Computer Forensics FAQ
Computer forensics is the analysis of information contained within and created by computer systems. It is typically performed in the interest of figuring out what happened, when it happened, how it happened, and who was involved. The Certified Computer Forensics Examiner’s first step is to clearly determine the purpose and objective of the investigation. They will then take several careful steps to identify and extract all relevant data on a subject’s computer system. Computer forensic analysis will extract the data that can be viewed by the operating system, as well as data that is invisible to the operating system. During the forensic examination, the analyst will image, protect and preserve the evidence from any possible alteration, damage, data corruption, or virus introduction. Our examiners make the assumption that every case or situation could end up in the legal system. Therefore, it is their role to ensure evidence is not damaged, tainted or in any other way rendered inadmissible in court.
The Certified Computer Forensics Examiner also addresses the legal issues associated with electronic evidence, such as relevant case law, how to navigate the discovery process, protection of privilege, and in general, working with attorneys and other professionals.
In addition, an examiner will work to uncover all files on the subject’s system. This includes existing active files, invisible files, deleted yet remaining files, hidden files, password-protected files, and encrypted files. In many cases, information is gathered during a computer forensics examination that is not typically available or viewable by the average computer user, such as fragments of data that can be found in the space allocated for existing files (known by computer forensics practitioners as “slack space”). Special skills and tools are needed to obtain this type of information or evidence.
In computer forensics, there are three types of data that we are concerned with — active, archival, and latent.
Active data is the information that typical users can see. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.
Latent (also called ambient) data is the information that one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.
A computer forensics expert can recover all deleted files and other data that has not yet been overwritten. As a computer is used, the operating system is constantly writing data to the hard drive. From time to time, the operating system will save new data on a hard drive by overwriting data that exists on the drive, but is no longer needed by the operating system. A deleted file, for example, will remain present on a hard drive until the operating system overwrites all or some of the file. Thus, in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The ongoing use of a computer system may destroy data that could have been extracted before being overwritten. Fortunately, the costs for acquisition are very reasonable, and the process is not disruptive.
A computer forensics expert analyzes all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as slack space in a file (the unused space at the end of a file, in the last assigned disk cluster, that may be a possible site for previously created and relevant evidence).
At the conclusion of an examination, a computer forensics expert provides a detailed analysis of the computer system. They will also provide the client a copy of all relevant data, parsed in a format which can be readily integrated into your legal theories and strategies.
The answer to this question is that any potential victim of a computer crime can benefit from computer forensic services. The computer has invaded our very existence, become a part of our lives, and is an integral part of almost every case, from complex litigation and class actions, to contract disputes. Computer crimes are crimes in which computers are used as a tool to facilitate or enable an illegal activity, or have been a target of criminal activity. It is estimated that over 85% of all crimes and infractions committed today contain a digital signature.
Computer forensics services can be used by anyone who thinks a crime or breach of policy or a wrong has been done. They may also be utilized by someone who is defending or protecting themselves, or another party, and are looking for evidence to prove or disprove the commitment of a crime or breach of information.
The statistics are familiar; 85% of all corporate data is stored electronically, 93% of new data is stored electronically, and approximately 75% of this information is never printed. Consequently, in almost every legal matter, critical and relevant evidence will be stored electronically. Proper collection and examination of this evidence is critical to avoid spoliation, to preserve the evidence, and to manage costs. Computer forensics is the methodology used to ensure that electronic evidence is properly acquired and handled so that it may maintain its evidentiary status.
It is well documented in the media that computer or digital evidence has been the “smoking gun” in many high profile cases. With the majority of new information in businesses of all sizes being created and stored on computer systems, it is indisputable that digital evidence should be considered a primary source of evidence. It is certainly not in anyone’s best interest to ignore potentially relevant sources of evidence in any case, including computer evidence.
In the past, computer forensics examinations could run tens of thousands of dollars because of the manpower necessary to thoroughly examine a hard-drive. With the advancement of technology in the computer forensics arena, that is no longer the case. The cost of a computer forensics examination varies greatly, depending on the number of computers involved and the complexity of the recovery of evidence. A complete computer forensics examination is an examination of the entire computer media, and includes a detailed written report. A complete examination of a single 80 GB hard drive can have over 18,000,000 pages of electronic information and may take between 15 to 35 hours or more to examine, depending on the size and types of media. A reasonable quote can be obtained prior to the examination’s start. This time could increase or decrease, depending upon the type operating system used, the type of data contained within, and the size and amount of data in question. Computer forensic examinations have an unusually high return on investment. The total computer forensics price can average from $250 to $350 an hour, and the process involves basically three steps:
1) Acquisition or harvesting of all electronic information. Acquisitions usually cost less than $500.00 (plus expenses). 2) Investigation and examination of all information; this depends on the type and size of the equipment and the nature of your case. The third and final step of an examination is 3) Reporting. In most instances, examination and reporting can be completed in less than 15 hours, and the total analysis usually totals less than $5,000.00. We do not charge clients for ordinary machine time if our personnel are not actively involved in that process.
