Forensic Strategy Data Recovery Newsletter: Vol 1 Issue 1

Forensic Strategy Newsletter fss at forensicstrategy.com
Mon Apr 14 20:13:35 UTC 2003


***********************************************************************
Forensic Strategy Data Recovery Newsletter              Vol. 1, Issue 1
***********************************************************************

--------- EDITOR'S NOTE -----------------------------------------------
The intent of this newsletter is to educate and inform attorneys about 
basic computer forensics for cases that involve personal computers or 
computer evidence.  Utilizing the services of a computer forensics 
specialist can eliminate problems that often occur when forensics is of 
significant importance to a case: timing, the handling of the data and 
the possibility of evidence being destroyed.

-------- IN THIS ISSUE: -----------------------------------------------

1. COMMENTARY
     - Computer Forensics 101: What is Computer Forensics?

2. SPONSOR
     - Varidev Technology Solutions

3. UPCOMING NEWSLETTER ISSUES
     - Items you can look forward to in future issues!

4. CONTACT US
     - For more information on Forensic Strategy Services.

-----------------------------------------------------------------------


1. ==== COMMENTARY ====

* COMPUTER FORENSICS 101: What is Computer Forensics?
     By: Scott Moulton, Computer Forensic Specialist
         mailto:scott at forensicfirm.com

Forensics, as it relates to computers and data, is the collection and 
preservation of data to investigate or establish facts for any type of 
legal purpose. For each case, computer forensics can involve many 
different types of material, which can be gathered from dozens of 
sources. Information can be limited to what exists on a hard drive, or 
may even include data from the Internet, tapes, CDs, disks or printouts 
made by a specific computer.

Computer forensics is an emerging specialty that has no defined 
criteria. This makes it difficult to find a person with the knowledge, 
experience and skills needed to be an expert in this area. Colleges are 
beginning to recognize this as a growing field and are adding degrees 
and certification programs to their curriculum.

With the speed at which the computer industry changes, it is often a 
struggle for the legal profession to keep up with all of the new laws 
established to convict criminals who use technology as a weapon. It is 
equally challenging to locate a knowledgeable computer specialist who 
has the interest, expertise and skills in fields other than computer 
science. Consequently, a computer forensic specialist who has skills in 
other disciplines, such as accounting and/or law, will deliver better 
results, meaning more useful and credible evidence for you.

Methodologies are a set of processes that can be applied to any 
situation. While the tools or items used to lay the groundwork for the 
discovery phase may vary, the methodology remains the same.  Some of 
these methods are still being developed in the area of computer 
forensics. Changes are frequent because of new laws that govern the 
way processes are completed. Other changes are due to ever-evolving 
technology and the ability to completely remove two or three processes 
with new software or hardware.

Qualified computer forensic specialists will spend considerable time 
staying in front of the new technology curve.  It takes an extreme 
amount of work to keep up with the changes in the computing industry, 
as well as with issues involving the law. This is the type of expertise you 
should seek for assistance with cases requiring computer forensics.

Most lawyers have little knowledge about computers and will need 
guidance as a case develops. They will continually need to discuss the 
case with a computer forensic specialist and review new material even 
when it seems unnecessary.  When dealing with computers and data, the 
process of understanding what is achievable and what isn't requires an 
advanced understanding of technology generally not found outside the 
professional computer security community.  Not only must the computer 
forensic specialist assist the attorney with what can be done, but they 
must also stand as a credible witness under the pressure and scrutiny 
of cross-examination.

During the discovery phase of a case, being a forensic computer 
specialist can be compared to being a Private Investigator, except that 
the subject matter is mainly computers and electronic data. 
Discovery often involves several passes at the data. As new facts are 
revealed about the case, the old data will need to be reviewed to see 
what has been discovered and how it is applicable to the case. In some 
cases, knowing what happened is more important than the actual data 
itself.

Example #1:
In a divorce case, a court order was given to the husband with 
instructions not to delete or destroy any data. The computer was to be 
picked up by a forensic investigator and reviewed for evidence per the 
court order. The husband promptly went home and deleted everything on 
the computer he thought would be incriminating.  After the computer was 
examined, it was proven that he purposely deleted data after the court 
order. Since he violated the court order, this case could have easily 
escalated into more than just a divorce case for the husband. When the 
opposing attorney confronted the husband with this fact, the husband 
quickly decided to settle out of court and agreed to his soon-to-be 
ex-wife's demands.

Example #2:
The majority of work is often discovering how to look at the 
information and display it so that it makes sense to laymen. This also 
includes educating the attorney about the technical details so they can 
decide how to approach the case. It is of no value if the information 
is so complex that it cannot be explained clearly.

In a recent case, a CD was stolen from a company. During the discovery 
period of the case, the defendant was ordered to make an EXACT copy of 
the original CD and deliver it to the plaintiff the same day.

It was noted that one of the files had been changed on the CD. On the 
CD there were several files that amounted to 500 megabytes. This brand 
of CD was only able to hold 650 megabytes. The specific file in 
question was a 200 megabyte file.

The defendant's claim was that the CD was a CDRW (ReWritable CD) and 
that the file changed while viewing the CD. In this instance the 
changed file could not overwrite the existing file, but would be 
appended to the CD. As there was only 150 megabytes left, there was not 
enough space to append a 200 megabyte file. The defendant would have 
needed another 50 megabytes in order to make a change to the file on 
the same CD. Therefore, this was not an exact copy of the same CD that 
was taken.

Only a computer specialist with experience with a ReWritable CD would 
have realized this was not possible. The opposing attorney initially 
accepted the explanation; however, the computer specialist on the team 
revealed that evidence had been tampered with.

More examples and experiences will be discussed in future issues. If 
you are interested and would like to continue to receive our 
newsletter, please see our website to sign up for a FREE subscription 
at: http://www.forensicstrategy.com/contacts.asp


-----------------------------------------------------------------------

-------- Sponsored by Varidev Technology Solutions --------------------

Varidev Technology Solutions can develop solutions to help your 
business operate more efficiently. Varidev is your complete business 
technology resource for front-end and back-end database development 
using Microsoft .NET Technology.  Varidev has made operations much more 
efficient for companies like Six Flags and Georgia Pacific, and they 
can do it for you. Check out amazing demos at http://www.varidev.com

----------------------------------------------------------------------- 


3. ==== UPCOMING NEWSLETTER ISSUES ====

* What items are usually found in data recovered
* Equipment used for Forensic Storage of Data
* Details of Forensic Data Gathering

4. ==== CONTACT US ====

* TECHNICAL QUESTIONS: mailto:info at forensicstrategy.com

* COMMENTS OR QUESTIONS ABOUT THIS NEWSLETTER:

    To suggest a topic for a future issue or to send a comment to
    the editor email: mailto:comments at forensicstrategy.com

* WEBSITE: http://www.forensicstrategy.com

* MAILING ADDRESS/PHONE/FAX:
     Forensic Strategy Services, LLC.
     601B Industrial Court
     Woodstock, Georgia 30189
     ph: 770.926.5588
     fax: 770.926.7089

* WOULD YOUR COMPANY LIKE TO SPONSOR A
     FORENSIC STRATEGY DATA RECOVERY NEWSLETTER?
     Send us an email at mailto:sponsor at forensicstrategy.com

-----------------------------------------------------------------------

To receive the latest information about forensic computer technology 
and news SUBSCRIBE to our FREE email newsletter: 
http://www.forensicstrategy.com/contacts.asp


Thank you for reading The Forensic Strategy Data Recovery Newsletter.

__________________________________________________________
Forensic Strategy Services, LLC. 2003



