Computer Forensics - How to Leverage Data Recovery for Use in Court

One of the first questions you can expect to be asked in the computer forensics field is: what exactly are you hoping to find on the hard drive?

It is actually a difficult question to answer accurately. The short answer would be “evidence”, but what that evidence is, exactly, varies from case to case. It might be something as simple as a few stolen documents on the suspect’s C: drive, or it might be something much more subtle, such as a login record showing the suspect was on the computer at a certain time on a certain day.

It is the same with crime scene forensics. What is the detective looking for exactly? It might be evidence like a thumbprint or a hair sample, something linking an individual to the crime scene, or it could be something that seems entirely unrelated. Many of us have seen the detective shows where the culprit is caught because he left behind a single thread of his shirt. Computer forensics is very similar in that every case will have a different definition of what constitutes a chain of evidence.

Of course, a slightly trickier question would be: What right do you have to access the suspect’s computer in the first place?

Really, it varies from state to state. As a general rule, company property is always subject to search and seizure, in any context. It belongs to the company, not the employee, so you can go ahead and inspect it and take a look any time you believe it is necessary to do so. If the computer belongs to the suspected employee, it is more complicated and you may not be allowed to look into it until criminal charges have been pressed or you’ve obtained some form of search warrant.

You may wish to look into the laws in your own state or province to know what you can and cannot do if you suspect computer fraud, but in any situation if you call a computer forensics expert they should know what they are allowed to do to obtain the relevant information. Even if, for example, it turns out that the hard drive is off limits, there may be other routes to take to collect evidence.

If you can access the hard drive, the computer forensics expert will generally make a bit-for-bit copy of the drive and write-protect it, so that the master copy he or she has created can be shown to match the original.
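As an added illustration of that copy-and-lock step (this is example code, not something from the original article): a Python script that images a constructed stand-in for a drive block by block, records the hash of the bytes read during acquisition, write-protects the image, and then re-verifies it, including the case where the image was altered afterwards. The function names, the sample data and the use of file permissions as the “lock” are assumptions of this example, standing in for a hardware write-blocker and a real imaging tool.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # copy and hash in fixed blocks so drive-sized inputs stream

def sha256_of_file(path):
    """Stream a file through SHA-256; works for multi-GB images."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image):
    """Bit-for-bit copy; the hash of the bytes read becomes the reference."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(chunk)
            dst.write(chunk)
    # "Lock" the image: clear write bits so later analysis cannot alter it.
    os.chmod(image, 0o444)
    return h.hexdigest()

def verify_image(image, reference_hash):
    """Re-hash the image independently and compare with the reference."""
    return sha256_of_file(image) == reference_hash

def demo():
    """Returns (verified_clean, verified_after_alteration)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect_disk.bin")
        image = os.path.join(d, "suspect_disk.dd")
        # Constructed stand-in for a drive: two 'files' padded with slack.
        with open(source, "wb") as f:
            f.write(b"memo.docx: quarterly figures\x00" * 300)
            f.write(b"deleted-but-still-present: client list\x00" * 200)
        ref = acquire_image(source, image)
        clean = verify_image(image, ref) and ref == sha256_of_file(source)
        # Simulate an alteration after acquisition: change a single byte.
        os.chmod(image, 0o600)
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        altered = verify_image(image, ref)
        return clean, altered

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The reference hash is what gets recorded in the chain-of-custody notes; any later change to the image, however small, makes the verification fail.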

One of the trickier parts of the job is proving who did what with the hard drive. It is very easy for the suspect to say, “I didn’t do that, the forensics technician placed that information there to implicate me”. Luckily, the system automatically keeps a record of what was added and when. Through passwords, login times and location records, it is then straightforward for a forensics expert to list the facts and say, “the information was accessed from the suspect’s home/office/…”.

Many computer fraudsters fall into the false comfort of believing that once you’ve deleted information from your hard drive, it’s gone forever. Not true. Nearly every file that goes in and out of a hard drive leaves some sort of artefact, some evidence that it was there. This could be a backup copy of a Word document, created by the computer just in case the original was accidentally deleted, or it could simply be a record of deleted documents. This will vary from case to case and from document to document, but there is almost always going to be some evidence that the document was originally stored there.

Setting aside crimes such as computer fraud and the like, computer forensics can also address much more pedestrian issues, such as making sure that your employees follow company policy. If, for example, productivity has notably declined among administrative staff and you’re wondering why, a computer forensics expert could pinpoint the cause, namely that a large number of your employees are spending time on Facebook on company time.

So basically, whatever your employee is doing on a computer, a computer forensics expert can make you privy to it. When analysed and organized by a forensics expert, this can prove vitally important in business or in a court of law.