Computer Forensics FAQ

What is Computer Forensics?

Computer Forensics is the science of retrieving and analyzing data from an electronic storage system in a manner that does not alter or compromise the integrity of the target systems.

Should I attempt my own investigation?

There are very distinct differences between a computer professional and a specialized Computer Forensic examiner. While both work with computers, their focus and training are drastically different. The ability to safely and thoroughly examine computers, or any other kind of digital information, for digital evidence is a highly specialized skill set that requires intensive training and meticulous procedures. If anyone other than a qualified Computer Examiner does as little as power on the computer or insert media into it, evidence could be destroyed or rendered unusable.

What can a Computer Forensics examination provide?

  • Recovery of deleted computer files
  • Data recovery even after a hard drive has been reformatted or repartitioned
  • Determination of websites that have been visited
  • Determination of what files have been downloaded
  • Determination of when files were last accessed
  • Determination of when files were deleted
  • Discovery of attempts to conceal or destroy evidence
  • Discovery of attempts to fabricate evidence
  • Discovery of hidden text that was removed from the final printed version of a document
  • Discovery of faxes sent or received on a computer
  • Discovery of email messages and attachments, even if previously deleted
  • Discovery of other types of communication strings (e.g., Instant Messaging)

How can Computer Forensics help me?

Today’s computers maintain extremely large amounts of data; therefore, attorneys and businesses are finding more and more information that is relevant to situations and cases in digital formats. In addition, “hidden” evidence (metadata) can be found through forensics that is difficult, if not impossible, to find using ordinary procedures. This information can be crucial in litigation and discovery. A sound computer forensic investigation will find data that is “hidden” from the operating system and computer users. Often computer forensics can recover evidence files that were accidentally or maliciously destroyed.

In what situations is it helpful?

  • Employee internet abuse
  • Asset discovery
  • Unauthorized disclosure of corporate information and data (accidental and intentional)
  • Industrial espionage
  • Damage assessment (following an incident)
  • Criminal fraud
  • Sexual harassment
  • Deception cases
  • General criminal cases (many criminals simply store information on computers, intentionally or unwittingly)
  • Many civil cases

Can deleted files and email be recovered?

There is a very good chance that a Computer Forensics investigator can recover deleted files from the subject’s hard drive. When a file is deleted using standard methods, the contents of the file are not erased from the hard drive. Most of the time emails can be recovered. However, there are various scenarios that can aid or impede this ability.

Can you guarantee the recovery of deleted files and emails?

No. Several factors can affect the ability to recover deleted data from a computer hard drive. After a file has been deleted it may be overwritten and become unrecoverable through the regular operation of the computer. Also, there are commercially available drive-wiping utilities that can render deleted files unrecoverable.
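The two answers above (deleted contents stay on the drive, but can later be overwritten) can be seen in a small signature-carving sketch. This is an added example, not the examiner's or any vendor's tool; the eight-sector "disk", the sample payload and all function names are constructed for illustration, and real carvers handle fragmentation and embedded markers that this one does not.

```python
# Added example: signature-based carving over a constructed raw image.
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus first marker byte
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker
SECTOR = 512

def build_image():
    """Constructed sample: 8 zeroed sectors with a fake JPEG left in sector 3,
    as if its directory entry had been removed but its data never erased."""
    image = bytearray(8 * SECTOR)
    fake_jpeg = JPEG_SOI + b"\xe0" + b"constructed-sample-payload" + JPEG_EOI
    image[3 * SECTOR:3 * SECTOR + len(fake_jpeg)] = fake_jpeg
    return image, fake_jpeg

def carve_jpegs(image, max_size=1024 * 1024):
    """Return (offset, data) for each header..footer span, ignoring the
    file system entirely and looking only at raw bytes."""
    data = bytes(image)  # work on a copy, never on the evidence buffer
    found = []
    pos = data.find(JPEG_SOI)
    while pos != -1:
        end = data.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end != -1 and end + len(JPEG_EOI) - pos <= max_size:
            stop = end + len(JPEG_EOI)
            found.append((pos, data[pos:stop]))
            pos = data.find(JPEG_SOI, stop)
        else:
            pos = data.find(JPEG_SOI, pos + 1)
    return found

def overwrite_sector(image, sector):
    """Simulate regular operation of the computer reusing a freed sector."""
    image[sector * SECTOR:(sector + 1) * SECTOR] = b"\xaa" * SECTOR

if __name__ == "__main__":
    image, original = build_image()
    for offset, blob in carve_jpegs(image):
        print(f"recovered {len(blob)} bytes at offset {offset}")
    overwrite_sector(image, 3)
    print("after overwrite:", carve_jpegs(image))
```
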

Can Instant Message communications be uncovered?

In some cases, Instant Message communications can be uncovered.

What could potentially hold information?

  • Computers
  • Cell Phones
  • MP3 music players
  • Digital Cameras
  • PDAs (Personal Digital Assistants)
  • BlackBerrys
  • CD-ROMs
  • Backup Tapes

Can passwords be recovered from encrypted documents?

In most cases passwords can be recovered from encrypted documents.

What is meta-data?

Many computer forensic investigations revolve as much around the timing of the document creation, modification or deletion, as around the contents of the documents themselves. Meta-data is information about a file (such as last modification date and time) that is saved automatically by the computer operating system.
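To make the role of timestamps concrete, here is an added example (not from the original FAQ or any forensic product) that reads file metadata and content hashes into a timeline. The file names, contents and dates are constructed sample data, and the function names are illustrative.

```python
# Added example: build a modification-time timeline from file metadata.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed samples: name -> (content, modification time as Unix epoch, UTC)
SAMPLES = {
    "contract_final.doc": (b"agreed terms", 1583020800),   # 2020-03-01
    "contract_draft.doc": (b"agreed terms", 1577836800),   # 2020-01-01
    "notes.txt":          (b"meeting notes", 1580515200),  # 2020-02-01
}

def make_sample_dir():
    """Write the constructed files to a temp directory with fixed timestamps."""
    directory = tempfile.mkdtemp(prefix="metadata_demo_")
    for name, (content, mtime) in SAMPLES.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))  # set access and modification times
    return directory

def iso_utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def file_record(path):
    """Collect OS-maintained metadata plus a content hash for one file."""
    st = os.stat(path)  # read metadata first: opening a file can update atime
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"name": os.path.basename(path), "size": st.st_size,
            "modified": iso_utc(st.st_mtime), "sha256": digest}

def build_timeline(directory):
    """Return one record per file, oldest modification first."""
    records = [file_record(os.path.join(directory, n)) for n in os.listdir(directory)]
    return sorted(records, key=lambda r: r["modified"])

if __name__ == "__main__":
    for rec in build_timeline(make_sample_dir()):
        print(rec["modified"], rec["sha256"][:12], rec["name"])
```

The matching hashes on the draft and final files show identical content saved two months apart. On a live system, merely opening a file can change its access time, which is why examiners work from write-blocked copies rather than the original media.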

What do I receive after a computer investigation?

Forensic Discoveries provides a detailed report that explains the processes used to acquire and secure the electronic evidence, the qualifications of the examiner, the scope of the examination, the findings of the examination, and the examiner’s conclusions. The format of the findings section can vary depending on the goals of the investigation. The findings section may include file listings including: file date/time stamps, document printouts, email printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results. The examiner’s conclusions may be the most critical component of the final report. These conclusions, based upon the examiner’s expertise and experience in the field of computer forensic technology, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.