***********************************************************************
Forensic Strategy Data Recovery Newsletter
Vol. 1, Issue 1
***********************************************************************
--------- EDITOR'S NOTE -----------------------------------------------
The intent of this newsletter is to educate and inform attorneys about basic computer forensics for cases that involve personal computers or computer evidence. Utilizing the services of a computer forensics specialist can eliminate problems that often occur when forensics is of significant importance to a case: timing, the handling of the data and the possibility of evidence being destroyed.
-------- IN THIS ISSUE: -----------------------------------------------
1. COMMENTARY - Computer Forensics 101: What is Computer Forensics?
2. SPONSOR - Varidev Technology Solutions
3. UPCOMING NEWSLETTER ISSUES - Items you can look forward to in future issues!
4. CONTACT US - For more information on Forensic Strategy Services.
-----------------------------------------------------------------------
1. ==== COMMENTARY ====
* COMPUTER FORENSICS 101: What is Computer Forensics?
By: Scott Moulton, Computer Forensic Specialist
mailto:scott@forensicfirm.com
Forensics, as it relates to computers and data, is the collection and preservation of data to investigate or establish facts for any type of legal purpose. For each case, the evidence can comprise many different types of material and can be gathered from dozens of sources. Information can be limited to what exists on a hard drive, or it may also include data from the Internet, tapes, CDs, disks or printouts made by a specific computer.
Computer forensics is an emerging specialty that has no defined criteria. This makes it difficult to find a person with the knowledge, experience and skills needed to be an expert in this area. Colleges are beginning to recognize this as a growing field and are adding degrees and certification programs to their curriculum.
With the speed at which the computer industry changes, it is often a struggle for the legal profession to keep up with all of the new laws established to convict criminals who use technology as a weapon. It is equally challenging to locate a knowledgeable computer specialist who has the interest, expertise and skills in fields other than computer science. Consequently, a computer forensic specialist who has skills in other disciplines, such as accounting and/or law, will deliver better results, meaning more useful and credible evidence for you.
Methodologies are a set of processes that can be applied to any situation. While the tools or items used to lay the groundwork for the discovery phase may vary, the methodology remains the same. Some of these methods are still being developed in the area of computer forensics. Changes are frequent because of new laws that govern the way processes are completed. Other changes are due to ever-evolving technology and the ability to completely remove two or three processes with new software or hardware.
Qualified computer forensic specialists will spend considerable time staying in front of the new technology curve. It takes an extreme amount of work to keep up with the changes in the computing industry, as well as issues involving the law. This is the type of expertise you should seek for assistance with cases requiring computer forensics.
Most lawyers have little knowledge about computers and will need guidance as a case develops. They will continually need to discuss the case with a computer forensic specialist and review new material even when it seems unnecessary. When dealing with computers and data, the process of understanding what is achievable and what isn't requires an advanced understanding of technology generally not found outside the professional computer security community. Not only must the computer forensic specialist assist the attorney with what can be done, but they must also stand as a credible witness under the pressure and scrutiny of cross-examination.
During the discovery phase of a case, being a forensic computer specialist can be compared to being a private investigator, except that the subject matter is mainly computers and electronic data. Discovery often involves several passes at the data. As new facts are revealed about the case, the old data will need to be reviewed to see what has been discovered and how it is applicable to the case. In some cases, knowing what happened is more important than the actual data itself.
Example #1: In a divorce case, a court order was given to the husband with instructions not to delete or destroy any data. The computer was to be picked up by a forensic investigator and reviewed for evidence per the court order. The husband promptly went home and deleted everything on the computer he thought would be incriminating. After examining the computer, it was proven that he purposely deleted data after the court order. Since he violated the court order, this case could have easily escalated into more than just a divorce case for the husband. When the opposing attorney confronted the husband with this fact, the husband quickly decided to settle out of court and agreed to his soon-to-be ex-wife's demands.
Example #2: The majority of work is often discovering how to look at the information and display it so that it makes sense to laymen. This also includes educating the attorney about the technical details so they can decide how to approach the case. It is of no value if the information is so complex that it cannot be explained clearly.
In a recent case, a CD was stolen from a company. During the discovery period of the case, the defendant was ordered to make an EXACT copy of the original CD and deliver it to the plaintiff the same day.
It was noted that one of the files had been changed on the CD. On the CD there were several files that amounted to 500 megabytes. This brand of CD was only able to hold 650 megabytes. The specific file in question was a 200 megabyte file.
The defendant's claim was that the CD was a CDRW (ReWritable CD) and that the file changed while viewing the CD. In this instance, the changed file could not overwrite the existing file, but would be appended to the CD. As there were only 150 megabytes left, there was not enough space to append a 200 megabyte file. The defendant would have needed another 50 megabytes in order to make a change to the file on the same CD. Therefore, this was not an exact copy of the same CD that was taken.
Only a computer specialist with experience with a ReWritable CD would have realized this was not possible. The opposing attorney initially accepted the explanation; however, the computer specialist on the team revealed that evidence had been tampered with.
More examples and experiences will be discussed in future issues. If you are interested and would like to continue to receive our newsletter, please see our website to sign up for a FREE subscription at: http://www.forensicstrategy.com/contacts.asp
-----------------------------------------------------------------------
-------- Sponsored by Varidev Technology Solutions --------------------
Varidev Technology Solutions can develop solutions to help your business operate more efficiently. Varidev is your complete business technology resource for front-end and back-end database development using Microsoft .NET Technology. Varidev has made operations much more efficient for companies like Six Flags and Georgia Pacific, and they can do it for you. Check out amazing demos at http://www.varidev.com
-----------------------------------------------------------------------
3. ==== UPCOMING NEWSLETTER ISSUES ====
* What items are usually found in data recovered
* Equipment used for Forensic Storage of Data
* Details of Forensic Data Gathering
4. ==== CONTACT US ====
* TECHNICAL QUESTIONS: mailto:info@forensicstrategy.com
* COMMENTS OR QUESTIONS ABOUT THIS NEWSLETTER:
To suggest a topic for a future issue or to send a comment to the editor email: mailto:comments@forensicstrategy.com
* WEBSITE: http://www.forensicstrategy.com
* MAILING ADDRESS/PHONE/FAX:
Forensic Strategy Services, LLC.
601B Industrial Court
Woodstock, Georgia 30189
ph: 770.926.5588
fax: 770.926.7089
* WOULD YOUR COMPANY LIKE TO SPONSOR A FORENSIC STRATEGY DATA RECOVERY NEWSLETTER? Send us an email at mailto:sponsor@forensicstrategy.com
-----------------------------------------------------------------------
To receive the latest information about forensic computer technology and news SUBSCRIBE to our FREE email newsletter: http://www.forensicstrategy.com/contacts.asp
Thank you for reading The Forensic Strategy Data Recovery Newsletter.
__________________________________________________________ Forensic Strategy Services, LLC. 2003