Frequently Asked Questions/ Computer Forensics
What does a computer forensic expert do?
The first rule of computer forensics is simple: do not alter the original evidence in any way. A trained examiner documents all work, write-protects all media (typically with a hardware write blocker), makes an exact bit-for-bit forensic copy of the media (often referred to as a mirror image or forensic image), verifies that the copy matches the original by comparing cryptographic hash values of both, performs the examination and analysis on the copy only, and prepares a written expert report. Copies are typically made for the client/attorney and for the opposing side, whose own computer forensics expert may analyze them.
What should be included in a forensic examination report?
As with the handling and examination of any evidence, a well-documented chain of custody is a must. An examiner should keep the notes taken during the examination in the case file. These notes are not included in the final report; however, they are subject to disclosure under the rules of discovery. The report should detail the hardware, the media, the procedures and software used, and the findings and conclusions. It should also record the hash values of the original media and of the forensic copy, so that anyone reviewing the work can confirm the evidence was not altered. Often the volume of evidence is so large that it cannot be included in printed form and is instead delivered to the client in a digital format (most often on CD or DVD). TMD provides an expert report on paper and on digital media, and places any relevant data/files on a write-protected CD or DVD for the client. The CD TMD delivers contains: a table of contents of every file on the media; detailed directions on how to view the files; software to view the files; the evidence/files presented in a "tree" format, as in Windows, so the client can "walk" the tree and click on a file to view it; and extra copies of the digital media for discovery purposes.
Who can allow a computer to be searched for evidence?
The lawful owner of a computer can give permission or consent to examine the data on the computer or digital media. A business or corporation may grant permission for a search of any of its computers, regardless of who uses them. In a typical civil dispute, both parties can agree to an examination, or the court can order one. In a criminal case the computer or media will usually have been seized by law enforcement first; defense counsel can often request copies of the seized media and have them examined by a computer forensics expert. If ownership is disputed, contact an attorney, who can explain what the applicable New Jersey and federal courts have ruled on these matters.
What happens when you "DELETE" a file?
Think of a card catalog in a library. When you delete a file, all the computer does is throw out the card from the card catalog; the actual book still remains on the shelf. The computer has only been told that the shelf space is available for use if needed. The card itself is usually not even destroyed: on FAT volumes the first character of the directory entry is replaced with a marker byte (0xE5), and on NTFS the file's MFT record is simply flagged as unused, so the name, size and timestamps frequently survive as well. Only if the computer later uses that space for new data is the actual file overwritten and truly gone. TMD can locate those "old books" (deleted files) and recover them in whole or in part, including fragments of files that have since been partially overwritten.
What is free space or unallocated space?
Unallocated (or free) space consists of clusters that the file system's table of contents (the FAT on FAT volumes, the MFT on NTFS volumes) does not show as in use by any file. The space is not allocated to any particular file, but it still holds whatever was last written there, including the contents of files deleted earlier. Recoverable deleted files reside in unallocated space, and files that were deleted and then partially overwritten can also be recovered from it, at least in part, by a computer forensic examiner. This is one of the most important areas for an expert to search on digital media.
What is file slack?
Files are rarely an exact multiple of the cluster size. When a file does not end on a cluster boundary, the space between the end of the file data and the end of its last cluster is unused by that file; this unused portion is called file slack. The operating system only zero-pads up to the end of the last sector it writes, so the remaining sectors of that cluster keep whatever data was stored there before. File slack can therefore contain data from previous files that were deleted or partially overwritten.
What happens when a user FORMATS a hard drive? Is my data really deleted?
Contrary to what many users think, formatting a hard drive does not erase the data on it. It may appear to the user that the data has been deleted, but in most cases it has not and merely remains hidden, and computer forensic experts can recover it with special forensic tools. A (quick) format of a FAT volume writes a new operating system boot record at the location specified in the partition table, clears the FAT entries by setting them to zero, and clears the root directory the same way. The data area remains UNTOUCHED and IS NOT overwritten during formatting. Two caveats: a full (not quick) format in Windows Vista and later does overwrite the volume with zeros, and on a solid-state drive the TRIM command can cause the drive to discard freed blocks on its own, so recoverability should not be assumed either way until the media has been examined.
How can I be sure data on my hard drive has truly been deleted?
TMD can ensure your hard drives are professionally "wiped clean" of any data by use of specialized forensic wiping software. TMD wipes data according to the Department of Defense data sanitization specifications. A proper wipe overwrites every sector of the drive, not just the file tables, and is then verified by reading the drive back; upon completion of this process the data is permanently deleted and cannot be recovered. (On solid-state drives, software overwriting cannot reach every flash cell, so the drive's built-in secure-erase command is used instead.) This is extremely important for law offices, businesses and corporations, as well as for any individual who wants data permanently deleted, whether for security or confidentiality, before donating a computer to charity, or before reusing a drive. Please see our DATA RECOVERY FEES section for the fees for TMD's secure data deletion service.
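The five answers above (deleting, unallocated space, file slack, formatting and wiping) describe one mechanism from different angles: only the tables change until the data area is actually overwritten. The Python model below is an added illustration written for this FAQ, not TMD's tooling or a real file-system driver. It assumes a FAT-like layout with 512-byte sectors and four sectors per cluster; the class and function names (ToyDisk, walkthrough, carve, slack, wipe) and the sample file contents are invented for the example.

```python
"""Toy cluster/FAT-style disk model: what delete, format, slack and wipe really touch.
Simplified model constructed for this FAQ, not a real file-system driver."""
import hashlib
import os

SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
N_CLUSTERS = 16
FREE, END_OF_CHAIN = 0, 0xFFF
DELETED_MARK = "\xe5"   # FAT flags a deleted directory entry by overwriting the first name byte with 0xE5


class ToyDisk:
    def __init__(self):
        self.fat = [FREE] * N_CLUSTERS               # the "card catalog": FREE, next cluster, or END_OF_CHAIN
        self.root = []                               # root directory entries: {name, first, size}
        self.data = bytearray(N_CLUSTERS * CLUSTER)  # the "shelves": the data area

    def _entry(self, name):
        return next(e for e in self.root if e["name"] == name)

    def write_file(self, name, payload):
        chunks = [payload[i:i + CLUSTER] for i in range(0, len(payload), CLUSTER)] or [b""]
        chain = [i for i, e in enumerate(self.fat) if e == FREE][:len(chunks)]
        if len(chain) < len(chunks):
            raise OSError("disk full")
        for n, (c, chunk) in enumerate(zip(chain, chunks)):
            start = c * CLUSTER
            self.data[start:start + len(chunk)] = chunk
            # The OS zero-pads only to the end of the last sector it writes (RAM slack);
            # any further sectors in the cluster (drive slack) keep whatever was there before.
            pad_end = start + ((len(chunk) + SECTOR - 1) // SECTOR) * SECTOR
            self.data[start + len(chunk):pad_end] = bytes(pad_end - start - len(chunk))
            self.fat[c] = chain[n + 1] if n + 1 < len(chain) else END_OF_CHAIN
        self.root.append({"name": name, "first": chain[0], "size": len(payload)})

    def delete(self, name):
        entry = self._entry(name)
        entry["name"] = DELETED_MARK + name[1:]   # the "card" is marked, not destroyed
        c = entry["first"]
        while c != END_OF_CHAIN:                  # release the chain; the data area is never touched
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt

    def quick_format(self):
        """Quick format: fresh table and root directory; the data area is left alone."""
        self.fat = [FREE] * N_CLUSTERS
        self.root = []

    def unallocated(self):
        return [i for i, e in enumerate(self.fat) if e == FREE]

    def carve(self, magic):
        """Signature search over unallocated clusters: (cluster, bytes from the signature to the first NUL)."""
        hits = []
        for c in self.unallocated():
            blob = self.data[c * CLUSTER:(c + 1) * CLUSTER]
            pos = blob.find(magic)
            if pos != -1:
                end = blob.find(b"\x00", pos)
                hits.append((c, bytes(blob[pos:end] if end != -1 else blob[pos:])))
        return hits

    def slack(self, name):
        """Bytes between the end of the file's data and the end of its last cluster."""
        entry = self._entry(name)
        c = entry["first"]
        while self.fat[c] != END_OF_CHAIN:
            c = self.fat[c]
        used = entry["size"] % CLUSTER or (CLUSTER if entry["size"] else 0)
        return bytes(self.data[c * CLUSTER + used:(c + 1) * CLUSTER])

    def wipe(self, passes=(b"\x00", b"\xff", None)):
        """Overwrite every byte of the data area (None = random pass), then a verified final zero pass."""
        for pattern in passes:
            self.data[:] = os.urandom(len(self.data)) if pattern is None else pattern * len(self.data)
        self.data[:] = bytes(len(self.data))
        self.quick_format()
        return not any(self.data)   # verification: every byte must read back as zero

    def image_hash(self):
        """SHA-256 of the data area; a forensic copy is trusted only once this matches the original."""
        return hashlib.sha256(self.data).hexdigest()


def walkthrough():
    """Delete -> recover -> reuse (slack) -> quick format -> recover -> wipe -> nothing, on constructed data."""
    disk = ToyDisk()
    disk.write_file("OLD.PDF", b"%PDF-1.4 old contract\x00" + b"A" * CLUSTER)  # spans two clusters
    disk.delete("OLD.PDF")
    after_delete = disk.carve(b"%PDF")          # table cleared, shelf intact: still recoverable
    disk.write_file("NEW.TXT", b"hello")        # reuses cluster 0 but rewrites only its first sector
    slack = disk.slack("NEW.TXT")               # zero padding, then the 'A's left over from OLD.PDF
    disk.quick_format()
    after_format = disk.carve(b"hello")         # format cleared the tables, not the data
    wiped = disk.wipe()
    after_wipe = disk.carve(b"hello")           # nothing left to carve
    return after_delete, slack, after_format, wiped, after_wipe


if __name__ == "__main__":
    print(walkthrough())
```

Running walkthrough() shows the deleted PDF header carved straight out of unallocated space, 507 bytes of zero padding followed by 1536 bytes of the old file in the new file's slack, the new file still recoverable after a quick format, and an empty carve result only after the wipe's verified overwrite.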
What is a Swap File?
The Windows swap file (called the page file, pagefile.sys, on modern versions of Windows) is space on the hard disk reserved for the operating system to do what is called paging. When physical memory runs short, Windows takes the least recently used pages of memory and writes them to this file so the RAM can be reused; the process is called swapping or paging, hence the name "swap file". The swap file is a single large file that can hold a huge amount of data (fragments of documents, e-mail, web pages and anything else that was in memory) of which the computer user has no knowledge. This data is temporary: each time the computer runs, parts of the swap file are overwritten, so the media should be imaged before the machine is started again. TMD ensures through sound forensic procedures that this data (if present) is located and searched for evidence pertinent to a given investigation or case.
What is METADATA?
Generally speaking, metadata is data that describes other data, typically the data contained in a file. The term also refers to information stored alongside a file's content. File system metadata includes the date and time the file was created, modified and last accessed. Application metadata embedded in the file itself (in Word documents, PDFs, photographs and many other formats) can tell a forensic examiner who the original author was, who last saved the file, how long it was edited and what software produced it, and some formats retain earlier revisions or deleted text. Metadata can be altered, so an examiner corroborates it against other evidence rather than relying on it alone.
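As an added example of application metadata (not the page's or TMD's code), the Python below reads the core properties of an Office Open XML document (.docx), which is a zip archive carrying its author and timestamp fields in docProps/core.xml, and runs the consistency checks an examiner would make: creator versus last editor, and a modified timestamp that precedes the created one. The sample documents are constructed in build_sample_docx() with invented names and dates; the function names audit and demo are this example's own.

```python
"""Extract author/editor/timestamp metadata from a .docx and flag inconsistencies.
Example written for this FAQ; the sample documents are constructed, not real evidence."""
import datetime
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{editor}</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx(path, creator, editor, created, modified):
    """Write a minimal .docx-shaped zip carrying the given core properties (constructed test data)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", CORE_XML.format(
            creator=escape(creator), editor=escape(editor), created=created, modified=modified, **NS))
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')


def parse_w3cdtf(value):
    """dcterms timestamps look like 2023-01-10T09:00:00Z; return a timezone-aware datetime."""
    return datetime.datetime.fromisoformat(value.replace("Z", "+00:00"))


def core_properties(path):
    """Read docProps/core.xml: who created the document, who last saved it, and when."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {"creator": text("dc:creator"), "last_modified_by": text("cp:lastModifiedBy"),
            "created": text("dcterms:created"), "modified": text("dcterms:modified")}


def audit(path):
    """Embedded metadata, the file-system modification time, and the inconsistencies an examiner flags."""
    props = core_properties(path)
    props["fs_modified"] = datetime.datetime.fromtimestamp(
        os.stat(path).st_mtime, tz=datetime.timezone.utc).isoformat()
    flags = []
    if props["creator"] != props["last_modified_by"]:
        flags.append("last saved by someone other than the creator")
    if props["created"] and props["modified"] and \
            parse_w3cdtf(props["modified"]) < parse_w3cdtf(props["created"]):
        flags.append("modified timestamp precedes created timestamp (clock change or tampering)")
    props["flags"] = flags
    return props


def demo():
    """Build one ordinary and one suspicious sample in a temp dir and audit both (constructed data)."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "memo.docx")
    build_sample_docx(clean, "A. Author", "B. Editor", "2023-01-10T09:00:00Z", "2023-02-01T17:30:00Z")
    bad = os.path.join(d, "tampered.docx")
    build_sample_docx(bad, "A. Author", "A. Author", "2023-02-01T17:30:00Z", "2023-01-10T09:00:00Z")
    return audit(clean), audit(bad)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The file-system time is reported next to the embedded timestamps deliberately: a document whose embedded "modified" date is years after the file-system modification time, or before its own "created" date, is a lead, not a conclusion, and is checked against other evidence.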
What is a "Keyword" Search?
A keyword search has the examiner's software scan the media for terms (keywords) supplied by the client or attorney, such as names, account numbers, e-mail addresses or project words. Unlike searching a catalog or index, a forensic keyword search reads the raw data, so it finds terms in live files, in deleted files, in unallocated space, in file slack and in the swap file, not only in documents the user can see. Keyword searching typically supports Boolean operators (AND, OR, NOT), truncation or wildcards, and case-insensitive matching. Two practical points: text on a Windows system is often stored as Unicode (UTF-16) rather than plain ASCII, so each term must be searched in both forms, and compressed or encrypted files must be expanded or decrypted before their contents can be searched.
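The swap file answer and the keyword search answer above meet in practice when a page file is searched for terms. The Python below is an added example written for this FAQ, not TMD's software: it reads a large binary in chunks, carries enough bytes over between chunks that a term straddling a chunk boundary is still found, and matches each keyword both as ASCII and as UTF-16LE, case-insensitively. The sample "page file" is constructed in build_sample() with three planted hits; keyword_search, snippet and demo are this example's own names.

```python
"""Keyword search over a raw binary (e.g. pagefile.sys): chunked, overlap-aware, ASCII and UTF-16LE.
Example written for this FAQ; the sample file is constructed, not a real page file."""
import os
import re
import tempfile

ENCODINGS = ("ascii", "utf-16-le")   # Windows keeps most in-memory strings as UTF-16LE


def compile_patterns(keywords):
    """Case-insensitive byte patterns for each keyword in each encoding, plus the longest match length."""
    pats = [(kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE))
            for kw in keywords for enc in ENCODINGS]
    longest = max(len(kw.encode("utf-16-le")) for kw in keywords)
    return pats, longest


def keyword_search(path, keywords, chunk_size=1 << 20):
    """Return sorted (absolute_offset, encoding, keyword) hits found anywhere in the file."""
    pats, longest = compile_patterns(keywords)
    overlap = longest - 1          # bytes carried over so a match split across chunks is still seen
    hits = set()                   # a set, because the overlap region is scanned twice
    with open(path, "rb") as f:
        base, tail = 0, b""
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            window = tail + block
            window_base = base - len(tail)
            for kw, enc, pat in pats:
                for m in pat.finditer(window):
                    hits.add((window_base + m.start(), enc, kw))
            base += len(block)
            tail = window[-overlap:] if overlap else b""
    return sorted(hits)


def snippet(path, offset, enc, width=24):
    """Readable context around a hit, decoded in the encoding the hit was found in."""
    start = max(offset - width, offset % 2)   # keep 2-byte alignment for UTF-16LE
    with open(path, "rb") as f:
        f.seek(start)
        raw = f.read(width * 2)
    text = raw.decode(enc, errors="replace")
    return "".join(ch if ch.isprintable() else "." for ch in text)


def build_sample(path):
    """Constructed page-file-like blob: deterministic filler with three planted hits,
    one of them (UTF-16LE at 4090) straddling a 4 KiB chunk boundary."""
    buf = bytearray((bytes(range(256)) * 64)[:16384])
    plant = {1000: b"Invoice 4471 approved", 4090: "invoice".encode("utf-16-le"), 9000: b"INVOICE"}
    for off, b in plant.items():
        buf[off:off + len(b)] = b
    with open(path, "wb") as f:
        f.write(buf)
    return sorted(plant)


def demo(chunk_size=4096):
    """Build the sample in a temp dir and search it; a small chunk size exercises the overlap path."""
    path = os.path.join(tempfile.mkdtemp(), "pagefile.bin")
    build_sample(path)
    hits = keyword_search(path, ["invoice"], chunk_size=chunk_size)
    return hits, [snippet(path, off, enc) for off, enc, _ in hits]


if __name__ == "__main__":
    for hit, ctx in zip(*demo()):
        print(hit, ctx)
```

Searching for "invoice" returns the hit at 1000 (mixed case ASCII), the UTF-16LE hit at 4090 that a naive chunk-by-chunk search would miss, and the upper-case hit at 9000; the result is identical whether the file is read in 4 KiB or 1 MiB chunks.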