Computer Usage Analysis
Computer forensics can help reveal the exact actions taken by a user. Forensic usage analysis is often necessary to identify what activities recently took place on a computer. Activities may be the result of user actions or may be systematic and part of normal computer usage. In some instances, other individuals inside or outside the organization may connect to a computer in an effort to perform rogue activities that may reflect negatively on the normal user of the computer. Obtaining the facts and an expert’s interpretation and opinion regarding those facts can provide you the validation and confidence you need before taking action.
There are many types of questions that forensic examiners are often asked to research and respond to. Some of these may include any of the following:
- Were any external storage devices recently connected to the computer?
- Are there indicators that show that a computer user copied or transferred company files, trade secrets and other sensitive data to external sources?
  - Internet-based cloud storage (Google® Drive®/Docs®, Dropbox®, iCloud®, FTP, or other)
  - USB Storage Devices (External Hard Drives, Jump Drives, Thumb Drives, etc.)
  - Cell Phones & SIM Cards
  - Disk Media
  - Webmail or email
  - iPads or other tablet-based computing devices
- What specific actions took place on a key date and time by the user?
- Did the user run or install programs that are designed to obfuscate or cover their tracks?
- What files were deleted by the user?
- Did the employee engage in bad faith and provide information to outside parties?
- Did the employee break the company policy regarding standards of acceptable computer usage?
- Is the document produced really as it appears?
- Did anyone else access the computer who may be trying to frame the suspect or perpetrator?
Computer forensic activity and usage analysis can help tell the story about what actions took place. Analysis of the computer registry and other artifacts including link files, USB device history, Windows® restore points, unallocated space, deleted files, recently run programs as indicated by the Windows Prefetch, among others, can help piece together the story of what transpired. In some instances, the computer user may perform actions on the computer that complicate a forensic investigation by purging many of these sources of information beyond recovery or detection.
In circumstances where deliberate efforts were taken to purge and destroy data beyond recovery, Forensicon can often use our years of experience to help demonstrate that the computer lacks the normal pattern of data that exists on a computer in regular use. Proving usage of scrub software is a more challenging undertaking in many instances and often requires an experienced expert to persuade a court of law to accept an opinion that deliberate user-initiated actions took place specifically for the purpose of concealing potentially relevant data from the legal discovery process. Forensicon has appeared in court or testified via affidavit regarding the alleged usage of data scrubbing software. Forensicon experts have achieved successful outcomes where scrub software was used and have supported counsel with obtaining remedies from the courts.
Selecting an experienced, independent outside forensic firm to forensically image the suspect’s computer and perform forensic activity analysis in an attempt to validate management’s initial suspicions can help mitigate risk and provide objective proof for suspicions and allegations that may require disciplinary action against the employee. Before considering terminating, suspending or reporting an employee to legal authorities, companies and organizations should conduct a forensic investigation of the employee’s computer to understand what facts exist that may validate or rebut management’s initial suspicions. Having a trustworthy and experienced forensics firm at your side can help your organization avoid unnecessary and costly employment litigation.
Please contact Forensicon today at 888-427-5667 for a complimentary consultation of your computer forensics investigation needs.