FORENSICS: ELECTRONIC EVIDENCE MAKES ITS MARK IN INVESTIGATIONS
Computer forensics offers a surprising amount of help to investigators.
By Jon Boroshok, Contributing Writer
A few weeks ago the shocking Missouri murder of Bobbie Jo Stinnett
put computer forensics in a very public light. Stinnett was strangled
and her unborn baby cut from her body and stolen. The examination of
her computer provided a trail of electronic clues that led
investigators to Lisa Montgomery and the rescue of the baby in a
matter of hours.
"When you're in a digital society, where are you going to look?"
asked Alan E. Brill, senior managing director of Kroll OnTrack in
Secaucus, N.J. "If someone is on the Internet a lot, you'll look at
their computer. The best piece of evidence may be sitting on a hard
Computer forensics -- recovering electronic evidence -- makes sense
in today's information age. According to Brill, 90% of information
goes through a computer, and more than 70% of that never gets
printed. That unprinted information is potential evidence in criminal
and civil matters that can't be ignored.
Unless files and data have been completely wiped clean, odds are they
still exist on the computer. It's often easy to tell if the data has
been wiped out too. "In the majority of cases, you find slam-dunk
evidence," said Dean Gonsowski, director of litigation strategy for
Fios in Denver, Colo., experts in electronic discovery. "It becomes
surprisingly easy to piece together evidence."
Information thought to be deleted is often found in cached Windows
pages, temp files, file allocation tables, etc. Information and files
are stored by the operating system, and aren't always easy to get rid
of. This metadata, the information about the content of files
created and maintained by the computer, is useful in an
investigation. It can show changes -- deliberate or incidental -- and
is valuable evidence. Brill also pointed to "vampire data,"
information thought to no longer exist that comes back from the dead
and bites you on the neck.
Many law enforcement agencies and private firms use computer
forensics. John Colbert, CEO of Guidance Software in Pasadena,
Calif., said investigators now have the tools to complete an evidence
search, and no longer need to be the ultimate computer guru.
"In nearly every major case you hear of today, computer forensics is
involved," he said. From incident response to legal discovery,
computer forensics is happening behind the scenes.
The Missouri murder case is just the latest example. "The fact that
the cops thought that way is proof of the evolution," Brill said. In
the Stinnett case, reports indicated that she had met her killer via
the Internet when Montgomery inquired about the show dogs Stinnett
Computer forensics isn't limited to criminal cases. Use of electronic
evidence is not uncommon in civil cases, such as a spouse suspecting
the other of wrongdoing, or a company finding cause for terminating
an employee. Accounting irregularities are fertile ground for
Gathering digital evidence follows the same procedures that any crime
scene unit must use. Problems can occur when companies try to do their
own forensics rather than bringing in the experts of law enforcement
authorities. Every time a computer is powered up or a file is
accessed, evidence may be accidentally erased.
"You don't go into a laptop, grab the hard drive, and stick it in a
bag," cautioned Gonsowski.
Electronic evidence must be obtained without damaging it.
Investigative software can make a read-only exact clone of the hard
drive that is admissible as evidence in court. "It's like dropping a
bullet in an evidence bag," Colbert said.
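
The article does not say how a clone is shown to be exact. One common way is to hash the source while it is read and then re-hash the finished image, as in this added example, which is not from the article or from any vendor's tool. The function names, the SHA-256 choice and the sample data are assumptions made for illustration.

```python
import hashlib
import os
import stat

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large drives never load into memory


def sha256_of(path):
    """Hash a file or device node by streaming it in CHUNK-sized reads."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image):
    """Copy source to image byte for byte; return (source_hash, image_hash)."""
    digest = hashlib.sha256()
    # Mode "rb" never writes to the source. On real media a hardware write
    # blocker is still needed, because the OS itself may touch an attached disk.
    # Mode "xb" refuses to overwrite an image that already exists.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)  # hash exactly the bytes that were read
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    os.chmod(image, stat.S_IRUSR)  # the working copy becomes read-only
    return digest.hexdigest(), sha256_of(image)


def verify_image(image, recorded_hash):
    """Re-check an image later against the hash recorded at acquisition."""
    return sha256_of(image) == recorded_hash


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "disk.bin")  # constructed stand-in for a drive
        with open(src, "wb") as fh:
            fh.write(b"constructed sample sector\n" * 4096)
        src_hash, img_hash = acquire_image(src, os.path.join(tmp, "disk.img"))
        print("match" if src_hash == img_hash else "MISMATCH", src_hash)
```

Recording the acquisition hash alongside the image lets any later examiner call `verify_image` and detect even a single changed byte.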
The evidence is preserved, while the computer it came from can still
be used by its owner. It does not need to be impounded, and the
examination can even be done at odd hours so the process is not
disruptive. It can also be done clandestinely. Gonsowski noted that
courts are often quick to grant access for noninvasive computer
The key to computer forensics' usability in court is often the actual
investigator. Colbert said there is a growing demand for Guidance
Software's EnCE certification (EnCase Certified Examiner). The
certification qualifies the individual as an expert in the field of
computer forensics. It empowers the EnCE to render an expert opinion
in court, and adds weight to his credibility.
"Everybody that handles a file has to be ready to testify about it,"
Brill said. "You never know if what you're doing may be part of the
criminal case." He advised investigators to stay current with
technology. Every time hardware or software is upgraded, a potential
investigator must be updated.