5 Questions
06-29-2007, Tulsa World - John Stancavage
http://www.tulsaworld.com/busi . . . 070629_5__spanc60125

Gavin W. Manes is president of Oklahoma Digital Forensics Professionals Inc. He holds a doctorate in computer science from the University of Tulsa, where he works as research assistant professor in the Center for Information Security. Manes has performed extensive work in the areas of law enforcement and national security. He is a member of the American Academy of Forensic Sciences, High Tech Crime Investigation Association, Digital Forensics Working Group, Association of Computing Machinery, Oklahoma Infragard, Information Systems Security Association and the American College of Forensic Examiners Institute.
1 Could you briefly describe what Oklahoma Digital Forensics Professionals does, and how it got started?

OKDFP is a provider of digital forensics services for businesses and legal professionals in Oklahoma. We collect and analyze digital information from devices such as computers, cell phones and personal digital assistants to discover facts for potential use as evidence in court. We're kind of like a CSI team, but for computers.

The forensics investigative process consists of collection, investigation and expert analysis of data for use in litigation, mediation or general business practice. Our company was founded three years ago in Tulsa, and we are operated solely by Oklahoma-educated individuals.

2 Is it true that a person cannot permanently delete information on a computer?

Hitting the delete key on a computer simply removes the reference point to the particular location of a piece of data. It doesn't actually remove that set of 1s and 0s from the hard drive. There are a number of techniques to read those 1s and 0s, even if there is damage to the hard drive. However, those investigations are not economically feasible for the majority of clients. As a general rule, if the degree of deletion is advanced, the process of data recovery is quite expensive.

3 What are the implications of all that data being available for possible recovery?

Since most people don't know how easily deleted information can be retrieved, most don't even attempt to scrub it from their electronic devices — which certainly makes our job easier! There are a number of deletion tools available, but in some cases the mere use of these tools can imply guilt.

It certainly means that when recycling or throwing away computers, both businesses and individuals should be very careful about the treatment of their hard drives. In a business scenario, it means that Internet activities, e-mail conversations, Word documents, spreadsheets and other information can be retrieved from employees' computers, which has broad consequences for possible lawsuits and regulatory concerns.

4 Is litigation based on digitally stored data increasing? What can individuals and companies do to protect themselves?

The inclusion of evidence from electronic devices in modern litigation is certainly increasing. More and more attorneys and their clients are recognizing that there is a wealth of information available on computers and cell phones that can help their cases. In addition, many businesses are realizing that they can use digital forensics services to help prevent the loss of proprietary information or intellectual property in the normal course of business. Businesses can help protect themselves by establishing and policing good computer use policies that clearly outline the appropriate handling of proprietary information in electronic form.

5 When a company decides to fire or lay off an employee, what steps should it take as far as the digital data that person may have on office computers, home PCs or even BlackBerrys and cell phones?

It is very important that once an individual is terminated, they neither log onto their company-owned computer or user accounts, nor use their company-owned cell phone or BlackBerry. This crucial step prevents disgruntled employees from deleting or stealing large amounts of company information, such as client lists, engineering specifications or other intellectual property. We also recommend taking a forensic image of all company-owned electronic devices after the employee separation event, to be examined at the time or stored for later investigation.