Chicago Computer Forensics & Data Recovery
ETS Investigations, LLC specializes in forensic data recovery for matters with legal concerns, such as litigation and criminal trials, as well as forensic examination and analysis of hard drives and cell phones, which requires a set of skills that internal IT support staff typically do not possess.
An unbiased third-party investigation team is often needed to conduct forensic data recovery in case the findings and research methodology become a matter of litigation during trial.
When is forensic data recovery needed?
If you need data recovered from a drive for litigation, or if you need to find out if a drive has been illegitimately tampered with, forensic data recovery is the only way to ensure that the integrity of the information is preserved in a fashion that will hold up in court. A knowledgeable lawyer will consider any evidence presented without an unbroken chain of custody/report to be tainted. An expert witness may be needed to testify.
Here’s a scenario:
One of your employees may have been selling sensitive secrets to a rival company.
This violates his contract, and you are entitled to litigate. However, his email correspondence is the only way to prove that he’s been in negotiations with the rival company. If you use a standard data recovery service to retrieve his files, your only piece of evidence is dubious at best. However, if you have your evidence complete with chain of custody reports and an explanation of what had to be done to retrieve the data, then you have a much stronger case. Even if data isn’t recoverable, a forensic data recovery lab can prove that your employee purposely destroyed his email, which is enough to end a case in many situations.
With a standard data recovery, this information may not be given to you, at least not in a legally usable form.
What is chain of custody documentation?
Chain of custody reports let you know everyone who touches your drive from the moment it arrives at a forensic data recovery lab to when it is returned. This documentation is legally necessary. These reports also ensure that the engineers working on your recovery are not able to spread information regarding your data, which may potentially damage your case.
How should I choose a forensic data recovery company?
Your attorneys are your best guide regarding your decision to pursue forensic recovery. They may prefer to be the company’s main contact; they can speak legalese while you deal with other matters. Your attorneys may know more about what you need from a forensic data recovery company, and may even have one in mind. Any company that you consider should have a recent history of forensics cases, preferably a specific data recovery engineer that you can speak with directly. It’s preferable to have your case handled by as few engineers as possible.
If you are heading to trial, you will need an expert witness. Don’t consider cost. If you really need forensic data recovery or an expert witness, you need the right people to help win your case. Expect to pay $400 an hour or more, and the lab will always ask for a sizable retainer. An expert witness will likely ask for travel expenses as a separate cost, unless that witness happens to live near the city where the trial is taking place.
How does a computer forensics examiner recover data?
Most of the time, forensics cases don’t involve physically damaged drives, but rather drives with deleted files or the like. Your forensics company will:
- Make a clone of the drive (imaging)
- Work on that clone to ensure that there is no chance of losing any information from your original drive
- Analyze key files created by the operating system to reconstruct what a person used the computer to do
- Undelete files in many situations
- Retrieve key pieces of evidence such as emails or Microsoft Office documents
Since most users don’t realize what needs to be done to permanently destroy a file, it is fairly common for files deleted in Windows to be retrieved unscathed.
If a file is deleted and overwritten:
- The operating system will make a note to that effect
- The computer forensics team can find this information for your case. Even successful deletes can yield positive legal results
It is extremely hard to beat a computer forensics company at their own game.
What other information can be recovered from a hard drive?
Your chosen forensics examiner can provide you with extremely specific information, such as the exact time someone logged in or out of a computer, what websites were visited, when the user opened programs, and what programs were accessed frequently. They may even be able to reconstruct documents printed by the computer or find file names and extensions that had been changed by the user.
You need to consider and plan what you need to prove, and let the examiners know. They’re under nondisclosure agreements, and you should fully share any relevant information with them. Avoid giving these details to any other representative of the company, however.
With a good computer forensics company, your case stands a much better chance of being successful. Be sure to communicate with your lawyer and the engineers working on your case, and with a little help you can quickly receive the information you need.
Call us today at (847) 466-7522 or contact us for further Computer Forensics information or to get your questions answered about any of our services.
