Corporate Investigator Answers Investigation

Computer Investigation (3)

IT FORENSICS 3 - EVIDENCE FROM COMPUTERS & LAPTOPS Call us on 020 7158 0332 or send an email to

Evidence obtained from computer hard drives that may have been deleted or hidden


Evidence will be most often found in files that are stored on hard drives, whether internal or external. Files may, of course, have been deleted and will need running of sophisticated recovery programmes. Dates and time of creation can be of vital importance, as can modification dates, deletion dates etc. Temporary back up files, web cache , address books etc may be re-created with application

Areas for consideration include:

User Created Files: May contain evidence of relevant activity, e.g. address books and database files that can prove associations with persons external or internal, or undisclosed communication. Images can be rebuilt even if deleted, as can video or scanned documents. Such files may be in the form of:

  • Address books
  • Email files
  • Images
  • Text Documents e.g. Word
  • Internet Browser bookmarks
  • Databse Files
  • Spreadsheets
  • Audio & Video files & links
  • User Protected Files: A user may encrypt or password-protect important data, or hide files on a hard disk, within other files, or attempt to hide incriminating data under an innocent sounding name. User Protected files may be in the form of:

  • Compressed or Zipped Files
  • Renamed or misnamed files
  • Encrypted files
  • Password Protected Files
  • Messages written in a manner that only writer and recipient can understand
  • Hidden Files
  • Computer Generated Files: Evidence may also be found in files and data areas that are created routinely by Operating Systems - something of which the user is often not aware. Password recovery is often achievable through recovery and examination. Some file components hold evidentiary value such as time and date creation/ modification / deletion / access; even turning the machine on may alter some of this information e.g. the last time a PC was booted may be of importance. Data may be retrieved from:

  • File backups
  • Dates, times, passwords
  • Deleted Files
  • Hidden Partitions
  • Lost clusters
  • Boot records
  • Other partitions
  • If in doubt - don't touch ! Never attempt to recover data or explore data from a computer without the necessary skills - this may affect the integrity of a chain of evidence to your later cost. When working with units our first move will be to clone the unit and conduct our work from the clone without booting the machine. By all means, however, take evidential photographs

    Computer forensics is a generic name describing forensic analysis and reporting of computer or IT media. As well as the hard drive(s) this may include USB drives, MP3/4's, external drives etc. While most cases involve Windows Operating Systems we can also apply the same principles to Mac OS and Linux. Never make the error of believing that when you hit the delete key the information is gone - there is a high possibility deleted data may be recovered in it's entirety

    We apply Computer forensics in investigation for many reasons including:

  • Misuse of company information by employee or ex-employee
  • Internal theft or fraud
  • Analysis of email and deleted files
  • Pornography and/or illegal downloads
  • Data Recovery
  • Paedophilia
  • Substance Abuse / dealing
  • Internet Misuse
  • Theft of Intellectual Property (e.g. databases)
  • Computer Evidence determining an Employment Tribunal case as reported in the Daily Telegraph

    Daily Telegraph Employment Tribunal

    Retrieving deleted data in corporate environments as evidence in investigation

    Corporate Investigation

    Evidence gained from investigation of a computer has determined litigious decisions


    Recreating deleted files and messages from a clone made of a computer hard drive

    Computer Recovery of deleted files and timeline building

    First Actions to take if you suspect a computer holds evidence that will make a watertight case

    computer forensic evidence

    Mobile Phone Investigation - unravelling the secrets of a mobile phone

    undeleting mobile phone messages

    Maintaing the Evidence held on a computer will help to ensure the integirty of information

    Preserving evidence for a Computer Investigation

    Action to take on-site what you should do first, what to touch and what not to touch and retain

    Preserving evidence for a Computer Investigation
    Private Investigator

    "searching the world for answers"

    Copyright © Detective Ltd 1995-2024 ·

    Site Map