877-DATA-EXAM [877-328-2392]
When Your Data Really Matters.

A TECHNICIAN IS NOT AN INVESTIGATOR

An attorney once told me, "If you need an electrician, don't hire a plumber." Truer words were never spoken. If you need a forensic computer examiner, retain the services of a forensic computer examiner, not your local computer guy. Computer forensics is a science; it requires specialized training, experience, and equipment.

COMPUTER FORENSICS EXPLAINED

The two questions I am most frequently asked have to do with the definition of computer forensics, and how to choose a forensic computer expert.

Computer forensics is a science, a discipline, and an art, all involving the identification, preservation, extraction, documentation, and interpretation of computer data. At times it is more science than art, at other times more art than science, but it is always a discipline that follows industry-standard methodologies and procedures while allowing flexibility and experimentation, with validation.

This means not only recovering deleted files (documents, graphics, etc.), but also searching the slack and unallocated space on the hard drive, places where a plethora of evidence regularly resides.

It is tracing Windows artifacts (those tidbits of data left behind by the operating system) for clues to what the computer has been used for; more importantly, it is knowing how to find the artifacts and what value the information holds.

Computer forensics is being able to run a string-search for e-mail, when no e-mail client is obvious. A forensic computer examiner will be able to tell you Internet usage, recover data, and do a full examination even after the computer has been defragged and/or formatted.

If this is the type of computer examination you need, then contract with a forensic computer examiner; after all, most people wouldn't go to a general practitioner for a heart operation!

I most often work within the L.A., Orange County, San Diego and Riverside County area; however, we are always ready to travel, maintain a complete mobile forensics laboratory, and offer significant discounts for extended travel.

Travel may not be practical for everyone, so I offer the following suggestions for choosing an expert:

  1. Training and certifications specific to computer forensics. This speaks to credibility and involvement in the computer-forensics community.
  2. Background, education, and experience. How many computers have they examined? Is he/she prior law enforcement? Litigation experience? Qualified expert testimony?
  3. References (both notable and plentiful).
  4. Equipment, the tools of the trade: are they running a full forensic lab, or making do with whatever computer equipment was handy?
  5. Are reports and exhibits provided in a timely manner and in a demonstrably understandable format?

If you get positive answers to the above inquiries, you're probably on the right track.

Don't get me wrong here: your IT people, MCSEs, and most others who are OS- or Microsoft-trained are very good at what they do, but they are not forensic computer examiners; they are specialists within their own field.

Look for a person with the qualifications to do the job. Think of it this way: Would you hire a carburetor mechanic to fix your transmission?

Recovering deleted files is the simplest of chores, but discovering the significance of those files takes the expertise of an investigator.

ONE POTENTIAL CLIENT RECENTLY WROTE

I have a fiduciary responsibility to find the best option for my client, as I am sure you can appreciate. We've been talking with [Brand-X company]. They promise to retrieve all deleted material and provide it to us on a readable CD ROM. If you are familiar with their service, can you tell me how what you offer differs from them in anyway? In other words, do you offer anything they don't?

MY ANSWER EXPLAINED WHY IT IS SO IMPORTANT TO USE A TRAINED FORENSIC COMPUTER EXAMINER. I WROTE,

There is a tremendous difference, and it is frequently overlooked.

If all you're looking for are deleted files, that is no trick, and any number of services can do that for you.

The difference is in the investigation; a technician is not an investigator, nor does the technician have the tools/knowledge to discover the hidden data.

What you need recovered may not be found in simple deleted files as such, but may be hidden in HTML e-mail entries, MM256 files, MM2048 files, or other data (.dat) files. There is recoverable information in the swap file (sometimes called Virtual Memory), slack space, or Recycle Bin Info file, and many other locations, none of which are available to the technician, and all of which hold information. Technicians do not do keyword searches, and if they do, they do not generally have the tools to search slack space. Web-based e-mail, such as Hotmail and Yahoo, is generally disregarded by IT people as being irretrievable; however, there are a number of ways to salvage a significant portion of these messages.

We do forensic computer examinations, only. The training received by our forensic examiners is the same that is provided to, and by, State and Federal agencies. All of our examiners come from the public sector; they bring years of training, experience and knowledge to the service of our clients. And, of course, our equipment is state-of-the-art, always.

In addition, we are generally faster than most other services because we have the tools to target what needs to be processed, pull it off the suspect hard drive, and then process it once it is copied to our own forensic hard drive.

We never work from original media, which means there is always a 2- to 3-hour hard drive cloning process before the investigation even begins. This is a MUST; otherwise you take the chance of destroying data on the original HDD, changing date stamps, and overwriting slack space. For example, every time Windows boots, it can write to 600 to 1,500 different files; this has the potential of destroying a lot of information. We will never boot the original HDD.

Please pardon my vernacular; the above was only intended to be a private e-mail, but the content serves a point, that being: A TECHNICIAN IS NOT AN INVESTIGATOR.
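The two working principles in the e-mail above, never touching the original media (image it first and verify the image) and then running the keyword search over the raw image so that slack and unallocated space are covered, as an added Python example. This is not the firm's code or tooling; the four-sector "drive", its sector size, the e-mail addresses in it and the allocation map are all constructed for illustration, and the in-memory streams stand in for a device that would really be opened read-only behind a hardware write blocker.

```python
"""
Added example: minimal image-then-search workflow.
  1. Bit-for-bit copy of a read-only source into an image, with the source
     and the finished image hashed independently and compared.
  2. Regex string search over the raw image bytes (not the file system), so
     hits in file slack and unallocated space are found and labelled.
All sample data below is constructed; nothing here is a real disk or case.
"""
import hashlib
import io
import re

SECTOR = 512  # bytes per sector in the constructed sample
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_sample_drive() -> bytes:
    """Constructed 4-sector 'hard drive'. Sector 0 is an allocated text file;
    sector 1 is slack behind a short file and still holds an old draft;
    sector 2 is unallocated space holding a deleted HTML e-mail fragment;
    sector 3 is wiped. Addresses use the reserved .test TLD."""
    s0 = b"Meeting notes: contact the vendor at sales@example-vendor.test\n"
    s1 = b"short.txt".ljust(40, b"\x00") + b"...old draft: payment to deleted.user@example.test "
    s2 = b"<html><body>From: web.mail.user@example.test Re: wire transfer</body></html>"
    return b"".join(s.ljust(SECTOR, b"\x00") for s in (s0, s1, s2, b""))


def image_device(src, dst, chunk=SECTOR) -> dict:
    """Copy src to dst in fixed-size chunks, hashing each side separately.

    The source stream is only ever read. The image is re-read from the start
    after the copy and hashed again, so verification does not simply trust
    the bytes that went through the write path.
    """
    src_hash = hashlib.sha256()
    sectors = 0
    while True:
        block = src.read(chunk)
        if not block:
            break
        src_hash.update(block)
        dst.write(block)
        sectors += 1
    dst.flush()
    dst.seek(0)
    img_hash = hashlib.sha256()
    for block in iter(lambda: dst.read(chunk), b""):
        img_hash.update(block)
    return {
        "sectors": sectors,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.digest() == img_hash.digest(),
    }


def search_image(image: bytes, allocated_sectors) -> list:
    """Regex search over the whole raw image. Each hit records its byte
    offset, sector, and whether that sector belongs to a live file
    (allocated) or to slack/unallocated space the file system would not
    show. allocated_sectors is a constructed allocation map."""
    hits = []
    for m in EMAIL_RE.finditer(image):
        sector = m.start() // SECTOR
        hits.append({
            "offset": m.start(),
            "sector": sector,
            "region": "allocated" if sector in allocated_sectors else "slack/unallocated",
            "match": m.group().decode("ascii"),
        })
    return hits


def run_case() -> dict:
    original = io.BytesIO(build_sample_drive())  # stands in for the suspect HDD
    image = io.BytesIO()                          # our own forensic image
    report = image_device(original, image)
    if not report["verified"]:
        raise RuntimeError("image does not match source; do not proceed")
    # From here on only the image is examined; the original is never touched.
    report["hits"] = search_image(image.getvalue(), allocated_sectors={0})
    return report


if __name__ == "__main__":
    r = run_case()
    print(f"imaged {r['sectors']} sectors, sha256 {r['image_sha256']}, verified={r['verified']}")
    for h in r["hits"]:
        print(f"  offset {h['offset']:>6}  sector {h['sector']}  {h['region']:<18} {h['match']}")
```

Only one of the three addresses lives in an allocated file; a recovery service that hands back "deleted files" would return at most the first two, while the raw search also surfaces the web-mail fragment sitting in unallocated space. Against a real drive the same two steps apply, with the source opened read-only and the verified hash recorded before any examination starts.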

A WORD OF CAUTION

There has been a plethora of so-called "forensic computer experts" rising up from the mud recently. Most have neither the training nor the equipment to do even a basic competent job. Several have called me for advice on cases because they bought one piece of software and now can't do the job. For your own protection, always verify the suggestions listed above when choosing an expert.

And please, never hesitate to ask us for references. We are happy to supply you with a list of prior clients; however, we do ask them for permission before releasing that information. As you can understand, some of the investigations tend to be very private.