Forensic Investigator & Auditing
If you have been the victim of fraud or a financial crime, a forensic investigation can find the criminals responsible and can halt further loss. Forensic , also known as financial investigation, uses intelligence-gathering techniques, accounting, business, and communication skills to provide information and evidence that can be used by attorneys involved in criminal and civil investigations.
Common scenarios include:
- Employee internet abuse
- Unauthorized disclosure of corporate information and data (accidental and intentional)
- Industrial espionage
- Damage assessment (following an incident)
- Criminal fraud and deception cases
- Protection, no-contact or anti-harassment orders that either clearly express, or have incorporated by law, that telephone, e-mail or other types of electronic communications are included
- More general criminal cases where computers are alleged to be an instrumentality of crime and information stored on computers is evidence of crime(s) or potentially exculpatory evidence (many people store information on computers, intentionally or unwittingly)
Frequently Asked Questions
Q: What is Computer Forensics?
A: There are several definitions. However, most will include the following concepts, even if stated somewhat differently: Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve digital information in a manner that allows it to be used as evidence.
Q: What are some of the forensic terminologies clients are exposed to when working with an examiner?
A: Our forensic examiners work with our clients to ensure they understand the significance of the artifacts identified within the electronic evidence. If the client does not understand the significance, then the jury will not understand either! A glossary of commonly used forensic terms is provided by our staff.
Q: What is the difference between computer forensics and digital forensics?
A: Generally, the concepts overlap, but digital forensics may be the more contemporary expression and more inclusive, recognizing forensic services directed at more types of devices besides those that have been traditionally considered computers, such as cell phones, landline phones, cameras, sound recorders, personal digital assistants, networks including the internet and world wide web and others.
Q: What is evidence?
A: Any matter of fact that tends to prove or disprove an element in a lawsuit. A system of rules and standards is used to determine which information is reliable, authentic and relevant, whether it may be admitted as being more probative than prejudicial, and to what extent a judge or jury may consider that information (weight) as proof of a particular fact element in a lawsuit.
Q: What kinds of cases may have need of computer forensic evidence?
A: A forensic investigation can be initiated for a variety of reasons. The most high-profile are usually criminal investigations or large-scale civil litigation, but digital forensic services can be of value in a wide variety of situations. About 85% of all corporate data is stored electronically, more than 93% of new data is stored electronically, and approximately 75% of this information may never be printed. Consequently, in almost every legal matter, critical and relevant evidence can reasonably be expected to be stored electronically. Proper collection and examination of this evidence is critical to preserve the evidence and to manage cost. Acting proactively may be necessary and appropriate to avoid accusations of spoliation in discovery. Computer forensics is the methodology used to ensure that electronic evidence is properly acquired and handled. It is well documented in the media that computer or digital evidence has provided the "smoking gun" in high-profile cases. With most new information in businesses of all sizes being created, stored and transmitted on computer systems, it is necessary to consider what digital evidence may exist in every case.
Q: How is a computer forensic investigation approached?
A: It's a combination of art and science. However, very broadly, the main phases are: secure the subject system (from tampering during the operation); take a copy of the hard drive or other mass storage media (as appropriate); identify and recover all files (including those deleted) and slack space; access/copy hidden, protected and temporary files; study 'special' areas on the drive; investigate data/settings from installed applications/programs; assess the system as a whole, including its structure; consider general factors relating to the user's activity; create a detailed report. It is important to stress that a detailed log of the examiner's activities is maintained throughout the examination.
Q: Is there anything that should NOT be done during an investigation?
A: It is important to avoid modifying the data. Even date/time stamps may be sources of relevant information in a case where the questions that need to be answered relate to when something happened. (Rebooting may cause files to update and compromise the quality of evidence that can be recovered.)
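The integrity checks behind "take a copy", "avoid modifying the data" and "keep a detailed log" can be sketched as follows; this is an added example, not this firm's tooling or procedure. The names `sha256_file`, `ExaminerLog`, `verify_copy` and `demo` and the sample file are hypothetical, and it works on an ordinary constructed file rather than on a drive image taken with imaging hardware.

```python
import hashlib, json, os, shutil, tempfile, time
from pathlib import Path

def sha256_file(path):
    """Stream a file opened read-only and return its SHA-256 hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(1 << 20):
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ExaminerLog:
    """Activity log; each entry stores the hash of the entry before it."""
    def __init__(self):
        self.entries = []
    def record(self, action, **details):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "action": action, "details": details, "prev_hash": prev}
        self.entries.append({**body, "entry_hash": _digest(body)})
    def verify(self):  # False if any entry was edited or the chain is broken
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or e["entry_hash"] != _digest(body):
                return False
            prev = e["entry_hash"]
        return True

def verify_copy(source, copy, log):
    """Hash source and working copy; confirm the source mtime did not move."""
    before = os.stat(source).st_mtime_ns
    src_h, copy_h = sha256_file(source), sha256_file(copy)
    same_mtime = os.stat(source).st_mtime_ns == before
    log.record("verify_copy", source=src_h, copy=copy_h, same_mtime=same_mtime)
    return src_h == copy_h and same_mtime

def demo():  # constructed sample: a small stand-in "evidence" file in a temp dir
    log = ExaminerLog()
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d, "evidence.bin"), Path(d, "working.bin")
        src.write_bytes(b"constructed sample data\n" * 1000)
        shutil.copyfile(src, dst)
        good = verify_copy(src, dst, log)
        dst.write_bytes(dst.read_bytes() + b"x")  # simulate an altered copy
        return good, verify_copy(src, dst, log), log
```

The chain detects edits to recorded entries; entries dropped from the end are only detectable if the latest `entry_hash` is also noted somewhere outside the log.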
Q: How much do computer forensic investigations typically cost?
A: The cost of a computer forensic investigation varies greatly, depending on the number and types of systems involved and the complexity of the recovery of evidence. The proper framing of the questions to be answered is critical to the management of examinations. A complete examination of a single terabyte hard drive may involve over 200,000,000 pages of electronic information and may take from 15 to hundreds of hours or more, depending on the amount of data, types of data, condition of the media and data, and the questions to be answered.
A reasonable quote can be obtained prior to the start of the examination if complete and accurate information about the systems is available to the examiner, and the scope of the examination is clear (i.e. the questions that need to be answered). This time could increase or decrease, depending upon the type of operating system used, the type of data contained within the system, and the size and amount of data in question.
The hourly rate for computer forensic examiners generally ranges from under $100 per hour up to $600 per hour. At XSBG Inc., our examiners' hourly rates vary from $200 per hour up to $375 per hour, depending upon the specific service required. In most instances, examination and reporting can be completed in less than 20 hours, and the total analysis usually totals less than $8,000.00 for a single hard drive.
We charge a reduced hourly rate for equipment operation time if our personnel are not actively involved in that process but are periodically monitoring it (typically, for one system, this fee is $30.00-50.00 per hour).
Q: Can evidence be recovered from BlackBerrys, PDAs, cell phones, recorders and digital cameras?
A: Yes, evidence can be extracted from virtually any electronic device or component that has non-volatile memory.
Q: Should you retain a company/team of digital forensic examiners or a solo practitioner?
A: Under some circumstances, retaining a single digital forensic examiner may be appropriate if he/she has expertise on the specific system/device you are concerned with getting evidence from, and you are certain that there will be no other devices or systems involved that would require a quick expansion of the areas of expertise involved. If the case has the potential to involve other devices or systems outside the expertise of the forensic examiner, a team with diverse backgrounds and specialized experience is more likely to provide the capability to rapidly handle the previously unidentified system(s).
Additionally, a team gives the assigned forensic examiner sources to consult with if problems come up that merely require a quick look or a short consult to address (but for which you would not want to have to retain another examiner to address).
Q: In what types of cases can a digital forensic examiner make a contribution?
A: Virtually any type of case can potentially require the services of a digital forensic examiner, some examples include: Criminal Defense, including Fraud, Embezzlement, Harassment, Identity Theft, Sex Crimes, Military; Administrative; Civil Litigation including Civil Rights, ADA, Corporate, Construction, Communications, Employment, Education, Environmental, Intellectual Property, Maritime, Medical Malpractice, Securities, Bankruptcy, Health Care, Probate, Real Estate, Insurance, Sexual Harassment, Discrimination, Labor, Landlord-Tenant, Torts, including Personal Injury, Employment, Workers' Compensation, OSHA, Whistle Blower; Family Law including Divorce, Child Custody, Child Support, Spousal Support, Maintenance or Alimony and Property Distribution.
Simply think of where the evidence that would support the allegations would be found in these cases. Similarly, exculpatory evidence may also be found on computer systems for these types of actions.
Q: What happens to evidence if it is damaged, partially lost or changed in the process of acquisition or analysis?
A: There is little, if anything, in the physical universe that is perfectly preserved. Most acquisitions start with the real possibility that relevant evidence was on the system at some time in the past but is not there now and can't be recovered. Some documents may still have remnants existing and may be partially recoverable, but with significant elements of information no longer available.
Any number of problems may exist and examiners may even make decisions that lead to mistakes in an acquisition. The art of live acquisition (collecting the data from RAM) is particularly vulnerable as active processes may be changing/updating data even as it is being collected. The courts have long understood that evidence is seldom pristine and perfect and have rules that allow even damaged evidence to come in, and the court (the judge) will typically give an instruction to the jury about their duty to determine how much weight to give to that less than perfect evidence. The jury has to do that with all evidence, i.e. determine how much weight to give it in making their decision.
The examiner will note and report any problems (or mistakes), correct them if practical, and then proceed. Often the computer forensic evidence we discover and the analysis that we provide is the key evidence needed for a successful resolution of a case.
FAQs Relating to Criminal Defense
Q: Why should your client have their own digital forensic expert to review the government's reports?
A: As good as the law enforcement investigators are, and as neutral as some may remain, you can still gain an edge if you discover exculpatory evidence not found by the government. But of course, if you rely on a government forensic examiner to do this work, you can know that the government entity prosecuting the case will know what you were looking for.