Corporate Investigator Answers Investigation

Computer Investigation (3)
Evidence

IT FORENSICS 3 - EVIDENCE FROM COMPUTERS & LAPTOPS

Evidence will be most often found in files that are stored on hard drives, whether internal or external. Files may, of course, have been deleted and will need running of sophisticated recovery programmes. Dates and time of creation can be of vital importance, as can modification dates, deletion dates etc. Temporary back up files, web cache , address books etc may be re-created with application

Areas for consideration include:

User Created Files: May contain evidence of relevant activity, e.g. address books and database files that can prove associations with persons external or internal, or undisclosed communication. Images can be rebuilt even if deleted, as can video or scanned documents. Such files may be in the form of:

  • Address books
  • Email files
  • Images
  • Text Documents e.g. Word
  • Internet Browser bookmarks
  • Databse Files
  • Spreadsheets
  • Audio & Video files & links
  • User Protected Files: A user may encrypt or password-protect important data, or hide files on a hard disk, within other files, or attempt to hide incriminating data under an innocent sounding name. User Protected files may be in the form of:

  • Compressed or Zipped Files
  • Renamed or misnamed files
  • Encrypted files
  • Password Protected Files
  • Messages written in a manner that only writer and recipient can understand
  • Hidden Files
  • Computer Generated Files: Evidence may also be found in files and data areas that are created routinely by Operating Systems - something of which the user is often not aware. Password recovery is often achievable through recovery and examination. Some file components hold evidentiary value such as time and date creation/ modification / deletion / access; even turning the machine on may alter some of this information e.g. the last time a PC was booted may be of importance. Data may be retrieved from:

  • File backups
  • Dates, times, passwords
  • Deleted Files
  • Hidden Partitions
  • Lost clusters
  • Boot records
  • Other partitions
  • If in doubt - don't touch ! Never attempt to recover data or explore data from a computer without the necessary skills - this may affect the integrity of a chain of evidence to your later cost. When working with units our first move will be to clone the unit and conduct our work from the clone without booting the machine. By all means, however, take evidential photographs

    Computer forensics is a generic name describing forensic analysis and reporting of computer or IT media. As well as the hard drive(s) this may include USB drives, MP3/4's, external drives etc. While most cases involve Windows Operating Systems we can also apply the same principles to Mac OS and Linux. Never make the error of believing that when you hit the delete key the information is gone - there is a high possibility deleted data may be recovered in it's entirety

    We apply Computer forensics in investigation for many reasons including:

  • Misuse of company information by employee or ex-employee
  • Internal theft or fraud
  • Analysis of email and deleted files
  • Pornography and/or illegal downloads
  • Data Recovery
  • Paedophilia
  • Substance Abuse / dealing
  • Internet Misuse
  • Theft of Intellectual Property (e.g. databases)
  • Private Investigator
    Alphabetical Site Index

    "searching the world for answers"

    Copyright © F.L.I.P. Ltd 1995-2016 ·

    Site Map