Computer Forensics: An Overview

By: Reese Kimmons, MS ISA

When you delete a document or file from your computer, it doesn’t just go away.  Your operating system merely marks the space the data occupied as being available for use again.  Until that space is overwritten, and sometimes even after it is, all or part of that “deleted” information may be recovered and reconstructed.  Computer forensics investigators specialize in retrieving data such as this using procedures that ensure the recovered information will be admissible as evidence in court should that become necessary.  Forensics specialists apply their skills to retrieve deleted, encrypted, hidden, lost, and protected files from personal computers, servers, storage devices, phones, and tablets.  In many cases, a forensics investigation can also reveal how the recovered data was used, the origin of that data, and how and with whom it was shared.  The evidence these investigations uncover often becomes the deciding factor in both civil and criminal proceedings.

The process and the people

Forensics engineers must adhere to detailed policies and procedures regarding preparation of the systems they examine and how the evidence they retrieve will be handled.  These include processes for identifying and collecting the evidence, ensuring its authenticity, and maintaining chain of custody documentation.  Failure to follow these procedures can result in the evidence being excluded in court.

Once collected, the evidence is examined and evaluated using a variety of tools at the investigator’s disposal.  The investigator must document the processes used to examine the data.  Information that was tagged with a date of origin, includes a timestamp, or appears to have been intentionally hidden is often the most valuable.  Investigators record characteristics such as these in their reports.

Many forensics investigators possess industry certifications in the field, have advanced degrees relating to information security, and/or have a law enforcement background.

Computer forensics in the corporate environment

Common applications for computer forensics in the corporate environment include, but are certainly not limited to, cases involving fraud, intellectual property, sexual harassment, and corporate espionage.

As an example, if you work in the corporate world, you’ve probably been provided with notification that whatever you create on the company computer belongs to the company, even if it is personal in nature.  Computer forensics is being successfully utilized in cases wherein an employee claimed to be the owner of intellectual property and denied that it was actually created using company resources.  Even if the employee tries to hide or delete the evidence, an investigation will frequently yield the data necessary to prove that the employer is the owner of that disputed property.

In some cases, the conspicuous lack of evidence is evidence enough.  A computer forensics investigator was asked to review the records of a New York brokerage firm to look for evidence of criminal activity.  As it turned out, the brokerage firm’s IT personnel possessed the knowledge required to completely remove the pertinent files in a way that prevented the investigator from recovering them.  The investigator, although unable to produce the incriminating data, was able to report to the court that emails and other files that should have been stored on the company’s systems were no longer there and that they had been intentionally removed.  This was enough to cause the judge in the case to convict those involved in the cover-up, ruling that they had tampered with evidence in an effort to conceal their criminal activity.

High profile criminal cases

One of the more memorable cases wherein computer forensics investigations provided critical evidence was that of the BTK Killer.  In this cold case, police worked for three decades to locate the murderer of numerous women during a 16 year crime spree.  After 10 years without much progress, the killer made the mistake of sending police a floppy disk containing a Microsoft Word document.  Metadata recovered from that file by a forensics investigator led police to the killer within a matter of hours.  He later confessed to the murders.

In another case where computer forensics played a significant role, investigators found medical data on a doctor’s computer indicating he had authorized the administration of lethal levels of propocol to his patient, who subsequently died.  The doctor was Conrad Murray.  His patient was Michael Jackson.

In 2010, the wife of Baptist minister Matt Baker died from an apparent suicide.  She ingested an overdose of sleeping pills and left a suicide note, or so it seemed.  Although this appeared to most to be an open and shut case, investigators kept it open for four more years as they searched for, and examined, evidence.  A forensics investigation of Reverend Baker’s computer eventually revealed information leading to his conviction and a 65 year prison sentence for his wife’s murder.  The data recovered not only called his character into question, but also revealed that, shortly before his wife’s death, he had researched sleeping medications, overdoses, and pharmaceutical sites.

Summary

Evidence gathered during computer forensics investigations is used in divorce cases, murder trials, identity and intellectual property theft proceedings, fraud, forgery, tax evasion, and sex offense cases, to list only a few.  If a computer, tablet, phone, or storage device was utilized at any point during the planning or commission of an act that results in civil or criminal proceedings, a computer forensics investigation may yield key evidence needed by the court to render the appropriate decision.  Should you require the services of a computer forensics investigator, find one that has the experience, training, credentials, and tools necessary to provide quality results while following procedures to ensure the evidence they uncover is not tainted and is admissible in court.