Computer Forensics

Carney Forensics began offering computer forensics services back in 2008 by investing in tools with enhanced, powerful capabilities. They have changed the game in settlement conferences and the courtroom for attorneys like you.

Computer Forensics Breakthroughs

Most important of the many recent technological breakthroughs has been the integration of computers, phones, and cloud evidence together in the same digital forensic data set or container. Combining the evidence sources into one corpus has enabled qualitatively new forms of integrated and probative analysis. We map out digital connections to show movement of key documents and files between computers, phones, and the cloud. This evidence helps to prove up theft of intellectual property or proprietary data cases. We build a connection graph and a timeline for your adversary’s misappropriated document to show its journey, and how and when it changed along the way. These demonstrative exhibits enable visually persuasive ways of showing and telling your client’s story.

Email, Documents, and iPhone Backups

Our powerful computer forensics tools recover deleted email, documents, and iPhone backups from laptop and desktop computer drives. iPhone backups are time capsules stored on the user’s computer that most people have no idea exist. But when we examine the computer in our lab we can reveal all the recoverable mobile evidence from those iPhone backups from the past. Live and deleted text messages, calls, contacts, and mobile app evidence may be produced to provide support for your client’s claims and defenses.

Artificial Intelligence for Smart Computer Forensics

We employ the latest artificial intelligence and machine learning tools to automatically categorize your client’s computer forensics evidence. AI spots photographs that show weapons, license plates, automobile dashboards, or laptop screen grabs of text messages, documents, or ID cards, content that is ordinarily unsearchable. AI also analyzes and classifies chat and text messages for sexual harassment in employment investigations. It makes reviewing evidence and producing reports of material evidence easy and cost-effective.

Web Browsing and Google Search Evidence

Regularly we find Internet and web browsing evidence on Windows and Mac computers that reveals Google or Bing searches, which often go to the user’s intent and motives. Our computer forensics tools also provide useful clues from the computer’s browser sessions about the user’s cloud storage accounts like Dropbox, Google Drive, and Microsoft OneDrive. Often we can recover their contents from documents and files in the cloud. Our computer forensics tools also identify anti-forensic software installed on the computer for wiping and erasing data, which may signal the intentional destruction of evidence. As a result we have become experts in spoliation cases.

Computer Forensics FAQs

What is computer forensics?

US-CERT defines computer forensics as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.” It involves the identification and preservation of evidence to be collected, and, most important, it produces reports on computer evidence using highly sophisticated software and hardware tools and scientific methods. Computer forensics, when done properly, changes no evidence on a computer, its hard drives, or other storage devices.

What are examples of computer evidence?

Computer evidence has been critical to our clients’ cases, including operating system and application artifacts which support claims of theft of intellectual property and document forgery. We also collect and produce email, Internet browser, multimedia, and database evidence from computers. For more specific examples of digital evidence, please see the Carney Forensics case studies.

What evidence can be recovered during a computer forensics examination?

Many types of evidence can be recovered, including information about documents residing on the computer being examined. In addition, information can be recovered about documents deleted recently or often long ago. Fragments of deleted documents may also be recovered. Deleted email messages, photographs, audio recordings, business documents, and even databases may be recovered for analysis. Details about user activity may be revealed and documented.

How long do computer forensic examinations take?

The answer depends on numerous factors. This is why it’s important to call us and talk to our project manager about the evidence to be recovered. Once we understand your case and the evidence you need, we can give you a ballpark estimate of timing for planning purposes. The volume of data on the devices, how much searching and filtering is needed, and what other analyses are required will influence the time required. The good news is that the initial step, forensically copying (imaging) the hard drive(s), can be performed in just a few days, after which the drives are returned to you or your client.

Can an examiner determine if an employee copied documents off a computer just before leaving the company?

The answer depends on a variety of factors, but most of the time the examiner can develop circumstantial evidence or strong inferences supported by facts that copying has occurred. Circumstantial evidence may include date and time stamps showing that a removable device was attached to or mounted on the computer on the last day an employee was at work and using the computer. Often, depending on how much time has passed and how up to date the computer’s operating system may be, documents can be identified that were accessed after that removable device was attached to the computer. Examination of the removable device, if identified and available, may prove the copying act and become “smoking gun” evidence of document theft or misappropriation.

Someone forged the date a computer document was created or edited. Can you prove it?

Again, it depends on a variety of factors, such as how long the forgery was in effect. If just for a few minutes, it may be more difficult to detect. A computer forensics examiner can correlate computer logs to check for time anomalies. The time change itself may be logged if the proper computer settings are in place. If the computer is part of a domain with time synchronization in place, the examiner may recover error messages generated as the system tries to correct for the forged time.
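The two previous answers both rest on timeline correlation: file activity following a removable-device mount, and a clock that runs backwards between consecutively written records. The following added example (not Carney Forensics' tooling, and run over constructed sample records rather than real system logs) shows both checks on a small event list; the event types and record layout are assumptions made for the illustration.

```python
from datetime import datetime

# Constructed sample records (not from any real system): sequence number,
# timestamp as written by the system clock, event type, and detail.
# Records are appended in sequence order, so a timestamp earlier than
# the record before it means the clock was moved.
SAMPLE_EVENTS = [
    (1, "2023-03-01 16:58:10", "logon", "jdoe"),
    (2, "2023-03-01 17:02:45", "usb_mount", "removable drive, serial PLACEHOLDER"),
    (3, "2023-03-01 17:03:12", "file_access", "Q1_customer_list.xlsx"),
    (4, "2023-03-01 17:03:40", "file_access", "pricing_model.docx"),
    (5, "2022-11-15 09:00:00", "file_modify", "contract.docx"),  # clock set back
    (6, "2023-03-01 17:10:05", "file_access", "resume.pdf"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_time_anomalies(events):
    """Return sequence numbers whose timestamp precedes the preceding record's.

    Sequence numbers are assigned in write order, so this catches a clock
    that was set back between two writes, e.g. to backdate a document.
    """
    anomalies = []
    for prev, cur in zip(events, events[1:]):
        if _parse(cur[1]) < _parse(prev[1]):
            anomalies.append(cur[0])
    return anomalies


def files_accessed_after_mount(events):
    """Return files accessed after the first removable-device mount event."""
    mount_time = None
    accessed = []
    for _seq, ts, kind, detail in events:
        if kind == "usb_mount" and mount_time is None:
            mount_time = _parse(ts)
        elif kind == "file_access" and mount_time is not None \
                and _parse(ts) >= mount_time:
            accessed.append(detail)
    return accessed


if __name__ == "__main__":
    print("clock anomalies at records:", find_time_anomalies(SAMPLE_EVENTS))
    print("accessed after mount:", files_accessed_after_mount(SAMPLE_EVENTS))
```

On the constructed records, record 5 is flagged as a clock anomaly and three files are listed as accessed after the mount; the backdated edit to contract.docx is a modify event, not an access, so it appears only in the first list.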

A document was sent via email to a competitor and was later deleted. Can you prove it?

Proof will depend on the email software used, the time since deletion, and several other factors. Another issue to consider is whether the email was sent from a corporate or other large organization environment. If so, backup copies may be available that can be restored to recover the email evidence. Also, cooperation from the organization may be essential to determine if the email was received and can be preserved. In addition, server logs may be recovered that show when and how an email, no longer available, was sent, by matching metadata or email headers identifying the path a message took as it went through various mail servers.

What can be done if our selected keywords fail to identify responsive documents?

Keywords may be the beginning, but not the end, of analysis. Many documents and computer files cannot be adequately searched or filtered using keywords. These include graphics, such as fax image copies, unsearchable PDF documents, some email files, and compressed or “zipped” files. Also, encrypted files, such as password protected Microsoft Office documents, cannot be searched. Examiners must search challenging documents in a different manner or even manually review them for keywords.

Will formatting a disk erase the computer evidence?

Formatting a disk only removes the pointers to the data, the index. Formatting is like ripping out the table of contents from a book. You may not know the chapters or topics, but the words are all still there to be read. The evidence itself will remain until overwritten by new data. If you were to inadvertently format a drive by choosing the wrong drive from a list, for example, the vast majority of the evidence will be recoverable, most likely without significant damage to documents. Stop using the computer’s disk and call your computer forensics examiner.
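To make the table-of-contents analogy concrete, here is an added example (not the firm's tooling) using a constructed toy disk image: a small index block names each file and its location, a quick format wipes only that index, and a signature-based carver still recovers the files from the untouched data area. The index layout and the two file signatures used are assumptions for the illustration; real file systems are far more involved.

```python
import struct

# Constructed toy image layout (not a real file system): an index block of
# 24-byte entries (16-byte name, uint32 offset, uint32 length), followed by
# the raw file contents.  Formatting zeroes the index and nothing else.
INDEX_SIZE = 72  # room for three entries; unused entries stay all-zero
PDF_BODY = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-pixels" + b"\xff\xd9"
# Header/footer signatures a carver looks for; the index is never consulted.
SIGNATURES = {"pdf": (b"%PDF-", b"%%EOF"), "jpg": (b"\xff\xd8\xff", b"\xff\xd9")}


def build_image():
    """Write two files into the toy image and record them in the index."""
    entries, body = bytearray(), bytearray()
    for name, content in ((b"memo.pdf", PDF_BODY), (b"photo.jpg", JPEG_BODY)):
        entries += struct.pack("<16sII", name, INDEX_SIZE + len(body), len(content))
        body += content
    return bytes(entries).ljust(INDEX_SIZE, b"\x00") + bytes(body)


def list_index(image):
    """Read file names from the index, the way an operating system would."""
    names = []
    for pos in range(0, INDEX_SIZE, 24):
        name, offset, _length = struct.unpack_from("<16sII", image, pos)
        if offset == 0:  # empty entry marks the end of the index
            break
        names.append(name.rstrip(b"\x00").decode())
    return names


def quick_format(image):
    """Simulate a quick format: zero the index, leave the data area alone."""
    return bytes(INDEX_SIZE) + image[INDEX_SIZE:]


def carve(image):
    """Recover files by scanning for known headers and matching footers."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:
                break
            end += len(footer)
            found.append((kind, image[start:end]))
            start = image.find(header, end)
    return found
```

After quick_format() the index lists nothing, yet carve() returns both the PDF and the JPEG byte-for-byte, which is exactly why continued use of the disk (new writes over that data area) is what actually destroys the evidence.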

Is it okay to have our IT staff look for evidence on a computer before requesting a forensic examination?

No, “looking” for evidence by personnel not trained in proper digital forensic protocols will likely modify or tamper with it. More important, forensically unsound activity may limit some or all of the computer’s evidence from being admissible in court. Inappropriate computer activity can change date and time stamps. It can corrupt or overwrite critical evidence, making it no longer recoverable. Even simply powering up a computer will change and overwrite data. So will allowing a powered-up computer to continue running, especially if it’s connected to the Internet or a company network.

Why do we need a forensic image of the computer’s disk? The local computer shop will copy the disk for us. Won’t that be adequate?

No, unless done in a forensically sound manner with the proper hardware and software. Why? Data will be missed, data will be changed, and data will likely not be admissible in court. Generally, when untrained personnel attempt to copy evidence, only the “active” data is copied. Even then, date and time stamp information is changed. Deleted evidence or data stored in a prior version of a file system will not be copied. Therefore, recovery, analysis, and review will be impossible for evidence overlooked by untrained techs using forensically unsound methods and tools. Last, computer shops do not prepare proper chain of custody documentation, which may limit admissibility of evidence if challenged in court.

We’re thinking about requesting a forensic examination of a computer. Are there precautions we should take while we are deciding?

The most important step you can take is to stop using the computer, removable disk, flash drive, or other media and shut it off and/or unplug it. Do not turn it back on or plug it in until you decide what you will do. If the device is already off, don’t turn it on or do anything with it until you decide. Even leaving a computer on with no obvious activity can destroy evidence. Most operating systems, like Windows or Mac OS, have ongoing processes running in the background that will, over time, write information to the disk, which overwrites previously available evidence. This is true even if no one is logged on to the computer or it is in a “locked” state. As long as it is powered up, evidence is at risk.

Do you perform collections of computer evidence on site at a client’s business?

Yes, we will collect on site, often after hours or on weekends, at the convenience of the client. We prefer to perform the analysis in our lab which is more cost effective for the client.

How much does a computer forensic acquisition and analysis cost?

It’s difficult to accurately estimate total costs upfront. There are many unknown factors and analysis opportunities to consider before evidence collection and preliminary analysis. Carney Forensics strives to provide the best service in the most cost-effective manner. From the initial call through final reports or courtroom testimony, our experts work closely with each client to ensure they have the information they need to make good decisions and prioritize analysis opportunities and weigh costs against benefits throughout the investigation or matter.

What do you charge for storage of evidence?

Carney Forensics will store clients’ data for three months at no charge. If you would like us to continue to store your data, we charge $50 per month.