. Preserving and Protecting Computer Evidence

http://www.electronicevidenceretrieval.com/preserving_protecting_evidence.htm


. Preserving and Protecting Computer EvidencebyJohnette Hassell, Ph.D. and Susan Steen  

Introduction

 The realm of discovery has changed vastly during the past twenty years. A key change is that today information is stored, hidden, and even "deleted" from computers as well as many other varieties of electronic media.Computers are no longer just tools for engineers and scientists. For many people, computers are now a primary mode of communication. Network news reported an instance in which a teenage girl, who had witnessed a friend killed and wanted to be with her friends to grieve, went straight to her computer to "instant message" them.Even criminals involved in non-computer activities, such as drug running, fraud or larceny, use computers and leave electronic evidence--evidence that may be in the form of e-mail and other forms of electronic communication.Discovery of such electronic evidence poses challenges that are different from those of discovery of paper and other tangible documents, but such new techniques have not been incorporated into all law school curricula. In this article we discuss the issues and techniques involved in assuring that electronic evidence is properly protected from loss or damage.The destruction, or spoliation, of electronic evidence can occur as the result of a variety of seemingly innocuous events. Being armed with the knowledge necessary to avoid such spoliation can mean the difference between triumph and defeat in the courtroom, even when, upon first assessment, a case may not appear to involve the use of computers.

Volatile/Transient Nature of Electronic Evidence

There are at least four ways electronic evidence can be compromised.

Inadvertent Spoliation

Even the most careful of computer users occasionally delete something they should not have deleted or neglect to do a backup of important files. Computer operating systems hide many internal operations from the user and what a user sees is not necessarily all that is going on inside the system. Since merely starting a computer changes every drive it has access to, anyone accessing a computer can unintentionally cause changes and not be aware of it.For example, when the Microsoft Windows® operating system starts during the boot-up process, it writes to every disk on the system and changes approximately 160 files. Many dates are changed in this start up process, and "who knew what, when" evidence may be unintentionally destroyed.In one case investigated by the authors, an attorney had custody of a client's computers. Information technology staff from the opposing counsel's office insisted on knowing the size of the plaintiff's drives. An obliging legal assistant booted the systems and reported the disk sizes. When the drive was subjected to a proper forensic investigation, 192 files had been changed and the "last modified" dates corresponded to the time the assistant started the machines. For more detailed information on a proper forensic examination see Demystifying Computer Forensics.In the case of R.S. Creative Inc. v. Creative Cotton Ltd. (1999), 75 Cal.App.4th 486, the need to protect the content on drives suspected of containing evidence was recognized by the parties who stipulated that the computers would not be turned on until the computer forensics expert examined them. Violation of this stipulation resulted in the Court's finding of evidence spoliation and dismissal of the case.

