

Computer Sleuth: Beating Down The Evidence Trail With Computer Forensics

As similarly published in California CPA, March/April 2003

By: Robert P. Green, CPA/CITP and Scott Cooper, CMC
Tel: 310-466-8600 Fax: 310-466-8601

Think Sherlock Holmes sans the goofy hat and magnifying glass. Today's digital sleuths enlist the tactics that once were only the purview of FBI and police investigators.

The tools of computer forensics play a vital role in resolving matters in the corporate world and litigation process by enhancing the evidence pool, establishing truths otherwise left undiscovered and, consequently, contributing to more efficient and rapid resolution, judgments or settlements.

But as computer forensics and electronic discovery--its legal-oriented practice subset--are becoming more a part of the litigation fabric, lawyers, CPAs and other professionals are exclaiming, "I wish I understood this a month ago. We really could have used these tools!"

Well, your wish has come true. The following is a guide to computer forensics--what it is and when it should be used.


Put simply, computer forensics focuses on the acquisition, restoration and analysis of digital data.

In the business world, computer forensics can be used to restore corrupted or lost data, resurrect outdated systems and software environments, and analyze common security breach activities.

Such steps are generally taken when, despite a company's prudent efforts, something has gone wrong in its computing environment.

Also, attorneys use computer forensic-based methods, or electronic discovery, when they are searching for digital evidence that will help them with their case.

For CPAs, computer forensics can be used with forensic accounting practices to provide a more thorough, corroborated evidence position.


Digital data is electronic information that is created in, and utilized by, computer systems and their related applications. Such data is found in everything from hard drives, laptops and PDAs (such as Palm Pilots and iPaqs), to backup tapes, e-mail servers, CDs, DVDs and other computer network components.

This data is found in "active" files, such as e-mails and documents stored on hard drives. Typically, these files are ones that can more easily be accessed and are those that employees tend to use most often.

Data also lives in other forms that are not so simple to find. Think hitting the "delete" button has purged that e-mail forever? Think again.

Computer forensics can track down deleted files, hidden files, files created by the system or by software that users are not aware of (such as an automatic backup of a document), or fragmented files that are scattered throughout the storage devices we use.


When digital data is compromised--either lost, stolen, deleted or otherwise manipulated--and can be of evidential value for a potential lawsuit, electronic discovery practices come into play.

Electronic discovery is accomplished through several steps, including:
  • Strategizing: Collaborating with counsel, CPAs, corporate officers and others to understand the objectives of the claim, learn the specifics of the computing environment and determine how to best use computer forensics. This strategy can include digitally corroborating nondigital findings, such as paper evidence, as well as drafting discovery requests related to the information technology of an enterprise and participating in related depositions.

  • Acquiring: Gathering the digital data that supports the objectives of the issue at hand or claim. Acquisition targets should include all "states" of data--active files, as well as hidden or deleted files, and backup files.

  • Searching: Seeking attributes, patterns or other key data elements, such as keywords, phrases or patterns that are consistent with the objectives of the claim or issue at hand.

  • Analyzing: Strategically deploying proprietary and other tools and methodologies to accomplish agreed-upon objectives.

  • Reporting: Combining the written, oral, and expert witness presentation of findings to support engagement objectives.


From a risk perspective, two factors are key: the timing of the acquisition of the digital data in question, as well as the quality of the acquisition.

With regard to the timing risk, be aware that computer systems aren't picky about what deleted or other nonactive data is written over when drive space is required for an active file. Thus, it is critical that the components of the computer environment which hold the digital data in question be taken "offline" from other system activities as soon as computer forensic activities are initiated and until the data can be acquired.

With regard to the quality risk, courts have held that when digital data was not acquired in the proper manner, it may not be considered the strongest or best evidence. Always consult an expert before sending out a nearby office network administrator who is not familiar with computer forensics tools and data search and retrieval.


The following are brief summaries of sample cases in which electronic discovery has played a successful role:

Accounting Revenue Recognition Dispute--In advancing funds under a credit facility, an entity's lending institution relied upon the consistent application of revenue recognition policies, including those related to the shipment of products, as reported in the internal financial statements produced by the entity.

A dispute arose about whether or not certain shipments by the entity occurred within a certain accounting reporting period.

Computer forensics and forensic accounting tools were deployed to resurrect the accounting systems in place at the time of the dispute and ultimately discovered that the entity had intentionally not complied with its stated revenue recognition policies. Rather, it had accelerated the recording (and thus the reporting) of certain transactions related to product shipments so as to obtain funding earlier.

Contract Dispute--A plaintiff argued that, based on certain correspondence, he was owed a certain percentage of the proceeds from the sale of a business. The defendant argued that the percentage was significantly less than the plaintiff contended.

Through deposition inquiries surrounding digital data and use of computer forensics tools to analyze nonactive and active files, evidence was discovered that provided proof of correspondence and a percentage to support the claim.

Sexual Harassment and Termination of Executive--Electronic discovery techniques provided proof that a terminated high-ranking executive was indeed engaging in pornographic and other nontasteful activities during business hours and on business premises.

Marital Dispute--A wife claimed that prior to the divorce, the husband was actively involved with a company that, subsequent to the divorce, filed a registration statement with the SEC for a large sum of capital. Electronic discovery techniques, combined with effective discovery requests surrounding the relevant digital data, helped determine the merit of the wife's claim.


Computer forensics and electronic discovery services often are provided in a "baby step" approach, and can range from several thousands of dollars to hundreds of thousands of dollars.

The initial steps--acquisition, initial inspection and general strategy--usually require several thousand dollars to target a single computer. After initial findings, the extent of hourly services depends on how much forensic activity is necessary.


Computer forensics and electronic discovery have proven to be valuable tools for the business community and litigators. They are most effective when performed by professionals who collaborate with executives and their professional advisers from both a technological and business perspective.

This expertise can ultimately provide evidentiary matter that otherwise would go uncovered and is crucial to resolving issues and claims.

Robert Green, CPA/CITP, and Scott Cooper, CMC, were, at the time of the publication of this article, principals at INSYNC Consulting Group Inc., an information technology professional services firm.

©Copyright 2003 - All Rights Reserved

