Denver Computer Forensics

Doc1 Computer Forensics

Doc1 Computer Forensics

Doc1 Computer Forensics

Doc1 FAQ

What is Computer Forensics?

Computer Forensics is the science of identification, preservation, and analysis of electronic data in a fashion that is acceptable in a court of law. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. Mostly, Computer Forensics experts investigate data storage devices hard drives contained in traditional desktop and laptop computers or removable data storage devices such as: CD-ROMs, floppy disks, and tape backups. Computer Forensics experts:

Computer forensics is done in a fashion that adheres to the standards of evidence that are admissible in a court of law.

Source: Wikipedia

My cases don’t involve computers. Why do I need forensics?

More than likely, every case involves a computer in some aspect. Computers are used for everything from communication to storage of documents. In today’s electronic age, approximately 90% of communication in a business is conducted through a computer in one form or another. Due to the increased reliance on computers, it could be well worth the effort to consult a Computer Forensic expert on your case. Computer Forensics has been used on all types of cases including fraud, employee misconduct, divorces, child pornography, harassment, and theft of intellectual property.

What is Electronic Evidence?

Electronic evidence consists of any data that is stored on an electronic medium. Electronic mediums can consist of a wide array of devices consisting of computers, laptops, cell phones, PDAs, floppy discs, CD-ROMs, DVDs, digital cameras, iPods, large servers, tape backups, etc. Essentially, if the device can store electronic data in any form, it is considered to be electronic evidence.

What is Electronic Discovery?

Electronic discovery is the legal process of collection, processing, and review of electronic data (Office Documents, E-mail, etc.). Electronic discovery is also referred to as E-Discovery. Depending on the case situation, electronic discovery can be a simple or a daunting task. If the incident in question can be isolated to just a few computers, your electronic discovery phase could be very simple. However, if the incident is spread across server computers, servers, and networks, electronic discovery could be an extensive task. Due to the fact that technology is evolving and new devices are being introduced at such a quick pace, it is recommended to consult an expert as to what electronic evidence may be pertinent to your situation.

Why all the buzz about Electronic Discovery?

Due to the fact that roughly 90% of communication in the business environment takes place through computers (E-mail, instant messaging, voice mail, etc.), the odds are very high that something about your situation will be located on a computer. With computers playing such an integral role in today’s business environment, how can you afford not to examine this evidence?

When would we need use computer forensics?

Computer Forensic examiners will examine electronic evidence using scientific procedures in order to determine what exactly occurred. A computer forensic professional is trained in these scientific procedures so that he or she may apply the same tried and true principles to each and every piece of evidence.

Computer Forensics should not only be used once a threat or risk is determined, but also in a proactive approach. Creating a forensic copy of individual’s computer just prior to termination will ensure that the individual did not send out your critical client lists to their personal E-mail account just prior to departure. If the incident already occurred, there is a great need to preserve the evidence as soon as possible. Computer systems are very dynamic. Simply booting the computer can alter or destroy your critical evidence. This is why preserving the evidence using set scientific processes designed to preserve your evidence is very critical. A Computer Forensic preservation process should be used the moment warning signs appear.

What is the difference between electronic discovery and Computer Forensics?

Computer Forensics is an important subset of electronic discovery. The goal of electronic discovery is to find, collect, and sort all readily available files on a computer system. It is a very generic gathering process. Computer Forensics can be employed as a part of the electronic discovery process when more detailed information can be found. There could be hidden or deleted critical files. Computer Forensics can also attempt to determine when and how crucial files were transferred from a computer system. Computer Forensics is a more specialized aspect of electronic discovery that can yield more precise results.

What is digital information risk?

In the digital world, it is extremely easy and inexpensive to create, copy, and store electronic information. With a few clicks of a mouse, critical client lists can be copied onto a thumb drive, a memory device about the size of a thumb, and removed from the premises. Digital information risk is the risk that unless safeguards are in place, intellectual property can be easily copied and removed from a system with little difficulty. The most common way to communicated today is through E-mail. An E-mail message can be easily forwarded or stored in many places leaving corporations vulnerable to litigation problems.

What is a forensic acquisition?

