Charleston Business Journal > July 9, 2007 > News
Data CSI: Computer forensics experts piece

By Shelia Watson
Contributing Writer

The television series “CSI: Crime Scene Investigation” has done much to educate the viewing public on the importance of collecting physical evidence. Each week viewers are treated to a variety of forensic activities, including autopsies, ballistics examinations, fingerprint collections, DNA tests and blood sampling.

Computer forensics is much the same, except, one would hope, without dead bodies or bloodstained crime scenes.

 

“What we do is a lot like what you see on the CSI show,” said Mark King, a computer forensics expert working on the Al Parish case.

 

Parish faces 11 criminal and five civil charges related to his operation of investment funds that involved as many as 600 investors over time and from which more than $55 million has been lost.

 

The nature of the work is meticulous, King said.

 

“You see them (on the show) taking every fingerprint, getting details of everything and taking the photos,” he said. “That goes on with the data too. We’re looking at the computer, noting that it’s the original data drive, getting an accurate image so the evidence can be used in the cases.

 

“It’s different than a bullet shell or blood, but it’s still important evidence.”

 

In today’s computer-driven world, where e-mail and instant messaging are the norm, knowing how to collect, handle and analyze information on a computer can be critical to a successful civil or criminal prosecution.

 

Years ago discovery of evidence meant spending hours looking through stacks of papers in file cabinets and boxes. Today, almost everything is in electronic form, King said.

 

“There are still some things printed out, but most things are on computers today,” he said. “That’s where we first go to try and forensically recover electronic data and media, be it a desktop computer, a laptop, a PDA or a cell phone.”

 

Forensics experts know what to look for and can identify additional information sources for relevant evidence, including earlier versions of data files or differently formatted versions of data used by other applications.

 

With electronic data in particular, an investigator must preserve the evidence in its original state and prevent suspect files from being altered or damaged through viruses, improper handling or electromagnetic or mechanical damage.

 

Fortunately, data can be replicated exactly for analysis and processing without destroying the originals.

 

“You have to be very persistent, very patient,” King said. “It’s very time consuming because of the amount that has to be analyzed, but it’s also very interesting and challenging.”

 

King called the work a type of triage. And when investigating a business, the first person he’s interested in is the president or CEO, he said.

 

“Next we go to the accounting person, the CFO or controller. Next we get the person in charge of investor relations. That way we start acquiring and triaging the electronic media,” he said.

 

The first items King tries to locate are the investor lists so he can start forming a database and contact them about the case so they can provide their proofs of claim. After that, he begins looking for the accounting records and puts together a funds tracing database that will tell him what was invested and by whom, he said.

 

“Typically the electronic records that can be the most important to our investigation and piecing everything together are the financial records, the accounting and bank statements,” said J. David Dantzler, an attorney who is working with the receiver in the case. “We also want any information regarding investors, and that could include drafts of advertising materials, offering documents, agreements, basically anything that could inform us about the history of the person we’re investigating.”

 

E-mail records and instant messaging logs can be valuable sources of evidence, because people are often more casual when using that type of communication than they are in hard-copy correspondence such as written memos and letters, Dantzler said.

 

“Far and away those are among the most important records,” he said. “They’re usually quick and off the cuff, so it’s much more like having insight into a phone conversation. You’re not as measured as you might be in a letter, so you can sometimes get a more accurate view of the person.”

 

King called the Parish case “unique” in the sheer volume of data that needed to be analyzed.

According to the receiver’s report filed in May, the items recovered included 17 computers and laptops along with a number of electronic storage devices.

 

“The computer he used at his office held two 500-gigabyte drives,” King said. “Most people don’t need a terabyte for data. When you get up into that size, it really takes a long time to analyze.”

 

King noted that computer forensics will only become more challenging because more and more items are being stored electronically.

“More computers are being used in business today, plus the programs are getting larger and the hard drives are getting bigger,” King said. “For us and for law enforcement and the government, we’re continually trying to keep up so we can do a fast analysis.”

 

Dantzler agreed.

 

“We’re in the electronic age,” he said. “That’s certainly true with respect to funds tracing. Today people usually keep electronic checkbooks or accounting records, and we can very quickly get a sense of where the money came from and where it went. In fact, if someone is keeping a paper check register, it’s a little more difficult than it used to be to get that information because you have to piece it together now from records turned over from the banks.”

 

Business Journal reporter Dan McCue contributed to this report.

