Data Forensics FAQ
Computer Forensics is the analysis of information contained within computer systems. The Computer Forensics Investigator's first step is to clearly determine the purpose and objective of the investigation in a free consultation. We will work with you to identify where your data is located. We will document the legal chain of custody of the media, make a bit-by-bit copy, and preserve the original. The computer forensic analysis will examine and extract the data that can be viewed by the operating system, as well as data that is invisible to the operating system, including deleted data that has not been overwritten.
The Computer Forensics Investigator also addresses the legal issues associated with electronic evidence, such as relevant case law, how to navigate the discovery process, protection of privilege, and in general, working with attorneys and other professionals.
In addition, an examiner will work to uncover all files on the subject's system. This includes existing active files as well as invisible files, hidden files, password-protected files, and encrypted files. In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as fragments of data that remain in the unused part of the space allocated to existing files (known by computer forensic practitioners as “slack space”). Special skills, tools and software are needed to obtain this type of information or evidence.
A Computer Forensics expert can recover all deleted files and other data that have not yet been overwritten. As a computer is used, the operating system is constantly writing data to the hard drive. From time to time, the operating system will save new data on a hard drive by overwriting data that exists on the drive but is no longer needed by the operating system. A deleted file, for example, will remain present on a hard drive until the operating system overwrites all or some of the file. Thus, in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The ongoing use of a computer system may destroy data that could have been extracted before being overwritten. That is why we stress that time may be of the essence. Fortunately, the costs of acquisition are very reasonable, and the process is generally not disruptive.
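As an added illustration, not the firm's tooling or any real file system, the following Python model shows why a deleted file stays recoverable until its bytes are overwritten, why data invisible to the operating system still turns up in a forensic examination, and how a bit-for-bit copy is verified by hashing before analysis. The toy image layout, file names and contents are constructed for the example.

```python
import hashlib

# Constructed toy "disk image" (not a real file system): one directory sector
# followed by a data area. Deleting a file removes only its directory entry;
# the file's bytes stay in place until something else overwrites them.
SECTOR = 512
DIR_SIZE = SECTOR  # first sector holds the directory table

def build_image(files: dict[str, bytes]) -> bytearray:
    """Lay out files sector-aligned after the directory sector."""
    data, entries = bytearray(), []
    for name, content in files.items():
        entries.append(f"{name}|{DIR_SIZE + len(data)}|{len(content)};")
        data += content
        data += b"\x00" * (-len(content) % SECTOR)  # padding = "slack space"
    table = "".join(entries).encode().ljust(DIR_SIZE, b"\x00")
    return bytearray(table) + data

def list_files(image: bytes) -> list[str]:
    """What the operating system sees: names in the directory table only."""
    table = bytes(image[:DIR_SIZE]).rstrip(b"\x00").decode()
    return [e.split("|")[0] for e in table.split(";") if e]

def delete_file(image: bytearray, name: str) -> None:
    """Ordinary deletion: drop the directory entry, leave the data alone."""
    table = bytes(image[:DIR_SIZE]).rstrip(b"\x00").decode()
    kept = [e for e in table.split(";") if e and not e.startswith(name + "|")]
    new_table = (";".join(kept) + ";") if kept else ""
    image[:DIR_SIZE] = new_table.encode().ljust(DIR_SIZE, b"\x00")

def acquire(image: bytes) -> tuple[bytes, str, str]:
    """Bit-for-bit copy; both hashes are recorded for the chain of custody
    and must match before analysis starts on the copy."""
    copy = bytes(image)
    return copy, hashlib.sha256(image).hexdigest(), hashlib.sha256(copy).hexdigest()

def carve(image: bytes, header: bytes, footer: bytes) -> list[bytes]:
    """Signature carving over the data area, ignoring the directory table,
    so data invisible to the operating system is still found."""
    found, pos = [], DIR_SIZE
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start + len(header))
        if end == -1:
            break
        found.append(bytes(image[start:end + len(footer)]))
        pos = end + len(footer)
    return found
```

Once the deleted file's sector is reused (simulated by overwriting its header bytes), carving no longer finds it, which is the reason the page stresses acquiring the machine before further use.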
At the conclusion of an investigation, our Computer Forensics investigator will provide a detailed analysis of the computer system in a written report. We will also provide our clients a copy of all relevant data in digital form.
In the past, computer forensic examinations could run tens of thousands of dollars because of the manpower necessary to thoroughly examine a hard drive. With the advancement of technology in the computer forensics arena, that is no longer the case. The cost of a computer forensic investigation varies greatly, depending on the number of computers involved and the complexity of the recovery of evidence. A complete computer forensic examination is an examination of the entire computer media and includes a detailed written report. A complete examination of 100 GB of data on a hard drive can involve over 10,000,000 pages of electronic information and may take between 15 and 35 hours or more to examine, depending on the size and types of media. A reasonable quote can be obtained prior to the investigation's start. Remember, computer forensic investigations have an unusually high return on investment!
We have tools that in many cases allow us to perform a rapid analysis of the media to see whether we can locate the relevant evidence quickly, thereby avoiding a full forensic examination.
Cell phone examinations can usually be completed in 5 to 8 hours.
Computer forensics differs from data recovery, which is the recovery of electronic data after an event affecting the physical media, such as a hard drive crash. Computer forensics goes much further and can be used as a tool to (1) determine the facts from your employee/client, (2) discharge your duty to avoid spoliation, (3) obtain all relevant evidence from the opposing party in a manner similar to using a Request for Production of Documents, and (4) determine whether computers were used as the instrumentality of a tort, crime, or violation of policy.
In response to pending litigation, analyzing your relevant computers is an excellent way to discharge your duties to preserve evidence and avoid spoliation. It also allows you to acquire all relevant information essential to your legal theories and strategies.
In litigation, an attorney must determine whether a Request for Production of Documents will obtain all relevant evidence. You might simply ask yourself whether you want to discover part of the relevant information (i.e. that seen by your opponent's operating system) or all of it (i.e. deleted, hidden, orphaned data, etc.). It is not unrealistic to believe that information that is helpful to a matter would be saved on a computer, while that which is harmful would be deleted, hidden, or rendered invisible. For example, in sexual harassment cases, it is not unusual to discover deleted e-mails and other data invisible to the operating system that significantly affect the case. Computer forensic analysis extracts all the e-mails, memos, and data that can be viewed with the operating system, as well as all invisible data. In many cases, the invisible data completely changes the nature of a claim or defense and ultimately affects settlement strategy.
In any situation in which one or more computers may have been used in an inappropriate manner, it is essential to call a forensic expert. Only a computer forensic investigator will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use.
Companies that fall victim to a claim or to a computer crime may be inadvertently destroying evidence in their efforts to find the perpetrators. You only have one opportunity to collect the evidence you need to prove your case.
Human resources departments often send in well-meaning IT staff who do not know what they are doing and who inadvertently ruin the evidence. Although the internal IT staff is often highly knowledgeable regarding their working environment and the technology employed within it, computer forensic investigations are best performed by outside certified experts. Due to the nature of the forensic analysis process, coupled with the requirements for preserving evidence and maintaining chain of custody, the court system requires that investigations be performed by certified professionals. What we frequently see is IT experts going in and doing what you see in every bad crime film: they muddy the waters. Therefore, it is a wise business decision to consult a professional certified computer forensic team as soon as possible.
Additionally, using in-house personnel can raise issues related to authentication that can increase the cost of admitting evidence. In-house personnel may be put through challenges that could threaten the admissibility of critical evidence. If there is a remote chance that the matter could end up in court, best practices strongly suggest having the data analyzed by a computer forensic expert. The cost of expert analysis will almost always be far less than the cost of defeating a challenge to the admission of critical evidence.
Professional, third-party companies like Integrated Security Service – Data Forensics are experienced in this type of work. Our involvement in the matter is neutral and unbiased and evidence is collected in a scientific manner. Evidence obtained and submitted by certified professionals is likely to carry much more weight in front of opposing counsel, corporate management, a jury or any other party.
It is impossible to tell, however, whether the data that is most important to you will survive the constant use of the computer. Indeed, the simple act of turning the computer on or looking through files can potentially damage the very data you're looking for. The dates on which files were created can be changed, files can be overwritten, and evidence can be corrupted. The safest practice is to acquire an image of the computer as soon as possible. Depending on the usage however, it may be possible to find relevant data even after years of use.
It is well documented in the media that computer or digital evidence has been the "smoking gun" in many high-profile cases. With the majority of new information in businesses being created and stored on computers, it is indisputable that digital evidence can be a primary, powerful source of evidence. It certainly is not in any client's best interest to ignore potentially relevant sources of evidence, including computer evidence.
The first step one should take in this situation is to immediately cease any and all use of the computer in question. Further use of this computer may damage any relevant evidence. If the suspected computer is turned off, it should remain off. Be sure to secure the computer at this point to prevent persons from unknowingly using it.
If the computer is on, it is important that you do not go through a normal shutdown process. Instead, call us for an immediate consultation on what to do next. It is also imperative that you do not allow the internal IT staff to conduct a preliminary investigation. At this point, all you have is information and data; there is no evidence. First, unless your IT staff is certified in computer forensics and trained in evidentiary procedures, they have not maintained chain of custody or followed other accepted evidence-handling techniques. Secondly, even if proper evidence-handling techniques have been used, the collection process itself has altered, and likely tainted, the data collected. By opening, printing, and saving files, the metadata has been irrevocably changed. Lastly, the act of turning on the computer changes caches, temporary files, and file slack space which, along with the alteration of the metadata, may have seriously damaged or destroyed any evidence that was on the computer. Call us immediately for a free consultation.
Yes, evidence can be extracted from many digital devices: desktop hard drives, laptops, PDAs, cell phones, iPads, tablets, tapes, DVDs, CDs, digital cameras, GPS units and other electronic devices.