Call:   (888) 458-3222


Computer Forensics


Computers have changed the way we live our lives and the way we do business. The rules have changed on how to handle electronically stored information in litigation. Furthermore, several surveys on business data indicate that between 50% and 75% of all business data is never printed. The reality for business managers and attorneys facing litigation in today’s IT world is the disparateness of electronic data. Today we have e-mail, Word documents, Excel spreadsheets, PDF to name but a few of the file types that may need to be examined. Couple that with the fact that no two computers or IT systems are the same, it is a challenge to properly locate, preserve, review and produce electronically stored information.


A Computer Forensics Examiner will bridge the gap between the difficulties related to producing electronically stored information and the requirements for litigation. The Examiner will tailor a computer forensics solution that meets the requirements of the case regardless of the size. They will take a phased approach to your case so you are sure that the results are repeatable and defensible.


Initial Case Interview and Data Preservation

At the beginning of every engagement, the Examiner will review all elements of the case and provide an initial approach to moving forward. At this point, preservation of data is critical and they will offer a number of preservation services with the most common being a hard drive clone (in lab and/or on-site) and on-site acquisitions, typically for computers and targeted data from servers, to create bit stream image of the data.


The preservation services should follow accepted computer forensic techniques and the original data is maintained in its original form. When the Examiner takes possession of evidence, a thorough chain of possession form is created and maintained. Electronic extraction and preservation methods will protect the original data and metadata that may be critical to your case. They can collect media from personal computers, laptop computers, servers, external hard drives, micro drives, thumb drives, tapes, Apple / Macintosh, PDA’s, Blackberry devices, cell phones and many others.


Examination Strategy

The next step is to discuss the case in detail to develop a strategy for the evidence search. Computer forensics is more than just finding documents as there is typically evidentiary value for in a summary of computer usage and a summary of Internet usage.


Following is a summary of the components to a computer forensics examination:


Document search – The search is based on file types, date ranges and keywords. File metadata is also examined. The document search is inclusive of documents preserved from computers, servers and other media sources.


Computer system history – The system metadata and other system log files are searched to create a history of usage.


System chronology - Analysis of what the user did and when it occurred.


List of programs accessed by the user - Identification of user activity by accounts (e-mail and Windows user accounts) and what files were accessed and when.


Analysis of malicious software - Software placed on a computer including key loggers, spyware, wiping programs and remote access software.


Internet History – A chronology of Internet usage is created to determine web surfing habits and to detect online e-mail accounts.


Upon completion of your interview the Examiner we will create a statement-of-work that details which service they will use for your case with an estimate of fees. With your signature, the examination will begin.



Based on the statement-of-work The Examiner will then perform a thorough examination of the data. Any data evidence found will be included in the report. Throughout the process the Examiner will contact you if there are unexpected findings so you can determine if the examination criteria require modification.



The report will likely be in an HTML format (configured like an offline website) on a CD or DVD that self starts when you

install the disk into a computer. All the information about the case including the evidence is on the disk. When

there is a reference to evidence you will have a link to the native file and you can review the file immediately.


Court Presentation

In civil litigation, the reality is that we rarely go to court as the evidence found during the examination leads

to a settlement. If the matter does proceed to court, however, all of your examiners should have considerable experience

so you can be confident that the evidence will be presented competently.


Center for Computer Forensics

21800 Melrose Ave

Suite 1

Southfield, MI 48075

This website is not intended to provide legal or professional advice. The site is merely a starting point to learn about the topics listed. While we attempt to maintain current, complete and accurate information we accept no responsibility for errors or omissions.