Computer Forensics 101
Article by Rick Leinecker, October 13, 2006

I was sick to my stomach after hanging up the phone. A coworker called and needed help. She had been physically abused for two years by a husband who also cheated on her. She told me that she had their computer, and was sure that there was evidence on it that would help her in court. Fortunately, I am an expert at computer forensics, which includes the skills needed to investigate and extract information from computers. And it would be a pleasure to help someone out in this situation.

Okay, so what kind of information can you expect to get from a computer? Potentially there is plenty of information that can be useful. For starters, there might be a lot of saved documents such as letters that may be significant. Imagine how important finding dozens of letters to an extramarital girlfriend would be. And even if the letters have been deleted, there's still a good chance that they can be recovered.

You can get the web browser history. (This includes both Internet Explorer and Mozilla Firefox.) The browser history lists the web sites that have been visited recently (usually the last 20 days, or more if the computer hasn't been used recently). This may be important if the person in question visited questionable or illegal sites.

You can also retrieve emails that have been read on the computer. If the email account is protected by a password, that's simply another step. Email passwords can often be easily cracked, and then local copies of emails can be retrieved, read, examined, and saved to secondary media.

Pictures can tell a story, too. There might be pictures of girlfriends or boyfriends, or activities that are somehow suspect. And here again, pictures that have been deleted can be recovered in many cases.

The one thing that may not be available is previous instant messaging conversations. These are rarely saved to disk, and are therefore almost impossible to retrieve. In rare cases they may have been saved to disk, but don't count on it. Unfortunately, this may be the one area that would be most useful when a relationship is being investigated.

You can get some information just by opening My Computer and browsing the files that are on the hard drive. But most of the important information such as the browser history and password-protected emails can only be retrieved by using special software.

When you're deciding who will examine the computer, there are two things to remember. The first is that it almost always requires special software in order to do a full investigation. The second thing is that by simply using the computer you may be destroying evidence. It's kind of like walking through a crime scene; you have to be very careful not to corrupt the evidence. Don't ask the teenager next door to examine the computer unless they are certified computer forensics technicians because it's a complicated process and they may corrupt the evidence.

Someone who is trying to cover their tracks may get rid of some of the evidence. Files can be deleted, browser histories can be cleared, and emails can be removed. But the evidence can still be recovered most of the time by a qualified computer forensics technician.

I can't tell you what I found after examining my coworker's computer because of confidentiality restrictions, but it was worth the time for me to do the investigation. If you have any questions about what's on a computer and you really need to know, you should have it examined.

If you live in Rockingham County and you need computer forensics help, you're in luck. There's a web site at www.ComputerForensicsRC.com (Computer Forensics Rockingham County) where you can find out the information you need in order to get whatever services you need.

That's the introduction to computer forensics.