• Home
• About Us
• Contact
• Ethics
• Services
• Rates
• FAQ

Frequently Asked Questions (FAQ)

Disclaimer 

What is Electronic Discovery?

What is metadata?

What is Computer Forensics?

What should I do if I need computer forensic services?

Why can’t I just retrieve the evidence myself?

Do you bill for processing time?

Are you a licensed Private Investigator?

Disclaimer 

Information given on this and all other pages on this site is for informational purposes only, and whilst reasonable care is taken, we do not warrant its accuracy.  No advice is intended to be for a specific purpose, and no advice is intended to be construed as legal advice.  Persons needing legal advice should contact a lawyer.

What is Electronic Discovery?

Electronic Discovery is the process of obtaining and presenting Electronically Stored Information (ESI) in support of the discovery process for civil litigation.  It generally concerns the production of relevant electronic documents (such as word processor documents) and correspondence (such as emails).  It also involves the presentation of metadata for those documents.

Patrick Computer Forensics searches for and gathers all relevant ESI from the client’s computer system(s), culls all non-relevant files to reduce the time and cost of storage, then works with lawyers to add the documents into litigation support software such as Concordance or Summation.

Changes to the Federal Rules of Civil Procedure effective December 1^st 2006 create specific responsibilities for companies subject to discovery relating to producing ESI.  Be sure and consult your lawyer about your obligations, and if they need technical assistance, have your lawyer contact Patrick Computer Forensics Inc.

What is metadata?

Metadata is “data about data”, and refers to information stored in an electronic document that describes the document itself.  This data is not immediately visible, especially when you print a document using the default settings for most software.  For an example of metadata, right click on a word document in windows explorer and then click Properties.  Now click the Summary tab.  You will see information such as the author, date created, number of words, and so on. This is metadata: information about the document.

What is Computer Forensics?

Computer Forensics is the collection, preservation, analysis and presentation of evidence contained in electronic devices such as computers, disks, PDAs, mobile phones, thumb drives and much more.  In order for your evidence from these sources to be acceptable to a court, it must be collected in accordance with the rules of evidence, including: maintaining chain of custody, preventing or at least minimising and documenting any alteration of evidence, analysis in a way which is both scientifically sound, and reproducible, and presented in a manner which a jury can understand. Computer Forensics combines investigative skills with computer science skills with communication skills.

Computer Forensics also includes finding and recovering deleted files and data, and hidden data within documents.  A forensic examiner may also search for signs of intentional alteration of files, and tampering with the computer system.

Computer Forensics therefore goes much further than Electronic Discovery, since it not only presents documents, but explains the digital “history” of the evidence.  When Electronic Discovery goes bad, a Computer Forensic examiner is often called in to resolve the issues.

What should I do if I need computer forensic services?

If you are working on a computer and you believe you have found evidence, stop working on the computer and contact your lawyer immediately.  Do not continue looking for more evidence.  If your computer is turned off, do not turn it on.

Instruct your lawyer to retain the services of Patrick Computer Forensics Inc.  Once your lawyer has retained our services, we will contact you as soon as possible to arrange preservation of your evidence. 

We understand that whilst gathering evidence is important, it’s also important for businesses to be able to keep on conducting business, so Patrick Computer Forensics Inc can respond quickly to forensically copy your computer hard drives with minimal interruption whilst all pertinent evidence is preserved. 

Why can’t I just retrieve the evidence myself?

Electronic evidence obtained by anyone other than a properly trained and experienced Forensic Computer Examiner working with tested and proven forensic tools and/or methods is likely not admissible in court.  The simple act of turning on a computer changes hundreds of files and settings in Windows.  Simply clicking on and viewing a word document alters date and time information which could be vital to your case.  Looking around a computer with evidence on it is like walking all over a crime scene with dirty boots and no gloves: you can destroy evidence, and leave your fingerprints all over the place.  If your evidence involves deleted files, then continuing to work on the computer could destroy that evidence.  The analogy we like to use is that electronic evidence on a computer in use is like a slow burning fire: the longer you let it go, the less likely you will have anything of value left.

If your use of a computer accidentally or intentionally destroys evidence, you could be subject to sanctions for spoliation.  In a criminal matter, you could leave yourself open to the accusation that you tampered with evidence.  Your lawyer can explain these issues and their legal consequences in greater detail.

Why local is important

Rapid response:  Because electronic evidence is volatile and able to be destroyed, it is important to preserve the evidence in a timely manner.  You don't see them say on CSI: "I'll come out and check your crime scene in a few days time".  Additionally, because continuing to use computers which contain evidence can negatively affect admissibility and result in destruction of evidence, your computers may be unavailable until evidence preservation is performed.  Having a local firm respond rapidly helps reduce your down time and keep your business running.

With Patrick Computer Forensics Inc. you combine the benefits of a local firm with an experienced and qualified examiner.

Travel fees:       Out of town firms will charge you travel fees.  These generally include flight costs, car rental,  hotels, meals, mileage, and a per diem for their staff.  At a minimum, travel on a case will usually involve the initial evidence collection and then court attendance.  As an example, a case Mr Patrick worked over 1000 miles away from his office involved two return flights, and two three-day hotel stays.  On an average out of town case, you can easily rack up $1000s in travel costs.

Do you bill for processing time?

Patrick Computer Forensics Inc. does not bill for unattended processing time.  

As an example, a very basic examination of a single computer may take a week to complete, but of that time, only 15 hours or so may be time the forensic computer examiner actually spends working on it.  The remainder of time is computer processing time.  For example, the deleted file search, forensic indexing and hashing process for a 500GB hard drive may take a day to complete.  Making of working copies (examiners normally don't work on the original drive, or even the first image of the drive) make take hours for each copy.

If you are being charged for processing time as if it were consulting time, then instead of paying 15hrs x $250/hr, you'd be paying 40 x $250.  That's the difference between $3750 and $10,000.  It is therefore important that you check whether a computer forensic firm charges for this processing time as it may substantially alter the costs.

Time spent processing out of office is always attended as required by forensic best practice to maintain control over your evidence.  This generally only applies to on-site evidence collection, but would also apply in Adam Walsh Act cases.