FREQUENTLY ASKED QUESTIONS

Q: What types of "evidence" can Computer Forensics provide?
A: In order to efficiently process data, modern computers store large amounts of data to a network or system of hard disks. Much of this information is stored without the user being aware of its existence. This data may be in the form of actual files or information that the computer used to carry out a specific task. A few examples are user files, system files, deleted files, and system data that allow the computer to perform its tasks. Accessing the information provided by the computer is often the difference between "guessing" what happened and "knowing" what happened with a high degree of certainty.

Q: What takes place during a Computer Forensic Examination?
A: The basics are: safeguard and preserve unaltered digital media, process and recover data as required, analyze the recovered data, and report the findings. This may seem simple; however, these tasks require the Computer Forensic professional to be knowledgeable in a wide variety of technologies and in legal and investigative issues.

Q: What does Computer Forensics have to do with Litigation Support?
A: Computer Forensics is invaluable at discovering useful evidence on digital media. Today, most organizations store huge amounts of vital information on digital media instead of on paper or microfiche. The use of email has opened a new window into an organization previously unavailable to outsiders. Computer Forensics helps litigants discover these types of evidence found in electromagnetic media.

Q: Why can't my own Corporate Security Investigators conduct a Computer Forensic examination?
A: Most corporate security departments don't have examiners with the technical skills required to properly process digital evidence. Even with the assistance of corporate IT professionals, the integrity of the data evidence is frequently compromised because staff members lack the training and experience to properly handle and process it thoroughly.

Q. We have computer personnel in our company, why shouldn't we let them conduct the examination?

A. Although they may have a considerable amount of knowledge and experience with computers, maybe even data recovery, it's unlikely they have the requisite knowledge of the forensic procedures to find all the evidence, protect the data, and ensure the admissibility of evidence in civil or criminal trials. We take steps to safeguard the computer data; these steps require specialized training, hardware, and software. We have the training, experience, and tools to conduct a thorough examination of computer data and are able to interpret what we find.
In addition to the lack of skills, hardware and software, using a company employee can open you up to allegations of fabricating evidence and other impropriety. We're an independent firm with integrity as the cornerstone of our company.

Can your employee qualify in court as an expert in the forensic examination of a computer? Probably not. Assuming their findings were not suppressed, they would only be allowed to testify to facts. They would not be allowed to testify to opinions or conclusions as a qualified expert witness in court.

We've received computers to examine after a company's computer personnel have attempted to recover evidence from them. In their attempts they have destroyed important evidence such as the date that files were last accessed. Our forensic procedures are designed to safeguard every bit of evidence.

Q. We're working with a Private Investigative company. Can't they examine the computers for us?
A. While there are many tens of thousands of Private Investigators around the country, the examination of computers is far beyond the skills and training of most. There are many specialties in Private Investigation; just because an investigator has excellent credentials for conducting financial investigations does not mean that they are qualified to examine computers. If you are going to pay someone to recover computer evidence, pay a professional examiner. Using our expertise and forensic tools, we can recover evidence that others wouldn't even know to look for.

Q. Can we use a data recovery firm for doing computer forensics?
A. Some data recovery firms may have qualified forensic examiners; most do not. While some of the same skills and software are used in both computer forensics and data recovery, computer forensics requires extensive additional knowledge and experience. Remember, a forensic examiner is not only finding the data, but is also providing expert analysis of what they find. This expert opinion must be capable of standing up under intensive cross-examination. Likewise, you need to know the qualifications of the person(s) that will actually perform the examination rather than the collective qualifications of all of the examiners at the company. When it comes time for testimony, the individual examiner's qualifications, not the company's, will be under scrutiny.

Q. We already have a relationship with one of the Big 5 accounting firms that says they can do computer forensics. Should we hire them?
A. There are some excellent forensic examiners working for the Big 5 accounting firms. There are also some unqualified individuals being passed off as qualified. As with a data recovery firm, the qualifications of every individual that will be involved in your case must be known in advance.

Q. We don't plan on going to court. We're just looking for what an employee has been utilizing a computer for. Isn't it okay to use in-house computer personnel to do this?
A. If your concerns are strong enough to warrant the examination of a computer, then isn't it important to do it right? If the employee is fired or disciplined as a result of the examination, civil litigation will likely follow. We can provide you with the documentation and expert testimony necessary to substantiate your actions. Our experience allows us to not only find the evidence, but to interpret its meaning.

Q. Why should we choose you to examine our computer?
A. We have years of experience in the cost-effective recovery of computer data, forensic analysis, providing expert testimony in court and other computer-related matters. Our clients include corporations of all sizes and public agencies. Our success is a result of knowing as much as possible about the case in advance. Combined with our experience, this lets us analyze the evidence and reveal certain information. This information is compiled into a report and sent to the client, and additional case strategy is formulated. We hold discussions about our findings and present suggestions for developing other leads or recommend that no further work be done on the evidence.

Q. What does it cost?
A. We charge $400/hour for forensic analysis or expert witness testimony and require a minimum $4,000 retainer. An average examination generally takes between 15 and 30 hours, though this can vary in either direction, depending on the matter. Factors that affect the amount of time required include: the amount of data searched (i.e. hard drive size), volume of material, number of search hits, encryption, intentional hiding of data or deletion, and attempts at destroying data. There are also economies of scale when multiple hard drives are searched concurrently under a single case. Please call us for more details; there is no charge for the initial consultation.





© 2002-2014 Computer Forensics International | (310) 277-0660 | info@cf-intl.com

