Digital forensics involves the collection, retrieval, and investigation of data found on devices and accounts that store electronic data. It is a branch of forensic science that analyzes devices such as servers, email accounts, social media accounts, web-based storage accounts, wearable technology, computers, tablets, smartphones, and Internet-connected devices (Internet of things) among others.

It is very common that the terms “computer forensics” and “digital forensics” are used interchangeably since fields of work that cover almost the same areas and with similar tools, but there are differences since our industry covers more types of devices and cybernetic technology, networks, etc. This makes the analysis more precise and adapted to current technological needs.

What are forensic images? They are the process of verifying and creating exact copies of data stored on hard drives and other electronic storage devices. In the case of smartphones, forensic images are verifiable copies of the maximum amount of data that phone models and associated operating systems can copy, and as such, work done on phones is often more accurately named forensic collections. Forensic images are bit-by-bit copies of all the data stored on computer hard drives. For specific collections, forensic images are verifiable exact copies of selected files.

These are some examples: In the event that you or an attorney need to collect evidence in a lawsuit to meet discovery obligations and help evaluate your case. In the case of wanting to file a lawsuit and you need to collect data to analyze your claims. In the case of you want to know if the former employees who had access to confidential data were taken to use them in a new company. In the case of litigation for the verification of electronic information, analysis of data treatment, rescue of deleted data, etc. In the case of treatment or rescue of large volumes of data and its exhaustive analysis of identification of key evidence.
Clients hire outside computer forensic experts for any of the following reasons: IT staff is typically staff with more generic and often non-existent computer forensic knowledge. For this reason, it is important to have experts specialized in computer forensics since they are able to communicate highly technical concepts in an understandable way and recognize problems quickly. Without the proper forensic software, collecting data can expose you to legal risk from a possible alteration or omission of key data. Having your company protected by external experts is a solid business reinforcement for the coverage of a possible problem that may arise in your company. A reputable expert will make your argument sound based on expert data and arguments and this is priceless for a company.

Although there is no single certification body in the computer forensics industry, one of the most prestigious and rigorous vendor certifications is EnCase Certified Examiner (EnCE), in which you must pass a multiple-choice exam, a practical exam that it requires examining digital evidence and creating an associated report, and ongoing training is required to stay active and up-to-date.


  • The different stages of eDiscovery:Information governance: The information governance stage is the eDiscovery planning process and the management of electronically stored information (“ESI”) to better manage the risks and costs of eDiscovery. Identification: at this stage the scope of ESI for an issue is determined, such as custodians who own ESI, data categories and ESI storage locations. Conservation: this is the stage in which it is guaranteed that the ESIs will not be destroyed or unduly altered. Generally, this should occur when litigation is reasonably anticipated. Collection: The collection stage involves copying the ESI for use later in the discovery process by using a digital forensics provider that can verifiably collect ESI without altering potentially relevant metadata. Processing: This stage generally includes reducing the volume of ESI through automated means, such as search terms and the application of date restrictions, and converting the ESI into a format that is easy for review and analysis. The review: at this stage the responsiveness such as discovery requests and the privilege of the ESI are reviewed. Efficient document review platforms such as Relativity, iConect and others are used by many lawyers to do more efficient document reviews. Production – This stage consists of handing over relevant non-privileged ESIs for review by other parties, ideally based on agreed production specifications. The presentation: this stage shows the ESI already reviewed in various forums, such as declarations, hearings, mediations and / or trials. Electronic evidence can be presented to assist witness testimony, demonstrate key facts, or persuade the finder of fact.

It is a good way to decrease time and costs. Technology such as predictive coding and advanced machine learning is used by Assisted review to apply reviewers’ coding decisions to a broader data set.

It is a process of dividing data sets into groups for review or processing, often organized by a single custodian or problem.

Bates stamps are alpha-numeric identifiers for produced documents.

This tool connects phrases or sets of keywords with a single query, such as AND / OR / NOT. These types of searches can be an effective technique to identify documents of interest more effectively in cases where a single word or phrase generates an unexpectedly large number of results.

