•  Employee internet abuse
• Unauthorized disclosure of corporate information and data (accidental and intentional)
• Industrial espionage
• Damage assessment (following an incident)
• Criminal fraud and deception cases
• Protection, no contact or anti-harassment orders that either clearly express or that have incorporated by law that telephone, e-mail  or other types of electronic communications are included.
• More general criminal cases where computers are alleged to be an instrumentality of crime and information  is stored on computers that is evidence of crime(s) or potentially exculpatory evidence (many people store information on computers, intentionally or unwittingly).

Q: How is a computer forensic investigation approached?
A:It's a combination of art and science.  However, very broadly, the main phases are:  secure the subject system (from tampering during the operation); take a copy of hard drive or other mass storage media (as appropriate); identify and recover all files (including those deleted) and slack space; access/copy hidden, protected and temporary files; study 'special' areas on the drive; investigate data/settings from installed applications/programs; assess the system as a whole, including its structure; consider general factors relating to the users activity; create detailed report. Throughout the examination, it is important to stress that a detailed log of  the examiner's activities is maintained.

Q: Is there anything that should NOT be done during an investigation?
A: It is important to avoid modifying the data, even date/time stamps may be sources of relevant information in a case where the questions that need to be answered relate to when something happened (Rebooting may cause files to update and compromise the quality of evidence that can be recovered).

Q: How much do computer forensic investigations typically cost?
A: The cost of a computer forensic investigation varies greatly, depending on the number and types of systems involved and the complexity of the recovery of evidence.  The proper framing of the questions to be answered is critical to the management of examinations. 

A complete examination of a single Terabyte hard drive may have over 200,000,000 pages of electronic information and may take between 15 to hundreds of hours or more to examine, depending on the amount of data, types of data, condition of the media and data and the questions to be answered.  A reasonable quote can be obtained prior to the start of the examination if complete and accurate information about the systems is available to the examiner, and the scope of the examination is clear (i.e. the questions that need to be answered).

This time could increase or decrease, depending upon the type of operating system used, the type of data contained within the system, and the size and amount of data in question. The hourly rate for  computer forensic examiners generally, ranges from under $100 per hour up to $600 per hour.

At IT Forensics, Inc., our examiners hourly rates vary from $200 per hour up to $375 per hour, depending upon the specific service required.   In most instances, examination and reporting can be completed in less than 20 hours, and the total analysis usually totals less than $8,000.00 for a single hard drive.

We charge a reduced hourly rate for equipment operation time if our personnel are not actively involved in that process, but periodically monitoring (typically for one system this fee is $30.00-50.00 per hour).

Q: Can evidence be recovered from Blackberry's, PDA's, cell phones, recorders and digital cameras?
A: Yes, evidence can be extracted from virtually any electronic device or component that has non-volatile memory.

Q: Should you retain a company/team of  digital forensic examiners or a solo practitioner?

 A: Under some circumstances retaining a single digital forensic examiner may be appropriate if he/she has expertise on the specific system/device you are concerned with getting evidence from, and you are  certain that there will be no other devices or systems involved that would require a quick expansion of the areas of expertise involved. If the case has the potential to involve other devices or systems outside the expertise of the forensic examiner a team with diverse background and specialized experience is more likely to provide the capability to rapidly handle the previously unidentified system(s).  Additionally, a team gives the assigned forensic examiner sources to consult with if problems come up that merely require a quick look or a short consult to address (but for which you would not want to have to retain another examiner to address).

Q:  In what types of cases can a digital forensic examiner make a contribution?

 A:  Virtually any type of case can potentially require the services of a digital forensic examiner, some examples include:  Criminal Defense, including Fraud, Embezzlement, Harassment, Identity Theft, Sex Crimes, Military; Administrative;  Civil Litigation including Civil Rights, ADA, Corporate, Construction, Communications, Employment, Education, Environmental, Intellectual Property, Maritime, Medical Malpractice, Securities, Bankruptcy, Health Care,  Probate, Real Estate, Insurance, Sexual Harassment, Discrimination, Labor, Landlord-Tenant, Torts, including Personal Injury,  Employment, Workers' Compensation, OSHA, Whistle Blower; Family Law including Divorce, Child Custody, Child Support, Spousal Support, Maintenance or Alimony and Property Distribution. Simply think of where the evidence that would support the allegations would be found in these cases. Similarly, exculpatory evidence may also be found on computer systems for these types of actions.

Q:  What happens to evidence if it is damaged, partially lost or changed in the process of acquisition or analysis?

A:  There is is little of anything in the physical universe that is perfectly preserved.  Most acquisitions start with the real possibility that there was relevant evidence on the system being subject to the recovery process that was there at some time in the past, but that is not there now and can't be recovered.  Some documents may still have remnants existing and may be partially recoverable, but with significant elements of information no longer available. Any number of problems may exist and examiners may even make decisions that lead to mistakes in an acquisition.  The art of live acquisition (collecting the data from RAM) is particularly vulnerable as active processes may be changing/updating data even as it is being collected.  The courts have long understood that evidence is seldom pristine and perfect and have rules that allow even damaged evidence to come in, and the court (the judge) will typically give an instruction to the jury about their duty to determine how much weight to give to that less than perfect evidence.  The jury has to do that with all evidence, i.e. determine how much weight to give it in making their decision.  The examiner will note and report any problems (or mistakes), if practical correct them and then proceed.