Deliberate Software Spoliation

When a user deletes a file from a computer, the file usually still exists on the physical hard drive and can be recovered. However, there is a thriving software industry that specializes in software that totally erases files. Such software is inexpensive and readily available over the Internet. Users need not be particularly sophisticated to find and use such "overwriting" software. In one trade secret case, the culprit had used this kind of software to delete folders and documents that held incriminating evidence, company-owned files he had previously copied to his home computer. Unfortunately for him, a forensic examination of his home computer revealed data showing the history of the documents he had stolen.In 2003, an Illinois U.S. District Court Judge granted a defendant's motion for sanctions against the plaintiff and recommended that the case be dismissed with prejudice after it was discovered that the plaintiff had attempted to delete relevant evidence from his computer by running the Evidence Eliminator™ software, which claims to defeat forensic analysis software.Even simpler techniques, such as renaming files and their extensions in an attempt to hide the true nature of files, are known to many users. Such subterfuge is particularly common in child pornography cases. However, computer files contain "signatures" that indicate the true type of each file. Computer forensic software and techniques are able to read the signatures and reveal the actual nature of the files.Changing the date or time on a computer is relatively easy; simply right click on the date in the Windows task bar and you can adjust the date on the computer. One defendant who was on notice that his computer would be examined on a given date sought to obscure evidence of his crime. He turned the computer clock back two months, deleted the incriminating files, and returned the computer clock back to the correct time. Unfortunately for him, he reset the date incorrectly and the forensic examination of hidden log files quickly revealed what he had done.More sophisticated users try to hide data by altering system components. Operating systems such as Windows 98® and Windows XP® use system tables to store information about files. These tables record the name, location and other information for each file. Users may alter the File Allocation Table (in Windows 95® and 98®) files, or the Master File Table (in Windows NT®, 2000® and XP®), making the directory information for their files incorrect. This has the effect of making the files undetectable to ordinary users. Computer forensic software, however, bypasses these tables and allows the forensic examiner to see the true file structure. Operating systems allow users to divide disks into sections called partitions. Software to create and manage these partitions comes with the operating system itself, and numerous other versions of partition-managing software are readily available on the Web. With the user manual for the software at hand, it is easy to create a partition on a drive and make it invisible to ordinary users. As in other scenarios of deception, forensic software bypasses the partition management software and provides information related to all partitions, hidden or otherwise.In Computer Assoc. Int'l v. American Fundware, 133 F.R.D. 166 (D. Colo. 1990), American Fundware adhered to company policy and continued to destroy earlier versions of their software even after the start of copyright infringement action and service of discovery requests. As a result, the Court found that the company had acted in bad faith and agreed with the Plaintiff's motion for default judgment.(1)

Hardware Spoliation

 In the authors' experience, spoliation due to hardware damage is infrequent. Occasionally we find a computer hard drive that was inadvertently corrupted, but in such cases forensic techniques can often recover all or most of the drive content.Opposing parties occasionally try to make changes to computer hardware in order to hide data. We have even encountered computer cases in which some of the drives relevant to the case were disconnected from the system! Standard forensic techniques catch even low-tech attempts to hide data such as this. The authors were retained in another such case in which the defendant agreed to turn over the hard drives on a particular computer to the plaintiffs. When we conducted a proper examination of the drive, we discovered that the drive was not the so-called "C" drive of the computer, but a substitute installed by the defendant.

The Importance of Dates

When computers are suspected of containing evidence, following proper protocol is critical to the discovery process. Merely starting a computer changes files, and many of those changes affect significant dates. A computer's operating system usually records the date(s) on which each file was created, last modified, and last accessed.In some cases, a client's defense may be based on someone else having access to the computer in question. Such cases can be difficult because it is relatively easy to alter dates on files, and because merely accessing a computer changes file dates. While forensic software, in the hands of a skilled examiner, can access date and time information not available to users, it cannot retrieve dates once they have been altered. This makes the proper forensic image described in later sections of this article imperative.In the intellectual property dispute case of Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996), a reported "computer expert" used forensically invalid copies of the suspect hard drives to collect and analyze computer evidence. As a result of the improper, forensically unsound procedure utilized to copy the drives, file date stamps were altered and the chain of custody was destroyed. Severe evidentiary sanctions were issued, as the Court recognized the "duty to utilize the method which would yield the most complete and accurate results." (2)

A Proper Forensic Examination

Proper forensic examination calls for first creating an image of the drive(s) suspected of containing evidence. We speak of a proper forensic examination when the following three criteria have been satisfied:1. The image is an exact, bit-by-bit duplicate of the original computer drive.2. The image is taken in such a way as to guarantee that the original was not changed.3. The image is examined in such a way at to guarantee that the image is not changed. Following proper forensic procedure, the forensic investigator takes appropriate actions to "ground" him or her self so as to not damage a drive via static electricity discharge. Next, the drive to be imaged is removed from the computer case. It is then placed in a write-protected device (or connected to a computer running an operating system that won't write to the drive) and an exact copy of the drive is made. Such techniques are required to assure that the imaging process does not change the original evidence.After creating the image, the forensic technician leaves the premises to investigate the image, thus minimizing the disruption to the owner's business or home.

