Computer Forensics (Electronic Discovery)

Greg A. Raffaele CPA CVA FCPA

Computer forensics, or electronic evidence discovery, is a discipline that uses technology to acquire, restore and analyze magnetically or electronically encoded evidence (digital data*). It is increasingly becoming a litigation tool because, in litigation, properly recovered digital data can be convincing evidence.

The CPA

As a forensic professional, the CPA may uncover and analyze 'hard' data that is incomplete. The CPA can then use computer forensics to search for digital data that corroborates that hard forensic evidence. To testify as a computer forensics expert, the CPA must have the knowledge to understand, present and justify the recovered evidence in court. He must also document every technique and procedure used to recover the digital data, because the recovery process itself must satisfy the legal requirements for evidence to be admissible.

The Risk

Courts have held that digital data acquired without an audit trail may not be considered the strongest or best evidence. Specifically, the original evidence must be properly collected and preserved in its entirety, and each step recorded, so that an independent third party can repeat the investigation and obtain exactly the same results. Findings that meet this standard strengthen the evidence and contribute to a faster and more efficient resolution (judgment or settlement) of the legal matter.

Digital Data

Digital data is electronic information created in and used by computers and their applications. It typically takes the form of active files such as financial spreadsheets, word-processing documents and e-mails. Active files are easily accessible, are the files used most often, and reside on computer storage devices ('storage media') such as hard disk drives (including those in servers), DVDs, CDs and floppy disks. Some storage media can hold the equivalent of hundreds of thousands of pages of information. In addition to active files, computer forensics recovers non-active data from storage media: hidden, deleted, fragmented and back-up files, including files that have been erased, damaged or compressed. Encrypted (encoded) or password-protected files can likewise be recovered as files, but reading their contents still requires the key or password, or a weakness in the protection. Computers are not selective about which deleted or other non-active data is overwritten when drive space is needed for an active file. It is critical, therefore, that the storage media holding the digital data be taken offline from all other computer activity as soon as forensic work is contemplated, and kept offline until the data has been acquired.

Understanding Data

When working through the graphical user interface (GUI) of the operating system and application software, a user can delete, hide and change data with little or no obvious trace. Users are generally unaware, however, that copies of their data persist, because the interaction between the operating system and applications routinely stores the same data in more than one place (temporary files, caches, back-ups, swap space and the unallocated space left behind by deleted files). The computer also records actions the user never sees: operating systems and applications generally keep logs of events such as log-ons and file deletions. Computer forensics exploits this duplication, and the typical user's inability to identify and remove every copy, to locate and extract digital data. Defeating the logging mechanisms requires skills and administrative access that ordinary users lack; it is generally within reach only of a sophisticated user or an information technology (IT) professional, and even then the tampering may itself leave traces.

Storage media are organized by a file system that indexes the files they hold; on Windows systems this is typically the file allocation table (FAT) or the New Technology File System (NTFS). Deleting a file normally removes only its entry from that index and marks its space as free; the file's contents remain intact, or in fragments scattered across unused sections of the hard drive or other media, until the space is reused. As a result, attempts to destroy data by deleting files often fail: the data is merely inaccessible through the normal interface, and only sophisticated users understand how the computer actually stores information on the media. Users may also try to conceal information by storing it in unexpected locations or under deceptive file names or file extensions.

Many companies do not have record retention policies for digital data, and where e-mail is purged it is rarely done consistently or frequently. Contrary to popular belief, pressing the 'delete' button does not purge an e-mail forever. A deleted message may remain on the user's computer, and on the mail server and in back-ups, long after it was deleted. Because electronic data is difficult to destroy completely and may survive in forms that are not obvious, computer forensics requires the examination of all stored data, not just the active files.
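The two preceding paragraphs describe why a deleted file usually survives on disk and how a forensic examiner gets it back. The following is an added example written for this article, not code from the original. It builds a hypothetical in-memory volume (sector 0 is a simple directory of name, first-sector and length entries; data starts at sector 1), 'deletes' a file the way an operating system does, and then recovers the file by signature carving, ignoring the directory and scanning the raw bytes for the file type's header and footer. The directory layout is a constructed simplification; real FAT and NTFS volumes differ in detail, but the principle is the same. The sample PDF, notes and invoice bytes are constructed for the demonstration.

```python
"""Why pressing 'delete' rarely destroys data: a toy volume, a deleted file, and file carving.

Added example written for this article, not code from the original. The volume
layout (sector 0 is a directory of name/first-sector/length entries, data starts
at sector 1) is a hypothetical simplification; real FAT and NTFS volumes differ
in detail, but the principle is the same: deleting a file unlinks its directory
entry and frees its space, leaving the contents in unallocated space until
something else is written there.
"""
import re
import struct

SECTOR = 512
ENTRY = struct.Struct("<16sHI")  # toy directory entry: name, first sector, byte length
SIGNATURES = {  # header/footer byte patterns that carving tools look for
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def build_volume(files, sectors=8):
    """Construct an in-memory volume holding the given (name, bytes) files."""
    image = bytearray(SECTOR * sectors)
    next_sector = 1
    for i, (name, data) in enumerate(files):
        ENTRY.pack_into(image, i * ENTRY.size, name.encode(), next_sector, len(data))
        image[next_sector * SECTOR:next_sector * SECTOR + len(data)] = data
        next_sector += -(-len(data) // SECTOR)  # ceiling division: sectors consumed
    return image


def list_directory(image):
    """Return {name: (first_sector, length)} for every live directory entry."""
    entries = {}
    for i in range(SECTOR // ENTRY.size):
        name, first, length = ENTRY.unpack_from(image, i * ENTRY.size)
        if first:  # an all-zero entry is unused (or deleted)
            entries[name.rstrip(b"\0").decode()] = (first, length)
    return entries


def read_file(image, name):
    """The normal way to read a file: go through the index."""
    first, length = list_directory(image)[name]
    return bytes(image[first * SECTOR:first * SECTOR + length])


def delete_file(image, name):
    """What an operating system does on delete: clear the index entry, not the data."""
    for i in range(SECTOR // ENTRY.size):
        entry_name, first, _ = ENTRY.unpack_from(image, i * ENTRY.size)
        if first and entry_name.rstrip(b"\0").decode() == name:
            image[i * ENTRY.size:(i + 1) * ENTRY.size] = b"\0" * ENTRY.size
            return True
    return False


def carve(image, kind):
    """Signature carving: ignore the index and scan raw bytes for header ... footer."""
    header, footer = SIGNATURES[kind]
    pattern = re.escape(header) + b".*?" + re.escape(footer)
    return [m.group(0) for m in re.finditer(pattern, bytes(image), re.DOTALL)]


def demo():
    """Delete a PDF, carve it back, then show what reuse of the freed space does."""
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<<>>\n%%EOF"  # constructed
    vol = build_volume([("report.pdf", pdf), ("notes.txt", b"call counsel re: Q3 ledger")])
    delete_file(vol, "report.pdf")
    result = {
        "in_index_after_delete": "report.pdf" in list_directory(vol),
        "carved_after_delete": carve(vol, "pdf") == [pdf],
    }
    # Later the OS reuses the freed sector for new data (constructed here by hand);
    # once the header is overwritten the carver can no longer find the file.
    new_data = b"invoice 4471 paid in full"
    vol[SECTOR:SECTOR + len(new_data)] = new_data
    result["carved_after_overwrite"] = carve(vol, "pdf") == [pdf]
    return result
```

Running `demo()` shows the three states the article describes: after deletion the file is gone from the index but carving recovers it byte for byte; once the space is reused, even partially, recovery fails. That is the whole argument for taking the media offline before anything else is written to it.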

Recovering Data

Using specialized computer forensic tools, the target data is acquired without altering the source by making a complete sector-by-sector bit-stream image of the storage media. During imaging it is critical that nothing be written to the source: the 'exact' image is acquired either by booting from a forensic environment (historically DOS) that does not mount the drive for writing, or through a forensically sound hardware write-blocking device. The suspect computer must not simply be switched on, because booting its own operating system (usually Windows) updates the file system, writes temporary and log files, and can overwrite potentially recoverable electronic evidence. The resulting image becomes the 'evidence file'; it is mounted read-only, as a 'virtual' drive, and all analysis is performed on it while the original media is preserved untouched.

A cyclic redundancy check (CRC) computed over every sector verifies the integrity of each part of the evidence file and pinpoints any sector that has changed. An MD5 hash (a 128-bit cryptographic hash, not an encryption) of the entire image confirms that the image as a whole remains unaltered and forensically intact, including the file-system date and time stamps it contains. Changing a single bit of a single byte anywhere in the image produces a different hash, and the verification tool then reports that the evidence no longer matches and is no longer forensically intact. Because collisions have since been demonstrated for MD5, current practice is to record a SHA-256 hash alongside it. Typical computer forensics services include data recovery and analysis from hard disks, Zip drives, floppy disks, CDs, DVDs, memory sticks and flash cards.
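The imaging and verification steps in the two preceding paragraphs, as an added example written for this article (not code from the original or from any forensic product). The 'device' is a four-sector byte string constructed here; in a real acquisition it would be the raw block device, opened read-only behind a hardware write blocker. `acquire` reads the source sector by sector, records a CRC32 for each sector and an MD5 and SHA-256 hash of the whole image; `verify` re-checks all three and, when the image has been altered, reports which sectors changed. `flip_one_bit` simulates the smallest possible alteration.

```python
"""Sector-by-sector acquisition with per-sector CRC32 and whole-image hashes.

Added example written for this article, not code from the original or from any
forensic tool. DEVICE is a constructed stand-in for a raw block device. The
per-sector CRC localizes a damaged or altered sector; the hash of the whole
image (MD5 as the article describes, with SHA-256 recorded alongside it as
current practice does) proves that the image as a whole, file-system
timestamps included, is unchanged.
"""
import hashlib
import zlib

SECTOR = 512

# Constructed four-sector 'device': a boot sector, ledger text, binary data, a PDF header.
DEVICE = (
    b"BOOT".ljust(SECTOR, b"\0")
    + b"Q3 ledger: 14,200.00 to vendor 8812 on 2008-09-30\n".ljust(SECTOR, b"\0")
    + bytes(range(256)) * 2
    + b"%PDF-1.4\n%%EOF".ljust(SECTOR, b"\0")
)


def acquire(device, sector=SECTOR):
    """Read the source in fixed-size sectors, recording a CRC32 for each one,
    then hash the complete image. Returns (evidence_file, verification_record)."""
    image = bytearray()
    crcs = []
    for offset in range(0, len(device), sector):
        block = device[offset:offset + sector]
        image += block
        crcs.append(zlib.crc32(block))
    record = {
        "sector_size": sector,
        "sectors": len(crcs),
        "crc32": crcs,
        "md5": hashlib.md5(bytes(image)).hexdigest(),
        "sha256": hashlib.sha256(bytes(image)).hexdigest(),
    }
    return bytes(image), record


def verify(image, record):
    """Re-hash the evidence file. Returns (intact, list of sectors whose CRC no
    longer matches); intact is True only if every check passes."""
    sector = record["sector_size"]
    bad_sectors = [
        i for i, crc in enumerate(record["crc32"])
        if zlib.crc32(image[i * sector:(i + 1) * sector]) != crc
    ]
    hashes_match = (hashlib.md5(image).hexdigest() == record["md5"]
                    and hashlib.sha256(image).hexdigest() == record["sha256"])
    return hashes_match and not bad_sectors, bad_sectors


def flip_one_bit(image, byte_index):
    """Simulate the smallest possible alteration of an evidence file."""
    altered = bytearray(image)
    altered[byte_index] ^= 0x01
    return bytes(altered)


def demo():
    """Image the device, verify it, then verify a copy with one bit changed."""
    image, record = acquire(DEVICE)
    intact_original, _ = verify(image, record)
    # Flip one bit inside the ledger sector (sector 1): a single character changes.
    tampered = flip_one_bit(image, 1 * SECTOR + 20)
    intact_tampered, bad = verify(tampered, record)
    return intact_original, intact_tampered, bad
```

`demo()` returns intact for the fresh image and not intact for the copy with one bit flipped, with sector 1 identified as the altered sector. The verification record (sector size, per-sector CRCs and both hashes) is what should be written into the acquisition notes at the time of imaging, so that an independent examiner can re-run `verify` later and obtain the same result.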

Conclusion

Searching computers for digital data or electronic evidence is a technical process that requires training, tested tools and a properly controlled environment. Sound data recovery procedures protect the integrity of the evidence and make any compromised or manipulated data detectable. Therefore, before sending someone unfamiliar with computer forensic tools to search for and retrieve data, you may want to consult an expert.

*Synonyms: Electronic data, information or files; computer data, information or files.




Important Notice
The preceding article is intended as general information and should not be considered legal, tax, accounting or other expert advice. As the author, I represent that neither the information nor its impact is comprehensive. If legal, tax, accounting or other expert advice is required, please use a qualified and competent professional.

We proudly serve Orange County and Greater Los Angeles. We are dedicated to serving the business valuation and forensic accounting needs of business owners, especially small business owners. We are also dedicated to serving the business valuation and forensic accounting needs of attorneys, CPAs and their clients. We are a solid alternative to high-priced business valuation and forensic accounting firms. We are a solid value. Contact us for a free consultation.