Computer forensic evidence trackers

The simple definition of computer forensics is a technological, systematic inspection of a computer system and its contents for evidence, or supporting evidence, of a crime or other computer use under investigation. Computer forensics requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end-users or system support personnel. One definition is analogous to "Electronic Evidentiary Recovery, known also as e-discovery, requires the proper tools and knowledge to meet the Court's criteria, whereas Computer Forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence." Another is "a process to answer questions about digital states and events". This process often involves investigating computer systems to determine whether they are or have been used for criminal, civil or unauthorized activities. Mostly, computer forensics experts investigate data storage devices; these include, but are not limited to, hard drives and portable data devices (USB drives, external drives, Micro Drives and many more). Computer forensics experts:

  1. Identify sources of documentary or other digital evidence.
  2. Preserve the evidence.
  3. Analyze the evidence.
  4. Present the findings.



Computer forensics is done in a fashion that adheres to the standards of evidence that are admissible in a court of law. Thus, computer forensics must be techno-legal in nature rather than purely technical or purely legal. Refer to Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations for the US Department of Justice requirements for computer forensics and electronic evidence processing.


Electronic evidence can be collected from a variety of sources. Within a company's network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected from three parts of an offender's network: at the workstation of the offender, on the server accessed by the offender, and on the network that connects the two. Investigators can therefore use three different sources to confirm the data's origin.

Like any other piece of evidence used in a case, the information generated as the result of a computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect's files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps. There are a handful of cardinal rules that are used to ensure that the evidence is not destroyed or compromised:

  1. Handle the original evidence as little as possible to avoid changing the data.
  2. Establish and maintain the chain of custody.
  3. Document everything done.
  4. Never exceed personal knowledge.

If such steps are not followed the original data may be changed, ruined or become tainted, and so any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are:

  1. The time that business operations are inconvenienced.
  2. How sensitive information which is unintentionally discovered will be handled.

In any investigation in which the owner of the digital evidence has not given consent to have his or her media examined, as in most criminal cases, special care must be taken to ensure that you as the forensic specialist have legal authority to seize, image, and examine each device. Besides having the case thrown out of court, the examiner may find him or herself on the wrong end of a hefty civil lawsuit. As a general rule, if you aren't sure about a specific piece of media, do not examine it. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Some of the most valuable information obtained in the course of a forensic examination will come from the computer users themselves. In accordance with applicable laws, statutes, organizational policies, and other applicable regulations, an interview of the computer user can often yield invaluable information regarding the system configuration, applications, and, most important, the software or hardware encryption methodology and keys utilized with the computer. Forensic analysis can become exponentially easier when analysts have the passphrase(s) utilized by the user to open encrypted files or containers used on the local computer system, or on systems mapped to the local computer through a local network or the internet.



Hiring A Computer Forensic Expert

Common Pitfalls In Hiring A Computer Forensics Investigator

Some of the more common pitfalls that an attorney can encounter when hiring a computer forensics expert or other professional are easy to avoid and may save your case. Here are a few to keep in mind:

Waiting Until The Last Minute.

Although, when pressed, a computer forensics expert can often get the job done and be ready for a deposition or trial in two or three days, more often than not problems can arise that will preclude us from doing the best that we can for you. Sooner is always better than later for a number of reasons. The best computer forensic investigator for the job may be booked up; he or she may also have personal scheduling conflicts; they may need to travel to get the job done, and costs for that travel will obviously be higher; some experts charge more for rush assignments; the information that the computer forensics expert retrieves may yield far more places to look for other supporting evidence, but you are out of time; etc., etc., etc.

Hiring The First Computer Forensic Expert Who Tells You What You Want To Hear.

There are many experts to choose from, but few are the right ones for your assignment. As with any business person, the forensic computer investigator knows how to sell her or his services. Computer forensics can be very complicated work, particularly in a network environment. If the answers seem too simple, move on. Be careful that they are the right expert and not just an expert with the right answers. Some important questions to ask include: Are they licensed private investigators or simply some guy with forensic software? (The latter knows how to run a search program but has little or no understanding of investigations and how to get you everything.) What is their history in court? Who else do they work for? These and many more questions should be asked before a decision is made.

Hiring From The Low Cost Drawer

The lowest cost computer forensic expert is likely to make the worst expert. The reality about this work is that those who are truly qualified to help your client cannot offer their services for $2,000.00. Given the time, energy and resources needed to do even the simplest computer forensics, it is not possible to run a profitable computer forensics practice and charge rates that low. If the expert is a good one, they will know that they are worth more. True experts do not "discount" their fees.

Give Your Expert Inadequate Information

Providing your computer forensics expert with all of the information they need to conduct a complete, accurate and thorough investigation is a must; anything less, despite the excuse, will certainly put your client's case at risk. If for some reason you do not have access to everything you need, let your forensics expert know ahead of time. With the current case law extending your privilege to your private investigator, it may make more sense to have the computer investigators work directly with the client. One of the worst things you can do is hide information from your expert just because it doesn't support your theory. When aware of everything, the computer forensics investigator can be prepared and honest without accidentally taking you down the wrong path.

Create An Off-The-Wall Theory And Ask The Computer Forensic Investigator To Back It Up

Not only are most of our findings very black and white, we are experts and labeled as such for a reason. It is unlikely that any reputable expert will agree to endorse something unorthodox or illicit. We undergo extensive training not only to become experts but also in investigative ethics. If we tell you that your theory is not supportable, please respect our expertise. Once we give you the evidence found on a hard drive or other storage media, you can form a defensible legal theory that will work.