Q. I have a computer that potentially contains evidence. Who do I call?
A. Call a computer forensic specialist to image the
hard drive on that computer to preserve all data on the drive,
both active and inactive (deleted) data, as of the current
point in time. Do not boot the computer or use it in any way before
the computer forensic specialist acquires the hard drive image.
Q. Can you recover documents or files that
have been deleted?
A. In many cases, a computer forensic examination can
recover deleted files from the subject hard drive. When a user "deletes"
a file via standard methods, the contents of the file are not erased
from the hard drive. The "deleted" file is just made invisible
to the user.
Q. Can you guarantee that all deleted files
on a computer will be recovered?
A. No. Several factors can affect the ability to recover
deleted data from a computer hard drive. After a file has been deleted
it may be overwritten and become unrecoverable through regular operation
of the computer. Also, there are commercially available drive-wiping
utilities that can render deleted files unrecoverable.
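As an added illustration of the two answers above (this is example code written for this page, not part of the original FAQ, and the toy disk it builds is constructed for the example rather than modelled on any real filesystem), the block below shows that a standard delete only drops the directory entry and frees the block, that a keyword search over unallocated space still finds the content afterwards, and that a later write which reuses the block makes it unrecoverable.

```python
# Toy disk image: 8 blocks of 16 bytes, a directory table and an allocation
# bitmap. Constructed purely to show why a "deleted" file stays on disk
# until a later write reuses its block. Not real filesystem code.
BLOCK_SIZE = 16
NUM_BLOCKS = 8


class ToyDisk:
    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # raw disk contents
        self.allocated = [False] * NUM_BLOCKS              # allocation bitmap
        self.directory = {}                                # name -> block index

    def write_file(self, name, data):
        # Take the first free block. Like a real filesystem, this does not
        # care what stale bytes the block still holds; it simply overwrites.
        assert len(data) <= BLOCK_SIZE
        idx = self.allocated.index(False)
        start = idx * BLOCK_SIZE
        self.blocks[start:start + BLOCK_SIZE] = data.ljust(BLOCK_SIZE, b"\x00")
        self.allocated[idx] = True
        self.directory[name] = idx

    def delete_file(self, name):
        # A standard delete removes the directory entry and marks the block
        # free. The bytes in self.blocks are left untouched.
        idx = self.directory.pop(name)
        self.allocated[idx] = False

    def carve_unallocated(self, keyword):
        # Forensic keyword search over unallocated space: return the text
        # fragments found in free blocks that contain the keyword.
        hits = []
        for idx, used in enumerate(self.allocated):
            if used:
                continue
            chunk = bytes(self.blocks[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE])
            if keyword in chunk:
                hits.append(chunk.rstrip(b"\x00"))
        return hits


def demo():
    disk = ToyDisk()
    disk.write_file("memo.txt", b"SECRET merger")   # constructed sample file
    disk.delete_file("memo.txt")
    recovered = disk.carve_unallocated(b"SECRET")   # content still on disk
    disk.write_file("notes.txt", b"grocery list")   # reuses the freed block
    overwritten = disk.carve_unallocated(b"SECRET")  # now unrecoverable
    return recovered, overwritten
```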
Q. Can you determine if a drive-wiping utility
has been used on a hard drive?
A. There are often tell-tale signs of someone using
a drive-wiping utility on a computer. Many computer users intent
on hiding data by wiping their hard drive are not sufficiently clever
to hide evidence of the drive-wiping software itself.
Q. What is meta-data and how can it be used
in my case?
A. Many computer forensic investigations revolve as
much around the timing of document creation, modification or deletion
as around the contents of the documents themselves. Meta-data is
information about a file (such as last modification date and time)
that is saved automatically by the computer operating system. Whereas
a user can easily forge a date on a document, the document's meta-data
can reveal the true date and time that the document was created
or modified.
Q. Can e-mail be recovered through a computer
forensic examination?
A. In many cases the answer is 'yes'. However, there
are many factors that affect the recoverability of e-mail messages
that may have been sent/received via the examined computer. Some
e-mail configurations store all e-mail on a central server in which
case no e-mail would be stored on the local hard drive. Other configurations
store all e-mail messages to a local e-mail archive file, in which
case all of the e-mails in the archive could be recovered. Still
other configurations use a hybrid approach where the bulk of the
e-mail is stored on a central server yet there may be local archive
files and/or offline copies of a user's mailbox that can be recovered
from the local hard drive. Finally, there is the possibility of
someone using a web-based e-mail service (e.g. Yahoo, Gmail, Hotmail,
etc.) in which case many e-mails that were sent or received from
the computer may be recovered by combing through the hard drive's
temporary internet files.
Q. What can I expect to receive as a result
of a computer forensic examination?
A. The computer forensic examiner will issue a detailed
report that explains the processes taken in acquiring and securing
the electronic evidence, the qualifications of the examiner, the
scope of the examination, the findings of the examination, and the
examiner's conclusions. The format of the findings section can vary
depending on the goals of the investigation. The findings section
may include file listings including file date/timestamps, document
printouts, e-mail printouts, digital photographs, audio files, internet
logs, timelines, text fragments extracted from unallocated space
on the hard drive, and keyword search results. The examiner's conclusions
may be the most critical component of the final report. These conclusions,
based upon the examiner's expertise and experience in the field
of computer forensic technology, often form the basis for expert
testimony in a court proceeding or for the filing of an affidavit.