Which data location should a digital forensic investigator be concerned with losing first?

• What is “Computer Forensics”?
• What types of digital media devices can potentially hold data?
• What are the common situations in which Computer Forensics is used?
• What can a Computer Forensic examination provide?
• Can deleted emails be recovered?
• If someone uses a webmail account like Gmail, Yahoo or Hotmail, is it possible to find that email?
• Can deleted files be recovered?
• Can password protected files be accessed?
• What is does the term “metadata” mean?
• I think that a computer in my company may contain important evidence. What do I do?
• I think that a cellphone in my company may contain important evidence. How should I handle it?
• What are the cons to NOT calling a Computer Forensic expert immediately?
• We have no plans to take anyone to court and merely want to make sure that an employee is not violating our company policy. Can’t we just have our in-house IT staff take a look?
• What if we have already utilized our in-house IT staff and the recovery didn’t go as planned —can you still assist us?
• How does Computer Forensics differ from data recovery?
• What types of data do you focus on in your investigations?
• How does the Certified Computer Forensic Investigators’ recovery process work?
• What do I receive after a computer investigation?
• What does a computer forensic examination cost?

Have a question that isn't on our FAQ?  Contact Andrew Donofrio our Director of Cyber Security & Digital Forensics

What is “Computer Forensics?”
Computer Forensics, also known as Digital Forensics, is a scientific examination by a certified computer forensic specialist, which includes the identification, collection, preservation and analysis of all forms of Electronically Stored Information (ESI), (aka digital information or electronic data), in such a way that the information obtained can later be used as evidence in a court of law.
This Electronically Stored Information (e.g. email messages, digital images, network log files, etc.) can be found on computer hard drives, servers and other digital storage media (e.g. computers, thumb drives, DVD, CD-ROM, mobile phones). It includes any device that has a digital “brain” to store information.
Computer Forensics is used to create a digital picture or Image of the ESI, therefore the examiner can later look for digital evidence on the acquired Image and attempt to re-create a time-line of how the data was used in relation to the matter under investigation.

Computer forensics is a specialized service that provides and documents digital evidence for possible use in litigation. A computer forensic investigation is highly disciplined and the results can be repeated and proven to be accurate, which is crucial for any digital evidence to be admissible in court.
back to top

What types of digital media devices can potentially hold data?

• Computers
• iPads and laptops
• Smartphones and most other cell phones
• MP3 music players, iPods
• Hard Drives
• Digital Cameras
• USB Memory Devices
• PDAs (Personal Digital Assistants)
• Backup Tapes
• CD-ROMs & DVD’s

back to top

What are the common situations in which Computer Forensics is used?

• Unauthorized disclosure of corporate information
• Theft of intellectual property or trade secrets
• Employee Internet abuse or other violations of a computer policy
• Other Workplace Misconduct
• Damage assessment and analysis (post incident)
• Industrial espionage
• Negligence, sexual harassment, and deception cases
• Evidence collection for future employee termination
• Criminal fraud and white-collar crime
• More general criminal cases and many civil cases

back to top

What can a Computer Forensic examination provide?

• Data Recovery of deleted, encrypted or hidden computer files even after a hard drive has been reformatted or repartitioned
• Passwords for password protected or encrypted files
• Determination of:
  • Web sites that have been visited
  • Files that have been uploaded or downloaded
  • When files (docs, pictures, etc) were last accessed/deleted
  • User login times and passwords
• Discovery of:

  • Attempts to conceal, destroy, or fabricate evidence

  • Text that was removed from the final document version

  • Faxes sent or received on a computer

  • Email, texts webmail, and attachments, even if deleted

  • Other types of communications strings (IM chat logs)

back to top

Can deleted emails be recovered?
Deleted emails can be recovered in the majority of cases, but there is no guarantee. Deleted emails can be recovered depending on the type of email client (Outlook, Entourage, Thunderbird, etc.) and how the server (Exchange, Lotus Notes) is configured.

When emails are deleted from your Inbox there is still a chance that they reside on the server or in other areas of a computer. Computer forensic tools and methods allow for the data extraction and examination of email storage including information that had been previously deleted.

back to top

If someone uses a webmail account like Gmail, Yahoo or Hotmail, is it possible to find that email?
Web-based email programs such as these do offer the ability to recover information even when the computer is not on the Internet. Web browsers (Internet Explorer, Firefox, Chrome, Safari, etc.) store temporary internet files on the computer that can later be retrieved by computer forensics.

