Showing posts with label computer evidence.

Wednesday, 22 November 2017

We can recover Computer Evidence quickly and easily!

People use their computers for almost everything, and many of these things can be used against you: hiding money, illegal activities, inappropriate emails and just about anything else you can think of.

Often, if you are trying to hide something, you’ll make an effort to completely clean out your computer by deleting “everything” and reformatting. The problem is, when you contact IT support and you are told that all is lost, they probably have no idea what a digital forensic investigator can do!


The harsh truth is that the evidence is still there, waiting to be found; you just can’t see it. The only question is: do you want it recovered or not?

Many businesses that have a disgruntled employee, or feel that an employee is involved in unacceptable activities at work, may want to acquire some digital evidence. They can use a digital forensic investigator to recover all the evidence that they need.

At the TCG Digital Forensics Division, we are pleased to provide all the evidence that you need from a computer, cellular device, laptop or tablet. The obvious advantage that we have is that we recover digital evidence that few others could and keep all affairs private!

Need something recovered? Don’t hesitate to give us a call on 079 691 0138 or email craig@tcgforensics.co.za


Wednesday, 6 July 2016

When should you consider using computer forensics?

If any form of digital information is even remotely involved in a case or legal situation, a computer forensic examination will be required. Digital information has invaded virtually every aspect of our day-to-day existence and has become a basic component of our lives. From computers to smartphones to social networking, digital information plays a crucial role in almost every case.

Computer forensics differs from data recovery, which is the recovery of data after an event affecting the physical data, such as a hard drive crash. Computer forensics goes much further: it is a complete computer examination, with intricate analysis of digital information being the ultimate goal.


For a successful forensics examination, you must have all the information relevant to a matter, not only to construct effective legal strategies, but also to focus your expectations and efficiently budget your services. There is nothing more difficult to address than a case which has become complicated by new facts, where you once expected the matter to proceed smoothly and without significant cost. Knowing all the facts early in a matter allows you to better prepare for those cases that will require significant legal expertise to manage.

In response to pending litigation, analysing your relevant electronically stored information (ESI) is an excellent way to discharge your duties to preserve evidence and avoid spoliation, while also acquiring all relevant information essential to your legal theories and strategies. Similarly, as part of critical business decisions, forensically analysing relevant computers and devices can provide essential information. For example, analysing the computers of corporate officers or employees as part of the termination process can alert you to possible litigation issues such as violation of non-compete agreements, improper copying of intellectual property, etc.

To prepare for litigation, an attorney ought to determine whether a Request for Production of Documents will obtain all relevant evidence. A simple question to ask is whether you want to discover part of the relevant information (i.e. what is visible to your opponent’s operating system) or all of it (deleted, hidden, orphaned data, etc.). It is not unrealistic to anticipate that information contained on a computer system which is helpful to a matter would be saved, while that which is harmful would be deleted, hidden, or rendered invisible. For example, in sexual harassment cases, it is not unusual to discover deleted emails and other data invisible to the operating system that significantly impact the case. Computer forensic analysis extracts all the emails, memos, and other data that can be viewed with the operating system, as well as all invisible data. In many cases, the invisible data completely changes the nature of a claim or defense, often leading to early settlement and avoiding surprises during litigation.

In any situation in which one or more computers may have been used in an inappropriate manner, it is essential to call a forensic expert. Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use. Taking the wrong steps in these circumstances can irrevocably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.


Digital, computer and mobile forensics requires much more than what you may think. At DLA, our seasoned investigators use a special set of skills and tools to recover or find the digital data that you need!

Wednesday, 29 June 2016

How Computer Forensics Works - Standards of Evidence

If the investigators believe the computer system is only acting as a storage device, they usually aren't allowed to seize the hardware itself. This limits any evidence investigation to the field. On the other hand, if the investigators believe the hardware itself is evidence, they can seize the hardware and bring it to another location. For example, if the computer is stolen property, then the investigators could seize the hardware.


In order to use evidence from a computer system in court, the prosecution must authenticate the evidence. That is, the prosecution must be able to prove that the information presented as evidence came from the suspect's computer and that it remains unaltered.

Although it's generally acknowledged that tampering with computer data is both possible and relatively simple to do, the courts so far haven't discounted computer evidence completely. Rather, the courts require proof or evidence of tampering before dismissing computer evidence.

Another consideration the courts take into account with computer evidence is hearsay. Hearsay is a term referring to statements made outside of a court of law. In most cases, courts can't allow hearsay as evidence. The courts have determined that information on a computer does not constitute hearsay in most cases, and is therefore admissible.

If the computer records include human-generated statements like e-mail messages, the court must determine if the statements can be considered trustworthy before allowing them as evidence. Courts determine this on a case-by-case basis.


DLA is based in Cape Town and combines the experience of two seasoned investigators with both criminal and civil backgrounds with the latest technologies to follow the electronic trail and find the digital evidence you need!

Wednesday, 15 June 2016

Computer Forensics Basics – How it works

The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations.

For example, just opening a computer file changes the file -- the computer records the time and date it was accessed on the file itself. If detectives seize a computer and then start opening files, there's no way to tell for sure that they didn't change anything. Lawyers can contest the validity of the evidence when the case goes to court.

Some people say that using digital information as evidence is a bad idea. If it's easy to change computer data, how can it be used as reliable evidence? Many countries allow computer evidence in trials, but that could change if digital evidence proves untrustworthy in future cases.

Computers are getting more powerful, so the field of computer forensics must constantly evolve. In the early days of computers, it was possible for a single detective to sort through files because storage capacity was so low. Today, with hard drives capable of holding gigabytes and even terabytes of data, that's a daunting task. Detectives must discover new ways to search for evidence without dedicating too many resources to the process.

What are the basics of computer forensics? What can investigators look for, and where do they look? Find out when the digital forensic experts from DLA discuss the steps in collecting evidence from a computer.


Tuesday, 16 February 2016

What to do if a computer in your business contains important evidence

First of all – STOP using the computer or device! Any use of it may damage or taint any evidence present. If the suspected computer is turned off, then leave it off.


If the computer or device is on, do not go through the normal “Shut Down” process… rather call the digital forensic experts first.

Do not allow your internal IT staff to conduct a preliminary investigation.

It is important to recognise that all you have initially is information and data, not actual evidence. Unless your IT staff is certified in computer forensics and trained on evidentiary procedures (very few are), they most likely have not followed other accepted evidence techniques. 

Another thing to keep in mind is that even if proper evidence handling techniques have been used, the collection process itself has most likely changed or altered the data collected. By opening, printing and saving files, the meta-data is changed! Lastly, the simple act of just turning on the computer changes files and caches, which, along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was present.

Depending on the damage done, a skilled computer forensic specialist may be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than it should. It is also important to bear in mind that it is not always possible to restore evidence from computers that have been mishandled.
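
The effect described above, where opening and re-saving a file alters its metadata even though nothing in it was edited, can be shown with a before/after snapshot. This is an added Python example, not part of the original post; the file name, the backdated timestamp and the use of a SHA-256 content hash are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(path):
    """Record the fields an examiner would compare: size, mtime, content hash."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}


def changed_fields(before, after):
    """Names of the recorded fields that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "memo.txt")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"constructed sample document\n")
        # Backdate the file so it looks like it was last saved in December 2015.
        os.utime(path, (1_450_000_000, 1_450_000_000))
        baseline = snapshot(path)

        # A well-meaning "open it and hit Save" with no edits at all.
        with open(path, "rb") as f:
            data = f.read()
        with open(path, "wb") as f:
            f.write(data)
        resaved = changed_fields(baseline, snapshot(path))

        # An actual edit: one byte appended.
        with open(path, "ab") as f:
            f.write(b"x")
        edited = changed_fields(baseline, snapshot(path))
    return resaved, edited


if __name__ == "__main__":
    resaved, edited = demo()
    print("changed after re-save:", resaved)
    print("changed after edit:   ", edited)
```

The re-save leaves the content hash identical but replaces the original last-modified time, which is exactly the kind of timeline information an untrained preliminary look destroys.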


Keep a detailed log of who had access, what was done and where the computer has been stored since the dates in question.

Computer forensics may be an unknown and mysterious discipline to many, but it is easy to avoid the most common mistakes by following the guidelines outlined! Only use certified digital forensic experts, such as the professionals from DLA. Contact them today and get the job done right.

Thursday, 21 January 2016

This gruesome murder case was solved by computer forensics after 30 years of searching

For more than 30 years, the case of the BTK serial killer stood as one of the biggest unsolved mysteries in America. Police spent thousands of hours and millions of dollars trying to figure out the identity of this man, who killed 10 people in and around Wichita, Kansas, between 1974 and 1991.


But, on the 16th of February 2005, in a few short hours computer forensic specialists accomplished what police had failed to do for more than 30 years – they identified the BTK killer as a man named Dennis Rader! This case remains the most famous ever solved by computer forensics.

The case started on the 15th of January 1975, when Dennis Rader killed four members of the Otero family. Over the next 15 years, he would admit to killing six more female victims.

As he was committing these murders, Rader would taunt police by sending them bizarre notes. His first note was found in the Wichita Public Library; in it he claimed responsibility for the Otero murders and provided details only the police would know. He also promised that he would kill again and suggested a nickname for himself – BTK (Bind, Torture, Kill).

Rader went on to write numerous letters to the police, including twisted poems, puzzles and pictures. Sometimes he would send the letters straight to the police and other times he would mail them to the media or hide them somewhere.

Local police worked with the FBI and spent thousands of hours studying these communications. They hired the best criminal psychologists, followed up on every possible lead and interviewed thousands of people. Even with so much evidence and effort, police were still unable to tie any of the murders to Dennis Rader.

It was not until 2004, after 10 years of silence from the BTK killer, that police finally caught a break. That year, Rader resumed his communications with police. He sent them a Word document on a floppy disk that computer forensic experts immediately examined.

By using special forensics software, police were able to pull up a Word document that had been deleted. The document revealed a clue – it had last been modified by someone named Dennis at Christ Lutheran Church. A quick search of the church’s website revealed that Dennis Rader was actually the president of the church’s congregation council!

Police were then able to quickly link Rader to the BTK murders.


Today, computer forensics is used more than ever to solve crimes, such as murder, kidnapping, fraud and embezzlement. Forensic investigators are able to dig up information that was thought to be long gone on cellphones, computers, laptops, hard drives and chats. The tools these experts use are growing more and more advanced every day.

Looking for professional forensic investigators to find the digital evidence that you need? At DLA, two seasoned investigators join forces and use the latest technologies to weed out the results that you're looking for!

Wednesday, 9 September 2015

Recover computer evidence quickly and easily!

People use their computers for almost everything, and many of these things can be used against you: hiding money, illegal activities, inappropriate emails and just about anything else you can think of.

Often, if you are trying to hide something, you’ll make an effort to completely clean out your computer by deleting “everything” and reformatting. The problem is, when you contact IT support and you are told that all is lost, they probably have no idea what a digital forensic investigator can do!

The harsh truth is that the evidence is still there, waiting to be found; you just can’t see it. The only question is: do you want it recovered or not?


Many businesses that have a disgruntled employee, or feel that an employee is involved in unacceptable activities at work, may want to acquire some digital evidence. They can use a digital forensic investigator to recover all the evidence that they need.

We at DLA are pleased to provide all the evidence that you need from a computer, cellular device, laptop or tablet. The obvious advantage that we have here at DLA is that we recover digital evidence that few others could and keep all affairs private.

Need something recovered? Don’t hesitate to give DLA a call.