Digital Forensics and e-Discovery

Discovering, Recovering, and Analyzing Data

Digital Forensics—the retrieval and analysis of Electronically Stored Information (ESI) requires a wide knowledge of techniques and technology, as well as a variety of very specialized, expensive equipment. MSA has plenty of both.

ESI is an essential component of civil and criminal matters, as well as regulatory investigations. MSA’s certified digital forensic professionals ensure that critical information is consistently identified, collected, preserved, and analyzed according to the rules of evidence.

We have the team, tools and technology to help you with digital forensics services including:

  • E-evidence Recovery and Analysis

  • Data Recovery

  • Document Discovery

  • Password Recovery

  • Mobile Device Forensics

  • Litigation Support

  • Expert Testimony

MSA’s Digital Forensics Team can perform on-site data acquisition and analysis of computers, networks and other digital devices. All analysis of devices is performed at our state-of-the-art laboratory.

Electronic Discovery is the identification and securing of electronically stored information (ESI) with the purpose of using it for its evidentiary value in either a criminal or civil proceeding. MSA Investigations’ Electronic Discovery or e-Discovery professionals have substantial experience in retrieving ESI, which can be stored in various forms including, e-mails, metadata, voice-mails, documents, instant messages, text, digital images, graphics, databases, spreadsheets, file fragments, audio files, and other forms of digital data.  This data is often preserved from a variety of sources, which include handheld devices, computers, thumb drives, servers, and backup tapes.  ESI is obtained and preserved by our professionals in accordance with the rules of evidence.

Some of the cases in which e-Discovery methodology has been employed by our specialists include the following:

  • Litigation Support

  • Copyright and Trademark Infringement

  • Employee Misconduct

  • Corporate Fraud

  • Tax Fraud

Digital Forensics FAQs

Computer Forensics – Frequently Asked Questions

What is Digital Forensics?

Digital Forensics is a scientific examination by a certified computer forensic specialist, which includes the identification, collection, preservation, and analysis of all forms of Electronically Stored Information (ESI) in such a way that the data obtained can later be used as evidence in a court of law, or in possible use for litigation.

What types of digital media devices can potentially hold data?

  • Computers

  • iPads and Laptops

  • Smartphones and Most Other Cell Phones

  • MP3 Music Players, iPods

  • Hard Drives

  • Digital Cameras

  • USB Memory Devices

  • PDAs (Personal Digital Assistants)

  • Backup Tapes

  • CD-ROMs & DVDs

What are the common situations in which Computer Forensics is used?

  • Unauthorized disclosure of corporate information

  • Theft of intellectual property or trade secrets

  • Employee Internet abuse or other violations of a computer policy

  • Workplace misconduct

  • Damage assessment and analysis

  • Industrial espionage

  • Negligence, sexual harassment, and deception cases

  • Evidence collection for future employee termination

  • Criminal fraud and white-collar crime

  • More general criminal cases and many civil cases

What can a Digital Forensics examination provide?

  • Data Recovery of deleted, encrypted or hidden computer files even after a hard drive has been reformatted or repartitioned

  • Passwords for password-protected or encrypted files

  • Determination of:

    • Web sites that have been visited

    • Files that have been uploaded or downloaded

    • When files (docs, pictures, etc.) were last accessed/deleted

    • User login times and passwords


  • Discovery of:

    • Attempts to conceal, destroy, or fabricate evidence

    • Text that was removed from the final document version

    • Faxes sent or received on a computer

    • Deleted email, texts, webmail, and attachments

    • Other types of communications strings such as Instant Message chat logs


Can deleted emails be recovered?

Deleted emails can be recovered in the majority of cases, but there is no guarantee.

When emails are deleted from your Inbox there is still a chance that they reside on the server or in other areas of a computer. Computer forensic tools and methods allow for the data extraction and examination of email storage including information that had been previously deleted.

If someone uses a webmail account like Gmail, Yahoo, or Hotmail, is it possible to find that email?

Web-based email programs such as these do offer the ability to recover information even when the computer is not on the Internet. Web browsers (Internet Explorer, Firefox, Chrome, Safari, etc.) store temporary internet files on the computer that can later be retrieved by computer forensics.

Can deleted files be recovered?

