Hard drives that forensic examiners tackle may be as small as 20 gigabytes, while some newer drives are 250 gigabytes or even up to 750 gigabytes.
Computer forensic examiners, using special computer forensic software, first acquire an image of the target media, then do an analysis.
The basics of computer evidence recovery
Basic computer hardware
Computers with huge hard drives and lots of removable media contain a mind-boggling amount of information.

In all that space, whether visible files or invisible, deleted information, there has got to be evidence!

Where can a computer user store information?

Files can be stored on hard disks, zip disks, floppy disks, JAZ disks, Bernoulli cartridges, magnetic tape, magneto-optical cartridges, CD-ROM, CD-R, CD-RW, and DVD. The data you are seeking in your investigation might also be stored on a network, or perhaps at an off-site storage location somewhere on the Internet or on someone else's server, with or without their knowledge.

What type of evidence can we find in a computer?
The evidence you seek might be stored in a variety of forms:
  • Financial spreadsheets
  • Databases
  • Word-processing documents
  • Diaries and journals
  • E-mail
  • Pictures
  • Movies
  • Sound files
Where else can we find evidence on a computer?
A lot of the evidence you seek will not be visible to the untrained eye. You won't find it in a Word document by using Windows Explorer, or by starting a program from a shortcut on the desktop.

Even though "invisible" to the every-day computer users, computer forensic specialists can plumb the depths of a computer to tell you what it was used for, including what the user has done on the Internet, and when. The forensic examiner can then recover much of what the user wrote, read or viewed on the computer for months or even years back.

What happens when you "delete" a file?
Many people believe that when you delete a file, it is no longer on the computer. In reality, all you do is remove that file from the "visible" files you can see with Windows Explorer. The file itself is not deleted, but stays on the computer until you add enough new information to the computer that the file is "overwritten."

When you delete something from a card catalog in a library, all you are doing is throwing away the card. The book itself remains on the shelf. In the same way, the computer's "books" in the form of files still reside on the hard drive, though they are not indexed and you can't find them easily. If you create enough information to use that space, the old file will be overwritten and is not recoverable.

Computer forensic specialists use special software to scan the part of the hard drive not visible to the average user. There, they can recover all of the "old books" still on the shelves, or at least parts of them that will still reveal significant evidence.

Who can give us permission to search a computer for evidence?
Whoever owns the computer can give us permission to search it. Usually, a business can consent to a search on any of the computers the business owns, regardless of who was using the computer. In a civil lawsuit, the parties can agree to an examination or the court can order one. In a criminal case, law enforcement usually seizes the computer. The suspect's attorney can request copies of the seized material and the computer forensic examination report. The attorney may then want to get another forensic opinion through a private computer forensics lab.

What does a computer forensic analyst do?
The first rule of computer forensic evidence analysis is "don't alter the evidence in any way." The simple act of turning on a computer can alter or destroy any evidence that might be there. The search for evidence on a computer should only be done by a trained and experienced computer forensic examiner. The examiner will document all work, write-protect all media, make copies of media (the "mirror image"), examine and analyze copies of media, and prepare a written report. The examiner then prepares extra copies of the mirror images for other investigators, attorneys or the opposing side. You may get the copies on CD-ROMs, tapes or some other media.

Other critical rules to safeguard the evidence
A skilled computer forensic examiner will protect the evidence by careful and well-documented handling to ensure that:
  • The chain of custody is intact and documented
  • Evidence is not destroyed, altered, or compromised
  • All evidence pulled out of the suspect's hard drive image is protected from damage, as is the original suspect hard drive
  • Computer viruses aren't introduced into the equation during the analysis process
  • Business operations are not hindered for very long
How the computer forensic examiner does his job
He or she will:
  • Protect the suspect's computer system during the forensic examination from damage, alteration, corruption of data, and viruses
  • Find all files that are evidentiary, whether regular, visible files, deleted (yet recoverable) files, hidden files, password-protected files, and encrypted files
  • Extend the search for evidence to temporary or swap files used by both the application programs and the operating system, the slack space and unallocated areas of the hard drive. (see "Definitions")
  • Provide a comprehensive report on the suspect hard drive's file structure, files found that are relevant, and who created the files (if possible to determine)
  • Provide expert testimony in court or expert advice when the court process is not an option
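The two points above, that a "deleted" file only loses its catalog card until its blocks are reused, and that the examiner works from a verified copy of the media rather than the original, can be seen in a small simulation. This is an added example, not code from the page or from any forensic product; the disk layout, block size, file names and contents are all constructed for illustration and are not a real filesystem format.

```python
import hashlib

BLOCK = 16       # constructed: bytes per allocation unit
NBLOCKS = 8      # constructed: the toy image holds 8 units

class DiskImage:
    """Constructed toy disk: raw bytes plus a 'card catalog' of live files."""
    def __init__(self):
        self.data = bytearray(BLOCK * NBLOCKS)
        self.catalog = {}           # name -> (first_block, length_in_bytes)

    def _free_blocks(self):
        used = set()
        for start, length in self.catalog.values():
            used.update(range(start, start + -(-length // BLOCK)))
        return [b for b in range(NBLOCKS) if b not in used]

    def write(self, name, payload):
        """Store payload in the lowest contiguous run of free blocks."""
        need = -(-len(payload) // BLOCK)
        free = self._free_blocks()
        for i in range(len(free) - need + 1):
            run = free[i:i + need]
            if run == list(range(run[0], run[0] + need)):
                off = run[0] * BLOCK
                self.data[off:off + len(payload)] = payload
                self.catalog[name] = (run[0], len(payload))
                return
        raise OSError("no contiguous free space")

    def delete(self, name):
        # Only the catalog card is thrown away; the bytes stay on the shelf.
        del self.catalog[name]

    def unallocated(self):
        """Every block no live file claims: the space an examiner carves."""
        return b"".join(self.data[b * BLOCK:(b + 1) * BLOCK]
                        for b in self._free_blocks())

def carve(image, marker):
    """Recover NUL-terminated text that starts with a known marker."""
    blob = image.unallocated()
    i = blob.find(marker)
    return None if i < 0 else blob[i:].split(b"\x00", 1)[0]

def acquire(image):
    """Examiner's step: bit-for-bit copy plus a hash proving it is unaltered."""
    copy = bytes(image.data)
    return copy, hashlib.sha256(copy).hexdigest()

def verify(copy, digest):
    return hashlib.sha256(copy).hexdigest() == digest
```

Writing a file, deleting it and calling `carve` returns the full text; writing a new file large enough to reuse those blocks makes the same call return nothing, which is the "overwritten" case the text describes.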
What do we include in a forensic examination report?
A well-documented chain of custody is the foundation of evidence examination. A forensic analyst takes detailed notes that result in a final written report that gives every procedure invoked, every process run, and every "question" asked of the computer and the "answer" provided by the computer being examined. The report you receive will explain in detail the hardware examined, the procedures and software used in the examination, and any evidence found.

Because many cases result in "too much" information to print out, the evidence will often be delivered to you on a CD-ROM, with understandable instructions on how to view this evidence.

Computer forensics is the collection, preservation, analysis, and court presentation of electronic evidence. The proper collection and analysis of computer evidence is critical in many criminal investigations, civil litigation (electronic evidence discovery) and corporate internal investigations. Finding the "smoking gun" may not benefit an investigation if the examiner cannot establish in a court of law that the subject computer evidence was not corrupted or tampered with. EnCase enables the non-invasive recovery of all existing information on the subject drive, including deleted files and fragments thereof, while preserving a proper chain of custody under standard computer forensics protocols.