What is “Computer Forensics”?
Computer Forensics is a scientific examination that includes the identification, collection, preservation and analysis of all forms of Electronically Stored Information (ESI), also known as digital information, in such a way that the information obtained can later be used as evidence in a court of law.
This Electronically Stored Information (e.g. email messages, digital images, network log files, etc.) can be found on computer hard drives, servers and other digital storage media (e.g. computers, thumb drives, DVD, CD-ROM, mobile phones). It includes any device that has a digital brain to store information.
Computer Forensics is used to create a digital picture of the ESI, so that the examiner can later look for digital evidence on the acquired media and attempt to re-create a time-line of how the data was used in relation to the matter under investigation.
Computer forensics is a specialized service that provides and documents digital evidence for possible use in litigation. A computer forensic investigation is highly disciplined and the results can be repeated and proven to be accurate, which is crucial for any digital evidence to be admissible in court.
What types of digital media devices can potentially hold data?
What are the common situations in which Computer Forensics is used?
- Unauthorized disclosure of corporate information (by accident or design)
- Employee Internet abuse or other violations of a computer policy
- Damage assessment and analysis (post incident)
- Industrial espionage
What can a Computer Forensic examination provide?
o Web sites that have been visited
o Files that have been uploaded or downloaded
o When files (docs, pictures, etc.) were last accessed/deleted
o User login times and passwords
o Attempts to conceal, destroy, or fabricate evidence
o Text that was removed from a document's final version
o Faxes sent or received on a computer
o Email, texts, webmail and attachments, even if deleted
o Other types of communications strings (IM chat logs)
Can deleted emails be recovered?
Deleted emails can be recovered in the majority of cases, but there is no guarantee. It depends on the relevant factors. For example, if the emails have not been completely overwritten, then the email should be recoverable, but if they have been partly overwritten, the possibility is lessened. Additionally, if the file was fragmented before it was deleted, recovery may be very difficult, but it is possible.
Can deleted files be recovered?
There is a very good chance that a Computer Forensics investigator can recover deleted files from the subject’s hard drive. When a file is deleted using standard methods, the contents of the file are not erased from the hard drive.
Contrary to popular belief, digital files are not vaporized when the delete button is pushed, and therefore, such files are usually recoverable and usable.
I think that a computer in my company may contain important evidence. What do I do?
Most importantly, let’s begin with what you should NOT do:
Do NOT use the computer or attempt to search for evidence, as any further use of the computer may damage and taint any evidence that might exist on the device.
Do NOT turn it on. If the suspected computer is turned off - leave it off.
If the computer is on, Do NOT go through a normal “Shut Down” process. If you must shut down the computer, unplug it from the back of the tower or the outlet.
Do NOT type on the keyboard or move the mouse.
Do NOT allow the internal IT staff to conduct a preliminary investigation.
Do NOT remove any USB Drives/Devices, SD cards, or other devices that are connected to the computer.
But in addition, always be sure you DO complete the following:
Do store the computer in a secure place, and if possible secure the area in which the computer is located.
Do keep a detailed log of:
- who had/has access to the computer
- what was done, if anything
- when it was done
- where the computer has been stored since the incident
Do photograph the screen if computer is “on” and something is displayed on the monitor.
Do contact MSA Investigations immediately.
I think that a cellphone in my company may contain important evidence. How should I handle it?
Cell phones, iPads, digital cameras and other mobile devices store data directly to internal memory that is more volatile, and can be lost when the device is shut off or the battery is depleted (or removed). Please follow these guidelines to secure these devices for future examination:
If the device is “off”, do not turn it “on”.
If the device is on, leave it on. Shutting down the device could enable a password lock, preventing access to evidence and/or resulting in the loss of data evidence.
Photograph the device and its screen display (if available).
Label and collect all cables and transport them with the device.
Keep the device charged.
If the device cannot be kept charged, analysis by a specialist must be completed prior to battery discharge or the data may be lost.
Document all steps involved in the seizure of the device and its components.
What are the cons to NOT calling a Computer Forensic expert immediately?
It is essential to understand that the operating system of a computer continually overwrites data on the hard drive, and does so in a random pattern. This means that the longer a computer is used, the more likely it is that evidence will be lost. Fortunately, the operating system frequently records evidence in several places simultaneously. So if the data is overwritten in one area, it may still reside in another. However, it is impossible to tell whether the data that is most important to you will survive the constant use of the computer. It’s true that the simple act of turning the computer on or looking through files can potentially damage the very data you’re seeking. The file creation dates can change, files can be overwritten, and evidence can be corrupted. But all of these risks can be lessened by contacting a Computer Forensics expert immediately, and acquiring an image of the computer as quickly as possible without destroying or altering any valuable evidence.
We have no plans to take anyone to court and merely want to make sure that an employee is not violating our company policy. Can’t we just have our in-house IT staff take a look?
There are four main reasons why in-house IT is not the best choice for such a task:
- Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use. Taking the wrong steps in these circumstances can irretrievably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.
- Even if proper evidence handling techniques have been used by in-house IT, the collection process itself has altered and has likely tainted the data collected. We have seen it happen. We often receive computers to examine after a company's computer personnel have attempted to recover evidence from it. In their attempts they have destroyed important evidence such as the date that files were last accessed.
- In addition to the lack of skills, hardware, and software, using an in-house employee can make you vulnerable to allegations of fabricating evidence and other impropriety. We are an independent firm and integrity is the keystone of our company.
- It is unlikely that your employee would qualify in court as an expert in the forensic examination of a computer. As non-experts, they would only be allowed to testify to facts, and would not be permitted to testify to opinions or conclusions as an expert would.
In summary, while an in-house IT staff may have a considerable amount of knowledge and experience with computers (perhaps even data recovery), it is highly unlikely that they have the requisite knowledge of the forensic protocols that must be observed to find all of the evidence, protect the data, and ensure the admissibility of evidence in civil or criminal trials. We take steps to safeguard the computer data, and we have the training, experience, and tools to conduct a thorough examination of computer data and interpret what we find. Additionally, if an employee is terminated as a result of the investigation, and litigation does ensue at a later date, you almost certainly will have the e-evidence necessary to support your case in court.
What if we have already utilized our in-house IT staff and the recovery didn’t go as planned? Can you still assist us?
Depending on the damage done by the internal IT staff, a skilled computer forensics vendor may be able to salvage some of the damaged evidence. However this can be an arduous and time-consuming process that often costs several times more than the original analysis would have cost.
How does Computer Forensics differ from data recovery?
The goal of data recovery procedures is solely to recover the files and folders lost from damaged disk drives, media, computers, peripherals or operating systems due to disk or system failure, unintentional deletion, or other unexpected circumstance, without monitoring the usage of the device. Generally, data recovery could be considered the first step in gathering evidence in a computer forensics investigation.
When digital media is imaged (an exact replica of the original), all files and folders are recovered along with deleted data. Also, the ability to view any hidden or un-partitioned space is gained as well. Computer Forensics is a service that is concerned with providing evidence (or proving a lack of evidence) regarding how a computer was used, what files were accessed and at what time, and who had accessed them. Computer Forensics investigators are able to find, assemble, analyze, and explain large amounts of digital information that would not be particularly helpful for data recovery services, but are invaluable in a court of law.
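The imaging step described above, together with the hash verification that makes an acquisition repeatable and provable (the point made about admissibility at the top of this page), as an added Python example that is not part of this page or of MSA Investigations' own tooling. It writes a constructed pseudo-device file to a temporary directory, images it, hashes source and image with SHA-256, records a custody entry, and shows that a single byte altered later is caught by a re-check; the examiner name and file names are hypothetical.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read and write in 1 MiB pieces so large media never sit in RAM

def sha256_of(path):
    """Hash a file in chunks; the same routine serves source, image and later re-checks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, examiner):
    """Copy `source` byte for byte to `image`, then prove the copy is exact.

    Returns a custody record (who, what, when, hashes). A hash mismatch raises,
    because an unverified image must not be treated as evidence.
    """
    started = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    source_hash, image_hash = sha256_of(source), sha256_of(image)
    if source_hash != image_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    return {"examiner": examiner, "source": os.path.abspath(source),
            "image": os.path.abspath(image), "size_bytes": os.path.getsize(image),
            "sha256": image_hash, "started_utc": started,
            "verified_utc": datetime.now(timezone.utc).isoformat()}

def verify_image(image, expected_sha256):
    """Re-hash an image at any later time to show it is still the one acquired."""
    return sha256_of(image) == expected_sha256

def demo():
    """Constructed sample: a small random pseudo-device file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src, img = os.path.join(tmp, "device.raw"), os.path.join(tmp, "device.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 17))  # odd size: last chunk is a partial read
        record = acquire_image(src, img, "examiner (hypothetical)")
        intact = verify_image(img, record["sha256"])
        with open(img, "r+b") as f:  # flip one byte to show a later change is detected
            f.seek(1000); original = f.read(1)
            f.seek(1000); f.write(bytes([original[0] ^ 0xFF]))
        return record, intact, verify_image(img, record["sha256"])
```

On real media the source would be a block device opened read-only (ideally behind a hardware write blocker) rather than a file, and the record would be kept with the custody log.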
What types of data do you focus on in your investigations?
In computer forensics, there are three types of data that we are concerned with - active, archival, and latent.
- Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.
How does the Certified Computer Forensics Investigators’ recovery process work?
The first step is to clearly determine the purpose and objective of the investigation. Then the investigators secure the subject system from tampering or unauthorized changes during the investigation.
Next, the investigation discovers all files on the subject's system. In many cases, information gathered during a computer forensics investigation is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the unused remainder of the space allocated to existing files (known by computer forensic practitioners as slack space). Special skills and tools are needed to obtain this type of information or evidence.
Then, the investigation copies, protects and preserves the evidence from any possible alteration, damage, data corruption, or virus introduction that may render the evidence inadmissible in court.
Then, the investigation recovers all deleted files and other data not yet overwritten. A deleted file will remain resident on a hard drive until the operating system overwrites all or some of the file. So in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The on-going use of a computer system may destroy data that could have been extracted before being overwritten.
Finally, the investigation includes an analysis of all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as 'slack' space in a file.
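An added Python example, not from this page or from MSA Investigations, covering both the earlier answer on recovering deleted files and the slack and unallocated space in the last two steps above. It builds a constructed toy volume (8 clusters of 32 bytes with a made-up directory table, not a real filesystem format) and shows recovering an intact deleted file, flagging one that an active file has partly overwritten, reading file slack, and running a keyword search over unallocated space; all file names and contents are constructed.

```python
import math
import re
CLUSTER = 32  # constructed toy volume: 8 clusters of 32 bytes; cluster 0 is reserved
# Constructed directory table; a deleted entry still records its start cluster and size.
DIRECTORY = [
    {"name": "memo.txt",   "start": 1, "size": 62, "deleted": True},
    {"name": "notes.txt",  "start": 3, "size": 12, "deleted": False},
    {"name": "plan.txt",   "start": 4, "size": 41, "deleted": True},
    {"name": "report.txt", "start": 4, "size": 30, "deleted": False},  # reused plan's cluster 4
]

def build_image():
    """Constructed disk image whose write history matches DIRECTORY (oldest write first)."""
    img = bytearray(8 * CLUSTER)
    def put(cluster, data):
        img[cluster * CLUSTER:cluster * CLUSTER + len(data)] = data
    put(1, b"MEMO: move the customer list to my personal webmail by Friday.")  # later deleted
    put(3, b"DRAFT: wipe the audit logs")   # old content of cluster 3, then overwritten by:
    put(3, b"notes.txt OK")                 # 12-byte active file; bytes 12-31 are its slack
    put(4, b"PLAN: sell the schematics to a competitor")  # deleted; spanned clusters 4-5
    put(4, b"REPORT: Q3 sales are on target")            # active file that reused cluster 4
    return bytes(img)

def clusters(entry):
    return range(entry["start"], entry["start"] + math.ceil(entry["size"] / CLUSTER))
def allocated_clusters(directory):
    return {c for e in directory if not e["deleted"] for c in clusters(e)}

def file_slack(img, entry):
    """Bytes between a file's logical end and the end of its last cluster."""
    return img[entry["start"] * CLUSTER + entry["size"]:(clusters(entry)[-1] + 1) * CLUSTER]

def unallocated_space(img, directory):
    """(offset, bytes) for every cluster that no active file owns."""
    used = allocated_clusters(directory) | {0}
    return [(c * CLUSTER, img[c * CLUSTER:(c + 1) * CLUSTER])
            for c in range(len(img) // CLUSTER) if c not in used]

def recover_deleted(img, directory):
    """Read each deleted entry's clusters; flag those an active file has since reused."""
    used, out = allocated_clusters(directory), {}
    for e in (e for e in directory if e["deleted"]):
        start = e["start"] * CLUSTER
        state = "partially overwritten" if set(clusters(e)) & used else "intact"
        out[e["name"]] = (img[start:start + e["size"]], state)
    return out

def keyword_hits(regions, keyword):
    """Keyword search over (offset, bytes) regions such as slack or unallocated space."""
    return [(off + m.start(), m.group().decode("ascii", "replace"))
            for off, blob in regions for m in re.finditer(re.escape(keyword), blob)]
```

The hit offsets are byte offsets into the image, which is what an examiner's report cites for text fragments carved from slack or unallocated space.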
What do I receive after a computer investigation?
The computer forensic expert will provide a detailed report that explains the:
Please note, the findings section may include file listings including file date/timestamps, document printouts, e-mail printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results.
The examiner’s conclusions may be the most critical component of the final report. These conclusions, based upon the examiner’s expertise and experience in the field of computer forensic technology, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.
What does a computer forensic examination cost?
We charge $325/hour for forensic analysis and require a $5,000 retainer for ordinary cases (a single PC or Mac with an 80 gigabyte hard drive or less). An average examination generally takes a minimum of 15 hours, though this can vary greatly for any given situation.
The cost includes the three basic components of the full investigation: Acquisition, Investigation, and Reporting. On their own, acquisitions usually cost about $750.00. Investigation and reporting, of course, depend on the nature of your case. In most instances, searching and reporting can be completed in less than 15 hours and the total analysis is usually less than $6,500.