Q: What is computer forensics and how does the process work?
A: Computer forensics is the analysis of information contained within, and created with, computer systems, typically in the interest of establishing what happened, when it happened, how it happened, and who was involved. Computer forensic techniques and methodologies are the means of conducting such an investigation in a way that preserves the evidence and stands up to scrutiny.
During a typical digital investigation, a certified forensics investigator will:
First, clearly determine the purpose and objective of the investigation. Then take several careful steps to identify and extract all relevant data from the subject's computer system. Forensic analysis extracts the data that can be viewed through the operating system as well as data that is invisible to it.
Image, protect and preserve the evidence throughout the forensic examination against any possible alteration, damage, data corruption or virus introduction, ensuring the evidence is not damaged, tainted or in any other way rendered inadmissible in court.
Use forensically sound protocols at all times during the investigation to ensure the information obtained is admissible in court. It must be assumed that every case/situation could end up in the legal system. If your computer forensics examiner doesn't make that assumption, find someone else.
Address the legal issues at hand in dealing with electronic evidence, such as relevant case law, how to navigate the discovery process, protection of privilege, and in general, working and communicating with attorneys and other professionals involved in the case.
Discover all files on the subject's system. This includes existing active files and invisible files: deleted but not yet overwritten files, hidden files, password-protected files, and encrypted files. In many cases, a computer forensics investigation gathers information that is not available or viewable by the average computer user, such as deleted files and fragments of data left in the unused tail of the last disk cluster allocated to an existing file - known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence, but it is often a treasure trove of relevant information.
In computer forensics, there are three types of data that we are concerned with - active, archival, and latent.
Active data is the information that can be readily seen, like data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, digital storage devices, or entire hard drives, to cite a few examples.
Latent (also called ambient) data is the information one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.
When it comes to digital evidence, getting a certified computer forensic examiner involved early increases the chances of recovering deleted files and other data that has not yet been overwritten. As a computer is used, the operating system writes to the hard drive continually. From time to time it stores new data by overwriting data that is still resident on the drive but no longer needed; a deleted file, for example, remains on the drive until the operating system overwrites some or all of it. Thus, to preserve as much relevant data as possible, you must acquire the relevant computers as soon as possible. Ongoing use of a computer system may destroy data that could have been extracted before it was overwritten. Fortunately, the costs of acquisition are very reasonable, and the process is not disruptive.
A skilled forensic examiner will analyze all possibly relevant data found, including data in special (and typically inaccessible) areas of a disk. This includes unallocated space (clusters not currently assigned to any file, but possibly still holding data from previous files) as well as 'slack' space (the unused portion of the last cluster allocated to a file, after the end of that file's data), which is another possible site for previously created and relevant evidence.
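The following is an added example, not GDF's code or tooling, showing on a toy cluster-based disk why the three data areas above matter: deleting a file only drops the directory entry, so the bytes survive in unallocated space; a shorter file written over a freed cluster leaves the old tail behind as file slack; and header/footer carving over the raw image recovers data the operating system no longer lists. The allocator, the 64-byte cluster size and the memo/mail contents are all constructed for illustration.

```python
"""Added example (not GDF's code): a toy cluster-based disk that shows why
deleted data survives, where file slack comes from, and how header/footer
carving recovers data the operating system no longer lists. All content is
constructed sample text, not real evidence."""

CLUSTER = 64  # bytes per cluster; tiny for illustration (real file systems use 4 KiB or more)


class ToyDisk:
    """Minimal allocator: a directory (name -> size, clusters) plus a free list.
    Deleting a file only removes the directory entry and frees the clusters;
    the bytes stay on 'disk' until something else is written over them."""

    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.free = list(range(clusters))
        self.files = {}

    def write(self, name, payload):
        needed = -(-len(payload) // CLUSTER)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        chunks = [self.free.pop() for _ in range(needed)]  # LIFO: reuses the most recently freed cluster
        for i, c in enumerate(chunks):
            piece = payload[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(piece) bytes are written; the tail of the last cluster keeps
            # whatever was there before. That tail is the file's slack space.
            self.data[c * CLUSTER:c * CLUSTER + len(piece)] = piece
        self.files[name] = (len(payload), chunks)

    def delete(self, name):
        _size, chunks = self.files.pop(name)
        self.free.extend(chunks)  # the bytes themselves are untouched

    def read(self, name):
        size, chunks = self.files[name]
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in chunks)
        return raw[:size]

    def allocated(self):
        return {c for _size, chunks in self.files.values() for c in chunks}


def unallocated_space(disk):
    """Every cluster no live file owns (what the OS reports as 'free space')."""
    alloc = disk.allocated()
    total = len(disk.data) // CLUSTER
    return b"".join(bytes(disk.data[c * CLUSTER:(c + 1) * CLUSTER])
                    for c in range(total) if c not in alloc)


def file_slack(disk, name):
    """Bytes between the end of a live file's data and the end of its last cluster."""
    size, chunks = disk.files[name]
    used = size % CLUSTER
    if used == 0:
        return b""
    last = chunks[-1]
    return bytes(disk.data[last * CLUSTER + used:(last + 1) * CLUSTER])


def carve(raw, header, footer):
    """Header/footer carving over the raw image, ignoring the directory entirely."""
    found, pos = [], 0
    while True:
        start = raw.find(header, pos)
        if start < 0:
            break
        end = raw.find(footer, start + len(header))
        if end < 0:
            break
        found.append(raw[start:end + len(footer)])
        pos = end + len(footer)
    return found


MEMO = b"<MEMO>Delete the Q3 spreadsheet before the audit.</MEMO>"   # constructed
MAIL = b"<MAIL>From: ceo@example.test\nWire $50,000 today.</MAIL>"  # constructed


def demo():
    disk = ToyDisk(clusters=8)
    disk.write("memo.txt", MEMO)
    disk.write("mail.eml", MAIL)
    disk.delete("memo.txt")
    disk.delete("mail.eml")
    # A short new file reuses mail.eml's cluster and overwrites only its first 13 bytes.
    disk.write("notes.txt", b"Lunch at noon")
    return {
        "disk": disk,
        "unallocated": unallocated_space(disk),
        "slack": file_slack(disk, "notes.txt"),
        "memos": carve(bytes(disk.data), b"<MEMO>", b"</MEMO>"),
        "mails": carve(bytes(disk.data), b"<MAIL>", b"</MAIL>"),
    }


if __name__ == "__main__":
    r = demo()
    print("live files:", list(r["disk"].files))
    print("memo intact in unallocated space:", MEMO in r["unallocated"])
    print("slack of notes.txt:", r["slack"].rstrip(b"\x00"))
    print("carved memos:", r["memos"], "| carved mails:", r["mails"])
```

After the run, the operating system's view of this disk is a single 13-byte file. The carver still returns the whole memo from unallocated space, and the slack of notes.txt still holds the body of the deleted mail, minus the 13 bytes the new file overwrote; the mail's header is gone, so header/footer carving no longer finds it, which is exactly the partial-overwrite case the text calls latent data.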
When the analysis is completed, the forensic examiner will provide a report of the analysis of the computer system, along with a copy of all relevant data, parsed, formatted and arranged so it can be integrated into your legal theories and strategies.
GDF's analysis and investigation work is performed using the highest levels of forensic scrutiny, always following proven forensic procedures and using only open and verifiable programming techniques. Our methodologies are transparent - we encourage the court and opposing sides to dissect our work because we stand behind its admissibility 100%. We use NO PROPRIETARY or secret methods or programs when doing our analysis. Instead, we use our programming skills to build tools and software specifically for the task at hand. And of course, we always fully document everything and open our work to scrutiny by all parties involved.
Q: When should I consider using computer forensics?
A: If any form of digital information is even remotely involved in a case or legal situation, a computer forensic examination will be required. Digital information has invaded virtually every aspect of day-to-day existence; from computers to smartphones to social networking, it plays a crucial role in almost every case.
Computer forensics differs from data recovery, which is the recovery of data after an event affecting the physical media, such as a hard drive crash. Computer forensics goes much further: it is a complete examination of the computer, with intricate analysis of the digital information as the ultimate goal.
In any case where Electronically Stored Information (ESI) is involved, computer forensics is used as a tool to (1) determine the facts and relevant data (2) discharge your duty to avoid spoliation, (3) obtain all relevant evidence from the opposing party in a manner similar to using a Request for Production of Documents, and (4) determine whether computers or other digital devices were used as the instrument of a tort or crime, or in a violation of policy.
For a successful forensics examination, you must have all the information relevant to a matter, not only to construct effective legal strategies, but also to set your expectations and budget your services efficiently. Nothing is more difficult to address than a case that has become complicated by new facts when you once expected the matter to proceed smoothly and without significant cost. Knowing all the facts early in a matter allows you to better prepare for those cases that will require significant legal expertise to manage.
In response to pending litigation, analyzing your relevant ESI is an excellent way to discharge your duties to preserve evidence and avoid spoliation, while also acquiring all relevant information essential to your legal theories and strategies. Similarly, as part of critical business decisions, forensically analyzing relevant computers and devices can provide essential information. For example, analyzing the computers of corporate officers or employees as part of the termination process can alert you to possible litigation issues such as violation of non-compete agreements, improper copying of intellectual property, etc.
To prepare for litigation, an attorney ought to determine whether a Request for Production of Documents will obtain all relevant evidence. A simple question to ask is whether you want to discover part of the relevant information (i.e., what is visible to your opponent's operating system) or all of it (deleted, hidden, orphaned data, etc.). It is not unrealistic to anticipate that information on a computer system that helps a matter will be saved, while information that harms it will be deleted, hidden, or rendered invisible. For example, in sexual harassment cases, it is not unusual to discover deleted emails and other data invisible to the operating system that significantly affect the case. Computer forensic analysis extracts all the emails, memos, and other data that can be viewed through the operating system, as well as all invisible data. In many cases, the invisible data completely changes the nature of a claim or defense, often leading to early settlement and avoiding surprises during litigation.
In any situation in which one or more computers may have been used in an inappropriate manner, it is essential to call a forensic expert. Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the "tracks" left behind by inappropriate use. Taking the wrong steps in these circumstances can irrevocably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.
Q: If I think evidence exists, is it ok if my technology expert takes a look for the information before I get in touch with a computer forensics expert?
A: Companies that fall victim to computer crime may be inadvertently destroying evidence in their efforts to find the perpetrators themselves. You only have one opportunity to collect the evidence needed to prove your case.
For example, Human Resources sends in well-meaning IT staff who do not know sound forensic procedures, and they ruin the evidence. Although internal IT staff are highly knowledgeable about their working environment and the technology employed within it, computer forensic investigations are best performed by outside certified experts. The nature of the forensic analysis process, coupled with the requirements of preserving evidence and the strict chain-of-custody rules enforced by the courts, calls for investigations performed by external entities that are equipped with authorized forensic technology and trained to observe forensic protocols. Otherwise, it is much like well-meaning firefighters trampling on evidence at a crime scene. You need a professional certified computer forensic team in there as soon as possible.
Additionally, using in-house personnel can raise issues related to authentication that can increase the cost of admitting evidence. In-house personnel may be put through a challenge that could threaten the admissibility of critical evidence. If there is even a remote chance the matter could end up in court, best practices strongly suggest having the data analyzed by a computer forensic expert. The cost of expert analysis will almost always be far less than the cost of defeating a challenge to the admission of critical evidence.
Most in-house technology experts are concerned with mission-critical data and recovery from catastrophic data loss. They are not experts in the acquisition and preservation of data that is invisible to the operating system. Even the most well-intentioned technology expert can damage the fragile information stored on a computer, especially when the operating system does not recognize the data. The simple act of turning the computer on, or just looking through files, can potentially damage the very data you are looking for. File timestamps can be changed, files overwritten and evidence corrupted.
Accusations of evidence tainting are not rare in cases involving ESI when the party who owns or acquires the data also analyzes it. Issues such as accessibility to the data by other parties, experience and credentials of the person who acquired and reviewed the data, as well as other questions along these lines are typical and could prove problematic and costly.
For the above reasons, it is not advisable for an employer, employee, friend, etc. to perform the function of acquiring and reporting evidence if there is any chance of it being involved in litigation.
Professional, third-party companies like GDF are experienced in this type of work and are considered neutral and unbiased. Evidence obtained and submitted by certified professionals like GDF's is likely to carry much more weight in front of opposing counsel, corporate management, a jury or any other party.
GDF certified investigators employ the proper hardware and software to identify, isolate and preserve electronic information in a court-admissible manner. They possess the expertise and experience vital to efficiently analyze electronically stored information and uncover electronic evidence, relying on essential training and experience to ensure the court admissibility of the electronic evidence collected.
Q: What risks are there if I don't consult a computer forensics expert at the start of a problem?
A: The most frustrating aspect of forensic analysis is that the operating system reuses freed space on the hard drive as it needs it, in an order the examiner cannot predict. This means the longer a computer is used, the more likely it becomes that evidence will be lost. Fortunately, the operating system frequently records evidence in several places at once, so if the data is overwritten in one area, it may still reside in another. It is impossible to tell, however, whether the data most important to you will survive continued use of the computer. In fact, the simple act of turning the computer on or looking through files can potentially damage the very data you are looking for. File timestamps (created, modified and accessed) can be changed, files can be overwritten and evidence can be corrupted. The safest practice is to acquire an image of the computer as soon as possible; however, in the hands of a skilled forensics examiner, it may still be possible to find relevant data even after years of use.
Q: How do I figure out the ROI on contracting computer forensic services?
A: If you are thinking about performing this type of work yourself, or using your corporate IT department or local computer technician, consider not only the internal dollar cost, but also the possibility of your evidence being thrown out because of the method by which it was acquired, the qualifications of those who worked on it, or personal and business associations your staff might have with the subject.
The internal cost is not only the time you or your staff spend performing this work, but the double-barreled effect of also taking them away from their assigned responsibilities. Then, of course, there is the time spent writing reports (a 40 GB hard drive can hold over 9,101,420 pages of data), possible interrogatories and depositions, other internal issues, the spread of gossip and the resulting loss of productivity. All of these may occur and can affect you, your business and, most importantly, the outcome of your case or situation.
Q: How can computer forensics help us reduce loss and liability?
A: Consider the following: it is estimated that each year, billions of dollars are lost through employee theft, fraud and sabotage. But this is the direct cost only. Add to it billions more in investigation and litigation costs, lost productivity, the future value of intellectual property lost...the list goes on, as do the billions of dollars lost. Now, add the cost of the publicity surrounding employee malfeasance - the loss of reputation, employee morale, and a depressed stock price.
Finally, the regulatory and litigation environment we are in places a new, heightened level of personal responsibility and liability on the backs of corporate executives and directors for the activities of their employees and organizations. How much of that risk are you willing to take?
Often, using third-party computer forensic professionals like GDF costs far less than doing the work internally, both in dollars and in the odds of winning your case. GDF's rates are highly competitive, and you can count on us delivering fast, aggressive service anywhere in the world - anytime, day or night.
Q: How much do computer forensic investigations typically cost?
A: In the past, computer forensic examinations could run tens of thousands of dollars because of the manpower needed to thoroughly examine a hard drive. With advances in computer forensics technology, that is no longer the case. The software and hardware available now make the price of competent, professional computer forensics affordable and well worth the investment. Prices range from $250 to $350 an hour, and the process involves three basic steps: acquisition, analysis, and reporting. Acquisitions usually cost less than $500.00. Analysis and reporting, of course, depend on the nature of your case. In most instances, searching and reporting can be completed in less than 15 hours, and the total analysis usually costs less than $5,000.00 USD.
There is no reason computer forensic analysis needs to disrupt any business. Making an "image" of a computer system (even if several computers are involved) can be done during non-business hours, at night, or over a weekend. In many cases, the image can be acquired in less than 5 hours.
Q: As an attorney, I often hear that I may be liable for malpractice if I don't consider digital evidence. How realistic is this?
A: It is well known, and consistently proven, that computer or digital evidence is often the "smoking gun" in high-profile cases. Today, in businesses of all sizes, the majority of new information is created and stored in digital form on computer systems and devices of all sizes. It is indisputable that digital evidence, be it documents, databases or the omnipresent email, should always be considered a primary source of evidence. While malpractice is a harsh word, it is certainly not in any client's best interest to ignore potentially relevant sources of evidence, especially digital evidence.
Q: I think that a computer in my organization may contain important evidence. What do I do now?
A: STOP using the computer or device! Any use of this may DAMAGE, and/or TAINT any evidence present. If the suspected computer is turned off leave it off.
If the computer is on, DO NOT go through a normal "Shut Down" process... Call GDF for immediate instructions.
DO NOT allow the internal IT staff to conduct a preliminary investigation.
First, it is important to recognize that all you have initially is information and data, not evidence. Unless your IT staff are certified in computer forensics procedures and trained in evidentiary procedures (and very few are), they most likely have not maintained a correct chain of custody or followed other accepted evidence-handling techniques. Second, even if proper evidence-handling techniques have been used, the collection process itself has most likely altered and/or tainted the data collected. Opening, printing and saving files irrevocably changes their metadata. Third, the simple act of turning on the computer changes caches, temporary files and file slack, which, along with the alteration of the metadata, may have seriously damaged or destroyed any evidence that was present.
Depending on the damage done by the internal IT staff, a skilled computer forensics specialist may be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than the original analysis would have cost. Nevertheless, it is important to bear in mind that it is not always possible to restore evidence, especially meta-data timelines, from computers that have been mishandled. A good rule of thumb is to always use a certified third-party computer forensics company for digital evidence collection.
Keep a detailed log of who had access, what was done and where the computer has been stored since the dates in question.
When the hard drive is removed and sent to GDF for a forensic examination, make sure to document the date and time shown by the system's own clock and note how far it differs from a trusted reference clock, so that timestamps recovered from the drive can be corrected later.
Secure the computer.
Be prepared for litigation.
Computer forensics may be an unknown and mysterious discipline to many, but it is easy to avoid the most common procedural mistakes by following the guidelines outlined here. Only use a certified computer forensics expert and do not rely on internal IT staff for computer forensics investigations. If there is even a remote chance that evidence from a suspected computer system or digital device will be needed, contact GDF immediately and get the job done right.
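As an added example that is not GDF's code or procedure, the following script shows the forensically sound handling the page asks for at three points: imaging the drive before anything else (the "image, protect and preserve" step and the "acquire an image as soon as possible" advice), fixing the image with hashes that are re-verified before every later use, and writing a chain-of-custody log that records the seized system's clock offset against a trusted reference. The FakeDevice, its unreadable block and every timestamp are constructed; the acquisition mirrors what `dd conv=noerror,sync` does on a real drive, zero-filling a bad sector rather than skipping it so that every later offset stays aligned.

```python
"""Added example (not GDF's code): dd-style acquisition of a constructed fake
device, hash fixing of the image, a chain-of-custody log, and the clock-offset
note the page asks for. FakeDevice and all timestamps are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

BLOCK = 512


class FakeDevice:
    """Stand-in for a raw block device; blocks listed in bad_blocks raise I/O errors."""

    def __init__(self, payload, bad_blocks=()):
        self.payload = payload
        self.bad = set(bad_blocks)

    @property
    def blocks(self):
        return -(-len(self.payload) // BLOCK)  # ceiling division

    def read_block(self, n):
        if n in self.bad:
            raise OSError(f"I/O error reading block {n}")
        return self.payload[n * BLOCK:(n + 1) * BLOCK]


def acquire(device):
    """Bit-for-bit image. Like `dd conv=noerror,sync`, an unreadable block is
    zero-filled so every later offset stays aligned, and its number is recorded
    so the report can state exactly which sectors could not be read."""
    image = bytearray()
    unreadable = []
    for n in range(device.blocks):
        try:
            blk = device.read_block(n)
        except OSError:
            blk = b""
            unreadable.append(n)
        image += blk.ljust(BLOCK, b"\x00")
    return bytes(image), unreadable


def digests(data):
    """Two independent hashes of the image; recorded at acquisition and re-checked
    before every analysis session and again before the report is written."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify(image, recorded):
    return digests(image) == recorded


def clock_offset_seconds(system_clock, reference_clock):
    """Seconds the seized system's clock is ahead (+) or behind (-) a trusted
    reference; needed later to correct every timestamp pulled from the image."""
    return (system_clock - reference_clock).total_seconds()


class CustodyLog:
    """Append-only record of who did what to the evidence, and when."""

    def __init__(self):
        self.entries = []

    def record(self, when, actor, action, sha256=None):
        self.entries.append({"time": when.isoformat(), "actor": actor,
                             "action": action, "sha256": sha256})

    def to_json(self):
        return json.dumps(self.entries, indent=1)


def demo():
    # Constructed device content: 6 blocks of repeated byte values; block 3 is unreadable.
    payload = b"".join(bytes([i]) * BLOCK for i in range(6))
    device = FakeDevice(payload, bad_blocks=[3])

    reference = datetime(2024, 5, 6, 14, 0, 0, tzinfo=timezone.utc)  # trusted clock (constructed)
    system = reference + timedelta(minutes=12, seconds=34)            # what the seized machine showed
    log = CustodyLog()
    log.record(reference, "examiner",
               f"seized; system clock offset {clock_offset_seconds(system, reference):+.0f}s")

    image, unreadable = acquire(device)
    recorded = digests(image)
    log.record(reference + timedelta(minutes=40), "examiner",
               f"imaged {device.blocks} blocks, unreadable={unreadable}", recorded["sha256"])

    # A working copy with a single flipped byte is caught by re-verification.
    tampered = bytearray(image)
    tampered[100] ^= 0x01
    return {"image": image, "unreadable": unreadable, "recorded": recorded,
            "original_ok": verify(image, recorded),
            "tampered_ok": verify(bytes(tampered), recorded),
            "offset": clock_offset_seconds(system, reference),
            "log": log}


if __name__ == "__main__":
    r = demo()
    print("unreadable blocks:", r["unreadable"])
    print("original verifies:", r["original_ok"], "| tampered verifies:", r["tampered_ok"])
    print(r["log"].to_json())
```

On a real drive the acquisition is done through a hardware write blocker and the hashes are computed over the source device as well as the image; if the two differ, or a later re-verification fails, the log entry tells you which step and which person to look at.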
Q: How can I ship my computer and/or hard drive to GDF for a computer forensics investigation?
A: Please, before you do anything, call for complete instructions. GDF recommends that you have the disk drive(s) removed by an experienced computer technician and shipped to us. If necessary, GDF will talk you through the entire process. We can also provide on-site acquisition service at your location(s) for an additional cost.
Please do not ship anything to us without contacting us in advance and obtaining a "Case Code" which must be written on the shipping label. We will also determine and direct you to the closest lab for a quick turn-around.
Remember, disk drives are static sensitive, so we recommend that the drive(s) be placed in an anti-static bag and sealed. Wrap about 1/2 inch of solid foam or bubble wrap around the drive and tape it so all sides are sealed. Make sure the contents will not bounce around in the box you use. DO NOT USE 'PEANUTS' OR ANY STYROFOAM PACKING MATERIAL - THIS MATERIAL CREATES STATIC ELECTRICITY!!!
But first and foremost, get industry professionals like GDF involved as early as possible to dramatically increase the chances of a successful outcome for your case.