Carney Forensics began offering computer forensics services back in 2008 by investing in tools with enhanced, powerful capabilities. They have changed the game in settlement conferences and the courtroom for attorneys like you.
Computer Forensics Breakthroughs
Most important of the many recent technological breakthroughs has been the integration of computers, phones, and cloud evidence together in the same digital forensic data set or container. Combining the evidence sources into one corpus has enabled qualitatively new forms of integrated and probative analysis. We map out digital connections to show movement of key documents and files between computers, phones, and the cloud. This evidence helps to prove up theft of intellectual property or proprietary data cases. We build a connection graph and a timeline for your adversary’s misappropriated document to show its journey. And how and when it changed along the way. These demonstrative exhibits enable visually persuasive ways of showing and telling your client’s story.
Email, Documents, and iPhone Backups
Our powerful computer forensics services recover deleted email, documents, and iPhone backups from laptop and desktop computer drives. iPhone backups are time capsules discovered on the user’s computer for which most people have no idea they exist. But when we examine the computer in our lab we can reveal all the recoverable mobile evidence from those iPhone backups from the past. Live and deleted text messages, calls, contacts, and mobile app evidence may be produced to provide support for your client’s claims and defenses.
Artificial Intelligence for Smart Computer Forensics Services
We employ the latest artificial intelligence and machine learning tools to categorize automatically your client’s computer forensics evidence. AI spots photographs that show weapons, license plates, automobile dashboards, or laptop screen grabs of text messages, documents, or ID cards ordinarily unsearchable. AI also analyzes and classifies chat and text messages for sexual harassment in employment investigations. It makes evidence reviews and producing reports showing material evidence easy and cost-effective.
Web Browsing and Google Search Evidence
Regularly we find Internet and web browsing evidence on Windows and Mac computers which reveals Google or Bing searches that often go to the user’s intent and motives. Our computer forensics services also provide useful clues from the computer’s browser sessions about the user’s foreseeable cloud storage accounts like Dropbox, Google Drive, and Microsoft OneDrive. Often we can recover their contents from documents and files in the cloud. Our computer forensics services also identify anti-forensic software installed on the computer for wiping and erasing data which may signal the intentional destruction of evidence. As a result we have become experts in spoliation cases.
Computer Forensics FAQs
US-CERT defines computer forensics as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.” It involves the identification and preservation of evidence to be collected. And most important, it produces reports on computer evidence using highly sophisticated software and hardware tools and scientific methods. Computer forensics when done properly changes no evidence on a computer, its hard drives, or other storage devices.
Computer evidence has been critical to our clients’ cases including operating system and application artifacts which support claims of theft of intellectual property and document forgery. We also collect and produce email, Internet browser, multimedia, and database evidence from computers. For more specific examples of digital evidence, please see the Carney Forensics case studies.
Many types of evidence can be recovered, including information about documents residing on the computer being examined. In addition, information can be recovered about digital documents deleted recently or often long ago. Fragments of deleted documents may also be recovered. Deleted email messages, photographs, audio recordings, business documents, and even databases may be recovered for analysis. Details about user activity may be revealed and documented.
The answer depends on numerous factors. This is why it’s important to call us and talk to our project manager about the evidence to be recovered. Once we understand your case and the evidence you need, we can give you a ballpark estimate of timing for planning purposes. The volume of data on the devices, how much searching and filtering is needed, and what other analyses are required will influence the time required. The good news is the initial step, forensically copying, or imaging, the hard drive(s) can be performed in just a few days and then returned to you or your client.
The answer depends on a variety of factors, but most of the time the examiner can develop circumstantial evidence or strong inferences supported by facts that copying has occurred. Circumstantial evidence may include date and time stamps showing that a removable device was attached to or mounted on the computer on the last day an employee was at work and using the computer. Often, depending on how much time has passed and how up to date the computer’s operating system may be, digital documents can be identified that were accessed after that removable device was attached to the computer. Examination of the removable device, if identified and available, may prove the copying act and become “smoking gun” evidence of document theft or misappropriation.
