Expert Witness Corner: The Importance of Computer Forensics in Criminal Law

In many instances old, or conventional crime is perpetrated using new approaches that are reliant on technology. Postal fraud, for instance, has evolved to employ electronic communication channels, giving rise to waves of emails seeking to defraud recipients with promises of money and fictitious prizes (commonly known as ‘419 scams’ as many of such notes tend to originate from the African continent and 419 is their penal code for wire fraud).

Studies into the cost of cyber-crime, commissioned independently by the Department of Trade and Industry (DTI) reveal alarming trends in the abuse and misuse of technology. The average cost per security incident has risen to over £160,000 and nearly one in four businesses in the UK have suffered a serious hacker attack or virus outbreak. The impact of an information security breach can be so devastating to business operations that one in ten never actually recover and the shutters close permanently. To counter this growing threat, security and law enforcement agencies have adopted fresh approaches for dealing with high technology crime.

Forensic Computing is a relatively young science when compared to contact forensics such as fingerprint recognition which have roots that can be traced back to Edmond Locard, who in the early 1900s famously postulated the theory of evidence being left as ‘mutual exchanges of contact’. Whilst various descriptions exist in relation to this practice, the international survey undertaken by Hannen has been taken as the de-facto definition: ‘Processes or procedures involving monitoring, collection, analysis… as part of ‘a priori’ or ‘postmortem’ investigations of computer misuse’. It is important to appreciate that this definition takes a wider view than the conventional reactive description, where forensics was regarded purely as an incident response function. Hannen considers digital forensics as also taking a pro-active role in security, where it can be combined with intelligence and operational planning.

As a serious field of research, forensic computing studies only started to take real form in the early 1990s when, faced with ever increasing numbers of computers being seized at crime scenes and the potential for crucial evidence to be stored on a PC, various government agencies came together to host the International Conference on Computer Evidence (ICCE). Here many of the challenges facing law enforcement communities were aired and agreements forged to cooperate towards finding effective solutions.

Two years later, in 1995, the International Organisation for Computer Evidence (IOCE) was formed, and a further two years later the member states that comprise the G8 subscribed to the mission of IOCE, pledging support for the organisation. This was the catalyst required to stimulate research and development, and since then great advances have been made in all spheres of digital evidence management. When working on a matter where the case will rise or fall on the strength of digital evidence, for example where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. This places the evidence into the wider context of the offence and enables barristers to make directions to the court based on a fuller appreciation of matter.

Assuming material has been seized by the authorities, the state will usually conduct their own forensic assessments (typically undertaken by the regional police hi-tech crime unit), the results of which will be provided to legal representations. The mechanics of this process involve the ‘imaging’ of the ‘target media’ – the process of making a forensically sound duplication of digital materials of interest (e.g. the computer hard drive). During this duplication process a ‘write-blocking’ device will be employed to ensure the target media is not affected or corrupted in any capacity whilst its content is read and mirrored. The actual forensic analysis is then made upon the duplicated material, with the original placed into secure storage and maintained in the state in which it was seized. The forensic analyst will then peruse the imaged copy to identify materials of potential evidence value, extracting copies as necessary to form the basis of the expert report.

Looking at this from a defence perspective, a number of questions should be posed in relation to the digital evidence (based on the Daubert threshold test that evaluates the competency of evidence in the United States):

• whether the theories and techniques employed by the scientific expert have been tested;

• whether they have been subjected to peer review and publication; • whether the techniques employed by the expert have a known error rate;

• whether they are subject to standards governing their application; and

• whether the theories and techniques employed by the expert enjoy widespread acceptance.

Putting abuses of technology on a statutory footing, Britain has a suite of legislation that can be invoked, from the Computer Misuse Act 1990 to the Regulation of Investigatory Powers Act 2000.

