Computer Forensics Can Provide the Key to the Case

In today’s electronic world, the crime scene in a CSI episode may look more like a motherboard than a murder scene.

Posted by Dawn Lomer on July 18th, 2011

In the world of e-discovery, there are no secrets. Despite a criminal’s best efforts to hide the evidence, there’s often a chance that it can be recovered and presented in court.

Catching criminals and clearing the innocent can be a matter of digging deeper into the world of data. In today’s electronic environment, the crime scene in a CSI episode may look more like a motherboard than a murder scene.

To begin with, emails can be used as evidence in just about any case, says computer forensic consultant Richard Morochove of Morochove and Associates. “They are so common these days… Very few people will sit down and create a letter on paper.”

Electronic Paper Trail

With the majority of communication being conducted electronically, email can be among the most compelling evidence in cases ranging from insider trading and fraud to harassment and discrimination. It’s hard to dispute the facts when the exact words written by a defendant are presented in court.

However, things aren’t always what they seem. “Sometimes data is given to me and I’m asked to give an opinion or examine it,” says Morochove. “Sometimes it’s an email and the person who sent the email says it’s a forgery. It’s a question of examining the email for evidence of authenticity.”

Recovering Deleted Data

A subject of an investigation is very likely to try to delete any electronic evidence, and this is where a computer forensic expert can uncover some surprising results. Depending on when files were deleted, how close the hard drive is to capacity and the amount of use a computer gets, many deleted files can be recovered.

“I was asked to look at information that was thought to be deleted about two years ago,” says Morochove. “I didn’t have much confidence that it would be there because the computer was being used almost on a daily basis and there were no separate accounts set up for the different users.” While Morochove did find relevant information, it is uncommon for data to be recoverable in these circumstances.


You might think that someone who needs to hide electronic evidence would encrypt it. Not usually, says Morochove. “The average individual doesn’t use encryption… Someone who has more of a criminal intent may be predisposed to using encryption, but it’s not as commonly used as you might expect.”

There are different ways of getting at encrypted information, but the easiest and quickest is, of course, asking for the password. “Sometimes it’s a matter of getting a court order compelling them to provide the password,” says Morochove. “That’s the easiest way. Otherwise it’s tough slogging… guessing and using automated ways.”

Date and Time Evidence

A computer forensic expert can sometimes help to clear the accused by looking at properties of the files in question.

“I was working on behalf of the defendant in a criminal matter who was charged with possession of child pornography,” says Morochove. The pornography had been discovered while the defendant’s computer was being repaired at a repair shop and the technician had called the police, leading to the filing of criminal charges.

“But when we went through the investigation, one of the key things was the date and times of the files of child porn. The dates and times of those files were when the computer was in the possession of the computer store,” says Morochove. Clearly the files had been downloaded at the store and not by the defendant.
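
One way to run the kind of timestamp check described above over a read-only mounted copy of a drive, as an added example that is not part of the original article or the consultant's own tooling; the function names and the dates in the usage comment are constructed for illustration.

```python
import os
from datetime import datetime, timezone

# Report field -> os.stat_result attribute. Note that st_ctime is the
# inode-change time on Unix and the creation time on Windows.
STAT_FIELDS = {"modified": "st_mtime", "accessed": "st_atime", "changed": "st_ctime"}


def file_times(root):
    """Yield (relative_path, {field: UTC datetime}) for each file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: report on a symlink itself, not its target
            times = {
                field: datetime.fromtimestamp(getattr(st, attr), tz=timezone.utc)
                for field, attr in STAT_FIELDS.items()
            }
            yield os.path.relpath(full, root), times


def flag_in_window(root, start, end):
    """Return sorted [(path, [fields inside start..end])] for files with a hit."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("window bounds must be timezone-aware")
    if end < start:
        raise ValueError("window end precedes start")
    hits = []
    for path, times in file_times(root):
        inside = sorted(f for f, t in times.items() if start <= t <= end)
        if inside:
            hits.append((path, inside))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Constructed usage (the dates are placeholders, not from the case):
    #   check.py /mnt/copy 2011-03-01T09:00:00+00:00 2011-03-04T17:00:00+00:00
    root, start, end = sys.argv[1], *map(datetime.fromisoformat, sys.argv[2:4])
    for path, fields in flag_in_window(root, start, end):
        print(f"{path}\t{','.join(fields)}")
```

File-system timestamps follow the system clock and can be changed after the fact, so a hit from a check like this is a lead to corroborate against other records rather than a conclusion.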

Electronic Log Evidence

Forensics can also uncover evidence from servers. In a case where one company accused a competitor of illegally competing with them by hijacking keyword searches in Google, Morochove’s team was able to prove, by analyzing the logs of the accuser’s e-commerce server over the course of a year, that there was a normal variation on different search terms. Allegations that searches were being diverted to the defendant were unfounded.

No matter which side you’re on, electronic evidence can be the master key that unlocks the case.

Dawn Lomer

Managing Editor

Dawn Lomer is the managing editor at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.