Computer forensics – providing court-safe evidence

Computer forensic techniques have been helping lawyers and companies deal successfully with all kinds of crime for 16 years.

Brian Eardley-Wilmot

As a cyber-crime specialist, Auckland-based Computer Forensics (a recent addition to ADLS’s Member Benefits Programme) has seen how crimes involving the use of computers have grown and changed, and has evolved leading-edge techniques to combat them since 1999.

Computer forensic techniques can make collecting and presenting evidence much easier – and also reveal a clear evidence trail.

Although best known for dealing with cyber-crime, which is growing apace, these techniques can be invaluable in following up on a huge range of crimes. By way of example, Brian Eardley-Wilmot, Managing Director of Computer Forensics, says one case his team helped bring to court involved a dairy robbed at gunpoint. CCTV footage showing the robbers had been corrupted. His team restored the corrupted media file, which identified the robbers, providing incontestable evidence.

Establishing and properly documenting a chain of evidence is an important part of computer forensics work. Finding evidence is important, but just as vital is presenting it in a legally acceptable way. Rules and guidelines must be followed to preserve the integrity of the forensic investigator’s work and an audit trail created so others can understand it.

Data recovery techniques are also frequently used to combat cyber-crime, which is growing fast. A recent PwC global survey of economic crime released in February this year found that 40 per cent of New Zealand organisations had suffered such a crime in the past two years. This is up 33 per cent since 2014. It is also higher than the global average of 36 per cent.

Using computer forensic techniques

So what do computer forensic techniques involve and how can they help the legal profession?

Basically, they involve the analysis of computers, with the aim of retrieving and preserving data in such a way as to ensure it is acceptable in court. In practice, this involves performing a structured investigation to find out what happened and who was responsible, while properly documenting the evidence trail, to produce a “finding report”.

An investigation can involve analysing a computer’s hard drive, chasing down who really sent certain emails or accessed those porn sites, trawling through files’ meta-data, or retrieving website viewing histories. An investigator might also check to see if data was sent offsite via a USB drive.

As people and businesses have gone mobile, so have forensic investigators. In an employment dispute, they might analyse geo-location data to find out if someone really was where they said they were. Or deleted texts or Facebook messages might be retrieved from a smartphone, iPad or USB.

One defamation case Computer Forensics dealt with involved a company whose sales manager had recently left. Soon afterwards, the company’s clients revealed they had been defamed in emails sent from an unknown Hotmail account. A thorough analysis of the former sales manager’s PC and recovery of deleted data, using the kind of procedures used by the New Zealand Police and Serious Fraud Office, revealed the defamatory emails were created when he was known to be using the PC. Detailed analysis also showed MYOB and other data had been copied to a USB drive from the computer during the sales manager’s last three days at the company.

Porn and deception entwined

Forensic analysis can uncover a whole host of crimes because computers are now used in so many different industries and ways. For example, a particularly unpleasant crime Computer Forensics helped uncover was definitely not what it appeared at first.

A major organisation was in crisis because a very senior manager was suspected of having downloaded thousands of pornographic images from the internet. He vehemently denied it. Computer Forensics did a thorough analysis and discovered a clash of IP addresses on the computer system – it appeared the system administrator may have been the culprit.

The system administrator denied involvement, but further investigation revealed he had used his local desktop system to download 15,000 pornographic images. To cover his tracks – and to frame the manager – he had altered his local system’s IP address so the trail led to his colleague. Confronted with the evidence, he confessed.

The above are just a few examples of the kinds of cases computer forensic investigations can help unravel. Intellectual property theft, for example, is growing hugely. Computer Forensics deals with many such cases – one involved an employee suddenly resigning to set up in direct competition and stealing company data to help him do so. (Deleted files on his PC’s hard disk showed marketing data emailed to a private account.)

As well as intellectual property theft, crimes involving a computer can now include ID theft, Ponzi schemes, industrial espionage, sexual harassment, deception and negligence. Forensic investigation techniques can be used in all these areas, as well as in employment disputes, fraud and bankruptcy investigations. Relevant files relating to crimes like kidnapping, drug trafficking and money laundering are also often on computers – and can be recovered, even when deleted.

To ensure all evidence is admissible in court, Computer Forensics utilises court-approved “EnCase” procedures as used by the New Zealand Police and other law enforcement organisations. This ensures the evidence files can be immediately used by Police, rather than risking delays as their own files are created.

Brian Eardley-Wilmot is a cyber-crime specialist and Managing Director of Auckland-based Computer Forensics. He can be contacted by phone on (09) 359 9424 or 021 4545 00 or by email. Computer Forensics provides special, preferential offers to ADLS Members as part of the Member Benefits Programme. To find out more, please visit the dedicated Member Benefits page on the ADLS website.