A forensic acquisition is one of the very first steps in the Computer Forensic process. A specially trained forensic examiner creates a bit-stream forensic image of the targeted computer. A bit-stream image is essentially a very specific mirror copy that copies anything and everything within the computer, including deleted information. The forensic acquisition process utilizes special forensic hardware and software to ensure that the mirror copy is 100% complete with no errors and can be admissible in court. The evidence is extensively photo-documented, serial numbers and unique identifying marks are recorded, and if necessary, a chain of custody form is established.

My cousin is knowledgeable in computers, can’t he make a copy?

No! Almost anyone can make a copy of the computer, but can he/she do it in a fashion that doesn’t change the evidence in the least, will include all deleted data in the copy, and uses forensically sound methodology? Computer forensics is governed by very specific rules that require specialized software, hardware, and training. If these court accepted methods, software, and hardware are not utilized, this could result in a corruption of evidence that could cause severe problems in your case! If such a corruption does occur, your electronic evidence may not be admissible in court!

Just how much information is contained within a computer?

The amount of data that a computer can store is growing at an extremely fast pace. For example, in 2000, a typical hard drive (primary storage device within a computer) contained 30 Gigabytes of data. In 2006, reasonably priced drives are available that contain 500 Gigabytes of data. How many pages can be printed from a hard drive of that size?

Size of Data Approximate Printed Pages
1 Gigabyte 100,000 - 140,000
30 Gigabytes 3,000,000 - 4,200,000
500 Gigabytes 50,000,000 70,000,000

What happens when a file is deleted?

A common analogy that is often used to describe a file deletion is a library card catalog system. When a file is deleted, it is the same as removing a card catalog reference from the library. The book (file) is still on the shelf, but the reference to the book in the card catalog is missing. It is now very cumbersome to find the book (file) that used to be reference by the card catalog. Computer forensics can often find files while they are in this state. The book (file) will remain on the shelf in the library until the space is needed for another book (file). At this point, the file is permanently deleted and can rarely be recovered.

What is metadata? Why is it so important to me?

A common and simplistic definition for metadata is ‘data stored within the data.’ Every file that is created within a computer contains metadata. This metadata could contain information as to what computer the document was created on, who modified it, when it was modified, and other information.

This information is especially important in employee misconduct cases. A small portion of computer forensic cases involve employees leaving a firm with trade secrets. If these employees start a firm of their own and use these trade secrets, a computer forensic analysis could reveal that some of their electronic files were actually created on the original company’s computers. This analysis would prove that they were improperly taken.

What is spoliation?

Spoliation occurs when an electronic device, such as a desktop or laptop computer, has the data residing on the storage device altered. This change could be as simple as improperly powering the computer, causing new data to be written to the hard drive and changing times and dates of files. This process can either be intentional or accidental.

There have been many cases where litigants intentionally alter the contents of the drive with a ‘scrubbing’ utility in order to hide or delete data on their computers that they do not want to be found. Often, it is possible to determine if this occurred and what files could have been effected.

Due to the dynamic nature of electronic evidence, accidental spoliation can easily occur simply by turning on a computer. Depending on the operating system installed on the computer, hundreds of files can potentially be changed simply by allowing a computer to boot. Just booting the computer can change hundreds of critical file times and could possible delete information critical to your case.

This changes critical file times can could also deleted information essential to your case.

Doc1 Computer Forensics can examine your electronic evidence devices in order to determine if spoliation of your evidence occurred, and if so, what were the potential consequences to your case.

Can Doc1 Computer Forensics examine E-mails?

Yes! E-mails from several types of E-mail services can be reviewed with ease. Commonly, we find that activity of interest usually occurs on individual’s personal E-mail accounts, rather than on their work account. If this personal E-mail activity occurred on an individual’s work computer, Doc1 can examine what the extent of any personal E-mail activity was just by examining the work computer. There is the thought that personal E-mail communication is not recoverable. This is not true. Doc1 Computer Forensics can examine a wide array of E-mail accounts including Hotmail, Yahoo!, GMail, and MSN.

Can Doc1 Computer Forensics provide copies of the examined content?

