Keeping You a Step Ahead

5214 Maryland Way Suite 200 Brentwood, TN 37027


Available Anytime

Frequently Asked Questions


  • Computer Forensics
  • Information Security
  • Data Loss Prevention
  • Litigation Support
  • eDiscovery

What is Computer Forensics?

Should I or My IT Staff Attempt Our Own Investigation?

There are very distinct differences between a computer professional and a specialized Computer Forensic examiner. While both work with computers, the focus and training is drastically different. The ability to safely and thoroughly examine computers, or any other kind of digital information, for digital evidence is a highly specialized skill set that requires intensive training and meticulous procedures. If anyone other than a qualified Computer Examiner does as little as power on the computer or insert media into a computer, evidence could be destroyed and unusable in court.

NetEvidence, Inc. regularly conducts extensive computer forensic investigations, for clients ranging from small companies to fortune 100 corporations. in addition, we have worked with federal and state law enforcement, under the direction of a company's counsel, on a variety of matters.

Our certified computer forensic investigators use proprietary techniques to meet the stringent requirements of the courts in all of our findings. Our specialists have significant experience assisting companies in a wide range of investigations.

What Can a Computer Forensics Examination Provide?

  • Recovery of deleted computer files
  • Determination of websites that have been visited
  • Determination of what files have been downloaded
  • Determination of when files were last accessed
  • Determination of when files were deleted
  • Discovery of attempts to conceal or destroy evidence
  • Discovery of attempts to fabricate evidence
  • Discovery of hidden text that was removed from the final printed version of a document
  • Discovery of faxes sent or received on a computer
  • Discovery of email messages and attachments, even if previously deleted
  • Discovery of other types of communications strings (i.e., Instant Messaging)

How Can Computer Forensics Help?

NetEvidence experts know how computers and programs operate, and we can explain the forensic findings to each client in a professional manner at all knowledge levels. Because we understand the hardware and software, we know where to find potential evidence, and we are able to authenticate the findings in court. Most importantly, we understand how to create and maintain a chain of custody so the evidence is received without challenge of improper handling and procedure.

NetEvidence creates a comprehensive chronology of computer usage, determines whether computer evidence was altered, damaged or removed, and provides you with a timeline report stepping you through the entire investigation.

When Should I Seek a Computer Forensics Examination?

  • Employee internet abuse
  • Unauthorized disclosure of corporate information and data
  • Intellectual Property Theft
  • Wrongful Termination
  • Breach of Contract
  • Industrial espionage
  • Damage assessment (following an incident)
  • Financial Fraud
  • Sexual Harassment
  • Deception Cases
  • General Criminal Cases (many criminals store information on computers, intentionally or unwittingly)
  • Merger and Acquistion
  • Spoliation of Evidence

Can You Guarantee the Recovery of Deleted Files and eMail?

No. Several factors can affect the ability to recover deleted data from a computer or electronic device. After a file has been deleted it may be overwritten and become unrecoverable through the regular operation of the computer. Also, there are commercially available drive-wiping utilities that can render deleted files unrecoverable.

Additionally, activity or files may be known, but the targeted media may not be the system that created or caused the activity. Mobile phones, laptops, cloud based systems, desktops, and networks all have to be factored into the investigation where present.

Can Instant Messages be Uncovered?

In some cases, Instant Message communications can be uncovered.

What is Meta-Data?

Many computer forensic investigations revolve as much around the timing of the document creation, modification or deletion, as around the contents of the documents themselves. Meta-data is information about a file (such as last modification date and time) that is saved automatically by the computer operating system.

Additional Meta-data might be which company the software was registered to within the application, which printer last printed the document, which network drive was last targeted for saving the file, etc.

What do I Receive After a Computer Investigation?

Forensic Discoveries provide a detailed report that explains the processes used to acquire and secure the electronic evidence, the qualifications of the examiner, the scope of the examination, the findings of the examination, and the examiner's conclusions. The format of the findings section can vary depending on the goals of the investigation. The findings section may include file listings including: file date/time stamps, document printouts, email printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results. The examiner's conclusions may be the most critical component of the final report. These conclusions, based upon the examiner's expertise and experience in the field of computer forensic technology, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.

