INFORMATION FORENSICS FREQUENTLY ASKED QUESTIONS

What can be learned from examining the hard drive of a computer?
What does a computer forensic analyst do?
How does T3i DTL access the information on my computer?
What is "Computer Forensics"?
What is "Electronic Evidence"?
When would we need to do forensics?
Why shouldn’t we let our employees (IT staff) do our own collection?
Can The T3i DTL find "deleted" files?
What should be included in a forensic examination report?
Is it possible to determine when files were deleted?
Why can't I simply turn on the computer and check for the evidence myself?

What can be learned from examining the hard drive of a computer?

Activity on a computer leaves work files, text files, graphic files, audio files, deleted files (if not overwritten), hidden files, system files, and logs that can be used to trace a user's activity. Correspondence, tax and accounting records, addresses and phone numbers, presentation files, business plans, calendaring information, task lists, email messages, Internet activity, downloaded files, word processing documents, and spreadsheets are frequently recovered from magnetic media – all may contain significant evidence.

We can usually tell what a computer was used for, when it was used, what the user has done on the Internet (and when), and recover much of what the user wrote, read or viewed on the computer.

What does a computer forensic analyst do?

The first rule of computer forensic evidence analysis is "don't alter the evidence in any way." The simple act of turning on a computer can alter or destroy any evidence that might be there. The search for evidence on a computer should only be done by a trained and experienced computer forensic examiner.

The examiner will document all work, write-protect all media, make copies of media (often referred to as a mirror image), perform an examination and analysis on the copies, and prepare a written report. Extra copies of the mirror images are often prepared for other investigators, attorneys or the opposing side. You may get the copies on CD-ROMs, tapes, or some other media. Even these copies will need to be analyzed by an experienced professional.
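The imaging and verification step described above, as an added example that is not T3i DTL's tooling: the source media is opened read-only, copied block by block, hashed while it is read, and the finished image is hashed again so that any later copy (for another investigator or the opposing side) can be checked against the original acquisition record. The file paths, the examiner name and the case identifier are constructed placeholders.

```python
"""Forensic image acquisition and verification (added example).

Models the "mirror image" step: read the source media block by block
without ever opening it for writing, hash the source while imaging, hash
the finished image, and record both hashes plus the examiner's identity
in an append-only chain-of-custody log. Hardware or software write
blocking of the physical device is assumed to be in place before this
runs; it cannot be shown portably in Python.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 64 * 1024  # fixed-size reads, as imaging tools do


def sha256_file(path):
    """Hash a file block by block so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source_path, image_path, examiner, case_id):
    """Copy source_path to image_path and return the acquisition record."""
    source_hash = hashlib.sha256()
    bytes_read = 0
    # The source is opened read-only; the image is the only file written.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(BLOCK_SIZE)
            if not block:
                break
            source_hash.update(block)
            dst.write(block)
            bytes_read += len(block)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "bytes": bytes_read,
        "sha256_source": source_hash.hexdigest(),
        "sha256_image": sha256_file(image_path),  # re-read from disk, not from memory
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def verify_image(image_path, record):
    """Re-hash any copy of the image and compare it with the acquisition hash."""
    return sha256_file(image_path) == record["sha256_source"]


def append_custody_log(log_path, record):
    """One JSON line per event; the log is only ever appended to."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")


def demo():
    """Image a constructed 'disk', verify it, then show a tampered copy failing."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_disk.bin")   # stand-in for a drive
    image = os.path.join(workdir, "evidence_disk.dd")
    # Constructed sample media: 200 KiB of patterned bytes.
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 800)
    record = acquire_image(source, image,
                           examiner="J. Doe (placeholder)", case_id="case-0001")
    append_custody_log(os.path.join(workdir, "custody.log"), record)
    # A working copy with a single flipped byte: verification must reject it.
    tampered = os.path.join(workdir, "working_copy.dd")
    data = bytearray(open(image, "rb").read())
    data[100] ^= 0xFF
    with open(tampered, "wb") as f:
        f.write(data)
    return record, verify_image(image, record), verify_image(tampered, record)


if __name__ == "__main__":
    rec, ok_image, ok_tampered = demo()
    print(json.dumps(rec, indent=2))
    print("image verifies:", ok_image, "| tampered copy verifies:", ok_tampered)
```

The point of hashing the source during the read and the image afterwards, rather than hashing the image alone, is that it proves the image matches what was on the media at acquisition time; the same record is what a second examiner uses to confirm that the copy handed to them is unaltered.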

How does T3i DTL access the information on my computer?

How the information is collected depends on the situation. In cases where chain of custody is of paramount concern, a team from T3i DTL will respond to the computer location and collect the information by making a forensic copy of the computer storage. Other cases allow for the computer to be shipped directly to the T3i DTL lab in Atlanta. Where downtime is unacceptable, the acquisition of the computer information can be done after hours and on-site. State-of-the-art forensic imaging software and hardware are used to reduce the average on-site time to a few hours.
What is "Computer Forensics"?

"Computer Forensics is the process of identifying, preserving, extracting, and producing electronic evidence (including deleted data) on all types of electronic storage media. It is often applied to the most heavily litigated areas today: intellectual property, trade secrets, and fraud."

Information can be found in places other than the disk's file directories and folders. Software tools can extract data from deleted files that haven't been overwritten, and from file fragments that were not replaced by new data when a new file was written to the disk.

Simply turning on the computer and searching for data can cause spoliation. T3i has the technical expertise to ensure proper chain of custody and flawless processing of electronic evidence.

Relevant information is prepared in a format that will be easily used and understood in a court of law. The methods used can be demonstrated to be sound. Information found in this way can be used either to convict or to exonerate depending on each case.

What is "Electronic Evidence"?

Electronic evidence is any computer-generated data that is relevant to a case. Included are email, text documents, spreadsheets, images, database files, deleted email and files and back-ups. The data may be on floppy disk, zip disk, hard drive, tape, CD or DVD.

When would we need to do forensics?

Computer forensics investigators examine computer hardware and software using legal procedures to obtain evidence that proves or disproves allegations. Gathering legal evidence is difficult, and requires trained specialists who know computers, the rules of evidence gathering and how to work with law enforcement authorities.

Computer forensics examiners should be called in when a threat to a company's business and reputation is serious. Any organization that does not have a way to detect and stop malicious behavior can be victimized with no legal recourse. Preserving evidence according to Federal Rules of Evidence gives choices that otherwise would not exist. When an intruder attacks or steals from an organization, the ability or threat to get law enforcement involved may be the only way to reduce the damage or prevent future occurrences. Gathering computer evidence also is useful for confirming or dispelling concerns about whether an illegal incident has occurred and for documenting computer and network vulnerabilities after an incident.

Companies employ computer forensics when there is serious risk of information being compromised, a potential loss of competitive capability, a threat of lawsuits or potential damage to reputation and brand. Some companies regularly use forensic investigations to check employee computers. In theory, employees are less tempted to stray when they know they are being watched.

Why shouldn’t we let our employees (IT staff) do our own collection?

A significant area of risk arises if company employees are allowed to determine which data residing on their computers or storage media is potentially relevant.

There are multiple problems inherent in employee data selection and collection:
  • There may be an inconsistent understanding or interpretation among employees as to what constitutes relevancy.
  • The lack of a cohesive collection strategy may make the data unreliable.
  • Having employees copy their information over to a centralized location creates a significant risk of data alteration resulting from automatic updating functions within word processing and spreadsheet programs (“AutoSave”), as well as viral exposure.
  • Employees who are involved in the data collection are immediately made fair targets for being called to testify regarding the completeness and accuracy of their data collection. There are few things as frustrating as finding a smoking gun, only to have it declared inadmissible.

Can The T3i DTL find "deleted" files?

Yes. Files that have been accidentally deleted from your computer can be recovered through our forensic process. In many cases, whole files or file fragments can be found. Even if data has been deleted, it is possible to find evidence that the file was once present or evidence showing that the files were in fact deleted. Preserving the information is the first important step. Discontinue use of the computer and immediately contact The T3i DTL for direction on how to proceed. The T3i DTL has a high rate of success in recovering these files.
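How recovery of deleted data works in practice, as an added example that is not T3i DTL's own process or software: a deleted file's directory entry is gone, but its bytes usually remain on the media until overwritten, so a carver scans the raw image for known file headers and footers without relying on any file system. It reports both complete files and header-only fragments, which is the "evidence that the file was once present" the answer above refers to. The disk image here is constructed in memory; the two signatures are the real JPEG and PNG markers.

```python
"""Signature-based file carving from a raw disk image (added example).

Scans a raw image for file-format headers, looks for the matching footer,
and reports each hit as a complete carve or a header-only fragment. Works
on unallocated space because it ignores the file system entirely.
"""
import hashlib
import re

# Real header/footer markers: JPEG starts FF D8 FF and ends FF D9; a PNG
# starts with the 8-byte signature and ends with the IEND chunk, whose CRC
# is always AE 42 60 82.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer beyond this distance


def carve(image, signatures=SIGNATURES, max_carve=MAX_CARVE):
    """Return carved files/fragments as dicts, sorted by offset in the image."""
    results = []
    for kind, (header, footer) in signatures.items():
        # re.finditer gives every header occurrence; embedded thumbnails inside
        # a JPEG will also match, which is why examiners review carves by hand.
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            end = image.find(footer, start + len(header), start + max_carve)
            if end == -1:
                # Header present, footer missing: the file was there once but
                # its tail has been overwritten or lies outside the window.
                results.append({"type": kind, "offset": start, "length": None,
                                "complete": False, "sha256": None})
                continue
            end += len(footer)
            blob = image[start:end]
            results.append({"type": kind, "offset": start, "length": len(blob),
                            "complete": True,
                            "sha256": hashlib.sha256(blob).hexdigest()})
    return sorted(results, key=lambda r: r["offset"])


def build_sample_image():
    """Constructed image: filler, a JPEG, filler, a PNG, filler, a truncated PNG."""
    # Deterministic filler that never contains 0xFF or the PNG markers.
    filler = bytes((i * 7 + 3) % 251 for i in range(4096))
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0" + b"\x00" * 50 + SIGNATURES["jpeg"][1]
    png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    truncated_png = SIGNATURES["png"][0] + b"\x00" * 20   # footer overwritten
    return filler + jpeg + filler + png + filler + truncated_png + filler


def carve_report(image):
    """Human-readable one-line-per-hit summary of a carve."""
    lines = []
    for r in carve(image):
        status = "complete, %d bytes" % r["length"] if r["complete"] else "fragment (no footer)"
        lines.append("%-4s @ offset %6d: %s" % (r["type"], r["offset"], status))
    return lines


if __name__ == "__main__":
    for line in carve_report(build_sample_image()):
        print(line)
```

Each complete carve is hashed as it is extracted so the recovered file can be tied back to the image it came from in the examination report; the fragment entries are kept rather than discarded because a header with no usable body can still establish that a file of that type once existed on the media.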

What should be included in a forensic examination report?

As with the examination of any evidence, a well-documented chain of custody is a must. A forensic analysis should include notes taken by the examiner. These notes may not be included in a final written report, but they can and do get included in discovery requests. The report should detail the hardware examined, the procedures and software used in the examination, and any evidence found.

The T3i DTL will store the extracted electronic evidence in virtually any format requested including new hard drives, CD-ROM, floppy disks, or tape media. In addition, we provide a hard copy summary of our investigation.

Is it possible to determine when files were deleted?

Sometimes, depending on the operating system, even if the files were also removed from the Recycle Bin.

Why can't I simply turn on the computer and check for the evidence myself?

Simply turning on a computer damages valuable information that could be retrieved in a forensic examination. The proper forensic process changes none of the information on the computer and is the best way to document what has occurred on the computer and retrieve lost, hidden, or deleted information. Many of the valuable artifacts obtained in an examination would not be visible through the normal computer interface. The forensic process examines the electronic media for information ignored by the operating system.