Your browser is currently set to block JavaScript.

For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.

After enabling javascript, please refresh the page to go back to site with full functionality

Would you turn off/on JavaScript?

It's a widely used language that makes the web what it is today, allowing for websites to be more responsive, dynamic, and interactive. Disabling JavaScript takes websites back to a time when they were simple documents without any other features.

What are the advantages of using JavaScript?

Speed. Since JavaScript is an 'interpreted' language, it reduces the time required by other programming languages like Java for compilation. JavaScript is also a client-side script, speeding up the execution of the program as it saves the time required to connect to the server.

banner ad
Experts Logo


Computer Sleuth: Beating Down The Evidence Trail With Computer Forensics

As similarly published in California CPA, March /April 2003

By: Robert P. Green, CPA/CITP and Scott Cooper, CMC
Tel: 310-466-8600 Fax: 310-466-8601
Email Scott Cooper:

Profile on

Think Sherlock Holmes sans the goofy hat and magnifying glass. Today's digital sleuths enlist the tactics that once were only the purview of FBI and police investigators.

The tools of computer forensics play a vital role in resolving matters in the corporate world and litigation process by enhancing the evidence pool, establishing truths otherwise left undiscovered and, consequently, contributing to more efficient and rapid resolution, judgments or settlements.

But as computer forensics and electronic discovery--its legal-oriented practice subset--are becoming more a part of the litigation fabric, lawyers, CPA s and other professionals are exclaiming, "I wish I understood this a month ago. We really could have used these tools!"

Well, your wish has come true. The following is a guide to computer forensics-- what it is and when it should be used.


Put simply, computer forensics focuses on the acquisition, restoration and analysis of digital data.

In the business world, computer forensics can be used to restore corrupted or lost data, resurrect outdated systems and software environments, and analyze common security breach activities.

Such steps are generally taken when, despite a company's prudent efforts, something has gone wrong in its computing environment.

Also, attorneys use computer forensicbased methods, or electronic discovery, when they are searching for digital evidence that will help them with their case.

For CPAs, computer forensics can be used with forensic accounting practices to provide a more thorough, corroborated evidence position.


Digital data is electronic information that is created in, and utilized by, computer systems and their related applications. Such data is found in everything from hard drives, laptops and PDAs (such as Palm Pilots and iPaqs), to backup tapes, e-mail servers, CDs, DVDs and other computer network components.

This data is found in "active" files, such as e-mails and documents stored on hard drives. Typically, these files are ones that can more easily be accessed and are those that employees tend to use most often.

Data also lives in other forms that are not so simple to find. Think hitting the "delete" button has purged that e-mail forever? Think again.

Computer forensics can track down deleted files, hidden files, files created by the system or by software that users are not aware of (such as an automatic backup of a document), or fragmented files that are scattered throughout the storage devices we use.


When digital data is compromised--either lost, stolen, deleted or otherwise manipulated--and can be of evidential value for a potential lawsuit, electronic discovery practices come into play.

Electronic discovery is accomplished through several steps, including:
  • S t r a t e g i z i n g: Collaborating with counsel, CPAs, corporate officers and others to understand the objectives of the claim, learn the specifics of the computing environment and determine how to best use computer forensics. This strategy can include digitally corroborating nondigital findings, such as paper evidence, as well as drafting discovery requests related to the information technology of an enterprise and participating in related depositions.

  • A c q u i r i n g : Gathering the digital data that supports the objectives of the issue at hand or claim. Acquisition targets should include all "states" of data--active files, as well as hidden or deleted files, and backup files.

  • S e a r c h i n g : Seeking attributes, patterns or other key data elements, such as keywords, phrases or patterns that are consistent with the objectives of the claim or issue at hand.

  • A n a l y z i n g : Strategically deploying proprietary and other tools and methodologies to accomplish agreed-upon objectives.

  • R e p o r t i n g : Combining the written, oral, and expert witness presentation of findings tosupport engagement objectives.


