascertain flight paths, serial number, launch and landing locations, video, photos, and more

DATA ACQUISITION & FORENSICS

Frequently our clients need data analyzed that has been obtained elsewhere (such as eDiscovery), without the need for an actual device to be examined. Other requests from clients include the acquisition of data that resides within a third party or must be forensically acquired over the Internet. Some examples of data analysis requests are below.

Virtualized Systems
Forensic acquisition and analysis of virtual machines from cloud service providers such as Oracle, Azure, AWS, or an organization.
Cloud Data
Forensically acquiring structured and unstructured data in the cloud, from providers such as Dropbox, Box, iCloud, Azure, AWS, Google Cloud and more.
Email
Indexing obtained email for keyword searching, extracting attachments, converting files to HTML, PDF, or other usable format, reviewing email for evidence.
Call Detail Records
Obtaining and analyzing CDRs for geographic location information, incoming/outgoing calls, text messages, data usage, etc.

There are several options to get your evidence to Natsar for analysis. You may choose to securely mail evidence to us through a commercial courier (USPS, UPS, FedEx, etc.), such as hard drives, USB devices, and other items; evidence may be uploaded to our secure cloud environment; or we can download the evidence if it is available online.

In some cases, onsite acquisition of digital evidence may be necessary. With permission from the client, we may use a trusted partner from our network of forensic analysts to acquire the evidence for us. If it is not possible or advisable to use an analyst from our network, Natsar staff can travel to the location to acquire evidence.

OUR TRAINING & EXPERIENCE

Natsar’s highly trained and experienced staff has been involved in an array of investigations and cases. Here is a representative sample of the types of cases on our resume.

  • Homicide
  • Suicide
  • Child Abuse
  • Child Sexual Exploitation and Child Pornography*
  • Sexual Harassment & Abuse
  • Narcotics
  • Major Traffic Crashes
  • Fraud / Forgery
  • Theft of Intellectual Property
  • Employee Misconduct
  • Intrusions / Hacking
  • Identity Theft
  • Arson
  • Computer Crime
  • Kidnapping / Missing Persons
  • Stalking
  • Terrorism and Threats of Violence
  • Domestic Violence
  • Coercion
  • Civil Disputes
* Natsar does not investigate or accept any cases involving child sexual exploitation or child pornography. Natsar will consult with attorneys on child exploitation cases to answer questions about technology, legal implications, or processes; however, no forensic analysis will be conducted.

We have been recognized as an expert in and out of the courtroom. Frequently used by authors as a technical expert and requested to speak across the country to government and private organizations, Natsar has the expertise necessary for the most complex cases.

You can learn more about Natsar on the About Us page and below is a summary of our training, education, and experience.

TRAINING AND EDUCATION
  • Master’s Degree in Information Security and Assurance
  • Certified Advanced Windows Forensic Examiner (CAWFE)
  • Certified Electronic Evidence Collection Specialist (CEECS)
  • Certified Ethical Hacker (CEH)
  • Certified Forensic Computer Examiner (CFCE)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Hacking Forensic Investigator (CHFI)
  • Certified Network Defense Architect (CNDA)
  • Digital Forensic Certified Practitioner (DFCP)
  • GIAC Security Essentials Certification (GSEC)
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Certified Forensic Analyst (GCFA)
ORGANIZATIONS TRAINED WITH
  • AccessData
  • Center for Internet Security (CIS)
  • Department of Energy (DOE)
  • FBI
  • Gartner
  • International Association of Computer Investigative Specialists (IACIS)
  • Internet Crimes Against Children (ICAC)
  • ISC2
  • National White Collar Crime Center (NW3C)
  • SANS
  • Splunk

WHAT TO EXPECT

Natsar will help every step of the way and keep you aware of the status of the case. As part of the process, you will be given access to our online portal (accessed through Natsar.com) to ask questions of the analyst, upload files, and download the final report and any artifacts.

