
Computer Evidence

Michael J L Turner MA FBCS CITP MAE FEWI


A forensic computer data examination is an investigation that:

  • complies with established computer forensic principles
  • uses appropriate computer forensic techniques
  • identifies data relevant to a case and
  • produces exhibits for the court

 

Data Examination - sources of evidence and evidential artifacts

Michael Turner has experience of the following Data Examination sources of evidence and evidential artifacts:

Computing platforms

Mainframes, minis, LANs, WANs, POS networks, PCs, Mail servers, Database servers, Internet

Databases

Database (MS Access, SQLServer) tables, change history and database applications

Application databases (Thumbs, AOL PFC, Windows Media Player, P2P File-sharing - Kazaa and IMesh, iTunes, Whois?)

Date and time stamps

File system date-stamps (File Created, Last Modified, Last Accessed), Software application (MS Word, MS Excel) metadata, System clock settings, Timezones and Daylight saving (BST) settings

Deleted files

Recovery of deleted files, Recycle Bin, Norton Recycler

Documents

Document version history, revision history, print history, authenticity, authorship (MS Word, MS Excel, Lotus)

Domain Names

Domain name registration records, domain name transfer records

E-mail

Client-based E-mail and E-mail archives (Outlook, Outlook Express), Web-based E-mail and E-mail archives (AOL, Hotmail)

Encryption

TrueCrypt encryption and decryption

Evidence Elimination

Anti-forensics secure deletion (Evidence Eliminator, Eraser, Sure Delete)

Forensic image copy formats

EnCase, dd, FTK, SMART, ditu, DIBS, Vogon

Hard disk drives

History of formatting, defragmentation, wiping of hard disk drives

Hardware configuration

History of changes to hardware configuration

Link files

History of access to files on hard disks and removable storage media

Log files

Activity logs, Audit trails, Event logs, Internet Access logs

Media

Hard disk drives, CDs, DVDs, USB memory sticks, removable media, obsolete media formats

Messaging

Chat logs (ICQ, IRC, MSN, NetMeeting, Skype, Yahoo Messenger)

Operating system

History of Windows installation, re-installation, upgrades

Passwords

Logon and Account Password setting, changes, resetting; password recovery, cracking

Program source code

Program source code in C, C++, Visual Basic, Java, HTML, XML, MS Access, Basic, COBOL, DIBOL, command scripts

Registry settings

System settings (Configuration, Last Use, Last User, Last Shutdown) and User settings (IE Search terms, Typed URLs and Auto Logon IDs)

Software version

Software version change control history

Telephone call records

Communications traffic data - telephone service provider call records (SPOC)

User Identity

User ID, Account ID, Logon ID, MAC, SID, GUID, Passwords, Shared Logons, Unattended Logons

Web archives

Web archive searches, Presence or absence of web-pages, web-page versions, State of the Art, Age of Models - USC 2256 or 2257

Web browsing

Web browser (Internet Explorer - IE, Netscape, Mozilla) cache, Browser history files (active and deleted)

Bookmarks, Favorites, Cookies, Google searches

Applications

Michael Turner has thirty-five years' experience of software applications in a range of sectors, including:

Accountants               Fabrics                           PC maintenance
Agricultural equipment    Film industry                     Police
Civil Aviation            Financial Services                Post Office Horizon
Armed Forces              Golf clubs                        Printing
Banking (Internet)        Government                        Property
Banking (Investment)      Home PC use                       Publishing
Banking (Online)          Hotel                             Queue management
Brewing                   Insurance                         Recruitment
Business information      Internet                          Retail
Chemicals                 Local Government                  Schools
Computer manufacturer     Medical Repatriation              Software development
Computer systems supply   Motor racing                      Software publishing
Construction              Motor trade                       Solicitors
Derivatives trading       Number plate recognition (ANPR)   Telecommunications
Estimating                Parcel courier                    Travel

 

 


The Academy of Experts: Michael J L Turner

Expert Witness Institute: Michael J L Turner

UK Register of Expert Witnesses

 


   
© Copyright Michael J L Turner 2006 - 2017