Getting Your Money’s Worth – Deliverables to Request from your Computer Forensic Examiner
A vast majority of corporations utilize high technology to conduct everyday business. Because of the widespread use and adoption of technological innovations by these companies, electronic information has become ever more crucial to resolving litigation disputes.
Since electronic evidence may contain the smoking gun, you really should be equipped with the knowledge of just how many ways you can obtain the information you need (and be sure to exhaust every possibility). Deciding on a reputable forensic expert is of course the first step in finding the proverbial smoking gun without spoliation of evidence.
To preserve electronic evidence, an expert forensically images the suspect electronic media or hard drive, which is a process that involves creating a bit stream copy of the original media device. This copy is authenticated as genuine by generating and comparing something known as a hash value for both the original and copy. Once your expert has an exact copy to work with, the original drive can be stored and sealed while the expert performs all search and recovery functions on the copy. This will reduce the risk of evidence spoliation.
Assuming the forensic copy has been made, the next step is equally essential – knowing what to ask from your expert. Having a printout of ALL of the data on the computer is one way to go, but do you really have the time to sift through possibly millions of pages of information? With the right requests, the production can be quite manageable and much less daunting. For example, if you’re investigating an employee who’s suspected of downloading pornography, perhaps asking for every file on the computer may not be the most effective method in locating these incriminating pictures. What would make more sense is to target the Internet history of the computer user, which resembles a spreadsheet list of all websites visited showing the relevant dates and times of access.
The following is a list of some of the deliverables you can request from your computer forensics expert:
- Recover erased / deleted partitions and files: If there is suspicious activity, chances are, they will not be found in the obvious places like the Desktop or the user’s personal folder. More than likely, incriminating activities will be deleted. Therefore, having your expert recover deleted partitions and files is the most logical first step. From here, you can have a list of all deleted activity, as well as all deleted files burnt to CD, and you just might be able to find the company’s intellectual property that never should have been on the computer in the first place.
- Generate file hash values: In essence, hash values are electronic fingerprints. Without going into the nitty gritty of the MD5 hash, know that there are two constants: a good computer forensic expert will know what a hash value is, and these hash values can be used to uniquely identify electronic files. When hash values are generated using computer forensic software, you can de-duplicate files (eliminating redundancies, hence minimizing costs) and find matching files on other computer media. For example, if a hash value is generated for a file containing proprietary blueprints that are confidential, the expert can use this value to find a match on the suspect hard drive. If there is a match, it is evident that the file was saved to the computer in an unaltered state. Proprietary information that is suspected to be misappropriated can be burnt to a CD, then all files on the CD can have their hash values calculated and added to a hash set. A hash set is very similar to the federal government’s known felons fingerprint database, only the hash set uniquely identifies electronic files. These hash sets help to quickly find files on a computer that has been forensically imaged.
- Request file listing inventory: Having a list of everything you need to know about a file (e.g. name, file extension, physical location, access date, create date, etc.) will help narrow your focus. For example, if you know an employee’s last day of employment is the 6th of August, 2004, you will want to start your search with all files accessed/modified/deleted in the two weeks prior to that to monitor any suspicious/anomalous activities that might occur just before the employee’s departure.
- Request DAT file report for Internet history: A review of the Internet history of a user can help you and your examiner quickly focus a search on the computer user’s personal web mail account. Additionally, a review of the Internet history may help you to determine if the user was accessing pornography, researching how to erase a hard drive of all activities, searching for how to successfully commit a fraud, or sending proprietary information to a competitor. This step should be taken prior to a general keyword search of the media imaged.
- After reviewing all of the above, most often referred to by our staff as the “round one production,” you can begin to target specifics:
  - Key files of interest
  - Relevant time frame files were created, modified, deleted
  - Key individuals/organizations involved
  - Generate keyword list for filtering of files (key addresses, web mail accounts, key terms, etc.)
- Image files (.jpg, .gif, etc.) that tell a story: Once you visit a website, most of the data that appears on your screen has likely been saved somewhere on your computer’s hard drive, even if you didn’t deliberately save it onto your hard drive. A review of image files can be very revealing and will often indicate what programs were recently installed or used on the computer.
- Search the unallocated space and native files: For most investigations, we find that focusing on the unallocated or empty part of the hard drive yields the best information. Because the computer will cache much of what is displayed on your computer screen to the unallocated portion of the hard drive, a review of this area is more likely to yield a smoking gun. Electronic discovery vendors routinely neglect to search this portion of a hard drive. Only computer forensics allows you to search the unallocated space. A search of the native files on the computer is also crucial, but deceptive activities are often found only in unallocated space. When deception is involved, always insist on searching the unallocated space.
- Every program leaves a trace. Look for .lnk files: Most programs and documents leave link files or shortcuts throughout the hard drive. These link files can help establish when a file was last used on the computer and if it still exists. Even if scrub software was used and uninstalled, a link file may still be resident on the computer that can prove it was once there.
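The hashing workflow behind the imaging step and the "generate file hash values" item above, as an added example that is not the article's or any vendor's code: digest a file in chunks, use the same comparison to authenticate a bit-stream copy against its original, and match a mounted image against a hash set of known proprietary files while de-duplicating. All paths and file contents are constructed for the demo; a second digest (SHA-256) is carried beside MD5 because MD5 collisions are a known weakness.

```python
import hashlib
import os
import tempfile

def file_digests(path, chunk=1 << 20):
    """(md5, sha256) of a file, read in chunks so multi-gigabyte images fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def build_hash_set(known_paths):
    """Hash set of known files, e.g. the proprietary documents burnt to CD."""
    return {file_digests(p): p for p in known_paths}

def scan_tree(root, hash_set):
    """Walk a mounted image: report hash-set matches and de-duplicate by digest."""
    matches, seen, duplicates = [], {}, []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = file_digests(path)
            if digest in hash_set:            # unaltered copy, whatever its name
                matches.append((path, hash_set[digest]))
            if digest in seen:                # redundant copy: review it only once
                duplicates.append((path, seen[digest]))
            else:
                seen[digest] = path
    return matches, duplicates

def demo():
    """Constructed tree: a known blueprint, a renamed exact copy (match), an altered copy
    (no match) and two identical memos (one duplicate). Returns (matches, dups, verified),
    where 'verified' is the original-vs-copy digest comparison used to authenticate an image."""
    root = tempfile.mkdtemp()
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        return path
    blueprint = b"CONSTRUCTED PROPRIETARY BLUEPRINT\n" * 64
    known = put("cd/blueprint.dwg", blueprint)
    copy = put("image/Documents/holiday.jpg", blueprint)      # renamed, unaltered
    put("image/Documents/edited.dwg", blueprint + b"rev2")    # altered: no match
    for rel in ("image/memo.txt", "image/backup/memo.txt"):
        put(rel, b"CONSTRUCTED MEMO")
    matches, dups = scan_tree(os.path.join(root, "image"), build_hash_set([known]))
    return len(matches), len(dups), file_digests(known) == file_digests(copy)
```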
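A keyword search of the kind the "unallocated space" item describes, as an added example (not the article's or any tool's code): it scans a raw byte buffer for each term in both ASCII and UTF-16LE, because Windows caches much on-screen text as UTF-16LE and an ASCII-only search silently misses those fragments. The buffer, keywords and the web-mail address are constructed; a real run would read the unallocated clusters exported from the image.

```python
import re

def keyword_hits(raw, keywords, context=16):
    """Search raw bytes (e.g. unallocated clusters dumped from an image) for each keyword,
    case-insensitively, in both ASCII and UTF-16LE. Returns (offset, encoding, keyword,
    snippet) tuples sorted by offset so each hit can be located back in the image."""
    hits = []
    for kw in keywords:
        for enc, label, step in (("ascii", "ascii", 1), ("utf-16-le", "utf-16le", 2)):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(raw):
                start = m.start() - context * step
                if start < 0:                     # keep UTF-16 code units aligned
                    start = m.start() % step
                end = min(len(raw), m.end() + context * step)
                snippet = raw[start:end].decode(enc, errors="replace")
                hits.append((m.start(), label, kw, snippet))
    return sorted(hits)

def build_sample_unallocated():
    """Constructed stand-in for an unallocated-space dump (not a real image): zero fill,
    a browser-cached web-mail fragment in UTF-16LE, binary junk, and an ASCII HTML remnant."""
    blob = bytearray(b"\x00" * 512)
    blob += "To: rival@competitor.example Subject: Blueprint rev3".encode("utf-16-le")
    blob += bytes(range(256)) * 2
    blob += b'<a href="mailto:Rival@Competitor.example">send BLUEPRINT</a>'
    blob += b"\x00" * 512
    return bytes(blob)

def demo():
    """Terms an examiner might be handed: a document name fragment and a web-mail address."""
    return keyword_hits(build_sample_unallocated(), ["blueprint", "rival@competitor.example"])
```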
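How a .lnk file records the facts the last item relies on, as an added example (not the article's code): it decodes the fixed 76-byte ShellLinkHeader of the Windows Shell Link format, whose three FILETIMEs and FileSize describe the link target as it was when the link was written, so they remain readable after the target itself has been deleted. The sample header is constructed with the same packer rather than taken from a real shortcut.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Fixed ShellLinkHeader of a Windows .lnk file (MS-SHLLINK): 76 bytes, little-endian.
HEADER = struct.Struct("<I16sIIQQQIIIH2sII")
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}

def filetime_to_datetime(ticks):
    """FILETIME is 100-ns intervals since 1601-01-01 UTC; zero means 'not set'."""
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse of the above, in integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_lnk_header(data):
    """Validate and decode the fixed header. The timestamps and size are the target's as of
    the last time the link was written; the .lnk's own filesystem timestamps say when that was."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = HEADER.unpack_from(data)
    if size != HEADER.size or uuid.UUID(bytes_le=clsid) != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link header")
    return {"flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
            "target_is_directory": bool(attrs & 0x10),   # FILE_ATTRIBUTE_DIRECTORY
            "target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_written": filetime_to_datetime(wtime),
            "target_size": fsize}

def build_sample_lnk():
    """Constructed header for a link to a 4 KiB file last written 2004-08-05 (not a real .lnk)."""
    created = datetime(2004, 7, 20, 9, 0, tzinfo=timezone.utc)
    written = datetime(2004, 8, 5, 17, 42, tzinfo=timezone.utc)
    return HEADER.pack(HEADER.size, SHELL_LINK_CLSID.bytes_le, 0x02 | 0x80, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(written),
                       datetime_to_filetime(written), 4096, 0, 1, 0, b"\0\0", 0, 0)
```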