There is no reason that computer forensics analysis needs to disrupt any business. Making an “image” of a computer system (even if several computers are involved) can be done during non-business hours, at night, or over a weekend. In many cases, the image can be acquired in less than 5 or 6 hours.
San Francisco Computer Forensics is able to help you determine if you have a case or not. Our Quick Analysis service allows us to analyze your data for a reasonable one-time fee of $1595.00 to see if incriminating evidence is readily found.
Computer forensics differs from data recovery, which is the recovery of electronic data after an event affecting the physical data, such as a hard drive crash. Computer forensics goes much further, involving a complete computer examination, with analysis as the ultimate goal. In any case where a computer or information system is available, computer forensics can be used as a tool to (1) determine the facts from your employee/ client, (2) discharge your duty to avoid spoliation, (3) obtain all relevant evidence from the opposing party in a manner similar to using a Request for Production of Documents, and (4) determine whether computers were used as the instrument of a tort, crime, or violation of policy.
To determine facts, you must have all the information relevant to a matter, not only to construct effective legal strategies, but also to focus your expectations and efficiently budget your services. There is nothing more difficult to address than a case that has become complicated by new facts, where you expected the matter to proceed smoothly and without significant cost. Knowing all the facts early on in a matter allows you to better prepare for those cases that will require significant legal expertise to manage.
In response to pending litigation, analyzing your relevant computers is an excellent way to discharge your duties to preserve evidence and avoid spoliation. It also allows you to acquire all relevant information essential to your legal theories and strategies. Similarly, as part of critical business decisions, forensically analyzing relevant computers can provide essential information. For example, analyzing the computers of corporate officers or employees as part of the termination process can alert you to possible litigation issues, such as violation of non-compete agreements, improper copying of intellectual property, etc.
In litigation, an attorney must determine whether a Request for Production of Documents will obtain all relevant evidence. You might simply ask yourself whether you want to discover part of the relevant information (i.e. that seen by your opponent’s operating system) or all of it (i.e. deleted, hidden, orphaned data, etc). It is not unrealistic to believe that information that is helpful to a matter would be saved on a computer, while that which is harmful would be deleted, hidden, or rendered invisible. For example, in sexual harassment cases, it is not unusual to discover deleted emails and other data invisible to the operating system that significantly affects the case. Computer forensics analysis extracts all the emails, memos, and data that can be viewed with the operating system, as well as all invisible data. In many cases, the invisible data completely changes the nature of a claim or defense, leading to early settlement and avoidance of surprises during litigation.
In any situation in which one or more computers may have been used in an inappropriate manner, it is essential to call a forensic expert. Only a computer forensics analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use. Taking the wrong steps in these circumstances can irrevocably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.
Companies that fall victim to computer crime may be inadvertently destroying evidence in their efforts to find the perpetrators. You only have one opportunity to collect the evidence you need to prove your case.
Human Resources departments often send in well-meaning IT staff that do not know what they are doing, and who inadvertently ruin the evidence. Although the internal IT staff is often highly knowledgeable regarding their working environment and the technology employed within, computer forensics examinations are best performed by outside certified experts. Due to the nature of the forensic analysis process, coupled with the requirements in preserving evidence and chain-of-custody requirements, the court system requires that examinations are performed by certified professionals. What we frequently see is IT experts going in and doing what you see on every bad crime film: they muddy the waters. Therefore, it is a wise business decision to consult a professional certified computer forensics team as soon as possible.
Additionally, using in-house personnel can raise issues related to authentication that can increase the cost of admitting evidence. In-house personnel may be put through a challenge that could threaten the admissibility of critical evidence. If there is a remote chance that the matter could end up in court, best practices strongly suggest having the data analyzed by a computer forensics expert. The cost of expert analysis will almost always be far less than the cost of defeating a challenge to the admission of critical evidence.
Most in-house technology experts are concerned with mission-critical data and recovery from catastrophic data loss. They are not experienced in the acquisition and preservation of data rendered invisible to the operating system. Even the most well-intentioned technology expert can damage the fragile information that is stored on a computer, especially when the operating system does not recognize the data. The simple act of turning the computer on or looking through files can potentially damage the very data you’re looking for. Dates can be changed, files overwritten and evidence can be corrupted.
Accusations of evidence tainting are not rare in cases involving computer data when the party who owns or acquires the computer data also analyzes it. Issues such as accessibility to the data by other parties, experience and credentials of the person who acquired and reviewed the data, as well as other questions along these lines are typical. For these reasons, it is not advisable for an employer, employee, friend, etc. to perform the function of acquiring and reporting evidence that has any chance of being litigated by any party.
Professional, third-party companies like San Francisco Computer Forensics are experienced in this type of work. Their involvement in the matter is neutral and unbiased. Evidence obtained and submitted by certified professionals is likely to carry much more weight in front of opposing counsel, corporate management, a jury, or any other party.
