When retained in a current or potential legal matter, the computer forensic specialist helps determine if a computer disk contains potential evidence. The specialist also oversees the extraction of information from the computer media and evaluates the information for its evidentiary value. Throughout the process, the forensics practitioner provides assurance of chain of custody. The following examples illustrate the results of some real world computer forensic investigations.
Two partners in the business of developing certain telecommunication services separated. Within a few months, one of the partners formed a new company and was marketing a product that was a virtual clone of the partnership product. A computer forensic specialist compared the two products and, using statistical techniques, showed that the partnership’s computer code had indeed been used in the new product and that their copyright had been infringed upon.
A group of employees of a high tech company decided to raid the market share of their employer. They formed another company, and using their employer’s technology, developed a product that competed directly with that of the employer, all the while remaining as employees of the company! A computer forensic analysis revealed that they had copied the employer’s designs, charts, and specification documents, and showed the trail of the documents as they moved from one conspirator’s computer to the next.
Computer forensic analysis is often useful in matters that, on the surface, seem unrelated to computers. In one case, an alleged bomber had kept downloaded files that described the bomb-making techniques he used. In another case, a bitterly fought divorce and child custody dispute, one party had scanned questionable pictures of herself into her company computer and then attempted to delete them.
In all these cases–and many others–computer forensics techniques were able to retrieve data that ultimately played a pivotal role in the outcome of the case.
A computer’s operating system keeps a directory, much like a telephone directory, of the name and location of each file. When a user deletes a file, the operating system does not remove the data. Instead, it indicates that the space is available; the contents remain in place until they are over-written by some other process. The treatment of “deleted” files is comparable to a telephone company that deletes a subscriber from the phone book but leaves that customer’s service active.
Someone who knows the phone number can still call the subscriber in question. Similarly, someone who knows how to access these released-but-not-erased areas, and who has the proper tools, can recover their contents.
In computer forensics, the operating system is both friend and foe. Its friendly nature makes the system easy to use, but to do so it must keep track of information that it hides from the user. This hidden information is a rich source of details about what the user has been doing. It contains information such as Web sites visited, e-mail sent and received, Internet-based financial transactions, and letters. A computer forensics expert exploits these hidden pockets of data to acquire information and to evaluate its usefulness as evidence in a particular matter.
A user need not save documents on his computer for them to be accessible to forensic specialists–as one bank robber discovered. Involved in twelve bank robberies in San Diego in late 1999, the “Gap-Toothed Bandit” wrote threatening demand notes on his computer, but exited his word processor without saving them. A forensic investigation of his computer yielded five of his demand notes.
How is that possible? In order to display the notes on his monitor, the system stored them in a temporary location; and, when he exited his word processor, the “friendly” operating system neglected to tell him the notes were still there.
While accessing the Internet, browsers keep records of the sites a user has visited. If a user permits cookies, small files used by browsers to keep track of a user’s visits, the cookies may yield passwords and other information about the user’s Internet practices. These records can be deleted if the user knows about them, is zealous in regularly deleting them, and overwrites their locations. If not, forensics investigations can disclose clear evidence of sites the user has visited.