Computer Forensics Blog

Computer forensics is a field that many people do not realize they need until it is too late. This is why some firms are now offering their services in advance of crisis. Proactive protections that computer forensic pros can provide are excellent for companies, government agencies and even individuals.

So, what can a computer forensic pro do when a crime hasn’t happened? A whole lot!

Computer forensics experts are uniquely qualified to assist hiring clients in a number of ways even if a crime hasn’t happened. The reasons why some choose to hire forensic computer investors include:

Network security – Computer forensics experts spend a great deal of their time dealing with the aftermath of network security flaws. When they are hot on the trail of a hacker or thief, they get to see exactly how and why security measures fail. This gives them incredible insight for helping clients shore up security in advance of a problem happening.

Document disposal and filing measures – Computer forensic experts tend to be very well versed in methods that can help companies and agencies protect their documents from prying eyes and how they can safely store them on a computer network. They also have the ability to assist in the creation of electronic files from paper reports.

Employee training and procedures – Forensic computer experts are also often willing to help companies and agencies make sure their employees are well trained on security-related issues. They might also be brought in to help a company set policies for electronic document disposal and storage.

Hiring a computer forensics pro in advance of a problem is considered a very wise move for many reasons. While there is no way to protect files from every eventuality, these professionals are uniquely qualified to understand and seek out the same backdoors and security leaks that bad guys look for.

Popularity: 77% [?]

Share This

Web-catchers, keystroke loggers, spyware…whatever you call it, the software is designed to track what a computer is used for. Most of these programs are designed to run in stealth mode, completely covert, and some of them are very good at what they do. Some are not. These programs are not used for strictly nefarious purposes. They do have legitimate uses, such as monitoring a child’s Internet activity, or tracking employees’ time. For example, a recent PCWorld magazine advertisement reported that every day the average employee spends 81 minutes of their work day in non-employment related activity on the Web (PCWorld March 2008, pg. 17). Eighty-one minutes! Also, research shows that some 13% of employees regularly and habitually spend two or more hours each day conducting personal business on the Internet.

However, the use of this type of program is not without a price. Allegations of privacy violations, the loss of trust, and the reluctance of one party to be “sneaky” are all downsides, and the situation may not warrant the use of the program until the situation is already out of hand.

So what is the alternative? It may be computer forensics. A well-certified and experienced forensic computer examiner is trained to uncover evidence that would otherwise escape the employer, parent or spouse. Computer forensic science is the examination of a computer for artifacts that are not available to someone without special training, experience and knowledge.

A word to the wise: Computer forensics means computer forensics, not your local mom-and-pop computer techie, or one of the plethora chain stores that sell computers, and TVs, cameras, videos, etc. Choose a forensic computer examiner who can answer your questions, target the search, and retrieve the evidence you need for you specific circumstances.

Popularity: 78% [?]

Share This

Hiring a computer forensic expert to help with business network security, a criminal case or even a civil case can be a very big step. Individuals, company owners and legal teams all find themselves in need of this type of expertise from time to time. Making the decision to hire a pro and actually finding one that can get the job done can take a little time. Knowing what to look for in a reputable computer forensic expert or firm can help.

The trademarks of a good computer forensics firm will include:

Experience – The computer forensic field takes time and effort to master. The process of becoming a skilled investigator does not happen over night. The best individual forensic computer investigators have a little experience under their belts or work with firms that have a combined experience level that involves time in the trade.

Training – Computer forensic investigations marry computer and investigative sciences. To ensure the best trained and skilled professional is hired for a job, make sure training and certifications are in place. Some of the best investigators make sure they have IACIS certification, HTCN certification, state licensing and more. Many even hold law enforcement credentials. In many cases, a forensic computer investigator will also have law enforcement training and/or experience, as well. This can lend to credibility and greatly help with the investigative process.

Ethics – The reputation and ethical standing of a computer forensic professional or entire firm should also be a very big consideration. In order for evidence to stand up to scrutiny, the investigator involved must be able to hold up, as well. Look for firms that have excellent reputations in the field and a track record for closing cases satisfactorily.

There is more to computer forensic investigation than just knowing one’s way around a computer. Hiring a skilled professional should involve some background research.

Popularity: 74% [?]

Share This

There is more to becoming a forensic computer pro than meets the eye. Beyond having advanced skills in computer research, repair and handling, experts in this field must undergo a variety of investigative training programs. Making sure the combination of credentials is in place can be vital for launching a career. It is also seen as essential to those who make the decision to hire experts to help them out in criminal and civil cases.

Forensic computer professionals require multifaceted training for a number of reasons. They include:

The nature of cases – Computer forensics experts are often called in on civil and criminal cases. If a “pro” doesn’t have the proper training, evidence can be lost, overlooked or damaged. If evidence is not handled correctly, even if it is found, it simply might not hold up in court.

