Computer Forensics FAQ
What is computer forensics?
Simply put, computer forensics is the collection, preservation, analysis and presentation of electronic evidence.
What kind of evidence can be found?
Text files, graphic files, audio files, deleted files (if not overwritten), hidden files, system files, and e-mail. Correspondence, tax and accounting records, addresses and phone numbers, presentation files, business plans, calendaring information, task lists – all may contain significant evidence.
Yes, if they have not been completely overwritten. If they have been partly overwritten, the answer is maybe. Special utilities can help in this regard.
Is it possible to determine when files were deleted?
Sometimes, depending on the operating system, even if they were removed from the Recycle Bin.
What’s wrong with doing computer forensics in-house?
If you have a competent forensics technologist in-house, you are very lucky indeed. Most firms do not, and end up relying on their IT staff, who lack a true forensics background. Unfortunately, well-intentioned amateurs frequently destroy or taint evidence when they acquire or search through it. There are few things as frustrating as finding a smoking gun, only to have it declared inadmissible.
What can a forensic technologist do for me?
As you might imagine, the facts determine the answer. However, in general, a forensics technologist can help evaluate such things as how data may have leaked, how e-mail may have been forged, how your network may have been penetrated, whether employees are making unauthorized copies of proprietary information or running their own businesses on company time, and whether keystroke logging applications have been placed on any of your systems. The possibilities are as endless as the fact scenarios.
How can a forensic technologist help if litigation is involved?
A forensic technologist can help draft discovery requests so that all pertinent electronic information is likely to be gathered. Once the evidence is produced, the technologist can sift through it, searching by keywords, dates, names, file types, etc., and present the results in a user-friendly form. If necessary, the technologist can “acquire” (capture) entire hard drives while preserving the chain of custody, restore deleted information, recognize files which have had their extensions altered to hide their true nature, and the like. As needed, the technologist can provide expert testimony in court.
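The check for altered extensions mentioned above can be sketched as follows. This is an added example, not a tool or code from Sensei: it compares each file's leading signature bytes with its extension, and the signature table, function names and sample files are all constructed for illustration. It only reads files and is meant to be run against a working copy of the evidence.

```python
import tempfile
from pathlib import Path

# Well-known leading "magic" bytes for a few common formats.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also the container for docx/xlsx/pptx
]
# Extensions that are consistent with each detected type.
EXPECTED_EXT = {
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},
}

def sniff_type(path):
    """Return the type implied by the file's first bytes, or None if unknown."""
    with open(path, "rb") as fh:  # read-only: the file is never modified
        head = fh.read(16)
    return next((kind for magic, kind in SIGNATURES if head.startswith(magic)), None)

def find_mismatches(root):
    """Return sorted (relative path, detected type) pairs whose extension disagrees with content."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        kind = sniff_type(p)
        if kind and p.suffix.lower() not in EXPECTED_EXT[kind]:
            hits.append((str(p.relative_to(root)), kind))
    return sorted(hits)

def demo():
    """Scan a constructed sample directory (all file contents are made up)."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,   # genuine JPEG header
        "budget.docx": b"PK\x03\x04" + b"\x00" * 8,         # zip container, consistent
        "readme.txt": b"plain text, no known signature",    # unknown type, ignored
        "notes.txt": b"%PDF-1.4\n",                         # PDF renamed to .txt
        "system.dll": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # PNG renamed to .dll
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            Path(d, name).write_bytes(data)
        return find_mismatches(d)
```

A file whose signature is not in the table is skipped rather than flagged, so a hit means the content positively identifies as a type the extension does not match.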
Can password or encryption protection be cracked?
Usually yes, but not always. Remember too that there are laws protecting privacy rights, and it is often necessary to get a court order before cracking a password or encryption.
If I have had an office fire, run over my laptop with my car, or otherwise lost my files, can you get them back?
Once more, the answer is usually yes, but not always. If files were recently deleted, they may still be whole and recoverable. The further back in time they were deleted, the less recoverable they are. You may be able to get substantial portions back, but not everything.
Physical damage is another issue entirely. Miracles are indeed possible, but data recovery in the face of serious physical damage is very expensive, and generally only worthwhile for irreplaceable or extremely valuable data.
How is Sensei Enterprises different from other computer forensics companies?
There are a number of reputable computer forensics companies. Sensei’s primary distinction is that it is co-owned by a technologist and a practicing attorney. Clients frequently find it helpful to have access to both legal and technical skills within the same firm.
What kind of forensics software/hardware does Sensei use?
We use the industry leaders: generally FastBloc for acquisition and EnCase for acquisition. Most leading law enforcement authorities also use FastBloc and EnCase. Courts have consistently validated evidence produced via their use. We also have a number of additional software tools, including dtSearch, to assist with other forensics functions as needed.
