Computer Forensics: In Search Of Dead Data
Joseph F. Kovar
Ron Kramer, vice president and COO of Portland, Maine-based All Computer Solutions (ACS), is drawing on those varied skills to build a practice in computer forensics, a specialized niche of electronic discovery dedicated to bringing dead data back to life.
Certain computer forensics tools can look at all the data on a storage device bit by bit to recover deleted parts and make it available for search. They also can make a complete bit-by-bit image of the device and create a hash value based on its contents. That hash value is used to ensure the forensic copy of the data is not altered during litigation.
MORE ON E-DISCOVERY:
The real work of the computer forensic expert, however, is more than searching and retrieving. "It's about the tools, policies and procedures needed to show that we are compliant with what the courts require," Kramer said.
A former criminal investigator with the U.S. Treasury Department and a former police officer in San Francisco, Kramer brings the kind of investigative skills to his computer forensics cases few solution providers can claim. When working for a client, Kramer said he processes information as if he were a policeman.
"We take possession of the data, photograph it and document the process," he said.
Mark Filler, president of Filler and Associates, a Portland-based CPA firm, said he has called upon Kramer and ACS on a number of cases where his clients needed computer forensics help.
"Any time I come into a case where information on a hard drive has been deleted or monkeyed with, I call ACS," Filler said.
In cases involving business disputes or doctoring of accounting books, defense attorneys often do not realize computer forensics might be required, he said. "Often, they just need tax filings. But often, it's not enough. When I tell an attorney they need information that was maybe deleted or changed, he doesn't know."
Mike Cunniff, partner at McCloskey, Mina, Cunniff and Dilworth, LLC, a Portland law firm, works with ACS. "With Ron's experience as an investigator and federal agent, he can think like a gumshoe," he said. "Many people in his position have vast experience electronically or as an investigator, but few combine the two."
For example, Cunniff said, the government may be investigating fraud, based on a seizure of a computer in a client's office. Sometimes, the government's case may rely on a single document.
"We need to see if it's an original document, or a draft, or a copy," he said. "We may ask Ron to look at where it was stored. Was it on a server or in a folder labeled 'Draft?' "
In such cases, Kramer may actually validate the government's case, Cunniff said. "Then we move on with a different approach," he said. "As a defense counsel, we need to protect our client's rights. So we may move to a settlement."
Kramer said computer forensics is a fast-growth business, but not one typical solution providers should approach lightly.
"The transition for someone like myself with a strong investigation and IT background was a challenge for me," he said. "If you are well-organized, have some investigative background, and understand computer tools, you can consider moving into this space."