back to top

Can deleted files be recovered?
Although each situation is unique, there is a very good chance that a Computer Forensics investigator can recover deleted files from the subject’s hard drive. When a file is deleted using standard methods, the contents of the file are not actually erased from the hard drive; the operating system merely erases a pointer to the file so that the file does not appear in the folders or directories, the file is actually still there. Contrary to popular belief, digital files are not vaporized when the delete button is pushed, and therefore, such files are usually recoverable and usable.

back to top

Can password protected files be accessed?
A certified computer forensic examiner has a will have a combination of sophisticated hardware tools and software programs to unlock certain types of password protected files. Depending on the type of file and the speed of the computer, some programs can try hundreds of thousands of passwords per second. However, longer and more complex passwords are more of a challenge to crack.

back to top

What is does the term “metadata” mean?
Metadata is data about the data. Metadata is very important in Computer Forensic investigations as it describes essential aspects of the data (or document) including information about the author of the document, the last print time or when the file was created, accessed or modified. Because metadata is fundamentally data, it requires the same forensic scrutiny as any other form of data and often is not visible unless special tools and methods are used.

back to top

I think that a computer in my company may contain important evidence. What do I do?

Most importantly, let’s begin with what you should NOT do:

Do NOT use the computer or attempt to search for evidence, as any further use of the computer may damage and taint any evidence that might exist on the device.

Do NOT turn it on. If the suspected computer is turned off - leave it off.

A trained computer forensic investigator will use specific methods, tools and procedures to retrieve and preserve critical electronically stored information. By powering on the system you run the risk of changing the data on the computer forever and losing valuable evidence.

If the computer is on, Do NOT initiate a normal “Shut Down” process and shut the computer off. If you must shut down the computer, unplug it from the back of the tower or the outlet.

If a computer is on or running, it is important to collect the information about running programs or applications. When a computer is used or turned off, valuable information will be lost permanently. Also when a computer is turned off, it initiates a set of commands and actions that can change the contents of a hard drive. It is very important when investigating a powered on computer that has been compromised or contains evidence that a live computer forensic examination is performed, if possible

Do NOT type on the keyboard or move the mouse.

Do NOT allow the internal IT staff to conduct a preliminary investigation.

Do NOT remove any USB Drives/Devices, SD cards, or other devices that are connected to the computer.

But in addition, always be sure you DO complete the following:

Do store the computer in a secure place, and/or, if possible secure the area in which the computer is located.

Do keep a detailed log of

• who had/has access to the computer

• what was done, if anything

• when was it done

• where the computer been stored since the incident

Do photograph the screen if computer is “on” and something is displayed on the monitor.

Do contact MSA Investigations immediately.

back to top

I think that a cellphone in my company may contain important evidence. How should I handle it?
Cell phones, iPads, digital cameras and other mobile devices store data directly to internal memory that is more volatile, and can be lost when the device is shut off or the battery is depleted (or removed). Please follow these guidelines to secure these devices for future examination:

If the device is “off”, do not turn it “on”.

If the device is on, leave it on. Shutting down the device could enable password, thus preventing access to evidence and/or result in the loss of data evidence.

Photograph device and screen display (if available).

Label and collect all cables and transport with the device.

Keep the device charged.

If the device cannot be kept charged, analysis by a specialist must be completed prior to battery discharge or the data may be lost.

Document all steps involved in the seizure of the device and its components.

back to top

What are the cons to NOT calling a Computer Forensic expert immediately?
The longer a computer or digital device is used or awaits inspection, the higher probability that the digital evidence will be tainted or lost. It is essential to understand that the operating system of a computer continually overwrites data on the hard drive, and does so in a random pattern. This means that the longer a computer is used, the more likely it is that evidence will be lost. Fortunately, the operating system frequently records evidence in several places simultaneously, so if the data is overwritten in one area, it may still reside in another.

It’s also true that the simple act of turning the computer on or looking through files can potentially damage the very data you’re seeking. The file creation dates can change, files can be overwritten, and evidence can be corrupted. But all of these risks can be lessened by contacting a Computer Forensics expert immediately, and acquiring an image of the computer as quickly as possible without destroying or altering any valuable evidence.

back to top

We have no plans to take anyone to court and merely want to make sure that an employee is not violating our company policy. Can’t we just have our in-house IT staff take a look?

There are four main reasons why in-house IT is not the best choice for such a task:

• Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use. Taking the wrong steps in these circumstances can irretrievably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.

• Even if proper evidence handling techniques have been used by in-house IT, the collection process itself has altered and has likely tainted the data collected. We have seen it happen. We often receive computers to examine after a company's computer personnel have attempted to recover evidence from it. In their attempts they have destroyed important evidence such as the date that files were last accessed.

