What are Forensic Computer Examinations?



Why should you consider using forensic computer examinations and a trained forensic examiner?

If the case or issue at hand is important, you should use a trained, experienced forensic computer examiner.  Whether you use us or another sufficiently trained and experienced examiner is your decision.  Any examination of a computer and the data contained on its media conducted by an untrained person could result in: 

  • Not finding all of the data
  • Not finding or recovering deleted data
  • Not recovering password protected data
  • Not finding or recovering hidden data
  • A loss or corruption of data
  • The destruction of data
  • A total crash of the computer
  • The inadmissibility of the data
  • A valid lawsuit 
     
Many software applications keep temporary records, temporary documents and other temporary data that the user is not aware of, and therefore, the user does not delete the data, password protect the data or otherwise try to hide the data. This data can normally be quickly located and accessed by trained, experienced forensic examiners. 

Windows keeps a swap file that is used when memory resources are low.  This is a dynamic file that grows with use.  This swap file can hold complete files or other data that can significantly help a case. 

Web browsers keep a number of temporary files, including cache and history files that record where and when web sites were visited and hold copies of files that were viewed.  These temporary files can be accessed, viewed and copied.  The data contained in these files can be very valuable to a case or investigation. 

The most common method used to hide data is to delete files or format the drive or diskette.  Deleting a file or formatting a drive or diskette does not necessarily destroy the data.  An experienced forensic examiner can recover the deleted data and draw expert conclusions as to when, how or why the data was deleted or removed from the media. 
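The two points above, that deleting a file leaves its data on the media and that unstructured areas such as the swap file hold file fragments with no directory entry at all, can be shown on a toy disk image. The following is an added example, not code from the original page or from the examiner's own toolkit: the on-disk layout is constructed for the example and only loosely modelled on FAT (an ordinary delete marks the directory entry free and overwrites the first name byte with 0xE5, leaving the data clusters untouched); the file names, contents and the swap-like blob are constructed sample data.

```python
"""Toy disk image, constructed for this example and loosely modelled on FAT:
an ordinary delete marks the directory entry as free (FAT overwrites the first
name byte with 0xE5) and leaves the data clusters untouched."""
import re
import struct

CLUSTER = 64                  # bytes per data cluster in the toy layout
DIR_ENTRIES = 4               # fixed-size root directory
ENTRY_FMT = "<12sBHH"         # name(12) | in-use flag | first cluster | size
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
DIR_BYTES = DIR_ENTRIES * ENTRY_SIZE
DELETED_MARK = 0xE5           # marker FAT writes over the first name byte


def make_image(n_clusters=8):
    """Blank image: directory region followed by n_clusters data clusters."""
    return bytearray(DIR_BYTES + CLUSTER * n_clusters)


def _entry(img, i):
    off = i * ENTRY_SIZE
    return struct.unpack(ENTRY_FMT, img[off:off + ENTRY_SIZE])


def _set_entry(img, i, name, in_use, first_cluster, size):
    off = i * ENTRY_SIZE
    name = name.ljust(12, b"\0")[:12]
    img[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FMT, name, in_use, first_cluster, size)


def write_file(img, name, data, first_cluster):
    """Store data contiguously from first_cluster and record it in a free slot."""
    for slot in range(DIR_ENTRIES):
        if not _entry(img, slot)[1]:
            break
    else:
        raise RuntimeError("directory full")
    start = DIR_BYTES + first_cluster * CLUSTER
    img[start:start + len(data)] = data
    _set_entry(img, slot, name, 1, first_cluster, len(data))


def delete_file(img, name):
    """Ordinary delete: free the entry and mark the name; the data stays put."""
    padded = name.ljust(12, b"\0")[:12]
    for slot in range(DIR_ENTRIES):
        nm, in_use, fc, size = _entry(img, slot)
        if in_use and nm == padded:
            _set_entry(img, slot, bytes([DELETED_MARK]) + nm[1:], 0, fc, size)
            return True
    return False


def list_files(img):
    """What a normal directory listing shows: in-use entries only."""
    return [_entry(img, s)[0].rstrip(b"\0")
            for s in range(DIR_ENTRIES) if _entry(img, s)[1]]


def recover_deleted(img):
    """Examiner's view: a deleted entry still points at its clusters and size."""
    found = {}
    for slot in range(DIR_ENTRIES):
        nm, in_use, fc, size = _entry(img, slot)
        if not in_use and nm[0] == DELETED_MARK:
            start = DIR_BYTES + fc * CLUSTER
            # first name byte is gone, so tools show it as '?', e.g. ?EMO.TXT
            found[b"?" + nm[1:].rstrip(b"\0")] = bytes(img[start:start + size])
    return found


def carve(region, header, trailer):
    """Signature carving for data with no directory entry at all, as in a
    swap file or unallocated space: find header ... trailer runs."""
    pat = re.compile(re.escape(header) + b".*?" + re.escape(trailer), re.DOTALL)
    return [m.group(0) for m in pat.finditer(region)]


def demo():
    img = make_image()
    write_file(img, b"MEMO.TXT", b"Price list sent to competitor on Friday", 0)
    write_file(img, b"NOTES.TXT", b"Nothing to see here", 1)
    delete_file(img, b"MEMO.TXT")
    listing = list_files(img)             # DIR-style view: only NOTES.TXT
    recovered = recover_deleted(img)      # examiner's view: ?EMO.TXT with its content
    # Constructed swap-like blob: no directory, but a document fragment inside.
    swap = b"\0" * 40 + b"%PDF-1.4 draft offer letter %%EOF" + b"\xff" * 20
    carved = carve(swap, b"%PDF-", b"%%EOF")
    return listing, recovered, carved


if __name__ == "__main__":
    print(demo())
```

The directory listing hides the deleted memo, but the deleted entry still names the first cluster and size, so the content comes straight back; the carving pass finds the document fragment in the swap-like region without any directory help at all. The caveat that matters in practice is visible in the same model: recovery works only until the freed slot or clusters are reused by a later write, which is one reason the examiner images the media before anything else is done to it.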

Frequently, recovering deleted or formatted data and showing which particular files were deleted or removed is a good indication of culpability, or gives valuable insight into what the person was trying to do at the time of the deletions. 

The dates and times of deletion or formatting frequently coincide with actions taken by employers and law enforcement, e.g. the employee formats his hard disk drive one hour after being accused of selling or using company sensitive data. 

Data that is password protected is usually data that the user does not want others to see or access. Password protected data frequently contains relevant information to the investigation or inquiry at hand. An experienced forensic examiner has the knowledge and equipment to unlock passwords and access the data. 

It is relatively simple to alter an operating system or its internal commands (i.e., DIR, COPY, TYPE, etc.) so that they do something other than boot, display the directory listing, copy files or type files. 

Alterations to the operating system or internal commands are usually made by persons who want to conceal or destroy data that they do not want others to see. This is usually the kind of data that will be important to an investigation or inquiry. 

Simply booting a target or suspect's machine will alter certain operating system files.  Although this normally will not alter user-created files, it will, arguably, alter the original media. 

Simply booting a target or suspect's machine may cause the loss or destruction of data, or may trigger destructive processes set up by the suspect.  Typing an internal command such as DIR to see what's on the machine could activate destructive processes. Any or all of the data on the machine could be completely destroyed and the operating system could be made inoperative.

Valid lawsuits could follow if an untrained person looking at the system crashed the machine or destroyed critical data.  An experienced forensic examiner will not fall into this sort of trap. 

It is also relatively simple to hide files that normal DOS/Windows commands such as DIR cannot find. The hidden file simply will not be displayed, and its contents will not be found or examined.  An untrained person may not know whether a file that appears to contain no data is corrupted, encrypted or actually empty. An untrained person may not know that a file that appears normal actually contains hidden data. 

Data can be hidden or located in many places on a computer hard disk drive or other media. Untrained persons will probably not find the data. 

The use of an untrained person could cause the inadvertent destruction of data, could overlook deleted, hidden or encrypted data, and could cause inadvertent writes back to the original media, altering it. 

Even if the untrained person found relevant data, the data will probably not be legally admissible, or will otherwise be unusable. This is because of the untrained person's lack of forensic training and credentials, the use of methods that were not forensically sound, and their lack of understanding of the technical issues involved. 

Law enforcement agencies have been trained in and have used forensic computer examinations for a number of years.  Law enforcement agencies have court-proven expertise in computer forensics.  You, your company, your firm or your agency can now benefit from our law enforcement training and our considerable experience and expertise. 
 


 