CSI Computer Forensics – Real Cases From Burgess Forensics #12 – Case of the Computer That Got Lost

The stories are true; the names and places have been changed to protect the potentially guilty.

A few years ago, Debby Johnson, an attorney from a large firm based in Kansas City, contacted me about a relatively simple matter. I was to travel to offices in Sacramento from my San Francisco-area labs, copy a computer's disk drive, and locate emails sent by the petitioner to his brothers and sisters, of which he had nine. The case was a product liability suit for an amount in the tens of millions of dollars. The plaintiff claimed that his health had been damaged by an international firm's defective product, although he was symptom-free at the moment. What was the product? Let's say it was coffee.

From the cool Bay Area in summer, I traveled to downtown Sacramento, where it was a balmy 106 degrees. I knew I was sweating, but inside I was cool. I wondered if someone else would be in hot water soon.

It is not unusual for me to never meet my client, for computers can be shipped to me at my lab, but Debby was there in the law offices of the plaintiff's attorney. In an oak-paneled conference room we met with counsel for “the other side” and with the plaintiff himself. He sat smugly with his shiny computer on the conference table, friendly enough in spite of his contentment that I would never find the offending emails he had allegedly sent years before. My client believed that this fellow had sent emails to his siblings that would disprove his contention – that would show him to be making up a case to snag a cool few tens of millions.

I removed the hard disk from our man's system to make a forensic copy to work with and analyze. I was surprised to find that the hard disk was 100GB in size. A drive of that capacity was fairly new and unusual to see in a case this soon after it had come on the market. I was prepared for a much smaller disk drive, as I had been told I'd be seeing one about 20% the size. Fortunately, there was an electronics superstore nearby, so I doffed my suit jacket, cranked up the air conditioning on my minivan / lab wagon (that beauty just turned over 200,000 miles on the day I'm writing this), and headed on over for a bit of new gear. Forty-five minutes and a bit of melted rubber later I arrived back at the scene to forensically clean the new disk drive by writing letters to every sector.

Once the drive was cleared to my satisfaction, I set up the copy process. In those days, while I was partial to Diskology's Disk Jockey, the version I had then did not seem to be able to handle what was such a large drive for the time. I probably used Byte Back on a forensic Intel box I had just in case. I began the copy process and it went without a hitch. But while the copy was proceeding, I began to wonder – wasn't this a pretty big drive to have been around at the time of the claimed emails? And for that matter, this computer was not very fast for its age. And did Windows XP really come on the market before these emails were supposed to have been written? I was beginning to suspect that the game was rigged, and that I never would find the deleted emails on that computer.
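The wipe-then-copy sequence described above, as an added example that is not from the original article and is not the tooling the author used (Disk Jockey, Byte Back): it overwrites a target with a known pattern, verifies every sector, copies the source, then checks by hash and by leftover pattern that the target holds the evidence and nothing else. The file names, the `W` wipe byte and the small constructed images standing in for real drives are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512
WIPE_BYTE = b"W"  # assumed pattern; the article only says "letters"


def wipe(path, pattern=WIPE_BYTE):
    """Overwrite every sector of an existing target file with the wipe pattern."""
    size = os.path.getsize(path)  # image file stand-in; a raw device needs its own size query
    if size % SECTOR:
        raise ValueError("target size is not a whole number of sectors")
    block = pattern * SECTOR
    with open(path, "r+b") as target:
        for _ in range(size // SECTOR):
            target.write(block)
        target.flush()
        os.fsync(target.fileno())


def dirty_sectors(path, start=0, pattern=WIPE_BYTE):
    """Return sector numbers at or after byte offset `start` that are not pure pattern."""
    if start % SECTOR:
        raise ValueError("start must be sector-aligned")
    block = pattern * SECTOR
    dirty = []
    with open(path, "rb") as target:
        target.seek(start)
        number = start // SECTOR
        while sector := target.read(SECTOR):
            if sector != block:
                dirty.append(number)
            number += 1
    return dirty


def image(source_path, target_path):
    """Copy source onto the start of the target; return (sha256 of bytes read, byte count)."""
    if os.path.getsize(source_path) > os.path.getsize(target_path):
        raise ValueError("target is smaller than source")
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(target_path, "r+b") as dst:
        while chunk := src.read(64 * SECTOR):
            digest.update(chunk)  # hash what was read, not what we hope was written
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return digest.hexdigest(), copied


def hash_region(path, length):
    """SHA-256 of the first `length` bytes of a file, read back independently."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = length
        while remaining:
            chunk = f.read(min(64 * SECTOR, remaining))
            if not chunk:
                raise ValueError("file shorter than requested region")
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def demo():
    """Run wipe, verify, copy, verify on constructed images and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.img")  # hypothetical name
        target = os.path.join(tmp, "target.img")    # hypothetical name
        with open(source, "wb") as f:               # constructed 8-sector "evidence"
            f.write(bytes(range(256)) * 16)
        with open(target, "wb") as f:               # constructed 16-sector target with stale data
            f.write(b"old case data..." * 512)

        stale = len(dirty_sectors(target))
        wipe(target)
        clean = dirty_sectors(target) == []
        source_hash, copied = image(source, target)
        return {
            "stale_sectors_before_wipe": stale,
            "clean_after_wipe": clean,
            "bytes_copied": copied,
            "source_sha256": source_hash,
            "copy_sha256": hash_region(target, copied),
            # Anything past the copy that is not wipe pattern would be contamination.
            "residue_after_copy": dirty_sectors(target, start=copied),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the target is larger than the source, as it was in the story, the sectors beyond the copy should still read back as pure wipe pattern; any other content there would have come from the target's earlier use rather than from the evidence.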

I discussed the matter with Debby. I guessed that the claimant was right about the task being futile – because I guessed that the offending emails were never on this computer. I said I'd be willing to look for them, but I did not want to waste my client's cash. Debby asked me to look into the matter of the components' age when I got back to HQ. A few inquiries with the manufacturer and a couple of Google searches later, I was pretty well convinced that the fellow had never written those emails on this computer. Windows XP was almost too new, the disk drive was a couple of weeks too modern, and the computer was a month or two younger than those emails.

Debby called opposing counsel – who had no idea why this might not be the original system … until he checked with his man. Turns out he had “set it on the curb for trash pickup” because it was not working. The attorneys were not happy. The court was not happy. The only solution was for me to go to the nine brothers and sisters in four states to copy their personal computers and sift through those for the offending emails.

Do you think they were happy to hear from me? Would you be if your brother put you on the spot like that? Each of them had to agree that a perfect stranger – one who was working against their beloved brother – could come into their homes and look through everything on their personal computers. The most telling example of their displeasure was from one brother, a former Vietnam-era Green Beret, who – in response to my phone call asking when there would be a good time to show up – said “I did not spend two years marching up and down the God**m Ho Chi Minh Trail for this s**t!” I understood.

It turns out that opposing counsel had never gotten around to telling this group that a computer forensics guy would be calling them and they needed to cooperate. I found that out when I told Debby of the righteous resistance I had come up against. She straightened it out with counsel and the next set of phone calls I made to the sibs was a lot more congenial.

The next several days, traveling from state to state, town to town, brother to sister to brother and on and on to copy the private data of nine innocent family members had its challenges. But that's a story unto itself … I'll spare you most of the details. Upon my return, the protocol called for me to search all of the data for any correspondence from – let's call him “The Brother” – that mentioned his struggles with … we're calling it Coffee. I was then to print out the references I found, and send a copy both to the judge and to opposing counsel for privilege and relevance review. Debby and her firm were not to get a look at the data until anything either private or irrelevant had been taken out, and only the remainder produced.

What did I find? Around the time of the claimed emails, lo and behold, I found actual emails. The whole family was talking about The Brother's struggle with Coffee, their individual investigations into Coffee, and the upcoming lawsuit about Coffee. At one point, one email pointed out that this guy Burgess was going to be looking into everyone's email, and wouldn't it make sense not to talk about Coffee? They agreed. They now spoke only of … “the C-Word.”

What else did I find when I performed my electronic discovery and digital forensic analysis? Well, for the most part, I just cannot talk about it. There are some things on your computer you would not want me talking about, I'm sure. There are things on my computer I would not want me talking about either! E-discovery often has to be a pretty private process.

But there was one particularly interesting finding. When I called the Green Beret Brother (GBB) from his sister's place across town, and asked for permission to head on over to make the copy of his computer, he obligingly told me it was okay. When I got there, he first asked me to read and sign a statement that I would not hold him liable for any damage to me or my equipment – unintentional or otherwise. Well, that was a little scary coming from a guy trained in the arts of stealth, war, and undoubtedly the garrote. But as the paper did not seem like a legal document, I signed it, if that was what would get me in to do my work. He was pleasant enough, the music he had on was good, and the copy went without a hitch. And I left alive and undamaged – a plus, indeed!

Once in my lab, I discovered the last thing that had happened on his computer. About one minute after my phone call for permission to go over, GBB had sent himself an email and then immediately deleted it. The subject, all in caps, was “COFFEE!” No “C-Word” fooling around for him. The message in the body was simple and succinct: “If you find this email, F*** YOU!!!!!” It's nice when a person knows how he feels and is able to express it freely. There was also a deleted photograph attached to the deleted email. Upon recovering same, it turned out to be a very recent photo of an extended middle finger – presumably GBB's finger. Visual aids are always helpful in understanding the subject matter, don't you think?

In the end, I produced about 75 pages of documentation I thought relevant. Of course, I had to include GBB's missive. As expected, opposing counsel called everything irrelevant or privileged. Also as expected, the judge allowed all of the documents I had produced – with a number of lines redacted – to be delivered to my client. Everyone's favorite was the literate bit produced by GBB.

As for The Brother – the court decided that not only was he not very honest, due to the destruction of the most important data in the case – his original computer – but the evidence and the relevant emails showed him to be apparently undamaged by the Coffee. The case went to defeat, Debby and her firm were happy, and GBB became a legend.

This is just one of the many “CSI * – Computer Forensics Files: Real Cases from Burgess Forensics”. Stay tuned for more stories of deceit uncovered by computer forensics.

* The Free Dictionary lists more than 160 definitions for CSI at acronyms.thefreedictionary.com. We choose Computer Scene Investigation.

Improving Awareness of Computer Forensics Services

Given the situation, there have been some attempts on the part of the government to spread awareness of computer crime, but not on a mass scale. It will be possible to spread awareness of computer forensics only after consciousness about computer crimes increases. The attempt should be two-pronged: to dissipate ignorance and to clear misconceptions. There is no point talking of what comes after the crime to people who do not even know what a crime is. This makes life much harder for computer forensics specialists, as they have to deal with clients who get the evidence tampered with and covered up without any idea of what they are doing. Online crimes have shaken the UK repeatedly during the past three years, but most home users still do not update their antivirus software. Very few companies have security measures in place and, in the absence of a comprehensive and forceful application of data protection laws, they will probably continue being callous, bringing down a lot of misery on themselves and their clients.

Government Enterprise

Below is a list of government concerns that deal with computer crimes:

  • The local police force: According to the Home Office, all computer crimes should first be lodged with the local police force, who should be equipped either to deal with it, or pass it on to the appropriate higher authority.
  • SOCA: Serious and Organized Crime Agency is the body to which the former computer crime investigative wing, National High Tech Crime Unit (NHTCU) now belongs.
  • CEOP: Child Exploitation and Online Protection Center attempts to capture online child sexual exploiters and spread awareness among children. They even have an offline campaign.
  • CESG: Communications Electronics Security Group is in charge of IT and communications safety for UK government agencies, including the armed forces.
  • NISCC: National Infrastructure Security Coordination Center works on risk reduction for and safe information sharing among government departments.
  • Others: The home office has a computer crime policy team and the DTI conducts the aforesaid survey; the cabinet has the Central Sponsor for Information Assurance who are running the public awareness campaigns like Get Safe Online, and IT safe.

Computer Forensics and Corporate Houses – the Pros and Cons

With so many bodies to report to, how many computer crimes actually get reported every year by corporate houses? Unfortunately, we can only see the tip of the iceberg so far. Most companies are scared to report as they fear public backlash, media firing, client dispersal, and some gleeful comments from rival groups. Just like crime, justice too travels very fast on the internet, and the clients may come to know of the fiasco sooner than the company expects. This has happened to several gigantic concerns in the recent past, and it is hoped that all other companies will learn from their folly. Companies are scared of calling in data recovery professionals as they fear for the safety of their data in the hands of the rescuers, and much the same reason is given when it comes to forensics experts too. One can always take the extra precaution of choosing a really reliable company and paying them well enough where high volumes of data have been compromised, and the trail is getting colder every second. It is the duty of a business house to locate and employ proper investigators when so many other people's labors are at stake, and they have to find a way to do it.

An Introduction to Computer Forensics

Computer Forensics is the process of investigating electronic devices or computer media for the purpose of discovering and analyzing available, deleted, or “hidden” information that may serve as useful evidence in supporting both claims and defenses of a legal matter. It can also be helpful when data have been accidentally deleted or lost due to hardware failure.

This is a very old technique, but it has changed a lot because of technological advances and modern tools and software that make it much easier for Computer Forensic Experts to find and restore more evidence / data faster and with more accuracy.

Computer forensics has changed the way digital evidence is collected and used as evidence of a crime, and it is done using advanced techniques and technologies. A computer forensic expert uses these techniques to discover evidence from an electronic storage device for a possible crime. The data can be from any kind of electronic device or source, such as pen drives, disks, tapes, handhelds, PDAs, memory sticks, emails, logs, and hidden or deleted files.

Most of us think that deleting a file or history will remove it completely from the hard disk drive. In reality, it only removes the file from the location, but the actual file still remains on your computer. It is easier to track what has been done on your computer but difficult to say by whom, though it is possible to alter or delete the data completely from your storage device. How well the data can be found and restored without any loss or change depends on the computer forensic expert's skills.

Computer forensics gained attention during the Enron scandal, widely believed to be the largest computer forensics investigation ever. Nowadays Computer Forensics & Electronic discovery is becoming a standard part of litigation of all types, especially large litigations involving corporate matters in which there are large amounts of data.

Computer forensics can be used to uncover a fraud, unauthorized use of a computer, or violation of company policies, and to provide record keeping, by tracking e-mails, chat history, files, tapes, sites people browse or any other form of electronic communications.

Data security is one of the largest issues that the corporate world is facing now. By publishing the company's internet policies and the consequences for violations, and having employees sign compliance documents, businesses can begin monitoring their own computer systems to avoid legal consequences in future. Making employees aware that monitoring software and Computer forensics personnel are available could prevent workers from wrongdoing.

With the use of computers in everyday life and the increasing amount of hi-tech crime, Computer forensics is a growing niche in the litigation support sector. Unlike many jobs in the information technology sector, chances are that computer forensics services will not be outsourced to other countries, because the confidentiality of the data will not allow it to travel just to save a little cash.

Computer Forensics Who Is Better Qualified

What is computer forensics? Having worked in the field of Computer Crime and Forensic Investigation for over 12 years, it is a question that is quite often asked.

The clinical definition of computer forensics is the analysis of a computer system for the recovery of evidence that is currently on the system or has been intentionally deleted from a system to hide relevant facts to a specific case. Child porn, adultery and other types of crimes

As an investigative tool, computer forensics has become a valuable asset, considering almost 70% of all written communications have started or been sent through the use of a computer. That also means most of the evidence needed for a case is also located on that same system.

What does a good forensic investigator need to know?

1) A masterful knowledge of computer hardware and software

2) A thorough knowledge of the different operating systems that are currently in use today

3) Techniques used to hide information within the file structure

4) A working knowledge of at least 3 different forensic recovery tools.
(No one tool is right for every case)

5) The ability to create a well laid out report so that the information is easily understood by laymen that may be reviewing the report.

There are a lot of individuals that claim that they are computer forensics investigators. It has been my experience that nothing could be further from the truth. Quite often any investigator that can turn on a computer proclaims himself a computer investigator without any real knowledge of a computer whatsoever.

As evidence of this, multiple states have required computer forensic investigators to be licensed as private investigators. This practice just adds fuel to the fire of incompetence. A forensic investigator's job is simply to recover the information needed for a case and turn it over to an investigator to proceed with the investigation. The forensic investigator's job is not to investigate the case. This makes as much sense as asking the local Wal Mart photo employee to be a licensed investigator to develop film for an investigator that is also part of the case not the investigation.

Computer forensics is a valuable tool when done by a professional in the field of computer forensics, not the jack of all trades or the Private Investigator that has his hands full just doing investigations. I ask you this simple question: the next time you need your broken arm set, would you have your dentist do it for you? After all, they are both doctors.

I am sure reading this you can see how ridiculous this sounds. No less ridiculous is it to have an investigator pass himself off as a computer forensic investigator.

If we are not careful, the effort to force a forensic investigator to be licensed will instead encourage already licensed investigators to take a stab at it, eventually causing the demise of this valuable investigative tool.

John L. Snider

Director of Investigations SPI

Computer Forensics Helping Katrina Homeowner Litigation

On Aug. 29, 2005, hurricane Katrina destroyed thousands of homes on the Gulf Coast. When homeowners were finally allowed to return to their homes and saw the damage, they began the process of working with their insurers to file their claim and start over. What they were faced with were claim denials for their homeowner policies.

Zach Scruggs, one of many attorneys involved in litigation against these insurers, said Forensic turned over the e-mails as part of the pretrial discovery litigation. Homeowners who were suing State Farm Insurance for Hurricane Katrina claim coverage had accused the insurer of pressuring their engineers to modify reports regarding the hurricane-damaged property so that policyholders' claims could be denied.

Recently obtained internal e-mails from an engineering firm that helped State Farm adjust claims are helping lawyers litigate their claims because of the evidence they have obtained with E-Discovery and Computer Forensics. Some of these e-mails are conversations between the Forensic president and CEO Robert Kochan and Randy Down, the firm's vice president of engineering services. One particular e-mail says the firm will continue working with State Farm, but discusses the need to “redo the word” of a report after a complaint by Alexis King, a State Farm Manager in Mississippi, so “such that the conclusions are better supported.”

Alexis King did not want local engineers to inspect properties because they were “too emotionally involved” and were “working very hard to find justifications to call it wind damage when the facts only show water induced damage,” according to an e-mail. Through e-mail, Randy Down questioned State Farm's motives and the ethics of the insurer telling the firm what to put in the reports.

All of this information would have gone unnoticed if it was not for the field of Computer Forensics. Computer forensics has quickly become a vital tool and source of information for criminal investigators, corporate counsel, and attorneys. Computer forensics investigators use their skills to identify and restore formatted, corrupt, deleted or hidden files from computers or other electronic media while maintaining critical data paths, time & date stamps and accurate chain of custody & controls. They also obtain access to protected or encrypted data by using specialized software.

Computer Forensics And Forensics Data Recovery

CONDUCTING THE SEARCH AND / OR SEIZURE is an important part of Computer Forensics. If the search is not done properly, you will not be able to enter the evidence in the case. The following is an outline.

Secure the Scene.

Assign a safety officer to manage the scene. Preserve the area for potential fingerprints.
Leave computers in the state found. Document how they were found with photographs and written documentation. Immediately restrict access to the computer(s).
Isolate them from phone lines (because data on the computer can be accessed remotely).

Identify which machines are stand-alone and which are network based. If the computer is network based, then some of the data might reside on another machine. Below is a rule we follow when collecting evidence:

o On / Off Rule for Forensics data recovery and evidence gathering.

o If the device is “ON”, do NOT turn it “OFF”.

o Turning it “OFF” could activate lockout feature.

o Write down all information on display (photograph if possible).

o Power down prior to transport (take any power supply cords present).

o If the device is “OFF”, leave it “OFF”.

o Turning it on could alter evidence on device (same as computers).

o Upon seizure get it to an expert as soon as possible or contact local service provider.

o Make every effort to locate any instruction manuals pertaining to the device.

One of the key elements in every data forensics procedure is time. Users may unintentionally or inadvertently overwrite evidence simply by continuing to complete their daily tasks. Collecting and preserving data or evidence that may have been deleted or become inaccessible through normal computing methods is an important consideration. Determining beforehand what information needs to be collected is critical to a case's success or failure.

Nation’s First National Computer Forensics Institute will be Located in Alabama

Computer forensics is becoming more mainstream in litigation and with the amendments to the Federal Rules of Civil Procedure on 12-1-2006, more cases will utilize these rules. With the expected increase in demand for qualified and trained law enforcement professionals, the first computer forensics institute has been announced and will be located in Hoover, Alabama. Construction of the facility is expected to begin by mid-April of 2007, with construction completed by January of 2008. Training is expected to begin in July 2007.

“With the ever-increasing precedent of cyber crimes such as identity theft, computer hacking and online child pornography, it is absolutely essential that we equip our law enforcement personnel with the best training and equipment available,” said Governor Riley. “This center will make Alabama the nation's leader in training our local, state and federal law enforcement to combat high-tech crimes.”

The Center is being funded through a cooperative effort by the US Department of Homeland Security, the US Secret Service, and state, county, and local governments. The State of Alabama is contributing approximately $3 million to the Center, to be used for build-up expenses. The US Department of Homeland Security is providing an additional $9 million, and the US Secret Service is providing 18 full-time agents to help staff the Center.

US Secret Service agents will teach computer forensics and digital evidence to national, state and local law enforcement at the Center. These agents are in the field and understand the curriculum from a law enforcement perspective. It will include high-tech classrooms, a computer forensic lab, and public education exhibit space.

The Center is expected to train more than 900 law enforcement professionals each year.

What is a Computer Forensics Expert Witness?

What is an Expert Witness in the field of Computer Forensics? The most simple answer is a person who goes to court to testify regarding the accuracy and findings from the computer forensics service. In a nutshell, that is it. However, there is a lot more to being an Expert Witness in the field of Computer Forensics and E-Discovery.

With the increased usage and dependence on the Internet – for corporate and individual communication – electronic communication is now the standard and 'paper' communication is the new exception.

  • 80% of all corporate data is stored electronically
  • 95% of new data is stored electronically (approximately 80% of this information stays in electronic format).

As a result, in almost every legal matter, critical and relevant evidence will be stored electronically. Proper collection and examination of this evidence is critical to avoid spoliation, to preserve the evidence, and to manage cost.

Expert witness work is a specialized and rapidly growing field of investigation within Computer Forensics and E-Discovery. As such, these individuals are a leading defense, or indemnity, depending on which side of the litigation you are on, up corporate America's sleeve against cyber crimes and in prosecuting 'hackers'. An Expert Witness service typically works closely with a Computer Forensics investigator, or sometimes has the credentials and experience of both.

Computer Forensic investigators uncover the depth of a security breach, recover data that has been corrupted or intentionally deleted, identify how a 'hacker' got past the security checks and, if fortunate enough, identify the individual who caused the damage. The term 'hacker' can refer to an individual on the Internet, an employee, or a spouse looking to steal or destroy data.

Expert witness service provides testimony, documentation and witness preparation to help present discovered electronic data in legal proceedings to help you prove and win your case.

Should your company, or yourself, need the service of an Expert Witness for a case dealing with Computer Forensics and E-Discovery, make sure that the computers which could be involved in the case are secured from use and contact a Computer Forensics service to discuss your situation.

Changes to the Federal Rules of Civil Procedure – Computer Forensics and E-Discovery

On December 1, 2006, many amendments to the Federal Rules of Civil Procedure went into effect. There are three rules specifically that affect Computer Forensics and E-Discovery which need to be considered when building a case for your client, as well as protecting your client's rights.

Most companies fail to realize the following two points:

  • Any data that can be compiled into viewable form, whether presented electronically or printed on paper, is potentially within the definition of “document”.
  • Electronic documents may be considered obsolete by the business in terms of its current computer infrastructure, but may have archival value and be recoverable to a readable format by specialized forensic techniques.

FRCP – Rule 26 (LII 2007 ed.)

With the new law regarding E-Discovery now in place, Rule 26a1 changes are very important.

At the first sign that litigation is coming, a company must use their Litigation Hold procedures and not wait for the courts to act. The problem is most companies do not have these procedures in place, nor do these companies know that litigation holds must start this early in the process.

Of course, in order to have Litigation Hold Procedures, a company must have a retention policy and know where its data is stored, and that data must be easily accessible.

Rule 26. General Provisions Governing Discovery; Duty of Disclosure

Except in categories of proceedings specified in Rule 26 (a) (1) (E), or to the extent otherwise mandated or directed by order, a party must, without awaiting a discovery request, provide to other parties:

(A) the name and, if known, the address and telephone number of each individual likely to have discoverable information that the disclosing party may use to support its claims or defenses, unless solely for impeachment, identifying the subjects of the information;

(B) a copy of, or a description by category and location of, all documents, electronically stored information, and tangible things that are in the possession, custody, or control of the party and that the disclosing party may use to support its claims or defenses, unless solely for impeachment.

FRCP – Rule 34 (LII 2007 ed.)

With the new law concerning E-Discovery now in place, Rule 34 identifies new procedures regarding the production of documents and electronic data for litigation.

Rule 34. Production of Documents and Things and Entry Upon Land for Inspection and Other Purposes

(a) Scope.

Any party may serve on any other party a request (1) to produce and permit the party making the request, or someone acting on the requestor's behalf, to inspect, copy, test, or sample any designated documents or electronically stored information – including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained – translated, if necessary, by the respondent into reasonably usable form, or to inspect, copy, test or sample any designated things which constitute or contain matters within the scope of Rule 26 (b) and which are in the possession, custody or control of the party upon which the request is served; or (2) to permit entry upon designated land or other property in the possession or control of the party upon which the request is served for the purpose of inspection and measuring, surveying, photography, testing, or sampling the property or any designated object or operation thereon, within the scope of Rule 26 (b).

FRCP – Rule 45 (LII 2007 ed.)

With the new law regarding E-Discovery now in place, Rule 45 identifies new procedures to follow when your company is subpoenaed.

Rule 45. Subpoena

(d) Duties in Responding to Subpoena.

(1) (A) A person responding to a subpoena to produce documents shall produce them as they are kept in the usual course of business or shall organize and label them to correspond with the categories in the claim.

(1) (B) If a subpoena does not specify the form or forms for producing electronically stored information, a person responding to a subpoena must produce the information in a form or forms in which the person ordinarily maintains it or in a form or forms that are reasonably usable.

(1) (C) A person responding to a subpoena need not produce the same electronically stored information in more than one form.

(1) (D) A person responding to a subpoena need not provide discovery of electronically stored information from sources that the person identifies as not reasonably accessible due to undue burden or cost. On motion to compel discovery or to quash, the person from whom discovery is sought must show that the information sought is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26 (b) (2) (C). The court may specify conditions for the discovery.

These are just snippets of the rules and your attorney or corporate counsel should have access to the entire Federal Rules of Civil Procedure Amendments document. It is important to consider these rules when planning to use a Computer Forensics Investigator or E-Discovery service.

What is Computer Forensics?

It is the end of the day and it has been discovered that several critical files are missing from your file server. That alone is normally enough to freak out most server administrators, but this specific incident also happened to be on the exact same day a particular employee was 'terminated'. As you recall, that individual had access to the missing data, but as far as you know, she did not seem like the type of person to do something malicious. Then again, you noticed she seemed pretty upset as she was clearing out her desk that day too. You begin to wonder if there is a connection between the two, and if so, how you would collect the necessary information to present to your manager.

No, you are not imagining a scene from CSI or Court TV. This situation happens daily in real life and may have happened, or could happen, at the company you work for. Remember Enron?

What is Computer Forensics?

Computer forensics, sometimes known as “Digital Forensics” or “Electronic Evidence Discovery”, is often described as “the preservation, recovery and analysis of information stored on computers or other electronic media”.

Computer forensics has quickly become a vital tool and source of information for criminal investigators, corporate counsel, and attorneys. Computer forensics investigators use their skills to identify and restore formatted, corrupt, deleted or hidden files from computers or other electronic media while maintaining critical data paths, time & date stamps and an accurate chain of custody & controls. They also obtain access to protected or encrypted data by using specialized software.

In addition, with the increased usage of and dependence on the Internet for corporate and individual communication, computer forensic investigators are equipped to analyze emails, Internet searches, file transfers, online account transactions and anything else a computer is used to do over the Internet.

How do they do it?

Computer forensic investigators typically focus on 4 areas when investigating a potential incident. There are other areas of attention as well, including illicit and damaging activities that could damage your company's reputation, but the following are the most common.

Saved Files

These are files that can be viewed on the computer. This is usually a non-intrusive task to obtain these files.

Deleted Files

These files are just that … deleted. They are either in the 'trash' or require special software to 'capture and restore' the files. This is usually a non-intrusive task to obtain these files.

Temporary Files

These files are typically generated by, for example, browsing the Internet, working on a document, some types of back-up software and certain software installations. Identifying these requires specialized software and is an intrusive process.

Meta Data

This information is typically associated with the details of a file or document, such as the date the file was created, modified and last accessed. Additional information that could be captured includes the original creator of the file (of course, that information depends on the original installation of the application) as well as anyone who has ever accessed the file. Identifying these requires specialized software and may or may not be an intrusive process.
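To illustrate the metadata area above, and why capturing it can be intrusive, here is an added Python example (not from the original article). It records a file's timestamps and a SHA-256 hash, then reports whether the examiner's own read changed the access time; the function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def _iso(ns):
    """Nanosecond epoch timestamp -> ISO 8601 UTC string (whole seconds)."""
    return datetime.fromtimestamp(ns // 10**9, tz=timezone.utc).isoformat()


def metadata_record(path):
    """Capture timestamps with stat() BEFORE reading content, then hash."""
    before = os.stat(path)            # reads file-system metadata only
    digest = hashlib.sha256()
    with open(path, "rb") as fh:      # opened read-only; never written to
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    after = os.stat(path)
    return {
        "path": os.path.abspath(path),
        "size": before.st_size,
        "modified": _iso(before.st_mtime_ns),
        "accessed": _iso(before.st_atime_ns),
        # st_ctime: metadata change time on Unix, creation time on Windows
        "changed_or_created": _iso(before.st_ctime_ns),
        "sha256": digest.hexdigest(),
        # True when the examiner's own read updated the access time
        "atime_altered_by_read": after.st_atime_ns != before.st_atime_ns,
    }


def build_sample():
    """Constructed sample file with known content and a fixed modified time."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed sample evidence\n")
    os.utime(path, (1136073600, 1136073600))   # 2006-01-01T00:00:00Z
    return path


if __name__ == "__main__":
    sample = build_sample()
    try:
        for key, value in metadata_record(sample).items():
            print(f"{key}: {value}")
    finally:
        os.remove(sample)
```

Whether the access time changes depends on the operating system and mount options, which is one reason examiners work from a forensic copy rather than the original media.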

What would a Computer Forensics Service be used for?

There are several possible uses for this type of service. The most common applications of computer forensics are as follows:

  • Divorce Cases
  • Electronic Investigation
  • Expert Witness Service
  • Corporate E-mail Investigation
  • Litigation Support
  • Intellectual Property Disputes
  • Investigation and Discovery Litigation Programs
  • Insurance Fraud Cases
  • Corporate Investigations
  • Corporate Counsel Support
  • Electronic Records Management

There are many reasons why you, or your company, may require the service of a computer forensics investigator. If you suspect that you may have an incident requiring computer forensic service, or electronic evidence discovery & analysis, you should secure the computer from further use and contact an experienced computer forensics service company.