Common Questions and Answers About Computer Forensics

When is the best time to contact a forensic company?
As soon as possible; Preservation of evidence is the key.


How do I remove a computer that is turned on?
Pull the Power Cord from the back of the computer; do not shut it down normally.  This will preserve the volatile data that would be lost once shutdown and/or rebooted.  Volatile data can include important information such as what documents were printed, clipboard contents, and data in memory.  The information may be critical to the evidence.


Can I just have an image taken of a device?
Yes, the service you need to Preservation Only.  Once the device is acquired, you are free to redeploy the machine back into the working environment.


Can’t my IT person or another employee look through the data?
Absolutely NOT, every time the drive is turned on and accessed, data is being deleted and/or overwritten.  Another question worth asking is “Do I feel comfortable putting that person on the witness stand instead of a forensic specialist?


What industries does Computer Forensics deal with?
Some of the main industries include Legal, Healthcare, Government, Transportation, High Tech, and Pharmaceutical.


An employee departs the company, a few weeks later or less, the company notices a drastic drop in sales and/or clients.
Forensic Specialists can acquire and analyze the hard drive for evidence of communications with the departed client about moving to the new company.  They can also determine if files such as client lists were copied to removable media and/or e-mailed through a corporate or web-based (personal) e-mail.


An employee was fired for lack of production; now he/she is saying that they were wrongfully terminated. 
Forensics Specialists can determine Internet History artifacts including deleted Internet History files and search for non-work related activity and provide a detailed report to the client.


An employee leaves the company and starts working for a competitor.  In a short amount of time, the competitor releases a new formula that your company was working on for months/years.
Forensic Specialists can determine if the employee “stole” the formula whether it be via a thumb drive, External Hard Drive, or e-mailed to a 3rd party or web-mail account.


What Is Computer Forensics?
Computer Forensics is the analysis of electronic data to ensure that electronic evidence is maintained so that critical data trails, time & date stamps, and an accurate Chain of Custody can be identified so that it may maintain its evidentiary status as part of the electronic evidence discovery process.  The main components in Computer Forensics are the Identification, Preservation, Extraction, and Presentation of electronic data. 


Why hire a computer forensics company or investigator?
First, you want to be sure your case isn’t spoiled due to technicalities like faulty and improper acquisition, tampering or poor handling and storage of evidence.

Second, if it is important enough to go to court it is important enough to have properly trained professionals handle your evidence so that it is admissible in court. Many states have very specific requirements regarding the acquisition, imaging and investigation of electronic evidence because it is so easy to tamper with. These states require that the forensic image is created by a state licensed PI. If this procedure is not handled properly your case can be dismissed before you even get a shot at presenting it.


How Can Computer Forensics Help Me?

Help determine which devices need acquired
Find the “Smoking Gun” in your case
Testify in Court as an expert witness
Provide strategies regarding the report findings
Can prove if the opposition is “guilty” of wrongdoing
Provide facts that are backed up by the forensic community


Who needs computer forensics
Law firms
Government agencies
Law enforcement agencies


What types of devices can forensic evidence be found on?

Palms, laptops, Blackberry phones, desktop computers, servers, flash drives, external hard drives and storage media, camera cards, servers, CD/DVD, Cell phones, Floppy Disks, Jaz Drives, Zip Drives, Tape Media


What Kinds of computer forensic investigations do you perform?

Corporate e-mail
Intellectual property disputes
Wrongful termination disputes
Malicious acts by terminated or disgruntled employee(s)
Employee activity (search for excessive personal browsing during work hours)
Divorce cases
Sexual harassment
Expert witness service
Litigation support
NIDA (non-invasive data acquisition)
Electronic investigation
Electronic records management
Insurance fraud cases
Stalking, hacking, illegal activities
Employee theft
Business fraud
Case examples
Trade and business secrets theft
Data recovery (for damaged drives)


What types of electronic data is considered evidence?
Webmail (Hotmail, Yahoo, AOL, etc)
Plain text and documents
Calendar files
Contact files
Digital faxes
Audio files
Video files
Computer applications
Viruses and spyware


What are the steps in a computer forensic investigation?
Open a case
Acquire the evidence
Create a forensic image
Index and catalogue the evidence
Analyze the data (evidence)
Save evidence to viewable drive
Create a report of findings
Provide you with the report and findings

What do I do if I suspect wrong doing or inappropriate activity?
Identify the suspect/employee and which devices they had access to including laptops, PCs, Servers, thumb/jump drives, etc.

