Uses of Computer Forensics




Computer forensics can be used in hundreds of ways. In the realm of serious crime, forensics is invaluable in tracking down the people behind acts of terrorism, murder, rape, blackmail, and money laundering. Forensics is also of value in such areas as theft of intellectual property, destruction or misappropriation of data, alteration of data, misuse of programs, use of unlicensed software, illegal duplication of software, and unauthorized access to a network or system. For human resources departments, forensics can prove useful in detecting unauthorized use of a company's computer for private gain, unauthorized access to confidential data, downloading and distribution of pornographic material, and misuse of e-mail, as well as in the resolution of employment disputes and dealing with hiring and firing matters.

Recovering Evidence

When looking for incriminating evidence in computers, the place to start is the My Documents folder. Less sophisticated criminals are sometimes caught because they kept incriminating material immediately accessible in such an easy-to-find location. Then, of course, the many records kept by e-mail programs can be accessed. The Microsoft antitrust trial, for example, focused on e-mailed statements from Bill Gates regarding Microsoft's competitor, Netscape Communications. Since then, electronic discovery has assumed a vital role in many types of litigation. Groups such as Electronic Evidence Discovery (www.eedinc.com) estimate that 70 percent of corporate data exists only electronically and is never written down, up from 30 percent a few years ago. So the old notion of the FBI rolling in with several trucks and leaving with hundreds of file cabinets is changing. These days, they may still take some file cabinets, but these will be accompanied by dozens of servers and PCs.

Among the other places to look for evidence are Microsoft Outlook's Inbox, Deleted Files, and Sent Files. Besides the perpetrator's desktop, e-mail can sometimes also be recovered from corporate servers, backup tapes, ISPs, or the machines of recipients. Even data that has apparently been lost in deleted files can be recovered. If permanently deleted, it can still sometimes be recovered directly from the hard drive, provided it has not been overwritten.

Printed versus Electronic Versions

Rules of information discovery permit lawyers to receive printouts of computer data; however, this may not be the best way to retrieve data. Why? A computer-generated document is not necessarily the same as the printed version. Electronic files typically contain information that never appears on the screen or in the printed version of the file. This type of invisible material is known as metadata — information that the computer uses in processing files, such as when a document was created and by whom, when it was last modified and by whom, and on which computer it was created. Over 1000 bits of information, for example, travel along with each and every Microsoft Outlook e-mail. This type of data is kept as a record in the normal course of business but will never show up if someone provides only a paper copy of the document; yet, incriminating evidence may be stored away as metadata. Fortunately, lawyers and criminal investigators are getting wise to such things.

While the computer user does not actually create such metadata, other types of information are intentionally created but do not show up on paper. Deleted text is a prime example. When a person revises a document, deleted text may still be part of the file, even though it does not show up on the screen or when the document is printed out. In some cases, it is even possible to extract earlier versions of a document from the electronic version. I have seen this happen to someone who made some derogatory comments about someone and then deleted them in the final version of the document. Unfortunately, the deleted text was revealed when the Reject Deletion key under Microsoft Word's Track Changes function was used. In addition to Microsoft Word, database and spreadsheet programs also have collaborative features that retain deleted or revised text. All of these comments, as well as who made them and when, are also part of the electronic file, but not the paper version.
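The difference between the paper view and the electronic file, as an added example that is not from the book: the Python below reads authorship metadata and tracked deletions that never appear in a printout. It assumes the current .docx (Office Open XML) container rather than the binary .doc format of the book's era, and the sample document, names, and dates are constructed for illustration.

```python
import io, zipfile
import xml.etree.ElementTree as ET
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}

def build_sample_docx():  # constructed sample: only the two parts read below
    document = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:t xml:space="preserve">The proposal is acceptable</w:t></w:r>'
        '<w:del w:id="1" w:author="J. Smith" w:date="2003-04-01T09:15:00Z">'
        '<w:r><w:delText xml:space="preserve">, though the figures look inflated</w:delText></w:r>'
        '</w:del><w:r><w:t>.</w:t></w:r></w:p></w:body></w:document>')
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>J. Smith</dc:creator>'
        '<cp:lastModifiedBy>A. Jones</cp:lastModifiedBy>'
        '<dcterms:created>2003-03-30T14:00:00Z</dcterms:created>'
        '<dcterms:modified>2003-04-01T09:20:00Z</dcterms:modified></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

def _part(docx_bytes, name):  # parse one XML part out of the zip container
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return ET.fromstring(z.read(name))

def core_properties(docx_bytes):  # who created/modified the file, and when
    root = _part(docx_bytes, "docProps/core.xml")
    fields = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
              "created": "dcterms:created", "modified": "dcterms:modified"}
    return {k: root.findtext(path, namespaces=NS) for k, path in fields.items()}

def visible_text(docx_bytes):  # what shows on screen or paper with deletions hidden
    root = _part(docx_bytes, "word/document.xml")
    return "".join(t.text or "" for t in root.iter(f"{{{W}}}t"))

def tracked_deletions(docx_bytes):  # deleted runs still stored, with author and time
    root = _part(docx_bytes, "word/document.xml")
    return [{"author": d.get(f"{{{W}}}author"), "date": d.get(f"{{{W}}}date"),
             "text": "".join(t.text or "" for t in d.iter(f"{{{W}}}delText"))}
            for d in root.iter(f"{{{W}}}del")]

if __name__ == "__main__":
    for fn in (core_properties, visible_text, tracked_deletions):
        print(fn.__name__, "->", fn(build_sample_docx()))
```

When examining real evidence, run such a reader against a verified working copy, never the original file.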






Server Disk Management in a Windows Environment
Year: 2003
Pages: 197