Today digital forensics is an accepted science, and evidence duly secured in relation to best practices (in the UK these guidelines are outlined by the Association of Chief Police Officers) can be served in a court of law. Digital forensics are providing breakthroughs in all manner of high profile cases around the world, helping security and law enforcement agencies to catch offenders and secure convictions.

In the US, for example, the notorious BTK serial killer that had a reign of terror lasting over twenty five years in the Wichita areas, was ultimately tracked down after he sent a disk to a local radio station gloating at the police’s inability to catch him. Unique digital footprints embedded within the files were extracted by forensic specialists, and like a lone fingerprint, investigators now had a powerful lead – all they needed was to match the file to the computer that had created it (much like having a fingerprint but not a suspect’s hand to match it with). Wichita Police then conducted a house to house search, taking file samples from every computer encountered. Back in the laboratory, the file footprints were compared to the sample disk posted by the BTK killer, eventually finding a match. This tied the floppy disk to Dennis Radar’s PC, a virtual smoking gun as far the prosecution were concerned. This digital evidence became a pivotal element of the State’s case and ultimately helped secure a conviction.

In the UK the 2002 murders of Holly Wells and Jessica Chapman in Soham, Cambridgeshire, also saw digital forensics play a crucial, but largely unknown, role in the investigation. Technical analysts examined one of the girl’s mobile phone to identify where it was located when it had been turned off. Information on the nearest network communication tower tends to be stored in a phone’s memory and when the signal coverage of that tower is plotted, it is possible to identify the rough area (typically a few square kilometres) in which the phone was located when it was switched off. Having extracted this information from the handset, authorities had a rough idea of where to base their search; which ultimately led to the recovery of the two girl’s bodies.

Speaking in an interview several years after his pioneering research on the Manhattan Project where atomic reaction theory was developed, scientific visionary Oppenheimer explained that ‘the scientist is free to ask any question, to doubt any assertion, to seek for any evidence’. This thinking holds especially true when applied to the discipline of forensic computing in a legal context. Here experts may be instructed by either the prosecution or the defence, however, in either instance, they have a higher duty to the court. They are instructed as experts, but experts for the truth. It is important therefore to ensure that the experts instructed are duly qualified, experienced and independent.

Commenting on the nature of digital evidence, John Brown, Partner at Hogan Brown Solicitors, explained how the fragile nature of digital evidence can pose serious challenges to the investigator: ‘digital material is extremely volatile – perhaps more delicate than its physical counterparts. It can be copied, amended, and transferred without almost any trace – only experienced and qualified specialists should be employed to work in a digital forensic environment if the subsequent findings are to withstand the scrutiny of a court of law’. When working on a matter where the case will rise or fall on the strength of the digital evidence, perhaps where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. It is also important that lawyers, when they try to find an expert witness choose someone with the necessary skills who is not only able to prepare an objective, unbiased report but also deliver oral testimony if required.

Forensic computing and the securing of digital evidence is a powerful tool in today’s fight against increasingly technically-savvy criminals. It is a discipline that continues to evolve and should remain high on the radar for both legal practitioners and law enforcement authorities.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can view the company profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

Find More Expert Witness Articles

Computer Forensics, Mobile Phone Forensics, Expert Witness and Data Recovery throughout the UK

HD Forensics is a computer and mobile phone forensic specialist and security consultancy company, based in the North East of England. We offer an impartial, independent and specialised professional digital forensic investigation service to both defence and prosecution clients. We provide an expert witness service for court if required. Our experts are trained and certified by Bond Solon and Cardiff University. For more details log on to www.hdforensics.co.uk .
Video Rating: 0 / 5

McCann E-Investigations Houston Computer Forensics Announces New Rates for Data Storage


Houston, TX (PRWEB) May 13, 2012

McCann E-Investigations (McCann EI), a Texas-based computer forensics firm announced that it will offer new storage rates for all data collected in computer forensics investigations. Many of McCann EIs clients have on-going cases which require storage of imaged data for future use. McCann will offer secure storage of client data at McCann EIs state-of-the-art computer forensics lab for as low as $ 0.75 per gigabyte per month.