As soon as Natsar obtains the evidence being submitted in the case, we will make a forensically sound copy of the original evidence and our work is done on the forensic copy. We ensure no changes are made to the evidence whenever possible and any changes that must be made are thoroughly documented. The forensic copy is then analyzed by our experts based on what information was provided by the client. If requested, a thorough report is generated by Natsar and provided to the client, documenting our steps and findings.

Evidence Received and Assessed
Evidence Acquisition
Evidence Analysis
Documentation and Reporting

Ready to get started or have more questions? Please contact us or submit an online inquiry. Natsar is transparent with our fees and they are provided further down on this page.

OUR TESTIMONIALS

Parole and Probation Department
Parole/Probation Officer

I called Mr. Moulin for assistance after my client was expelled from a local community college for behaving inappropriately with a female student. My client admitted to making numerous text messages to this female and I received his consent to search his cell phone. Mr. Moulin did an exhaustive examination of my client’s cell phone and then prepared a lengthy and highly professional report which included helpful information including photos and phone contacts. Careful review of sex offenders in the community is of huge importance to my department.

City Government
HR Director

Earlier this month, I faced a particularly difficult challenge when I needed to conduct a disciplinary investigation involving computer use and interview employees about technical matters for which I am not well versed. You stepped in and conducted the interviews and collected and examined City equipment, which made a significant difference in the information obtained from the investigation. Your combination of interviewing skills, investigative abilities, and computer knowledge provided a thorough, effective, and accurate investigation of the personnel matter.

International Brotherhood of Teamsters Union
Labor Representative

Mr. Moulin was assigned to conduct computer forensics on city equipment. His investigation resulted in obtaining critical information that led to two employees voluntarily resigning their positions with the city. His efforts also brought to light problems that need to be addressed to assure that the integrity of the Information Services Department is not compromised in the future. His investigation provided me with critical information to properly advise my client as to their options.

Individual
Father

Our daughter received threatening emails which went way beyond teenager pranks. Mr. Moulin was able to take our information and determine a responsible party. He obtained a confession and the school was able to take over from there. Please pass along our special thanks to Mr. Moulin.

Fire District
Board Member

A 16-year-old boy went into cardiac arrest and was resuscitated by high school staff using an Automated External Defibrillator (AED). The local fire chief was scrambling to find someone with the ability to download the AED data and ultimately went to Mr. Moulin. With assistance from Moulin, the data was downloaded and provided to the boy’s doctors. They apparently already decided to release the boy, but upon reviewing the AED data, they readmitted him and implanted a defibrillator – as it was apparent he had a life-threatening heart rhythm. Had they not received the AED data provided by Moulin, the boy may very well have been released without a defibrillator and could have died.

Cleared Defense Contractor
Chief Financial Officer

For the first time in our history, computer forensic evidence from Mr. Moulin has been used in legal hearings and provided proof of employee misconduct. To date, 100 percent of our cases have resulted in successful resolutions for our company, potentially saving thousands of dollars in unemployment and other legal claims.

DIGITAL FORENSIC FEES

The Report Comes Standard
When you hire Natsar for a forensic analysis, a detailed report is part of the deliverable. We won't charge you extra for the answers you already paid us to uncover.
No Limit to Keyword Searches
We don't limit keyword searches you can submit. Our examinations are only as good as the information our client provides.
No Storage Costs
Some companies will charge hundreds of dollars each month to store evidence. We believe storing your evidence until your matter is resolved is the cost of doing business and we don't pass that on to you.
No Charge for Processing Time
Natsar doesn't charge for the time our computers forensically copy or process evidence. You can't control that time and shouldn't have to pay for it.

At Natsar, we believe in full transparency about our fees and pledge to never surprise our clients. Many of our competitors will show lower initial rates or a relatively inexpensive retainer, only to charge high hourly rates that seem to never end. This makes budgeting and forecasting difficult for clients. Many forensic companies also charge clients “machine time” meaning an hourly rate for the time it takes to make a forensic copy of the original evidence and then process that copy for analysis. In reality, the majority of cases only take a few minutes of time to set this task up and then the rest is dependent on the size of the source evidence, the speed of the forensic computer, and the connection between the two. We don’t feel right about charging our customers for that, so we don’t. We give accurate estimates and always remain in communication with our clients.

