Macomb County Bar Association Computer Forensics: Understanding Computer Forensic Evidence and its use in Civil and Criminal Law
Presented March 27, 2006
19 USC § 1337 has now expanded to include infringements on patents, cybersquatting, web traffic diversion, theft of trade secrets, copyright issues, and a variety of other intellectual property rights. Computer forensics tools help IP owners stop harmful activity and provide powerful evidence in court. How we locate and capture this evidence depends on the specifics of the case and is largely driven by what our clients believe occurred. Often, a specific computer, e-mail account or website is the focus of the investigation. When evidence is believed to be located in multiple formats, in multiple places, the investigation will involve multiple types of evidence collection in multiple locations. We pride ourselves on being one of the very few companies in the industry to be fully portable. In our labs, we have built very powerful computers into briefcases, which gives us the flexibility to travel by any means at a moment’s notice. It also means that the client does not have to wait a long time for set-up.

Internet Profiling

When the evidence is believed to reside “on the web”, our investigation will usually involve locating it. We employ state of the art tools and cutting edge in-house techniques to locate, record and document the information. Frequently, the source of the evidence (who put it on the web) then becomes necessary to document. This can lead to a more traditional form of investigation that has little to do with computer technology and far more to do with traditional private investigative work.

E-Mail Tracing

Proving who sent a particular e-mail, or who owns or controls a particular e-mail account, is an investigation in and of itself. This can involve tracing the origins of the e-mail, identifying an anonymous e-mail account’s owner and trying to determine who was physically at a specific computer when the e-mail was sent.
Like internet profiling noted above, an e-mail trace frequently requires employing other types of investigative procedures to collect all of the evidence required to succeed. Our success rates are some of the highest in the business, owing to methodology and techniques that we have developed over time.

Forensic Data Investigation

Many times, when you have control of the computer that your evidence may be located on, we are able to conduct a forensic investigation of that computer to locate whatever information is on that computer or storage device. This type of investigation should not be confused with the type of search the average I.T. employee or computer consultant can conduct. It is specifically aimed at locating any and all relevant information, or traces of it, that may exist on that computer or storage device. This includes things like e-mails viewed but not “saved”, websites visited, deleted documents, uninstalled software, etc. The great news about this type of data is that, unlike a piece of paper, which only shows us what we can see, electronic data can carry information about its creation, multiple versions of it, its transmission, its history of use, etc. We are proud to say that if a piece of information exists on a computer or storage device, we will be able to locate it and produce it for inclusion in evidence. Many of our clients, as well as the opposition, are often surprised at what we are able to find that was thought to be deleted or erased. Our investigations are conducted in a forensically sound manner, thus preserving the integrity associated with that piece of electronic evidence. As licensed private detectives, we are in a better position to find evidence than the office I.T. guy or other companies, because we already have the investigative knowledge, training, and mindset.
We have a multitude of court recognized software programs and tools to employ, along with our vast experience in both the technological aspects and generally accepted investigation practices. This combination is vital to preventing any corruption of the evidence. Make no mistake, one does not learn how to conduct this type of investigation in a classroom alone. Microsoft does not certify people to conduct this type of investigation. We are unique, and if you end up encountering us in court, you may learn that the hard way.

For all forensic data investigations, we make an exact and complete copy of the media. This “bit-for-bit” copy is used in the investigation, thus preserving the actual evidence. We then liaise with the client to establish parameters for the investigation. This can include an e-mail address, product number, last name or anything else. As you can likely imagine, any computer will contain immense amounts of information such as this. Culling through all of the information that our search develops can be a very time consuming process, and much of the expense in conducting such an investigation is derived from this part of the process. You can literally keep such a search going for months depending on how many terms are of concern. The more general the search term, the more time (and expense) required. This can lead to the generation of large amounts of useless data if conducted too broadly.

Evidence sources: Printed copy, Hard drive, CD-ROM, DVD, Removable storage, Micro drives, Email, Website

One of the most common questions we receive is how the evidence will look. As much as possible, the evidence is provided in the original format in which it was found. In other words, if the original piece of evidence was a Microsoft Word document, the client will receive it as a Microsoft Word document. If it was an email, the evidence will be provided as an email.
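The two steps above, taking a bit-for-bit copy whose integrity can be re-verified by hash and then running keyword searches over the raw copy so that data in freed ("deleted") space is found too, are illustrated here in an added Python example that is not part of the original presentation or the presenter's own tooling. The "storage device" is a constructed byte string, and the narrow-versus-broad search terms show why a general term produces many more hits to cull.

```python
import hashlib

# Constructed stand-in for a small storage device: an "allocated" region
# holding a live document, and an "unallocated" region where a deleted
# e-mail's bytes still sit because deletion only released the space.
ALLOCATED = b"MEMO: quarterly pricing attached. Contact: j.doe@example.com\x00" * 2
UNALLOCATED = (
    b"\x00" * 32
    + b"From: j.doe@example.com\r\nTo: rival@example.net\r\n"
    + b"Subject: trade secret formula\r\n"
    + b"\x00" * 32
)
SOURCE_MEDIA = ALLOCATED + UNALLOCATED


def acquire_image(media: bytes) -> tuple[bytes, str]:
    """Take a bit-for-bit copy and record the SHA-256 of the original.
    All later work happens on the copy; the hash lets anyone re-verify
    that the copy (and the untouched original) are still identical."""
    image = bytes(media)  # every byte, allocated or not, is copied
    return image, hashlib.sha256(media).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Integrity check run before analysis starts and again when it ends."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def keyword_search(image: bytes, terms: list[str]) -> dict[str, list[int]]:
    """Search the raw image rather than the file system, so hits inside
    unallocated space (the 'deleted' data) are found as well.
    Returns every byte offset at which each term occurs."""
    hits: dict[str, list[int]] = {}
    for term in terms:
        needle = term.encode()
        offsets, pos = [], image.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(needle, pos + 1)
        hits[term] = offsets
    return hits


def region_of(offset: int) -> str:
    """Report whether a hit lies in live data or in freed space."""
    return "allocated" if offset < len(ALLOCATED) else "unallocated"


if __name__ == "__main__":
    img, digest = acquire_image(SOURCE_MEDIA)
    print("image verified:", verify_image(img, digest))
    for term, offs in keyword_search(img, ["trade secret", "example"]).items():
        print(f"{term!r}: {len(offs)} hits", [region_of(o) for o in offs])
```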
In any event, the client need only double click on the icon we provide and he or she will be viewing the evidence. Most importantly, we can stand up in court and explain what we found, how we located the evidence and when it was created, modified and accessed, etc. This is far more important than might initially be understood. There are a number of so-called “forensic specialists” who, with no prior background, attended a training class for a certain piece of forensic software and then hung out a shingle professing to be qualified. Being able to use a particular piece of forensic software is entirely different from being able to explain the history of a piece of data, or how various file systems may affect preservation of data. Although there may be a number of forensic specialists emerging in the field now, we are uniquely positioned in the industry through our complete and solid understanding of how a computer works in any environment. They may be able to tell you when the file got there, but we can tell you how.

All material presented here is protected by copyright and NOT to be copied, duplicated or distributed without the express written permission of the owners. For questions about this presentation or to discuss a case with one of our investigators, please call us today at 888-677-9700.