Our technicians always work from copies made of the original data and the original drives are securely stored, said Dan Weiss, Partner and Licensed Private Investigator at McCann E-Investigations. Once the project is completed, we will now offer to store the copies of the data for future use, continued Weiss.

McCann EI will retain the data for forty five (45) days following the final report related to such data. After the 45 days, the client can agree to storage of all of the data at $ 0.75 per gigabyte per month. McCann EI will also provide secure destruction of all data related to the case upon the clients request. All hard drives will be permanently wiped and any case files will be securely disposed. It should be noted that the destruction of data and related case files is permanent, irreversible and irreparable. Should the case be re-opened, the data acquisition process would have to begin again at the normal rates.

After the 45 day retention period and absent other written agreement between McCann EI and the client, any data/equipment/media unclaimed or otherwise abandoned for a period in excess of thirty (30) days will be disposed of at McCann EIs discretion. McCann EI will not be responsible for data/equipment/media left in its possession beyond such thirty (30) day period.

About McCann EI:

http://www.einvestigations.com

Twitter: @McCannEI or https://twitter.com/#!/McCannEI

Facebook: https://www.facebook.com/pages/McCann-Investigations/203760582969139

Call us toll-free at 800-713-7670

McCann Investigators follow the trail and decipher the information regardless of whether the evidence is digital, such as electronically stored information found on computers, mobile phones or other devices or if the investigation requires traditional private investigative services. McCanns PI tools and techniques include surveillance, undercover work and detailed record searches. The final product helps our clients gain a deeper understanding of what has happened or what is occurring. The gained clarity and discovery of truth allows our clients to quickly respond and recover.

McCann EI is based out of our state-of-the-art forensic labs in Houston, which provide the latest in computer forensic and IT security technology. Our e-investigators combine digital skills with traditional private investigative techniques to provide you with an one-stop solution for your investigative needs. Our lab houses our computer forensics and electronic discovery service along with our databases, surveillance technology, and undercover investigators. Our investigators are experienced in providing expert witness testimony, including computer forensic testimony, in courts across Texas. Although we are headquartered in Houston, our investigators live in and work in cities all across Texas.

Call us toll-free at 800-713-7670 or speak to a local investigator:

Austin Computer Forensics: 512-377-6142

Houston Computer Forensics: 832-628-4904

Dallas Computer Forensics: 214-329-9059

Lubbock Computer Forensics: 806-589-0320

Lufkin Computer Forensics: 936-585-4070

Brownsville Computer Forensics: 956-465-0849







More Expert Witness Press Releases

Expert Witness Corner: Computer Counter-Forensics

Digital Evidence Triad:

The fragile nature of digital evidence, coupled with the complexity and skill required to conduct an assessment that will bear the scrutiny of a court of law, makes it important to independently validate and verify the findings of the forensic assessor.

Case preparations involving scientific evidence must consider three core areas in detail, exploring each facet of evidence to assess whether Best Practice and prevailing regulations have been adhered to. This also ensures a full appreciation of the available digital evidence, which can be placed into the context of the allegations and accompanying physical evidence. These three spheres are:

1: Search & Seizure: The means by which the target media (e.g. hard disks and CD’s found on the suspect or at a specific location) were acquired by law enforcement agents and their subsequent preservation through the ‘chain of custody’.

2: Preservation of Evidence Containment and protection of evidence exhibits so as to ensure fragile and volatile digital evidence is neither corrupted nor tainted.

3: Forensic Assessment & Analysis Evaluation of media and raw materials to furnish law enforcement agents with forensically sound evidence that can be presented in a court of law.

Efforts geared towards thwarting or impacting on the forensic computing process are levelled at one or more of these spheres.

Physical Safeguards:

In the context of countering digital forensic practices, physical security is based on the principle that if a computer system cannot be found, then it cannot be seized by the authorities for examination.

