Working With Computer Forensics Experts — Uncovering Data You Didn't Know Existed Can Help Make Your Case

Working With Computer Forensics Experts — Uncovering Data You Didn't Know Existed Can Help Make Your CaseBy Jiyun Cameron Lee, Esq.Attorney Jiyun Cameron Lee discusses the steps that attorneys should take to discover and preserve electronic evidence.In this electronic age, the significance of electronic discovery is well known. Most lawyers understand that discovery of paper documents is not enough. E-mails, typed in haste and without much thought, have dealt devastating blows in many court battles.The field of computer forensics, however, remains a mystery to many. The phrase conjures up visions of white-coated lab technicians huddled around a deceased desktop PC.The field of computer forensics is a mixture of science and art. On the one hand, it involves the investigation and extraction of computer-related data using specialized tools. On the other hand, it involves creative sleuthing to resurrect lost evidence, sometimes with little or no knowledge of what you are looking for.Used correctly, computer forensics can be a highly efficient -- and often cost-effective -- means of uncovering critical electronic evidence.Active vs. Ambient DataElectronic discovery typically involves "active" computer files -- e-mails, word processing documents, spreadsheets, databases and design schematics -- that have not been deleted and are easily accessible to the ordinary computer user. Most users do not know, however, that large volumes of potentially critical evidence exist in hidden areas of computer storage devices.This hidden information -- "ambient" data -- exists in areas of electronic media (computer hard drives, floppies, optical discs, etc.) that are not accessible to average users. Ambient data may consist of fragments of deleted e-mails, back-up copies of word processing files, deleted directory structures and hidden files reflecting the Internet history of the computer. A careful examination of such ambient data may tell a very compelling story about document destruction or theft of intellectual property.A Case in PointImagine the following scenario: Mr. Smith, a longtime employee of ABC Company, resigns from ABC to join its direct competitor, XYZ Company. At XYZ, Mr. Smith assumes responsibilities identical to those he had at ABC.XYZ's product is suddenly transformed to resemble ABC's product. ABC suspects that Mr. Smith has taken its trade secrets to XYZ, but cannot prove it. In discovery, Mr. Smith denies having taken anything belonging to ABC.My firm faced this very familiar scenario in a recent case involving the misappropriation of trade secrets. Using computer forensics, we were able to show not only that Mr. Smith had lied under oath but had destroyed documents to avoid getting caught.In our case, the forensic evidence came from Mr. Smith's home computer. (Names and details have been changed.) Based on our prior experience in similar cases, we knew that computer forensics may provide the evidence we needed to establish our case. We hired New Technologies Inc. (www.dataforensics.com), based in Gresham, Ore., to conduct the forensic analysis.The forensic analysis yielded a treasure trove of information, including the following:Two weeks before his resignation from ABC, Mr. Smith created a new directory on his home computer called "Business Strategy." The directory contained ABC's business plan and its proprietary market analysis;The "Business Strategy" directory was deleted from Mr. Smith's home computer three months after his resignation from ABC, just days after ABC filed suit against XYZ and Mr. Smith;Registry information (information contained in a special operating system file) found on Mr. Smith's home computer showed that the "Business Strategy" directory had been unzipped from a floppy disk. The floppy disk had never been produced; andThree days before his resignation, Mr. Smith downloaded an extensive database from ABC's server onto his home computer.The forensic evidence destroyed Mr. Smith's credibility and transformed the case.Not Hocus-Pocus, But TeamworkThere is no doubt that the evidence against Mr. Smith could not have been found without sophisticated software tools used by our computer forensics expert. However, it is also true that the evidence against Mr. Smith would not have been found in the absence of collaborative teamwork between counsel and expert.Teamwork is key in computer forensics because typically, neither counsel nor the expert knows what he or she is looking for. This was true in the case of Mr. Smith.We did not know what Mr. Smith did before he left ABC. Mr. Smith had been a 15-year employee