Although each situation is unique, there is a very good chance that a Digital Forensics investigator can recover deleted files from the subject’s hard drive. When a file is deleted using standard methods, the contents of the file are not actually erased from the hard drive; the operating system merely erases a pointer to the file so that the file does not appear in the folders or directories, the file is actually still there. Contrary to popular belief, digital files are not vaporized when the delete button is pushed, and therefore, such files are usually recoverable and usable.

Can password protected files be accessed?

A certified Digital Forensic examiner will have a combination of sophisticated hardware tools and software programs to unlock certain types of password protected files. Depending on the type of file and the speed of the computer, some programs can try hundreds of thousands of passwords per second. However, longer and more complex passwords are more of a challenge to crack.

What is does the term “metadata” mean?

Briefly, it’s data about the data. Metadata is very important in Digital Forensics investigations as it describes essential aspects of the data (or document) including information about the author of the document, the last print time, or when the file was created, accessed, or modified. Metadata requires the same forensic scrutiny as any other form of data and often is not visible unless special tools and methods are used.

I think that a computer in my company may contain important evidence. What do I do?

Most importantly, let’s begin with what you should NOT do:

Do NOT use the computer or attempt to search for evidence, as any further use of the computer may damage and taint any evidence that might exist on the device.

Do NOT turn it on. If the suspected computer is turned off, leave it off. By powering on the system you run the risk of changing the data on the computer forever and losing valuable evidence.

Do NOT initiate a normal “Shut Down” process and shut the computer off. If you must shut down the computer, unplug it from the back of the tower or the outlet.

Do NOT type on the keyboard or move the mouse.

Do NOT allow the internal IT staff to conduct a preliminary investigation.

Do NOT remove any USB Drives/Devices, SD cards, or other devices that are connected to the computer.

Here’s what you CAN do:

Do store the computer in a secure place.

Do keep a detailed log of:

  • Who had/has access to the computer

  • What was done, if anything

  • When was it done

  • Where the computer has been stored since the incident

Do photograph the screen if computer is “on” and something is displayed on the monitor.

Do contact MSA Investigations immediately.

I think that a cellphone in my company may contain important evidence. How should I handle it?

Cell phones, iPads, digital cameras, and other mobile devices store data directly to internal memory that is more volatile, and can be lost when the device is shut off or the battery is depleted (or removed). Please follow these guidelines to secure these devices for future examination:

If the device is “off”, do not turn it “on”.

If the device is "on", leave it "on". Shutting down the device could enable password, thus preventing access to evidence and/or result in the loss of data evidence.

Photograph device and screen display (if available).

Label and collect all cables and transport with the device.

Keep the device charged.

If the device cannot be kept charged, analysis by a specialist must be completed prior to battery discharge or the data may be lost.

Document all steps involved in the seizure of the device and its components.

What are the cons to NOT calling a Computer Forensic expert immediately?

The longer a computer or digital device is used or awaits inspection, the higher probability that the digital evidence will be tainted or lost. It’s also true that the simple act of turning the computer on or looking through files can potentially damage the very data you’re seeking. The file creation dates can change, files can be overwritten, and evidence can be corrupted. But all of these risks can be lessened by contacting a Computer Forensics expert immediately, and acquiring an image of the computer as quickly as possible without destroying or altering any valuable evidence.

We have no plans to take anyone to court and merely want to make sure that an employee is not violating our company policy. Can’t we just have our in-house IT staff take a look?

There are four main reasons why in-house IT is not the best choice for such a task:

  • Recording the “Tracks”
    Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use. Taking the wrong steps in these circumstances can irretrievably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.

  • Untainted Data
    Even if proper evidence handling techniques have been used by in-house IT, the collection process itself has altered and has likely tainted the data collected. We have seen it happen. We often receive computers to examine after a company's computer personnel have attempted to recover evidence from it. In their attempts they have destroyed important evidence such as the date that files were last accessed.

  • Evidence Integrity
    In addition to the lack of skills, hardware, and software, using an in-house employee can make you vulnerable to allegations of fabricating evidence and other impropriety. You should avoid conflicts of interest that arise from using your own IT staff by hiring an independent expert. An outside computer forensics expert should be brought in as soon as possible to work with the IT, legal, and/or compliance personnel to offer an outside-unbiased perspective. Courts favor use of neutral third-party analysis.

