legal e-discovery

Photo: William Warby, Flickr Creative Commons

In our previous blog, we discussed briefly how our digital forensics services can help you prove IP theft in litigation. Today, we’ll take a closer look at the types of information a Pittsburgh digital forensics investigation can uncover. By learning where evidence may be hiding, you will have a better understanding of how to incorporate digital forensics into your litigation strategy and achieve a positive outcome.

Deleted Files vs. Deleted Overwritten Files

Every device that is examined will likely contain deleted files. A forensic examination produces a list of deleted and deleted overwritten files. Files that are simply deleted can, for the most part, be recovered in full. However, when a file is deleted, the space it occupied on the hard drive is marked for deletion and noted as “unallocated space.” Once the operating system writes a new file to that space, the deleted file becomes overwritten and may no longer be fully recoverable. However, if the new data file is smaller than the file it has overwritten, a portion of the deleted file may still be recoverable.

If a device that is being analyzed shows no deleted files, further investigation can be made to check for evidence of data wiping software, operating system re-installation, or other data concealment.

Link Files (.lnk)

A link (.lnk) file is created by the operating system or the user as a shortcut to an application or file. Link files can show that a file was present and/or accessed on a system at some point, even if that file has since been deleted. They can hold valuable information such as:

  • The original path or location of the file – whether on a network, local drive, or external device
  • The creation, accessed, and modification dates of the file (metadata)
  • File size

External Devices

During certain IP theft investigations – such as an employee stealing from their employer – it is likely that external devices (such as thumb drives) played a role. External devices leave a trail on whatever computers they have been attached to, a trail that forensic investigators can uncover. Some external devices – such as hard drives – can leave a record of their make and model, or even the device’s serial number. This can provide enough probable cause to request that device for further analysis.


Metadata holds information about files, applications, and other data. This information includes:

  • Creation, accessed and modified dates and times
  • Who created the data
  • The last time it was printed
  • For pictures, it shows the device used to take the picture along with the date, time, and location it was taken

This can be helpful to prove where a design or idea originated, and in what variations.

Choose Precise, Pittsburgh’s Digital Forensics Experts

When it comes to leveling the playing field, Precise offers fast, efficient, and affordable digital forensics services in Pittsburgh. No matter the size of your case, our experts will quickly sort through your data, compiling all relevant data and helping you craft your litigation strategy. Don’t risk overlooking critical data: call Precise today!