• In addition to the lack of skills, hardware, and software, using an in-house employee can make you vulnerable to allegations of fabricating evidence and other impropriety. You should avoid conflicts of interest that arise from using your own IT staff by hiring an independent expert. An outside computer forensics expert should be brought in as soon as possible to work with the IT, legal and/or compliance personnel to offer an outside-unbiased perspective. Courts favor use of neutral third-party analysis.

• It is unlikely your employee qualify in court as an expert in the forensic examination of a computer. As non-experts, they would only be allowed to testify to facts, and would not be permitted to testify to opinions or conclusions as an expert would.

In summary, an in-house IT staff may have a considerable amount of knowledge and experience with computers—perhaps even data recovery—it is highly unlikely that they have the requisite knowledge of the forensic protocols that must be observed to find all of the evidence, protect the data, and ensure the admissibility of evidence in civil or criminal trials. We take steps to safeguard the computer data, and we have the training, experience, and tools to conduct a thorough examination of computer data and interpret what we find. Additionally, if an employee is terminated as a result of the investigation, and litigation does ensue at a later date, you almost certainly will have the e-evidence necessary to support your case in court.

back to top

What if we have already utilized our in-house IT staff and the recovery didn’t go as planned —can you still assist us?
Depending on the damage done by the internal IT staff, a skilled computer forensics vendor may be able to salvage some of the damaged evidence. However this can be an arduous and time-consuming process that often costs several times more than the original analysis would have cost.

back to top

How does Computer Forensics differ from data recovery?
The goal of data recovery procedures is solely to recover the files and folders lost from damaged disk drives, media, computers, peripherals or operating systems due to disk or system failure, unintentional deletion, or other unexpected circumstance, without monitoring the usage of the device. Generally, data recovery could be considered the first step in gathering evidence in a computer forensics investigation.

When digital media is imaged (an exact replica of the original), all files and folders are recovered along with deleted data. Also, the ability to view any hidden or un-partitioned space is gained as well. Computer Forensics is a service that is concerned with providing evidence (or proving a lack of evidence) regarding how a computer was used, what files were accessed and at what time, and who had accessed them. Computer Forensics investigators are able to find, assemble, analyze, and explain large amounts of digital information that would not be particularly helpful for data recovery services, but are invaluable in a court of law.

back to top

What types of data do you focus on in your investigations?
In computer forensics, there are three types of data that we are concerned with - active, archival, and latent.

• Active data is the information that you and I can see. Data files, programs, and files used by the operating system. This is the easiest type of data to obtain.

• Archival data is data that has been backed up and stored. This could consist of backup tapes, CD's, floppies, or entire hard drives to cite a few examples.

• Latent (also called ambient) data is the information that one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.

back to top

How does the Certified Computer Forensics Investigators’ recovery process work?
The first step is to clearly determine the purpose and objective of the Investigation. Then they will secure the subject system from tampering or unauthorized changes during the investigation.

Next, the investigation discovers all files on the subject's system. In many cases, information gathered during a computer forensics investigation is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files (known by computer forensic practitioners as slack space). Special skills and tools are needed to obtain this type of information or evidence.

Then, the investigation copies, protects and preserves the evidence from any possible alteration, damage, data corruption, or virus introduction that may render the evidence inadmissible in court.

Then, the investigation recovers all deleted files and other data not yet overwritten. A deleted file will remain resident on a hard drive until the operating system overwrites all or some of the file. So in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The on-going use of a computer system may destroy data that could have been extracted before being overwritten.

Finally, the investigation includes an analysis of all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as 'slack' space in a file.

back to top

What do I receive after a computer investigation?
The computer forensic expert will provide a detailed report that explains the:

• Processes taken in acquiring and securing the electronic evidence

• Qualifications of the examiner

• Scope of the examination

• Findings of the examination

• Examiner’s conclusions

Please note, the findings section may include file listings including file date/timestamps, document printouts, e-mail printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results.

The examiner’s conclusions may be the most critical component of the final report. These conclusions based upon the examiner’s expertise and experience in the field of computer forensic technology often forms the basis for expert testimony in a court proceeding or for the filing of an affidavit.

back to top

What does a computer forensic examination cost?
We charge $325/hour for forensic analysis and require a $5,000 retainer for ordinary cases (a single PC or Mac with an 80 gigabyte hard drive or less). An average in-depth examination generally takes a minimum of 12 hours, though this can vary greatly for any given situation.

The cost includes the three basic components of the full investigation: Acquisition, Investigation, and Reporting. On their own, acquisitions usually cost approximately $750.00. Investigation and reporting, of course, depend on the nature of your case.

back to top

What is the first phase of investigation in digital forensics?

How does a digital forensic analyst find data in files that may be lost?

Which evidence source should be collected first when considering the order of volatility?

What are the four steps of a digital forensics investigation?