Computer forensics: tips for handling electronic evidence

Originally published in The Lawyers Weekly

Has the typical citizen’s day become a scene from the science-fiction film Minority Report?

Maybe that person checks email on a BlackBerry first thing in the morning, then uses it to make a call. On the way to work, the person’s car passes traffic control sensors as the driver chooses tunes on a digital music player equipped with a calendar and clock. The car’s GPS system keeps track of the entire trip from home to office, where the driver enters the workplace using an office passcard system.

Once inside, the worker signs in to a computer and starts a day filled with emails, phone calls, voice mail messages, web surfing, files copied to USB thumb drives and other activities.

As we accept more electronic gadgets and systems into our lives, we also allow them, knowingly or not, to record our activities. Such records increase the importance of computer forensics.

For several reasons, data forensics professionals claim their work is often straightforward. For instance, two widely available data protection tools – data encryption and password protection – are rarely used effectively. “Most people never use encryption unless it’s mandated,” said Sharon Nelson, a lawyer and president of computer forensics firm Sensei Enterprises, Inc. “It’s too much trouble.”

People often undermine the effectiveness of passwords. “I once saw password choices for more than 45,000 lawyers,” said trial lawyer and certified computer forensic examiner Craig Ball. He could guess at just about every one: the name of a favourite sports team, a pet, words like “password” or “lawyer,” or an important birthday. If he can’t guess, Ball simply seeks a file with a name like “My passwords.”

“No matter how much this is publicized, it remains a problem,” Ball said.

Both passwords and encryption are legitimate data security techniques that can hamper discovery efforts. Other methods, such as “wiping” data storage devices, don’t necessarily help a case.

Wiping programs vary in quality, and even the ones that work as advertised serve as a smoking gun. “I have yet to run across a wiping program that doesn’t leave traces,” said Sensei’s vice president John Simek. “When we do find traces on a machine, judges don’t care for that.”

If you suspect data theft or fraud but your radar isn’t that of an expert, it may be time to call an expert. Nelson recommends seeking referrals. “Computer forensics is an unregulated industry,” she said. “Ask if the expert has already testified in court. You don’t want a greenhorn who’s testifying for the first time.”

There’s no reason for lawyers to be greenhorns either, and the experts offer several basic tips.

As counterintuitive as this may be, don’t turn on any device that may contain evidence. “When you open electronic evidence, when you copy it, you change it,” said Ball, “possibly in ways that are considered spoliation.”

“As soon as you have a litigation hold, you have to scramble to figure out what you have, how to preserve it,” added Nelson. “Clients may call an expert to work with their IT staff to figure out what needs to be stopped.” She includes automated “janitorial” processes that continually delete information that has not been flagged for retention.

Essential to effective search is an effective meet-and-confer strategy. The same comprehensive list of questions must be asked of both the adversary in a lawsuit and the client.

“You can’t blindly rely on your client to say ‘No, I don’t have anything,’” Ball said. “You have an obligation to identify, preserve and produce the evidence. If you don’t, you tacitly abet a fraud.”

Ball wants effective search strategies taught in law school. “Lawyers sit in a room and say ‘Well, why don’t we try these words? OK, let’s throw them against the wall and see what sticks.’ If you pull up a lot of noisy hits, a lot of irrelevant documents, somebody is being paid handsomely to review those documents and you run up your client’s bills unnecessarily.”

Nelson urges lawyers to document the ediscovery process to create evidence of prudent preservation and production. “Boo-boos happen to us all,” she said. “Documentation can keep you away from sanctions.”

Demand files in their native format to reduce the time and expense of discovery. This may not be possible for all information but, as Nelson noted: “Overwhelmingly, the electronic evidence that people want is email and documents. Those you can get native.”

Both Ball and Sensei Enterprises offer further reading on their web sites. For more information, please visit www.CraigBall.com and www.SenseiEnt.com.
