Forensic Discoveries FAQ

What is Computer Forensics?

Computer Forensics is the science of identifying, preserving, retrieving and analyzing data from electronic storage systems in a manner that does not alter the original data, so that the integrity of the evidence can be demonstrated later (for example, in court).

What can a Computer Forensic examination provide?

    • Recovery of deleted computer files
    • Data recovery even after a hard drive has been reformatted or repartitioned
    • In many cases, decryption of encrypted or password-protected files (depending on the strength of the protection; see below)
    • Determination of which web sites have been visited
    • Determination of what files have been downloaded
    • Determination of when files were created, modified and (where the system records it) last accessed
    • Determination of when files were deleted
    • Discovery of attempts to conceal or destroy evidence
    • Discovery of attempts to fabricate evidence
    • Discovery of earlier drafts and tracked changes, including text that was removed from the final printed version of a document
    • Discovery of faxes sent or received on a computer
    • Discovery of e-mail messages and attachments, even if previously deleted
    • Discovery of other types of communication, such as Instant Messaging conversations

    What is the procedure of a computer investigation?

    It is a detailed science, but very broadly the main phases are usually considered to be:

    • secure the subject system against tampering for the duration of the examination;
    • take a bit-for-bit copy (image) of the hard drive, if applicable, through a write blocker, and verify the copy by hash so that the original is never worked on directly;
    • identify and recover all files, including deleted ones;
    • access and copy hidden, protected and temporary files;
    • study 'special' areas of the drive (for example, unallocated and slack space holding residue of previously deleted files);
    • investigate data and settings from installed applications and programs;
    • assess the system as a whole, including its structure;
    • consider general factors relating to the user's activity;
    • create a detailed report.

    Throughout the investigation a full audit log of every action taken is maintained, so that the examiner can later show what was done, when, and by whom.

    How can Computer Forensics help me?

    Today's computers hold extremely large amounts of data, and attorneys and businesses are finding that information relevant to their cases and disputes exists in digital form. In addition, "hidden" evidence (such as metadata) can be found through forensics that is difficult, if not impossible, to find using ordinary procedures. This information can be crucial in litigation and discovery. A sound computer forensic investigation will find data that is "hidden" from the operating system and from ordinary users, and can often recover evidence files that were accidentally or maliciously destroyed.

    In what situations is it helpful?

    - Employee internet abuse
    - Asset discovery
    - Unauthorized disclosure of corporate information and data (accidental and intentional)
    - Industrial espionage
    - Damage assessment (following an incident)
    - Criminal fraud, sexual harassment, and deception cases
    - More general criminal cases (many criminals store information on computers, intentionally or unwittingly) and many civil cases

    What do I do if I have a machine that has evidence?

    Call a computer forensic specialist to image the hard drive on that computer, preserving all data on the drive -- both active and inactive (deleted) data -- as of the current point in time. Do not boot the computer, log in, or use it in any way before the specialist acquires the image: even starting the operating system writes to the drive, which can overwrite deleted data and change timestamps. If the machine is already running, leave it as it is (do not shut it down, "clean up" or run scans on it) and tell the specialist, since information held only in memory is lost when the power goes off.
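    The imaging step that the procedure above and this answer refer to (copy the drive, hash the copy, record everything in the audit log), as an added example written for this page rather than Forensic Discoveries' own tooling. It images a constructed 3 MiB file that stands in for a device; the device path /dev/sdb mentioned in the comments, the examiner name and the file names are assumptions.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # read and write in 1 MiB blocks


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so that a multi-terabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source: Path, image: Path, audit_log: Path, examiner: str) -> dict:
    """Copy `source` byte-for-byte to `image`, hashing the source stream as it is read.
    The finished image is then hashed again from disk; the two digests must match before
    the image is trusted. Each acquisition is appended to the audit log as one JSON line
    (what was done, when, by whom, and the hashes). `source` is opened read-only; on a
    real case it would be the block device (e.g. /dev/sdb, an assumed path) sitting
    behind a hardware write blocker."""
    h_src = hashlib.sha256()
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    size = 0
    with source.open("rb") as src, image.open("wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
            size += len(block)
    source_digest = h_src.hexdigest()
    image_digest = sha256_file(image)
    entry = {
        "action": "acquire",
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": str(source),
        "image": str(image),
        "bytes": size,
        "source_sha256": source_digest,
        "image_sha256": image_digest,
        "verified": source_digest == image_digest,
    }
    with audit_log.open("a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image: Path, expected_sha256: str) -> bool:
    """Re-hash an image later (before analysis, or before testimony) and compare it
    with the digest recorded at acquisition time."""
    return sha256_file(image) == expected_sha256


def demo() -> dict:
    """Constructed stand-in for a real device: a file of pseudo-random bytes whose
    size is deliberately not a multiple of CHUNK, so the last partial block is exercised."""
    workdir = Path(tempfile.mkdtemp(prefix="acq-"))
    device = workdir / "fake_device.bin"          # constructed; a real case reads /dev/sdb
    device.write_bytes(os.urandom(3 * CHUNK + 12345))
    entry = image_device(device, workdir / "case001.dd", workdir / "audit.jsonl", "examiner-01")
    entry["reverified"] = verify_image(workdir / "case001.dd", entry["source_sha256"])
    return entry


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The verification and logging shown here is the part that matters for admissibility; on real hardware the copy itself is usually made with a purpose-built imaging tool that also handles unreadable sectors, but the hash of the source must still be taken, the image re-hashed, and both recorded before any analysis starts.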

    Can deleted files and e-mail be recovered?

    For files, there is a very good chance that a Computer Forensics investigator can recover deleted files from the subject hard drive. When a file is deleted using standard methods, its contents are not erased from the hard drive: the file system only marks the directory entry and the space the file occupied as free. The "deleted" file is invisible to the user, but its data remains on the disk until that space is reused.

    For e-mail, the answer is 'Yes' the majority of the time, but various factors can aid or impede recovery. One major factor is whether the e-mail is stored on a centralized e-mail server or locally. When all e-mail is stored locally, it is usually recoverable, both from the mail client's mailbox files and from deleted fragments on the drive. The chances are lower when the mail is kept only on a server, although the server's own mailbox store and its backups may then be the better source. There are also hybrid configurations (mail stored on the server with an offline copy on the workstation). Finally, for web-based e-mail (e.g. Yahoo, Gmail, Hotmail), many messages sent or received from the computer can be recovered by combing through the browser's cache (temporary internet files).

    Can you guarantee the recovery of deleted files and e-mail?

    No. Several factors can affect the ability to recover deleted data from a computer hard drive. After a file has been deleted, its space may be reused and its contents overwritten through regular operation of the computer, at which point they are unrecoverable. Commercially available drive-wiping utilities deliberately overwrite deleted files so that they cannot be recovered, and solid-state drives that support TRIM may erase freed blocks on their own shortly after deletion.
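    The two answers above (why deleted files usually survive, and why they sometimes do not) in working form, as an added example written for this page and not Forensic Discoveries' own tooling. It carves files out of a constructed 64 KiB raw image that has no file system at all, by header and footer signatures, and then shows what happens when part of a deleted file's space has been reused. The file names, offsets and the two-format signature table are assumptions for the demonstration.

```python
from typing import Dict, List, Tuple

# Header/footer signatures for two common types. This is an assumed subset for the
# demonstration; real carvers carry hundreds of signatures.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 4 * 1024 * 1024) -> List[dict]:
    """Scan a raw image for file headers and cut out everything up to the matching
    footer. No directory or allocation structures are consulted, which is exactly what
    lets carving find files whose directory entries are gone. Two limitations are
    visible in the sample below: a file whose header was overwritten is simply not
    found, and a file whose footer was overwritten comes back incomplete (in a crowded
    image the search may even run on into the next file's footer)."""
    hits = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            limit = min(start + max_size, len(image))
            end = image.find(footer, start + len(header), limit)
            if end < 0:
                hits.append({"type": ftype, "offset": start, "complete": False,
                             "data": image[start:limit]})
                pos = start + len(header)
            else:
                end += len(footer)
                hits.append({"type": ftype, "offset": start, "complete": True,
                             "data": image[start:end]})
                pos = end
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image() -> Tuple[bytes, Dict[str, bytes]]:
    """Constructed 64 KiB 'disk': four files are written at known offsets, then two of
    them are damaged the way deleted files get damaged in practice, by having part of
    their space reused for new data."""
    originals = {
        "photo1.jpg": b"\xff\xd8\xff\xe0" + b"J" * 500 + b"\xff\xd9",
        "report.pdf": b"%PDF-1.4\n" + b"P" * 300 + b"\n%%EOF",
        "photo2.jpg": b"\xff\xd8\xff\xe0" + b"K" * 500 + b"\xff\xd9",
        "photo3.jpg": b"\xff\xd8\xff\xe0" + b"L" * 500 + b"\xff\xd9",
    }
    layout = {"photo1.jpg": 0x1000, "report.pdf": 0x8000,
              "photo2.jpg": 0xC000, "photo3.jpg": 0xE000}
    disk = bytearray(64 * 1024)
    for name, off in layout.items():
        disk[off:off + len(originals[name])] = originals[name]
    # photo2: the first 64 bytes of its space were reused by a new text file -> header gone
    reused = (b"Quarterly sales notes\n" * 4)[:64]
    disk[0xC000:0xC000 + 64] = reused
    # photo3: the last two bytes of its space were reused -> footer gone
    tail = 0xE000 + len(originals["photo3.jpg"]) - 2
    disk[tail:tail + 2] = b"\x00\x00"
    return bytes(disk), originals


if __name__ == "__main__":
    image, originals = build_sample_image()
    for hit in carve(image):
        status = "complete" if hit["complete"] else "INCOMPLETE (footer overwritten)"
        print(f"{hit['type']} at 0x{hit['offset']:05x}: {len(hit['data'])} bytes, {status}")
    # photo2 never appears: once its header is overwritten a signature carver cannot see it
```

    Running it lists photo1.jpg and report.pdf intact, photo3.jpg as an incomplete hit, and nothing at all for photo2.jpg; that last case is the "overwritten and unrecoverable" outcome from the answer above, and it is why nobody can guarantee recovery.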

    Can Instant Message communications be uncovered?

    In some cases, yes. Recovery depends largely on whether the messaging client was configured to keep conversation logs; where it was not, fragments of conversations may still be found in unallocated space, swap files or memory.

    What could potentially hold information?

    • Computers
    • Cell phones
    • MP3 music players
    • Digital cameras
    • PDAs (Personal Digital Assistants)
    • BlackBerrys
    • CD-ROMs
    • Backup tapes

    Can passwords be recovered from encrypted documents?

    In most cases, yes. Password recovery (cracking) is as much an art as a science. Some password mechanisms can be deciphered quickly with our tools, whereas some very strong encryption mechanisms are, for practical purposes, "mathematically impossible within a reasonable timeframe" to break by brute force; the outcome then depends on how long and how guessable the password is, and on whether it can be found elsewhere on the system. However, the majority of typical password-protected files can be recovered.

    What is meta-data?

    Many computer forensic investigations revolve as much around the timing of document creation, modification or deletion as around the contents of the documents themselves. Meta-data is information about a file, such as its creation and last-modification dates and times, that is saved automatically by the operating system (file system timestamps) and, for many document formats, by the application that created the file (for example the author, the last editor and the revision count stored inside an office document). Whereas a user can easily forge the date printed on a document, its meta-data can reveal the true date and time the document was created or modified. Because file system timestamps can themselves be altered, the examiner compares the different sources against each other; disagreement between them is often significant in its own right.
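    The comparison described above, as an added example written for this page (not Forensic Discoveries' own tooling): it reads the application-level properties stored inside an Office document (docProps/core.xml in the OOXML package) and sets them beside the file system's modification time. The document, its author names, dates and revision number are constructed for the demonstration, and its file system time is deliberately set to a later date to stand in for a file that was copied or "touched".

```python
import os
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path
from xml.etree import ElementTree as ET

# Namespaces used by docProps/core.xml inside .docx/.xlsx/.pptx packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
ISO = "%Y-%m-%dT%H:%M:%SZ"


def office_core_properties(path: Path) -> dict:
    """Read the metadata the document carries inside itself. These values travel
    with the file when it is copied or e-mailed, unlike file system timestamps."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag: str):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def filesystem_times(path: Path) -> dict:
    """What the operating system says about the same file, in UTC."""
    st = path.stat()
    return {"fs_modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).strftime(ISO)}


def compare(path: Path) -> dict:
    """Put both sources side by side. An embedded 'modified' time far from the file
    system mtime (or later than it) is not proof of anything by itself, but it is
    something the examiner must be able to explain."""
    meta = office_core_properties(path)
    fs = filesystem_times(path)
    embedded = datetime.strptime(meta["modified"], ISO).replace(tzinfo=timezone.utc)
    on_disk = datetime.strptime(fs["fs_modified"], ISO).replace(tzinfo=timezone.utc)
    gap = (on_disk - embedded).total_seconds()
    return {**meta, **fs, "gap_seconds": gap, "timestamps_agree": abs(gap) < 60}


CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>A. Author</dc:creator>
<cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>
<cp:revision>7</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-03-04T10:15:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2019-03-09T16:42:00Z</dcterms:modified>
</cp:coreProperties>"""


def demo() -> dict:
    """Constructed minimal .docx (only the parts this example reads), with its file
    system mtime set to 2021-06-01 to imitate a file that was copied or touched long
    after it was last edited."""
    path = Path(tempfile.mkdtemp(prefix="meta-")) / "contract.docx"
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", "<document/>")
    forged = int(datetime(2021, 6, 1, tzinfo=timezone.utc).timestamp())
    os.utime(path, (forged, forged))
    return compare(path)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

    In the sample the operating system reports a 2021 modification time while the document itself says it was last saved in March 2019 by a different person than its creator, after seven revisions. Neither source is authoritative on its own; the point is that the two are kept independently, so forging one without the other leaves a visible inconsistency.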

    What do I receive after a computer investigation?

    Forensic Discoveries will provide a detailed report that explains the processes used to acquire and secure the electronic evidence, the qualifications of the examiner, the scope of the examination, the findings of the examination, and the examiner's conclusions. The format of the findings section varies with the goals of the investigation; it may include file listings with file dates and timestamps, document printouts, e-mail printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results. The examiner's conclusions may be the most critical component of the final report. These conclusions, based upon the examiner's expertise and experience in the field of computer forensic technology, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.

    Why can we not use our local computer experts?

    The following information is very important. There are very distinct differences between computer professionals and specialized Computer Forensic examiners. While both work with computers, the focus and training are drastically different, and ordinary hardware and software knowledge in no way equates to the specialized knowledge of a Computer Forensics expert. The ability to safely and thoroughly examine computers, or any other digital media, for digital evidence is a highly specialized skill set that requires extensive training and meticulous procedures. If anyone other than a qualified computer examiner does as little as power on the computer or insert the media into a computer, evidence could be altered or destroyed and rendered unusable.