A few weeks ago the shocking Missouri murder of Bobbie Jo Stinnett put computer forensics in a very public light. Stinnett was strangled and her unborn baby cut from her body and stolen. The examination of her computer provided a trail of electronic clues that led investigators to Lisa Montgomery and the rescue of the baby in a matter of hours.
"When you're in a digital society, where are you going to look?" asked Alan E. Brill, senior managing director of Kroll OnTrack in Secaucus, N.J. "If someone is on the Internet a lot, you'll look at their computer. The best piece of evidence may be sitting on a hard drive."
Computer forensics -- recovering electronic evidence -- makes sense in today's information age. According to Brill, 90% of information goes through a computer, and more than 70% of that never gets printed. That unprinted information is potential evidence in criminal and civil matters that can't be ignored.
Unless files and data have been completely wiped clean, odds are they still exist on the computer. It's often easy to tell if the data has been wiped out, too. "In the majority of cases, you find slam-dunk evidence," said Dean Gonsowski, director of litigation strategy for Fios, an electronic discovery firm in Denver, Colo. "It becomes surprisingly easy to piece together evidence."
Information thought to be deleted is often found in cached Windows pages, temp files, file allocation tables, etc. Information and files are stored by the operating
Many law enforcement agencies and private firms use computer forensics. John Colbert, CEO of Guidance Software in Pasadena, Calif., said investigators now have the tools to complete an evidence search, and no longer need to be the ultimate computer guru.
"In nearly every major case you hear of today, computer forensics is involved," he said. From incident response to legal discovery, computer forensics is happening behind the scenes.
The Missouri murder case is just the latest example. "The fact that the cops thought that way is proof of the evolution," Brill said. In the Stinnett case, reports indicated that she had met her killer via the Internet when Montgomery inquired about the show dogs Stinnett raised.
Computer forensics isn't limited to criminal cases. Use of electronic evidence is not uncommon in civil cases, such as a spouse suspecting the other of wrongdoing, or a company finding cause for terminating an employee. Accounting irregularities are fertile ground for computer forensics.
Gathering digital evidence follows the same procedures that any crime scene unit must use. Problems can occur when companies try to do their own forensics rather than bringing in experts or law enforcement authorities. Every time a computer is powered up or a file is accessed, evidence may be accidentally erased.
"You don't go into a laptop, grab the hard drive, and stick it in a bag," cautioned Gonsowski.
Electronic evidence must be obtained without damaging it. Investigative software can make a read-only exact clone of the hard drive that is admissible as evidence in court. "It's like dropping a bullet in an evidence bag," Colbert said.
The evidence is preserved, while the computer it came from can still be used by its owner. It does not need to be impounded, and the examination can even be done at odd hours so the process is not disruptive. It can also be done clandestinely. Gonsowski noted that courts are often quick to grant access for noninvasive computer forensics investigations.
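The imaging step described above, as an added example that is not from the article or from any vendor's product: a Python routine that reads a source bit-for-bit in read-only mode, hashes the bytes as they are copied, re-hashes the finished image independently, and shows the comparison failing once a single byte of the image is altered. The sample "drive" contents and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # copy in 1 MiB blocks so large media never sit in memory


def image_source(src_path, img_path, chunk=CHUNK):
    """Copy src_path bit-for-bit into img_path, hashing as we go.

    The source is opened read-only ("rb") and is never written to; the
    SHA-256 of the bytes read from it is the reference value for the image.
    """
    h_src = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(chunk), b""):
            h_src.update(block)
            img.write(block)
    return h_src.hexdigest()


def hash_file(path, chunk=CHUNK):
    """Independent SHA-256 of a file, used to re-verify an image later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src_path, img_path):
    """Image src_path and return (reference_hash, image_hash, verified)."""
    ref = image_source(src_path, img_path)
    got = hash_file(img_path)
    return ref, got, ref == got


def demo():
    """Constructed sample: a tiny 'drive' holding live data and deleted-file residue."""
    disk = b"LIVE: quarterly report\x00" * 64 + b"[deleted] draft message" + b"\x00" * 200
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "drive.bin")   # constructed source "device"
        img = os.path.join(d, "drive.dd")    # constructed raw image name
        with open(src, "wb") as f:
            f.write(disk)
        ref, got, ok = acquire(src, img)
        # Alter one byte of the image: re-verification must now fail.
        with open(img, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        tampered_ok = hash_file(img) == ref
        return ok, tampered_ok


if __name__ == "__main__":
    verified, after_tamper = demo()
    print("image verified:", verified, "| verified after tampering:", after_tamper)
```

Recording the reference hash alongside the image is what lets an examiner later prove the copy examined is the one taken from the original.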
The key to the usability of computer forensics in court is often the actual investigator. Colbert said there is a growing demand for Guidance Software's EnCE certification (EnCase Certified Examiner). The certification qualifies the individual as an expert in the field of computer forensics. It empowers the EnCE to render an expert opinion in court, and adds weight to his credibility.
"Everybody that handles a file has to be ready to testify about it," Brill said. "You never know if what you're doing may be part of the criminal case." He advised investigators to stay current with technology. Every time hardware or software is upgraded, a potential investigator must be updated.