Computers and the nearly ubiquitous smart phones (iPhones, BlackBerries, devices running the Palm and Android operating systems, etc.) have become indispensable communication devices in today’s digitally connected society. An endless torrent of electronic information that makes possible telephone calls, email, text messaging and Internet access passes through a vast network supporting these devices. The data comes in staggering quantities and is in a constant state of creation, modification, exchange and storage. Not surprisingly, this technology that facilitates communication and the instantaneous sharing of information is frequently used for illegal and unethical purposes. As a result, it is obvious to the modern legal professional that the information contained in computers, mobile phones, personal digital assistants and a myriad of other electronic devices is increasingly playing a major role in legal matters. Oftentimes, these devices will contain pivotal evidence in a case.
Perhaps becoming more than simply obvious, the search for digital evidence may have become a minimum professional standard of client representation. Chief Judge of the United States District Court for the Southern District of New York, Judge Loretta Preska, “responding to a question once explained that it is ‘hard to say’ whether an attorney’s failure to seek electronic discovery in a case could support a finding of legal malpractice. ‘The rules talk about the production of relevant information,’ she said, ‘so we seem to create the burden to seek e-data.’ While noting that the increased costs associated with electronic discovery ‘have changed the game,’ she added that she can’t imagine how counsel who is responsible cannot seek relevant electronic information.” (Dorrian, Patrick F. “Jurists Offer Perspective, Tips on Electronic Discovery”. Metropolitan Corporate Counsel, Nov. 2003)
Digital evidence is being employed effectively in all types of litigation. From hostile work environment claims and criminal defense cases to intellectual property matters, financial fraud and family law, very few matters of litigation could not benefit from the services of a digital forensics examiner. Today, the question of discovery has evolved from, “Is electronically stored information available?” to, “What probative digital information is available, and how do I collect that information in a way that will meet the standards of admissibility?”
Electronic Discovery and Digital Forensics
Electronic discovery, more commonly referred to as e-Discovery, is the gathering, analysis and production of electronic documents in litigation discovery. Beyond word processor and spreadsheet files, electronic documents typically also include e-mails, their attachments, website information and other data stored on a computer, network, backup or other storage media. In e-Discovery, the information collected usually only includes active and archived data that is easily accessed and has not been deleted, encrypted or hidden. Typical data repositories include back-up disks or tapes, email servers and network server storage. In e-Discovery data is accessed, but not analyzed.
The commonly accepted definition of digital forensics is “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of evidence derived from digital sources.” More plainly, digital forensics is the art and science of finding, analyzing, preserving and precisely documenting digital evidence, wherever it may be found, and then interpreting those findings in a way that makes them meaningful to any client or trier of fact. It is a science in the sense that a digital forensic examiner’s approach uses the investigative method as well as certain industry-recognized protocols and standards. It is also called an art because each examination draws on the skills, techniques and abilities of the examiner to find the deleted and hidden files or other bits of information that would surely be missed through e-Discovery; every examination is unique (although each should produce the same results). An even simpler definition might be summed up this way: “Digital forensics is the transformation of raw data into intelligible information that meets the minimum standards of legal admissibility.”
The most important concept to understand is that the goal of every forensic examination is to produce “forensically sound” evidence. The key to a sound examination hinges on the exact duplication of the evidence being collected; this ensures there are no changes to the original evidence, and there is no rule more important than preserving the original source of the collected data. If the examiner makes a mistake during the imaging process and alters the source in any way, the forensic review must come to a halt and that source of data is lost forever. Something as simple as turning a device off or connecting a USB device to a computer virtually guarantees the corruption of any potential evidentiary value of the digital contents.
Forensic imaging, or copying, involves the following critical phases:
- Securing and preserving the data source;
- Imaging the items;
- Documenting the approach and methods used to copy data;
- Validating the accuracy of the evidence.
The essence of computer forensics begins with the procedures utilized to create a forensic image. A proper forensic imaging process ensures the integrity of the evidence by preserving it.
Digital Evidence
Forensic examiners typically target a specific personal computer, hard drive or other storage device or medium, searching for and restoring deleted and hidden information. Typical sources of digital evidence include personal computers, mobile communication devices (smart phones and mobile cellular telephones) and digital storage media including tape, floppy discs, compact discs, digital video discs, external or network hard drives, flash memory cards and USB “thumb” drives. Increasingly, digital forensic examiners are beginning to specialize in extracting data from often overlooked digital sources such as digital cameras, images and photographs, computer peripherals (printers, fax machines, scanners and copiers) as well as satellite navigation devices, automobile “black boxes” and web pages. In fact, anything with a memory chip installed in it might store critical evidence!
Digital evidence comes in many forms depending upon its source. Computers will generally produce the following types of information:
- Hidden, deleted, temporary and password-protected files can be recovered
- Documents and spreadsheets
- Contact information and calendars
- Internet browsing history and habits
- Pictures, graphics, videos and music
- Event logs, hacker activity and break-in attempts
- Software installed (illicit, pirated and legitimate)
Similarly, a wide range of information can be extracted from a mobile communication device:
- Hidden, deleted, temporary and password-protected files can be recovered
- Phone number and service provider information
- Outbound and inbound call information
- Text messages, instant messages and email
- Address books and calendars
- Global positioning system data and location information
- Internet browsing history and habits
- Photos, videos, music and voice recorder data
- Predictive dialing directories and dictionaries
- Ring tones
File types and data that are often not considered, or are overlooked altogether:
- Spooler files – cached files sent to a printer
- Virtual memory – memory contents that are transferred to a hard drive when a PC is running low on physical memory (RAM)
- Temporary Internet files – where browsers load images and information about web pages
- Automatic backup files – where document data is stored to ensure against loss in the event of a power failure or operating system crash.
- Recent link or used document files – the file path to documents and websites most recently visited.
- Power saver files – Used especially by laptop computers before running out of battery power.
- Metadata – In general, data about data is referred to as metadata. In this case, metadata refers to additional information about the questioned documents or images, which is stored as a part of the entire document file. The metadata can contain the history of the document, including all users who have modified or saved it, names of printers it was printed upon, etc.
The Digital Forensic Examiner
The foundation of digital forensic examination rests on the following questions:
- What is the evidence?
- Where is it stored?
- How is it stored?
- How long will it be there?
- How can it be forensically imaged?
- How can that data be translated into intelligible information?
The work of the digital forensic examiner falls into three broad categories:
First and foremost comes forensic imaging. There are specific tools for acquiring forensic images of digital storage media without changing the contents. It is not acceptable to merely copy and paste data files; the entire disk must be copied bit for bit.
Second, digital forensics incorporates established protocols for identifying and preserving digital files. The standard involves applying numeric procedures to the disk to produce a number, called a hash, that is for all practical purposes unique to the disk. Digital forensic experts use and validate these techniques each time they access the data to demonstrate its veracity.
The third task of the forensic examiner is to interpret hidden, deleted, partial and temporary files. This analysis requires specific knowledge of how digital devices and the various software applications handle the storage of data. The specialist must be able to clearly explain his findings to the Court.
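The imaging phases listed above (secure, image, document, validate) and the hashing step described under the examiner's second task are what a "forensically sound" copy amounts to in practice. The following is an added example, not code from the original article or from any forensic product it names: it performs a bit-for-bit copy of a constructed stand-in for a drive, hashes the source as it is read and the finished image after it is written, writes the acquisition record an examiner would keep, and then shows that re-hashing before each later examination catches even a single altered byte. The examiner name, item label and the sample media contents are hypothetical; real acquisitions copy whole media sector by sector with a dedicated imaging tool, but the verification logic is the same.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample "media": a tiny stand-in for a drive holding an active
# document, a region whose directory entry was deleted but whose bytes remain,
# and unallocated space. Contents are invented for this example.
SOURCE_MEDIA = (
    b"FAT\x00" * 8                                      # header bytes (constructed)
    + b"CONTRACT.DOC  Payment due on delivery.  "       # an active document
    + b"\x00" * 16
    + b"MEMO~1.TXT  (deleted) draft of the memo ...  "  # "deleted" file still on disk
    + b"\x00" * 64                                      # unallocated space
)

ALGORITHMS = ("md5", "sha256")  # two independent digests, as imaging tools commonly record


def hash_stream(fileobj, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file-like object in fixed-size chunks so that a multi-gigabyte
    image never has to fit in memory. Returns {algorithm: hex digest, "bytes": n}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["bytes"] = total
    return digests


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def acquire_image(source, image, examiner, item_id, chunk_size=1 << 20):
    """Bit-for-bit copy of `source` into `image`. The source is hashed as it is
    read (it is never opened for writing) and the image is hashed after it is
    written; the two must agree before the image is used. The returned record
    is the documentation phase: who, when, how many bytes, which digests."""
    started = datetime.now(timezone.utc).isoformat()
    src_hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    copied = 0
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        for h in src_hashers.values():
            h.update(chunk)
        image.write(chunk)
        copied += len(chunk)
    image.flush()
    image.seek(0)
    image_digests = hash_stream(image)
    record = {
        "item_id": item_id,          # hypothetical evidence label
        "examiner": examiner,        # hypothetical examiner name
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "source_hashes": {name: h.hexdigest() for name, h in src_hashers.items()},
        "image_hashes": {name: image_digests[name] for name in ALGORITHMS},
    }
    # Validation phase: source and image digests match and no bytes were lost.
    record["verified"] = (record["source_hashes"] == record["image_hashes"]
                          and image_digests["bytes"] == copied)
    return record


def verify_image(image, record):
    """Re-hash an image before each examination and compare with the acquisition
    record, as the article says examiners do each time they access the data.
    Returns (ok, current_hashes)."""
    image.seek(0)
    current = hash_stream(image)
    current_hashes = {name: current[name] for name in ALGORITHMS}
    return current_hashes == record["image_hashes"], current_hashes


def demo():
    """Acquire the constructed media, verify the clean image, then show that a
    single flipped byte (the kind of change a careless mount can cause) is caught."""
    image = io.BytesIO()
    record = acquire_image(io.BytesIO(SOURCE_MEDIA), image, "J. Doe (hypothetical)", "ITEM-001")
    clean_ok, _ = verify_image(image, record)
    tampered = bytearray(SOURCE_MEDIA)
    tampered[len(tampered) // 2] ^= 0x01   # alter one bit in the middle of the image
    tampered_ok, _ = verify_image(io.BytesIO(bytes(tampered)), record)
    return {"record": record, "clean_ok": clean_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the acquisition record with `verified` true, `clean_ok` true and `tampered_ok` false. Recording two digests computed in one pass, and re-computing them before every examination rather than only once at acquisition, is what lets the examiner show the Court that the copy analyzed is the copy that was made.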
A computer forensic expert should be trained specifically in the type of media with which he or she is working. He or she should be able to assist the litigation team by helping to identify which targets will yield significant probative evidence, provide physical oversight during the seizure of evidence, recover and analyze information using peer-reviewed, industry-standard techniques, software and equipment, prepare documentation in anticipation of litigation and then present testimony as an expert witness. When choosing a digital forensics examiner, look for service providers with professional certifications from developers of forensic software such as EnCase and FTK, and from organizations such as the High Technology Crime Investigation Association, the International Society of Forensic Computer Examiners, the Association of Information Technology Professionals and the Computer Technology Investigators Network.
Conclusion
There is so much more that can be written and learned about the application of digital forensics to almost any type or manner of litigation; in fact, entire encyclopedias including dozens of topic-specific volumes of information have been created about this new and still maturing facet of e-Discovery. In a world of technology that is evolving faster than any one person can keep up with, one thing remains certain… digital forensics is more than undeleting deleted files and recovering deleted e-mails. Electronic discovery presents numerous litigation management issues that should be addressed before legal action commences, and this must be done in concert with a competent digital forensic examiner who can address the likely scope and framework of an e-Discovery request. Digital forensic examination, as a function of e-Discovery, will only become more important as technology marches steadily forward.