Role of the Computer Forensics Expert Witness in the Litigation Process

Wednesday, September 22nd, 2010

Computer Forensics

Computer forensics is used in criminal investigations, civil litigation, hacking, embezzlement, industrial espionage and insurance fraud cases, in law enforcement, and in cases of Internet or company property abuse.

Computer forensics focuses on the acquisition, restoration and analysis of digital data. In the business world, computer forensics can be used to restore corrupted or lost data, resurrect an outdated software environment, and analyze common security breach activity.

A Computer Forensics Expert

A computer forensics expert is an experienced practitioner who can access a compromised computer, duplicate all files and directories, and document every step taken during the recovery and discovery process. The expert maintains the integrity of the data, preserves the chain of custody and follows a proven review methodology. The expert can track deleted files, hidden files, files created by the system (such as an automatic backup of a document) and fragmented files scattered across the storage devices, and documents the location of electronic data, its nature, format and other identifiers.
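As an added illustration of the duplicate-and-document workflow described above (example code written for this page, not Data Triage's own tooling), the Python script below duplicates an evidence file, proves the duplicate matches the original by SHA-256 hash, appends a chain-of-custody record to a JSON Lines manifest, and later re-verifies the working copy against that record. The examiner name, case id and sample evidence file are constructed placeholders, and a plain file copy stands in for a full disk image.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image does not have to fit in memory


def sha256_of(path):
    """SHA-256 hex digest of a file, computed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, working_copy, manifest, examiner, case_id):
    """Duplicate `source` to `working_copy`, prove the duplicate matches by hash, and append a
    chain-of-custody record to `manifest` (a JSON Lines file). Returns the record written."""
    shutil.copyfile(source, working_copy)  # byte-for-byte copy; a disk imager would go here
    source_hash = sha256_of(source)
    copy_hash = sha256_of(working_copy)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "action": "acquire",
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source),
        "size_bytes": os.path.getsize(source),
        "copy": os.path.abspath(working_copy),
        "sha256": source_hash,
        "verified": source_hash == copy_hash,
    }
    with open(manifest, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")  # every step is appended, never overwritten
    if not record["verified"]:
        raise RuntimeError("working copy does not match source; stop and re-acquire")
    return record


def verify(working_copy, manifest):
    """Re-hash the working copy against the most recent acquire record for it in the manifest.
    True means the evidence is unchanged since acquisition; False means it cannot be trusted."""
    with open(manifest, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    wanted = os.path.abspath(working_copy)
    matches = [r for r in records if r["action"] == "acquire" and r["copy"] == wanted]
    return bool(matches) and sha256_of(working_copy) == matches[-1]["sha256"]


def demo():
    """Run the workflow on a constructed evidence file in a temporary directory."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")
    with open(source, "wb") as f:
        f.write(b"constructed sample evidence\n" * 100)  # constructed sample, not real data
    copy = os.path.join(workdir, "evidence_copy.bin")
    manifest = os.path.join(workdir, "custody.jsonl")
    record = acquire(source, copy, manifest,
                     examiner="J. Examiner (hypothetical)", case_id="CASE-0000 (placeholder)")
    intact = verify(copy, manifest)
    with open(copy, "ab") as f:  # simulate an accidental modification of the working copy
        f.write(b"\x00")
    tampered = verify(copy, manifest)
    shutil.rmtree(workdir)
    return {"acquire_verified": record["verified"], "before_change": intact,
            "after_change": tampered, "sha256": record["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is append-only so that the record of who did what, and when, survives alongside the hashes; a single appended byte on the working copy is enough for the final verification to fail, which is exactly the property an examiner relies on when asked on cross-examination how the evidence was kept intact.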

A Computer Forensics Expert Witness

A computer forensics expert witness is an experienced practitioner who is adept at handling the tools of computer forensics and who helps resolve corporate matters and litigation by contributing to the evidence pool and establishing the truth, leading to faster and more efficient resolution, judgment or settlement. Digital data that is lost, stolen, deleted or otherwise manipulated can be of evidential value in a lawsuit.

Role of a Computer Forensics Expert Witness

A computer forensics expert witness plans strategies: The analytical and technical skills of a computer forensics expert witness provide attorneys with assistance at every step of the litigation process, identifying discoverable electronically stored information and the form in which it should be presented strategically.

A computer forensics expert witness assists counsel for the plaintiff: The plaintiff’s attorney is entitled to all electronic information that is key to the litigation and may request the electronic data to support his client’s claims. The computer forensics expert witness can brainstorm with the attorney and the client about all the physical locations and the different forms of the relevant e-data, and can also assist in determining whether data wiping or encryption utilities were used.

The computer forensics expert witness assists counsel for the defendant:

  • The computer forensics expert witness confers with the client, the client’s IT personnel and the attorney for the defendant to discuss how to maintain files during litigation and how to preserve and protect data
  • The computer forensics expert witness can help balance privacy with evidence production by performing electronic discovery on behalf of the client, including redacting proprietary or attorney/client privileged data
  • The computer forensics expert witness also helps the client’s IT professionals understand the legal requirements associated with the preservation of electronic data
  • The computer forensics expert witness can attend “meet and confer” sessions
  • The computer forensics expert witness suggests what information to request with respect to backup procedures
  • The computer forensics expert witness provides assistance with the wording of interrogatories and suggests potential deposition questions for IT personnel
  • The computer forensics expert witness can determine where and how often the suspect used the Internet, if that is relevant to the case
  • The computer forensics expert witness restores and recovers deleted files
  • The computer forensics expert witness researches and determines whether any dates have been altered
  • The computer forensics expert witness helps the parties understand the scope and nature of electronic data collection, filters privileged data and assists in determining the extent of the data accessed

Analysis: The computer forensics expert witness researches and analyzes the keywords, documents and dates important to the litigation, looking for evidence of tampering and data deletion.

The computer forensics expert witness can offer testimony:

  • The computer forensics expert witness has the skills and experience to explain technical concepts and to present large amounts of data about electronic evidence in a clear and understandable manner
  • The computer forensics expert witness can demonstrate that the data was securely collected and preserved, so that it can stand as electronic evidence
  • The computer forensics expert witness needs to make sure the proper software is used, as only a few software programs have been tested and approved by various courts as forensically sound and reliable
  • The computer forensics expert witness must also ensure that he employs accepted procedures, including documenting the chain of custody of the electronic data
  • The computer forensics expert witness must also be able to testify to, and demonstrate, that the procedures he employs are forensically sound
  • The computer forensics expert witness must be aware of the ethics of his profession and the laws governing his testimony
  • The computer forensics expert witness should have reputable experience
  • The computer forensics expert witness must be able to withstand cross-examination

Data Triage Technologies offers Computer Forensics and Expert Witness Services to the legal communities in California and throughout the United States. Data Triage’s computer forensics experts identify, preserve and analyze potentially discoverable electronic evidence, while maintaining a cost effective approach throughout the process to support ongoing investigation. Let the professionals at Data Triage Technologies assist you in obtaining the evidence vital for winning your case!

Does Your Company Have A Computer Incident Response Team (CIRT)?

Saturday, July 31st, 2010

A Computer Incident Response Team is an expert group that handles computer security incidents. Whenever a new technology arrives, it is invariably dogged by misuse, such as the first worm on the IBM VNET and the Morris Worm, which hit the Internet and paralyzed it. This led to the formation of the first Computer Emergency Response Team at Carnegie Mellon University under U.S. Government contract. With the massive growth in the use of Information and Communications Technologies since then, the Computer Incident Response Team (CIRT) has become an essential part of large organizations.

No matter how well your network is protected, there are always incidents you are not prepared to deal with by yourself, because the problem lies beyond your technical know-how and the necessary action cannot be taken. A company’s security policy is not complete until procedures are in place for handling and recovering from incidents. The best solution is to include a Computer Incident Response Team (CIRT) within the company’s incident response procedures.

What is a Computer Incident Response Team (CIRT)?

A Computer Incident Response Team (CIRT) is a group of people who can promptly and correctly handle an incident: it can quickly contain, investigate and recover from an incident that poses a threat to the security of the organization. A CIRT is usually made up of members from within the company, and it must include people with the authority to make decisions and take action.

Who constitutes a Computer Incident Response Team (CIRT)?

A Computer Security Incident Response Team (CIRT) is constituted according to the needs and resources of the company.

Members in a Computer Security Incident Response Team (CIRT):

Management: A member of upper-level management on the Computer Security Incident Response Team can make the big decisions and be an effective resource in evaluating security, selecting a team, developing a policy and exercising the plan during an incident, based on input from the members of the team.

Information Security: These are the personnel trained in handling electronic incidents, able to handle a multitude of incident types. An Information Security member on the Computer Security Incident Response Team can assess the extent of the damage and execute containment, basic forensics and recovery.

IT Team: In the event of an incident, the IT team on the Computer Security Incident Response Team knows where the data can be accessed or discovered before the evidence or the corrupt database is overwritten and replaced from a backup.

The IT/MIS: The IT/MIS on the Computer Security Incident Response Team can assist the Information Security team with technical matters if required.

IT Auditor: The IT Auditor tracks the incident and works with IT/security to conduct post-incident reviews so that problems are avoided in the future.

Security: The security staff on the Computer Security Incident Response Team can assess any physical damage, investigate physical evidence and guard evidence during a forensics investigation to maintain the chain of evidence.

Attorney: An attorney on the Computer Security Incident Response Team provides legal advice on the usability of any evidence collected during an investigation and also advises on liability issues that affect customers, vendors or the general public.

Human Resources: Many incidents involve company employees. The Human Resources member on the Computer Security Incident Response Team advises on how best to handle the situation when an employee is discovered to be involved.

Public Relations: The Public Relations staff on the Computer Security Incident Response Team communicate with team leaders, the press and stockholders to ensure an accurate understanding of the issue, the company’s status and the current situation.

Financial Auditor: The Financial Auditor on the Computer Security Incident Response Team has the hardest job when an incident occurs: putting a monetary figure on the loss caused by the incident, both for insurance companies and for pressing charges under the National Information Infrastructure Protection Act.

Some managers may choose not to create a team, preferring to outsource to professionals when an incident occurs. Creating a Computer Incident Response Team may not be the best solution for every company, but it can prove to be an invaluable tool: a Computer Incident Response Team improves the response time to any computer-based problem an organization may face.

Data Triage’s Computer Incident Response Team helps organizations that have become the victim of a security breach. The CIRT team captures and isolates evidence while restoring services efficiently. Steps are taken to ensure the evidence is preserved for possible litigation or legal compliance.

How The Computer Criminals Control Information – Types of Computer Crime

Tuesday, October 6th, 2009

As computer-related crimes become more prevalent, understanding the types of computer-related crimes provides law enforcement an insight for investigative strategies.

The first insight is knowing the types of computer crimes.

Computer as the Target

This type of computer crime includes theft of intellectual property. The offender accesses the operating program by posing as the system’s manager, or reaches the contents of the system’s files through a trap door, an entry point that permits access to the system should a human or technological problem occur.

Here, the offender uses the computer to obtain information or to damage operating programs, committing computer crimes such as:

  • Theft of marketing information, such as customer lists, pricing data or marketing plans
  • Blackmail based on information gained from computerized files, such as medical information, personal history or sexual preference
  • Sabotage of intellectual property, marketing, pricing or personnel data
  • Sabotage of operating systems and programs with the intent to impede a business or create chaos in business operations
  • Unlawful access to criminal justice and other government records
  • Changing a criminal history or modifying want and warrant information
  • Creating a driver’s license, passport or another document for false identification
  • Changing tax records or gaining access to intelligence files
  • Techno-vandalism: unauthorized access in order to damage files or programs
  • Techno-trespass: violating the owner’s privacy, as in criminal trespass

Computer as the Instrumentality of the Crime

Here, the processes of the computer facilitate the crime.

The computer criminal introduces new code (programming instructions) to manipulate the computer’s analytical processes, converting legitimate computer processes to the following illegitimate purposes:

  • Fraudulent use of automated teller machine (ATM) cards and accounts
  • Theft of money from accrual, conversion or transfer accounts; credit card fraud; fraud in computer transactions such as stock transfers, sales or billings; and telecommunications fraud
  • Billing charges to other customers through cellular phones
  • Once they capture the computerized billing codes, the computer criminals program these codes into other cellular phones simply by connecting the phone to a personal computer
  • Using software originally developed by programmers in other countries, they reprogram the signal chip in the cellular phone
  • Sharing the same through underground computer bulletin board services (BBSs)

Computer as Incidental to Other Crimes

In this category of computer crime, the computer is not essential for the crime to occur.

In each of the following cases, the computer merely facilitates the offense:

  • Helping the computer crime to occur faster
  • Processing greater amounts of information
  • Making the computer crime more difficult to identify and trace
  • Unlawful banking transactions and money laundering
  • Supporting unlawful activity via BBSs
  • Erasing, encrypting or otherwise denying proper access to organized crime records or books (including bookmaking records) during drug raids, money laundering seizures and other arrests
  • Allowing computer criminals to destroy the storage media, such as disks, to eliminate evidence of their illegal activities
  • Letting child pornographers exchange information through BBSs

These computer crimes require unique data recovery techniques in order to gain access to the evidence.

Computer Crimes Associated With the Prevalence of Computers

The prevalence of computers, including microcomputers, generates sinister mutations of traditional crimes, such as software piracy and counterfeiting, copyright violation of computer programs, counterfeit equipment, black market computer equipment and programs, and theft of technological equipment.

  • Violation of the copyright restrictions on commercial software can result in staggering losses to businesses
  • Hackers break into computers with the help of software illegally written and sold for that purpose
  • Successful computer programs, such as word processors, spreadsheets and databases, are duplicated, packaged and sold illegally on a large scale
  • Just like pirated audio and video tapes, counterfeit computers and peripherals (items such as modems and hard disks) are manufactured and sold under the guise of originals

Legal Issues Of Computer Crimes

Some States have enacted laws specifically directed toward computer crimes, while other States rely fundamentally on the common law as it applies to current and emerging technology. The elements of a computer-related offense must be established for successful prosecution.

  • The physical act of a computer crime, the actus reus, may be demonstrated best by an electronic impulse
  • This is difficult to define and track
  • A computer crime can occur in 3 milliseconds using program code that tells the software to erase itself after the computer executes the action, eliminating the evidentiary trail
  • Causation relates to the self-destruction of the computer programs that facilitate computer crimes; an investigator cannot show causation if the offender erases the executing instructions
  • Electronic data interchange (EDI) and its networks complicate the legal elements by making computer crimes more difficult for law enforcement to specify, document and materially link to an individual
  • EDI connects parties via computer for contract negotiations, sales, collections and other business transactions
  • The computer becomes the vault, with EDI serving as the key to its contents
  • Access to data in the computer must be relatively easy in order to maximize business efficiency
  • Security controls must be introduced in order to protect the business’ “crown jewels”
  • Maximum security and easy accessibility are not compatible: as businesses prefer user-friendly equipment, system security usually takes second priority
  • The phenomenal growth of computer BBSs, on-line services and the Internet only compounds the problem

As a result, computer-related crimes become easier to perpetrate and more difficult to identify, investigate, and prove.

Special Problems with Computer Crime

Intellectual property consists of concepts, ideas, planning documents, designs, formulas, and other information-based materials intended for products or services that have some commercial value or represent original thoughts or theses. Crimes associated with intellectual property focus primarily on theft when the product has commercial value, as opposed to basic research or research for private use.

Intellectual Property:

  • Involves the formulas, processes, components, structure, characteristics and applications of new technologies, and covers such areas as fiber optics, computer chip designs and conductivity, and telecommunications equipment, protocols and technologies
  • Is associated with the marketing and production of new technologies
  • Includes pricing information, marketing targets, product release dates and production timetables

Computer Crimes by Malfeasance

The concept of computer crime by malfeasance covers computer-related behavior that stretches the bounds of legality and may be viewed as only technically wrong.

Some scenarios of computer crime by malfeasance:

  • A parent offers to copy a computer program for a school that cannot afford to buy the software
  • An employee secretly maintains a small database in an office computer as part of a sideline business
  • An individual uses someone else’s computer account number and password to view the contents of a database
  • A customer gives her unlisted telephone number as part of a sales transaction at a store. The store enters the number into a computerized database and later sells the data to a telemarketing firm without the customer’s permission
  • A university computer programmer develops a program to schedule classes as part of a job assignment. The programmer then accepts a job with another university and leaves with a copy of the program for use at the new place of employment

These computer crimes illustrate the gray areas of computer abuse, areas that fall increasingly on the shoulders of law enforcement to address and resolve.

International Issues:

Technological knowledge and expertise contribute to the growth of computer crime on an international level.

Businesses can make great use of:

  • Unifying measures
  • Open communications, such as the single, European-wide communication protocol
  • A strong, profit-oriented EU market spanning 12 countries
  • Open borders
  • Unification of technology standards
  • Easier banking
  • Monetary transfers between countries

Computer criminals take undue advantage of all these developments, giving rise to:

  • Emerging international crime-related issues
  • Industrial espionage/competitive intelligence
  • Economic/political espionage
  • Expansion of international organized crime beyond traditional areas
  • Theft of technological hardware

Computer criminals have adapted the advances in computer technology to further their own illegal activities. Unfortunately, their actions have far outpaced the ability of police to respond effectively. Protocols must be developed for law enforcement to stall the various categories of computer crime. Investigators must know what materials to search for and seize, what electronic evidence to recover, and how to maintain the chain of custody.

Data Triage Technologies Provides Comprehensive Computer Forensics, Electronic Discovery, Electronic Data Discovery, Data Recovery, Data Management, Intrusion Prevention, Network Security Audit, and Expert Witness Services to the legal communities in California and throughout the United States.

Author: Meshaal McLean

Email Discovery as Electronic Evidence

Tuesday, July 22nd, 2008

In today’s legal discovery world, electronically stored information requires special attention in litigation. The recent emphasis on producing electronically stored information requires an e-discovery team to apply legal principles to information technology. But electronically stored information can in some cases drive companies out of business, especially when they do not know where to find it, in particular Email and its associated attachments. Most email discovery efforts relate to the collection and review of Email, as it remains one of the highest-risk areas.

Email is the most popular means of communicating personal and business matters. Currently more than 1000 million Email accounts are in use worldwide, an average of more than 4 Email accounts per person. With these accounts, all your incoming, saved and sent mail is stored on a mail server within IMAP folders. Because we all rely on Email to operate our businesses and in our personal lives, it is important to take preventive measures to avoid the ultimate disaster of unrecoverable Email.

The message index in the Email client lists the messages and is stored as entries in a database associated with the file structure. When you delete mail messages, their attachments are deleted as well. However, you can restore them, as they are only moved to a special deleted-message folder called the Trash folder, like files in the Recycle Bin. These deleted Emails still remain on the computer hard drive, on servers or on backup tapes.

Deleting an Email from a folder eventually reduces the size of the database file, when the vacant space is eliminated. Until then the deleted message sits in the Trash folder, from which it can be easily retrieved: it is not removed from the index of files, it just moves to the Trash directory, and the space it occupies is considered available for writing new data.

But if an Email in the Trash folder is deleted again, it is no longer indexed and no longer readily accessible. These files are not truly deleted, however; they still exist on your hard drive. They have not been erased, and in most cases they can be retrieved, but a forensic examination is required to locate and retrieve them. In some circumstances the mail may be impossible to retrieve from the server, hard drive or PC because it has been overwritten by other files.
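The two situations just described (a message flagged as deleted but still sitting in the mail store, and a message that is no longer indexed but whose bytes remain on disk) can be shown with a short Python script. This is an added example, not code from the original post or from Data Triage; it uses the plain-text mbox format that Mozilla Thunderbird keeps its folders in, where the X-Mozilla-Status header's 0x0008 bit marks a message the user deleted that has not yet been compacted away, and a constructed byte buffer that stands in for unallocated disk space. The messages, addresses and the buffer contents are all constructed.

```python
import email
import re
from email import policy

# Thunderbird stores each folder as a plain-text mbox file and records per-message flags in an
# X-Mozilla-Status header (hex). Bit 0x0008 ("expunged") marks a message the user deleted that
# has not yet been physically removed by compacting the folder.
MOZILLA_EXPUNGED = 0x0008

# Constructed sample mbox with three messages; the second was deleted but not yet compacted.
SAMPLE_MBOX = b"""From - Mon Jul 21 09:00:00 2008
X-Mozilla-Status: 0001
From: alice@example.com
To: bob@example.com
Subject: Q2 forecast
Date: Mon, 21 Jul 2008 09:00:00 -0700

Numbers attached.

From - Mon Jul 21 09:05:00 2008
X-Mozilla-Status: 0009
From: alice@example.com
To: bob@example.com
Subject: please delete this
Date: Mon, 21 Jul 2008 09:05:00 -0700

Shred the old pricing sheet.

From - Mon Jul 21 09:10:00 2008
X-Mozilla-Status: 0001
From: bob@example.com
To: alice@example.com
Subject: Re: Q2 forecast
Date: Mon, 21 Jul 2008 09:10:00 -0700

Got it.
"""


def split_mbox(data):
    """Split raw mbox bytes on the 'From - <date>' separator lines into message blobs."""
    return [p for p in re.split(rb"(?:^|\n)From - [^\n]*\n", data) if p.strip()]


def list_messages(data):
    """Return (subject, flagged_deleted) for every message still present in the mbox,
    including ones the mail client no longer shows because they carry the expunged flag."""
    result = []
    for blob in split_mbox(data):
        msg = email.message_from_bytes(blob, policy=policy.default)
        status = int(msg.get("X-Mozilla-Status", "0"), 16)
        result.append((str(msg["Subject"]), bool(status & MOZILLA_EXPUNGED)))
    return result


# Constructed stand-in for unallocated disk space: a message that compaction removed from the
# folder index, but whose bytes have not been overwritten, surrounded by unrelated junk.
SAMPLE_UNALLOCATED = (
    b"\x00" * 64
    + b"From: carol@example.com\r\nTo: bob@example.com\r\nSubject: wire transfer\r\n"
    + b"Date: Tue, 22 Jul 2008 10:00:00 -0700\r\n\r\nSend it today.\r\n"
    + b"\xff" * 32
    + b"partial From: fragment with no further headers"
)

# An RFC 822-style header block: a From: line followed by one or more 'Name: value' lines.
HEADER_BLOCK = re.compile(rb"From: [^\r\n]+\r?\n(?:[A-Za-z-]+: [^\r\n]+\r?\n)+")


def carve_headers(raw):
    """Carve message header blocks out of raw bytes and return (sender, subject) pairs.
    This is the locating step a forensic examination performs once a message is unindexed."""
    found = []
    for m in HEADER_BLOCK.finditer(raw):
        hdr = email.message_from_bytes(m.group(0), policy=policy.default)
        if hdr["Subject"]:
            found.append((str(hdr["From"]), str(hdr["Subject"])))
    return found


if __name__ == "__main__":
    for subject, deleted in list_messages(SAMPLE_MBOX):
        print(f"{'DELETED ' if deleted else '        '}{subject}")
    print("carved from unallocated space:", carve_headers(SAMPLE_UNALLOCATED))
```

The first pass reads the folder file directly rather than through the mail client, so the flagged message is listed even though the client hides it; the second pass ignores any index at all and pattern-matches header blocks in raw bytes, which is why it still finds a message that compaction dropped, and why it finds nothing once those bytes have been overwritten.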

Even if your Email is completely lost, mail recovery tools can scan the entire hard disk, locate and recover the deleted Email, and repair the database if it is corrupted.

Imagine your Email database deleted or the file system corrupted. If that happens, you need an undelete tool to get the files back. Even though the database is corrupted, the data content may still exist, but the structure of the file may be wrong, such that the mail client cannot list the messages. Then you need email discovery tools, which typically scan your hard disk and list a whole bunch of files with damaged, crippled file names.

As different mail programs store data in different formats (Word, Excel, CSV, PDF and so on), you must use a data recovery tool that supports the mail software you are using. For Outlook Express or Windows Mail, Mail Recovery is effective and easy to use; for Microsoft Outlook files you need Outlook Recovery; and Mozilla Thunderbird mail folders can be recovered with a text editor, as they are plain text files.

To avoid severe legal sanctions, you need an easy way to search for relevant Email in order to quickly meet legal discovery requests. In fact, an effective Email discovery solution can help mitigate these legal risks. is one of the leading experts in the field of email discovery, which restores electronically stored information in Email and associated attachments.

Technical Considerations in Review Process of E-Discovery

Wednesday, June 25th, 2008

Decision-making, backing up your data and managing a review database to acquire your company’s digital data are no longer, by themselves, a solution to your E-discovery problem, even if you engage a legal attorney for the E-Discovery review process. Data collection plays a key role in the review process. There are some technical issues that need to be considered; they will help the legal team identify potential problems and carry out a successful E-Discovery review.

The following is a checklist of technical issues that can aid in the E-discovery review process:

ISP (Internet service provider): This looks simple, but in most cases it is overlooked. The reliability, network speed and throughput supplied by the ISP can have a tremendous impact. Consult your network engineer to find out who your ISP is and how reliable they are, so that IP addresses at the main location can be rerouted. For example, when you access your personal E-mail from your own Internet service provider, your E-mail usually comes to you from your ISP’s E-mail servers in one of the following ways: POP (Post Office Protocol), IMAP (Internet Message Access Protocol), MAPI (Messaging Application Programming Interface) or HTTP (Hypertext Transfer Protocol), and knowing which helps in locating the e-mail.

Bandwidth: Routers, hubs, firewalls, cables and modems all affect the actual bandwidth, which fluctuates from time to time. An average sample of the bandwidth should be taken every day. This is very important because the reviewers will access the data online, and you must check whether they have the bandwidth they need. Use online support tools that measure upload and download speed.

Map out the number of hops associated with each computer and review location: Tracert is a network command tool that shows the route taken by packets across an IP network, i.e. from your computer to the one you specify. The tracert command lists all the routers the packets pass through until they reach the destination, and also tells you how long each “hop” from router to router takes. This provides a lot of relevant information to the network engineer.

Use web analytics software to view the reviewers and their locations: Performance will suffer if 100 reviewers try to access the same information, resources or website from the same physical location at the same time, versus only 10 reviewers doing the same. By listing the total number of reviewers and their physical access locations, we can estimate how long a review will take and from which place.
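The hop-count, bandwidth-sampling and reviewers-per-location items above lend themselves to a little automation. The Python script below is an added example (not part of the original post and not a Data Triage tool): it parses constructed `tracert` output into hops and round-trip times, and divides each site’s average daily download bandwidth among its concurrent reviewers to flag sites where 100 reviewers would starve each other. The hostnames, addresses, sites, reviewer counts and bandwidth samples are all constructed, and the 1.5 Mbps-per-reviewer figure is an assumed planning threshold.

```python
import re
import statistics

# Constructed sample of Windows `tracert` output; hostnames and addresses are documentation
# placeholders, not real review servers.
SAMPLE_TRACERT = """Tracing route to review.example.net [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  gateway.corp.example [192.0.2.1]
  2    12 ms    11 ms    14 ms  isp-edge.example [198.51.100.1]
  3    25 ms    24 ms    27 ms  isp-core.example [198.51.100.2]
  4     *        *        *     Request timed out.
  5    48 ms    51 ms    47 ms  review.example.net [203.0.113.10]

Trace complete.
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")  # hop number, then the rest of the line
RTT = re.compile(r"(\d+)\s*ms")              # each '<n> ms' probe result


def parse_tracert(text):
    """Return [(hop, [rtt_ms, ...], target), ...]; a hop that timed out has an empty RTT list."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # banner, blank and 'Trace complete.' lines carry no hop
        rest = m.group(2)
        last = None
        for probe in RTT.finditer(rest):
            last = probe
        if last is None:
            rtts, target = [], rest.replace("*", "").strip()  # e.g. 'Request timed out.'
        else:
            rtts = [int(t) for t in RTT.findall(rest)]
            target = rest[last.end():].strip()  # text after the last probe result
        hops.append((int(m.group(1)), rtts, target))
    return hops


def hop_summary(hops):
    """(number of hops, hops that timed out, median RTT in ms to the final hop)."""
    timeouts = sum(1 for _, rtts, _ in hops if not rtts)
    return len(hops), timeouts, int(statistics.median(hops[-1][1]))


# Constructed daily bandwidth samples per review site, in Mbps (download, upload), of the kind
# the online speed-test tools mentioned above would report.
SAMPLE_BANDWIDTH = {
    "Los Angeles": [(92.0, 18.5), (88.4, 17.9), (95.1, 19.2)],
    "Sacramento": [(24.0, 4.8), (22.5, 4.1), (25.3, 5.0)],
}
REVIEWERS = {"Los Angeles": 100, "Sacramento": 10}  # concurrent reviewers per site (constructed)


def per_reviewer_mbps(samples, reviewers):
    """Average daily download bandwidth per site, divided among its concurrent reviewers."""
    return {
        site: round(statistics.mean(down for down, _ in rows) / reviewers[site], 2)
        for site, rows in samples.items()
    }


def sites_below(samples, reviewers, min_mbps_per_reviewer):
    """Sites whose per-reviewer share falls below the (assumed) planning threshold."""
    share = per_reviewer_mbps(samples, reviewers)
    return [site for site, mbps in share.items() if mbps < min_mbps_per_reviewer]


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    for hop, rtts, target in hops:
        print(f"hop {hop:2d}: {target} {rtts}")
    print("summary (hops, timeouts, median ms):", hop_summary(hops))
    print("Mbps per reviewer:", per_reviewer_mbps(SAMPLE_BANDWIDTH, REVIEWERS))
    print("undersupplied sites:", sites_below(SAMPLE_BANDWIDTH, REVIEWERS, 1.5))
```

Feeding real `tracert` output and real daily speed-test readings into these functions gives the network engineer the two numbers the checklist asks for: how many hops (and how many dead ones) sit between each review site and the review server, and whether the site’s link, shared among everyone reviewing at once, leaves each reviewer enough bandwidth.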

Software configuration: To ensure that Web usage is consistent, the software must be configured in a consistent manner. Ensure that the Web server is configured so that the appropriate information is recorded, and that changes to relevant server options or data processing are documented.

Web usage data does not always give a true indication of how the data is used, due to several factors such as the effects of caches, cookies, browser types, auditing tools, etc. Despite these reservations, collecting and analyzing usage data can provide valuable information.

Firewall operation: The loss of files, e-mails and financial records can be avoided, along with other security issues, with the help of a firewall. A firewall is necessary for almost every review process, because it plays a vital role in the overall performance of the network. Check whether your firewall is blocking your ports, or whether it reaches the Internet through identified, specific ports. Most firewalls include NAT (Network Address Translation), which protects you by hiding internal IP addresses from outsiders so they cannot reach your internal network, and which inspects incoming traffic; many also terminate a VPN (Virtual Private Network), which lets users communicate securely using encrypted traffic.

Data collection always plays a key role in the E-Discovery review process. After gathering the information from the checklist of technical issues, share it with your technical support team and decide whether these are within normal parameters. This will enable the legal team to develop solutions to potential issues and set up a successful E-Discovery review. is the best practice for corporate firms that possess both the technical and legal knowledge to set up a successful claim.