FAQ

What is Computer Forensics?

Computer Forensics is the science of retrieving and analyzing data from an electronic storage system in a manner that does not alter or compromise the integrity of the target systems.

WARNING: Don’t attempt your own investigation

There are very distinct differences between computer professionals and the specialized Computer Forensic examiner. While both work with computers, their focus and training are drastically different.

Normal hardware and software knowledge in no way equates to the specialized expertise of a Computer Forensics expert. The ability to safely and thoroughly examine computers or any kind of digital media for digital evidence is a highly specialized skill set that requires enormous amounts of training and meticulous procedures.

If anyone other than a qualified Computer Examiner does as little as power on the computer or insert the media into a computer, evidence could be destroyed and rendered unusable.

What can a Computer Forensic examination provide?

  • Recovery of deleted computer files
  • Data recovery even after a hard drive has been reformatted or repartitioned
  • Determination of web sites that have been visited
  • Determination of what files have been downloaded
  • Determination of when files were last accessed
  • Determination of when files were deleted
  • Discovery of attempts to conceal or destroy evidence
  • Discovery of attempts to fabricate evidence
  • Discovery of hidden text that was removed from the final printed version of a document
  • Discovery of faxes sent or received on a computer
  • Discovery of email messages and attachments even if previously deleted
  • Discovery of other types of communications strings (Instant Messaging)

How can Computer Forensics help me?

Today’s computers maintain extremely large amounts of data, and attorneys and businesses are finding that information relevant to their situations and cases can be found in a digital format. In addition, “hidden” evidence (metadata) can be found through forensics that is difficult, if not impossible, to find using ordinary procedures. This information can be crucial in litigation and discovery. A sound computer forensic investigation will find data that is “hidden” from the operating system and computer users. Computer forensics can also often recover evidence files that were accidentally or maliciously destroyed.

In what situations is it helpful?

  • Employee internet abuse
  • Asset discovery
  • Unauthorized disclosure of corporate information and data (accidental and intentional)
  • Industrial espionage
  • Damage assessment (following an incident)
  • Criminal fraud, sexual harassment, and deception cases
  • More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly) and many civil cases

Can deleted files and e-mail be recovered?

For files, there is a very good chance that a Computer Forensics investigator can recover deleted files from the subject hard drive. When a file is deleted using standard methods, the contents of the file are not erased from the hard drive.

For e-mail, the answer to this question is ‘Yes’ the majority of the time. But there are various scenarios that can aid or impede this ability.

Can you guarantee the recovery of deleted files and e-mail?

No. Several factors can affect the ability to recover deleted data from a computer hard drive. After a file has been deleted it may be overwritten and become unrecoverable through regular operation of the computer. Also, there are commercially available drive-wiping utilities that can render deleted files unrecoverable.

Can Instant Message communications be uncovered?

In some cases, yes.

What could potentially hold information?

  • Computers
  • Cell Phones
  • MP3 music players
  • Digital cameras
  • PDAs (Personal Digital Assistants)
  • Blackberrys
  • CD-ROMs
  • Backup Tapes

Can passwords be recovered from encrypted documents?

In most cases, yes.

What is meta-data?

Many computer forensic investigations revolve as much around the timing of document creation, modification or deletion as around the contents of the documents themselves. Meta-data is information about a file (such as last modification date and time) that is saved automatically by the computer operating system.

What do I receive after a computer investigation?

Forensic Discoveries will provide a detailed report that explains the processes used in acquiring and securing the electronic evidence, the qualifications of the examiner, the scope of the examination, the findings of the examination, and the examiner’s conclusions. The format of the findings section can vary depending on the goals of the investigation. The findings section may include file listings with file date/timestamps, document printouts, e-mail printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results. The examiner’s conclusions may be the most critical component of the final report. These conclusions, based upon the examiner’s expertise and experience in the field of computer forensic technology, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.

  • About Sword & Shield

    Since 1997 Sword & Shield has been the trusted information security partner for 3000 clients in 50 states and 27 countries around the globe.

    We offer comprehensive computer network security services and IT regulatory compliance for business and government. Let us help secure your future.
