Computer forensics is becoming an indispensable tool for information gathering as our lives become more dependent on computers and other digital technologies. As a result of this pervasiveness, electronic forensics plays an ever larger role in investigative disciplines such as civil litigation and crime detection.
Conventional computer usage invariably leaves traces and evidence of use. Although a user may believe that specific data has been deleted or protected, investigators skilled in the art of digital forensics can often retrieve some or all of the deleted data. For example, “deleting” a file in a conventional manner normally only removes the file's entry from the drive index, which serves as the table of contents for the drive. The underlying data is not erased until it is overwritten by an independent process. Thus, although a file may appear to be deleted, it may still be discoverable by one skilled in the art. Furthermore, computer usage generally leaves data scattered throughout the device that is undetectable to an average user. As with deleted or partially deleted files, one skilled in the art can locate these often critical pieces of data. Because of these inherent properties of computer-produced digital data, one skilled in the art can often recover and use such information through forensic methods.
Digital data has inherent key differences as compared to traditional paper data. Because electronic data is easily created, duplicated and manipulated, there is generally a greater amount of computer data than paper data. Digital data can be far easier to organize, search and cull. As a result of the ease of creation, manipulation, duplication, and storage of digital media, many of the documents and files created today are stored only in computers. Computer data also contains unique electronic information not present in paper documents. Such information about the information, or “metadata”, can include user information, transmission and edit data, and various time stamps. Computer data is also electronically searchable and sortable by both the actual file contents and its metadata. A user can specifically target and manage relevant information through keyword searching, filtering, data culling, indexing and de-duping.
For example, in criminal and civil investigations, electronic forensic discovery is gaining widespread use and acceptance. Police agencies and prosecutors often seek computer evidence of criminal conduct. Individual computer owners are increasingly monitoring usage, and companies are investigating employee misconduct, wrongdoing and fraud through computer forensics. When suspicious activity is identified, many companies conduct an internal investigation before bringing in legal assistance or law enforcement agencies. Even for non-investigative purposes, companies routinely monitor computer usage.
Because of the complexity of the tools involved and knowledge required for conducting computer forensics, non-experts such as attorneys, prosecutors and internal investigators often turn to a computer forensic expert to conduct electronic discovery. Although there is no substitute for a well-qualified expert, there is a need in the art for a tool that will enable a non-expert to conduct electronic discovery.
Normally, simply searching a computer for files by accessing its contents through native operating system controls may alter the evidence and bring the validity of the results into question. Simply booting a computer or engaging the operating system of a live computer often alters the data on the digital media. Spoliation concerns therefore require that proper precautions be taken during electronic discovery, and forensically sound procedures must be used to show that the recovered evidence is valid and reliable. As in traditional forensic disciplines, detailed, documented and art-accepted protocols must be employed. Safeguards range from simply comparing the sizes and creation dates of files to more advanced techniques such as performing cyclic redundancy checks and calculating a message digest. Additional forensic steps may include detailing and logging each step of the recovery process and verifying the accuracy of the copied data.
Authentication and chain of custody are also important considerations. In order for the gathered evidence to be useful in court, it is important that the data not be damaged or compromised. Without verifiable safeguards, the admissibility and reliability of the gathered evidence may be challenged and the evidence excluded. Also, to avoid raising suspicion, for example in an on-going investigation, it may be desirable to avoid leaving traces of forensic activity on the target device. Because of these concerns, forensic experts are often used.
The present invention addresses these concerns by allowing a user (a non-forensic expert) to conduct electronic discovery in a forensically sound manner and by allowing the user to employ an integrated mechanism to export data for analysis by a forensic expert should one be necessary. In addition to the safeguards discussed above, the present invention preferably logs detailed information about the target computer and the examination automatically. The log file is preferably encrypted, digitally signed, and stored for future validation.
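The safeguards named in the two passages above (size comparison, cyclic redundancy check, message digest, and a tamper-evident examination log) can be illustrated with the following added example, which is not code from this application or from any product it describes. It assumes a copy on disk is compared against its original, stands in an HMAC-SHA256 tag for the digital signature (a keyed tag rather than a public-key signature, and no encryption), and constructs its own sample files.

```python
import hashlib
import hmac
import json
import os
import tempfile
import time
import zlib

def fingerprint(path):
    """Size, CRC-32 and SHA-256 of one file, read in chunks so large images fit in memory."""
    size, crc, digest = 0, 0, hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            digest.update(chunk)
    return {"size": size, "crc32": f"{crc:08x}", "sha256": digest.hexdigest()}

def verify_copy(original, copy):
    """True only when size, CRC-32 and SHA-256 of the copy all match the original."""
    a, b = fingerprint(original), fingerprint(copy)
    return all(a[k] == b[k] for k in a)

def signed_log_entry(step, detail, key):
    """One examination log record plus an HMAC-SHA256 tag over its canonical JSON form."""
    record = {"time": time.time(), "step": step, "detail": detail}
    body = json.dumps(record, sort_keys=True).encode()
    return {"record": record, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def check_log_entry(entry, key):
    """Recompute the tag; False means the record was altered after it was written."""
    body = json.dumps(entry["record"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry["tag"])

def demo(key=b"constructed-demo-key"):
    """Constructed scenario: one faithful copy, one copy with a flipped byte, one edited log."""
    data = os.urandom(200_000)  # stands in for the contents of a file on the target drive
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("original", "good_copy", "bad_copy")]
        for p, content in zip(paths, (data, data, data[:-1] + bytes([data[-1] ^ 1]))):
            with open(p, "wb") as fh:
                fh.write(content)
        good, bad = verify_copy(paths[0], paths[1]), verify_copy(paths[0], paths[2])
    entry = signed_log_entry("verify_copy", {"good": good, "bad": bad}, key)
    intact = check_log_entry(entry, key)
    entry["record"]["detail"]["bad"] = True  # simulate editing the log after the fact
    return {"good_copy_ok": good, "bad_copy_ok": bad,
            "log_intact": intact, "tampered_log_detected": not check_log_entry(entry, key)}
```

Note that the flipped-byte copy keeps the original's size, so the size check alone passes while the CRC-32 and SHA-256 checks fail; this is why the text lists the digest as the more advanced safeguard.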
Thus, the present invention allows a user to conduct a preliminary examination of a target machine in a forensically sound manner before making a decision about incurring the cost of retaining a forensics expert. In many situations, the present invention allows a non-expert to conduct a forensically sound electronic discovery without expert assistance.