Locked cabinets and steel laptop cables will frustrate efforts to remove devices from the suspect’s premises; however, they will be defeated given adequate time and resources.

More advanced approaches towards protecting computing devices include concealing key computer drives or media under the floorboards, in the loft space or in out-house facilities such as a garage. This can afford a degree of security and ensure that devices remain hidden from investigators. Communication with the device can be achieved without telltale cabling, relying instead upon encrypted wireless signals.

Anti-tamper devices, such as specialist alarm units that reside within computer casing, can be used to upset and hinder the search and seizure process. More complex approaches towards asset protection can include integrated ‘anti-seizure’ devices that are attached to the computer drive. These are designed to corrupt the computer drive data should any attempt be made to remove the disk or access the system without the use of a special hardware token and password.

File & Application Security:

Investigators will naturally gravitate towards files and folders that appear to have titles of relevance to the case in hand. Perhaps the simplest approach to concealing files or folders is to rename them to something innocuous and unlikely to arouse suspicion.

A more considered approach to hiding information involves the moving of user data, such as textual reports or financial spreadsheets, into archives which normally contain only files required by the computer for operation (e.g. the system32 or config folders).

Both of these approaches help conceal information from the curious or casual browser, but the material will undoubtedly be uncovered during the course of a comprehensive forensic evaluation of the computer drive.

A different approach involves changing the way in which the computer operating system interprets files. Microsoft WindowsTM, the most prevalent desktop computing environment, identifies files and the program that should be used when they are being opened by the extension associated with the filename. Extensions take the form of a full stop and three letters appended to a filename – for instance the popular.doc extension that indicates a Microsoft WordTM document.

A somewhat crude but nonetheless effective approach to obscuring information is to change the associated file extensions. This could make a Word document (.doc extension) to appear as a bitmap graphic (.bmp extension). If a user attempts to open the file, the default program associated with the file-type, Microsoft PaintTM in this instance, will be invoked. Since the file data is actually in Microsoft Word format, Microsoft Paint will not be able to render the information and will return an error.

Such efforts are likely to help sensitive materials pass under the nose of casual observersand those intent on identifying files of a particular type, such as graphical images which feature the extensions including.bmp or.jpeg.

A more conventional approach towards protection of information is to employ passwords. Starting with Microsoft Office 95, it became possible to password protect office productivity files to prevent unauthorised access. Well equipped forensic laboratories have specialist equipment to allow dictionary and brute-force attacks (trying all possible character combinations) against password protected files and programs, so unless a particularly complex pass-phrase is used the security is likely to be broken fairly quickly.

Most users employ passwords based on words found in the English dictionary or words that have meaning to them, such as the name of their wife or pet. These passwords are not complex enough to thwart concerted efforts to break the security. Passwords based upon non-English words, greater than eight characters in length and using both numbers and non-alphanumeric characters (e.g. exclamation or punctuation marks) provide a level of complexity that is extremely difficult to break.

However, password protection can have serious shortcomings that can be exploited by forensic investigators. Protection of this type usually places a barrier up at the beginning of the file, which means if this safeguard can be by-passed, the actual data contained within can be extracted. A classic example is a forensic examiner using a plain text editor, such as Notepad, to open a password protected document. All controls, safeguards and features that may be in place through Microsoft Word are thus circumvented.

Taking file and application level protection to the next level is the practice of cryptography – the science of securing information through the use of reversible transformations. The word “cryptography” has its roots in the greek terms “cryptos”, meaning secret, and “graphy”, meaning writing. Simple ciphers, known as mono-alphabetic or Caesar systems, involve the substitution of letters. The development of digital computing revolutionized cryptography and made today’s highly complex and secure cryptographic systems possible.

With the introduction of Microsoft Windows XPTM an enhanced security feature known as Encrypting File System (EFS) has become readily available to desktop computer users. EFS is a cryptographic support system that enables files, folders and even sections of the hard disk file system to be encrypted using a variant of the Data Encryption Standard (DES) algorithm.

