Computer Usage Analysis


Forensicon assists clients every day by performing usage analysis to determine what specific user actions took place during a specific time period. Forensicon is known for its detailed timeline analysis which helps understand whether a device has been used in a normalized way.

Computer forensics has the ability to help reveal the exact actions taken by a user.  It is often necessary to perform computer forensic usage analysis to be able to identify what activities recently took place on a computer.  Activities may be  a result of user actions or may be systematic and part of normal computer usage.  In some instances, other individuals inside or outside the organization may connect to a computer in an effort to perform rogue activities that may reflect negatively on the normal user of the computer.  Obtaining the facts and an expert’s interpretation and opinion regarding those facts can provide you the validation and confidence you need before taking action.

There are many types of questions that forensic examiners are often asked to research and respond to.  Some of these may include any of the following:

  • Were any external storage devices recently connected to the computer?
  • Are there indicators that show that a computer user copied or transferred company files, trade secrets and other sensitive data to external sources?
    • Internet based cloud storage (Google® Drive®/Docs®, Dropbox®, iCloud®, FTP, or other)
    • USB Storage Devices (External Hard Drives, Jump drives, Thumb Drives, etc.)
    • Cell Phones & SIM Cards
    • Disk Media
    • Webmail or email
    • iPads or tablet-based computing device
  • What specific actions took place on a key date and time by the user?
  • Did the user run or install programs that are designed to obfuscate or cover their tracks?
  • What files were deleted by the user?
  • Did the employee engage in bad faith and provide information to outside parties?
  • Did the employee break the company policy regarding standards of acceptable computer usage?
  • Is the document produced really as it appears?
  • Did anyone else access the computer who may be trying to frame the suspect or perpetrator?

Computer forensic activity and usage analysis can help tell the story about what actions took place.  Analysis of the computer registry and other artifacts including link files, USB device history, Windows® restore points, unallocated space, deleted files, recently run programs as indicated by the Windows Prefetch, among others, can help piece together the story of what transpired.  In some instances, the computer user may perform actions on the computer that complicate a forensic investigation by purging many of these sources of information beyond recovery or detection.

In circumstances where deliberate efforts were taken to purge and destroy data beyond recovery, Forensicon can often use our years of experience to help demonstrate that the computer lacks the normal pattern of data that exists on a computer in regular use.  Proving usage of scrub software is a more challenging undertaking in many instances and often requires an experienced expert to persuade a court of law to accept an opinion that deliberate user initiated actions took place specifically for the purpose of concealing potentially relevant data from the legal discovery process.  Forensicon has appeared in court or testified via affidavit regarding the alleged usage of data scrubbing software.  Forensicon experts have achieved successful outcomes where scrub software was used and has supported counsel with obtaining remedies from the courts.

Selecting an experienced outside independent forensic firm to forensically image the suspect’s computer and perform forensic activity analysis in an attempt to validate management’s initial suspicions can help mitigate risk and provide objective proof to suspicions and allegations that may require disciplinary action of the employee.  Before considering terminating, suspending or reporting an employee to legal authorities, companies and organizations should conduct a forensic investigation of the employee’s computer to understand what facts exist that may validate or rebut management’s initial suspicions.  Having a trustworthy and experienced forensics firm at your side can help your organization avoid unnecessary and costly employment litigation.

Please contact Forensicon today at 888-427-5667 for a complimentary consultation of your computer forensics investigation needs.

Tags: , ,

    Related Posts

  • Staff Recognized for Departing Employee Investigations - The first issue of Corporate Counsel Business Journal, CCBJ,  includes an interview with our Director of Digital Forensics, Yaniv Schiff, and Solutions Architect, Curtis Collette, on the evolution of departing employee investigations. Departing Employee: When Do Investigations Become Necessary? appeared in the print publication, online edition, and on CCBJ’s In-House Tech website. For Increasing Numbers of Employers, Departing Employee Investigations[...Read More]
  • Chicago Office Food Drive – The Results Are In - QDiscovery’s Chicago Office collected nearly 1,000 containers of food for the local food bank this Holiday Season!  Our office competed with sister offices in Indiana and Connecticut.  Alas, we came in third.  Our sister offices each collected nearly 2,000 containers for their local food banks.  Relatively new to the company-wide food drive, the Forensics Division[...Read More]
  • QDiscovery QMobile App Wins Innovation Award - QDiscovery’s QMobile is winner of a 2017 Relativity Innovation Award.  Presented at Relativity Fest, the Innovation Award celebrates organizations that create apps or integrations that extend the functionality of Relativity’s eDiscovery software.   Our development team created an application that makes the analysis of mobile collections much more manageable.  Relativity users can now produce and review mobile[...Read More]
  • Moving and Changing - Acquired by Connecticut-based QDiscovery in 2016, Forensicon’s capabilities multiplied overnight, both in forensics brain power and eDiscovery expertise.  As part of a leading provider of end to end litigation support, moving to larger offices that are more central to the Chicago legal community was inevitable.
  • QDiscovery Named One of the Top 20 Providers of Legal Services! - Leading industry publication, CIO Magazine, has named Forensicon’s parent company, QDiscovery, to it’s  Top 20 Providers of Legal Services.  The annual listing includes 20 companies that are at the forefront of providing legal solutions and impacting the marketplace.  Read the whole article here.  Featured in the publication alongside QDiscovery President, Dave Barrett, is Director of Digital Forensics, Yaniv[...Read More]