Q. What are Computer Forensics and how does the process work work?
A. Computer Forensics is the analysis of information contained within and
created with computer systems, typically in the interest of figuring out what
happened, when it happened, how it happened, and who was involved. This being
said, computer forensic techniques and methodologies are used for conducting
investigations - again, in the interest of figuring out what happened, when it
happened, how it happened, and who was involved.
The Certified Computer Forensics Investigators first step is to clearly
determine the purpose and objective of this Investigation. Then they will take
several careful steps to identify and extract all relevant data on a subject’s
computer system. Forensic analysis will extract the data that can be viewed by
the operating system, as well as data that is invisible to the operating system.
Image, protect and preserve the evidence during the forensic examination from
any possible alteration, damage, data corruption, or virus introduction insuring
evidence is not damaged, tainted or is in any other way rendered inadmissible in
Use Forensically Sound protocols at all times during the investigation to ensure
that the information on the computer is admissible in court. Assume that every
case/situation could end up in the legal system. If your Computer Forensics
Examiner doesn’t make that assumption, find someone else
Address the legal issues at hand in dealing with Electronic Evidence, such as
relevant case law, how to navigate the discovery process, protection of
privilege, and in general, working/communication with attorneys and other
Discover all files on the subject's system. This includes existing active files,
and invisible files; deleted yet remaining files, hidden files,
password-protected files, and encrypted files. In many cases, information is
gathered during a computer forensics investigation that is not typically
available or viewable by the average computer user, such as deleted files and
fragments of data that can be found in the space allocated for existing files -
known by computer forensic practitioners as slack space. Special skills and
tools are needed to obtain this type of information or evidence.
In computer forensics, there are three types of data that we are concerned with
- active, archival, and latent.
Active data is the information that you and I can see. Data files, programs, and
files used by the operating system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of
backup tapes, CD's, floppies, or entire hard drives to cite a few examples.
Latent (also called ambient) data is the information that one typically needs
specialized tools to get at. An example would be information that has been
deleted or partially overwritten.
Recover all deleted files and other data not yet overwritten. As a computer is
used, the operating system is constantly writing data to the hard drive. From
time to time, the operating system will save new data on a hard drive by
overwriting data resident on the drive but no longer needed by the operating
system. A deleted file, for example, will remain resident on a hard drive until
the operating system overwrites all or some of the file. Thus, in order to
preserve as much relevant data as possible on a computer system, you must
acquire relevant computers as soon as possible. The on-going use of a computer
system may destroy data that could have been extracted before being overwritten.
Fortunately, the costs of acquisition are very reasonable, and the process is
Analyze all possibly relevant data found in special (and typically inaccessible)
areas of a disk. This includes unallocated space on a disk (currently unused,
but possibly the repository of previous data that is potentially relevant), as
well as 'slack' space in a file (the unused space at the end of a file, in the
last assigned disk cluster, that may be a possible site for previously created
and relevant evidence).
Report Analysis of the computer system, as well as provide you a copy of all
relevant data, parsed in a format and arranged to be integrated into your legal
theories and strategies.
GDF’s analysis and investigation work is performed using the highest level of
Forensic scrutiny. We follow known forensic procedures and use only open and
Verifiable programming techniques. Our methodologies are transparent - we
encourage the Court and opposing sides to dissect our work because we stand
behind its admissibility 100%. We use NO PROPRIETARY or secret methods or
programs when doing our analysis. Instead we use our programming skills to build
tools and software specifically for the task at hand. And of course we always
notate everything and open our work to scrutiny by all parties involved.
Provide Expert consultation and/or testimony, as necessary.
Q. When should I consider using Computer Forensics?
A. If your client/employee has a computer, they need computer forensics. The
computer has invaded our very existence, become a part of our lives, and is an
integral part of almost every case.
Computer Forensics differs from data recovery, which is, recovery of data after
an event affecting the physical data, such as a hard drive crash. Computer
forensics goes much further. Computer forensics is a complete computer
examination with analysis as the ultimate goal.
In any case where a Computer or Information system is/was available use Computer
Forensics as a tool to (1) determine the facts from your employee/ client, (2)
discharge your duty to avoid spoliation, (3) obtain all relevant evidence from
the opposing party in a manner similar to using a Request for Production of
Documents, and (4) determine whether computers were used as the instrumentality
of a tort or crime, or violation of Policy.