Attacking cryptographic materials is known as cryptanalysis and requires highly experienced consultants for any reasonable chance of success. Attacks can be levelled against the protocol (i.e. the mechanics of the encryption system employed), the protected file/data, or the interface and environment (i.e. the manner in which the user has interacted with the cryptosystem and/or computer system to create the secured material).

A more complex approach to concealing information involves placing it within or around another open and public source, a practice known as stegonography. Classic examples of stego’ include invisible inks or the use of grilles to cover a written message and reveal only selected words or phrases. In a digital context, stegonography involves embedding the code that constitutes one file, for instance a graphical image, into the code structure of a secondary file.

The use of stegonography can be difficult to detect even with the benefit of specialist forensic tools and when employed correctly can allow suspect material to evade even the most astute investigator. When combined with cryptography, stegonography can be an especially powerful means of safeguarding both the presence and content of information.

Another approach to concealing information is to embed data in special sections of the file system structure. Alternative Data Streams (ADS) was a design feature introduced into the Microsoft WindowsTM operating system with the NTFSTM file system as a means to provide compatibility with the Macintosh Hierarchical File SystemTM (HFS).

The way the Macintosh’s file system works is it uses both data and resource forks to store its contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details. There has been a marked increase in the use of these streams by malicious hackers wanting to store their files once they have compromised a computer. Not only that, it has also been seen that viruses and other types of malware are being placed there as well. The crux of the matter is that these streams will not be revealed using normal viewing methods, whether via a command prompt or using the Windows Explorer.

Whilst data embedded within ADS will remain invisible during all normal operations, forensic examiners can identify such material using complex data analysis tools. When information is encrypted, embedded within other file code (stegonography), and finally hidden in an ADS, it is likely that the material will be safe from even the most astute investigators.

Internet Privacy:

The Internet is an essential tool for business and leisure but is also a compelling resource for those commissioning or researching criminal activities.

Reading email or browsing the World Wide Web (WWW) leaves traces on the host computer that can be recovered by forensic investigators to give an indication as to website visited, terms used on search engines and conversations held in online chat-rooms.

Whilst popular browser applications such as Internet Explorer and Mozilla feature routines to remove personally identifiable information, a more considered approach to eliminating any local traces of online activity would involve the use of a specialist application such as ‘Evidence Eliminator’.

To add a layer of security between the computer and Internet, and thus protect against any potential eavesdropping on the telephone/broadband network, an approach known as Onion Routing may be employed. Developed by American researchers Onion Routing employs a complex series of relays, routers and encryption protocols to ensure anonymity and confidentiality of traffic.

Whilst investigators without the capacity or capability to undertake complex cryptographic evaluations may be at a loss to identify the content of such protected internet content, it may be possible to glean useful information through the use of ‘traffic analysis’. Here the intention is to identify patterns and norms. For instance, it may not be possible to determine what website an individual is accessing, but through cataloguing the traffic it can be possible to say, with certainty, when a user was online. Should this be backed up with physical surveillance that can attest the individual was alone at the premises under observation at a particular point in time, then should further evidence come to light at a later point (perhaps as a result of performing a forensic analysis of the suspect’s computer, following a search/seizure order), it can neatly tie the suspect to the computer keyboard.

Exploiting Forensic Methodology:

Whilst the approaches previously discussed have focused on obscuring or concealing either the physical computer devices or the digital evidence contained therein, the following techniques are geared towards thwarting the forensic process of examination of digital media.

Operations upon files and folders are recorded in timestamps, which provide details as to when the file/folder was created, when it was last accessed, and when the file/folder was last modified. Timestamp data is recorded automatically by the operating system and provides crucial evidence as to actions and times/dates when they occurred. However, appreciating how valuable timestamp data can be to investigators, tools have been created by various Hacking groups to allow manual or automatic modification of timestamps. This technique is known as “fuzzing” and can make attribution of the file – or who was at the keyboard at a specific point in time – near impossible. Furthermore, fuzzing taints the evidence so that the integrity of the timestamps is damaged to a degree that would make them inadmissible in a court of law.

