Investigation FAQs

1. How do you go about investigating the evidence on a computer?
In accordance with current best practices and in order to maintain the integrity of the electronic evidence, a forensic image is made of the hard drive of the computer containing the evidence. Specialized hardware, software, and personnel verify and document that the image is a complete and correct copy of the original and that best practices in computer forensic procedures have been used to protect your option to use the evidence in court. The forensic analysis then proceeds against the image using search words supplied by the client. We communicate with the client each step of the way and produce a report for your legal counsel marked “Attorney Work Product.”

2. What kinds of information can you find in a computer investigation?
Deleted material, emails, chat room activity, faxes, letters, printed documents, calendar records, addresses, phone numbers, financial records, activity timestamps, internet activity, threats, plans, hacking tools, evidence of side-business operation or competitor activities, and evidence of spoliation, among other information. Some evidence is only available electronically, not from a printed piece of evidence. Consider that one email can document: who actually sent and received it, exactly what time and date each exchange occurred, who was copied, blind copied, responded, where each one filed the email, and exactly when each email was deleted, sometimes documenting spoliation.

3. Do we need to bring the computer to you and leave it?
No, eVestigations Inc. can come to you and take the image at your site. Many clients prefer us to arrive after hours or on weekends to protect the confidentiality of the investigation. The suspect remains unaware of the situation and may continue to use his/her computer.

4. If we go to court, do you have an expert witness?
Yes, eVestigations Inc. president Paul Herrmann is experienced as a retained expert witness.
His credentials, experience, and familiarity with your case will position him well as your expert witness (see Our Team – Paul Herrmann).

5. What kind of information can you get from PDAs, cell phones, and other technology besides computers?
PDAs provide a wealth of information besides calendar records and address book data. They may connect to the company network and create documents, email, or spreadsheets, essentially providing information that can be retrieved from any other computer. Cell phones can provide a record of contact (numbers dialed or received, text messages), contact information, and the location of the cell phone as recorded by satellite throughout the day. An automobile GPS (Global Positioning System) can also track the whereabouts of a suspect’s auto via satellite.

6. Why can’t my IT Department pull out evidence to prove what my employee is doing?
Just as average citizens are untrained to handle evidence they see at a murder crime scene, so most IT Departments are untrained in retrieving evidence in a manner that will be admissible in court. An IT employee who turns on the computer in question to “look around” is changing and contaminating the electronic evidence, jeopardizing the result of any future legal action which may be prudent. Even if employees utilize current best practices while handling evidence, confidentiality and impartiality issues may arise during the investigation. Consider the five issues discussed below.

As specialists in electronic evidence handling, we are board-certified EnCE (EnCase) examiners with years of experience in computer forensics. We are also licensed private investigators, which legally obligates us to maintain your confidentiality.

| Confidentiality | It is very difficult to keep internal investigations confidential using internal investigators. Breaches of confidentiality can damage reputations and compromise cases. Often state laws protect employee-assigned investigators with “whistle blower” statutes should they decide to break the confidentiality. Most states require licensed external investigators to maintain the confidentiality of the client by which they are engaged. |
| Impartiality | At times internal investigators find themselves investigating colleagues, superiors or subordinates. This may not have been known at the start of the investigation. These situations may lead to dismissal of claims, civil actions and situation escalation. |
| Sanction | Failure to utilize “best available” procedures and techniques in dealing with evidence can lead to court sanctions and spoliation claims. The Sarbanes-Oxley Act sanctions negligence in the preservation of evidence. |
| Criminal Action | Inexperienced or untrained investigators may inadvertently violate the law governing investigations and/or surveillance. |
| Civil Action | Many laws and acts governing investigations and surveillance, such as ECPA, provide for recovery of civil damages by those victimized by failure to comply. |

7. We don’t want anyone at the office to know about the problem. Can we meet somewhere private to talk? How can we keep this quiet?
eVestigations Inc. maintains a secure modern conference room at the Frazer, PA, location which has served clients well for confidential meetings. Confidentiality is a top priority for us, and we are legally obligated to you as licensed private investigators. We work through your attorney to maintain attorney work product so that only the information you want to reveal is discoverable by opposing counsel. We can investigate after hours at your business and prevent employees from becoming aware of the problem.

8. Our company is concerned about an employee who was recently terminated. How can we protect ourselves against a frivolous lawsuit down the road?
Routine imaging of the computers of exiting employees may protect your evidence should an employee threaten to sue at a later date. If his/her computer is recycled to another employee without first imaging the hard drive, data may be destroyed by the time the company needs it. By retaining an image of the employee’s electronic evidence, the company can choose when and if the hard drive should be analyzed at a later date.