Frequently Asked Questions (FAQ)
What is computer forensics?
Computer forensics is the identification, collection, and analysis of digital evidence. The identification stage involves determining where data of evidentiary value may reside. This may be simple; however, many cases require careful consideration of large corporate network architecture and may involve sophisticated digital triage.
The collection stage typically involves the acquisition and authentication of digital data. This is commonly accomplished by creating a forensic image of the subject media and determining the “electronic fingerprint” of the data. Collection may also involve the securing of records from other entities or capturing “packets” as they travel across a computer network. Proper technique is critical in this step because electronic evidence is fragile and easily compromised by untrained parties. Trained examiners will ensure that potential evidence is properly preserved and verified for admission in legal proceedings.
The analysis stage is where results are realized. Here the competent forensic examiner will perform advanced analysis and data recovery activities. Besides recovering evidence from standard allocated files, evidence is also culled from slack space, deleted files, unallocated space, and swap or paging areas. Critical evidence is also found in encoded container files, system logs, document metadata, and databases.
The following represents a few of the many tasks that can be accomplished by a skilled forensic computer examiner:
- Recover deleted or purposely hidden files and folders
- Determine the source and/or authenticity of an electronic communication
- Reconstruct a sequence of events performed on a computer system - even when measures have been taken to conceal these activities
- Search allocated, unallocated, slack, and hidden areas of computer storage media to locate key words, phrases, and file types
- Recover and track electronic correspondence such as e-mail, chat, and instant messages
- Exploit spool, swap, and temporary files to produce whole or partial copies of documents - including those never intentionally saved to the hard drive
- Identify Internet activity such as browsing habits, file transfers, and newsgroup participation
What is e-Discovery?
Electronic discovery pertains to the legal discovery of information in digital (or electronic) form. The Federal Rules of Civil Procedure (FRCP) govern the disclosure of “all documents, data compilations, and tangible things” that a party may use to support its claims or defenses. This rule has traditionally dealt with paper media; however, the FRCP was recently amended in 2007 and directly addresses information stored in electronic form. Studies suggest that more than 95% of all documents and communications are produced digitally. A great percentage are never printed to paper media. This information is often buried deep within an organization's computing infrastructure. Here there are many hiding places – including network servers, security systems, storage arrays, backup tapes, databases, removable media, log files, desktop PCs, laptops, mobile phones, and PDAs. This is the realm of e-discovery.
In order to protect client interests and to gain strategic advantage, it is imperative that businesses remain well-versed in e-discovery. Effective e-discovery requires that parties fully understand the issues associated with this sometimes complex process. At minimum they should consider:
- the subject network infrastructure and potential stores of discoverable material
- the options for identifying, collecting, preserving, producing, and analyzing electronic data
- the implications of metadata and that critical data may be lost when a document is accessed, printed, or converted
- that electronic documents are easily altered (inadvertently or intentionally) and that there are important forensic procedures that should be employed to identify and counter spoliation
Electronic discovery immediately becomes an issue when an organization learns of, or anticipates, pending litigation. At this point, it is necessary to implement a legal hold and suspend the destruction of any relevant electronic records until the litigation is settled. Any purge, planned or otherwise, prior to settlement may result in serious sanctions. In order to comply, the scope, location, and form of potential evidence must be identified. It is important to notify data custodians, issue reminders to ensure that evidence is properly preserved, and prevent access by unauthorized individuals.
Given that electronic data discovery is often a precursor to expert forensic analysis, it is vital that produced evidence be properly supplied. Any unsuitable formatting or handling can severely limit the ensuing forensic examination and result in sanctions. As such, e-discovery must be undertaken with caution. Litigants should consider retaining the services of trusted computer forensic experts. These experts work with corporations and attorneys to create an effective e-discovery strategy. Competent forensic computer examiners and e-discovery consultants can:
- assist with the identification of potential discoverable materials
- help prepare for interrogatories and depositions
- carry out the collection, authentication, analysis, and production of pertinent electronic data
What is digital evidence?
Digital evidence encompasses any data of evidentiary value that is recorded on computer storage devices, resident in computer memory, stored on a cellular phone, or in transit over computer networks. Evidence can include any document, communication, ambient data, record, data stream, or file that has bearing on a case. Skilled forensic computer examiners are able to retrieve and analyze potential evidence even though it may be deleted, encrypted, hidden, or corrupted.
Does digital evidence require special handling?
Yes. Digital evidence must be properly authenticated prior to introduction as evidence. Because electronic evidence is fragile and easily altered when improperly handled, the forensic expert must collect, preserve, and validate digital data using specialized procedures and tools that have been proven forensically sound. Mistakes in these initial stages can have costly consequences when it comes time to introduce evidence to the court. A trained forensic examiner is mindful of applicable legal standards and able to attest to the validity of their processes and tools. A skilled forensic expert will:
- use non-invasive channels when accessing the original media. This is necessary because even the simple act of turning on a computer system can alter dozens of files and destroy potentially important evidence.
- create a true forensic image of the original media as soon as possible using specialized software. There is similar imaging software that many IT specialists utilize in their duties; however, these software packages DO NOT normally create true forensic images.
- compute a secure hash or “digital fingerprint” of all acquired data and verify it is a true and exact copy of the original.
- ensure that evidence is collected according to standard evidence handling procedures and maintain a proper chain-of-custody.
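To make the hashing and verification step concrete, here is an added Python example (not the firm's own tooling) that fingerprints a constructed byte buffer standing in for the original media, verifies a bit-for-bit image against it, and shows that a single flipped bit in an altered copy breaks verification:

```python
import hashlib
from typing import Dict

# Constructed sample "media": a 16 KiB byte buffer standing in for a disk.
ORIGINAL_MEDIA = bytes(range(256)) * 64
FORENSIC_IMAGE = bytes(ORIGINAL_MEDIA)          # a true bit-for-bit copy
_altered = bytearray(ORIGINAL_MEDIA)
_altered[4096] ^= 0x01                          # one flipped bit, as a mishandled copy
TAMPERED_IMAGE = bytes(_altered)

CHUNK = 4096  # hash in fixed-size blocks, as one would when streaming a large image


def fingerprint(data: bytes, algorithms=("sha1", "sha256")) -> Dict[str, str]:
    """Compute hex digests of `data` in CHUNK-sized blocks.

    Several algorithms are computed in a single pass so the examiner can
    record every value that may later be requested for authentication.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK):
        block = data[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original: bytes, image: bytes) -> bool:
    """True only if every digest of the image matches the original media."""
    return fingerprint(original) == fingerprint(image)


def custody_record(label: str, data: bytes) -> str:
    """One acquisition-log line: label, size in bytes, and all digests."""
    digests = fingerprint(data)
    fields = [label, f"bytes={len(data)}"] + [f"{k}={v}" for k, v in digests.items()]
    return " ".join(fields)


if __name__ == "__main__":
    print(custody_record("original", ORIGINAL_MEDIA))
    print(custody_record("image", FORENSIC_IMAGE))
    print("image verified:", verify_image(ORIGINAL_MEDIA, FORENSIC_IMAGE))      # True
    print("tampered verified:", verify_image(ORIGINAL_MEDIA, TAMPERED_IMAGE))   # False
```

Because the digests are computed over fixed-size blocks, the same routine works unchanged when the data is read from an image file in chunks rather than held in memory.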
Can we use our IT staff or technology provider to perform computer forensics and high-tech investigations?
Computer forensics is a highly specialized discipline that requires training and experience to master. Often, unqualified examiners unwittingly destroy or alter electronic evidence. This reduces the probability of recovering relevant data and can have serious consequences during litigation. There are many legal standards that must be met and improper handling by untrained personnel can render any recovered evidence inadmissible.
The authenticity of computer evidence and the reliability of techniques used by the examiner may be subject to challenge. The forensic expert must be prepared to testify to the validity of programs and procedures utilized in the collection and examination of the computer evidence. Some factors to consider include:
- whether the employed technique or theory has been or can be tested
- whether the technique or theory has been subjected to peer review and publication
- whether, concerning a particular technique, there is a high known or potential rate of error
- whether standards controlling the techniques exist and are maintained
- whether the technique or theory is generally accepted by the relevant scientific community
If you are considering using an internal employee or an existing technology provider, be wary of the risks and consider the following questions. Does this individual possess the proper hardware and software to properly process electronic evidence? Can this individual qualify in court as an expert in computer forensic science? Can the individual defend his or her methodology? Does my state require licensing and, if so, is the examiner licensed?
Often computer media is sent to a forensic expert for analysis after a company's computer personnel have already attempted to process it for evidence. In most cases, they have unintentionally altered key evidentiary items, changed file attributes, and greatly diminished the potential of the ensuing expert forensic examination. These second-hand examinations are far more time-consuming (and costly) because the qualified examiner must identify and separate the actions of the untrained inspector.
What types of digital media and devices can be forensically analyzed?
Any disk, device, cartridge, or system that has the capability of storing binary (digital) data. The majority of computer forensic examinations are performed on hard disk drives and removable storage media; however, any of the various alternative storage media are also subject to analysis. These include thumb drives, optical disks (CD/DVD variants), flash memory modules, solid-state devices, and magnetic tapes. Additionally, data can be retrieved from several consumer devices such as digital cameras, mobile phones, iPods, DVRs, and PDAs. New storage devices and media are constantly being developed. A general rule of thumb is that if a computer can read from, store to, or interact with an object, then a skilled forensic examiner can access the digital data it contains.
What qualifications should we look for when choosing a forensic computer examiner or high-tech investigator?
As with any highly specialized discipline, there are industry-accepted certifications, training vendors, and professional organizations that serve a particular area of expertise. When assessing the credentials of an expert, one should look for a balance between real-world experience, specialized training, and professional certifications. The following areas should be explored when choosing an expert:
- What is the experience level of the forensic computer examiner or investigator? How many and what type of cases have they worked?
- What relevant education and training has the individual had? How current is their training?
- Many states require forensic examiners and investigators to be licensed and insured. Is this required and, if so, is the expert currently licensed?
- Does the individual hold any professional certifications directly relevant to his or her area of expertise? Does the person hold any peripheral certifications that are indirectly related?
- Is the individual affiliated with any professional organizations? Do these organizations provide technical resources, networking opportunities, and/or a knowledge base to the member? Do those organizations endorse and uphold a code of ethics?
- Has the person provided testimony and been recognized as an expert in a court of law?
- Is the individual versed in proper evidence handling procedures? Do they understand the importance of maintaining an accurate chain-of-custody?
- Does the individual utilize currently accepted technology (hardware and software) in their operations? Do they rely on a single software package or do they have an arsenal of appropriate tools at their disposal? Does the individual regularly test and verify the functionality of his or her utilities?
Will physical damage or mechanical failure of a device prevent successful forensic analysis or recovery of data?
Not necessarily. Although the type and extent of damage affect the probability of success, it is common to recover all or significant portions of data once thought lost. Malfunctioning or damaged hard drives can often be repaired once the proper replacement parts are obtained. Additionally, data contained on media that has been exposed to liquid, smoke, or other contaminants is often salvageable. Even intentional damage does not always preclude at least partial recovery of data.
Can encryption or password protection be deciphered or bypassed?
Often yes. Many programs employ encryption algorithms or password protection schemes that can be bypassed with specialized software. Even data protected by very strong cryptographic algorithms may be accessed by exploiting weak user passwords or programming faults.
Does Ohio require computer forensic examiners and investigators to be licensed?
Yes. The Homeland Security Division of the Ohio Department of Public Safety is charged with licensure enforcement.
As defined in ORC Section 4749.01(B)(1), licensure is required for the conducting, for hire, in person or through a partner or employees, of any investigation relevant to any crime or wrong done or threatened, or to obtain information on the identity, habits, conduct, movements, whereabouts, affiliations, transactions, reputation, credibility, or character of any person, or to locate and recover lost or stolen property, or to determine the cause of or responsibility for any libel or slander, or any fire, accident, or damage to property, or to secure evidence for use in any legislative, administrative, or judicial investigation or proceeding.