Computer Investigations Defined
Documentary evidence has quickly moved from the printed or typewritten page to computer data stored on floppy diskettes, zip disks, CDs and computer hard disk drives. Furthermore, a new type of virtual evidence has been created as a result of E-Commerce transactions and E-Mail communications over the Internet. The sharing of computer files over the Internet, when tied to the commission of a crime, creates a new and novel twist to the rules of evidence and also legal jurisdiction. Keep in mind that when criminal activities involve the use of the Internet, venue can be in different cities, counties, states and/or countries. The evidence needed to prove such computer-related crimes potentially resides on one or more computer hard disk drives in various geographic locations. Also, the computer hard disk drives may be the property of criminals as well as innocent third parties, e.g., Internet Service Providers. Such evidence is commonly referred to as computer evidence, but it is not limited to cases involving 'computer crimes'. Computer crimes are specifically defined by federal and/or state statutes. However, many computer investigations rely upon computer evidence which is not connected to a computer crime, e.g., traditional crimes which are committed using one or more computers as tools in the commission of a crime.
Computer evidence can reside on computer storage media as bytes of data in the form of computer files and ambient data. Ambient data is usually beyond the awareness of most computer users and such data can potentially provide the computer forensics investigator with the element of surprise when computer users are interviewed. For example, a computer user who believes that he destroyed the computer evidence may confess when confronted with part or all of the evidence extracted from ambient data sources.
Computer investigations rely upon evidence stored as data and the timeline of dates and times that files were created, modified and/or last accessed by the computer user. Timelines of activity can be especially helpful when multiple computers and individuals are involved in the commission of a crime. To aid in the analysis of computer usage timelines, NTI has created a computer forensics tool called FileList Pro. The computer forensics investigator should always consider timelines of computer usage in all computer-related investigations. The same is true in computer security reviews concerning potential access to sensitive and/or trade secret information stored in the form of computer files.
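The timeline idea described above, as an added example that is not NTI's FileList Pro or any code from this page: it merges file modified, accessed and created/changed times from several evidence copies into one chronological list. The function names, the `pc_a`/`pc_b` labels and the sample file are assumptions constructed for illustration, and the code is meant to be pointed at read-only working copies of the evidence, never the original media.

```python
import os
import tempfile
from datetime import datetime, timezone

def collect_events(label, root):
    """Return (timestamp, source, kind, relative path) for every file under root."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)  # stat() does not update atime
            rel = os.path.relpath(path, root)
            # st_ctime is creation time on Windows, inode-change time on Unix.
            for kind, ts in (("modified", st.st_mtime), ("accessed", st.st_atime),
                             ("created/changed", st.st_ctime)):
                events.append((ts, label, kind, rel))
    return events

def build_timeline(sources, start=None, end=None):
    """Merge events from several evidence copies into one chronological list."""
    merged = []
    for label, root in sources.items():
        merged.extend(collect_events(label, root))
    merged = [e for e in merged
              if (start is None or e[0] >= start) and (end is None or e[0] <= end)]
    return sorted(merged)

def format_event(event):
    ts, label, kind, rel = event
    stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
    return f"{stamp}  {label:<8} {kind:<15} {rel}"

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc).timestamp()

def demo_timeline():
    """Constructed sample: two working copies with hand-set timestamps."""
    with tempfile.TemporaryDirectory() as tmp:
        sources = {}
        samples = [("pc_a", "plans.doc", utc(2001, 3, 1, 9, 0), utc(2001, 3, 1, 17, 30)),
                   ("pc_b", "plans.doc", utc(2001, 3, 1, 9, 0), utc(2001, 3, 2, 8, 15))]
        for label, name, mtime, atime in samples:
            sources[label] = os.path.join(tmp, label)
            os.mkdir(sources[label])
            path = os.path.join(sources[label], name)
            open(path, "w").close()
            os.utime(path, (atime, mtime))
        window = build_timeline(sources, utc(2001, 1, 1), utc(2001, 12, 31))
        return [format_event(e) for e in window]
```

Calling `demo_timeline()` returns four lines in which the same file shows an identical modified time on both machines and a later access on `pc_b`; the date window also drops the created/changed entries, which on the constructed files only reflect when the sample was built.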
Computer investigations play an important role in cases involving the theft of company trade secrets. More and more, intellectual property lawyers rely upon computer evidence and computer investigations in such cases. The same is true concerning criminal litigation involving stock frauds, financial frauds and embezzlements. Much of the evidence related to these types of crimes will be in computer data form. In the past, documentary evidence used to prove these crimes was exclusively in paper form. However, many computer-related communications and transactions are now conducted without paper documents ever being created. Financial fraud investigators have been forced to change the way they do business.
Computer-related investigations can involve the review of Internet log files to determine Internet account abuses in businesses or government agencies. Computer investigations can also involve the analysis of the Windows swap/page file through the use of programs like NTI's NTA Stealth, Fuzzy Logic Intelligent Filter, FNames Intelligent Filter, Filter_G Intelligent Filter, Filter_N Intelligent Filter, GExtract Intelligent Filter and GetHTML Intelligent Filter. Using computer forensics procedures, processes and tools, the computer forensics specialist can identify investigative leads in the form of passwords, network logons, Internet activity and fragments of E-Mail messages that were leaked from computer memory during past Windows and/or Windows XP work sessions. When such leads are identified, they can be perfected through the use of computer forensics text search programs like NTI's TextSearch Plus and TextSearch NT programs. Other computer forensics software tools are used to document the computer evidence once it has been preserved, identified and extracted. The use of these special computer forensics tools and techniques is taught in NTI's 5 Day Computer Forensics Course.

