directions | email us >
computer forensic labs logo computer forensic labs





LEGAL INFORMATION

Accepted guidelines for forensic analysis:

  1. A forensic examiner is impartial. Our job is to analyze the media and report our findings with no presumption of guilt or innocence.
  2. The media used in forensic examinations must be sterilized (zeroed) before each use.
  3. A true image (sector by sector) of the original media must be made and used for the analysis.
  4. The integrity of the original media must be maintained throughout the entire investigation.

Evidence that attorneys are not aware even exists is often found during this process. Also, timelines of computer usage can help in crafting deposition questions and in targeting witnesses for interview.

Employees typically 'delete' incriminating and/or sensitive computer files but the information may still exist in slack space on the computer’s hard drive. This computer data may linger for months or even years and it can be recovered and documented using computer forensic methods and techniques.

Many times, computers are reissued when employees leave. Continued use of the computer may destroy the incriminating evidence that can be used against a former disgruntled employee. Also, continued use of the computer may raise questions as to who created the incriminating evidence and when. To prevent these problems and to preserve potentially valuable information, we recommend following a strict chain of custody and shut down the subject computer.

We recommend that you DO NOT attempt to search for the evidence yourself because this will change important date/ time stamps as well as user information, thus, possibly obstructing the investigation.

In most cases, verify the origin of E-mail and other types of computer network-based communications.

Identify techniques employed by the sender to mask or hide who actually sent the E-mail message.

Provide consultation and guidance for the generation of subpoenas for use in compelling the production of relevant evidence by Internet Service Providers that can be used to identify the person who sent the E-mail message.

Our primary job is to preserve the computer evidence and to transport the computer to a safe location where a complete bit stream backup of all stored data areas can be made. You also want to insure that the computer system can be reconfigured to match the configuration in which it was found. For this purpose, it is wise to take pictures of the complete computer system from all angles. Wires should be marked such that they can be easily reconnected. Also, the computer should be clearly marked as evidence and stored out of reach of inquiring co-workers. Chain of custody is as relevant when it comes to computers as any other form of evidence.

Law enforcement agencies have come under scrutiny regarding evidence issues. For this reason, it is important for the computer investigator to document everything, as they will be testifying in court.

Every effort must be made to show that no one could have made changes to the information contained on a computer system. Without such assurances, countless hours of processing effort may prove to be wasted time and the case may be lost at trial.

For data recovery services, please visit Data Recovery Link at www.datarecoverylink.com/

computer forensic footer

Phone: 303-500-7200 | Copyright 2012 Computer Forensic Labs, Inc.