Frequently Asked Questions
Digital forensics is the process of identifying, preserving, collecting, analyzing, and reporting on digital evidence all while maintaining a proper chain of custody.
Anytime there is the chance that electronically stored information such as an email or deleted file will be used as evidence in a court of law. While it is never in the client’s best interest to ignore relevant sources of evidence, disregarding digital evidence is not only antiquated but may be a basis for ethical violations and malpractice claims. Please contact your state bar association for details.
If opposing counsel has retained a computer expert, then it is important that their testimony be peer reviewed to ensure accuracy. A proper legal strategy will consider not only the evidence discovered by your side, but a careful scrutiny of the opposition’s evidence.
Stop using the device containing the digital evidence immediately. If the device is powered off, then leave it turned off. If it is on, then leave it on. Remove the device from the Internet by unplugging the network cable if it has one or turning off the wireless antenna. Refrain from any other activity on the device. Contact Deadbolt Forensics® as soon as possible to preserve the digital evidence. Time is of the essence since leaving a computer turned on can gradually destroy evidence as the operating system writes data to disk as part of its normal operation, even if no one is logged in. This will destroy deleted files which could otherwise be recovered using forensic techniques. If the target device is under the control of opposing counsel, a notification of the duty to preserve electronic evidence should be sent as soon as possible.
The amount of time necessary to acquire the evidence depends on the device storing the data. Four hours is a rough estimate with more time required for large or slow devices. If the storage is attached to a critical server that is in use and cannot be taken offline, then a live acquisition can be performed without incurring any downtime. The tradeoff is that this will usually take longer and is not as clean since the evidence is changing as it is being acquired. As for the actual analysis and delivery of the findings, this depends on the evidence being examined. Typically clients receive these results within 4-7 business days of collection.
Deadbolt Forensics® is available to assist you 24 hours a day if an immediate onsite forensic acquisition is required.
Deadbolt Forensics® will accept all types of cases including civil, criminal, plaintiff, and defense work.
Computers keep track of files using a Table Of Contents (TOC) similar to the one you find at the beginning of a book. Without this feature, the computer would have to scan every file on the system whenever you opened a document since it wouldn’t know where to look. Imagine trying to find a chapter on torts in a legal textbook without the TOC or an index. You’d be forced to flip through each page until you found the right section. Clearly the TOC improves the performance of locating files, but it is also used to speed up the deletion of files. When a file is deleted, the computer erases the entry in the TOC for the file rather than deleting the file itself since this is much faster. At this point, if you were to look for the file using your file manager it would appear to be deleted since there is no entry in the TOC. Forensic software would still be able to find the file since these tools ignore the TOC and examine the storage directly. A file whose entry has been removed from the TOC will eventually be truly deleted when a new file is stored directly on top of the old one and overwrites its data. Formatting a disk creates a new TOC, which removes all files from the current TOC and makes them appear deleted. Most formats are quick formats, which means the actual files themselves are not deleted and can be recovered by ignoring the TOC and scanning the storage directly. Some disk wiping software will actually delete both the TOC entry and the contents of a file, deleting it for good. Fortunately, these secure deletion programs often leave timestamped evidence of their use, which makes it easy to prove spoliation of evidence in these cases.
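The following toy disk model, added here as an illustration and not code from Deadbolt Forensics, walks through the behaviour described above: a normal delete only removes the TOC entry, carving the raw data area still finds the file, a later write overwrites it, a quick format empties the TOC but leaves the data, and a secure wipe zeroes the blocks while leaving a record of its own use. The block size, file names, contents and the wipe log are all constructed for the example.

```python
"""Toy disk model (constructed example): a 'table of contents' plus a raw block
area, showing why deleted and quick-formatted files remain recoverable."""

BLOCK_SIZE = 16   # constructed: tiny blocks keep the example readable
NUM_BLOCKS = 8


class ToyDisk:
    def __init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]  # raw data area
        self.toc = {}           # file name -> list of block numbers (the TOC)
        self.activity_log = []  # stands in for the timestamped traces a wiper leaves

    def _free_blocks(self):
        used = {b for blocks in self.toc.values() for b in blocks}
        return [i for i in range(NUM_BLOCKS) if i not in used]

    def write(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = self._free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        chosen = free[:needed]
        for i, b in enumerate(chosen):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.toc[name] = chosen

    def delete(self, name):
        # Ordinary delete: only the TOC entry goes; the block contents stay untouched.
        del self.toc[name]

    def quick_format(self):
        # Quick format: a fresh, empty TOC, data area left as-is.
        self.toc = {}

    def secure_wipe(self, name):
        # Wiping tool: zero the blocks, then remove the entry; the tool's run is logged.
        for b in self.toc[name]:
            self.blocks[b][:] = b"\x00" * BLOCK_SIZE
        del self.toc[name]
        self.activity_log.append(("secure_wipe", name))

    def list_files(self):
        return sorted(self.toc)

    def carve(self, marker):
        """Forensic-style carving: ignore the TOC and scan every block for a marker.
        (This toy only matches markers that fall inside one block.)"""
        hits = []
        for i, blk in enumerate(self.blocks):
            raw = bytes(blk)
            if marker in raw:
                hits.append((i, raw.rstrip(b"\x00")))
        return hits


def run_scenario():
    """Walk through delete, overwrite, quick format and secure wipe on the toy disk."""
    disk = ToyDisk()
    results = {}

    disk.write("memo.txt", b"MEMO: sell shares")        # 17 bytes -> blocks 0 and 1
    disk.delete("memo.txt")
    results["listed_after_delete"] = "memo.txt" in disk.list_files()
    results["carved_after_delete"] = disk.carve(b"MEMO:")  # still found via the raw blocks

    disk.write("notes.txt", b"NOTES: unrelated")        # 16 bytes -> reuses block 0
    results["carved_after_overwrite"] = disk.carve(b"MEMO:")  # memo header is gone
    results["orphan_fragment"] = bytes(disk.blocks[1]).rstrip(b"\x00")  # tail of the old memo survives

    disk.write("ledger.csv", b"LEDGER,1,2,3")           # -> block 1
    disk.quick_format()
    results["listed_after_format"] = disk.list_files()
    results["carved_after_format"] = disk.carve(b"LEDGER")

    disk.write("secret.txt", b"SECRET plan")            # TOC is empty again -> block 0
    disk.secure_wipe("secret.txt")
    results["carved_after_wipe"] = disk.carve(b"SECRET")
    results["wipe_log"] = list(disk.activity_log)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The `carve` method is the part that matters for the discussion: it never consults `toc`, so a file that the file manager no longer lists is still found until another write lands on its blocks, and even then a fragment in a block that was not reused can survive.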
Encryption is difficult to implement and hard to use correctly. As a result, vendor and user mistakes provide several methods for recovering passwords depending on the type of protection used. Oftentimes there are unencrypted copies of the target file scattered throughout the system, making it unnecessary to break the encryption at all. Also, the court may order the user to surrender all passwords for the computer in question.
Files currently on the system, recently deleted files and excerpts from files deleted long ago. Usage information for each of those files, such as knowing that a specific Word document was edited on a specific date at a specific time. User activity, including exact times the computer was being used and what events were taking place such as plugging in a portable hard drive or USB memory stick. Internet usage history, including a list of all websites visited as well as copies of many of the visited pages.