However, some reports may only provide specific results as directed by counsel. Often times, it is better to have less than more until you know how the case is going to proceed.

Is Information Security Only About Computers?

Protecting your digital data is important. But paper and the human voice remain important elements of the security mix. Keep confidential printed information in locked file cabinets and shred it when it's no longer required. If you're talking about confidential information on the phone, take appropriate steps to ensure you're not overheard. Remember the old saying "loose lips sink ships".

What is a Firewall and How do they work?

A firewall acts as a protective barrier between your computer and the Internet, monitoring all incoming and/or outgoing traffic and allowing only the network traffic you permit. Firewalls come in the form of software, which nestles itself between your operating system and your network card. They also come in the form of hardware; for many home and small office users, it is a simple router device that sits between your computer's network jack and the wall connection. You can customize the level of protection the firewall gives you, setting it to filter information flow from specific domain names, addresses, or types of network traffic.

Hackers search the Internet in a way akin to dialing random phone numbers. They send out pings (calls) to random computers and wait for responses. Firewalls prevent your computer from responding to these random calls. If your computer doesn't respond, hackers won't know it's there.

What is the Best Way to Store Confidential Information?

Removeable media such as USB drives are convenient ways to store data; the trouble is, they're just as convenient for thieves as for you. Wherever possible, store confidential information in protected encrypted space. If you have to store confidential information on removeable media, you must encrypt it and then delete it as soon as you no longer need it.

Should I Worry About eMail Scams?

Learn how to recognize the signs of a hidden attack and avoid becoming a phishing victim. Never click on a link in an email; if you're tempted, cut and paste the url into your browser. That way, there's a good chance your browser will block the page if it's bad. And don't open email attachments until you've verified their legitimacy with the sender.

How Can I Best Protect My Laptop?

Keep your operating system, critical applications (like your browser) and antivirus patched and up-to-date, and use a personal firewall. That way, you'll avoid becoming vulnerable to hackers and others looking to steal information. You should also run FireVault on Mac OS X or something similar on Windows to encrypt your entire hard drive in the event it is stolen or lost, your data will not be able to be accessed.

What Information Needs to be Protected?

All of it! Operate under a need-to-know data classification. Examples of information needing to be protected includes but is not limited to: Passwords or other login credentials, PINs (Personal Identification Numbers), Birth date combined with last four digits of Social Security Number and name, Credit card numbers with cardholder name, Tax ID with name, Driver's license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name, Social Security number and name, Health insurance information, Medical records related to an individual, Psychological counseling records related to an individual, Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account, Biometric information, Electronic or digitized signatures, Private key (digital certificate), Law enforcement personnel records, and Criminal background check results.

How Often Should I Chnage My Password?

It really isn't about the frequency of password values. It is about the strength of the password. Never make a password your dog's name, spouse's name, type of car you drive, or anything that is easily known about you for someone to guess. Make the password long and contain non-alpha characters in addition to the letters you use.

What is Encryption?

The process of transforming information (called plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those processing the special knowledge, usually referred to as the key.

What is Data Loss Prevention?

How will the DLP technology reduce risk?

Our DLP solutions reduce risk in many ways, here are three standards included in all solutions:

  1. Blocks unapproved confidential information sent to personal email accounts (i.e., Yahoo, Gmail, etc.).
  2. Encryption may be applied to email messages when confidential information is detected in an outgoing message and/or attachment.
  3. Intellectual property is quarantined when matched to one or more of our custom rules. The correct team members are contacted about reviewing the data prior to it leaving the company.

Is email the only system affected by your DLP solutions?

No. Email is the first phase of our DLP program. The DLP technology will include monitoring and preventing use of unauthorized USBs, and scanning desktops and file shares for confidential information. Communication will be distributed as new DLP features are implemented.

Will my manager be notified if an email message is blocked?

An email notification may be sent to your supervisor/manager and privacy officer depending on the circumstance. During the initial phase, the goal will be to obtain an understanding of business needs. Eventually, it is planned to send notifications to supervisors/managers as part of the tuned DLP program.

What is Litigation Support?