with ABC and had access to documents, databases, plans and source code. For all we knew, Mr. Smith had done nothing. But his rapid transition to his new duties at XYZ -- which mirrored his duties at ABC -- suggested that he was using ABC's information.The fact that we found ABC documents on Mr. Smith's home computer, moreover, told us nothing. Even though we were finding deleted fragments of ABC documents, that fact alone was easily refuted by Mr. Smith's claim that he sometimes used his home computer to do ABC work and deleted from his computer those documents he no longer needed.We clearly needed more. The expert, who was skilled at the science of computer forensics but did not know the detailed facts of the case, was hampered by the volume of information available to him on the computer hard drive.The lawyers, on the other hand, were hampered by the fact that we could not simply flip through documents to look for kernels of facts that may lead to more intriguing evidence, as we would have done in a typical case. We bridged this gap through extensive collaboration.The lawyers reviewed the fragments of deleted documents provided by the expert to identify those that were potentially "of interest." The expert attempted to resurrect every documentary fragment so identified, and to trace the document back to determine, where possible, when and how it was created on the computer and when it was deleted. Such collaboration ultimately allowed us to retrace Mr. Smith's steps.Working With Computer ForensicsIf you are faced with a situation in which a computer may contain potentially relevant evidence, consider the following.Prepare for discovery of not just "documents," but of original media. If you are representing the party seeking the discovery of electronic media, craft a discovery plan that targets the media, for example, a computer hard drive. Remember that in addition to "active" data in the form of word processing documents, spreadsheets and the like, "ambient" data may reveal relevant evidence.If you are representing the party who is the target of such discovery, keep in mind that most judges in most situations will be reluctant to order a forensic examination of electronic media unless there is some established evidence of evasion or wrongdoing. Work closely with your client to minimize your opponent's ability to levy such charges.Preserve the original hard drive. As soon as you are on notice that a computer may contain potentially discoverable evidence, preserve the original hard drive and do not allow anyone to use or access the hard drive. If the computer is in the possession of the opposing party, ask for preservation as soon as possible. This is because each time the computer is turned on, the mere operation of the computer can overwrite potential evidence. The prohibition on use and access should be extended to information management specialists employed by your client.Know your expert. As in any field, the range of skill and expertise varies greatly among those who work in computer forensics. Most computer forensic "experts," for instance, know how to retrieve deleted documents and e-mails. Many, however, do not possess the knowledge or tools to do more. Carefully interview the expert and check references to determine whether the expert has the skills and the tools to conduct the type of forensic analysis you need.Carefully craft the terms of the order allowing a forensic investigation. If a forensic investigation is allowed, you will need a stipulation or court order setting out the process for conducting such investigation. Regardless of whether you represent the party who is seeking to do the forensic examination or the party who is the target of such examination, propose terms that will give you, not your opponent, maximum control over the process. Understand how each provision in the stipulation or order will help or impair your ability to direct a forensic review by consulting with your expert.Recognize the limits of computer forensics. I have heard computer forensics experts proclaim that they can find information on a computer storage device (e.g., a floppy disk or hard drive) even if the information has been deleted and overwritten up to seven times with other data. This may sound good, but be aware that:In order to find it, you have to know what you are looking for;In order to know that

https://docs.google.com/viewer?a=v&q=cache:ypBwK6m9VR8J:https://ad-pdf.s3.amazonaws.com/Forensic_Issues_VHDs_Windows7.pdf+&hl=en&gl=us&pid=bl&srcid=ADGEESjMoul57xIXnT4cj2vqs7iIkcynjyl_jTBK6kP61Iozd80uaVVEeU_aB6W_GE0zF7RbipgEyqEnDt_795QpoB3AMwOigFlxyPk0YYrOytA4uDYlBnz6DH8jvCkM_jM05FMm6DVs&sig=AHIEtbRGivjUud9sCHJY4tFdPzcGm1bm5Q