If possible, remove all devices and secure starting a Chain of Custody including information such as User’s Name, Location of the device, Date/Time of removal, who removed the device, and where the device is stored. (By doing this, you are getting the best possible evidence and making sure that the evidence isn’t compromised.)

Preserve the evidence. Contact a Forensic Company to image the devices.  When imaging occurs, the device is hooked up to a writeblocker and a bit by bit image is created (exact copy of the drive) then verified to ensure that nothing has changed on the original drive. 


What do I do if I am facing an investigation?
Retain council
Comply with court orders and directives
Do not attempt to hide, delete or sabotage suspect computers, equipment or devices
Ask for a copy of the forensic image of the devices so you can perform your own investigation or verify the findings of the opposition
Ask for a copy of the investigators report and findings so you can prepare your defense or dispute the validity of findings
Have an outside computer forensic company or investigator review the report, findings and perform an investigation on your behalf to validate or refute findings


Do I pay for services if the evidence I am looking for is not found?
Yes, because like any legal services, you are asking for specific work to be performed on your behalf. You are hiring a computer forensic expert on an hourly basis to attempt to find the evidence you suspect is there so you can build and prove your case. If the suspected evidence is not on the computer(s) or device(s) you provide you still have options.
You can expand your search into other computers or devices. We have found that many times when evidence is not discovered on the initial devices there is often evidence or data trails connecting the original devices to others or even outside media. This usually occurs when the suspect deleted evidence after transferring it or sending it in correspondence to him or herself or an accomplice. If the investigation determines there are or were outside sources you can take these findings to the court and have those computers or devices siezed as evidence and have have an investigation performed on them to locate the evidence to support your case. this work in an

What is a chain of custody?
A Chain of Custody helps maintain evidentiary status by documenting who has been in contact with the “evidence”, When, where and why. It includes information such as User’s Name, Location of the device, Date/Time of removal, type of device, model and serial number, who removed the device, and where the device is stored. (By doing this, you are getting the best possible evidence and making sure that the evidence isn’t compromised.)


What do expert witness services provide?
An expert witness provides testimony, documentation and witness preparation to help present forensically discovered evidence in legal proceedings to help you prove and win your case. An expert witness is a leading defense, or offense – depending on which side of the litigation you are on.


What are the Federal Rules of Evidence?
The federal rules of evidence outline “what electronic evidence is”, how it is to be acquired, preserved and handled to be admissible as evidence. In 2006, the Federal Rules of Civil Procedure were amended and approved by the Supreme Court. Of specific interest are FRPC Rules 26, 34 and 45 dealing with depositions, discovery and subpoena.

What is the difference between Computer Forensics and E-Discovery?



Collects only Active Files

Acquires the entire device including Deleted Files

Returns an abundance of Files to the client

Analysis of the data is performed by forensic specialists using parameters given by the client and can determine what happened to the files

Need to hire reviewers to manually go through each document and determine if it is relevant to the case.

The client will get a detailed report of the findings from a forensics specialist

Need to hire an Expert Witness or have IT staff testify.

Offers Expert Witness Support

High Overall Cost

Costs less than e-Discovery




      • 80% of all corporate data is stored electronically and 95% of new data is stored electronically.

      • Any data that can be compiles into a viewable format, whether presented electronically or printed on paper, is potentially within the definition of a “document”.

      • With the increased usage and dependence on the Internet, for corporate and individual communication, electronic communication is now the standard and “paper” communication is the new exception.

      • Electronic documents may be considered obsolete by the business in terms of its current computer infrastructure, but may have archival value and be recoverable to a readable format by specialized forensic techniques.



To ask questions about starting a computer forensics investigation call