The following is a brief summary of the
capabilities of computer forensics. Knowing
what forensics can (and cannot) do can help you
decide whether or not to employ forensics.
For more information, please feel free to contact us
regarding your specific situation.
Evidence Preservation:
Perhaps the most important task of all is the initial
preservation of data. As you never get a second
chance to capture the original data, we advise that it is
best to 'image and hold'. You can always
decide that you don't need to use the images that were
captured. It is too late to decide to image a
drive that was left in operation for days, weeks, or
months without capturing that initial image.
User Activity: A timeline
can be created of user activity. This activity can
include internet history, email history, file deletion
history, login/logoff activity, program use activity,
and nearly everything else a computer user can do.
This information is obtained through intensive analysis
of the computer.
Deleted Files: Typically,
the majority of deleted files aren't actually deleted
and they can be retrieved with forensic utilities.
Along with the actual recovery of deleted files, the
dates and times of the deletion are also recoverable.
This activity can be very important given a timeline of
"who knew what, and when did they know it". The
intentional deletion of responsive files is disastrous for
a respondent in litigation. We can find
those files.
Internet and Email History:
For employees suspected of computer misuse, such as
inappropriate email and internet use, computer forensics
can recover that information, including the dates and times
viewed and the persons emailed, along with the attachments to
the emails. On occasion, we have shown that an
employee has spent the majority of time on the internet,
chat rooms, and email, with none of that time being
related to their duties.
Password Protected Files:
For files that have been password protected, we can employ
techniques to attempt to bypass the
passwords. This occurs in cases where someone may
password protect a damaging document and 'forget' the
password.
IP Theft: Computer
forensics processes can find where employees may have
emailed client lists, copied confidential files to CD-ROMs
or USB devices, or communicated with competitors
over email and webmail. We can show a timeline of
activity, activity that shows actions indicative of
theft and conspiracy, and put it together in a manner
that shows intention as well as the damage done to the
organization by those actions.
Electronic Discovery: We
have discovered that the best collection of ESI
(electronically stored information) is conducted by
those with a clear understanding of evidence procedures
coupled with the technical skills to gather that data in
a manner that exceeds any expectations of collection.
Although the actual act of data collection seems simple,
it is actually easy to collect data in a manner that
misses what you need (failure to produce), alters
the data collected (failure to preserve), or hands it
over to opposing counsel without review
(inadvertent disclosure). We suggest doing it
right the first time, as this will always be cheaper
than redoing it, cheaper than getting sanctioned in
court, and much cheaper than losing your case.