What Every Lawyer Should Know About Electronic Evidence, by John Troxel


Most everyone with an email address has at some point received an inappropriate email. In a recent case, a semi-nude photograph of  “Mary” was emailed to everyone at the Los Angeles area law firm where she works. (She had the photo taken by a photographer, who displayed it on his website.) The email was sent from mary2000@yahoo.com, with the message, “Tell me what you think of this!” Mary obviously didn’t email this picture to all the lawyers at her firm, but someone went to the trouble to make it seem like she had, so the firm investigated.

The header information in the email suggested that it was sent from within the law firm. Internet logs on the network security software were queried, and four users were identified as being on Yahoo.com at the time the email was sent. One of the users, a fellow paralegal, was a known prankster, so he was the focus of the investigation. After everyone had gone home for the day, a forensic copy of that paralegal’s hard drive was captured and analyzed. Evidence showed that he had taken steps to attempt to cover his tracks, but cached web pages that showed that the email account “mary2000@yahoo.com” had been recently created and accessed on that computer, and its password was changed twice.

With evidence in hand, the managing partner confronted this paralegal, who was summarily terminated.

What is Computer Forensics?

Different than e-discovery, which involves the large scale production of electronic documents, computer forensics focuses on finding specific evidence – the needle in the haystack.  Computer forensics is the practice of collecting, analyzing and reporting on electronically stored  information  (ESI) using court approved tools and methodologies. Gathering viable evidence Gathering viable evidence from electronic media can be complex, and getting results requires trained specialists who know computers, how to conduct investigations, and are familiar with the rules of evidence.

Uses of Computer Forensics

Computers store client data, customer lists, proprietary data, confidential information, personnel data, medical records, contracts, payroll, accounting files, and much more. Accessing, changing, deleting or sharing such data, as well as inappropriate communications, can be harmful to an employer. It is not just the content of emails, documents and other files which may be of interest to investigators but also the metadata associated with those files, which tells us who created the file, when it first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions. Some of the common areas where computer forensics is employed include:

  • Intellectual property theft
  • Industrial espionage
  • Employment disputes
  • Fraud investigations
  • Forgeries
  • Matrimonial issues
  • Bankruptcy investigations
  • Data destruction
  • Inappropriate email and internet use in the
  • work place
  • Regulatory compliance

 General Guidelines

A computer forensics examiner conducts analyses as if every case goes to court. At all stages of the examination, admissibility is paramount in the analyst’s mind. While there are no real industry standards per se, here are some considerations:

Don’t touch anything. No action should change data held on a computer or storage media which may be subsequently relied upon in court. Simply turning on a computer alters data, so leave it running if on, and don’t power it on if it is off. Examiners will typically use a write protection device to preserve the integrity of the subject’s hard drive when making a forensic copy, and analyze that copy. If the computer is on, the examiner may opt for a live acquisition, and capture everything in live memory (RAM) as well.

If it is necessary to access data on a computer or storage media, that person must prove to be competent to do so and be able to support their efforts, explaining the relevance and the implications of their actions.

Documentation such as a chain of custody, identifying the make and model of all devices captured, and a record of all processes applied to electronic evidence should be created.

Use only court-tested methodologies, as well as applications like FTK, EnCase, etc.  Off the shelf products found at electronics department stores should be avoided.

Employ an analyst who has been trained and certified. Sometimes clients will instruct their IT personnel to do various things, which they think will help in the examination, but in actuality it may compromise evidence. In the words of Red Adair, “If you think hiring a professional is expensive, try hiring an  amateur.” IT folks are good at what they do, but if they don’t have the computer forensics expertise and training, then they should wait for direction from one who does.

John Troxel with Verdict Resources offers law firms, corporations, governmental agencies and high net worth individuals a broad range of investigative services.

About Bar