Computer forensics is used in many areas: in civil law for discrimination and harassment cases, by insurance companies for workman’s compensation cases, by corporations for trade secret misappropriation, and in criminal law mostly for drug and embezzlement record-keeping and child pornography.
As mentioned previously, this is a loosely related, developing specialty area. It is most closely related to typewriting comparison. The FBI has, for many years, maintained typewriter databases, ink databases, copy toner databases, paper databases, and watermarks (which sometimes change every year). Private examiners do not have the advantage of large databases available to government examiners.
Computers and computer printouts also leave a trail that can be followed, from something as simple as how full or dry a printer ink cartridge is, to the various alignments and misalignments of dot matrix and laser printers, to fiber analysis of the paper used. Computer crime specialists use some of the same age-old techniques that typewriting analysts used, as well as other investigative methods.
A computer forensic expert will have experience with a wide variety of hardware and software.
Unlike paper evidence, computer evidence exists in many forms, with earlier, alternate, and backup versions of each and every file somewhere on the hard drive and frequently unknown to the user.
The process of examining a suspect computer system is as follows:
- Secure/protect the system from further use, damage, or corruption
- Discover all files, including hidden and encrypted ones
- Recover all (or as many as possible) deleted files
- Reveal all hidden, temporary, and swap files
- Access all protected or encrypted files
- Analyze all unallocated or «slack» spaces on a disk
- Print out an overall analysis of the system, listing all files
- Formulate an opinion of the system layout, file structure, and any attempts to hide, delete, protect, or encrypt information
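An added example (not from the original article): a read-only Python inventory covering the discover, slack, and listing steps above for a mounted working copy of the evidence. The 4096-byte cluster size, the 7.5 bits/byte entropy threshold, the function names, and the sample tree are assumptions constructed for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

CLUSTER = 4096  # assumed allocation unit; take the real value from the file system

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def inventory(root: str, cluster: int = CLUSTER) -> list:
    """Walk a mounted working copy of the evidence; files are only opened for reading."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            digest, size, head = hashlib.sha256(), 0, b""
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    head = head or chunk          # keep first chunk for the entropy test
                    digest.update(chunk)
                    size += len(chunk)
            records.append({
                "path": rel, "size": size, "sha256": digest.hexdigest(),
                "hidden": any(p.startswith(".") for p in rel.split(os.sep)),  # Unix dot convention
                "slack": -size % cluster,         # unused bytes in the file's last cluster
                "high_entropy": len(head) >= 256 and entropy(head) > 7.5,  # encrypted or compressed?
            })
    return sorted(records, key=lambda r: r["path"])

def build_sample(root: str) -> None:
    """Constructed sample tree standing in for a mounted evidence copy."""
    os.makedirs(os.path.join(root, "docs", ".cache"))
    samples = {
        "docs/ledger.txt": b"invoice 1001 paid\n" * 40,
        "docs/.cache/notes.tmp": b"draft",
        "vault.bin": hashlib.shake_256(b"constructed").digest(8192),  # random-looking bytes
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for r in inventory(tmp):
            print(r["sha256"][:16], r["size"], r["slack"], r["hidden"], r["high_entropy"], r["path"])
```

The slack figure is the size of each file's slack region, not its content; reading the residual bytes themselves requires access to the raw disk image.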
There’s quite a bit of divergent terminology found in court testimony. The most common «conclusions» are really qualified opinions. Although the science of QDE has its origins in Bertillon’s points of comparison method, there’s no set standard, such as 11 or 12 «matches» as with fingerprinting. Instead, it’s up to each expert to say what constitutes a sufficient number.
The most commonly used phrases are «significant similarities», «most probably», or «very probably». An expert opinion need not be based on absolute certainty. A QDE expert can expect to be on the stand a long time, as direct, cross, redirect, and recross trial procedures play out. The background and integrity of the expert as well as the quality of the evidence determine both admissibility and impact.
Court-recognized expertise as a QDE expert is not something that can be achieved through self-study alone. An old common law rule that isn’t recognized much anymore says that one can become an expert by study without practice or by practice without study.
With QDE, the courts (State v. Evans 1991) have decided that a person needs both: study and practice — that is, a period of training (internship or apprenticeship is better than a self-study course) and a period of experience (twenty some previous cases worked on is a good average). In addition, there’s a rather large literature base to become familiar with, and a good number of journals, periodicals and newsletters.
Some famous FORGERS & FORGERIES:
- Major George Byron (Lord Byron forgeries)
- Thomas Chatterton (Literary forgeries)
- John Payne Collier (Printed forgeries)
- Dorman David (Texas Dec. of Independence)
- Mark Hofmann (Mormon, Freemason forgeries)
- William Henry Ireland (Shakespeare forgeries)
- Clifford Irving (Howard Hughes forgery)
- Konrad Kujau (Hitler Diaries)
- James Macpherson (Ossian manuscript)
- George Psalmanazar (Literary forgery)
- Alexander Howland Smith (historical documents)
- Thomas James Wise (Printed forgeries)
- Unknown (Documentary Photos Billy-the-Kid)
- Numerous (Biblical forgeries).