Determine Facts you must have all the information relevant to a matter, not only
to construct effective legal strategies, but also to focus your expectations,
and efficiently budget your services. There is nothing more difficult to address
than a case that has become complicated by new facts, where you expected the
matter to proceed smoothly and without significant cost. Knowing all the facts
early in a matter, allows you to better prepare for those cases that will
require significant legal expertise to manage.
In response to pending litigation, analyzing your relevant computers is an
excellent way to discharge your duties to preserve evidence and avoid
spoliation, while also acquiring all relevant information essential to your
legal theories and strategies. Similarly, as part of critical business
decisions, forensically analyzing relevant computers can provide essential
information. For example, analyzing the computers of corporate officers or
employees as part of the termination process can alert you to possible
litigation issues such as violation of non-compete agreements, improper copying
of intellectual property, etc.
In Lieu of Request for Production of Documents. In litigation, an attorney ought
to determine whether a Request for Production of Documents will obtain all
relevant evidence. You might simply ask yourself whether you want to discover
part of the relevant information (i.e. that seen by your opponent’s operating
system) or all of it (deleted, hidden, orphaned data, etc). It is not
unrealistic to anticipate that information contained on a computer system that
is helpful to a matter would be saved, while that which is harmful would be
deleted, hidden, or rendered invisible. For example, in sexual harassment cases,
it is not unusual to discover deleted emails and other data invisible to the
operating system that significantly affects the case. Computer forensic analysis
extracts all the emails, memos, and data that can be viewed with the operating
system, as well as all invisible data. In many cases, the invisible data
completely changes the nature of a claim or defense, leading to early settlement
and avoidance of surprises during litigation.
In any situation in which one or more computers may have been used in an
inappropriate manner, it is essential to call a forensic expert. Only a computer
forensic analyst will be able to preserve, extract, and analyze the vital data
that records the “tracks” left behind by inappropriate use. Taking the wrong
steps in these circumstances can irretrievably destroy the vestiges of wrongful
use that may result in litigation or criminal prosecution.
Q. If I think that evidence exists, is it ok if my technology expert takes a
look for the information before I get in touch with a Computer Forensics Expert?
A. Companies that fall victim to computer crime may be inadvertently destroying
evidence in their efforts to find the perpetrators. "You only have one
opportunity to collect the evidence” you need to prove your case.
"Human resources send in well-meaning IT staff that doesn’t know what they are
doing and ruin the evidence. Although the internal IT staff is often highly
knowledgeable regarding their working environment and the technology employed
within, computer forensic investigations are best performed by outside certified
experts Specifically, the nature of the forensic analysis process coupled with
the requirements in preserving evidence and Chain-of custody requirements the
court system necessitates that computer forensic investigations are performed by
external entities equipped with authorized forensic technology and trained to
observe forensic protocols. "What we see is well-meaning IT professionals going
in and doing what you see on every bad crime film: they muddy the waters. You
need a professional certified computer forensic team in there as soon as
Additionally, using in-house personnel can raise issues related to
authentication that can increase the cost of admitting evidence. In-house
personnel may be put through a challenge that could threaten the admissibility
of critical evidence. If there is a remote chance that the matter could end up
in court, best practices strongly suggests having the data analyzed by a
computer forensic expert. The cost of expert analysis will almost always be far
less than the cost of defeating a challenge to the admission of critical
Most in-house technology experts are concerned with mission critical data and
recovery from catastrophic data loss. They are not expert in the acquisition and
preservation of data rendered invisible to the operating system. Even the most
well intentioned Technology expert can damage the fragile information that is
stored on a computer, especially when the operating system does not recognize
the data. The simple act of turning the computer on or looking through files can
potentially damage the very data you’re looking for. Dates can be changed, files
overwritten and evidence can be corrupted.
Accusations of evidence tainting are not rare in cases involving computer data
when the party who owns or acquires the computer data also analyzes it. Issues
such as accessibility to the data by other parties, experience and credentials
of the person who acquired and reviewed the data, as well as other questions
along these lines are typical.
For the above reasons it's not advisable for a employer, employee, friend, etc.
to perform the function of acquiring and reporting evidence that has any chance
of being litigated by any party.
