November 2004

Electronic Evidence Retrieval

Introduction

Discovery. Law schools teach the importance of, and methods for, effective discovery. However, in today's world, discovery regularly involves electronic information, a specialized field not generally addressed in law school. Discovery of electronic evidence poses special issues, issues different from those related to the discovery of paper and other tangible documents. In this article we discuss ways in which spoliation of electronic evidence can occur, case studies involving spoliation of electronic evidence, and the steps you can take to avoid such occurrences.

Computers are no longer just tools for engineers and scientists, nor are they just relegated to offices. Everything from answering machines and cell phones to washing machines and automobiles utilizes embedded computers.

For many people, computers are now a primary mode of communication. Network news reported an instance in which a teenage girl wanted to be with her friends to grieve after she witnessed a classmate killed. She went straight to her computer to "message" them.

Even matters that appear to have nothing to do with computer crime, such as breach of contract or divorce, often involve evidence retrieved from the parties' computers, which contain email and other forms of electronic communication.

Volatile/Transient Nature of Electronic Evidence

There are at least four ways electronic evidence can be compromised.

Inadvertent Spoliation

Even the most careful of computer users occasionally delete something they should not have deleted or neglect to do a backup of important files. A well-intentioned staffer or IT person may inadvertently change evidence. Since a computer operating system hides many internal operations from the user, anyone accessing a computer can cause changes and not be aware of it.

For example, when the Microsoft Windows® operating system starts during the boot-up process, it writes to every disk on the system and changes approximately 160 files. Many dates are changed in this start-up process, and "who knew what, when" evidence may be unintentionally destroyed.

In one case investigated by the authors, an attorney had custody of a client's computers. Information technology staff from the opposing counsel's office insisted on knowing the size of the plaintiff's drives. An obliging legal assistant booted the systems and reported the disk sizes. When the drive was subjected to a proper forensic investigation, 192 files had been changed and the "last modified" dates corresponded to the time the assistant started the machines. For more detailed information on a proper forensic examination see Demystifying Computer Forensics [i] (also available at www.ElectronicEvidenceRetrieval.com).

In the case of R.S. Creative Inc. v. Creative Cotton Ltd. (1999), 75 Cal.App.4th 486, the need to protect the content on the drives suspected of containing evidence was recognized by the parties who stipulated that the computers would not be turned on until the computer forensics expert examined them. Violation of this stipulation resulted in the Court's finding of evidence spoliation and dismissal of the case.

Deliberate Software Spoliation

There is a thriving software industry dedicated to the secure deletion of computer files. Such software is inexpensive and readily available over the Internet. Users need not be particularly sophisticated to find and use such "overwriting" software.

In one trade secret case, the culprit had used this kind of software to delete directories and documents that held incriminating evidence, company-owned files he had previously copied to his home computer. Unfortunately for him, a forensic examination of his home computer revealed data showing the history of the documents he had stolen.

In 2003, an Illinois U.S. District Court Judge granted a defendant's motion for sanctions against the plaintiff and recommended that the case be dismissed with prejudice after it was discovered that the plaintiff had attempted to delete relevant discovery from his computer by running the Evidence Eliminator® software, which claims to defeat forensic analysis software.

Even simpler techniques, such as renaming files and their extensions in an attempt to hide the true nature of files, are known to many users. Such sabotage is particularly common in child pornography cases. However, computer files contain so-called "signatures" that indicate the true type of each file. Computer forensic software and techniques are able to read the signatures and reveal the actual nature of the files.
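The signature check described above, as an added example that is not the authors' tooling: a constructed table of file signatures ("magic numbers") and a scan that flags files whose extension disagrees with what their leading bytes say they are. The signature table, the extension mapping and the sample files are all constructed for this illustration.

```python
# Constructed table of file signatures: the leading bytes that identify a file's
# real type regardless of the name or extension it has been given.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # ZIP container, also used by docx/xlsx/pptx/jar
}

# Extensions that are consistent with each signature-derived type.
EXPECTED_EXT = {
    "jpeg": {"jpg", "jpeg"}, "png": {"png"}, "gif": {"gif"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
}

def true_type(data: bytes) -> str:
    """Return the type indicated by the file's signature, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(name: str, data: bytes):
    """Return (declared_extension, true_type) if the name disguises the content,
    None if the name is consistent or the content has no known signature."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = true_type(data)
    if kind == "unknown" or ext in EXPECTED_EXT[kind]:
        return None
    return (ext, kind)

def scan(files: dict) -> list:
    """Every (name, declared_extension, true_type) whose extension lies about the content."""
    return [(name,) + m for name, data in files.items() if (m := extension_mismatch(name, data))]

# Constructed sample "files" (first bytes only) standing in for a directory listing.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",    # honest JPEG
    "budget.txt": b"\xff\xd8\xff\xe1\x00\x18Exif",   # JPEG renamed to look like text
    "readme.doc": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",    # PDF renamed as a Word file
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",    # ZIP container, consistent with .docx
    "notes.txt": b"Meeting notes, 3 Nov 2004\n",     # plain text, no signature, not flagged
}

if __name__ == "__main__":
    for name, ext, kind in scan(SAMPLE_FILES):
        print(f"{name}: extension .{ext} but signature says {kind}")
```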

Changing the date or time on a computer is relatively easy; simply right click on the date in the task bar and you will find that you can adjust the date on the computer. One defendant, who was on notice that his computer would be examined on a given date, sought to obscure evidence of his misdeed. He turned the computer clock back two months, deleted the incriminating files, and tried to return the computer clock back to the correct time. Unfortunately for him, he reset the date incorrectly and the forensic examination of hidden log files quickly revealed what he had done.

More sophisticated users try to hide data by altering system components. Windows-based operating systems, such as Windows 98 and Windows XP, use tables to store information about the files on the system. These tables record the name, location and other information for each file on the system. Users may alter the File Allocation Table (in Windows 95 and 98) or the Master File Table (in Windows NT, 2000 and XP), making the directory information for their files incorrect. This has the effect of making the files undetectable to ordinary users. Computer forensic software, however, bypasses these tables and allows the forensic examiner to see the true file structure.

Operating systems allow users to divide disks into sections called partitions. Software to create and manage these partitions comes with the operating system itself, and numerous other versions of partition managing software are readily available on the Web. With the user manual for the software at hand, it is easy to create a partition on a drive and make it invisible to ordinary users. As in other scenarios of deception, forensic software bypasses the partition management software and provides information related to all partitions, hidden or otherwise.

In Computer Assoc. Int'l v. American Fundware, 133 F.R.D. 166 (D. Colo. 1990), American Fundware continued to destroy earlier versions of their software, in adherence with the company's policy, after the start of copyright infringement action and service of discovery requests. As a result, the Court found that the company had acted in bad faith and agreed with the Plaintiff's motion for default judgment. [ii]

Hardware Spoliation

In the authors' experience, spoliation due to hardware damage is infrequent. Occasionally we find a computer hard drive that was inadvertently corrupted. In such cases forensic techniques can often recover all or most of the drive contents. Obviously, good backup procedures by the forensic specialist will protect the image data.

Opposing parties occasionally try to make changes to computer hardware in order to hide data. We have even encountered computer cases in which some of the drives relevant to the case were disconnected from the system! Careful forensic techniques disclosed this attempted deceit without difficulty. The author was retained in another such case in which the defendant agreed to turn over the hard drives on a particular computer to the plaintiffs. When we conducted a proper examination of the drive, we discovered that the drive was not the so-called "C" drive of the computer, but a substitute installed by the defendant.

The Importance of Dates

When computers are suspected of containing evidence, following proper protocol is critical to the discovery process. Merely starting a computer changes files, and many of those changes affect significant dates. A computer's operating system usually records the date(s) on which each file was created, last modified, and last accessed.

In some cases, a client's defense may be based on someone else having access to the computer in question. While forensic software, in the hands of a skilled examiner, can access date and time information not available to users, it cannot retrieve overwritten data. This makes the proper forensic image described in later sections of this article imperative.

In the intellectual property dispute case of Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996), a reported "computer expert" used forensically invalid copies of the suspect hard drives to collect and analyze computer evidence. As a result of this improper, forensically unsound procedure, file date stamps were altered and the chain of custody was destroyed. Severe evidentiary sanctions were issued, as the Court recognized the "duty to utilize the method which would yield the most complete and accurate results." [iii]

A Proper Forensic Examination

In the forensic process, we first create an image of the drive(s) suspected of containing evidence. We speak of a proper forensic examination when the following three criteria have been satisfied:

  1. The image is an exact, bit-by-bit duplicate of the original computer drive.
  2. The image is taken in such a way as to guarantee that the original was not changed.
  3. The image is examined in such a way as to guarantee that the image is not changed.

Following proper forensic procedure, the forensic investigator takes appropriate actions to "ground" himself or herself so as not to damage a drive via static electricity discharge. Next, the drive to be imaged is removed from the computer case. It is then placed in a write-protected device (or connected to a computer running a non-Windows operating system such as MS-DOS) and an exact copy of the drive is made. We use these seemingly extreme techniques to guarantee that the operating system does not write to the drive. After creating the image, the forensic technician leaves the premises to perform the research on the image, thus minimizing the disruption to the owner's business or home.

Verifying the Preservation of Data Using "Hashing"

We use hash codes to ensure the integrity of the forensic process. A hash code is a fixed-length value computed from a file by a mathematical function; for practical purposes the value is unique to that file, and any change to the file, however small, produces a different hash code. For example, consider two hash codes for the above heading. The hash code for the heading as it appears above is 95bace9c862e5095448860fdca58f5c6. The hash code for the same heading with a period at the end of the phrase is 3921f290de80a08a530eb5626a2ebfc1.

The hash code for each sector of the drive is computed several times during the imaging process. It is computed on the original disk before it is imaged, on the image file when it has been taken, and again on the original disk. All three must be identical for the image to be valid. If the codes do not match, a new image must be taken, as non-matching hash codes indicate that the image created was not an exact match of the original drive.

Hash codes are also used to assure the integrity of the investigation. Forensic tools, such as EnCase® and Forensic Toolkit®, re-compute the hash code each time they open an image and again at the end of each session. As long as the hash codes remain the same, the investigator can assure the Court that the results are valid.
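An added illustration of the hashing procedure in the two paragraphs above (example code, not the authors' or any vendor's tool): the three-way hash check on a constructed "drive", a write-blocked copy beside one taken after the drive was booted, and per-sector hashes that show which sector the boot changed. MD5 is assumed because the page's values are 32 hex digits; the drive contents and the start-up timestamp write are constructed.

```python
import hashlib

SECTOR = 512  # bytes per sector, the unit forensic imagers hash during acquisition

def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a buffer; MD5 is assumed because the page's values are 32 hex digits."""
    return hashlib.new(algo, data).hexdigest()

def sector_hashes(drive: bytes, algo: str = "md5") -> list:
    """One hash per sector, so a mismatch can be localised rather than just detected."""
    return [digest(drive[i:i + SECTOR], algo) for i in range(0, len(drive), SECTOR)]

def changed_sectors(before: list, after: list) -> list:
    """Indexes of sectors whose hash differs between two per-sector hash lists."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def acquire_and_verify(original: bytearray, imager) -> dict:
    """The article's three-way check: hash the original before imaging, hash the
    image, hash the original again. The image is valid only if all three agree."""
    before = digest(original)
    image = imager(original)
    image_hash, after = digest(image), digest(original)
    return {"before": before, "image": image_hash, "after": after,
            "valid": before == image_hash == after}

def write_blocked_imager(drive: bytearray) -> bytes:
    """Bit-for-bit copy taken through a write blocker: the source is never written."""
    return bytes(drive)

def simulate_os_write(drive: bytearray, offset: int) -> None:
    """Stand-in for an operating system stamping a 'last accessed' date at start-up."""
    drive[offset:offset + 4] = (1099958400).to_bytes(4, "little")  # constructed value

def booting_imager(drive: bytearray) -> bytes:
    """Constructed failure mode: the drive was booted while attached, so the OS
    wrote into sector 1 before the copy was taken. The copy is exact but stale."""
    simulate_os_write(drive, SECTOR + 16)
    return bytes(drive)

def constructed_drive(sectors: int = 4) -> bytearray:
    """Deterministic sample 'drive' for this example; not real disk contents."""
    return bytearray((i * 7) % 256 for i in range(sectors * SECTOR))

if __name__ == "__main__":
    drive = constructed_drive()
    print("write-blocked image valid:", acquire_and_verify(drive, write_blocked_imager)["valid"])
    print("booted image valid:", acquire_and_verify(drive, booting_imager)["valid"])
    print("sectors changed by the boot:",
          changed_sectors(sector_hashes(constructed_drive()), sector_hashes(drive)))
```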

What You Can Do

As soon as you suspect that relevant data may be on a computer, consult a trained computer forensics expert. Even if you do not currently have physical custody of the computer, the expert can help you explain to the Court what you need and why. The computer may contain documents that bolster your case that you may not be aware of and an expert can help you assess that possibility.

Courts are now recognizing the importance of retaining properly trained, experienced computer forensic specialists. In United States v. Greathouse, the Court faulted the plaintiff's expert for not using current technology as well as for removing multiple computers from the site instead of using forensic software to "...more narrowly tailor the search and seizure." [iv] An experienced investigator should have protocols in place to accommodate just such situations and to avoid the resulting criticism.

If you can control the computer, cease using it immediately. It is human nature to want to "check out" possible evidence, but doing so risks spoliation. If there is any reason to believe the computer might be "booby trapped" to destroy data if it is not shut down in a certain way, just pull the plug on the machine.

Put the opposing side on notice to cease using the computer and not to modify or make deletions from the computer. This includes not installing new software, adding new documents, running secure deletion software, or otherwise modifying the computer. The prohibition on new software and documents is needed to prevent the user from filling up the computer's hard drive with nonsense characters and files, thereby overwriting data that may have evidentiary value.

Explain all the factors of your case carefully to your forensics expert; well trained, experienced technicians have techniques for expeditious and cost-effective searching and examining the drive.

Summary

The "bottom line" in spoliation of electronic evidence is simple: treat the computer as if it were the corpse in a murder case. Keep everyone away from it to avoid contaminating the scene, and call a forensic specialist to conduct the investigation.

References

Interested readers will find information concerning electronic evidence, forensically sound imaging of computer drives, and spoliation of electronic data in the following references.

Delmero, M. (n.d.). Spoliation: Analysis. Retrieved March 15, 2004 from http://cyber.law.harvard.edu/digitaldiscovery/library/spoliation/spoliationanalysis.html

Nimsger, K. M. (2003). Digging for e-data. Retrieved March 2, 2004 from http://www.krollontrack.com/LawLibrary/Articles/trial_nimsger.pdf

Hassell, J. and Steen, S. (2002). Demystifying Computer Forensics. The Louisiana Bar Journal, 50(4), 278-280.

Leeds, G. S. and Marra, P. A. (2000, April 17). Discovering and preserving electronic evidence: how to avoid spoliation pitfalls in the computer age. Retrieved March 2, 2004 from http://www.spsk.com/Articles/artdscov.cfm

Patzakis, J. (2002, January 30). Lawyers draft IT security professionals for litigation support duty. Retrieved March 4, 2004 from http://www.infosecnews.com/opinion/2002/01/30_04.htm


  i. For more detailed information on proper computer forensic examinations see: Hassell, J. and Steen, S. (2002). Demystifying computer forensics. The Louisiana Bar Journal, Vol. 50, No. 4, pp. 278-280.
  ii. Leeds, G. S. and Marra, P. A. (2000). Discovering and preserving electronic evidence: How to avoid spoliation pitfalls in the computer age. http://www.spsk.com/Articles/artdscov.cfm
  iii. Patzakis, John (2002). Lawyers draft IT security professionals for litigation support duty. http://www.infosecnews.com/opinion/2002/01/30_04.htm
  iv. Victor Limongelli, United States v. Greathouse, Legal Corner, at http://www.guidancesoftware.com/corporate/examiner/2004-04.shtm#tag3 (April 2004).

Johnette Hassell, Ph.D. is president of Electronic Evidence Retrieval, L.L.C., headquartered in New Orleans, Louisiana. She has served on the faculty of the Tulane University's School of Engineering for 25 years. Dr. Hassell has more than 20 years of experience as a national consultant and expert witness in areas ranging from software development to telecommunications to medical information systems. She also provides computer forensics training for CLE credit.

Susan Steen is vice-president of Electronic Evidence Retrieval, L.L.C., which provides computer forensic services internationally. She received forensics training from AccessData, Inc., and New Technologies, Inc., a world leader in computer forensics training. Ms. Steen is experienced in both computer forensics research and copyright infringement assessment, and manages EER's Mississippi branch office.


©Copyright 2004 - All Rights Reserved

DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.