Q.
What are computer Forensics and how does the process work?
Q.
When should I consider using a Computer Forensics Company?
Q.
Is it ok if my IT people do the Computer Forensics on our systems?
Q.
What risks are there if I don’t consult a Computer Forensics expert at
the start of a problem?
Q.
How would I calculate the ROI of using a Computer Forensics Expert?
Q.
How can a Computer Forensic Company help our organization reduce losses
and lower risk?
Q.
How much do Computer Forensic Investigations typically cost?
Q.
I often hear, as an attorney, I may be guilty of malpractice if I don't
consider computer evidence, how realistic is this?
Q.
I have a computer in my organization that may have important evidence on
it, what do I do now?
Q.
How do I ship a computer or hard drive to GDF for processing?
Q.
What are Computer Forensics and how does the process work?
A. Computer Forensics
is the analysis of information contained within and created with
computer systems, typically in the interest of figuring out what
happened, when it happened, how it happened, and who was involved. This
being said, computer forensic techniques and methodologies are used for
conducting investigations - again, in the interest of figuring out what
happened, when it happened, how it happened, and who was involved.
The Certified Computer Forensics Investigator's first step is to clearly
determine the purpose and objective of the Investigation. Then they
will take several careful steps to identify and extract all relevant
data on a subject’s computer system. Forensic analysis will extract the
data that can be viewed by the operating system, as well as data that is
invisible to the operating system.
Image, protect and preserve the evidence during the forensic
examination from any possible alteration, damage, data corruption, or
virus introduction, ensuring evidence is not damaged, tainted or in
any other way rendered inadmissible in court.
Use Forensically Sound protocols at all times during the investigation
to ensure that the information on the computer is admissible in court.
Assume that every case/situation could end up in the legal system. If
your Computer Forensics Examiner doesn’t make that assumption, find
someone else.
Address the legal issues at hand in dealing with Electronic Evidence,
such as relevant case law, how to navigate the discovery process,
protection of privilege, and in general, working/communication with
attorneys and other professionals.
Discover all files on the subject's system. This includes existing
active files, and invisible files; deleted yet remaining files, hidden
files, password-protected files, and encrypted files. In many cases,
information is gathered during a computer forensics investigation that
is not typically available or viewable by the average computer user,
such as deleted files and fragments of data that can be found in the
space allocated for existing files - known by computer forensic
practitioners as slack space. Special skills and tools are needed to
obtain this type of information or evidence.
In computer forensics, there are three types of data that we are concerned with: active,
archival, and latent.
Active data is the information that you and I can see: data files, programs, and files used
by the operating system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes,
CDs, floppies, or entire hard drives, to cite a few examples.
Latent (also called ambient) data is the information that one typically needs specialized
tools to get at. An example would be information that has been deleted
or partially overwritten.
Recover all deleted files and other data not yet overwritten. As a
computer is used, the operating system is constantly writing data to the
hard drive. From time to time, the operating system will save new data
on a hard drive by overwriting data resident on the drive but no longer
needed by the operating system. A deleted file, for example, will remain
resident on a hard drive until the operating system overwrites all or
some of the file. Thus, in order to preserve as much relevant data as
possible on a computer system, you must acquire relevant computers as
soon as possible. The on-going use of a computer system may destroy data
that could have been extracted before being overwritten. Fortunately,
the costs of acquisition are very reasonable, and the process is not
disruptive.
Analyze all possibly relevant data found in special (and typically
inaccessible) areas of a disk. This includes unallocated space on a disk
(currently unused, but possibly the repository of previous data that is
potentially relevant), as well as 'slack' space in a file (the unused
space at the end of a file, in the last assigned disk cluster, that may
be a possible site for previously created and relevant evidence).
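The two residue areas just described, unallocated space and file slack, together with the earlier point that a deleted file survives only until the operating system reuses its blocks, can be made concrete with a toy cluster-allocated volume. The Python below is an added example written for this page; it is not GDF's code or tooling, and the 64-byte cluster size, the bitmap-plus-directory layout, the file names and the memo text are all constructed. It writes a file, "deletes" it by clearing only its allocation entries, lets a later small file reuse the first cluster, and then reads the raw image the way an examiner would, showing that the deleted memo's text survives partly in the new file's slack and partly in unallocated clusters.

```python
"""
Toy cluster-allocated volume: where deleted data and file slack survive.

Added example, not code from GDF or from the original page.  The layout
(64-byte clusters, an allocation bitmap, a tiny directory) is constructed;
real file systems differ in detail but leave residue the same way.
"""
import re

CLUSTER = 64  # bytes per cluster (constructed value)


class ToyVolume:
    def __init__(self, clusters):
        self.image = bytearray(clusters * CLUSTER)  # the raw "disk"
        self.allocated = [False] * clusters         # allocation bitmap
        self.directory = {}                         # name -> (first_cluster, size)

    @staticmethod
    def clusters_for(size):
        return max(1, -(-size // CLUSTER))          # ceiling division, at least one cluster

    def write_file(self, name, data):
        needed = self.clusters_for(len(data))
        run, start = 0, None
        for i, used in enumerate(self.allocated):   # first-fit search for a free contiguous run
            run = 0 if used else run + 1
            if run == needed:
                start = i - needed + 1
                break
        if start is None:
            raise OSError("volume full")
        off = start * CLUSTER
        self.image[off:off + len(data)] = data      # bytes past EOF in the last cluster are not touched
        for i in range(start, start + needed):
            self.allocated[i] = True
        self.directory[name] = (start, len(data))

    def delete_file(self, name):
        start, size = self.directory.pop(name)
        for i in range(start, start + self.clusters_for(size)):
            self.allocated[i] = False               # only the bitmap changes; the bytes stay on disk


# --- examiner's view: read the raw image, not the directory -----------------

def region_of(vol, offset):
    """Classify a byte offset as 'live' (inside a file), 'slack' or 'unallocated'."""
    if not vol.allocated[offset // CLUSTER]:
        return "unallocated"
    for start, size in vol.directory.values():
        first = start * CLUSTER
        last = (start + vol.clusters_for(size)) * CLUSTER
        if first <= offset < last:
            return "live" if offset < first + size else "slack"
    return "unallocated"


def file_slack(vol, name):
    """Bytes between a file's end and the end of its last cluster."""
    start, size = vol.directory[name]
    end = start * CLUSTER + size
    return bytes(vol.image[end:(start + vol.clusters_for(size)) * CLUSTER])


def unallocated_space(vol):
    """Contents of every cluster no current file owns (where deleted files linger)."""
    return b"".join(bytes(vol.image[i * CLUSTER:(i + 1) * CLUSTER])
                    for i, used in enumerate(vol.allocated) if not used)


def carve(vol, keyword):
    """Every offset of keyword anywhere in the raw image, tagged with its region."""
    return [(m.start(), region_of(vol, m.start()))
            for m in re.finditer(re.escape(keyword), bytes(vol.image))]


def demo():
    vol = ToyVolume(clusters=8)
    memo = b"CONFIDENTIAL: merger talks with Acme start Monday" + b"." * 40  # 89 bytes -> 2 clusters
    vol.write_file("memo.txt", memo)
    vol.delete_file("memo.txt")                    # user deletes the memo
    vol.write_file("notes.txt", b"lunch at noon")  # later activity reuses the first cluster
    return vol


if __name__ == "__main__":
    v = demo()
    print("slack of notes.txt:", file_slack(v, "notes.txt"))
    print("'Acme' found at:", carve(v, b"Acme"))
```

After the demo, the directory lists only notes.txt, yet carve() still finds "Acme" and "Monday" in that file's slack, and the memo's tail sits in unallocated space; only the 13 bytes the new file actually overwrote are gone. Every further write on a real machine does the same thing to whatever residue remains.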
Report Analysis of the computer system, as well as provide you a copy of
all relevant data, parsed in a format and arranged to be integrated into
your legal theories and strategies.
GDF’s analysis and investigation work is performed using the highest level of forensic
scrutiny. We follow known forensic procedures and use only open and
verifiable programming techniques. Our methodologies are transparent:
we encourage the Court and opposing sides to dissect our work because we
stand behind its admissibility 100%. We use NO PROPRIETARY or secret
methods or programs when doing our analysis. Instead we use our
programming skills to build tools and software specifically for the task
at hand. And of course we always document everything and open our work to
scrutiny by all parties involved.
Provide Expert consultation and/or testimony, as necessary.
Q.
When should I consider using Computer Forensics?
A.
If your client/employee has a computer, they need computer forensics.
The computer has invaded our very existence, become a part of our lives,
and is an integral part of almost every case.
Computer Forensics differs from data recovery, which is the recovery of
data after an event affecting the physical data, such as a hard drive
crash. Computer forensics goes much further: it is a
complete computer examination with analysis as the ultimate goal.
In any case where a Computer or Information system is/was available, use
Computer Forensics as a tool to (1) determine the facts from your
employee/client, (2) discharge your duty to avoid spoliation, (3)
obtain all relevant evidence from the opposing party in a manner similar
to using a Request for Production of Documents, and (4) determine
whether computers were used as the instrumentality of a tort or crime,
or a violation of Policy.
Determine Facts. You must have all the information relevant to a matter,
not only to construct effective legal strategies, but also to focus your
expectations and efficiently budget your services. There is nothing
more difficult to address than a case that has become complicated by new
facts, where you expected the matter to proceed smoothly and without
significant cost. Knowing all the facts early in a matter allows you to
better prepare for those cases that will require significant legal
expertise to manage.
In response to pending litigation, analyzing your relevant computers is
an excellent way to discharge your duties to preserve evidence and avoid
spoliation, while also acquiring all relevant information essential to
your legal theories and strategies. Similarly, as part of critical
business decisions, forensically analyzing relevant computers can
provide essential information. For example, analyzing the computers of
corporate officers or employees as part of the termination process can
alert you to possible litigation issues such as violation of non-compete
agreements, improper copying of intellectual property, etc.
In Lieu of Request for Production of Documents. In litigation, an
attorney ought to determine whether a Request for Production of
Documents will obtain all relevant evidence. You might simply ask
yourself whether you want to discover part of the relevant information
(i.e. that seen by your opponent’s operating system) or all of it
(deleted, hidden, orphaned data, etc). It is not unrealistic to
anticipate that information contained on a computer system that is
helpful to a matter would be saved, while that which is harmful would be
deleted, hidden, or rendered invisible. For example, in sexual
harassment cases, it is not unusual to discover deleted emails and other
data invisible to the operating system that significantly affects the
case. Computer forensic analysis extracts all the emails, memos, and
data that can be viewed with the operating system, as well as all
invisible data. In many cases, the invisible data completely changes the
nature of a claim or defense, leading to early settlement and avoidance
of surprises during litigation.
In any situation in which one or more computers may have been used in an
inappropriate manner, it is essential to call a forensic expert. Only a
computer forensic analyst will be able to preserve, extract, and analyze
the vital data that records the “tracks” left behind by inappropriate
use. Taking the wrong steps in these circumstances can irretrievably
destroy the vestiges of wrongful use that may result in litigation or
criminal prosecution.
Q.
If I think that evidence exists, is it ok if my technology expert takes
a look for the information before I get in touch with a Computer
Forensics Expert?
A.
Companies that fall victim to computer crime may be inadvertently
destroying evidence in their efforts to find the perpetrators. "You only
have one opportunity to collect the evidence” you need to prove your
case.
"Human resources send in well-meaning IT staff that doesn’t know what
they are doing and ruin the evidence. Although the internal IT staff is
often highly knowledgeable regarding their working environment and the
technology employed within, computer forensic investigations are best
performed by outside certified experts. Specifically, the nature of the
forensic analysis process, coupled with the evidence-preservation and
chain-of-custody requirements of the court system, necessitates
that computer forensic investigations are performed by external entities
equipped with authorized forensic technology and trained to observe
forensic protocols. "What we see is well-meaning IT professionals going
in and doing what you see on every bad crime film: they muddy the
waters. You need a professional certified computer forensic team in
there as soon as possible."
Additionally, using in-house personnel can raise issues related to
authentication that can increase the cost of admitting evidence.
In-house personnel may be put through a challenge that could threaten
the admissibility of critical evidence. If there is a remote chance that
the matter could end up in court, best practices strongly suggest
having the data analyzed by a computer forensic expert. The cost of
expert analysis will almost always be far less than the cost of
defeating a challenge to the admission of critical evidence.
Most in-house technology experts are concerned with mission critical
data and recovery from catastrophic data loss. They are not experts in
the acquisition and preservation of data rendered invisible to the
operating system. Even the most well-intentioned Technology expert can
damage the fragile information that is stored on a computer, especially
when the operating system does not recognize the data. The simple act of
turning the computer on or looking through files can potentially damage
the very data you’re looking for. Dates can be changed, files
overwritten and evidence can be corrupted.
Accusations of evidence tainting are not rare in cases involving
computer data when the party who owns or acquires the computer data also
analyzes it. Issues such as accessibility to the data by other parties,
experience and credentials of the person who acquired and reviewed the
data, as well as other questions along these lines are typical.
For the above reasons it's not advisable for an employer, employee,
friend, etc. to perform the function of acquiring and reporting evidence
that has any chance of being litigated by any party.
Professional, third-party companies like GDF are experienced in this
type of work and considered neutral and unbiased. Evidence obtained and
submitted by certified professionals like GDF’s is likely to carry much
more weight in front of opposing counsel, corporate management, a jury
or any other party.
GDF certified investigators employ the proper hardware and software to
identify, isolate, and preserve electronic information in a court
admissible manner. They possess the expertise and experience vital to
efficiently analyze electronic information and uncover electronic
evidence while relying upon essential training and experience to ensure
the court admissibility of electronic evidence.
Q.
What risks are there if I don’t consult a Computer Forensics expert at
the start of a problem?
A.
The most frustrating aspect of forensic analysis is that the operating
system randomly overwrites data on the hard drive. This means that the
longer a computer is used, the more likely it is that evidence will be
lost. Fortunately, the operating system frequently records evidence in
several places simultaneously. So if the data is overwritten in one
area, it may still reside in another. It is impossible to tell, however,
whether the data that is most important to you will survive the constant
use of the computer. Indeed, the simple act of turning the computer on
or looking through files can potentially damage the very data you’re
looking for. The dates that files were created can be changed, files can
be overwritten and evidence can be corrupted. The safest practice is to
acquire an image of the computer as soon as possible; however, it may be
possible to find relevant data even after years of use.
Q.
How do I figure out the ROI (Return on Investment) on contracting Computer Forensic Services?
A. If you are thinking about performing this type of work yourself or
using your corporate IT department or local computer technician,
consider the internal dollar cost and the possibility of your evidence being
tossed out because of the method in which it was acquired, the
qualifications of those who worked on it, or personal and business
associations your staff might have with the subject.
The internal cost is not only the time you or other people spend
performing this work, but also taking them away from their assigned
responsibilities, the time spent writing reports (a 40 GB hard
drive can have over 9,101,420 pages of data), possible Interrogatories and
depositions, other internal issues, gossip spreading and loss of work
productivity. All these may occur and can affect you, your business and,
most importantly, the outcome of your case or situation.
Q.
How can a Computer Forensic Company help us reduce loss and liability?
A.
Consider the following: it is estimated that each year, billions of dollars are
lost through employee theft, fraud and sabotage. This is the direct cost
only. Add to it billions more in investigation and litigation costs,
lost productivity, the future value of Intellectual Property lost... the
list goes on, as do the billions of dollars lost. Now, add the cost of
the publicity surrounding employee malfeasance: loss of reputation,
employee morale, a depressed stock price.
Finally, the new regulatory and litigation environment we are now
entering places a new, heightened level of personal responsibility and
liability on the backs of corporate executives and directors for the
activities of their employees and organizations. How many are willing to
take that risk?
Often, the cost of using professional, Computer Forensic Certified,
third-party firms like GDF is far outweighed by the internal costs, both in
dollars and in winning your case. In addition, our rates are
competitively priced while delivering fast, aggressive service anywhere,
anytime in the “World”.
It may be beneficial to you to review GDF’s “Quick Analysis” program.
Q.
How much do Computer Forensic Investigations typically cost?
A.
In the past, Computer Forensic Examinations could run tens of thousands
of dollars because of the manpower necessary to thoroughly examine a
hard-drive. With the advancement of technology in the Computer Forensics
arena that is no longer the case. The software and hardware available
now make the price of Computer Forensics affordable and well worth the
investment. The prices can range from $250 an hour to $350 an hour, and
the process involves basically three steps: Acquisition, Investigation,
and Reporting. Acquisitions usually cost less than $500.00.
Investigation and Reporting, of course, depend on the nature of your
case. In most instances, searching and reporting can be completed in
less than 15 hours and the total analysis is usually less than $4500.00.
There is no reason that computer forensic analysis needs to disrupt any
business. Making an “image” of a computer system (even if several
computers are involved) can be done during non-business hours, at night,
or over a weekend. In many cases, the image is acquired in less than 5
or 6 hours.
Global Digital Forensics is able to help you determine if you have a case or not. Our "Quick Analysis" service
allows you to analyze your data for a “Flat fee” to see if incriminating
evidence is readily found.
GDF will forensically examine a hard drive and search for up to Ten (10)
keywords that you supply. We will then forward to you a report that
includes every instance of the keywords, whether it is in a deleted
file, e-mail message, viewed web page, Word document, or any other
active or deleted file that resides on the hard drive. This initial
step will help determine if you have a case and if further examination
is warranted.
“Quick Analysis” includes: hard drive analysis of active files, deleted
files, hidden files, e-mail, documents, etc.
PROCESS:
1. The suspect hard drive is received and logged.
2. A proper chain-of-custody log is created.
3. The suspect drive is forensically duplicated (imaged) using court-accepted procedures.
4. The original evidence is properly stored in compliance with court-approved procedures.
5. GDF interviews the principal to gather the facts of the case, clear objectives, and a case-specific plan for discovery that is quick and effective.
6. GDF’s Certified Investigators search the entire hard drive for up to Ten (10) keywords provided by the principal.
7. All keyword occurrences are documented in a written Report.
8. GDF’s assigned lead investigator forwards the complete Report to the principal.
9. GDF’s Investigator explains the findings to the principal and awaits further disposition.
10. The written report will help in identifying any evidence or indicators to determine further disposition.
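The logging, imaging and keyword-search steps of that process can be shown in code. The Python below is an added example written for this page, not GDF's code or the page's own: it hashes the source and the copy so the image is provably identical before anyone analyzes it, keeps an append-only chain-of-custody log keyed by case code, and runs a case-insensitive search for a capped list of keywords over the raw image bytes rather than through a file listing, so a hit in a deleted e-mail fragment is reported next to a hit in an active document. The drive contents, the case code CASE-0001, the handler names and the keyword list are all constructed.

```python
"""
Verified acquisition, chain-of-custody log and bounded keyword report.

Added example, not GDF's code or the page's own.  The drive contents, the case
code, the handler names and the keywords are constructed; the ten-keyword cap
mirrors the Quick Analysis description.
"""
import hashlib
import re
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(source):
    """Bit-for-bit copy of the source bytes, hashed before and after.

    On a real drive the source is read through a write blocker; here the
    'drive' is a byte string.  A hash mismatch means the copy must not be used
    as evidence.
    """
    image = bytes(source)
    record = {"source_sha256": sha256_hex(source), "image_sha256": sha256_hex(image)}
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return image, record


class CustodyLog:
    """Append-only record of who handled an item, when, and what it hashed to."""

    def __init__(self, case_code):
        self.case_code = case_code
        self.entries = []

    def record(self, action, handler, item_sha256, when=None):
        entry = {
            "case": self.case_code,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": item_sha256,
        }
        self.entries.append(entry)
        return entry

    def still_intact(self, data):
        """True if the item still hashes to what the most recent entry recorded."""
        return bool(self.entries) and sha256_hex(data) == self.entries[-1]["sha256"]


def keyword_report(image, keywords, max_keywords=10, context=12):
    """Case-insensitive search of the whole image: live, slack and unallocated alike.

    Returns {keyword: [(offset, bytes around the hit), ...]}.
    """
    if len(keywords) > max_keywords:
        raise ValueError(f"at most {max_keywords} keywords")
    report = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        report[kw] = [(m.start(), image[max(0, m.start() - context):m.end() + context])
                      for m in pattern.finditer(image)]
    return report


def run_quick_analysis():
    # Constructed 'drive': an active document, zeroed gaps and a deleted e-mail fragment.
    drive = (b"report.docx: Q3 numbers attached\x00" * 2
             + b"\x00" * 32
             + b"From: jdoe@example.com\nSubject: wire transfer to offshore account\n"
             + b"\x00" * 32)
    image, acq = acquire_image(drive)
    log = CustodyLog("CASE-0001")  # constructed case code
    log.record("received drive", "intake clerk (constructed)", acq["source_sha256"])
    log.record("imaged drive", "examiner A (constructed)", acq["image_sha256"])
    hits = keyword_report(image, ["wire transfer", "offshore", "Q3"])
    return acq, log, hits


if __name__ == "__main__":
    acq, log, hits = run_quick_analysis()
    print("image verified:", acq["verified"])
    for kw, found in hits.items():
        print(f"{kw!r}: {len(found)} hit(s) at offsets {[off for off, _ in found]}")
```

The custody log stores the hash with every entry, so still_intact() lets a later handler confirm that the item they received is the one the previous entry describes; any edit to the image changes the hash and the check fails.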
There is no reason that computer forensic analysis needs to disrupt any
business. Obtaining an “Image” of a computer system (even if several
computers are involved) can be done during non-business hours, at night,
or over a weekend. In many cases, the image is acquired in less than 3-5
hours.
Q.
I often hear that as an attorney I may be liable for malpractice if I
don't consider Computer Evidence. How realistic is this?
A. It is well documented in the media that computer
or digital evidence has been the "smoking gun" in many high profile
cases. With the majority of new information in businesses of all
sizes being created and stored on computer systems of all sizes, it is
indisputable that digital evidence, be it documents, databases or the
omnipresent e-mail, should be considered a primary source of evidence.
While malpractice is a harsh word, it certainly is not in any client's
best interest to ignore potentially relevant sources of evidence,
including computer evidence.
Q.
I think that a computer in my organization may contain important
evidence, what do I do now?
A.
STOP using the Computer; any use of this
computer may DAMAGE and Taint any evidence. If the suspected computer
is turned off, leave it off.
If the computer is on, DO NOT go through a normal “Shut Down” process... Call
GDF for Immediate Instructions.
Do not allow the internal IT staff to conduct a preliminary investigation.
First, all you have is information and data; there is no evidence.
Unless your IT staff is certified in Computer Forensics and trained (and
very few are) on evidentiary procedures, they have not maintained chain
of custody or followed other accepted evidence techniques. Second, even
if proper evidence handling techniques have been used, the collection
process itself has altered, and likely tainted, the data collected. By
opening, printing, and saving files, the meta-data has been irrevocably
changed. Third, turning on the computer changes caches, temporary files,
and slack file space which, along with the alteration of the meta-data,
may have seriously damaged or destroyed any evidence that was on the
computer.
Depending on the damage done by the internal IT staff, a skilled
computer forensics vendor may be able to salvage the damaged evidence.
This, however, can be an arduous and time-consuming process which often
costs several times more than the original analysis would have cost.
Nevertheless, it is not always possible to restore evidence, especially
meta-data timelines, from computers that have been mishandled. A good
rule of thumb is to always use a certified external vendor for computer
evidence collection.
Keep a Detailed Log of who had access, what was done and where the computer has been stored
since the dates in question.
When the hard drive is removed and sent to GDF for a Forensic Examination, make sure to document
the date and time in the system and note whether it differs from the
current time.
Secure the computer
Be prepared for litigation
Computer forensics may be an unknown and mysterious discipline to many,
but it is easy to avoid the most common procedural mistakes. Only use
a certified computer forensics expert and do not rely on the internal IT
staff for computer forensics investigations. If there is a 20% chance
that evidence from a suspected computer system will be needed, have GDF
do a “Quick Analysis” and forensically collect the evidence
and complete a report.
See GDF Quick Analysis Service
Q.
How can I ship my Computer/Hard Drive to GDF for a Computer Forensics
Investigation?
A.
Please, before you do anything, call for complete instructions. GDF
recommends that you have the disc drive(s) removed by an experienced
computer technician and shipped to us. GDF will talk you through the
process. We can also provide on-site acquisition service at your
locations for an additional cost.
Please do not ship anything to us without contacting us in advance and
obtaining a Case Code. The Case Code must be written on the shipping
label. We will direct you to the closest available and quickest lab for
you.
Disc drives are static sensitive so we recommend that the drive(s) be
placed in an antistatic bag and sealed. Wrap about 1/2-inch of solid
foam or bubble wrap around the disc and tape so all sides are sealed.
Make sure the contents will not bounce around in the box you use. DO NOT
USE 'PEANUTS' OR ANY STYROFOAM PACKING MATERIAL - THIS MATERIAL CREATES
STATIC ELECTRICITY!
New York ° Washington, DC ° Tampa ° Los
Angeles ° Chicago
Boston ° Miami ° Denver ° Albany ° San
Francisco ° Los Angeles
Phone 1-800-868-8189
phone 727-287-6000
FAX: 727-287-6011