ACPO Guidelines for the seizure of computer devices, suggest immediate disconnection of the power unit, so as to preserve information on the system computer drive(s). This is regarded as Standard Operating Procedure (SOP) by investigators around the world, but it does have one very serious shortcoming. By disconnecting the power, any information stored within the volatile memory (e.g. RAM) will automatically be lost and cannot be retrieved. Hacking tools have evolved to take advantage of this investigative procedure; having scripts and applications that run exclusively in memory so that no traces will survive on the disk should the computer be seized by the authorities. It is considered to be only a matter of time before this counter- forensics technique becomes even more widely adopted by those intent on using computers for the commission or support of criminal enterprise.

Legal Context:

Whilst not a security technique or forensic safeguard, some criminals have shown remarkable forward planning as a precaution if they one day have to stand trial for an offence.

In legal circles there have been a number of high profile cases involving computer abuse/misuse, where the line of defence has been that the computing device had been under the control of an unknown third party. In many cases the assertion is the computer has been broken into by a Hacker, who used the device as a platform for perpetrating their crime. This has become known as the ‘Trojan defence’ and was applied successfully in the case of R v Aaron Caffrey, who was charged with breaking into computer systems owned by the American port authority in Houston.It has been known for criminals to purposefully infect their computers with viruses and malicious code, laying the foundations for just such a defence should the need ever arise.

The technical arguments as to whether computer code, which is what essentially all digital media is, can constitute obscene media have long been agreed in the rulings of R v Fellows and R v Arnold. In matters involving obscene images and media, the recent ruling in R v. Porterhas put flesh on the bones of the argument as to what constitutes ‘possession’ in a technical sense. In this case the presiding Judge gave directions as to whether the jury could consider that deleted images, recoverable only using advanced forensic means, could still be considered in the possession of the owner.

Recently the Home Office announced plans to begin enforcing provisions outlined in Part 3 of the Regulation of Investigatory Powers Act (RIPA). The wording of this act would make it an offence for an individual or entity to refuse or be unable to disclose passwords or encryption keys specifically requested by the authorities in relation to an investigation. One argument against these provisions is that it reverses the burden of proof and makes a party guilty of an offence should they be in a legitimate position to be unable to comply with a disclosure order.

One of the main criticisms of the act, however, is whether or not it will have the desired effect in enabling criminals abusing or leveraging technology to suitably punished. The oft-quoted example is that of an individual arrested on suspicion of possessing obscene images and media. Should the computer drive be strongly encrypted, the authorities may attempt to coerce the decryptions keys via RIPA. However, it would clearly not be in the individual’s best interests to comply, as this would reveal the extent of their cache and almost certainly result in a punishment that would far outweigh that which would be on the table as punishment for non-compliance with the RIPA provisions.

Security vs. Accessibility:

When considering security controls and countermeasures a careful balance must always be achieved, as to how to maintain reasonable accessibility to the data whilst ensuring confidentiality.

A collection of obscene images could, for instance, be grouped into one archive that is strongly encrypted and the resulting code embedded into the file structure of an innocuous file that is in turn buried deep within the computer’s file system. This computer drive may then be concealed within the loft crawl space and communications with the device achieved using encrypted wireless protocols. Clearly this would afford a good degree of secrecy to the material, but does make it increasingly difficult to access or retrieve for any practical purposes.

The accessibility angle is used to the advantage of investigators, who will routinely scan suspect premises for wireless communication signals or follow computer data or power cables to identify any hidden devices.

