Computer Forensics: An Overview

By: Reese Kimmons, MS ISA


When you delete a document or file from your computer, it doesn’t just go away.  Your operating system merely marks the space the data occupied as being available for use again.  Until that space is overwritten, and sometimes even after it is, all or part of that “deleted” information may be recovered and reconstructed.  Computer forensics investigators specialize in retrieving data such as this using procedures that ensure the recovered information will be admissible as evidence in court should that become necessary.  Forensics specialists apply their skills to retrieve deleted, encrypted, hidden, lost, and protected files from personal computers, servers, storage devices, phones, and tablets.  In many cases, a forensics investigation can also reveal how the recovered data was used, the origin of that data, and how and with whom it was shared.  The evidence these investigations uncover often becomes the deciding factor in both civil and criminal proceedings.
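The recovery described above can be shown on a toy disk image. This is an added example, not part of the original article: the directory format, file name, and payload are constructed for illustration (real filesystems record deletion differently), and the carver locates the "deleted" file purely by its JPEG start and end signatures, then hashes it so the recovered copy can be verified later.

```python
import hashlib

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image signature


def build_image():
    """Constructed 4-sector 'disk': sector 0 is a toy directory, 1-3 hold data."""
    photo = JPEG_SOI + b"\xe0" + b"constructed sample payload" + JPEG_EOI
    directory = b"PHOTO.JPG|start=1|len=%d|state=LIVE" % len(photo)
    image = bytearray(SECTOR * 4)
    image[0:len(directory)] = directory
    image[SECTOR:SECTOR + len(photo)] = photo
    return image, photo


def delete_file(image):
    """Toy delete: flip the directory state only; the data sectors are untouched."""
    image[0:SECTOR] = bytes(image[0:SECTOR]).replace(b"state=LIVE", b"state=FREE")


def overwrite(image, offset, data):
    """Simulate the freed space being reused by a later write."""
    image[offset:offset + len(data)] = data


def carve_jpegs(image):
    """Scan raw bytes for JPEG signatures, ignoring the directory entirely."""
    raw, found, pos = bytes(image), [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        blob = raw[start:end + len(JPEG_EOI)]
        found.append((start, blob, hashlib.sha256(blob).hexdigest()))
        pos = end + len(JPEG_EOI)
    return found


if __name__ == "__main__":
    image, photo = build_image()
    delete_file(image)
    for offset, blob, digest in carve_jpegs(image):
        print(f"offset {offset}: {len(blob)} bytes, sha256 {digest}")
    overwrite(image, SECTOR, b"\x00" * 8)   # header destroyed, tail remains
    print("after overwrite:", len(carve_jpegs(image)), "carved")
```

After the overwrite the signature scan finds nothing, yet most of the payload bytes are still present in the image, which is the partial-recovery case the paragraph mentions.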


The process and the people


Forensics engineers must adhere to detailed policies and procedures regarding preparation of the systems they examine and how the evidence they retrieve will be handled.  These include processes for identifying and collecting the evidence, ensuring its authenticity, and maintaining chain of custody documentation.  Failure to follow these procedures can result in the evidence being excluded in court.


Once collected, the evidence is examined and evaluated using a variety of tools at the investigator’s disposal.  The investigator must document the processes used to examine the data.  Information that was tagged with a date of origin, includes a timestamp, or appears to have been intentionally hidden is often the most valuable.  Investigators record characteristics such as these in their reports.


Many forensics investigators possess industry certifications in the field, have advanced degrees relating to information security, and/or have a law enforcement background.


Computer forensics in the corporate environment


Common applications for computer forensics in the corporate environment include, but are certainly not limited to, cases involving fraud, intellectual property, sexual harassment, and corporate espionage.


As an example, if you work in the corporate world, you’ve probably been provided with notification that whatever you create on the company computer belongs to the company, even if it is personal in nature.  Computer forensics is being successfully utilized in cases wherein an employee claimed to be the owner of intellectual property and denied that it was actually created using company resources.  Even if the employee tries to hide or delete the evidence, an investigation will frequently yield the data necessary to prove that the employer is the owner of that disputed property.


In some cases, the conspicuous lack of evidence is evidence enough.  A computer forensics investigator was asked to review the records of a New York brokerage firm to look for evidence of criminal activity.  As it turned out, the brokerage firm’s IT personnel possessed the knowledge required to completely remove the pertinent files in a way that prevented the investigator from recovering them.  The investigator, although unable to produce the incriminating data, was able to report to the court that emails and other files that should have been stored on the company’s systems were no longer there and that they had been intentionally removed.  This was enough to cause the judge in the case to convict those involved in the cover-up, ruling that they had tampered with evidence in an effort to conceal their criminal activity.


High profile criminal cases


One of the more memorable cases wherein computer forensics investigations provided critical evidence was that of the BTK Killer.  In this cold case, police worked for three decades to locate the murderer of numerous women during a 16 year crime spree.  After 10 years without much progress, the killer made the mistake of sending police a floppy disk containing a Microsoft Word document.  Metadata recovered from that file by a forensics investigator led police to the killer within a matter of hours.  He later confessed to the murders.


In another case where computer forensics played a significant role, investigators found medical data on a doctor’s computer indicating he had authorized the administration of lethal levels of propofol to his patient, who subsequently died.  The doctor was Conrad Murray.  His patient was Michael Jackson.


In 2010, the wife of Baptist minister Matt Baker died from an apparent suicide.  She ingested an overdose of sleeping pills and left a suicide note, or so it seemed.  Although this appeared to most to be an open and shut case, investigators kept it open for four more years as they searched for, and examined, evidence.  A forensics investigation of Reverend Baker’s computer eventually revealed information leading to his conviction and a 65 year prison sentence for his wife’s murder.  The data recovered not only called his character into question, but also revealed that, shortly before his wife’s death, he had researched sleeping medications, overdoses, and pharmaceutical sites.




Evidence gathered during computer forensics investigations is used in divorce cases, murder trials, identity and intellectual property theft proceedings, fraud, forgery, tax evasion, and sex offense cases, to list only a few.  If a computer, tablet, phone, or storage device was utilized at any point during the planning or commission of an act that results in civil or criminal proceedings, a computer forensics investigation may yield key evidence needed by the court to render the appropriate decision.  Should you require the services of a computer forensics investigator, find one that has the experience, training, credentials, and tools necessary to provide quality results while following procedures to ensure the evidence they uncover is not tainted and is admissible in court.


By Miya Shay
Monday, November 16, 2015
HOUSTON (KTRK) — Anastasia and Dmitry Gudkov know all too well about threats and violence in their homeland.

“It’s a difficult situation in my homeland, Ukraine,” said Anastasia.

So when the attacks struck Paris, they were relieved to be in Texas.

“It could happen anywhere,” said Dmitry, “But we feel much safer here, than be in Europe, and Europe is much prone to terror attacks because so close to the Middle East.”

Rob Kimmons, a local security expert, says even though the security risk may be lower in the United States, it’s always important to be prepared.

“Put a plan in mind just as if you’re on an airplane, what you’re going to do, if something happens. Where are the exits, where are the security checkpoints,” said Kimmons.

Kimmons says it’s not a matter of if, but when, a terrorist attack will occur on US soil again. His advice, even for people who conceal and carry guns, is to always run from a threat first.

“Fleeing is the first option, hiding is the second, if you hide you need to be quiet, turn off the ringer.”

Meanwhile, the Harris County Sheriff’s Department says it is in constant communications with state and federal authorities, however there is no active credible threat.

“We have not yet identified any threats that would cause us to heighten our state of alert or readiness if you will. There’s an ongoing effort to maintain terrorist watch activities in the area,” said Sheriff Ron Hickman.


By Jessica Willey
Friday, April 08, 2016
HOUSTON (KTRK) — A Houston widow was swindled out of thousands of dollars by a man she met on Facebook.

The 74-year-old wants to remain anonymous because she’s embarrassed but she also wants to tell her story to warn others. There are hundreds of online dating scams and she is now a victim.

“She was actually the third (client). I had two others and they lost more,” said Rob Kimmons, a former Houston police officer turned private investigator. Even Kimmons is surprised by how rampant the scam is.

The woman says she got a friend request on Facebook from a man calling himself Brock Carl. They first communicated on Facebook. He would also comment on posts she had commented on and they had mutual friends, or so she thought.

“He was very carefully and very professionally insinuating himself into my life,” she said.

The two eventually started talking on the phone. It was three months before he asked for money saying it was for a business deal in India. He sent her a copy of what she thought was his passport. It earned her trust. By then, she also thought she was in love.

“He’s a fabulous actor.”

She sent him more than $60,000 in several wire transfers. None of it was real. After investigating, Kimmons believes the money went to Nigeria.

“If you’ve never met them and you’re talking on social media and they ask for money, stop it right there,” Kimmons said.

This victim has lived and learned.

“I hate it. I’m sorry I got sucked in, but I won’t lose another penny. I would assure you that.”