Ethics – Computer forensic experts generally come out of the law enforcement field and are expected to uphold a high standard of ethics. The nature of cases, the type of evidence handled and the veracity of information found can all rely heavily on an expert’s use of professional standards and ethics when conducting an investigation.

Presentation ability – Beyond having the ability to dive into a computer and find evidence or prove it simply doesn’t exist, a forensic computer expert must also have the ability to present that evidence in court. This can take time and training to master.

To make sure a forensic computer expert is worth the retainer fee, it is smart to check into background. While most experts undergo the same training law enforcement investigators go through, not all do. At the very least look for IACIS certification and proper state licensing when hiring a computer forensic expert. The best will have a variety of other credentials to their names, as well.

Popularity: 68% [?]

Share This

Computer forensics isn’t the oldest investigative science going, but it is fast becoming a valuable resource for law enforcement and legal professionals. When a forensic computer expert is brought in on a case, there is a reasonably good chance this type of professional will find evidence that others simply would not be able to.

By carefully combing through a computer, its hard drive and its Internet usage history, investigators skilled in computer forensic work are able to piece together clues that would otherwise be missed.

When they’re on a case, computer forensics pros look for such things as:

Deleted files – Files that have been deleted often leave traces behind. It is in the “junk” that evidence often resides. If a computer forensic pro finds necessary evidence among discarded files, it will be restored and prepared for presentation in a case.

Damaged files – Sometimes files that can prove a case one way or another become damaged. This might be intentional or it could happen by accident. Either way, if a damaged file is pertinent to a case, a computer forensic pro will try to restore it to glean the valuable information it contains.

Hidden files – Bad guys often try to hide the evidence on their hard drives. By blocking files from view, password protecting them and so on, they believe they can skirt detection. This is often not the case when a computer forensics expert is brought in to look over a suspect computer.

From documents and spreadsheets to pictures files and beyond, if a particular piece of data can prove or disprove a case, a computer forensics pro will try to find it. Once evidence is found, it will be carefully handled for presentation in court.

As more crimes become computer-based, the value of forensics experts is becoming very clear. The best know exactly where to look and how to proceed to close cases one way or another.

Popularity: 76% [?]

Share This

We’ve all heard the famous line, “The truth, the whole truth, and nothing but the truth.” But it should continue with, “…exculpatory as well as inculpatory.” Computer forensic evidence is as in danger of being corrupted as any other evidence, especially when it deals with the question of revealing inculpatory (incriminating) and exculpatory (exonerating) evidence.

The rule of law in California (California Penal Code, Sec. 4) is: “The rule of the common law, that penal
statutes are to be strictly construed, has no application to this Code. All its provisions are to be construed according to the fair import of their terms, with a view to affect its objects and to promote justice.” In other words: The spirit of the law, not the letter of the law. Computer forensics is no exception.

A true case example involves e-mail from an alleged victim who carried on a submissive/dominate sexual relationship with a near-stranger on several occasions. After a particularly intense session, during which the boyfriend did in fact do what he had promised to do, the woman became irate and filed suit. However, after the incident, the alleged victim also recommended her boyfriend to another woman for spontaneous sex of a similar nature, describing him as “fabulous.”

Forensic computer examiners from the victim’s side failed to disclose the information about the e-mail, even though it should have been obvious from the computer forensics exam. At trial, the opposing expert revealed that during his forensic computer examination of the hard drive, the e-mail was located…and it hadn’t even been deleted.

Can you imagine how embarrassed the original computer forensics “experts” were when this came out in open court?
Inculpatory evidence is important to both sides, as is exculpatory evidence. The truth, the whole truth, and nothing but the truth.

Popularity: 100% [?]

Share This

A computer forensics case recently completed by DataChasers Inc. revealed evidence on a teenager’s computer that indicated she was carrying on steamy sex-chat with a man several years older than she was. When the parents were asked why they weren’t checking what their daughter was doing on the computer, or supervising her e-mail, the teen’s mother answered that she wanted to let her daughter have some privacy.

Privacy is one thing; ignorance another. In any business, passwords and user names are stored in a secure location, for the protection of the company. The same reasoning applies to personal passwords and user names - somebody should know how to access your information in the event of an emergency. The use of computer forensics will probably be successful in retrieving the necessary data, but the time element may be critical.

Here’s an example from an actual case, but we’ll just call the person James. James was a responsible young man; attended junior college, worked 30+ hours a week, only drank socially, and did not use any controlled substances. James joined his junior college classmates on a field trip for a mock trial in Chicago. James never returned to his hotel after one evening event. His parents made the proper reports, the police confiscated James’ computer but never examined it.

A couple of weeks after James disappeared, the computer was returned to James’ parents. Computer forensic examiners were retained, but the computer was heavily passworded, and numerous files were encrypted. Passwords are generally not a problem for a competent computer forensics examiner, but file encryption is—almost always. The parents were certain that clues to their son’s disappearance may have been contained in the computer. Computer forensics was unsuccessful in the recovery of anything meaningful. If the parents were correct, the encrypted files held the key to their son’s disappearance.

