Whether we are engaged to assist with a private, corporate, or law enforcement investigation, our forensic examination always begins with the same initial steps. We obtain a forensic image of your data in a manner that gives us the files/folders, as well as what has been deleted (but not yet overwritten) on your computer system. We preserve that data and work on the forensic image we have obtained. This allows you to continue operating your business. In the case of a law enforcement investigation involving illegal material, the originally seized data can be secured for court purposes. Throughout the process, we maintain the chain of custody of your computer equipment.

​

Using information gathered during our initial engagement meetings, we identify and extract the data which is relevant to your investigation. We piece together data that is not saved as individual files, which help show what activity was taking place on the computer system at the dates and times in question, and/or surrounding the activity of concern. And lastly, we document our findings and present those to you in a report that is easily understood.

​

Why Call A Forensic Expert?

There is a natural tendency to use your firm’s computer network administrator, or your computer savvy neighbour, both of whom ‘know computers.’   However, it is important to recognize that specialized training and experience is a requirement to be great at any job.

​

• My neighbour is a well-known labour and employment lawyer, would I hire her to represent me in a real estate closing?

• My best friend is a heart surgeon, would he be the first call if my son needs a root canal?

​

It is also important to recognize that opposing counsel will quickly raise ‘bias’ when a firm has its own staff conduct the forensic investigation.  An in-house investigation by another employee is certainly more likely to lean toward what the employer believes happened.   Our forensic experts are hired to analyze and interpret all of the information, presenting our clients with the truth, no matter what it may be.  It is important to understand a computer forensic investigation may prove or disprove, an allegation.

​

One of the key factors in computer forensics is the preservation of digital evidence.  When an employee was dismissed from their job, they were permitted to pack up their belongings without supervision.  It was during this time when several corporate documents, emails, as well as the company’s accounting system database, were deleted from the employee’s computer.  Considering possible electronic evidence only as an afterthought, management engaged the services of their firm’s IT support personnel to investigate.  The IT person started up the computer system, logged in and checked the recycle bin for deleted files.   A subsequent forensic analysis not only revealed the start-up of the computer system by the IT professional, but it also uncovered that computer system start-up resulted in the permanent overwriting of the previously deleted accounting system database.  So, although many documents, spreadsheets and over 300 email messages were recovered, the innocent actions of the IT staff member, caused the permanent destruction of the firm’s accounting system.

​

You need a computer forensic expert when:

​

• Someone is interested in wrongdoing,

• They have access to a computer.

​

In this situation, there is a high probability the computer was used to create the wrongful act (the computer itself is the crime scene) or that related documents were stored on the computer (provides evidence or insight into a crime).  In either case, Teel Tech will work with you to recreate the electronic footprints of that user’s actions.

​

Remember; the most accurate results come from your decision to call a professional.

​

Comparing Data Recovery to Computer Forensic Analysis

Data recovery is the process of recovering deleted files. While computer forensics can also recover deleted files, it digs much deeper into the actions surrounding the file deletion.

​

Examples

A) In a Child Pornography investigation, over 1,000 photo images were found in a temporary internet file storage area on the computer hard drive, along with many more deleted photo image files. Defence instantly raised the argument his client made several unintentional visits to illegal internet web sites, which automatically saved those files on his computer. The computer forensic analysis found there were also several deleted email messages related to subscription renewals to these illegal internet web sites, along with credit card payments for access (in the name of the suspect). The deleted email messages were not ‘complete files,’ and as such would not have been recovered through a simple data recovery operation. And so, while the presence of the files does raise some questions, the presence of the email messages, along with deleted data showing deliberate manual attempts by the computer user to seek out this material, resulted in a guilty plea.

​

B) Following a home break and enter, the owners filed an insurance claim for several stolen items, along with over $10,000 of the owner’s wine collection. A computer forensic investigation of the home owner’s computer system found not only dozens of deleted files related to wine, but it discovered within the computer’s activity the computer user had sought out information on wine and developed an ongoing inventory database only after the alleged theft took place. While a data recovery operation would have found deleted files, the computer forensic analysis revealed relevant activity, date and time information, and subsequently also revealed insurance fraud.

​

C) A law firm is brought in to investigate a case of employee vs. supervisor sexual harassment, regarding comments the employee allegedly received in an email message, from the supervisor. Although the supervisor stated the employee added the alleged comments after she received the email, a subsequent forensic analysis supported the employee’s allegation, resulting in the supervisor’s resignation. The forensic analysis also showed that before handing in his corporate computer, an external data storage device had been connected, and thousands of corporate files were copied from the supervisor’s computer.

​

Computer Forensic Analysis

Examples of information gathered, that our clients have found useful:

• Inappropriate photo image and video files stored under a particular username on a computer system, found to have been saved thereafter the computer user conducted specific internet searches ‘seeking out’ that material using peer-to-peer software.

Although deleted, the internet searches were recovered and the employee terminated for breach of computer usage policy.

• Exfiltration of the intellectual property taken by the employee’s moving on to the competition.

• Individuals often back up mobile devices (iPad,s cell phones) to their computer systems. These backups are a gold mine of user activity, which comes in handy especially if the mobile device is not readily available when investigators are seeking it out.

• Metadata (data about data) can contain information on which computer user created, modified and/or printed a particular document.