Yes! Doc1 can provide lists of certain files, or the files themselves, in hard copy or on CD-ROMs for the client to review at their leisure. Lists of E-mails can also be generated and all or specific E-mails can be produced in hard copy or CD-ROM for the client to review.

The computer in question has been formatted. Is it still worth examining?

Yes! A common myth that exists is that once a computer has been formatted, all of the data is completely erased and is no longer recoverable. Nothing can be further from the truth. Formatting takes place when a new operating system (Windows) is installed on a computer. Doc1 Computer Forensics can examine computers that have been formatted with relative ease. A large majority of the data on the computer is usually recoverable.

There is a password on several files and the computer itself. What now?

Doc1 Computer Forensics can access files that a user has placed a password on. Sometimes passwords do not have to be broken and Doc1 Computer Forensics can bypass the password and encryption process altogether.

An incident occurred several years ago. Could there still be valuable data on the computer?

Yes! E-mails can sometime be recovered that are well over five years old. There is still value in a computer that an incident occurred several years prior, however, the more time that passes from the incident, the less likely the data is to be recovered. Deleted data will remain on a computer until the data is overwritten with newly saved data. This is why one of the predominant factors in recovering delete data is dependent on the amount of activity on the computer since the data was deleted.

Is it possible to determine when a file was copied from a computer or deleted?

Usually. There are a number of factors that allow for Doc1 Computer Forensics to recover the specific history of a certain file. Depending on these factors, Doc1 Computer Forensics may be able to determine the file history.

How long does a Computer Forensic examination take?

A general rule of thumb is that a forensic examination will take between 5 and 10 hours. Depending on the task, this estimate can vary greatly. However, the more guidance that you, the client, can offer to us as far as your goals and any information associated with the case, it can be possible to have a narrowed examination scope.

Can you track the internet history of a computer?


Can you determine when certain E-mails were sent and produce only specified groups?


Can you provide me a list of files on the computer?


Can you eliminate duplicate files?


I’m about as computer illiterate as my dear old Grandmother, will you work with me?

Yes! Doc1 Computer Forensics recognizes that the legal community has a wide variety of technical skill. For most of our clients, working with us is their first jump into the world of electronic discovery and Computer Forensics. We recognize the fact that Computer Forensics may be a completely foreign language to you. We will help guide you through the process by speaking in lay terms and analogies to convey very technical terms to our clients, judges, and juries.

I need someone to testify as an expert in my case. Can Doc1 Computer Forensics provide these services?

Yes! The Doc1 Computer Forensics team has prior testifying experience in various state courts. Our experts excel at taking extremely complicated concepts and communicating them to clients, attorneys, judges, and juries by using lay terms and analogies.

This sounds expensive. What can I expect as far as cost?

Computer Forensics does not have to be a costly process. Doc1 Computer Forensics works on cases involving a single computer all the way through to large cases with dozens of computers, servers, and tape backup systems.

We pride ourselves on providing superior customer services to clients where you consult with the individual examiner from the initial consultation all the way through to trial.

Because every case is completely different, it is impossible to say what your case will cost. However, Doc1 Computer Forensics works very closely with our clients on budget issues and will try to choose the most cost effective and beneficial route for you.

Who can allow an examination of a computer to be searched for possible evidence?

The owner of the computer or a business may give permission for a search on any of their computers. If it is a civil dispute, there could be an agreement between the parties involved or even a court order.

In a criminal case, the computer would first be seized by law enforcement. The opposing counsel can request a forensic copy of the seized computer and the report, and also request a private examination be completed by an independent lab.

A family computer can be examined for Internet activity. This should help determine if there is activity on the Internet or through Email that would be relevant to a divorce or custody issue. Depending on the circumstances, it may be required that the examination by requested by an attorney.

I want to learn more about Computer Forensics! How can I learn more?

Doc1 Computer Forensics offers CLEs and paralegal ‘lunch-and-learns’ to educate the legal community about Computer Forensics and electronic discovery. Also, we are happy to come to your office for a one on one consultation. Please feel free to contact Rob Lelewski at 720-233-4064 or Beth Taylor at 303-883-1254

CONTACT US | Copyright ©2007, Doc1 Computer Forensics. All right reserved.
website design by

Doc1 Computer Forensics Sign In