After a couple of months, a body was discovered in the Chicago River. The remains were unidentifiable. Was it James? His parents may never know.

Popularity: 69% [?]

Share This

Every day, civil and criminal cases crop up that are seemingly impossible to prove. With physical evidence lacking and other proofs not forthcoming, bad guys often walk away without recrimination. This revolving door is sometimes shut thanks to the efforts of skilled computer forensics experts.

Computer forensics involves the kind of investigation that can turn up evidence where it is actually hidden. In civil and criminal cases both, the computer is fast becoming the weapon of choice for the bad guys. This simple machine can help facilitate such crimes as:

Copyright thefts and/or violations – When computer forensic experts step in to a case like this, they can often find electronic proof that dates the creation of a work, such as a book, song or so on.

Pornography cases – The Internet is fast becoming the venue of choice for those who traffic in illegal pornography. Offering speed and ease, this platform is one that can be traced and proven by a skilled computer forensic professional.

Financial theft – Thanks to the Internet and the ever-increasing skills of hackers, computers are often used to steal money and other assets. When a computer forensics pro steps in on a case, he or she can often prove how a crime was committed and on what computer.

Identity theft – The Internet makes it fairly easy for bad guys to steal information important to individuals. When a computer forensic pro reviews a subject computer, he or she can easily prove identity theft cases.

Corporate sabotage – Computers are often used to steal corporate secrets, damage important files and so on. When catching the bad guys in this kind of case is important, computer forensics pros can often turn up the evidence.

While the evidence turned up in computer forensics cases might not be a tangible smoking gun, it is considered very viable in court. If a skilled professional handles a case, evidence presented can make all the difference in the world.

Popularity: 72% [?]

Share This

Forensic computer investigations might seem as mystical as DNA testing did a few short years ago. The truth is, however, that these investigations are quite precise and can prove or disprove cases without a doubt.

When forensic computer investigations are more closely examined, the validity of the evidence becomes quite clear. In order to perform a solid computer forensics investigation, experts generally follow a multi-step process. This might include:

Basic review – This is generally the first step in a computer forensic investigation. During a review, a subject computer will be checked in a cursory fashion for traces of evidence or proof that further investigation might reveal what is desired.

Cloning – If a basic review turns up proof that evidence might be found for a civil or criminal case, a skilled forensic computer investigator will then make a complete clone of the subject hard drive. This can be a time consuming process, but it is essential for preserving evidence if it is uncovered.

Detailed review – Once a clone is made, a skilled computer forensic expert will then review the clone drive for evidence. This might include seeking out deleted files and restoring them, repairing damaged data or even finding files that are lost or hidden on a hard drive. In some cases, Internet use will be recreated to search online activities for evidence in a case. If evidence is turned up during a review, it will be documented and preserved for presentation in court. This might also include a very tight security process to ensure that evidence is kept pure prior to a court appearance.

The forensic computer investigations field is not mysticism. It is a rather precise science that calls upon trained professionals to perform. When an investigation turns up proof on a computer hard drive, it can often make or break a case at hand.

Popularity: 66% [?]

Share This

The science of computer forensics is going through something like what happened in the .com era, when .com investments became the “big money” of the day. Now computer forensics is seen in the same light. Techies who, yesterday, were managing small networks are, today, computer forensic experts—with minimal tools, little or no training, meaningless certifications and no expert witness experience in court. Worse, unsuspecting clients are hiring unqualified experts.

Awareness of what to look for in an expert is key.

Training and certifications specific to computer forensics leads the list. It speaks to credibility, and the best trained, best certified computer forensic examiners are prior law enforcement.

Background, education, and experience are very important, and again, law enforcement experience is a plus, if for no other reason than your expert is guaranteed to be an experienced expert witness.

Computer forensic examiners in many states are required to be licensed private investigators. In California, Section 7521 of the Business and Professions (B&P) code list what business activities mandate the computer forensics examiner to be a licensed private investigator.

References (both notable and plentiful) should be readily available to a prospective client seeking a forensic computer examiner.

Computer Forensic examiners should have a fully equipped, state-of-the-art laboratory, running the latest, fastest computers dedicated to computer forensics. Beware of anyone using forensic computers to receive e-mail, surf the web, or use for their child’s homework preparation. Experienced computer forensic companies regularly use fifty or more software applications to insure the correct results.

Submitted reports should be in lay terms, not heavily embedded with computer forensic jargon and techie-terms that will be difficult for the jury to understand.

A computer forensic examiner’s expert witness experience should be for both sides of the table, plaintiff and defense. Too often experts are accused of being a witness for only one side or the other, thus insinuating that they are bought and paid for, rather than an independent expert.

Popularity: 70% [?]

Share This