San Francisco Computer Forensics examiners employ the proper hardware and software to identify, isolate, and preserve electronic information in a court admissible manner. They posses the expertise and experience necessary for efficiently analyzing electronic information. They also have the ability to uncover electronic evidence while relying upon essential training and experience to ensure the court admissibility of electronic evidence.
The most frustrating aspect of forensic analysis is that the operating system may randomly overwrite data on the hard drive. This means that the longer a computer is used, the more likely it is that evidence will be lost. Fortunately, the operating system frequently records evidence in several places simultaneously. This means that if the data is overwritten in one area, it may still reside in another.
It is impossible to tell, however, whether the data that is most important to you will survive the constant use of the computer. Indeed, the simple act of turning the computer on or looking through files can potentially damage the very data you’re looking for. The dates on which files were created can be changed, files can be overwritten, and evidence can be corrupted. The safest practice is to acquire an image of the computer as soon as possible; however, it may be possible to find relevant data even after years of use.
If you are thinking about performing this type of work yourself, or using your corporate IT department or local computer technician, we encourage you to reconsider. You must consider the internal dollar cost and the possibility of your evidence being tossed out because of the method with which it was acquired. In addition, you need to take into account the qualifications of those who worked on it, or any personal and business associations your staff might have with the subject. The internal cost is not only the time you or other people spend performing this work, but also the cost of taking them away from their assigned responsibilities. There is also the time spent writing reports (a small, by today’s standards, 40 GB hard drive can have over 9,101,420 pages of data), possible interrogatories and depositions, other internal issues, the spread of gossip, and loss of work productivity. All of these situations may occur and can affect your staff, your business, and most importantly, the outcome of your case or situation.
The first step one should take in this situation is to immediately cease any and all use of the computer in question. Further use of this computer may damage any relevant evidence. If the suspected computer is turned off, it should remain off. Be sure to secure the computer at this point to prevent persons from unknowingly using it.
If the computer is on, it is important that you do not go through a normal shutdown process. Instead, call San Francisco Computer Forensics for immediate instructions on what to do next. It is also imperative that you do not allow the internal IT staff to conduct a preliminary investigation. At this point, all you have is information and data; there is no evidence. Unless your IT staff is certified in computer forensics and trained on evidentiary procedures, they have not maintained chain of custody or followed other accepted evidence techniques. Secondly, even if proper evidence handling techniques have been used, the collection process itself has altered, and likely tainted, the data collected. By opening, printing, and saving files, the meta-data has been irrevocably changed. Lastly, the act of turning on the computer changes caches, temporary files, and slack file space which, along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was on the computer.
Even if extensive damage is done by the internal IT staff, a skilled computer forensics vendor may be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than the original analysis would have cost. Nevertheless, it is not always possible to restore evidence, especially meta-data timelines, from computers that have been mishandled. A good rule of thumb is to always use a certified external vendor for computer evidence collection. You will also want to keep a detailed log of who had access to the machine in question, what was done to it, and where the computer has been stored since the dates in question. When the hard drive is removed and sent to San Francisco Computer Forensics for a forensic examination, be sure to document the date and time in the system and note whether it differs from the current time. Computer forensics may be an unknown and mysterious discipline to many, but with the right training, it is relatively easy to avoid the most common procedural mistakes. Only use a certified computer forensics expert, and do not rely on the internal IT staff for computer forensics investigations. If there is even a small chance that evidence from a suspected computer system will be needed, have San Francisco Computer Forensics perform a Quick Analysis to forensically collect and report on any potential evidence.
We highly recommend that you call us for complete instructions prior to making any shipments, and we will take you through the process step-by-step. San Francisco Computer Forensics recommends that you have the disk drive(s) removed by an experienced computer technician and shipped to us. We can also provide onsite acquisition service at your location for an additional cost.
Please do not ship anything to us without contacting us in advance and obtaining a Case Code. The Case Code must be written on the shipping label. We will also instruct you to the closest available lab for the quickest service possible.
Since disk drives are static-sensitive, we recommend that the drive(s) be placed in an antistatic bag and sealed. Wrap about 1/2-inch of solid foam or bubble wrap around the disc and tape so all sides are sealed. Make sure the contents will not bounce around in the box you use.
PLEASE DO NOT USE PACKING PEANUTS OR ANY STYROFOAM PACKING MATERIAL – THIS MATERIAL CREATES DAMAGING STATIC ELECTRICITY.
Yes, evidence can be extracted from desktop hard drives, personal computers (laptops), tablets, PDA’s, smartphones and cell phones, tapes, DVD’s, CD’s, digital cameras, and other electronic devices.
The burden of discovery costs generally falls on the responding party. However, in some cases, these costs may be shifted and allocated to the requesting party as the courts see fit. This depends on case precedents and whether the court views these discovery costs as being an ‘undue burden or expense’ on the responding party.
Free Consultations
If you’re a professional with a computer forensics application, why not get answers and information from a live person? Please call us at 1 (415) 413-0192, or click the big green button below to schedule a free consultation. There’s no charge and no commitment.