This agreement is a mechanism to recover privileged documents produced inadvertently and to prevent their use.

For an easy classification and search of documents, this one is used that enters information fields of a document in a database. Encoding can be subjective or objective. Subjective coding is a coding that requires understanding the document, such as the legal issues that are dealt with, and objective coding is a coding applicable to anyone capable of reading the language of a document, such as the date for example.

Microsoft Outlook OST and PST files, ZIP files, and forensic imaging evidence files are examples of container files. These are single files that contain multiple files or documents inside, often in a compressed format. Since a single container could contain thousands of files, if the container files are not expanded before generating such counts, the file counts in eDiscovery may be underestimated.

This process limits ESIs after collection, but prior to review, generally through automated means such as applying search criteria and indexing the data.

A custodian refers to an individual from whom ESI has been or will be collected, who possesses potentially relevant data.

Refers to the extraction of searchable data and information fields from documents, so that they can be completed in a review database.

There are companies that work with multiple law firms and can find particularly useful data maps, quickly informing attorneys where potentially relevant data might reside and streamlining the eDiscovery identification process. Data mapping creates a “map” for identifying and recording the locations and types of information within an organization.

This process compares electronic records based on their characteristics to identify and eliminate duplicate records from data sets to increase coding consistency and reduce review time.

As compiled by the National Institute of Standards and Technology (NIST), it is the process of filtering files that appear in file lists that are common to all operating systems and programs. The NIST lists include non-user generated file fingerprints, which can be compared to eDiscovery data sets to remove known irrelevant files prior to review.

In this process, potentially relevant evidence is collected, processed, reviewed and produced. eDiscovery is that process with respect to electronically stored information.

This process compiles the emails into a review tool so that all emails in a thread can be viewed together as a single conversation.

This method performs an initial review of potentially relevant data in a cost-effective manner in order to get an initial idea of the potential merits and costs associated with a legal matter.

“EDiscovery” is a process of identifying, collecting, processing, reviewing and producing potentially relevant electronically stored information.

ESI (Electronically stored information) is information that exists in electronic (i.e. not paper) format, such as presentations, word processing documents, emails, spreadsheets and text messages, among a wide range of categories.

The process of using certain parameters to identify or exclude documents is called filtering and is generally used to identify a smaller set of documents to review. Filtering often requires indexing data and then using search criteria such as keywords, phrases, Boolean expressions, proximity expressions, dates, and custodians as mechanisms to narrow down the universe of documents to be reviewed.

Hash values are calculated to deduplicate documents. Examples of hash algorithms include MD5 and SHA1. It can be described as a fingerprint of a document created using a standard algorithm, so that in any analysis of the document using different systems, their hash values will match.

Hosting data through an eDiscovery provider enables legal teams to review large amounts of data remotely efficiently, without the need to purchase their own software / hardware or employ staff with experience managing such environments. This process of uploading electronically stored information to a review platform, often provided by an eDiscovery hosting provider.

We can define as the temporary interruption of a company’s document retention and / or destruction policies for data that could be relevant to a lawsuit.

It is a database created using eDiscovery software that allows processed information stored electronically to be uploaded to a review tool so that it can be classified and searched.

Electronic data contains descriptive information or microdata that can become very relevant in litigation. This data is called metadata. Some metadata are: dates, file names, authors …

It is the format in which any file is originally created. A native file format supports metadata and other details that may be missing when documents are converted to other formats, such as conversion to PDF and TIFF images.

these documents contain a high percentage of the same content. To speed up the review of similar documents, we have review tools that allow their identification. It is not advisable to delete this type of document, since content that seems duplicated is not the same as the same document, so it is advisable to save them for review.

