The Truth is in There: Sleuthing for Data with Digital Forensics

Page 1 of 3

As the computer becomes more intertwined in our every action, it naturally follows that digital information will become increasingly important in legal processes as well. Today, digital information is increasingly used as evidence in criminal and civil cases and companies are leveraging digital evidence to quietly change an employee's behavior, force out a bad apple, or to file charges.

Within the bowels of our hard drives lie email threads and instant messaging histories. Within our browsers lurk the history and browser cache, which leave footprints of what websites we have visited and when. We leave documents, metadata, and other digital bric-a-brac every time we interact with a computer, and all of this information can be used by investigators to identify who did what and when.

But beyond the obvious places one could find information, there are hidden spots most of us probably don't even know exist, such as the Windows swap file or the unallocated space on your hard drive. Did you know, for instance, that when you delete a file, it doesn't actually go away? Instead, the operating system simply marks the hard drive space as available; the file's bytes stay on the disk until something else overwrites them. Investigators can extract data from this unallocated space with special digital forensic tools.
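To make the deletion point concrete, here is a small added example (not from the article or any of the vendors it quotes) that models a toy disk with a directory table: deleting a file only drops its table entry, and a signature-based carver then recovers the file from the blocks no longer referenced by any entry. The block size, the `ToyDisk` layout and the sample file contents are constructed for illustration; the JPEG header and trailer bytes are the real magic values.

```python
# Added example: why "deleted" data survives in unallocated space and how
# header/trailer carving recovers it. ToyDisk is a constructed model.
from dataclasses import dataclass, field

BLOCK = 64                                # toy block size (real: 512/4096)
JPEG_HEADER, JPEG_TRAILER = b"\xff\xd8\xff", b"\xff\xd9"   # real JPEG magic


@dataclass
class ToyDisk:
    nblocks: int
    image: bytearray = field(init=False)
    table: dict = field(default_factory=dict)   # name -> (first_block, count)

    def __post_init__(self):
        self.image = bytearray(self.nblocks * BLOCK)

    def allocated_blocks(self) -> set:
        return {b for s, n in self.table.values() for b in range(s, s + n)}

    def write(self, name: str, data: bytes) -> None:
        need = -(-len(data) // BLOCK)                     # ceiling division
        free = set(range(self.nblocks)) - self.allocated_blocks()
        start = next(b for b in sorted(free)
                     if all(b + i in free for i in range(need)))
        self.image[start * BLOCK:start * BLOCK + len(data)] = data
        self.table[name] = (start, need)

    def delete(self, name: str) -> None:
        del self.table[name]      # directory entry gone; data blocks untouched

    def unallocated_bytes(self) -> bytes:
        used = self.allocated_blocks()
        return b"".join(self.image[b * BLOCK:(b + 1) * BLOCK]
                        for b in range(self.nblocks) if b not in used)


def carve_jpegs(raw: bytes) -> list:
    """Return every header...trailer run that looks like a JPEG in raw bytes."""
    found, pos = [], 0
    while (start := raw.find(JPEG_HEADER, pos)) != -1:
        end = raw.find(JPEG_TRAILER, start + len(JPEG_HEADER))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(JPEG_TRAILER)]))
        pos = end + len(JPEG_TRAILER)
    return found


def demo() -> list:
    disk = ToyDisk(nblocks=8)
    photo = JPEG_HEADER + b"constructed photo payload" + JPEG_TRAILER
    disk.write("notes.txt", b"plain notes, not a jpeg")
    disk.write("photo.jpg", photo)
    disk.delete("photo.jpg")                      # vanishes from the listing
    return carve_jpegs(disk.unallocated_bytes())  # but is carvable from free space
```

Real carvers (and the swap file the article mentions) work the same way at scale: nothing in the directory points at the bytes any more, but the signatures still do.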

Chances are, if you have done something with your computer—even if you password protected it, applied enterprise digital rights management, or deleted it—determined investigators will find it. In fact, a whole industry has developed around helping government, law enforcement, and enterprises follow digital evidence trails and extract the bits and bytes that trace the path of our digital lives.

Forensic Meaning
Digital forensics involves researching a hard drive (or network) to find evidence of wrong-doing, says Brian Karney, director of project management at Guidance Software, a company that makes EnCase, one of the leading digital forensics software tools. "It boils down to people using data investigation to get answers," Karney says. "What makes digital forensics different from regular content is the fact that the data itself is very fragile," he says.

Brian Carrier, Ph.D., who is director of digital forensics at Basis Technology Corporation, a company that uses multilingual language tools to help investigators extract digital information in multiple languages (and also author of the book, File System Forensic Analysis, An Illustrated Reference), says the term "digital forensics" means different things to different people. "It's one of those terms that's a good buzzword," Carrier says, but how people define it depends on the job at hand. "Law enforcement says you must follow the rules of the law to present the results in court, while companies may use digital forensics to do internal investigations, but the results may not be used in court, so they may not follow the same thoroughness of handling evidence." Both are valid, Carrier says, but because there are two distinct purposes, he prefers a different term. "I actually personally prefer the term 'digital investigation' over digital forensics just because it is more of a general term and doesn't throw in the whole legal requirement of evidence handling," he says.

P. Kevin Smith, VP of North American sales at LTU, a company whose software searches images for evidence of wrongdoing—whether that involves child pornography, counterfeiting, or brand or trademark violations—sees digital forensics in broader context. "From our vantage point, digital forensics goes into the investigation of digital data, be it on a hard drive or over a network or the web used for investigative purposes involving law enforcement, private investigation, or competitive intelligence," Smith says. 

Corporate vs. Criminal 
Karney identifies two possible investigative scenarios: People using a computer to perpetrate a crime against other people (whether directly or indirectly) or people using a computer against another computer, such as in a hacking scenario. Both could involve corporate or criminal investigations. The corporate investigator might want to track a hacking incident, find evidence of embezzlement, employee-to-employee harassment, or intellectual property theft, while a government investigator could be tracking terrorist activity on an internet café computer. A criminal investigator might use instant messaging threads between co-conspirators to help build a case in a murder investigation. 

Karney says that corporations haven't always been active investigators and that is a relatively recent phenomenon. "What has happened over the years is what was started as being more focused on government applications and law enforcement, dealing with [criminal activity] and whatnot, has evolved into something where most commercial organizations are dealing with various types of business challenges, and that involves getting access to information to make decisions about it," Karney says.  

*Please note that the phrase "The truth is in there" is a registered trademark of FDR Forensic Data Recovery, Inc., and may not be used without permission. See for more details.