Instead of complicated fee structures and hidden fees, we don’t charge extra for administrative time, acquisition or machine time, evidence storage, or report writing. In some cases when specialized hardware or software must be procured to complete an investigation, those costs may be passed to the client, but only after their approval.

Our fees for in-lab services include the time it takes to conduct an analysis, based on our training and experience. The cost includes the acquisition, processing, analysis, artifact export, detailed report generation, and debrief of findings with the client. After the agreed upon deliverables are provided to the client, further requests for follow up analysis, consultation, travel, or testimony are charged at our hourly rates. If Natsar must travel to acquire evidence, have another examiner in our network acquire evidence on our behalf, or do analysis onsite, additional fees would apply.

This includes Windows, Mac, or Linux computers.
This is a deep-dive forensic analysis and usually required for any case that may go to court. Includes laptops, desktops, and virtual machines, regardless of the form factor or operating system. Cost for servers may be additional, depending on the type of server. A specific quote would be required for server analysis.
Most systems can be thoroughly examined in 15 – 40 hours, which includes the creation of a detailed analysis report. This analysis includes things such as drive indexing and keyword searching, recovery of deleted files, timeline generation of user activity, event and system log file review, registry analysis (Windows), Internet history, review of documents, spreadsheets, images, videos, application data, and more.
Includes:
  • One system (systems with multiple hard drives may incur additional fees depending on configuration)
  • Administrative costs
  • Acquisition of evidence
  • Professional analysis by certified analyst
  • Detailed reports of findings
  • Storage of evidence
  • Hours include analysis, report writing, and consults
  • Teleconference or video conference to debrief and explain findings
This includes Windows, Mac, or Linux systems.
Targeted analysis is typically requested when the client knows exactly what they are looking for on a system. An example is when an employer wants to know whether or not an employee possessed a certain file, or sent a file to another person. Sometimes a client would like to know what websites an individual has visited, or whether or not they have violated the terms of an agreement (by a counselor, parole or probation, etc.). These cases usually begin with a very specific question and we analyze the evidence within the boundaries of the request.
Includes:
  • One system (systems with multiple hard drives may incur additional fees depending on configuration)
  • Administrative costs
  • Acquisition of evidence
  • Professional analysis by certified analyst
  • Detailed reports of findings
  • Storage of evidence
  • Time includes analysis, report writing, and consults
  • Teleconference or video conference to debrief and explain findings
Logical, physical, or manual acquisition depending on the capabilities of our forensic hardware and software and client requirements.
This includes a full analysis done of the contents of the phone and may include recovery of deleted files and entries. Typical examination includes the analysis of incoming/outgoing calls and SMS, photos, videos, audio and voice mail, contacts, app data, system logs, geographic locations of the device, Internet history, and more. If the device is submitted with other evidence in a case (such as a computer) evidence and searches will be done across everything submitted.
Includes:
  • Administrative costs
  • Acquisition of evidence
  • Professional analysis by certified analyst
  • Detailed reports of findings
  • Storage of evidence
  • Time includes analysis, report writing and consults
Natsar will obtain the most data possible based on the device model and available software. This DOES NOT include any analysis, but a logical, physical, or manual extraction provided directly to the client.
We will provide the extracted results to the client via our secure cloud portal, or it can be placed on media (encrypted USB) and shipped for an additional fee. Typically the extraction includes all files recovered and organized for easy viewing and can be provided in a number of formats (HTML, xlsx, PDF, and others).
Includes:
  • Forensic acquisition and storage of forensic copy
  • Report generation in format requested by client (options include PDF, HTML, XLSX, and others)
  • Attempt to recover deleted files
  • Attempt to extract all relevant files including images, videos, SMS (text and multimedia messages) documents, web history, calendar events, emails, app data, geographical locations, call records, and more