Summary:

Criminals and those engaging in offences involving the use or support of information technology continue to use various means to thwart the efforts of investigators to secure digital evidence. Whilst countermeasures range from the crude yet novel (e.g. burying devices under the floorboards) to the highly sophisticated (e.g. encrypting information and concealing the code within redundant areas of the computer file system) – it is clear that defensive practices of this nature are becoming increasingly prevalent. Equally, these efforts are becoming worryingly effective in hindering the efforts of law enforcement and have contributed significantly in the police either training their own specialist investigators or trying to find an expert witness with the requisite skills.

History has taught us that attacks against systems – whether physical or digital in nature – only increase in efficiency and effectiveness over time. It is therefore essential that lawyers involved in these type of cases find an expert witness with the requisite skill set that can deal with the complex technical issues that often arise.

This article is not a ‘how-to’ guide and certain details from both the defensive and offensive perspectives have been intentionally omitted. The techniques described in this article are documented in a variety of public resources and in many instances employed quite regularly by criminals abusing or misusing technology.

It is considered more harmful to the forensic industry to operate under a veil of security and operate with a false sense that the practices employed are above reproach.

It is hoped that by highlighted this disturbing trend some of the challenges and limitations of current forensic computing practice can be appreciated. Furthermore, this can stimulate informed discussions that will lay the foundations for research into fresh approaches for countering counter- forensic practices.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can view the company profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

expert witness accreditation

Related Expert Witness Articles

McCann E-Investigations Austin Announces Launch of New Website Focused on Austin Computer Forensics


Austin, TX (PRWEB) June 03, 2012

McCann E-Investigations (McCann EI), a Texas-based computer forensics firm announced that it has launched a new website solely focused on Austin Computer Forensics. The new website will allow Austin customers to have access to information and overviews of Austin computer and digital forensics information with links to even more information at McCann EIs main site.

McCann EIs Austin computer forensics division provides digital services to law firms, private businesses as well as to individuals in various case types such as family law, bankruptcy, fraud and embezzlement. In addition to Austin computer forensics service, McCann EI Austin also provides digital forensics services and network breach remediation.

Austin, Texas is a vast market for computer forensics cases. said Gary Huestis, Director of Forensics Services at McCann E-Investigations. We provide multiple services to our Austin computer forensics clients including cases such as contentious divorces, intellectual property theft and non-compete enforcement. continued Huestis.

Gary Huestis is the Director of Forensic Services for McCann EIs Austin digital forensics. Mr. Huestis is an EnCase certified examiner and a licensed private investigator.

About McCann EI:

http://www.einvestigations.com

Twitter: @McCannEI or https://twitter.com/#!/McCannEI

Facebook: https://www.facebook.com/pages/McCann-Investigations/203760582969139

Call us toll-free at 800-713-7670

McCann Investigators follow the trail and decipher the information regardless of whether the evidence is digital, such as electronically stored information found on computers, mobile phones or other devices or if the investigation requires traditional private investigative services. McCanns PI tools and techniques include surveillance, undercover work and detailed record searches. The final product helps our clients gain a deeper understanding of what has happened or what is occurring. The gained clarity and discovery of truth allows our clients to quickly respond and recover.

McCann EI is based out of our state-of-the-art forensic labs in Houston, which provide the latest in computer forensic and IT security technology. Our e-investigators combine digital skills with traditional private investigative techniques to provide you with an one-stop solution for your investigative needs. Our lab houses our computer forensics and electronic discovery service along with our databases, surveillance technology, and undercover investigators. Our investigators are experienced in providing expert witness testimony, including computer forensic testimony, in courts across Texas. Although we are headquartered in Austin, our investigators live in and work in cities all across Texas.

Call us toll-free at 800-713-7670 or speak to a local investigator:

Austin Computer Forensics: 512-377-6142

Houston Computer Forensics: 832-628-4904

Dallas Computer Forensics: 214-329-9059

Lubbock Computer Forensics: 806-589-0320

Lufkin Computer Forensics: 936-585-4070

Brownsville Computer Forensics: 956-465-0849







Related Expert Witness Press Releases