Forensics FAQ

Computer Forensics Frequently Asked Questions

What is computer forensics? – Computer Forensics can be defined as the discovery process where data and metadata are analyzed and interpreted to reconstruct events. Metadata is data about the data. Sometimes metadata is not plainly visible, but generally is of utmost importance and every effort must be made to recover, analyze, and understand it. As businesses have transitioned from keeping documents and records on paper to electronic storage, the field of computer forensics has grown in importance. These days, computer forensics, electronic discovery, and electronic evidence analysis and investigation are a critical part of litigation, both civil and criminal. The retrieval of evidence maintained in electronic storage is critical in order to reconstruct the events that occurred and the actions of the parties. A significant portion of this electronic evidence may be hidden or obscured, whether by the nature of the technology or by the actions of an individual, corporation, or law enforcement.

Is electronic evidence contained only in computers? – No. As the use of “smart” devices becomes more common, the number of devices that may contain electronic evidence has expanded. Electronic evidence is frequently found in computer networks (network forensics), Internet and cloud storage (Internet forensics), hard drives, external storage devices, tablet computers, iPads, PDA’s, and cell phones, including Android phones, iPhone, Blackberry, Windows phone, and others.

What type of cases require the services of a computer forensics expert? – It is hard to think of any cases where the involvement of a competent computer forensics expert is not justified. If data stored in a computer network, the Internet, hard drives, pen drives, tablet computers, or smartphones can be relevant to the case, only a competent computer forensics expert can forensically extract this data in a matter that preserves the data and its admissibility. The e-Discovery process is important in both civil and criminal cases. This process involves the investigation of computer systems or other electronic devices to determine whether the system was used for illegal, unauthorized, or other legally actionable activities. The data recovered from these devices can be used as evidence in various types of civil and criminal cases, for example Intellectual Property disputes, sexual harassment cases, labor disputes, employment cases, divorce, child custody, computer hacking, use of business property for personal use, Internet sexual crime cases (such as possession of child pornography or solicitation of a minor), RICO violations, and others.

What is the role of the computer forensics expert? – A computer forensics expert may be retained as an expert witness if the engagement results in court testimony. The computer forensics expert may also serve the role of litigation support. In that capacity, the computer forensics expert recovers, identifies, preserves, investigates, and presents the information maintained in electronic storage. The result of the computer forensics expert’s findings could be critical in formulating a litigation strategy. In this capacity, AVM Technology stands out from other computer forensics experts. With our litigation experience both from a legal and technical perspective, we can assist attorneys and parties in planning the case and identifying the best possible presentation of the evidence discovered by the computer forensics expert. Sometimes this role may involve an AVM Technology computer forensics expert testimony, or our consultation in deciding whether it is appropriate to settle a case.

AVM Technology utilizes both commercial our own custom proprietary tools to facilitate the process of data recovery , reconstruction of events, and analyze data. The data can be contained in electronic storage in computer files, emails, audio, and the Internet. We assist the litigation effort by presenting complex technical subjects in a condensed and coherent format that can be used by an attorney to prepare the case and also be understood by a lay jury.

Given our legal experience, we have the required expertise to ensure that we recover the electronically stored evidence in a sound forensic manner. A faulty recovery process can otherwise cause the electronically recovered evidence to be inadmissible in court. It is important to find the evidence but it is just as important for the computer forensics expert to recover the evidence in a way that preserves its admissibility. Our testifying and non-testifying litigation support expertise includes, without limitation:

Drafting an Electronic Discovery Protocol, reconstruct the use of a computer or other electronic device, including the Internet history, describe a time line of events, identify and address spoliation of evidence, retrieve and reconstruct files, e-mails, and important computer activity logs, open password protected and encrypted files by defeating the passwords, create a repository of the electronically stored evidence, maintain and document the chain of custody, find files and data even when the data has been deleted or concealed, locate important hidden financial documents, reconstruct phone logs, including calls and text messages, computer forensics expert witness testimony, and computer forensics expert witness rebuttal (counter-forensics expert).

An important part of the computer forensics expert’s role during the litigation process involves identifying devices that may contain electronically stored information relevant to the claims or defenses of the parties to the case. During the litigation discovery process, each side must produce documents that contain specific search terms or search parameters. AVM Technology’s expertise in both law and Information Technology provides us with unique expertise in identifying, preserving, and analyzing storage devices containing evidence within a network that could be home based or located in a business environment. AVM Technology’s specialized knowledge of the arrangement of data and metadata (data about data) assists the legal team and the attorney in propounding effective electronic document requests (whether interrogatories or requests for production of documents) as well as verifying compliance by the opposing party. Sometimes an AVM Technology computer forensics expert may testify in Court during a hearing regarding a Motion to Compel. Our role during the litigation process will also include validating the evidence obtained during the computer forensics investigation and during the discovery process. Often, evidence obtained from the opposing party may need to be analyzed and examined competently to ensure that spoliation has not occurred. During our data collection process, an AVM Technology computer forensics expert creates forensic copies of all evidence to ensure preservation up to the trial and beyond. We utilize commercial and custom computer forensic software and tools that have been accepted and validated by the courts. This ensures that the data obtained by the computer forensics expert is admissible at trial.