Header image  
private investigators specializing in the forensic imaging and analysis of digital media  
    HOME   |  
"When do I need computer forensic services?"

The short answer is, " Any time the information recovered is or is likely to become an issue in civil or criminal litigation." 

This is the core of the difference between computer forensics and data recovery:  Data recovery is a strictly technical task - all that the client cares about is having access to the files in question.  A computer forensic examination is an investigation - the examiner's report documenting what was found and where is every bit as important to the client as the recovered material.  Further, the examiner must be qualified, willing, and prepared to testify under oath in a court of law as to his or her findings.

Nearly anyone can get into a computer system and click around, looking at documents, browsing files, and running applications.  He or she may find exactly what they are looking for; the "smoking gun" that proves or disproves an issue.  A technically savvy person may even be able to recover deleted or hidden files.

If this is within your skill level and your only purpose is to confront a person or persons with evidence of their activities (or lack thereof), this may be sufficient.  However, if there is any chance that the matter may become the subject of litigation, either civil or criminal, any information so recovered has little or no value as evidence.  It's not evidence until the judge admits it, and opposing counsel can easily (and, very likely, successfully) challenge its admission at trial.  

To assure admissibility, the court must be confident that the person recovering the evidence is impartial and that the proceedures used maintainted the integrity of the evidence.  The recovery process must be documented and replicable.  Each step taken must be in accordance with established best practices such that another competent examiner can duplicate the results.  

The field of computer forensics lies where information technology and criminal investigation intersect, and the examiner must be trained in both areas. In-house information technology professionals, technically proficient as they may be, are not necessarily competent to undertake computer forensic examinations unless they have additional training and experience in the identification and handling of potential evidence.  Police officers, private investigators, and security professionals, competent as they may be, are not necessarily capable of conducting computer forensic examinations unless they have additional training and experience in the mechanics and file system structures of digital storage devices.  The computer forensic examiner must possess both sets of skills.