Let Fact Finding Forensics Light the Way

Friday, September 8, 2017

Struggling to identify the primary user of a computer in your matter? Allow the facts to speak for themselves. Corroborating artefacts beyond the typical documents identified in an electronic discovery exercise will often prove valuable if dominion and control of a particular system is ever called into question.

Take the following scenario: if a computer is handed over pursuant to a search order and forensically acquired by examiners, do you know who used that computer daily if it was in a shared desk space? Was it used solely by the office administrator who worked 8am – 5pm each day? Did others know her logon password? Was there even a password in place? How can one determine the users of the computer at a given time, apart from signed witness statements and, to a greater extent, CCTV?

Following are ways in which the industry sometimes answers the question of computer ownership:

  1. Look at the registered owner information in the system, as well as the names of any user accounts to the extent they are ‘friendly names’ and not something like ‘U301618’.
  2. E-mail data on a computer can help display who was sending messages from their authorised account(s). On the basis that these e-mail messages are legitimate, this is a good place to start.
  3. Office documents authored by the user with relevant metadata coinciding with their working hours can also add insight. If traditional MS Office type documents are created and edited on the computer, they typically contain an additional layer of metadata relating to the author, date last saved, date last printed and so forth. This can help add to the increasing list of corroborating artefacts.
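The Office metadata point above is easy to test in code. The following example is added here and is not part of the original post: it reads the author, last-saved-by and timestamp fields from `docProps/core.xml` inside an OOXML package (.docx/.xlsx/.pptx) and checks them against the claimed user and the 8am – 5pm working pattern from the scenario. The document, the name "Joan Smith" and the timestamps are constructed; the assumption that the office keeps UK time (BST, UTC+1, on the sample date) is labelled in the code. Office writes these timestamps in UTC, so the same document can look consistent with working hours in UTC and inconsistent in local time, which is the caveat the example is built to show.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, time, timedelta, timezone

# Namespaces used in docProps/core.xml of an OOXML package (.docx/.xlsx/.pptx)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample core.xml; the author name and timestamps are invented.
# Office stores dcterms timestamps in UTC (the trailing "Z").
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>Joan Smith</dc:creator>
  <cp:lastModifiedBy>Joan Smith</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2017-08-14T08:32:10Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2017-08-14T16:45:03Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

# Assumption: the office in the scenario keeps UK time, which was BST (UTC+1) on that date.
BST = timezone(timedelta(hours=1))


def build_sample_docx(core_xml: str) -> bytes:
    """Wrap core.xml in a minimal zip container so the parser sees a real package layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def parse_w3cdtf(value):
    """Parse the W3CDTF timestamp Office stores (e.g. 2017-08-14T08:32:10Z) to an aware datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_core_properties(docx_bytes: bytes) -> dict:
    """Pull author and last-saved metadata out of docProps/core.xml in an OOXML document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": parse_w3cdtf(text("dcterms:created")),
        "modified": parse_w3cdtf(text("dcterms:modified")),
    }


def within_working_hours(ts, local_tz=timezone.utc, start=time(8, 0), end=time(17, 0)):
    """True if the timestamp falls on a weekday between start and end in the given local zone."""
    if ts is None:
        return False
    local = ts.astimezone(local_tz)
    return local.weekday() < 5 and start <= local.time() <= end


def corroborate(props: dict, claimed_user: str, local_tz=timezone.utc) -> dict:
    """Summarise how far the document's metadata supports the claimed user."""
    return {
        "author_matches": props["creator"] == claimed_user,
        "last_saved_by_matches": props["last_modified_by"] == claimed_user,
        "created_in_hours": within_working_hours(props["created"], local_tz),
        "modified_in_hours": within_working_hours(props["modified"], local_tz),
    }


def run_example() -> dict:
    """Evaluate the constructed document in UTC and in the office's local zone."""
    props = extract_core_properties(build_sample_docx(SAMPLE_CORE_XML))
    return {
        "props": props,
        "utc": corroborate(props, "Joan Smith"),
        "local": corroborate(props, "Joan Smith", local_tz=BST),
    }


if __name__ == "__main__":
    for label, result in run_example().items():
        print(label, result)
```

The 16:45Z last-saved time is inside working hours in UTC but 17:45 in BST, so the "modified_in_hours" flag flips between the two runs. Pick the zone the people in the matter actually worked in before drawing any conclusion from these fields, and treat the author name as corroboration only: it is whatever Office had recorded as the user name on the machine that saved the file.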

Following are ways in which a forensics examiner may answer the question of computer ownership:

  1. Whether locally stored e-mail data resides on the computer is of no consequence. Examiners can still look a bit deeper at things like web browsing histories: auto-fill form data, recent site visits, cookies and even renderings of an actual site visited. This can be tremendously valuable if a user is logging into their favourite dating site, paying their electricity bill, or fulfilling their social media addiction.
  2. On Apple computers, data about behaviour and events are becoming harder to parse and interpret, as the OSX operating system increases its privacy-security implementations. Despite these changes, there is still a wealth of artefacts for dissection that can shed light on the computer’s primary users. Recently backed up iOS devices, like iPads and iPhones, can quickly reveal to whom they belong, such as ‘Joan’s iPhone’. These artefacts can well exist on a PC and are stored in a very comparable manner to their Mac counterparts.
  • KEY REMINDER: These backups created by the iTunes application can usually be parsed by forensic examiners and will often contain messages, notes and other key data about the respective mobile devices.
  3. Are there identifiable cloud applications (client-side) installed on the computer? If so, examiners can potentially parse and report on the account name such as, ‘<Dropbox>’.
  • If there is an intuitively named e-mail account associated with a cloud service provider, that’s great, but you can also reasonably assume that [some] data are synchronously stored online as well as on the tangible computer. This could have huge implications in a trade secret or IP theft case.
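The ‘Joan’s iPhone’ point and the KEY REMINDER above can be turned into a repeatable check. The example below is added here and is not the author's or any vendor's code: it reads the `Info.plist` that iTunes writes into each backup directory, pulls the device name, product type and last backup date, infers a possessive owner name from device names like ‘Joan’s iPhone’, and counts how often each name appears across all backups on the machine. The three backups, their names, dates and UDID-style directory names are constructed; the `Device Name`, `Product Type`, `Last Backup Date` and `Target Identifier` keys are the ones iTunes writes. The default backup paths in `load_backup_directory` are the documented iTunes locations and are stated as an assumption in the code.

```python
import plistlib
import re
from datetime import datetime
from pathlib import Path

# Constructed sample Info.plist contents for three backups. The keys are the ones iTunes
# writes; every value, including the UDID-style directory names, is invented for this example.
PLIST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Device Name</key><string>{name}</string>
  <key>Product Type</key><string>{product}</string>
  <key>Last Backup Date</key><date>{date}</date>
  <key>Target Identifier</key><string>{udid}</string>
</dict>
</plist>
"""

SAMPLE_BACKUPS = {
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3": ("Joan's iPhone", "iPhone9,3", "2017-09-01T07:45:12Z"),
    "f9e8d7c6b5a4938271605f4e3d2c1b0a99887766": ("Joan’s iPad", "iPad6,11", "2017-07-20T18:02:40Z"),
    "1234567890abcdef1234567890abcdef12345678": ("iPhone", "iPhone8,1", "2016-11-03T12:10:05Z"),
}

# Matches "Joan's iPhone" or "Joan’s iPad" (straight or typographic apostrophe) and
# captures the owner; a bare "iPhone" has no possessive and yields no owner.
OWNER_RE = re.compile(r"^(?P<owner>.+?)['’]s\s+(?P<device>\S.*)$")


def sample_plist_bytes(udid: str) -> bytes:
    """Render one constructed Info.plist as the bytes plistlib would read from disk."""
    name, product, date = SAMPLE_BACKUPS[udid]
    return PLIST_TEMPLATE.format(name=name, product=product, date=date, udid=udid).encode("utf-8")


def parse_backup_info(udid: str, plist_bytes: bytes) -> dict:
    """Extract the ownership-relevant fields from a single backup's Info.plist."""
    info = plistlib.loads(plist_bytes)
    name = info.get("Device Name", "")
    m = OWNER_RE.match(name)
    return {
        "udid": udid,
        "device_name": name,
        "inferred_owner": m.group("owner") if m else None,
        "product_type": info.get("Product Type"),
        "last_backup": info.get("Last Backup Date"),  # plistlib returns a naive UTC datetime
    }


def summarize_backups(backups: dict) -> list:
    """Parse every backup's Info.plist and order the rows newest backup first."""
    rows = [parse_backup_info(udid, data) for udid, data in backups.items()]
    rows.sort(key=lambda r: r["last_backup"] or datetime.min, reverse=True)
    return rows


def owner_counts(rows: list) -> dict:
    """Count how many backed-up devices carry each inferred owner name."""
    counts = {}
    for r in rows:
        if r["inferred_owner"]:
            counts[r["inferred_owner"]] = counts.get(r["inferred_owner"], 0) + 1
    return counts


def load_backup_directory(root: Path) -> dict:
    """Read <root>/<udid>/Info.plist for every backup under an iTunes MobileSync/Backup folder.

    Assumption: root is the default location, e.g. %APPDATA%\\Apple Computer\\MobileSync\\Backup
    on Windows or ~/Library/Application Support/MobileSync/Backup on macOS, or a mounted image of it.
    """
    backups = {}
    for plist_path in root.glob("*/Info.plist"):
        backups[plist_path.parent.name] = plist_path.read_bytes()
    return backups


def run_example() -> list:
    """Run the summary over the constructed backups instead of a real MobileSync folder."""
    return summarize_backups({udid: sample_plist_bytes(udid) for udid in SAMPLE_BACKUPS})


if __name__ == "__main__":
    rows = run_example()
    for r in rows:
        print(r["last_backup"], r["product_type"], repr(r["device_name"]), "->", r["inferred_owner"])
    print("owner counts:", owner_counts(rows))
```

On a real system replace `run_example()` with `summarize_backups(load_backup_directory(Path(...)))`. The device name is user-editable and a shared computer can hold backups for several people's devices, so the counts are one more corroborating artefact to set beside the others, not proof of who sat at the keyboard.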

Have you ever encountered a closet full of laptops with no labels or asset tags? The aforementioned techniques and examples may prove useful in your cases and could also be used to identify a grouping of unidentified devices seized or turned over. If there are a relatively large number of systems like this, consider using bootable forensic environments that allow the examiners to quasi-natively review the contents and parse certain artefacts, without first creating the forensic image(s). This can also be done without modifying the original data and is sometimes referred to as ‘advanced previewing’.

Engage a data forensics expert on your next matter to help light the way and find the facts you need to make your case.



Author: Timothy LaTulippe, EnCE, CCE, MiCFE, CCPA, DFCP

Tim LaTulippe is a Certified Forensic Examiner and a Senior Consultant with Advanced Discovery’s UK division. Timothy holds a variety of certifications including EnCE, CCE and CCPA, as well as a BS in Computer and Digital Forensics and a Master of Science in Data Forensics Management (MSc (Hon)). He has assisted in complex investigations in both the public and private sectors, working with government agencies, Fortune 100 corporations and AM Law 100 firms to provide complete, correct analysis of incidents and issues, and specializes in complex investigations, data privacy, and information security.

Formerly a Senior Forensic Examiner with Digital Forensics, Inc., Timothy has served as an expert witness in a variety of State, Federal and military proceedings. His broad experience includes matters involving trade secret theft, medical malpractice, intellectual property theft, unfair business practice, fraud and internal investigations. Additionally, Timothy is the author of “Working Inside the Box: Real Life Example of GDS in a Forensic Examination,” which was published in The Journal of Digital Forensics Security & Law, and “The Need for Targeted Collections in a Diminished Economy.” He is a member of the Digital Forensics Certification Board, the International Association of Financial Crimes Investigators, the High Tech Crime Consortium, and the International Association of Computer Investigative Specialists.
