
Computer Forensics FAQs

 

1.  What is Cyber Forensics?

2.  What is Cyber Crime?

3.  Why is Computer Forensics utilized?

4.  When should I consider using Computer Forensics?

5.  How else might Computer Forensics be employed?

6.  What is involved in Computer Forensics and does the process work?

7.  Are there any actions that should be avoided during an investigation?

8.  Do you guarantee recovering the data I am seeking if I order a Computer Forensics investigation and analysis from you?

9.  If I think that evidence exists, is it O.K. if my technology expert takes a look for the information before I get in touch with a Computer Forensics Expert?

10.  What risks are there if I don’t consult a Computer Forensics Expert at the start of a problem?

11.  How do I calculate and determine my Return on Investment (ROI) by contracting Computer Forensic Services?

12.  How can a Computer Forensic Company help us reduce loss and liability?

13.  How much do Computer Forensic Investigations typically cost?

14.  Why do you require a $2,000.00 nonrefundable base fee?

15.  I have heard that attorneys may be liable for malpractice if they don't consider computer evidence as a part of a case.  How realistic is this?

16.  I think that a computer in my organization may contain important evidence.  What do I do now?

17.  How should I ship my computer/hard drive to TCG for a Computer Forensics Investigation?

18.  Does anything that you do in the process of acquiring the data change the hard drive?

19.  Why should we choose you to examine our computer?

20.  You're located in Iowa.  Wouldn't it be cheaper for me to get someone who is local to my area?

21.  Can my employee qualify in court as an expert in the forensic examination of a computer?

22.  We don't plan on going to court.  We're just looking for what an employee has been doing on a computer.  Isn't it O.K. to use in-house computer personnel to do this?

23.  We are working with another Private Investigative company. Why can't they examine computers for us?

24.  What is Data Recovery?

25.  How is Computer Forensics different from Data Recovery?

26.  Can we use a Data Recovery firm for doing Computer Forensics?

27.  We already have a relationship with a major accounting firm that says they can do computer forensics. Why can't they examine computers for us?

28.  What qualifications should we look for in a Computer Forensic Examiner?

29.  What evidence can be found on a computer?

30.  Where is information stored on a computer?

31.  What happens when you 'delete' a file?  

32.  Can you recover deleted data from a computer?

33.  Who can allow a computer to be searched for evidence?

34.  What does a Computer Forensic Analyst do?

35.  What should be included in a Forensic Examination Report?

36.  I have a computer that I suspect has evidence on it.  What should I do now?

37.  What happens in the event that the matter goes beyond your organization? 

38.  Can I monitor the e-mail, instant messages and Web access of others who use my computer(s)?

39.  Can you determine who sent an e-mail?

40.  Can you determine who wrote or printed a computer document?

41.  What is hashing and how can we use it in forensics?

42.  Who can use Computer Forensic evidence?

43.  What is an Anton Piller order? How does it relate to Computer Forensics?

44.  What if I provide my computer’s hard drive to you for analysis and you find that it has been wiped clean of all data?  

 

1.  What is Cyber Forensics?

A classical definition is, "Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law."  Generally speaking, computer forensics, also known as cyber forensics, is considered to be the use of analytical techniques to identify, collect, preserve, and examine evidence/information which is magnetically stored or encoded using the application of scientifically proven methods to gather, process, interpret, and to use digital evidence to provide a conclusive description of cyber crime activities.  Cyber forensics also includes the act of making digital data suitable for inclusion into a criminal investigation.  Today, cyber forensics is a term used in conjunction with law enforcement, civil litigation, in organizations and private investigations such as domestic matters.  Cyber forensics and related courses are also being offered as courses at many colleges and universities worldwide.  

[Back to Top]

 

2.  What is Cyber Crime?

Cyber c.  Additionally, cyber crime also includes traditional crimes conducted through the Internet.  For example, hate crimes, telemarketing and Internet fraud, identity theft, and credit card account thefts are considered to be cyber crimes when the illegal activities are committed through the use of a computer and the Internet.  Although not necessarily criminal in nature, civil torts committed via a computer are also considered cyber crime.  

[Back to Top]

 

3.  Why is Computer Forensics Utilized?

This process is normally used to acquire and provide digital evidence of a specific or general activity.  The forensic investigation itself can be initiated for a wide variety of reasons.  While the most high profile cases are usually in the area of criminal investigation or in high-visibility civil litigation cases, forensic techniques can be of value in a wide variety of situations, including, simply tracking what happened on a computer system when data has been lost.

[Back to Top]

 

4.  When should I consider using Computer Forensics?

If you personally or your organization owns a computer, you will likely need computer forensics services at one point or another.  The computer has become a part of our daily lives and very existence and is an integral part of almost every case we investigate.  In any case where a computer or information system is or was available, we use computer forensics as a tool to determine the facts of a case or other matter, to assist in response to pending litigation, to assist in existing litigation, and in any situation in which one or more computers may have been used in an inappropriate or illegal manner.

A.  Determining Facts

You must have all the information relevant to the issues in a matter, not only to construct effective strategies, but also to focus your expectations and efficiently budget your services.  There is nothing more difficult to address than a matter or case that has become complicated by new facts, where you expected the matter to proceed smoothly and without significant cost.  Knowing all the facts early in a case or matter allows you to properly prepare for and manage the case.

B.  Response To Pending Litigation

Having us analyze your relevant computers is an excellent way to discharge your duties to preserve evidence and avoid spoliation, while also acquiring all relevant information essential to your legal theories and strategies.  Similarly, as part of critical business decisions, forensically analyzing relevant computers can provide essential information.  For example, analyzing the computers of corporate officers or employees as part of the termination process can alert you to possible litigation issues such as violation of non-compete agreements, improper copying of intellectual property, etc.

C.  Support During Litigation

In litigation, it is particularly important for an attorney to determine whether a Request for Production of Documents will obtain all relevant evidence as a part of the discovery process (also called e-discovery).  You might simply ask yourself whether you want to discover part of the relevant information (i.e., that seen by your opponent's operating system) or all of it (deleted, hidden, orphaned data, etc.).  It is realistic to anticipate that information contained on a computer system that is helpful to a matter would be saved, while that which is harmful would be deleted, hidden, or rendered invisible.  For example, in sexual harassment cases, it is common to discover deleted e-mail messages and other data invisible to the operating system that significantly affect the case.  Computer forensic analysis can extract all the e-mails, memos, and data that can be viewed with the operating system, as well as all invisible data.  In many cases, the invisible data completely changes the nature of a claim or defense, leading to early settlement and avoidance of surprises during litigation.

D.  In Any Situation Involving Computers Being Used In An Illegal Or Inappropriate Manner

Whether the case may be a domestic matter where one wants to see what is happening with their mate’s / partner’s secret life or an employer who may need to know what a particular employee is doing, it is essential to call a forensic expert.  Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate or illegal use.  Taking no steps or the wrong steps in these circumstances can irretrievably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.  

[Back to Top]

 

5.  How else might Computer Forensics be employed?

Computer Forensics may also be used in cases of unauthorized disclosure or copying of sensitive business data, such as customer databases, price lists and employee payrolls, whether by accident or by intent; fraud and deception; Internet abuse by employees including downloading of pornography; industrial espionage by "crackers" and subsequent damage assessment; recovery of data thought to be deleted; revelation of data hidden or included in temporary or swap files; access to encrypted, password-protected data.

In general, as computers have moved into the mainstream, they are employed in more instances where sensitive information is sent by e-mail, instant messaging, FTP or copied on disk.  Computer Forensics investigators can help validate the integrity of this computer data and interpret it.  

[Back to Top]

 

6.  What is involved in Computer Forensics and does the process work?

Computer Forensics includes the acquisition, examination, identification, analysis and interpretation of electronic data commonly created and used by computers and related digital devices.  The process can be used to support both civil and criminal litigation as well as to enhance overall corporate information technology security.  In general, Computer Forensics provides digital evidence to support allegations of certain activity in which computers are involved.

The forensic investigator's first step is to clearly determine the purpose and objective of the investigation.  Then, the forensic investigator will take several careful steps to identify and extract all relevant data on a particular computer system or systems.  Forensic analysis will extract the data that can be viewed by the operating system, as well as data that is invisible to the operating system.  The investigator will discover all files on the subject's system.  This includes existing active files and invisible files: deleted yet remaining files, hidden files, password-protected files, and encrypted files.  In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the unused portion of the space allocated to existing files, known by computer forensic practitioners as slack space.  Special skills and tools are needed to obtain this type of information or evidence.

TCG’s analysis and investigation work is conducted using the highest level of forensic scrutiny.  We follow known forensic procedures and use only open and verifiable programming techniques.  Our methodologies are transparent and, in legal cases, we encourage the Court and opposing sides to dissect our work because we stand behind its admissibility 100%.  

[Back to Top]

  

7.  Are there any actions that should be avoided during an investigation?

It is certainly important to avoid changing time or date stamps (typically of files) or, of course, changing the data itself.  The same applies to the overwriting of unallocated disk space (which can happen, for example, on reboot).  'Study, don't change' is an important catch-phrase.  A critical point to remember is that once evidence is destroyed or contaminated, it is gone forever and cannot be reconstructed.

[Back to Top]

 

8.  Do you guarantee recovering the data I am seeking if I order a Computer Forensics investigation and analysis from you?

No.  However, we do guarantee our absolute best effort and are highly confident that we can recover the data that is recoverable.  This is because what data may or may not reside on the hard disk drive of a computer is literally unknowable to us in advance of an investigation.  For that reason, we do not know, in advance of an examination, what data may or may not be recoverable.

[Back to Top]

 

9.  If I think that evidence exists, is it O.K. if my technology expert takes a look for the information before I get in touch with a Computer Forensics Expert?

Who conducts a forensic investigation and how that investigation is conducted are critical elements to a successful outcome.  Organizations that fall victim to computer crime may be inadvertently destroying evidence in their efforts to find the perpetrators.  The hard reality is, you will have only one opportunity to collect the evidence you need to prove your case or discover crucial information in a matter.

Human resources or other managers sending in well-meaning IT staff who do not know what they are doing only serve to ruin or otherwise contaminate evidence.  Although an organization's internal IT staff may be highly knowledgeable regarding their working environment and the technology employed within it, computer forensic investigations are best performed by outside certified experts.  Specifically, the nature of the forensic analysis process, coupled with the evidence-preservation and chain-of-custody requirements imposed by courts, necessitates that computer forensic investigations be performed by external entities equipped with authorized forensic technology and trained to observe forensic protocols.  You need a professional certified computer forensic team in there as soon as possible.

Additionally, using in-house personnel can raise issues and challenges related to authentication.  This can increase the cost of admitting evidence.  In-house personnel may be put through a challenge that could threaten the admissibility of critical evidence.  If there is a remote chance that the matter could end up in court, best practices strongly suggest that it is critical to have data analyzed by a computer forensic expert.  The cost of expert analysis will almost always be far less than the cost of defeating a challenge to the admission of critical evidence. 

The fact is that most in-house technology experts are concerned with mission critical data and recovery from catastrophic data loss.  They are not expert in the acquisition and preservation of data rendered invisible to the operating system.  Even the most well intentioned technology expert can damage the fragile information that is stored on a computer, especially when the operating system does not recognize the data.  The simple act of turning the computer on or looking through files can potentially damage the very data you’re looking for.  Dates can be changed, files overwritten and evidence can be corrupted.  Accusations of evidence tainting are common in cases involving computer data when the party who owns or acquires the computer data also analyzes it.  Issues such as accessibility to the data by other parties, experience and credentials of the person who acquired and reviewed the data, as well as other questions along these lines are typical.

For the above reasons it is not advisable for an employer, employee, friend, etc. to perform the function of acquiring and reporting evidence that has any chance of being litigated by any party.  Professional, third-party companies like TCG are experienced in this type of work and are considered neutral and unbiased.  Evidence obtained and submitted by certified professionals such as TCG's investigators is likely to carry much more weight in front of opposing counsel, corporate management, a jury or any other party.  TCG certified investigators employ the proper hardware and software to identify, isolate, and preserve electronic information in a court-admissible manner.  They possess the expertise and experience vital to efficiently analyze electronic information and uncover electronic evidence while relying upon essential training and experience to ensure the court admissibility of electronic evidence.

[Back to Top]

  

10.  What risks are there if I don’t consult a Computer Forensics Expert at the start of a problem?

The most frustrating aspect of forensic analysis is that the computer's operating system randomly "overwrites" deleted data on the hard drive.  This means that the longer a computer is used, the more likely it is that older evidence will be lost.  Fortunately, the operating system frequently records evidence in several places simultaneously.  So if the data is overwritten in one area, it may still reside in another.  It is impossible to know, however, whether the data that is most important to you will survive the constant use of the computer.  Indeed, the simple act of turning the computer on or looking through files can potentially damage the very data you are seeking.  The dates that files were created can be changed, files can be overwritten and evidence can be corrupted.  The safest practice is for us to acquire an image of the computer's hard drive as soon as possible.  Time normally reduces the amount of deleted data that is recoverable.

[Back to Top]

 

11.  How do I calculate and determine my Return on Investment (ROI) by contracting Computer Forensic Services?

Return on Investment (ROI) is an important measurement tool.  If you are thinking about conducting this type of work yourself, using your corporate IT department or a local computer technician, consider the internal dollar cost and the possibility of your evidence being tossed out of court because of the method by which it was acquired, the qualifications of those who worked on it, or personal and business associations your staff might have with the subject.  The internal cost is not only the time you or other people spend performing this work, but also the time they are taken away from their assigned responsibilities, the time spent writing reports (a 40 GB hard drive can have over 9,101,420 pages of data), possible interrogatories and depositions, other internal issues, gossip spreading and loss of work productivity.  All of these may occur and can affect you, your business and, most importantly, the outcome of your case or situation.

[Back to Top]

 

12.  How can a Computer Forensic Company help us reduce loss and liability?

Consider the following: it is estimated that each year, billions of dollars are lost through employee theft, fraud and sabotage.  This is the direct cost only. Add to it billions more in investigation and litigation costs, lost productivity, and the future value of Intellectual Property lost.  The list goes on as do the billions of dollars lost.  Now, add the cost of the publicity surrounding employee malfeasance: Loss of reputation, employee morale, a depressed stock price.

Finally, the new regulatory and litigation environment we are now entering places a new, heightened level of personal responsibility and liability on corporate executives and directors for the activities of their employees and organizations.  How many are willing to take that risk?  In civil cases, the evidence that we find may well cause the other side to seek settlement.

Often, the value of using professional, certified, third-party computer forensic firms like TCG far outweighs the internal costs, both in dollars and in winning your case.  In addition, our rates are competitively priced while delivering fast, aggressive service anywhere, anytime in the world.

[Back to Top]

 

13.  How much do Computer Forensic Investigations typically cost?

In the past, Computer Forensic Examinations could run tens of thousands of dollars because of the manpower necessary to thoroughly examine a hard drive.  With the advancement of technology in the Computer Forensics arena, that is no longer the case.  The software and hardware available now make the price of Computer Forensics affordable and well worth the investment.  Average costs nationally range from $350 an hour to upwards of $700.00 per hour.

As a part of the basic investigation, TCG will forensically examine a hard drive and search for up to Ten (10) keywords that you supply.  We will then forward to you a report that includes every instance of the keywords, whether it is in a deleted file, e-mail message, viewed web page, Word document, or any other active or deleted file that resides on the hard drive. This initial step will help determine if you have a case and if further examination is warranted.  The total cost of a Computer Forensics investigation is based upon an hourly rate plus expenses incurred.  The total cost will depend upon the complexity of the issues and the time involved. More time is usually required in the analysis and interpretation phase than in the initial acquisition of the data.

We charge $200.00 per hour for forensic analysis and require a $2,000.00 minimum fee for ordinary cases (a single PC or Mac with up to a 50 gigabyte hard drive).  Work beyond the basic forensic analysis is billed at our hourly rate in 15-minute increments.  Why do we have a 10-hour minimum?  It is because an average examination takes a minimum of 10 hours to complete.  Factors that affect the amount of time required include the amount of data to search (hard drive size, number of diskettes, etc.), volume of material, encryption, data hiding, and attempts at destroying the data.

Advice about your investment in forensic analysis:  Counting pennies should not be a consideration when you need a proper forensic analysis completed.  Consider what you stand to lose if your investigation is not handled properly and by a trained professional.  The value of retaining a professional computer forensics firm far outweighs the internal costs, both in terms of dollars and in terms of winning your case.  Our best advice is to not be "penny wise and pound foolish."

[Back to Top]

 

14.  Why do you require a $2,000.00 nonrefundable base fee?

We are often asked to perform less than a complete analysis or to limit our hours in an effort to minimize the cost.  While it is human nature to invest the minimum amount of money possible to attain a given result, we are not able to accommodate such requests.  Doing so would cause us to conduct a less than thorough analysis and would shortchange our client.  The result of this would be that we would likely not be able to obtain all of the evidence that is sought because of insufficient time being allocated to the examination.  It would also place our reputation in jeopardy.  If we do not find evidence that is present, it could reflect poorly on us, even though our client asked us to limit our hours.

As stated above, in our experience, a basic examination of a computer's hard disk drive is going to take at least 10 hours and can take 20 or more hours for in-depth searches.  There is no "typical" case, so each case takes as long as necessary to be thorough.  If the potential client is unwilling or unable to invest this minimum amount, then we are not the correct firm for them to retain for this work.

[Back to Top]

 

15.  I have heard that attorneys may be liable for malpractice if they don't consider computer evidence as a part of a case.  How realistic is this?

While we are not attorneys and therefore are not qualified to provide legal opinions or advice, it is both well documented in the media and logical that computer or digital evidence has been the "smoking gun" in many high-profile cases.  With the majority of new information in businesses of all sizes being created and stored on computer systems of all sizes, it is indisputable that digital evidence, be it documents, databases or the omnipresent e-mail, should be considered a primary source of evidence.  While malpractice is a harsh word, it certainly is not in any client's best interest to ignore potentially relevant sources of evidence, including computer evidence.

[Back to Top]

 

16.  I think that a computer in my organization may contain important evidence.  What do I do now?

This is a common question.  The very first thing to do is stop using the computer.  Any use of a suspect computer may damage data and taint any evidence that may exist on that computer.  If the suspect computer is turned off, leave it off.  If the computer is on, DO NOT go through a normal shutdown process and do not touch the keyboard.  Instead, unplug the computer from the power source (power outlet or UPS).  Do not allow the internal IT staff to conduct a preliminary investigation.  If the suspect computer is a notebook (laptop) or a similar portable computer, unplug the computer from the power source and allow the battery to run down until the computer shuts off.

If internal staff have already examined the computer, consider the following.  First, all you have is information and data; there is no evidence.  Unless your IT staff is certified in Computer Forensics and trained (and very few are) in evidentiary procedures, they have not maintained chain of custody or followed other accepted evidence-handling techniques.  Second, even if proper evidence-handling techniques have been used, the collection process itself has altered, and likely tainted, the data collected.  By opening, printing, and saving files, the metadata has been irrevocably changed.  Third, turning on the computer changes caches, temporary files, and slack space which, along with the alteration of the metadata, may have seriously damaged or destroyed any evidence that was on the computer.

Depending on the damage done by the internal IT staff, a skilled computer forensics vendor may be able to salvage the damaged evidence.  This, however, can be an arduous and time-consuming process which often costs several times more than the original analysis would have cost.  Moreover, it is not always possible to restore evidence, especially metadata timelines, from computers that have been mishandled.  A good rule of thumb is to always use a certified external vendor for computer evidence collection.

Computer forensics may be an unknown and mysterious discipline to many, but it is easy to avoid the most common procedural mistakes.  Only use a certified computer forensics expert, and do not rely on the internal IT staff for computer forensics investigations.  If there is even a 10% chance that evidence from a suspected computer system will be needed in the future for any reason, have TCG conduct a forensic analysis and complete a report.  

[Back to Top]

 

17.  How should I ship my computer/hard drive to TCG for a Computer Forensics Investigation?

Please, before you do anything, call for complete instructions.  TCG recommends that you have the disk drive(s) removed by an experienced computer technician and shipped to us.  TCG can also talk you through this process.  Please do not ship anything to us without contacting us in advance and obtaining a Case Number from us.  The Case Number must be written on the shipping label.  We will give you further shipping instructions when you contact us.

Disk drives are static sensitive.  Therefore, we recommend that the drive(s) be placed in an antistatic bag and sealed.  Wrap about ½ inch of solid foam or bubble wrap around the drive and tape it so all sides are sealed.  Make sure the contents will not bounce around in the box you use.  If the hard drive is removed from the computer and sent to TCG for a Forensic Examination, make sure to document the date and time in the system and note whether it differs from the current time.

Note: DO NOT USE 'PEANUTS' OR ANY STYROFOAM PACKING MATERIAL - THIS MATERIAL CREATES STATIC ELECTRICITY  

[Back to Top]

 

18.  Does anything that you do in the process of acquiring the data change the hard drive?

There is no damage to or alteration of any of the information contained on the original "suspect" source; all analysis is performed on an image file or a copy.  The hard drive is imaged (copied) onto our super computer.  The system data is then analyzed from the "imaged" copy of the hard disk drive.
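As an added example (not TCG's code or any particular tool's), the Python below builds a constructed toy disk to illustrate the points in questions 6 and 18: "deleting" a file frees its clusters but leaves the bytes, a short new file that reuses a cluster leaves the old file's tail in its slack space, and the examiner images the source with reads only, proving by hash that the source is unchanged and the image identical before analyzing the image. The cluster geometry, the file contents and the ToyDisk allocation scheme are assumptions for illustration.

```python
import hashlib
import io

# Toy geometry (assumption); real file systems use clusters of 4 KiB or larger.
CLUSTER_SIZE = 512
CLUSTER_COUNT = 8


def clusters_needed(size, cluster_size=CLUSTER_SIZE):
    """Number of whole clusters a file of `size` bytes occupies (at least one)."""
    return max(1, -(-size // cluster_size))


class ToyDisk:
    """Fixed-size clusters plus an allocation table (True = cluster in use)."""

    def __init__(self, cluster_size=CLUSTER_SIZE, cluster_count=CLUSTER_COUNT):
        self.cluster_size = cluster_size
        self.data = bytearray(cluster_size * cluster_count)
        self.allocated = [False] * cluster_count
        self.files = {}  # name -> (first_cluster, logical_size)

    def _find_free_run(self, need):
        run = 0
        for i, used in enumerate(self.allocated):
            run = 0 if used else run + 1
            if run == need:
                return i - need + 1
        raise OSError("disk full")

    def write_file(self, name, content):
        """Only the file's own bytes are written; the rest of its last cluster
        keeps whatever was there before. That remainder is the file slack."""
        need = clusters_needed(len(content), self.cluster_size)
        start = self._find_free_run(need)
        offset = start * self.cluster_size
        self.data[offset:offset + len(content)] = content
        for c in range(start, start + need):
            self.allocated[c] = True
        self.files[name] = (start, len(content))

    def delete_file(self, name):
        """'Delete' releases the clusters but leaves the bytes in place, so the
        content survives until something else is written over it."""
        start, size = self.files.pop(name)
        for c in range(start, start + clusters_needed(size, self.cluster_size)):
            self.allocated[c] = False


def sha256_stream(stream, chunk=4096):
    """SHA-256 of a whole stream, read in chunks from the beginning."""
    h = hashlib.sha256()
    stream.seek(0)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def acquire_image(source):
    """Bit-for-bit copy of `source` using reads only. The source is hashed before
    and after to show acquisition changed nothing; the image hash must match."""
    before = sha256_stream(source)
    image = io.BytesIO()
    source.seek(0)
    for block in iter(lambda: source.read(4096), b""):
        image.write(block)
    after = sha256_stream(source)
    image_hash = sha256_stream(image)
    return image.getvalue(), {"source_before": before, "source_after": after,
                              "image": image_hash,
                              "verified": before == after == image_hash}


def file_slack(image, cluster_size, first_cluster, logical_size):
    """Bytes between the logical end of a file and the end of its last cluster."""
    start = first_cluster * cluster_size + logical_size
    end = (first_cluster + clusters_needed(logical_size, cluster_size)) * cluster_size
    return image[start:end]


def unallocated_clusters(image, cluster_size, allocated):
    """(cluster index, bytes) for every cluster the allocation table marks free."""
    return [(i, image[i * cluster_size:(i + 1) * cluster_size])
            for i, used in enumerate(allocated) if not used]


# Constructed scenario: a sensitive memo is written, deleted, and partly
# overwritten by a short, innocuous file. All analysis then runs on the image.
MEMO = b"CONFIDENTIAL draft price list - do not forward. " * 16  # 768 bytes, 2 clusters
NOTE = b"Quarterly meeting moved to Thursday."                  # 36 bytes, 1 cluster


def demo():
    disk = ToyDisk()
    disk.write_file("memo.txt", MEMO)
    disk.delete_file("memo.txt")
    disk.write_file("notes.txt", NOTE)  # reuses cluster 0; memo tail stays in slack
    image, report = acquire_image(io.BytesIO(bytes(disk.data)))
    first, size = disk.files["notes.txt"]
    slack = file_slack(image, disk.cluster_size, first, size)
    free = unallocated_clusters(image, disk.cluster_size, disk.allocated)
    return report, slack, free
```

Running `demo()` shows the active file looks innocuous while its slack and the freed cluster still carry the deleted memo, and the report's three hashes agree, which is the check an examiner records before touching the copy.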

[Back to Top]

 

19.  Why should we choose you to examine our computer?

We have years of experience in the recovery of computer data, computer forensics, and computer-related investigations.  Our clients include corporations of all sizes and state and federal agencies.  We regularly provide expert testimony in state and federal courts concerning computer forensic examinations.  We provide training to law enforcement officers (city, county, state, federal, and military) around the country in the investigation of computer crimes and computer forensics.  If it is important enough for you to have a forensic analysis completed in the first place, then isn't it critical for you to use the best?

[Back to Top]

 

20.  You're located in Iowa.  Wouldn't it be cheaper for me to get someone who is local to my area?

We have clients throughout North America.  Most of our cases never require any travel; the client ships the hard drive(s) to us, and we e-mail or overnight our results back to the client.  The most important factor in selecting a computer forensic examiner shouldn't be geography.  There are very few truly qualified firms across the United States in the computer forensics field.  Many of the major cities in the U.S. don't have any qualified individuals in the private sector.

Why pay high East or West Coast prices when we can do the same or a better job for you for a significantly reduced cost?  

[Back to Top]

 

21.  Can my employee qualify in court as an expert in the forensic examination of a computer?

Probably not.  Assuming their findings were not suppressed, they would only be allowed to testify to facts.  They would not be allowed to testify to opinions or conclusions. Our expertise has already been recognized by state and federal courts around the country.  We often receive computers to examine after a company's computer personnel have attempted to recover evidence from it.  In their attempts, they have destroyed important evidence such as the date that files were last accessed.  The forensic processes and hardware that we utilize are designed to safeguard every bit of evidence.  

[Back to Top]

 

22.  We don't plan on going to court.  We're just looking for what an employee has been doing on a computer.  Isn't it O.K. to use in-house computer personnel to do this?

If your concerns are strong enough to warrant a forensic examination of a computer, then it really is important enough for you to do it correctly.  If the employee is fired or disciplined as a result of the examination, civil litigation follows in many cases.  We can provide you with the documentation and expert testimony that are necessary to substantiate your actions based on the independent evidence we may obtain through the forensic investigation process.  Our vast experience allows us to not only find the evidence, but to interpret and articulate its meaning.  

[Back to Top]

 

23.  We are working with another Private Investigative company. Why can't they examine computers for us?

While there are many tens of thousands of Private Investigators around the country, the examination of computers is far beyond the skills and training of all but a limited few.  There are many specialties in Private Investigation.  However, just because an investigator has excellent credentials for conducting general investigations, does not mean that they are qualified to examine computers.  If you are going to pay someone to recover computer evidence, our advice is to pay a professional examiner.  With our expertise and tools, we can recover evidence that others wouldn't even know to look for as a part of an examination.  


24.  What is Data Recovery?

Again, a classical definition is that data recovery is the process of retrieving the data from damaged disk drives, media, computers, peripherals or operating systems or recovering lost or deleted data from media.  


25.  How is Computer Forensics different from Data Recovery?

Electronic media that has become, for whatever reason, unavailable to the user requires data recovery services.  The reason for the data being unavailable could be due to accidental deletion, intentional deletion, hacker or virus activity, a hard drive crash, etc.  Data recovery seeks to restore the missing data so the user can access and use that data again.

Computer forensics deals with analyzing electronic media as part of an investigation into an incident or suspected activity.  Computer forensics seeks to determine and uncover the evidence that verifies or denies a suspicion about a series of events or activities.  Recovering deleted files is a large part of computer forensics but the purpose for restoring that deleted or lost data is completely different from simple data recovery.  


26.  Can we use a Data Recovery firm for doing Computer Forensics?

Some data recovery firms may have qualified forensic examiners; most do not.  While some of the same skills and software are used in both computer forensics and data recovery, computer forensics requires extensive additional knowledge and experience.  Remember, a forensic examiner is not only finding the data but is also providing expert analysis of what they find. This expert opinion must be capable of standing up under intensive cross-examination.  Likewise, you need to know the qualifications of the person(s) that will actually perform the examination rather than the collective qualifications of all of the examiners at the company.  When it comes time for testimony, the individual examiner's qualifications, not the company's, will be under scrutiny.  


27.  We already have a relationship with a major accounting firm that says they can do computer forensics. Why can't they examine computers for us?

There are some excellent forensic examiners working for the major accounting firms.  However, there are also some unqualified individuals being passed off as qualified.  As with a data recovery firm or any other firm, the qualifications of every individual that will be involved in your case must be known in advance.  Besides, using an accounting firm for a computer forensics examination is like going to a veterinarian for a medical checkup: neither makes sense.  That is why they are called "accounting" firms and not computer forensics firms.


28.  What qualifications should we look for in a Computer Forensic Examiner?

There are an ever-increasing number of people hanging out their shingle as computer forensic examiners.  Some are among the most qualified individuals in the country; others are opportunists, lacking expertise, who believe they can make fast money.  Certainly, a factor to consider is whether technicians are professionally certified to conduct forensic examinations.  Professionally certified examiners are accustomed to operating at a proof level of beyond a reasonable doubt.

While computer forensics requires the ability to think logically, it also requires investigative instincts.  Examiners that are seasoned investigators have honed these skills.  An examiner that does not have an investigative background may think logically, but probably lacks the investigative instincts.  An examiner who possesses critical investigative instincts can be the difference between a case being solved and not being solved.

Another issue is the forensic processing software used by the examiner. Some firms are using dated analysis methods that result in their examinations taking significantly more time than firms using state-of-the-art methods.  Longer examination times mean a far greater cost to the client.  This is one of the reasons TCG has a modern computer forensics lab.


29.  What evidence can be found on a computer?

A lot of information is stored on a computer that most users are unaware of.  We can usually tell what a computer was used for, when it was used, what the user has done on the Internet (and when), and recover much of what the user wrote, read or viewed on the computer.  Deleted files yield the most evidence, since most people actually think files disappear when they delete them.  An area on disk drives known as 'slack space' is space that the operating system "sees" as empty.  However, this area can also hold data put there by the suspect.

Evidence can be found in many different forms: financial records, word processing documents, diaries, spreadsheets, databases, e-mail messages, Websites visited, passwords, pictures, movies, sound files, etc.  Ultimately, anything that can be entered into or stored on a computer system can be recovered.  Often, computer forensics is invoked to recover hidden files, damaged files, corrupted files, deleted files, password protected files, encrypted files, email and web mail correspondence, evidence of web browsing and internet chat data.  


30.  Where is information stored on a computer?

Information is normally stored in plain sight on the internal hard drive of a computer.  While some criminals are dumb enough to store incriminating evidence this way, most data of interest to forensic investigators is not stored in plain sight.


31.  What happens when you 'delete' a file?

One of the best analogies to use is to think of a card catalog in a library. When you delete something, all you are doing is throwing out the card from the card catalog.  The book remains on the shelf.  The computer has only been told that the space on the shelf is available for use if necessary.  If the computer does use that space, then the old file is overwritten and is literally gone.  With our specialized skills and software tools, we can find those 'old books' still on the shelves.  Often, the 'old book' is still there to be found by the trained professional investigator.  And, even if we can't get the entire book, we can normally get substantial parts of it.  


32.  Can you recover deleted data from a computer?

If the data has not been completely overwritten, yes.  If it has been partly overwritten, maybe.  If the file was fragmented before it was deleted, recovery may be very difficult.  On the whole, we can recover many instances of deleted data. The probability of success depends upon the specific circumstances.  These include the type of data, the length of time since its deletion and the activity on the computer since its deletion, among other factors.

In general, full recovery or partial recovery of text data is easier than binary data, such as images.  Data deleted in the past few days is easier to recover than data deleted many months ago.  Data from a relatively inactive computer which stores little information is easier to recover than data from an actively used system that's approaching its full capacity.
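The card-catalog analogy in question 31 and the three outcomes in question 32 (intact, fragmented, overwritten), as an added toy simulation that is not code from TCG or the original page; the block size, the `HDR:` signature and the sample file contents are constructed for the demo:

```python
"""Toy model of the card-catalog analogy above (constructed example, not
TCG's code): fixed-size blocks, a catalog mapping names to block lists, and a
free-block set. Deleting drops only the catalog entry; data stays until reused."""

BLOCK = 8           # bytes per block, tiny so the demo stays readable
HEADER = b"HDR:"    # constructed file signature that the carver looks for


class ToyDisk:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.catalog = {}                  # name -> ordered block indexes
        self.free = set(range(nblocks))    # unallocated block indexes

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        idx = sorted(self.free)[:len(chunks)]   # first-fit, so it may fragment
        if len(idx) < len(chunks):
            raise OSError("disk full")
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK, b"\x00")
        self.free.difference_update(idx)
        self.catalog[name] = idx

    def delete(self, name):
        # Throw away the catalog card; the 'book' stays on the shelf.
        self.free.update(self.catalog.pop(name))

    def carve(self):
        # Starting at each unallocated block that begins with HEADER, collect
        # following blocks while unallocated, non-empty and not a new header;
        # an allocated or reused block ends the run (partial or no recovery).
        found = []
        for start in sorted(self.free):
            if not self.blocks[start].startswith(HEADER):
                continue
            data, i = b"", start
            while (i < len(self.blocks) and i in self.free and any(self.blocks[i])
                   and (i == start or not self.blocks[i].startswith(HEADER))):
                data += self.blocks[i]
                i += 1
            found.append(data.rstrip(b"\x00"))
        return found


def scenarios():
    """The three outcomes the FAQ describes: intact, fragmented, overwritten."""
    memo = HEADER + b"meet at noon, room 4"          # 24 bytes = 3 blocks
    out = {}
    d = ToyDisk(6)
    d.write("memo", memo)                            # blocks 0,1,2 contiguous
    d.delete("memo")
    out["contiguous"] = d.carve()                    # the whole file comes back
    d = ToyDisk(6)
    d.write("a", b"A" * BLOCK)                       # block 0
    d.write("b", b"B" * BLOCK)                       # block 1
    d.delete("a")                                    # free: 0,2,3,4,5
    d.write("memo", memo)                            # blocks 0,2,3: fragmented
    d.delete("memo")
    out["fragmented"] = d.carve()                    # run stops at block 1
    d.write("new", b"N" * BLOCK)                     # reuses block 0, the header
    out["overwritten"] = d.carve()                   # nothing left to find
    return out
```

Real file systems add journals, metadata copies and wear levelling that change the details, but the allocate, unlink and reuse cycle the model shows is why the age of the deletion and the activity since it matter so much.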


33.  Who can allow a computer to be searched for evidence?

The owner of a computer can grant permission for it to be examined. A business may grant permission for a search on any of their computers, regardless of the user.  In a civil dispute, the parties can agree to an examination or the court can order an examination.  In a criminal case, the computer will usually first be seized by law enforcement.  The opposing attorney can often request copies of the seized material and the report of its examination or request an examination by a private computer forensics lab.

We can only conduct a computer forensics investigation on a computer or media that is provided to us by the owner of that system or media, or by an authorized representative of the owner, or on a system or media that a court of law has ordered to be examined.


34.  What does a Computer Forensic Analyst do?

The first rule of computer forensic evidence analysis is to never alter the evidence in any way.  The simple act of turning on a computer can alter or destroy any evidence that might be there.  The search for evidence on a computer should only be done by a trained and experienced computer forensic examiner.  The examiner will document all work, write-protect all media, make copies of media (often referred to as a mirror image), perform an examination and analysis on the copies, and prepare a written report. Extra copies of the mirror images are often prepared for other investigators, attorneys or the opposing side.  You may get the copies on CD-ROMs, tapes or some other media.  Even these copies will need to be analyzed by an experienced professional.  


35.  What should be included in a Forensic Examination Report?

As with the examination of any evidence, a well-documented chain of custody is a must.  A forensic analysis should include notes taken by the examiner.  These notes may not be included in a final written report, but they can and do get included in discovery requests.  The report should detail the hardware examined, the procedures and software used in the examination and any evidence found.  Often, the volume of evidence is so large it will not be included in printed form but will be included in electronic form (most often on CD-ROM).  A good report is complete and written so that a layperson can understand it.  It can eventually be included as evidence in court.


36.  I have a computer that I suspect has evidence on it.  What should I do now?

The best thing to do is to pick up the phone and call us immediately.  We will walk you through the steps to deal with the situation.  How you handle the computer from the moment you suspect an incident until we arrive on the scene will make or break your case.  If the computer is powered off, LEAVE IT OFF!  If the computer is powered on, remove the network cable from the Ethernet card or remove the phone cable from the modem (or both) and LEAVE THE COMPUTER ON!  From this point on, do not let anyone touch the computer until you call and talk with us about what to do next.  


37.  What happens in the event that the matter goes beyond your organization? 

Suppose you confront the employee with whatever evidence you find and then discipline that employee.  What if the employee then decides to sue you and the organization for the action you took against him or her?  If your computer personnel did not take the appropriate steps to maintain and protect the original media, it will not be admissible in court, and you will likely not be able to prove your case.  Even if the evidence you recovered is admissible in court, your employees will only be allowed to testify to the facts of the matter, and not to their opinions or conclusions.  Why risk this liability?  Why not do it right the first time by hiring TCG to do a proper forensic analysis for you so you do not run into complicated and costly problems later on?  


38.  Can I monitor the e-mail, instant messages and Web access of others who use my computer(s)?

Yes, you can. The best solution to carry this out depends upon the number of computers and computer users.  For a few PCs, software-based monitoring installed on each computer is usually the most cost-effective solution.  The right monitoring software can track e-mail sent and received, including Web-based e-mail services such as Microsoft's Hotmail.  Instant messages can be saved.  The software can also record Web sites visited and, if required, block access to specified Web sites, such as those with pornographic content.

This type of individualized computer monitoring software may be used by a small business to track employee usage. It may also be used on a home PC to monitor computer use by others in the household, such as children.  We can provide Internet surveillance and monitoring solutions.  For larger corporate installations with many PCs and users, a centralized network-based solution is usually the most efficient and easy to administer.  Typically, this will include a configurable hardware-based firewall and data vaulting capabilities to comply with Sarbanes-Oxley requirements.  


39.  Can you determine who sent an e-mail?

Our examination of the complete contents of an e-mail message will usually show the path it traveled over the Internet to reach its destination.  This will give clues to the e-mail's origin, which may be traced back to an ISP (Internet Service Provider) or a corporate network.  Sometimes, the information will include sufficient detail to link the e-mail to the specific computer which probably sent it.  
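Reading the relay path out of a message's Received: headers, as an added example that is not TCG's code; the message is constructed, and its host names, addresses (RFC 5737 documentation ranges) and timestamps are placeholders chosen only to show how the hops are read:

```python
"""Reading the relay path out of an e-mail's Received: headers (constructed
example, not TCG's code; all hosts, addresses and times are placeholders)."""
import re
from email import message_from_string

# Each relay prepends its own Received: line, so the top line is the last hop
# (the recipient's server) and the bottom line is the first.
SAMPLE = """\
Received: from mx.example-isp.net (mx.example-isp.net [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTPS id ABC123;
\tMon, 1 Jan 2024 10:00:05 +0000
Received: from workstation-07 (dyn-23.example-isp.net [198.51.100.23])
\tby mx.example-isp.net with ESMTP id XYZ789;
\tMon, 1 Jan 2024 10:00:01 +0000
From: someone@example-isp.net
To: someone-else@recipient.example
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(?P<name>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace(raw):
    """Return the hops in chronological order (origin first). Each hop holds
    the name the sending host announced, the address the receiving relay
    recorded for it, and the receiving relay. Only lines added by relays you
    trust are reliable: everything below the first relay outside the sender's
    control could have been written by the sender."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP.search(" ".join(hdr.split()))   # unfold continuation lines
        if not m:
            continue
        ip = IPV4.search(m.group("info") or "")
        hops.append({"from": m.group("name"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    hops.reverse()
    return hops


if __name__ == "__main__":
    for n, h in enumerate(trace(SAMPLE), 1):
        print(f"hop {n}: {h['from']} [{h['ip']}] -> {h['by']}")
```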


40.  Can you determine who wrote or printed a computer document?

In many cases, we can determine the probable author of an electronic document, such as a word processor file, by examining the document data file.  We may be able to determine who printed a paper document using a computer. Some computer printers encode data in the printed document. After decoding, this data can provide information such as the serial number of the printer and the date and time of the printout.  This information may be sufficient to determine the owner or user of that computer printer.  


41.  What is hashing and how can we use it in forensics?

Cryptographic hashes are a family of mathematical functions that reduce an input down to a small, fixed-size output. They can be used to fingerprint known good or bad files and then compare those fingerprints against unknown files.  Any new files that match the known good files can be eliminated from further analysis.  Any files that match the known bad files should be noted and investigated.
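The known-good / known-bad triage just described, as an added example that is not TCG's code; the hash sets and the sample file contents are constructed (in practice the good set would be loaded from a published hash set of operating-system and application files, and the bad set from malware or case-specific samples):

```python
"""Hash-set triage as described above (constructed example, not TCG's code:
the hash sets and the sample files below are made up for the demo)."""
import hashlib


def fingerprint(data: bytes) -> str:
    # SHA-256 hex digest. Older hash sets use MD5 or SHA-1; both are collision
    # prone, so build new sets with SHA-256 (or record several algorithms).
    return hashlib.sha256(data).hexdigest()


def fingerprint_file(path, chunk=1 << 20):
    # Same fingerprint for an on-disk file, streamed so large files fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_set(samples):
    return {fingerprint(d) for d in samples}


def triage(files, known_good, known_bad):
    """files: name -> contents. Returns name -> one of
    'investigate' (matches known bad), 'eliminate' (matches known good),
    'review' (in neither set, so an examiner still has to look at it)."""
    result = {}
    for name, data in files.items():
        h = fingerprint(data)
        if h in known_bad:            # checked first: a bad match always wins
            result[name] = "investigate"
        elif h in known_good:
            result[name] = "eliminate"
        else:
            result[name] = "review"
    return result


def demo():
    # Constructed sample contents standing in for real files.
    good = build_set([b"MZ... stock system binary", b"stock help text"])
    bad = build_set([b"known keylogger sample"])
    files = {
        "calc.exe": b"MZ... stock system binary",          # unmodified OS file
        "readme.txt": b"stock help text",
        "svc.exe": b"known keylogger sample",               # renamed known-bad file
        "calc_patched.exe": b"MZ... stock system binary!",  # one byte differs
        "notes.docx": b"user authored content",
    }
    return triage(files, good, bad)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:12} {name}")
```

Note that `calc_patched.exe` lands in the review pile: a hash match is exact, so a file that differs by a single byte from a known-good one is neither eliminated nor flagged, which is exactly why modified system files deserve a look.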


42.  Who can use Computer Forensic evidence?

Many types of criminal proceedings and civil proceedings can and do make use of evidence revealed by computer forensics specialists:  

- Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record keeping, and child pornography.
- Civil litigation can readily make use of personal and business records found on computer systems that pertain to fraud, divorce, discrimination, and harassment cases.
- Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
- Corporations often retain computer forensics specialists to ascertain evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal or confidential information.
- Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.
- Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination.


43.  What is an Anton Piller order? How does it relate to Computer Forensics?

An Anton Piller order typically authorizes the collection of specific data related to a specific civil court action.  Anton Piller orders were formerly rarely used, but have recently become more commonplace in matters where computer data is critical.  Computer data can be quickly erased if there is knowledge of a pending legal search.  The defendant should have no prior knowledge of the Anton Piller order until the plaintiff's representatives arrive on location.  We can assist in implementing Anton Piller orders and, in other circumstances, challenging the need for such an order.   


44.  What if I provide my computer’s hard drive to you for analysis and you find that it has been wiped clean of all data?

The absence of data on a computer’s hard drive or other piece of electronic media that should contain data, but does not, is normally attributable to one of three causes.  These three causes are physical damage to the hard drive or media, static shock that magnetically “wipes” the hard drive or media, or intentional wiping of the hard drive or media. 

Intentionally deleting data or otherwise attempting to erase a hard drive is a common practice among individuals who are attempting to cover their tracks.  In fact, the absence of data on a hard drive, in and of itself, can be used to show intent, to help impeach someone, or as evidence in a criminal or civil investigation.