  • Legal Expertise
    It is unlikely your employee qualifies in court as an expert in the forensic examination of a computer. As non-experts, they would only be allowed to testify to facts, and would not be permitted to testify to opinions or conclusions as an expert would.

What if we have already utilized our in-house IT staff and the recovery didn’t go as planned—can you still assist us?

Depending on the damage done by the internal IT staff, a skilled computer forensics vendor may be able to salvage some of the damaged evidence. However this can be an arduous and time-consuming process that often costs several times more than the original analysis would have cost.

How does Digital Forensics differ from data recovery?

The goal of data recovery procedures is solely to recover the files and folders lost from damaged disk drives, media, computers, peripherals or operating systems due to disk or system failure, unintentional deletion, or other unexpected circumstance, without monitoring the usage of the device. Generally, data recovery could be considered the first step in gathering evidence in a computer forensics investigation.

Digital Forensics is concerned with providing evidence (or proving a lack of evidence) regarding how a computer was used, what files were accessed and at what time, and who had accessed them. Digital Forensics investigators are able to find, assemble, analyze, and explain large amounts of digital information that would not be particularly helpful for data recovery services, but are invaluable in a court of law.

What types of data do you focus on in your investigations?

In Digital Forensics, there are three types of data that we are concerned with: active, archival, and latent.

  • Active data is the information that you and I can see. Data files, programs, and files used by the operating system. This is the easiest type of data to obtain.

  • Archival data is data that has been backed up and stored. This could consist of backup tapes, CD's, floppies, or entire hard drives to cite a few examples.

  • Latent data is the information that one typically needs specialized tools to access. An example would be information that has been deleted or partially overwritten.

How does the Certified Digital Forensics recovery process work?

The first step is to clearly determine the purpose and objective of the Investigation. Then they will secure the subject computer system from tampering or unauthorized changes during the investigation.

Next, the Investigator “discovers” all files on the subject's system. In many cases, information gathered during a computer forensics investigation is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files (known by digital forensic practitioners as slack space). Special skills and tools are needed to obtain this type of information or evidence.

Then, the investigator copies, protects, and preserves the evidence from any possible alteration, damage, data corruption, or virus introduction that may render the evidence inadmissible in court.

After that, the Investigator recovers all deleted files and other data not yet overwritten. A deleted file will remain resident on a hard drive until the operating system overwrites all or some of the file. So in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The ongoing use of a computer system may destroy data that could have been extracted before being overwritten.

Finally, the investigator includes an analysis of all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as 'slack' space in a file.

What do I receive after a computer investigation?

The Digital Forensics expert will provide a detailed report that explains:

  • Processes taken in acquiring and securing the electronic evidence

  • Qualifications of the examiner

  • Scope of the examination

  • Findings of the examination

  • Conclusions

Please note, the findings section may include file listings including file date/timestamps, document printouts, e-mail printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results.

The examiner’s conclusions may be the most critical component of the final report. These conclusions based upon the examiner’s expertise and experience in the field of computer forensic technology often forms the basis for expert testimony in a court proceeding or for the filing of an affidavit.

Vestibulum pretium varius diam vitae

Maecenas vitae sem non nulla sagittis eleifend a vel nunc. Donec suscipit est non magna sodales malesuada. Nunc a tincidunt augue, vulputate feugiat nulla. Nulla magna arcu, pretium eu efficitur eget, auctor id turpis.

  • Lorem

    Cras elit neque, imperdiet eu dignissim ut, dictum a tortor. Ut vitae malesuada eros, eu rutrum velit. Vestibulum et ex id lorem faucibus blandit nec quis nunc. Suspendisse consequat ornare neque, eget porttitor erat pretium a.

  • Ipsum

    Cras elit neque, imperdiet eu dignissim ut, dictum a tortor. Ut vitae malesuada eros, eu rutrum velit. Vestibulum et ex id lorem faucibus blandit nec quis nunc. Suspendisse consequat ornare neque, eget porttitor erat pretium a.

Vestibulum pretium varius diam vitae

Maecenas vitae sem non nulla sagittis eleifend a vel nunc. Donec suscipit est non magna sodales malesuada. Nunc a tincidunt augue, vulputate feugiat nulla. Nulla magna arcu, pretium eu efficitur eget, auctor id turpis.