Thirty years ago computers were colossal machines utilized only by government agencies and prodigious corporations. These early machines were so large and complex that they required their own temperature-controlled rooms in order to function properly. Since that time they have metamorphosed into ordinary domestic devices that are as much a part of our daily lives as the telephone or the television. Because Americans use personal computers to communicate, work, learn, plan, and entertain, we have come to view our PCs as extensions of ourselves. For this reason, computers often contain important information, which can be used as evidence in legal proceedings, even if the information is not directly related to computers. This computer-based evidence can be anything from e-mail, to photographs, to confidential documents. Most importantly, the data frequently can be retrieved from a suspect computer, even if the user has deleted the information, defragmented the drive, or even reformatted the drive.
Computer forensics is the specialized practice of investigating computer media for the purpose of discovering and analyzing available, deleted, or "hidden" information that may serve as useful evidence in a legal matter. Computer forensics can be used to uncover potential evidence in many types of cases including, for example:
- Copyright infringement
- Industrial espionage
- Money laundering
- Piracy
- Sexual harassment
- Theft of intellectual property
- Unauthorized access to confidential information
- Blackmail
- Corruption
- Decryption
- Destruction of information
- Fraud
- Illegal duplication of software
- Unauthorized use of a computer
- Child pornography
Computer forensics combines specialized techniques with the use of sophisticated software to view and analyze information that cannot be accessed by the ordinary user. This information may have been "deleted" by the user months or even years prior to the investigation, or may never have been saved to begin with - but it may still exist in whole or in part on the computer's drive.
It is always in the best interest of the attorney, the client, and the matter to locate a forensics specialist who can assist in all stages of building a case, including:
- Ascertaining whether the computer(s) in question may contain information relevant to the matter.
- Assisting in preparing and responding to interrogatories.
- Retrieving and examining information that is accessible only through the use of forensics programs and methods.
- Developing court reports.
- Planning and providing expert testimony.
In order to determine whether a computer holds information that may serve as evidence, the professional must first create an exact image of the drive. The examiner examines only this image drive to protect the original from inadvertent alterations. These images must be actual bit-by-bit or "mirror" images of the originals, not just simple copies of the data. Acquiring these kinds of exact copies requires the use of specialized forensics techniques.
These mirror images are critical because each time someone turns a computer on, many changes are automatically made to the files. In a Windows® system, for example, more than 160 alterations are made to the files when the computer is turned on. These changes are not visible to the user, but the changes that do occur can alter or even delete evidence, for example, critical dates related to criminal activity.
Assuring chain of custody is as important to the specialist who oversees drive imaging and evaluation of the data for its evidentiary value as it is in medical forensics. The forensics specialist uses hash codes to assure chain of custody.
Hash codes are large numbers, specific to each file and each drive, that are computed mathematically. If a file or drive is changed, even in the smallest way, the hash code will also change. These hash codes are re-computed on the original and images at various points during the investigation in order to ensure that the examination process itself does not modify the image being examined.
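The distinction between a "simple copy" and a bit-by-bit image, and the role of hash codes in detecting any change, can be shown in a few lines. The following Python block is an added example, not part of the original article; the toy drive (six sixteen-byte sectors with a live file and a remnant of an older, deleted file), the `logical_copy`/`mirror_image`/`verify_image` helpers and the choice of SHA-256 as the hash are all constructed here for illustration.

```python
import hashlib

SECTOR = 16  # constructed toy sector size in bytes

# Constructed toy "drive": sectors 0-1 hold a live file, sector 2 is free
# but still carries the remnant of an older, deleted file, sectors 3-5 are blank.
DRIVE = (
    b"memo: wire funds".ljust(SECTOR, b"\x00")
    + b" to acct 4419\x00\x00".ljust(SECTOR, b"\x00")
    + b"old secret plan ".ljust(SECTOR, b"\x00")   # unallocated remnant
    + b"\x00" * SECTOR * 3
)
LIVE_FILE_SECTORS = [0, 1]  # what the directory says belongs to the live file


def sha256_hex(data: bytes) -> str:
    """The 'hash code' of a file or drive: changes if any byte changes."""
    return hashlib.sha256(data).hexdigest()


def logical_copy(drive: bytes, sectors) -> bytes:
    """A simple file-level copy: only the bytes the directory lists as in use."""
    return b"".join(drive[s * SECTOR:(s + 1) * SECTOR] for s in sectors)


def mirror_image(drive: bytes) -> bytes:
    """A bit-for-bit image: every byte of the drive, allocated or not."""
    return bytes(drive)


def verify_image(original: bytes, image: bytes) -> bool:
    """Chain-of-custody check: the image is acceptable only if its hash matches."""
    return sha256_hex(original) == sha256_hex(image)


def demo() -> dict:
    image = mirror_image(DRIVE)
    copy = logical_copy(DRIVE, LIVE_FILE_SECTORS)
    results = {
        "mirror_matches": verify_image(DRIVE, image),        # True
        "logical_copy_matches": verify_image(DRIVE, copy),   # False
        "remnant_in_mirror": b"old secret plan" in image,    # True
        "remnant_in_copy": b"old secret plan" in copy,       # False
    }
    # Flip a single bit in the image (as a boot-time write to a timestamp might):
    # the recomputed hash no longer matches, so the alteration is detected.
    altered = bytearray(image)
    altered[5] ^= 0x01
    results["altered_detected"] = not verify_image(DRIVE, bytes(altered))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the mirror image reproduces the drive's hash and carries the remnant in the free sector; the file-level copy loses it. Recomputing the hash after each step of an examination is what lets the examiner show that the image was not modified.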
Computer forensic analysis is often useful in matters that, on the surface, seem unrelated to computers. In some cases, personal information may have been stored on a computer. In one embittered divorce case, a husband hid joint funds in a secret bank account. In another, an employee renamed software developed by his current employer to begin his own company. In still another, a male employee sent suggestive e-mails to a female co-worker over a period of months. Although all of the parties in these scenarios had deleted the information from their computers, computer forensics specialists were able to retrieve damning evidence from the drives.
How is it possible to retrieve deleted evidence? A computer's operating system utilizes a directory that contains the name and placement of each file on the drive. When a file is deleted, several events take place on the computer. A file status marker is set to show that the file has been deleted. A disk status marker is set to show that the space is now available for another use. While the user can no longer see the file listed in any directory, nothing has been done to the file itself! This newly available space is called free or unallocated space and until the free space is overwritten by another file, the forensic specialist can retrieve the file in its entirety. Overwriting might be caused by a variety of user activities, such as adding a new program or creating new documents that happen to be written to the space where the "deleted" files exist. It is only when the data is overwritten by new data that part or all of the files are no longer retrievable through forensic techniques.
The usable space on computer hard drives is divided into sectors of equal size. When a user needs to store information, the computer's operating system automatically determines which sectors will be used to perform the task. In many instances the information being stored will not use up all of the space available in the designated sector(s). When this happens, information that was previously stored on the hard drive remains in the unused part of the designated sector, in what is called slack space. This means that even if part of the drive has been overwritten with new data, chances are that some implicating evidence will remain in the slack space. Critical data contained in slack space is also recoverable using forensic techniques.
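The two preceding paragraphs (deletion leaving data in unallocated space, and slack space surviving a partial overwrite) can be demonstrated with one toy file system. The Python below is an added example, not part of the original article and not a real operating system's code: the `ToyDisk` class, its sixteen-byte sectors, the file and disk status markers, and the sample file contents are all constructed here to mirror the behaviour the text describes.

```python
SECTOR = 16    # constructed toy sector size in bytes
NSECTORS = 8


class ToyDisk:
    """Constructed minimal file system: a directory, an allocation map and raw sectors."""

    def __init__(self):
        self.sectors = bytearray(SECTOR * NSECTORS)
        self.allocated = [False] * NSECTORS
        self.directory = {}   # name -> {"sectors": [...], "size": n, "deleted": bool}

    def write_file(self, name: str, data: bytes) -> None:
        need = -(-len(data) // SECTOR)   # ceiling division: sectors required
        free = [i for i, used in enumerate(self.allocated) if not used][:need]
        if len(free) < need:
            raise OSError("disk full")
        for k, s in enumerate(free):
            chunk = data[k * SECTOR:(k + 1) * SECTOR]
            # Only the bytes of the chunk are written; the rest of the sector
            # (the slack) keeps whatever was stored there before.
            self.sectors[s * SECTOR:s * SECTOR + len(chunk)] = chunk
            self.allocated[s] = True
        self.directory[name] = {"sectors": free, "size": len(data), "deleted": False}

    def delete_file(self, name: str) -> None:
        entry = self.directory[name]
        entry["deleted"] = True              # file status marker
        for s in entry["sectors"]:
            self.allocated[s] = False        # disk status marker: space reusable
        # Nothing is done to the sector contents themselves.

    def user_visible_files(self) -> list:
        """What an ordinary directory listing shows."""
        return [n for n, e in self.directory.items() if not e["deleted"]]

    def _raw(self, sectors) -> bytes:
        return b"".join(self.sectors[s * SECTOR:(s + 1) * SECTOR] for s in sectors)

    # --- forensic view: reads that ignore the status markers ---
    def recover_deleted(self, name: str) -> bytes:
        """Follow the directory entry even though it is marked deleted."""
        entry = self.directory[name]
        return self._raw(entry["sectors"])[:entry["size"]]

    def unallocated(self) -> bytes:
        """Every byte of every sector the disk status markers call free."""
        return self._raw([i for i, used in enumerate(self.allocated) if not used])

    def slack(self, name: str) -> bytes:
        """Bytes after the file's end inside its last sector."""
        entry = self.directory[name]
        last = entry["sectors"][-1]
        used = entry["size"] - (len(entry["sectors"]) - 1) * SECTOR
        return bytes(self.sectors[last * SECTOR + used:(last + 1) * SECTOR])


def demo() -> dict:
    disk = ToyDisk()
    secret = b"transfer to offshore account 7781"   # constructed sample: 33 bytes -> 3 sectors
    disk.write_file("secret.txt", secret)
    disk.delete_file("secret.txt")
    out = {
        "visible_to_user": disk.user_visible_files(),                    # []
        "recovered_after_delete": disk.recover_deleted("secret.txt"),    # full file
        "remnant_in_unallocated": b"offshore account 7781" in disk.unallocated(),
    }
    # Later activity reuses the first freed sector and overwrites part of the old file;
    # the new file is short, so the rest of that sector is slack holding old bytes.
    disk.write_file("note.txt", b"ok to lunch")        # 11 bytes -> 1 sector, 5 bytes of slack
    out["recovered_after_overwrite"] = disk.recover_deleted("secret.txt")
    out["slack_of_new_file"] = disk.slack("note.txt")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

After deletion the directory hides the file but both the deleted entry and the unallocated sectors still yield it whole. Once a new file lands in the first freed sector, only the tail of the old file survives, part of it in the new file's slack space.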