Frequently Asked Questions


Forensic Pursuit performs all of the following as part of their comprehensive computer investigation service:



What is forensic analysis?
  • Forensic software provides the specialist with a powerful set of tools that are used to ascertain patterns, words, and sequences of numbers based on information obtained from the client.
  • Passwords can be defeated, and encryption and compression can be unlocked. All areas of content storage are then searched to ensure all potential evidence is located.
  • The time and date information made available by forensic software provides the specialist with the necessary tools for uncovering sequences of events as they relate to the evidence.
Who requires the services of computer forensic specialists?

As the use of computers expands on a daily basis, so does the number of disciplines that can make effective use of computer forensic services. Some of these include:
  • Attorneys considering matters in which evidence was or may have been created or stored in digital media, such as computers or floppy disks, even if that evidence is currently deleted, hidden, or otherwise not accessible.
  • Personnel directors and human resource specialists involved in proceedings in which critical evidence may at some time have been stored or created on a computer or sent as e-mail.
  • Companies wishing to monitor or investigate employee computer usage.
  • Accountants and auditors who want to investigate suspect monetary transactions.
  • Individuals and organizations who believe someone has violated their copyrighted or trade secret work product.
  • Law enforcement officials seeking evidence of wrongdoing, such as child pornography, terrorist activities, and money laundering.
Why can’t my IT guy do this? He says he can.
  • Although your IT people are highly knowledgeable in their field, computer forensics work is best performed by outside experts.
  • The requirements of the courts necessitate that computer forensic investigations are performed by external entities equipped with authorized forensic technology and trained to observe forensic protocols.
  • Outside forensic experts employ the proper hardware and software to identify, isolate, and preserve electronic information in a court admissible manner.
  • Also, outside experts are truly objective, and their analysis cannot be tainted by any personal knowledge of or relationship with the subject of the investigation.
Can deleted information still be found if the user has reformatted or repartitioned the hard drive?
  • Yes. The idea that formatting or repartitioning removes information from a hard drive is widely believed. In reality, reformatting rebuilds operating system information, such as the symbol tables, but it does not remove what is on the disk. A professional with the right tools and know-how can recover most of what was on the disk before the reformatting operation was conducted.
Can deleted information still be found if the user has run "defrag?"
  • Yes. Many pockets of information are not altered by the defrag process. Some documents, most notably those from Microsoft Word®, contain internal information that describes much of their history and modification.
Can deleted information still be found if the user has run a "clean-up" utility program?
  • Probably. Most hard drive “cleaning” routines are not forensically sound. This means that files are deleted but not wiped from the hard drive. Most files that are deleted but not wiped can be retrieved by a trained forensic examiner.
Can forensic analysis determine what web sites have been visited and what files downloaded?
  • Yes. Most software that accesses the internet or communicates with the outside world keeps a log of its activity. In addition, the Windows operating system itself logs some of these activities. Logs can be emptied or deleted, but residual information often remains and is recoverable by qualified forensic analysts.
Can forensic analysis reveal what documents have been sent to the printer?
  • Yes. Like most activities performed on a modern-day computer, sending files to the printer leaves traces. Log, link, and spool files can all be accessed to determine if a particular file was printed and when.
Can encrypted files be decrypted?
  • Sometimes. The ability to decrypt encrypted files varies widely with the technology used to encrypt the files in the first place. Contact Forensic Pursuit to discuss the possibilities in your particular case.
Can forensic analysis find email from web-based email clients, like Yahoo, MSN, or Hotmail?
  • Yes. Email composed and read in web-based email clients manifests itself as visited web pages, which can be retrieved like any other visited web pages.
What are file date stamps and how are they used in forensic analysis?

There are three dates associated with a file: the date it was created, the date it was last modified, and the date it was last accessed (without modification).
  • The creation date is the date that the file was created on its current media. When a file is moved from one computer to another, the creation date is changed to the move date. Thus, the creation date is the date that a file was initially created on the current machine.
  • The modification date is the last time the file was modified on any computer. The modification date is not altered when a file is moved from one computer to another. It changes only when the contents of the file have been changed and saved in some way.
  • The access date is the date the file was last accessed. In this situation, "access" is interpreted very loosely. In addition to opening a file and saving it without changes, copying a file from computer C to computer D changes the access date on C. The access date is also changed if one inspects the file properties, even if the file was not opened.
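The date rules above can be applied mechanically. This added example (not part of the original FAQ or any Forensic Pursuit tool) flags files whose creation date is later than their modification date, meaning they arrived on the current media after their last edit, and merges all three stamps into one timeline. The file paths and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed sample records (path, created, modified, accessed), shaped like an
# export from a forensic tool. None of these values come from a real case.
RECORDS = [
    ("C:/Docs/budget.xls",  "2008-03-02 09:15", "2008-03-02 17:40", "2008-03-20 08:05"),
    ("C:/Docs/pricing.doc", "2008-03-14 22:31", "2008-01-09 11:02", "2008-03-14 22:31"),
    ("C:/Docs/clients.mdb", "2008-03-14 22:33", "2007-11-30 16:45", "2008-03-14 22:40"),
]
FMT = "%Y-%m-%d %H:%M"


def parse(records):
    """Convert the three text stamps of each record into datetime objects."""
    return [(p, *(datetime.strptime(t, FMT) for t in (c, m, a))) for p, c, m, a in records]


def arrived_after_last_edit(records):
    """Return files whose creation date is later than their modification date.

    A move resets the creation date but not the modification date, so these
    files were placed on this media after their content was last changed.
    """
    return [p for p, c, m, a in parse(records) if c > m]


def timeline(records):
    """Flatten all three stamps into one chronologically sorted event list."""
    events = []
    for p, c, m, a in parse(records):
        events += [(c, "created", p), (m, "modified", p), (a, "accessed", p)]
    return sorted(events)


if __name__ == "__main__":
    print("Copied or moved onto this media:", arrived_after_last_edit(RECORDS))
    for when, kind, path in timeline(RECORDS):
        print(when.strftime(FMT), f"{kind:9}", path)
```

In the sample data, two files share creation times two minutes apart that postdate their last edits by months, the pattern a bulk copy onto the machine would leave.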
Can electronic evidence be extracted from PDAs or cellular phones?
  • Forensic investigative techniques can be readily employed on PDAs, cellular phones, and other electronic devices to identify, isolate, and analyze data in full accordance with court admissible guidelines.
What is metadata and why is it important to an investigation?
  • Metadata is basically data about data. Specifically, metadata describes how, when, and by whom a particular electronic file was created, modified, and where it was transmitted. These technical aspects of a file often yield information and insight relevant to an investigation or litigation, as they convey a detailed account of a document's history and distribution.
  • Additionally, metadata can often be used to reconstruct a timeline of events, produce additional investigative leads, and establish a user's knowledge regarding the existence and content of files.
Can I determine if a duplicated hard drive is an exact copy of the original?
  • Demonstrating that a forensically duplicated hard drive or other media device is precisely identical to the original is critical to ensuring the court admissibility of electronic information.
  • To address this issue, a computer forensic specialist employs hardware and software to prevent the manipulation or corruption of data on the original device, while facilitating a true bit-by-bit duplication. To validate a successful forensic duplication and to verify the original is identical to the new copy, a hash value is calculated.
  • This hash value is produced by a sophisticated mathematical algorithm known as MD5 (Message Digest 5), which computes a unique hexadecimal alphanumeric identifier based on the entirety of the data stored on a hard drive. This hash value is computed individually on the original hard drive and any subsequent duplications to confirm that they match, thus demonstrating an exact and identical copy.
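The verification step described above, as an added example that is not part of the original FAQ or Forensic Pursuit's tooling: it streams an original image and a copy, computes MD5 as the page describes, and compares the results. Computing SHA-256 in the same pass is an addition made here, and the image files are constructed random data written to a temporary directory.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never load fully into memory


def digest_image(path, algorithms=("md5", "sha256")):
    """Stream an image once and return (size_in_bytes, {algorithm: hex digest})."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            size += len(block)
            for h in hashers.values():
                h.update(block)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(original, copy):
    """Compare original and copy; return (is_identical, list of mismatch reasons)."""
    o_size, o_hash = digest_image(original)
    c_size, c_hash = digest_image(copy)
    problems = []
    if o_size != c_size:
        problems.append(f"size differs: {o_size} vs {c_size} bytes")
    for name in o_hash:
        if o_hash[name] != c_hash[name]:
            problems.append(f"{name} differs: {o_hash[name]} vs {c_hash[name]}")
    return not problems, problems


def demo():
    """Constructed sample: a pseudo-image, a faithful copy, and a copy with one bit flipped."""
    data = bytearray(os.urandom(3 * CHUNK + 512))
    workdir = tempfile.mkdtemp()
    paths = {n: os.path.join(workdir, n + ".dd") for n in ("original", "good", "bad")}
    for name in ("original", "good"):
        with open(paths[name], "wb") as fh:
            fh.write(data)
    data[len(data) // 2] ^= 0x01  # a single flipped bit in the altered copy
    with open(paths["bad"], "wb") as fh:
        fh.write(data)
    return (verify_duplicate(paths["original"], paths["good"]),
            verify_duplicate(paths["original"], paths["bad"]))


if __name__ == "__main__":
    for ok, problems in demo():
        print("MATCH" if ok else "MISMATCH", problems)
```

The altered copy has the same size as the original and differs by one bit, yet both digests change, which is why the hash comparison rather than a size check is what validates the duplication.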
What happens to electronic information after it is deleted?
  • A common misconception is that when information or a specific file is deleted, it is permanently erased from the hard drive. In reality, the act of deleting a file does not actively delete any information. What occurs is that a small portion of information that points to the location of the file on the hard drive is erased.
  • This pointer is used by the operating system to compile the directory tree structure, and by removing this pointer, the actual file becomes invisible to the operating system. Over time, the location of the unwanted file will be overwritten by new information.
  • Forensic technology exists to locate, reconstruct, and recover information and files that were deleted but still exist in total or have been partially overwritten by new data.
Toll Free: 866-498-3420  /  Denver Local: 303-495-2082  /  Email: info@forensicpursuit.com

©Copyright 2005-2009 Forensic Pursuit, LLC.   All rights reserved
1730 Blake Street, Suite B-20   Denver, Colorado 80202