Part 2 of What Every Lawyer Should Know About Electronic Evidence, By John Troxel (Cover story)

Part 1 was published in the July edition of CITATIONS and can be viewed at

The Examination

There are several phases to the process when conducting a computer forensics examination:

Evaluation – This focuses on the direction of the investigation, the types of data sought, where the data resides, hardware considerations, how to obtain the data, and financial considerations.

Collection & Preservation – Data must be acquired in a forensically sound manner, and preserved in a format that prevents changes to the data. That means bit-bybit copies. Sometimes it happens at night after employees go home, or at times it is taken back to the examiner’s office for copying. The chain of custody starts here. This phase is critical due to the volatility of electronic data.

Analysis – The data is processed into a forensics application, making it searchable as well as putting the files in categories such as image, spreadsheet, email, etc. The results of analysis must be thorough and repeatable by opposing counsel’s expert. A variety of tools are available for analysis and the examiner should use any court-tested tool.

Reporting – This phase usually involves the examiner’s report on findings addressing what was discussed at the evaluation phase, as well as other key observations.

The report contains evidence as well as a discussion of the evidence.

Potential Concerns

There are a several issues to be aware of when examining Electronically Stored Information (ESI), which are grouped into Technical and Legal Issues:

Technical issues

Lawyers and employers must have an appreciation for the technical challenges involved with the analysis of computer evidence as it goes well beyond simple data recovery.

Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. A password could reside in RAM, which is a reason to do a live acquisition, if possible.

Timeliness – Data is volatile. When files are deleted, they are recoverable until they are overwritten. Continued operation of a computer results in overwriting deleted files.

Hard drive sizes – They continue to get much, much larger. Copying a hard drive, and verifying the copy’s integrity, takes about one minute per Gigabyte. That was not a big deal when the average size was 80GB, but now the average is 300-500GB. Processing that much data is time intensive as well.

Data storage – Data is typically stored on a computer’s hard drive, but it can often be stored on a network server. More and more people are employing cloud storage, which is online and offsite, and makes recovery of deleted files unlikely. Data is also stored on USB flash drives, SD cards, PDAs, and many other types of devices.

Anti-forensics – There are programs that are designed to defeat potential forensic analyses, such as  Evidence Eliminator and Ccleaner.

Legal issues

The Trojan Defense – the user will assert that his computer was hacked by a malicious code that caused certain actions to occur without his knowledge, such as becoming a repository for pornography.

Wasn’t Me – the user will state that he left his computer on and logged in, yet unbeknownst to him, someone accessed his computer and initiated the suspected activities.

Some Considerations

Demand for Inspection – When going after data on a subject’s computer, consider first the reciprocal demand. Is there anything on your or your client’s computer that may prove detrimental to your case? Examine your computer first.

Timeliness – ESI is volatile, so capturing the data as soon as possible is critical to the success of evidence recovery. If the allowance of forensic analysis is being disputed, then at the very least make certain that a forensic copy of the hard drive is made early on to prevent the possibility of evidence being destroyed. Previously deleted files will remain on the hard drive until they overwritten. If a person downloads movies through iTunes, (very large), then deleted files have certainly been overwritten. Also, hard drives work until they fail, they are like light bulbs. Addressing a failed hard drive can be expensive and sometimes will destroy data.

Preservation Letter – This plays an important role in a judge considering whether a party acted in good  faith in preserving ESI. Directions to not delete anything are inadequate. The key is to make sure that a copy of the hard drive is made immediately. There are numerous examples of preservation letters floating around the Internet, which you should review, but here are a few thoughts:

ESI is not well suited for being printed, so it must be preserved in original format. For example, an Excel spreadsheet when printed will show the data, but it will not show any formulas that may be assigned to certain cells. The data on hard drives is volatile, and data, such as deleted files, can be easily destroyed by unrelated operations. Mere normal computer use runs the risk of spoliation. In fact, viewing data can effect changes.

Storage media types are always changing. How many 100MB or 250MB ZIP drives are still out there? Bernoulli drives? 3.5” or 5.25” floppies? They have morphed into USB flash drives, digital cameras, PDA/cell phones, etc. The issue coming up now is cloud storage.

One may open and edit files, without deleting them, however, the data can be changed. Unlike editing serial hardcopies, drafts are not always kept on the computer.

The preservation form must be addressed.  A forensic copy is best. Get back-ups, if available, as well as passwords for encrypted files.

Analysis may be disputed, so at least get the data copied. Opposing counsel can retain that copy, as can a third-party examiner.

Remove the burden of production by providing a third-party examiner to forensically (and non-invasively) copy opposing litigants’ computers. The examiner can obtain the copies at times that are convenient, such as after employees leave for the day.

About Bar