Professional, third-party companies like GDF are experienced in this type of
work and considered neutral and unbiased. Evidence obtained and submitted by
certified professionals like GDF’s is likely to carry much more weight in front
of opposing counsel, corporate management, a jury or any other party.
GDF certified investigators employ the proper hardware and software to identify,
isolate, and preserve electronic information in a court admissible manner. They
posses the expertise and experience vital to efficiently analyze electronic
information and uncover electronic evidence while relying upon essential
training and experience to ensure the court admissibility of electronic
Q. What risks are there if I don’t consult a Computer Forensics expert at the
start of a problem?
A. The most frustrating aspect of forensic analysis is that the operating system
randomly overwrites data on the hard drive. This means that the longer a
computer is used, the more likely it is that evidence will be lost. Fortunately,
the operating system frequently records evidence in several places
simultaneously. So if the data is overwritten in one area, it may still reside
in another. It is impossible to tell, however, whether the data that is most
important to you will survive the constant use of the computer. Indeed, the
simple act of turning the computer on or looking through files can potentially
damage the very data you’re looking for. The dates that files were created can
be changed, files can be overwritten and evidence can be corrupted. The safest
practice is to acquire an image of the computer as soon as possible; however, it
may be possible to find relevant data even after years of use.
Q. How do I figure out the ROI on contracting Computer Forensic Services?
A. If you are thinking about performing this type of work yourself or using your
corporate IT department or local computer technician, consider the internal
dollar cost and possibility of your evidence being tossed out because of the
method in which it was acquired the qualifications of those who worked on it, or
personal and business associations your staff might have with the subject.
The internal cost is not only the time you or other people spend performing this
work but also taking them away from their assigned responsibilities and the time
spent in writing reports, (a 40 GB hard drive can have over 9,101,420 pages of
data) possible Interrogatories & depositions, other internal issues, gossip
spreading and loss of work productivity. All these may occur and can affect you,
your business and most importantly: the outcome of your case or situation.
Q. How can a Computer Forensic Company help us reduce loss and liability?
A. Consider the following: it is estimated that each year, billions $$$ are lost
through employee theft, fraud and sabotage. This is the direct cost only. Add to
it billions more in investigation and litigation costs, lost productivity, the
future value of Intellectual Property lost…the list goes on as do the billions
of dollars lost. Now, add the cost of the publicity surrounding employee
malfeasance: Loss of reputation, employee morale, a depressed stock price.
Finally, the new regulatory and litigation environment we are now entering
places a new, heightened level of personal responsibility and liability on the
backs of corporate executives and directors for the activities of their
employees and organizations. How many are willing to take that risk?
Often, the cost to use professional Computer Forensic Certified, third-party
firms like GDF far outweigh the internal costs both in dollars and in winning
your case. In addition our rates are competitively priced while delivering fast
aggressive service anywhere, anytime in the “World”
It may be beneficial to you to review GDF’s “Quick Analysis” program.
Q. How much do Computer Forensic Investigations typically cost?
A. In the past, Computer Forensic Examinations could run tens of thousands of
dollars because of the manpower necessary to thoroughly examine a hard-drive.
With the advancement of technology in the Computer Forensics arena that is no
longer the case. The software and hardware available now make the price of
Computer Forensics affordable and well worth the investment. The prices can
range from $250 and hour to $350 and hour and the process involves basically
three steps: Acquisition, Investigation, and Reporting. Acquisitions usually
cost less than $500.00. Investigation and Reporting, of course, depend on the
nature of your case. In most instances, searching and reporting can be completed
in less than 15 hours and the total analysis is usually less than $4500.00.
There is no reason that computer forensic analysis needs to disrupt any
business. Making an “image” of a computer system (even if several computers are
involved) can be done during non-business hours, at night, of over a weekend. In
many cases, the image is acquired in less than 5 or 6 hours.
Global Digital Forensics is able to help you determine if you have a case or
not. Our "Quick Analysis" service allows you to analyze your data for a “Flat
fee” to see if incriminating evidence is readily found.
GDF will forensically examine a hard drive and search for up to Ten (10)
keywords that you supply. We will then forward to you a report that includes
every instance of the keywords, whether it is in a deleted file, e-mail message,
viewed web page, Word document, or any other active or deleted file that resides
on the hard drive. This initial step will help determine if you have a case and
if further examination is warranted.