From a risk perspective, two factors are key: the timing of the acquisition of the digital data in question, as well as the quality of the acquisition.

With regard to the timing risk, be aware that computer systems aren't picky about what deleted or other nonactive data is written over when drive space is required for an active file. Thus, it is critical that the components of the computer environment which hold the digital data in question be taken "offline" from other system activities as soon as computer forensic activities are initiated and until the data can be acquired.

With regard to the quality risk, courts have held that when digital data was not acquired in the proper manner, it may not be considered the strongest or best evidence. Always consult an expert before sending out a nearby office network administrator who is not familiar with computer forensics tools and data search and retrieval.


The following are brief summaries of sample cases in which electronic discovery has played a successful role:

Accounting Revenue Recognition Dispute--In advancing funds under a credit facility, an entity's lending institution relied upon the consistent application of revenue recognition policies, including those related to the shipment of products, as reported in the internal financial statements produced by the entity.

A dispute arose about whether or not certain shipments by the entity occurred within a certain accounting reporting period.

Computer forensics and forensic accounting tools were deployed to resurrect the accounting systems in place at the time of the dispute and ultimately discovered that the entity had intentionally not complied with its stated revenue recognition policies. Rather they had accelerated the recording (and thus the reporting) of certain transactions related to product shipments so as to obtain funding earlier.

Contract Dispute--A plaintiff argued that, based on certain correspondence, he was owed a certain percentage of the proceeds from the sale of a business. The defendant argued that the percentage was significantly less than the plaintiff contended.

Through deposition inquiries surrounding digital data and use of computer forensics tools to analyze nonactive and active files, evidence was discovered that provided proof of correspondence and a percentage to support the claim.

Sexual Harassment and Termination of Executive--Electronic discovery techniques provided proof that a terminated high-ranking executive was indeed engaging in pornographic and other nontasteful activities during business hours and on business premises.

Marital Dispute--A wife claimed that prior to the divorce, the husband was actively involved with a company that, subsequent to the divorce, filed a registration statement with the SEC for a large sum of capital. Electronic discovery techniques, combined with effective discovery requests surrounding the relevant digital data, helped determine the merit of the wife's claim.


Computer forensics and electronic discovery services often are provided in a "baby step" approach, and can range from several thousands of dollars to hundreds of thousands of dollars.

The initial steps--acquisition, initial inspection and general strategy--usually require several thousand dollars to target a single computer. After initial findings, the extent of hourly services depends on how much forensic activity is necessary.


Computer forensics and electronic discovery have proven to be valuable tools for the business community and litigators. They are most effective when performed by professionals who collaborate with executives and their professional advisers from both a technological and business perspective.

This expertise can ultimately provide evidentiary matter that otherwise would go uncovered and is crucial to resolving issues and claims.

Robert Green, CPA/CITP, and Scott Cooper, CMC, were principals at INSYNC Consulting Group Inc., at the time of the publication of this article, an information technology professional services firm.

©Copyright 2003 - All Rights Reserved


Related articles


11/16/2004· Computer Forensics

Proactive Forensics in the Workplace

By: Paul Taylor

The benefits of computer forensics have been seen over and over again in the criminal and civil courts throughout the world in the past two decades. If there is ever a case involving accounting or communication between key witnesses then computer forensics will be involved in some form


8/4/2004· Computer Forensics

Drilling-Down To The Truth From Computer Evidence

By: Dr. Stephen Castell

Disputes over failed software construction projects raise interlinked technical and legal issues which are complex, costly, and time-consuming to unravel – whatever the financial size of the claims and counterclaims, the facts and circumstances of the contract between the parties, or the conduct of the software development


11/2/2012· Computer Forensics

How To Get The Discovery You Need From Your Opponent

By: David Nolte

An extraordinary amount of time is incurred in discovery asking for records that may not even exist, or asking for records that do exist, but the other side declines to produce records that were not requested using just the right terms.

; broker Movie Ad

Follow us

linkedin logo youtube logo rss feed logo