Again it depends on a variety of factors such as how long the forgery was in effect. If just for a few minutes, it may be more difficult to detect. A computer forensics examiner can correlate computer logs to check for time anomalies. The time change itself may be logged if the proper computer settings are in place. If the computer is part of a domain with time synchronization in place, the examiner may recover error messages generated as the system tries to correct for the forged time.
Proof will depend on the email software used, the time since deletion, and several other factors. Another issue to consider is a corporate or other large organization environment. If so, backup copies may be available that can be restored to recover the email evidence. Also cooperation from the organization may be essential to determine if the email was received and can be preserved. In addition, server logs may be recovered that show when and how an email, no longer available, was sent by matching metadata or email headers identifying the path a message took as it went through various mail servers.
Keywords may be the beginning, but not the end of analysis. Many documents and computer files cannot be adequately searched or filtered using keywords. These include graphics, such as fax image copies, unsearchable PDF documents, some email files, compressed or “zipped” files. Also encrypted files, such as password protected Microsoft Office documents, cannot be searched. Examiners must search challenging documents in a different manner or even manually review them for keywords.
Formatting a disk only removes the pointers to the data, the index. Formatting is like ripping out the table of contents from a book. You may not know the chapters or topics, but the words are all still there to be read. The evidence itself will remain until overwritten by new data. If you were to inadvertently format a drive by choosing the wrong drive from a list, for example, the vast majority of the evidence will be recoverable, most likely without significant damage to documents. Stop using the computer’s disk and call your computer forensics examiner.
No, “looking” for evidence by personnel not trained in proper digital forensic protocols will likely modify or tamper with it. More important, forensically unsound activity may limit some or all of the computer’s evidence from being admissible in court. Inappropriate computer activity can change date and time stamps. It can corrupt or overwrite critical evidence making it no longer recoverable. Even simply powering up a computer will change and overwrite data. So will allowing a powered up computer to continue running, especially if it’s connected to the Internet or a company network.
No, unless done in a forensically sound manner with the proper hardware and software. Why? Data will be missed, data will be changed, and data will likely not be admissible in court. Generally when untrained personnel attempt to copy evidence, only the “active” data is copied. Even then, date and time stamp information is changed. Evidence deleted or data stored in a prior version of a file system will not be copied. Therefore, recovery, analysis, and review will be impossible for evidence overlooked by untrained techs using forensically unsound methods and tools. Last, computer shops do not prepare proper chain of custody documentation which may limit admissibility of evidence, if challenged in court.
The most important step you can take is to stop using the computer, removable disk, flash drive, or other media and shut it off and/or unplug it. Do not turn it back on or plug it in until you decide what you will do. If the device is already off, don’t turn it on, or do anything with it until you decide. Even leaving a computer on with no obvious activity can destroy evidence. Most operating systems, like Windows, or Mac OS, have ongoing processes running in the background that will, over time, write information to the disk which overwrites previously available evidence. This is true even if no one is logged on to the computer or it is in a “locked” state. As long as it is powered up, evidence is at risk.
Yes, we will collect on-site, often after hours or on weekends, at the convenience of the client. We prefer to perform the analysis in our lab which is more cost effective for the client.
In the majority of legal cases, the examiner can recover and analyze the computer’s evidence and generate forensic tool reports for the legal team’s review for an average cost of approximately $5,000. Each computer hard drive takes about 12 hours of lab time. Factors that go to cost include how much storage capacity is built into each of the computer’s hard drives. And how many hours of analysis are needed. Last, a critical factor is how many computer forensic tools are required to recover and analyze the material evidence upon which the dispute will turn, especially deleted or hidden evidence, also specialty evidence like documents and media.
Carney Forensics will store client’s data for three months at no charge. If you would like us continue to store your data, we charge $50 per month.