“Quick Analysis” – includes: Hard Drive, analysis, active files, deleted files,
hidden files, e-mail, documents, etc
The suspect hard drive is received, and logged.
A proper chain-of-custody log is created
The suspect drive is forensically duplicated (imaged) using court accepted
The original evidence is properly stored in compliance with court approved
GDF interviews principle to gather facts of the case and clear objectives and a
case-specific plan for discovery that is quick and effective
GDF’s Certified Investigators searches the entire hard drive for up to Ten (10)
keywords provided by the principle.
All keyword occurrences are documented in a written Report
GDF assigned lead investigator forwards the complete Report to the principle
GDF’s Investigator explains the findings with the principle and awaits further
the written report will help in determining any evidence or indicators to
determine further disposition
There is no reason that computer forensic analysis needs to disrupt any
business. Obtaining an “Image” of a computer system (even if several computers
are involved) can be done during non-business hours, at night, of over a
weekend. In many cases, the image is acquired in less than 3-5 hours.
Q. I often hear that as an attorney I may be liable for malpractice if I don't
consider Computer Evidence. how realistic is this?
A. It is well documented in the media that computer or digital evidence has been
the "smoking gun" in many high profile cases. With the majority of new
information in businesses of all sizes being created and stored on computer
systems of all sizes it is undisputable that digital evidence, be it documents,
databases or the omnipresent e-mail should be considered a primary source of
evidence. While malpractice is a harsh word, it certainly is not in any clients
best interest to ignore potentially relevant sources of evidence, including
Q. I think that a computer in my organization may contain important evidence,
what do I do now?
A. STOP using the Computer, any use of this computer may DAMAGE, and Taint any
evidence. If the suspected computer is turned off leave it off.
If the computer is on, DO NOT goes through a normal “Shut Down” process... Call
GDF for Immediate Instructions.
Do not allow the internal IT staff to conduct a preliminary investigation
first, all you have is information and data, there is no evidence. Unless your
IT staff is certified in Computer Forensics and trained (and very few are) on
evidentiary procedures, they have not maintained chain of custody or followed
other accepted evidence techniques. Second, even if proper evidence handling
techniques have been used, the collection process itself has altered, and likely
tainted, the data collected. By opening, printing, and saving files, the
meta-data has been irrevocably changed. Third, turning on the computer changes
caches, temporary files, and slack file space which, along with the alteration
of the meta-data, may have seriously damaged or destroyed any evidence that was
on the computer.
Depending on the damage done by the internal IT staff, a skilled computer
forensics vendor may be able to salvage the damaged evidence. This, however, can
be an arduous and time-consuming process which often costs several times more
than the original analysis would have cost. Nevertheless, it is not always
possible to restore evidence, especially meta-data timelines, from computers
that have been mishandled. A good rule of thumb is to always use a certified
external vendor for computer evidence collection.
Keep a Detailed Log of who had access, what was done and where the computer has
been stored since the dates in question.
When the hard drive is removed and sent to GDF for a Forensic Examination make
sure to document the date and time in the system and note whether it differs
from the current time.
Secure the computer
Be prepared for litigation
Computer forensics may be an unknown and mysterious discipline to many but it is
easy to avoid the most common procedural mistakes. Only use a certified computer
forensics expert and do not rely on the internal IT staff for computer forensics
investigations. If there is a 20% chance that evidence from a suspected computer
system will be needed, have GDF do a* “Quick Analysis” and forensically collect
the evidence and complete a report.
Q. How Can I ship my Computer/Hard Drive to GDF for a Computer Forensics
A. Please, before you do anything call for complete instructions. GDF recommends
that you have the disc drive(s) removed by an experienced computer technician
and shipped to us. GDF will talk you through process. We can also provide
on-site acquisition service at your locations for an additional cost.
Please do not ship anything to us without contacting us in advance and obtaining
a Case Code. The Case Code must be written on the shipping label we will
instruct you to the closest available and quickest lab for you.
Disc drives are static sensitive so we recommend that the drive(s) be placed in
an antistatic bag and sealed. Wrap about 1/2-inch of solid foam or bubble wrap
around the disc and tape so all sides are sealed. Make sure the contents will
not bounce around in the box you use. DO NOT USE 'PEANUTS' OR ANY STYROFOAM
PACKING MATERIAL - THIS MATERIAL CREATES STATIC ELECTRICITY !