Computer Forensics: Data Recovery & Analysis


The objective of computer forensic analysis is to determine the facts as stored on digital evidence in a non-biased and objective manner.

Knowing where and how to look can reveal facts that would otherwise be hidden.

Each investigation presents unique challenges and the examiner faces many tasks:

  • First and foremost is to ensure the integrity of the digital evidence so it will be admissible in a court of law;
  • Conduct detailed timeline analysis to reconstruct events
  • Determine the origin and history of electronic documents
  • Tie different pieces of digital evidence together
  • Prepare demonstrative exhibits for an ongoing investigation or court
  • Assist counsel with preparing for depositions
  • Provide expert witness testimony


Computer forensic analysis is involved with different types of investigations that may involve:

  • The recovery of hidden and deleted data
  • Identify who created a file or email message
  • Investigation of unauthorized activity violating company policy such as descrimnation, harassment, or inappropriate Internet activity.
  • Tie different pieces of digital evidence together
  • Prepare demonstrative exhibits for an ongoing investigation or court
  • Exfiltration of sensitive company information


Types of computer forensic data analysis:

Disk Forensics: Involves the preservation and analysis of digital storage devices, such as internal and external hard drives, removable and portable media, optical media (CD’s and DVD’s), cell phones, and mobile devices.

Email Forensics: Involves the analysis of electronic mail, such as the origination and actual sender, the date and time stamps, and the authenticity of the content (if it has been tampered with).

Internet Forensics: Involves the analysis of user activity associated with specific websites or content and determine whether the activity was intentional or accidental.

Network Forensics:Involves the analysis of captured network traffic, server logs, and other types of event logs.


Use of internal staff for internal investigations

We are often brought in to conduct internal investigations that are based on a wide range of allegations. Some of the pitfalls that some companies experience are based on using internal IT resources to conduct a sort of pre-investigation. While IT groups are used to dealing with sensitive information, they are often not equipped to properly preserve and analyze digital evidence. Additionally, they could be called upon to testify as expert witnesses, which is something they are likely unprepared to handle.

Since some allegations can quickly escalate into a large incident, serious consideration should be given about bringing in an expert during the initial stage. Using a third party expert helps to maintain confidentiality of an investigation and also brings an impartial investigator. We have been brought into internal corporate investigations for this very reason.

By starting in the initial stage of an investigation, the examiner can provide consulting about proactive investigation techniques that can be employed as part of the investigation.