banner ad

Share |

DataChasers Inc. - Computer Forensics Experts

If your client has a computer, they need computer forensics. They may not know it; they may dismiss the logic; they may decline the service; but they still need it-every examination that I do emphasizes this truth. The computer has invaded our very existence, become a part of our lives, and is an integral part of almost every case.

Nearly all of my clients are like you-attorneys, practicing in all areas of law. Trial lawyers, civil attorneys, intellectual property, probate, patent, family law, plaintiff or defense-whatever, if your client has a computer it probably plays a role in the proceedings. My task is to best assist you, and to do that I must first create an awareness of being able to satisfy a need.



MAKING THE DECISION...

The first step in this process is explaining the discipline of computer forensics. This differs from data recovery, which is, as the name implies, recovery of data after an event affecting the physical data, such as a hard drive crash. Computer forensics goes much further. Computer forensics is a complete computer examination with analysis as the ultimate goal.

This means not only recovering deleted files (documents, graphics, etc.), but also searching the slack and unallocated space on the hard drive-places where a plethora of evidence regularly resides. It is tracing Windows artifacts-those tidbits of data left behind by the operating system-for clues of what the computer has been used for, and, more importantly, knowing how to find the artifacts, and evaluating the value of information. Forensic exams allow the processing of hidden files-files that are not visible or accessible to the user-that contain past usage information. It is reconstructing and analyzing the date codes for each file-determining when each file was created, last modified, last accessed and when deleted.

Computer forensics is being able to run a string-search for e-mail, when no e-mail client is obvious. An analysis will reveal Internet usage, recover data, and accomplish a full analysis even after the computer has been defragged and/or formatted. It is using industry-standard methodology, and supplying you with a concise report with clearly demonstrable results, something you can understand that is organized in a manner to make your job easier.

If any of this applies to your case, it's time to call a forensic computer expert.

WHAT'S IT WORTH...

Another factor to consider is the value of your case. There are several considerations to this. In the vast majority of cases an analysis will be successful, and much of the time it will be very successful. However, regardless of what you have been told, each case is different, and sometimes the desired evidence is not going to be on the computer. If that is the case, you have a right to be told so, and an experienced examiner will be able to advise you regarding the possibility and probability of finding what you're looking for.

For example, an attorney who needed the recovery of instant messages, which have, generally, a low probability of success, recently contacted me. I told him so, "Save your money, it's not worth it." He'd been given different advice-that there would be no problem-and went for it, much to his chagrin. However, on a different case, it might have been the right decision.

What's it worth? That depends. I use the analogy of a poker game. If it's a small pot, and you have a great hand, you'll call the raise-little risk. If it's a big pot, even if you have a poor hand, you may still call the raise because there is so much to be gained. But, if it's a small pot, you've got a mediocre hand, and it's a large raise, you'll probably fold-it's not worth the risk. This is much the same for a forensic computer exam. If there is a lot at stake, it's worth taking a chance to recover those instant messages. If it's a small pot, let it go.

WHAT TO DO, WHAT TO DO...

Billy Crystal, in City Slickers, talked about a "do-over." This may be a good thing in the movies, but it's a lousy idea in forensic computer analysis. I can make few guarantees, but among them is that if an examiner has to do an analysis after the computer has already been worked on, it will be more expensive to do-over, and the probability of good results will be compromised.

Also, you get what you pay for. You can fly to Europe in a prop-job, or you can fly on the Concord-if you are paying the same hourly rate, the Concord is obviously less expensive. But is the Concord worth more per hour? Maybe. The same applies in picking your forensic computer examiner. Compare certifications, experience, training, background, education, and experience. Ask for references. Query their equipment-is it state-of-the-art? If you get positive answers to the above inquiries, you're probably on the right track.

DON'T DESTROY YOUR OWN EVIDENCE...

I recently completed a case for a very large corporation. Unfortunately, in their haste to assist me, they actually hindered the process by allowing their in-house IT personnel to "help." The subsequent results were less than satisfactory. Here is how the conversation went with the CEO:

CEO: "Why can't you testify to the date that file was looked at?"

Me: "Because the date-stamps show the file was accessed several days after you confiscated the computer from the employee."

CEO: "You can tell that!"-embarrassed pause-"What difference does it make?"

Me: "Did your own people try to view the file, after it was confiscated?"

CEO: "Of course not!"

Me: "According to the forensics, somebody accessed that file after the computer was no longer in the hands of your employee. You've given them a defense."

At this point, there is generally a big sigh of resignation that says (although not in so many words), "We really screwed up, didn't we?" Had the question been spoken, my answer would be that they had, indeed, really screwed up.

The client made two mistakes. They did not bring counsel into the process soon enough (something I always encourage), and they allowed the evidence to be corrupted. In forensic computer exams, the biggest favor you can do for a client is to preserve the integrity of the computer, thus preserving the evidence for an experienced forensic computer examiner.

MAINTAIN COMPUTER DATA INTEGRITY...

  • If the computer is ON, leave it on; if it is OFF, leave it off. Each time an operating system boots up it writes to several hundred files, and overwrites data crucial to the investigation. I use tools specifically designed to acquire the data without booting into Windows. This data is retrievable if it is not over-written by the boot process.
  • Never allow company personnel to access the computer. This changes the date that files were last accessed and/or written to, stores contaminated data in files that are only accessible by forensic experts, and taints the evidentiary value of all data. I never boot into Windows; there is no way to do so and insure the hard drive's integrity as Windows writes to several hundred files during each boot process.
  • Never allow a copy to be made of the hard drive. A forensic copy differs from a Windows or DOS copy, which only copies existing, logical files-not the entire physical hard drive. We make a bit-copy of the entire physical hard drive, including slack (that data remaining in the unused portion of each cluster) and unallocated space (that space not assigned a FAT-File Allocation Table), where much of the needed data resides.

By following these simple suggestions you allow us to insure a thorough forensic examination that can be testified to at a later date.

Share |


DataChasers, Inc., is a select, exclusive computer forensics and e-discovery company. Our examiners find the evidence, interpret it, evaluate its importance, and articulate those facts to a jury. Computer forensics and e-discovery is our only business, and we welcome your inquiries about the process, or our procedures.

See DataCahsers' Listing on Experts.com.

©Copyright - All Rights Reserved

DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.