OCR (Optical Character Recognition) is the optical character recognition for the identification and extraction of texts that allows searching electronic files, such as PDF files and TIFF images. OCR can often be limited by the quality and nature of documents that lack searchable text. Even so, it is used to increase the efficiency of text searches. Although OCR can lead to more documents being identified, the OCR application process can increase the time and / or cost of eDiscovery processing.

is the relationship between a file (the parent) that contains one or more subfiles (the children). For example, in an email the message would be the parent and the attachments of the message would be the child. Together, father and son make up what can be called a family of documents.

It is the process of reducing review time and cost and combines machine learning technology, workflows, and human review to apply decisions about the relevance of reviewed documents to a larger set of non-reviewed documents.

It is the extraction of data and metadata from the collected information stored electronically and its assembly in databases of load files, in this way the data can be searched and classified more easily within the review software.

It is the delivery of documents and information stored electronically to other parties in litigation, often performed after a relevancy and privilege review. Productions often include bates-stamped PDF or TIFF files with an eDiscovery upload file attached.

When a single word or phrase generates an unexpectedly large number of results, proximity searches can be an effective technique to identify documents of interest more effectively. This process connects sets of keywords or phrases to a single query based on the number of separate words in which they appear in a document, e.g. Eg electronics w / 2 discovery.

It consists of deliberately covering parts of documents that are considered privileged, confidential or proprietary, so that the redacted parts cannot be seen or searched.

It is the alteration or destruction of relevant evidence. The cost of litigating evidence looting issues is usually much higher than the costs that are necessary to properly collect and protect stored electronic information.

It is data stored in a structured format, or what is commonly called a database.

It is an electronic file that is part of a program or an operating system. These files are usually excluded from processing and / or removed during NIST removal, so only user-generated file types are searched.

It is an assignment of classifications, such as by relevance or privilege, to one or more documents.

A PDF file can serve an equivalent function to a TIFF file (Tagged Image File Format) since it is a common graphic file format used when scanning printed documents.

It is the process of assembling individually scanned pages into documents. Unification can be physical, such as through the use of staples and folders, or logical, which involves human review to determine which pages belong together as a single document.

it is electronically stored information that is not stored in a database format. Examples include emails, word processing files, spreadsheets, presentations, and various other documents.


It is the process of reviewing cybersecurity risks within an organization that is the subject of a possible merger or acquisition, in order to assess whether said risks require changes in the terms of the deal and create a plan if required. Cybersecurity M&A due diligence is a must-have component today and one that is often overlooked. It may include reviewing policies and procedures, interviewing personnel, conducting updated vulnerability and penetration tests, and evaluating previously used security tests. Its function of minimizing risk, reducing costs and identifying possible breakdown factors are factors that make it an extremely important process in these cases.

It is an assessment of the vulnerability of systems connected to the Internet against external hackers and prioritizes the associated repair.

It is an evaluation of the firewall systems of devices such as computers and laptops in the network, and identify possible security vulnerabilities to prioritize the corresponding solutions. Internal vulnerability assessments do not involve attempting to exploit identified vulnerabilities and penetrate company systems, unlike penetration testing.

Today cyber threats undergo changes and constantly evolve and it is therefore necessary that cybersecurity experts are constantly updating their knowledge to combat external threats. Normally a company does not have professional personnel specialized in this sector, since its team of computer technicians prioritize other issues. These factors make it essential for the security of your company that you hire an external company that fulfills these functions in a focused and professional way to identify vulnerabilities and combat them. It is proven that companies that have these services perform their business much better since it not only provides security, but also efficiency. With a relatively low cost, the benefit that is obtained is very small and can make the difference between one company and another. Information is an extremely valuable asset and any company worth its salt has to preserve it from harm.

Vulnerability assessments are an affordable means of identifying potential cybersecurity risks and subsequently remediating them. In the cybersecurity landscape, both in threats and solutions, there is constant evolution and it is therefore essential to carry out periodic evaluations to eradicate any security weakness in an organization. Poor security can ruin an established business.

It refers to the evaluation of your websites, the security of your network or other computer systems through simulations of potential attacks on your security. Penetration testing can be performed with a combination of automatic and manual tools. These types of tests are authorized and previously planned with the consensus of the clients.

