Over the years, we’ve fielded a lot of the same questions from business owners, managers, and attorneys, whether at the outset of an investigation or during the process itself. This week we’re addressing some of the most common.
How can computer or digital forensics help me?
It depends.
Really, it does, on the nature of the issue you’re dealing with. The majority of our work boils down to theft in some form. That could be theft of:
- Intellectual property (IP)
- Trade secrets
- Proprietary company data
- Or more broadly: misuse of company time, resources, vendor relationships, or even outright monetary theft.
All these cases involve data, and where there’s data, there’s a trail. Digital forensics can be invaluable from the first whisper of suspicion all the way through to courtroom proceedings, or even criminal charges.
It might start with a subtle concern about an employee. Maybe it’s suspected IP theft. Or perhaps a harassment claim that, upon investigation, reveals the actual harasser was the person making the complaint. Almost every matter today involves computing devices. To overlook digital forensics is to overlook one of the strongest tools for getting to the truth.
What’s the difference between forensics and e-discovery?
It’s a bit like casting a huge fishing net versus taking aim with a spear gun.
- E-discovery typically pulls in active data: emails, calendars, Word docs, spreadsheets, PDFs, databases. Think of it as answering the question: What’s there right now?
- Digital forensics does that and goes far beyond: recovering deleted data, piecing together fragments, building timelines, connecting devices, and trying to answer the who, where, when, how, and why, not just the what.
We’ve uncovered plenty of smoking guns in deleted files that e-discovery alone would have missed. While e-discovery is about gathering existing content, forensics is about investigating. It’s how we uncover not only what happened, but the surrounding story that proves or disproves wrongdoing.
Can you find everything that’s been deleted?
Some less-than-scrupulous or less-experienced examiners might promise they can. The truth? No one can find everything, especially if too much time has passed or if sophisticated wiping was used.
But we can find quite a lot. Even if files are deleted or partially overwritten, there are still many places on a drive that harbor fragments. Swap files, unallocated space, and leftover temporary files often contain valuable information.
For example, we’ve reassembled 95% of a critical document from scattered data fragments. Sometimes it’s not so much stitching together pieces as it is stripping away the noise around data that the system intermingled over time.
Most people don’t realize how much Windows, macOS, and other systems keep in the background. Windows registry entries, system restore points, and installer snapshots can all contain clues. So even if a file itself is gone, odds are we’ll find remnants that help tell the story.
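An added illustration of how fragments are found (not code from Swailes or from any forensic tool): a minimal signature carver run over a constructed buffer standing in for unallocated space. The signature table, the 64-byte fragment cap, and the sample contents are assumptions for the demo, and it only handles data stored contiguously.

```python
# File types are recognised by their header and footer byte signatures.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_FRAGMENT = 64  # bytes kept when the footer is gone (small, for the demo)

def carve(raw):
    """Return every header hit, flagged complete only if its footer survives."""
    hits = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = raw.find(head)
        while pos != -1:
            nxt = raw.find(head, pos + len(head))    # next header bounds the search
            limit = nxt if nxt != -1 else len(raw)
            end = raw.find(foot, pos + len(head), limit)
            if end != -1:
                data, complete = raw[pos:end + len(foot)], True
            else:                                    # footer overwritten: keep a fragment
                data, complete = raw[pos:min(limit, pos + MAX_FRAGMENT)], False
            hits.append({"type": kind, "offset": pos, "length": len(data),
                         "complete": complete, "data": data})
            pos = nxt
    return sorted(hits, key=lambda h: h["offset"])

def sample_unallocated():
    """Constructed sample: two deleted PDFs (one partly overwritten) and a JPEG."""
    pdf = b"%PDF-1.4\n1 0 obj <</Title (Q3 pricing)>> endobj\n%%EOF"
    partial = b"%PDF-1.4\n1 0 obj <</Title (client list)>> endobj\n"  # no footer
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed" + b"\xff\xd9"
    return (b"\x00" * 512 + pdf + b"\xaa" * 300 + partial
            + b"\x00" * 200 + jpeg + b"\x00" * 100)

if __name__ == "__main__":
    for hit in carve(sample_unallocated()):
        print(hit["type"], hit["offset"], hit["length"], hit["complete"])
```

The partly overwritten PDF is still reported, as an incomplete fragment whose surviving bytes include the document title.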
What pitfalls can someone avoid at the start of a matter?
The biggest mistake? Not securing the machine or device immediately.
It’s one of the most common ways people unknowingly step on a landmine. For instance:
- The company wipes the device and gives it to another employee.
- Or an eager IT person boots it up and starts poking around with built-in search tools.
This disrupts the chain of custody, which can complicate or even jeopardize your case later.
When in doubt, take it offline and out of service. Many companies we work with have instituted a waiting period before putting machines from key personnel back into circulation.
And who’s in a position to cause harm? Honestly, almost anyone. Sure, larger organizations usually have stricter access controls. But in many small and medium businesses, close relationships, cross-training, and general informality often mean people have more access than needed.
Keep in mind:
- HR might have sensitive data, but unless they’re plotting identity theft, they’re less likely to misuse it.
- Sales, operations, and management? That’s where the company’s crown jewels (trade secrets, vendor relationships, client lists, competitive strategies) live. Those roles are the usual hotspots for data theft.
Why use a digital forensics expert instead of just IT?
Your IT team keeps the business running. They’re essential: no IT means no computers, no network, no productivity.
But investigating is not the same as troubleshooting.
- IT can diagnose why a system isn’t booting or why a network is slow.
- But following leads, knowing exactly where data might hide, piecing together events, and preparing evidence for court? That’s a different skill set.
In fact, we’ve often had to step in after well-meaning IT staff already searched a device. Not insurmountable, but then we need affidavits explaining what was done, maybe deposition or courtroom testimony, and there’s always a risk that critical metadata was altered.
That’s why we often recommend that larger clients let us train their IT staff on the basics of preserving evidence properly:
- Establishing chain of custody.
- Taking forensic bit-for-bit images.
- Using safe tools for internal searches on copies, not originals.
That way, when we come in, the original evidence is intact, properly documented, and ready for serious investigation, reporting, and courtroom scrutiny.
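The three preservation basics above, sketched as an added example (not Swailes’ procedure or tooling): copy the source bit-for-bit, hash it, record each hand-off in a custody log whose entries are chained by hash, and search only a working copy. File names and actor names are hypothetical, the "device" is a constructed file, and a real acquisition would also use a write blocker and a dedicated imaging tool.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path
CHUNK = 1 << 20          # read 1 MiB at a time
GENESIS = "0" * 64       # "previous" value for the first custody entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image):
    """Bit-for-bit copy to a new read-only image; returns the image's SHA-256."""
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        shutil.copyfileobj(src, dst, CHUNK)
    os.chmod(image, 0o444)
    return sha256_file(image)

def log_custody(log, actor, action, item, digest):
    """Append one entry; each entry stores the hash of the line before it."""
    lines = Path(log).read_text().splitlines() if Path(log).exists() else []
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else GENESIS
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "item": str(item), "sha256": digest, "prev": prev}
    with open(log, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")

def verify_log(log):
    """False if any entry other than the last was edited, removed or reordered."""
    prev = GENESIS
    for line in Path(log).read_text().splitlines():
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True

def demo():
    work = Path(tempfile.mkdtemp())
    source = work / "source.bin"                   # constructed stand-in for a device
    source.write_bytes(os.urandom(CHUNK + 123))
    image, working, log = work / "evidence.img", work / "working.img", work / "custody.jsonl"
    log_custody(log, "examiner-a", "acquired", image, acquire(source, image))
    shutil.copyfile(image, working)                # searches run on this copy only
    log_custody(log, "it-staff-b", "working copy issued", working, sha256_file(working))
    return work

if __name__ == "__main__":
    print("custody log intact:", verify_log(demo() / "custody.jsonl"))
```

Re-hashing the working copy after a search and comparing it with the logged value shows whether the search changed anything; the chain protects every log entry except the most recent, so the latest hash should also be recorded somewhere outside the log.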
Digital forensics is a powerful tool for businesses and legal teams, not just to uncover theft, but also to exonerate wrongly accused employees, refute or support claims, and protect a company’s most vital data assets.
In our next post, we’ll dive back into a real-world investigation, looking at yet another way insiders take data that doesn’t belong to them: plain and simple theft.
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.