Computer Forensics News - Kroll Ontrack UK - articles related to computer forensics, computer investigations, digital forensics and all computer relat


Electronic Evidence Newsletters


COMPUTER FORENSICS

... but he was such a nice guy!!
Alex Comyn, Client Manager - Ontrack Forensics, UK Region

When an employee is suspected of fraud, IP theft, or needs to be investigated for some other reason, it often comes as a complete surprise to many of his closest colleagues. A relationship of trust has been built up, possibly over many years, which can lead to crimes going unsuspected. In situations such as these the in-house investigator is faced with a number of dilemmas:

  • Digital evidence is volatile and needs to be secured as soon as possible;
  • How to gain access to the suspect's PC, digital storage and media with the minimum of disruption to the surrounding workforce;
  • Is anyone else involved? Will any overt action alert them and jeopardise the case or allow them to delete evidence?
  • If you are going to prosecute or even submit to a tribunal, how should the evidence be gathered?

The more high profile the suspect is, the more complex these issues become; in cases involving Directors and board members it can often be a challenge even to identify whom to trust. Without access to highly trained in-house computer forensic experts an organisation will typically turn to the IT department for initial assistance. While this may seem timely and beneficial, it is often a path to evidence destruction. Simply by ‘having a quick look’, critical evidence can be irreparably altered. Before any action is taken, the internal team must consider the following:

  1. No action taken should change data held on a computer or storage media which may subsequently be relied upon in court;
  2. In exceptional circumstances, where it is necessary to access original data held on a “live” system, the person doing so must be competent to do so and be able to give evidence explaining what was done and why;
  3. A complete record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

In any investigation of electronic evidence the emphasis must be on evidential integrity and security. Computer forensic practices maintain this integrity by gathering, analysing and preserving the data in an authentic, accurate and complete form. This ensures it is acceptable as evidence in a court of law.

In observing this priority it is necessary to adhere to stringent guidelines. Such guidelines do not encompass the taking of 'shortcuts', and the forensic practitioner accepts that time must be expended in order to maintain the highest standards of work. This is a difficult concept to relay as the organisation wants the evidence found and presented quickly, but the practitioner, knowing that he may have to testify in court, has to take time to check and double check every tiny detail of his findings.

Before contacting a specialist the internal investigator should consider the following questions:

  • Where is the suspect’s machine located?
  • Is this the only machine that he/she has access to?
  • Does anyone else have access to this machine?
  • What type of operating system is running?
  • Is there likely to be any encryption present?
  • Where are the suspect’s shared file areas?
  • What email systems does he/she have access to?
  • Is web mail (Hotmail, Yahoo, etc.) available?
  • Can machine access times be corroborated with CCTV or card access logs?
  • Is there a computer usage policy in place and how robust is it?

As data continues to proliferate through a myriad of electronic sources it is very likely that the investigation will need to deal with a PC (desktop or laptop), PDA, mobile phone, memory sticks, CDs, DVD, email, servers and so on. Given the pervasiveness of computers in our lives, it is almost inevitable there is a link between crime and computers. As personal computer use has exploded, so too has the number of people willing to use computers to commit wrongdoing. As a result, almost any type of investigation and litigation today may rely on electronic evidence.

Computer Forensics is a minefield for the enthusiastic and unwary but also the most likely place to find evidence in the current digital age. The volatility of data and the speed at which it is created or destroyed require that this digital evidence be dealt with effectively and expeditiously.