Penetration testing is a proactive and effective formula for testing network security. It is a realistic strategy to identify the possible impact and the best way to repair damage to the network. Vulnerability assessment and penetration testing go hand in hand. To do the penetration test, a vulnerability assessment is necessary first, so these procedures are complementary.

Black box testing simulates an attack by someone who is unfamiliar with the system and does not assume any prior knowledge of the infrastructure to be tested. Testers must first determine the location and extent of the systems before beginning their analysis.

A successful penetration test will reveal an existing problem as they focus on verified serious vulnerabilities. This is the best starting point for prioritizing repair.

The white box tests are a simulation of possible internal work events or after a leak of confidential information, where the attacker has access to network designs, source code and possibly some passwords. These tests provide testers with complete knowledge of the structure to be tested and the relevant information needed (may include network diagrams, source code, and IP address information)

A penetration test attempts to exploit vulnerabilities to determine if unauthorized access or other malicious activity is possible, while a vulnerability assessment identifies and reports observed vulnerabilities, prioritizing areas to repair.

Proper planning and scheduling minimize the risks involved in any IT activity. Penetration testing focuses on vulnerabilities that allow command execution. Many of the command execution vulnerabilities are buffer overflows, which run the risk of blocking computers or services.

Penetration testing works by running a series of exploits that are chosen based on the target’s operating system and running services. An exploit is a program designed to expose a specific vulnerability, usually by executing commands on the target. There are three basic types of exploits: (1) Client: exploitable when a user is tricked into uploading a file provided by an attacker. (2) Local – elevation of privilege; exploitable by an attacker already on the system (3) Remote: an initial theft exploitable by a remote user via a network service.

The best way to resolve an exploit depends on the nature of the exploit and your computer systems and can be prevented or countered through host-based intrusion prevention systems, properly maintaining firewalls and a variety of other preventive methods.

RCS consultants offer advice on prioritizing identified vulnerabilities and can provide quality, detailed reports with their assessments, so you can better prioritize your resources and remediate those identified vulnerabilities. You can count on our team for any questions or doubts that may arise.

These tests include common firewall bypass tests and firewall configuration tests, as well as full health analysis tests, DNS attacks, IPS evasion, zone transfer tests, routing problems, switching, and other network tests.

RCS offers penetration testing at a very affordable price and we adapt to the needs of your IT structure. Do not hesitate to contact RCS and we will inform you free of charge about our services and prices.

Contact us directly and do not hesitate to ask us about this question. You will have no problem.

The host configuration test includes a full port scan and post-test of all services discovered on a host except applications and custom services. Services such as SSH, MySQL / MSSQL and other database services, SMTP, FTP, etc. are included. Also included are well-known standard web applications, such as Microsoft Outlook login pages, standard administrative interfaces for firewalls, printers, and other standard administrative web pages, which will receive black box testing if discovered. Apps or services you have written or customized are not included. Custom web applications require the purchase of a web application trial.

These tests consist of checking whether the employees of an organization adhere to security policies and procedures, usually through the use of subterfuges or other scams, to determine the level of vulnerability of the organization to the exploit used. The tests provide an organization with information on the ease with which intruders can convince employees to break security rules or provide access to confidential data. Telephone tests could consist of a tester calling employees pretending to be a member of the organization’s IT team, asking for sensitive information like their passwords, and telling them to change them to new ones. Another common method of social engineering is phishing tests that are commonly used to test whether employees open email attachments from unknown sources, which could put a company’s security at risk. Physical tests could involve a tester attempting to enter a secure building, for example during business hours, and checking whether someone is neglecting entry accesses, for example.

It is an organized approach to limit damage, costs and reduce recovery time in an attack already perpetrated. It is a strategy to address and manage the aftermath of a security breach or cyber attack or incident. Incident response involves technology to detect and respond to the attack, people and processes.

