Computer Forensics FAQs


What is computer or digital forensics? 

Computer or Digital Forensics is scientific analysis, or an investigation in which data is closely examined to find out how, who, what, when, or why to recover data, troubleshoot computer systems, inspect them for unauthorized use or misuse, or to detect criminal activity.


Why is computer forensics important to my company? 

There is a very good chance that some day computer systems at your company will be affected by an incident. Whether that incident is external or internal attack, theft, accident, failure, or natural disaster, computer forensics can help you recover, fight back against, and prevent future incidents.  


What is electronic discovery? 

Electronic Discovery, also known as e-discovery, uses computer forensic methodologies to analyze and dissect electronic storage media in order to manufacture documents to be used in a court of law. These documents can be created or stored in many digital formats, common ones include: word processor documents, photographs, spreadsheets, email, text files, and many more. Only a Certified Computer Forensic Examiner with comprehensive computer understanding that is specially trained in evidence collection can track down and recover these documents in a way that is court acceptable.    


If I delete files on my computer, are they gone forever? 

No, some or all of the files can usually be recovered, but the more the computer is used after the deletion, the less chance there is of recovering those files. The best thing that you can do after the files have been deleted is to take your computer or portable storage media to a Certified Computer Forensic Examiner as soon as possible. 


What happens on my computer when I delete a file or folder? 

Imagine that a file on your computer is a book in an enormous library. Your computer needs a place to store your files and folders, which is typically on the computer’s hard drive. Library books also need a place to be stored, which is on shelves in a library. Books are found in a library by looking them up in a directory, which gives the location of the book on a shelf. You can then go find and use the book. When you delete a file on your computer what happens is the location of where to find the file or folder is removed from the computer’s directory (sort of speak). In a library, deleting the book from the directory does not remove the book off the shelf; it is not removed until another book takes its place. This is essentially the same on your computer, your file or folder is not removed until other data occupies it space (overwrites).   


I am thinking about selling or donating my computer, but I am worried about my data falling into the wrong hands, is there anything that I can do to protect myself? 

Yes, there is a procedure that can be completed to make your files much more difficult to be stolen or misused. This procedure should be used whenever a computer is to be retired, reused, donated, sold to another person, or disposed of. It is very important that the storage media be properly sanitized (erased) to ensure that important data does not fall into the wrong hands. To make sure that your important files are not easily recoverable, they need to be overwritten by other data. This is commonly referred to as “wiping” the storage media. I recommend the Department of Defense 5220.22-M section 8-301 Clearing and Sanitization standard, which overwrites your data 7 times. A common piece of software that can do this is the Disk Utility that comes with many modern Macintosh computers.  


An employee has left our company what steps can I take to ensure our data is protected?  

Sometimes when employees leave a company they feel like the company owes them something, or are upset if they were asked to leave and feel the work they did while at the company belongs to them. These feelings can turn into a computer forensic and legal matter when the employee attempts at stealing or sabotaging property before or after their final day. Here are some best practices that your company can do that will help defend against these kinds of attempts.

Prior to the employee’s last day, an audit of the employee’s permissions should be completed; to see exactly what systems the employee has access to, especially to make sure that there are no systems with administrative passwords that only he/she knows. Changing of administrative level passwords should be completed prior to the employees last day. On the employees last day, security should escort him/her out of the building without warning, to avoid theft or a possible incident as they are leaving. If it is going to be a firing, all of the employee’s access and permissions to all systems should be removed before notifying the individual. If it was a voluntarily quit, access and permissions to all systems should be removed as soon as the employee has left the building.

All appropriate personnel should be told that the person is not with the company anymore, excluding details, and that they should contact management if the ex-employee makes any attempts at communication. Vendors and customers that the employee worked with should also be notified of the employee’s release. The Information Technology department should have logging enabled on critical systems and they should be watching for unusual login/access attempts. Building security should also be informed of the employee’s release and should be closely watching for any attempts at re-entry. 

As for the ex-employee’s computers/laptops, the storage media (ex. hard drives, thumb drives, etc) should be forensically copied and the copies stored in a secure location, prior to the computers/laptops being wiped and reused. Another way would be to remove the storage media from the computers/laptops, securely store it, and put new sanitized media into the computer/laptops for reuse. These steps are important to protect the company in case the ex-employee files a lawsuit. Key evidence could be on the storage media that is critical to the case.  


What are some things I can do to prepare for litigation, in a case that involves or potentially involves electronic evidence?  

The first thing that you need to do is identify the scope of time that applies to the electronic evidence. The scope of time that applies to the electronic evidence can vary across jurisdictions but typically is when a reasonable person should believe that litigation may occur.  Certainly, if there is any notice that litigation may take place, such as a letter from an attorney, a threat to sue, or other action that would indicate litigation may occur, then there may be a legal obligation to not destroy any evidence; from the point in time that you thought that there could be a lawsuit. From that point forward you are in a litigation hold and must not destroy any evidence relevant to the case.

Next, you should identify the “key players” in your company whose evidence is relevant to the case and inform them immediately via email and in person of their duty to preserve written and electronic documentation. The managers/supervisors of the key players should also be informed of their employee’s duty to preserve. All automatic email or data storage deletion system attendants need to be deactivated for the key players and no backups of any kind, tape or hard drive, should be destroyed or overwritten. Backup tapes and drives need to be kept and accounted for.

After that, you should gather a copy of you current Data Retention Policy and a copy of your current Acceptable Use Policy. The important information that your Data Retention Policy should include is the amount of time that your company holds onto to your data and documents, including their backups. This document could explain why certain evidence that was relevant to the case was destroyed. The Acceptable Use Policy will outline how employees are allowed to use company computer equipment; specifically whether or not they are allowed to use removable storage media (thumbs drives, cd-roms, etc).


An incident has occurred at our company, my IT staff is very knowledgeable with technology. Do I really need a computer forensics expert? 

Many good intentioned information technology employees have attempted to do investigations themselves and end up destroying evidence or make it unacceptable in a court of law. They may think they are trying to help, but what they are really doing is stomping around a crime scene with muddy boots. Your local IT staff does have good knowledge in technology within their arena, but they have not had the education and training to handle and preserve evidence in a court approved manner with court acceptable tools and technology. 


Can data be recovered after a computer has been formatted? 

Formatting a computer is a common misconception that makes people believe that all their files are gone for good. This is not true.  A Computer Forensic Examiner can recover a large amount of data from a computer that has been formatted.