The essential goal of litigation support is to organize, analyze, and present case materials through computer systems. In federal criminal defense cases, there are three primary ways that litigation support is used by Federal Defender Office (FDO) staff and Criminal Justice Act (CJA) panel attorneys. One is in conducting electronic courtroom presentations. Another is management and analysis of paper documents and their electronic equivalents. The third is the identification, collection, preservation, processing, review, analysis and production of electronically stored information (ESI).

Litigation support is the marriage of project management and technology. We believe that while every district is different and every case is unique, there are certain standards to follow in order to ensure that the data involved in a case is handled in a cost effective and time efficient manner allowing for good organization, easy retrieval and effective client representation.

I have electronic data, now what?

You walk into your office and on your desk sit a few hard drives and a stack of DVDs and CDs. On your floor and down your hallway sit what seems to be an endless number of boxes filled with paper. You are told that there is more coming, yet you have no idea what you already have. Now what? This is an increasingly common dilemma being faced by trial teams and we hope that we can help you answer that question easily and efficiently. We want to be part of your team and, like the common language we must speak when it comes to ESI, there are some common questions that need to be answered in order for you to manage your data effectively, plan your strategy, budget thoughtfully, and develop a workflow for your team to follow so that you move ahead smoothly.

What is the primary purpose of ESI?

The primary purpose of the ESI protocol is to facilitate more predictable, cost-effective, and efficient management of electronic discovery and a reduction in the number of disputes relating to ESI. The protocol provides a mechanism, through a meet and confer process, to address problems a receiving party might have with an ESI production early in a case, and to discuss the form of the discovery that the party receives.

What is eDiscovery?

eDiscovery, or electronic discovery, is the process used by organizations to find, preserve, analyze, and package electronic content (often referred to as eletronically stored information or ESI) for a legal request or investigation.

What does "electronic discovery" and "data preservation" mean?

"Discovery" is the process by which relevant information is exchanged between parties in a lawsuit. It is conducted via production of documents and the taking of depositions. Federal and state courts have long recognized that electronic data is subject to the same discovery rules as other evidence relevant to a lawsuit. The issue has received substantial national attention recently, however, because of a series of court rulings resulting in the imposition of huge sanctions on parties for their failure to preserve electronic data and because of amendments to the Federal Rules of Civil Procedure that took effect on December 1, 2006. Upon notice that a lawsuit has been commenced against you (or a charge filed with an administrative agency), or if it is reasonably anticipated that a lawsuit may be brought (or a charge filed), you are now under a legal duty to preserve all evidence, whether hard copy or electronic, that might become relevant to the lawsuit.

What data needs to be preserved?

The new federal rules require a party to suspend routine or intentional purging, overwriting, re-using, deleting, or any other destruction of electronic information relevant to a lawsuit, including electronic information wherever it is stored - at a work station, on a laptop, or at an employee's home. It includes all forms of electronic communications - e.g., e-mail, word processing, calendars, voice messages, instant messages, spreadsheets, videos, photographs, information in PDA's, and data in any other locations where electronic information may be stored. This electronic information must be preserved so that it can be retrieved - if necessary - at a later time. The information must be preserved in its original electronic form, so that all information contained within it, whether visible or not, is also available for inspection - i.e., it is not sufficient to make a hard copy of electronic communication.

What will I have to do?

You will be notified of the duty to preserve electronically stored information through a notice called a "litigation hold" (or a "preservation hold"). You will then be asked to cooperate with NetEvidence, and your local IT personnel to ensure that we identify and preserve all potential sources of electronically stored information in your possession or under your control. You will be asked to complete and return a questionnaire identifying all potential sources of electronically stored information. It is critical that you complete and return this questionnaire without delay. Until NetEvidence personnel have taken steps to preserve your electronically stored information, you should be particularly careful not to delete, destroy, purge, overwrite, or otherwise modify existing electronic data.

Who will be looking at my data?

Initially, no one will review your data. If and when a discovery request is made, NetEvidence may be asked to conduct a search of the data. You or your counsel will be present if and when your data is ever accessed. On occasion, before a discovery request is made, your counsel may want to review electronically stored information to assist in answering the lawsuit or to comply with initial discovery obligations.

Ask Your Questions Now