Here is a list of possible incidents: Denial of service of a web application Endpoint compromised by malware (via phishing attack) Suspected breach (exposure) of sensitive information (medical records, customer contacts) Unauthorized access to critical resources loss of personally identifiable information (email addresses, usernames / passwords)

It consists of an action policy to deal with an incident. The incident must be acknowledged, who is responsible for responding to the incident within the company, and the process to be followed is specified in detail.

The incident response plan must be clear in identifying the chain of command in the event of an incident and those responsible for it, within the company, which are ultimately senior executives.

The most effective Incident Response Teams are cross-functional and include representatives from senior-level executives to HR, Finance, PR, IT and security teams, as well as outside cyber security experts and law firms, so every chain of command understands how to identify and react to an incident that may affect them. For example, depending on the magnitude of an incident, forensics will be conducted by the security team and corrective actions will be taken by network/system administrators. Business functions such as finance or human resources could have protocols to follow, as confidential financial or employee information is often at risk when there is a cyber-attack.

In order to develop and maintain an effective incident response plan, the planning, testing and execution of the incident response must be promoted from the executive level, maintaining the correct focus and putting the necessary resources to carry out the plan. When the plan is in place, external cybersecurity experts can assist in the process to conduct regular preparation drills (such as fire drills) with the participation of all team members.

Managing storage systems for cloud backups can be convenient but can also pose challenges or problems, such as managing security settings, user accounts, exporting and migrating data, setting up withholdings for litigation and many other challenges. There are a wide variety of cloud-based platforms, and a trained third-party IT provider who offers to manage these services will help you a lot to keep your systems running smoothly and securely.

These services involve meeting the routine information technology needs of an organization by contracting with an external provider. Minimizing risks is the best way to, in turn, increase the efficiency, capacity and profitability of your company. An organization can specify what type of security services it needs and under what conditions, having a functionally and economically adapted service.

It is the hiring of the services of an external provider for the improvement of the security of the sensitive data of a company. These services may vary depending on the needs of the company and the offer of the provider. The services can include from conducting periodic vulnerability assessments and penetration tests, advice, supervision, to reviewing cybersecurity policies and procedures, among others.

Ensuring that it can recover data in the event of a disaster has been paramount for a business. Disaster recovery services may include the review of policies and procedures as well as the implementation of systems that ensure that the business is backed up regularly using various methods.

For cases of theft, fire, flood or other unforeseen events that an organization may suffer, it is necessary to ensure that the computer systems are recovered as soon as possible and in turn the information is recoverable. All this should happen as quickly as possible so that the business can resume its normal activity as soon as possible. A trained IT insurance repair service provider works in conjunction with the insurer and the insured to restore information systems and data to operational state and get the business up and running quickly.

It is an aid for the employees of an organization to solve everyday problems of computers and mobile devices. Hiring a technical service from an external provider allows organizations to focus on their core business, while the technical service provider takes care of the routines associated with the service and the daily needs of the organizations.

It is a way of naming the services offered by an external provider in a more timely manner to fix things that go wrong, according to the demand of the organization.

A third-party software evaluation service provider can help you make the right decisions when choosing from the many software options available that make it very difficult for a company to decide on one of them.

An organization must take into account that, whether or not it has antivitrus, spyware and malware software, it runs the risk of being infected by more current or unknown attacks by an antivirus or it can be infected by various errors that the user may have made. A professional and trained third-party vendor can ensure that viruses, spyware, and malware are removed from a system and can respond to incidents that compromise company data or systems.


RCS provides solutions to reduce the risks associated with hackers, data theft and we provide security in your company so you only have to worry about what is important, your business. We provide personalized services and IT consultancies, giving a quick and professional response. We guarantee to all clients professionalism and speed of action, necessary in critical cybersecurity cases. We focus on having a team of specialized professionals with the approved level of education required to perform their work in the best way possible. Security is a very valuable asset for a company and we are very aware of it.
RCS has been in business since 2003. We have built a loyal following of law firm, corporate, government, and other valued clients by providing highly responsive service and understanding our clients’ needs.