Verifying the Preservation of Data Using Hash Codes

We use hash codes to ensure the integrity of the forensic process. A hash code is a mathematical formula that gives a unique result when applied to a computer file. For example, consider two hash codes for the above heading. The value of the hash code for the heading as it appears above is: 95bace9c862e5095448860fdca58f5c6. Editing the heading to end with a period yields a hash code of 3921f290de80a08a530eb5626a2ebfc1.The hash code for each sector of the suspect drive is computed several times during the imaging process. It is computed on the original disk before it is imaged, on the image file when it has been taken, and again on the original disk after the image has been taken. All three must be identical for the image to be valid. If the hash code of the image does not match the hash code of the original drive, a new image must be taken, as non-matching hash codes indicate that the image created was not an exact match of the original drive.Hash codes are also used to assure the integrity of the investigation. Forensic tools, such as EnCase® and Forensic Tool Kit®, re-compute the hash code each time they open an image and again at the end of each session. Matching hash code values verify that the tools and technicians have not changed the image.

What You Can Do

As soon as you suspect that relevant data may exist on a computer, do whatever is within your power to assure that it remains untouched. It is human nature to want to "check out" possible evidence, but doing so risks spoliation. If the computer is on and there is any reason to believe it might be "booby trapped" to destroy data if it is not shut down in a certain way, simply unplug the machine from the electrical source.Next, consult a trained computer forensics expert. Even if you do not currently have physical custody of the computer, the expert can help the attorney explain to the Court how and why obtaining a forensic image of the computer may be crucial to the case. That is, the computer may contain hidden or deleted files that could bolster the case, and an expert can help assess that possibility. Courts are now recognizing the importance of retaining properly trained, experienced computer forensic specialists. In United States v Greathouse, the Court faulted the plaintiff's expert for not using current technology as well as for removing multiple computers from the site instead of using forensic software to "…more narrowly tailor the search and seizure." (3) An experienced investigator should have protocols in place to accommodate just such situations and to avoid the resulting criticism.The opposing side should receive notice to cease using the computer and not to modify or make deletions from the computer. This includes not installing new software, adding new documents, running secure deletion software, or otherwise modifying the computer. The prohibition on new software and documents is needed to prevent the user from filling up the computer's hard drive with nonsense characters and files, thereby overwriting data that may have evidentiary value.It is important to explain all the aspects of the case carefully to your forensics expert. Well trained, experienced technicians have techniques to accomplish expeditious and cost-effective searching and examination of the drive.The bottom line is simple: treat the computer in a computer crime case as if it were the corpse in a murder case. Keep it isolated to avoid contamination, and call in a forensic specialist to conduct the investigation as soon as possible.

References

Interested readers will find information concerning electronic evidence, forensically sound imaging of computer drives, and spoliation of electronic data in the following references.Delmero, M. SPOLIATION: Analysis. (n.d.) Retrieved March 15, 2004 fromhttp://cyber.law.harvard.edu/digitaldiscovery/library/spoliation/spoliationanalysis.htmlNimsger, K. M. (2003). Digging for e-data. Retrieved March 2, 2004 from http:// www.krollontrack.com/LawLibrary/Articles/trial_nimsger.pdfHassell, J. and Steen, S. Demystifying Computer Forensics, 50 The Louisiana Bar Journal, 278-280 (2002).Leeds, G. S. and Marra, P. A. (2000, April 17). Discovering and preserving electronic evidence: how to avoid spoliation pitfalls in the computer age. Retrieved March 2, 2004 from http://www.spsk.com/Articles/artdscov.cfmPatzakis, John (2002, January 30). Lawyers draft IT security professionals for litigation support duty. Retrieved March 4, 2004 from http://www.infosecnews.com/opinion/2002/01/30_04.htm(1) Leeds, G. S. and Marra, P. A. (2000). Discovering and preserving electronic evidence: How to avoid spoliation pitfalls in the computer age. http://www.spsk.com/Articles/artdscov.cfm(2) Patzakis, John (2002). Lawyers draft IT security professionals for litigation support duty. http://www.infosecnews.com/opinion/2002/01/30_04.htm(3) Victor Limongelli, United States v. Greathouse, Legal Corner, at http://www.guidancesoftware.com/corporate/examiner/2004-04.shtm#tag3Originally published in Evidence Tech Mag