Frequently Asked Questions

What types of evidence can be found on computer systems?

User files, deleted files, e-mail messages, hidden data, encrypted data. Other examples of evidence: file copying, attempted data destruction, internet usage and other questionable activities.

Where is information stored on a computer?

Information is normally stored in plain sight on the internal hard drive of a computer. While some criminals are dumb enough to store incriminating evidence like this, most data of interest to forensic investigators is not the normal type.

Where else can evidence be found on a computer?

Deleted files yield the most evidence, since most people actually think files disappear when you delete them. An area of disk drives known as 'slack space,' which the Operating System thinks is empty can also hold data put there by the suspect.

What happens when you 'delete' a file?

Think of a card catalog in a library. When you delete something, all that you are doing is throwing out the card from the card catalog. The book remains on the shelf. The computer has only been told that the space on the shelf is available for use if necessary. If the computer does use that space, then the old file is overwritten and is gone. Often the 'old book' is still there to be found by the trained professional investigator.

What should be included in a forensic examination report?

As with the examination of any evidence, a well-documented chain of custody is a must. The report should detail the hardware examined, the procedures and software used in the examination and any evidence found. Often the volume of evidence is so large it will not be included in printed form, but will be included in electronic form (most often on CD-ROM). A good report is complete and written so that a layman can understand it. It can eventually be included as evidence in court.

Who can use Computer Forensic evidence?

Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:

• Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record keeping, and child pornography.
• Civil litigations can readily make use of personal and business records found on computer systems that bear on: fraud, divorce, discrimination, and harassment cases.
• Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
• Corporations often hire computer forensics specialists to ascertain evidence relating to: sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.
• Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.
• Individuals sometimes hire computer forensics specialists in support of possible claims of: wrongful termination, sexual harassment, or age discrimination.
  

How long does it take to acquire the data from the hard drive?

It usually requires from 6 to 10 hours time to "clone" the source in order for it to be analyzed. This procedure is best performed in our office but can be performed "in the field" if absolutely necessary.

How long does it take to analyze the data once acquired?

The initial evaluation and obtaining of general information from the "cloned" source will require approximately 20-30 hours of the investigator's time. However, there is no "typical" case, so each case takes as long as necessary to be thorough.

Does anything that you do in the process of acquiring the data change the hard drive?

There is no damage or alteration of any of the information contained on the original "suspect" source and all analysis is performed on an image file or a copy.