Computer Forensics: What's Every IT Organization Should Know

Part 3

Frequently asked questions

1. Q: How do I preserve the status quo without ordering a party to stop using its systems?
A: If you suspect an employee of harmful or illegal activity, you need to have a certified forensic examiner come in and make a forensic copy of the data on their PC. Since you do not want to alert the employee to your suspicions, it is best to do this "after hours" or as part of a maintenance/update procedure. The examiner can then search the forensic copy to determine if there is any suspect activity.

2. Q: A party wants to make "Ghost" images of the drives. Are those forensically sound?
A: While there are many software tools to make copies of drives, the safest way to proceed is to invest in a certified forensic examiner. You want to avoid at all costs ANYTHING that will alter the data on the drives being copied. This will ultimately come back to haunt you in court.

3. Q: What devices and media should be considered for examination?
A: The simple answer is everything. In today's BYOD world, data can reside on any number of devices. Even game systems! Therefore when asking to perform a legal search, make sure the warrant or court order includes any possible device that has the capability of storing data. Also, do not forget to include remote devices as well.

4. Q: How intrusive is a computer forensic examination?
A: If done properly by a forensic professional, making a forensic copy of data is very unobtrusive and very difficult for the suspected employee to detect.

5. Q: What does it cost?
A: Just pennies a day. In all seriousness, it is hard to put a price range on a computer forensic examination. There are many factors that can affect the price. The number and size of the drives, the condition of the drives, is there a reference hash database available, is it known what files are being searched for, and many more. The best advice is to call a computer forensic company and discuss it with them. After an initial consultation most companies will ask for a retainer up front, so be prepared.

RFC v. DeGeorge Financial Case Studyy

This litigation involved cross-claims for breach of contract. RFC was asked to retrieve and produce relevant emails from their back-up tapes for the period covering October through December of a specific year. RFC's in-house legal counsel determined that RFC did not have the internal resources necessary to retrieve the emails from the back-up tapes in the permitted time frame. So, RFC retained the services of Electronic Evidence Discovery, Inc., to assist RFC in the email retrieval project.
After several weeks using standard recovery techniques, RFC produced 126 emails dating from January through early August and 2 emails from September. There were no emails produced from October to December, which was the critical factual time period. RFC claimed that the lack of responsive emails from the relevant time period was either because there were no responsive emails from that date or because they did not exist on the accessible back-up tapes.
DeGeorge then asked RFC for a copy of the back-up tapes so they could have their own vendor at-tempt to retrieve the emails. That vendor was the ACE Data Group. Within four days of obtaining the tapes, ACE Data Group had located 950,000 emails on the November and December tapes. They began forwarding printed emails to RFC's counsel for review and production. Because of time pressure, the parties agreed that RFC would produce all of the 4,000 emails that De-George had been able to print out, which they did so later in court.


While this article has just scratched the surface in regards to the wide world of computer forensics, I hope it has been informative. The main emphasis is that whenever you suspect employee activity that may be illegal or harmful to the company, contact a certified forensic examiner and discuss it with them. The investment could very well mean the difference between winning or losing in court. If you would like to contact me about this article, feel free to email me at:


[1] National Institute of Standards and Technology, "National Software Reference Library," , January 2010.
[2] SHS, "Secure hash standard," 1995. [3] U.S. Department of Justice, United States Attorney' Bulletin, January 2008
[4] Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99 (2d Cir. 2002)
[5] Frank Breitinger and Harald Baier, "Security Aspects of Piecewise Hashing in Computer Forensics", 6. GI FG SIDAR Graduierten-Workshop über Reaktive Sicherheit.

Appendix A: Commercial Vendors Mentioned in this Article

AccessData Corp.
Orem, Utah

Guidance Software
Pasadena, California