Vol. 83, No. 2, February 2010
By now, most lawyers know what e-discovery is. They know about electronically stored information (ESI), have mastered the 2006 e-discovery amendments to the Federal Rules of Civil Procedure and subsequent changes,1 and are keeping track of the proposed e-discovery changes to the Wisconsin civil procedure statutes.2 Most try to keep up with the area’s rapidly evolving case law. Some may even know the difference between a computer forensics expert and an e-discovery expert and the differences in the types of services each provide.
Most lawyers know a “deleted” file is not necessarily a file that cannot be recovered, and that computer forensics examiners can analyze computer hard drives, often restoring deleted files. Computer forensics examiners can determine when an external storage device like a thumb drive or external hard drive has been attached to a computer and from that information infer that files have been copied to the external storage device. Lawyers know these examiners can track Internet history and usage and analyze system-related information to determine when computer files were created, who created them, and when they were last accessed or modified.
On the other hand, most lawyers haven’t faced the challenge of presenting electronic evidence to a jury through the testimony of a computer forensics expert. Based on the author’s personal experience and discussions with nationally known computer forensics experts who have testified in court, the lawyers who have faced the challenge simply relied on the “talking head” to present the expert’s opinions to the jury. That is a risky strategy. Without the use of appropriate demonstrative evidence to describe how the ESI was secured, how it was analyzed, and what information was important to justify your position in the case, you risk confusing a jury with unintelligible technical jargon. You risk exposing your expert to impeachment on the basis of qualifications or methodology simply because the jury did not understand what the expert did or why his or her opinions should be deemed reliable. You risk putting the jury to sleep during your expert’s key testimony.
How Electronically Stored Information is Created and Collected
To know what should be presented in court and why, lawyers first need to understand the basics of electronic evidence. Whenever ESI is acquired from a computer, proper steps must be followed so the data acquired is not altered in the copying process and can be verified as an exact duplicate of the original. You cannot simply copy and paste a file from a computer hard drive to a thumb drive and then analyze the copy. The copying process alters the metadata associated with the file. Metadata is the unseen information that is part of the electronic file; it is data about the data in the file. In a Word document, metadata includes, among other information, the date and time the document was created, the date and time the document was last accessed or modified, and any comments or editing information created when using the track-changes function. In an Excel spreadsheet, metadata includes, among other things, the unseen formulae that are used to manipulate the visible data in the spreadsheet. In an email, metadata includes the detailed header information that tracks the journey of the email from the source computer through intermediary servers to the recipient’s computer.
If, for example, it is important in your case to know when a particular file was created, modified, or last accessed, copying and pasting the file will destroy your ability to obtain this information for both the original file and for the copy. Even opening and looking at a file without copying or modifying it will change the last-accessed date on the original file. Thus, if you want to be able to prove something based on evidence contained on a computer, you must be able to establish that proper acquisition procedures were followed. The risk of inadvertent spoliation is ever present, and that is why it is important to find the right person to make a forensically valid image of the source computer’s hard drive. Do not let your client’s employees or internal IT staff simply copy ESI for you, or “ghost” a hard drive, unless you are prepared to address spoliation sanctions, or you have a clear-cut agreement with the opposing party that standard forensics procedures need not be followed.
Standard Protocol for Forensically Valid Copying of ESI
A standard protocol has been developed that computer forensics experts follow to ensure the acquired data is unaltered and verified during the copying process using an MD5 or SHA-1 hash value. Think of a hash value as the electronic fingerprint for each computer file. The process known as hashing involves the application of a computer algorithm to the data to assign a unique electronic identifier to each file. If even a single letter in a word-processing file is changed, the hash values of the original and the copy will differ and the data alteration will be exposed. When a forensic image of the hard drive is made, part of the process is to assign hash values to the data, which are then compared at the end of the process to ensure they are identical. If the hash values are identical, you have a forensically valid copy of the data to analyze.
Bruce A. Olson, Marquette 1981, is president of ONLAW Trial Technologies LLC, a trial technology, e-discovery, and computer-forensics consulting company. He formerly was a shareholder in Davis & Kuelthau s.c. He is a national Board of Trial Advocates-certified civil trial specialist. He is a coauthor of The Electronic Evidence and Discovery Handbook: Forms, Checklists and Guidelines (American Bar Association). He was named “TechnoLawyer of the Year” in 2002 by Technolawyerblog. Reach him at bcom olson onlawtec onlawtec olson com.
The process typically applies to the imaging of hard drives that have been removed from computers or servers. A device called a write blocker is attached to the source hard drive. The write blocker prevents any changes or modifications to the files on the source drive during the imaging process. A complete bit-for-bit copy of the original is made on the destination drive. It includes not only the active files but also the information contained in what is called the unallocated space. The unallocated space is where a computer forensics expert goes to find evidence of deleted files. Before copying, the destination drive has been wiped to ensure there is no residual data on the drive from any other source. Typically, a pristine copy and a working copy are created, and subsequent forensics analysis is always done on the copy. The software used to create the image will hash both drives during the copying process and compare the results at the end of the process. If the hash values are identical, a forensically sound image has been created.
Different techniques apply for acquiring live data from active computer systems. Because the active system is live, it is impossible to acquire the information in a forensically verifiable fashion using hash values. Data is constantly changing in live systems, and it cannot be frozen in time without taking the system down. There are, however, tools and methods that can be used to create a forensically defensible copy of the live information. A proper expert with proper equipment must perform the process and must be prepared to testify to the reliability of the acquired ESI if the method is later challenged in court.
Forensics Analysis of the ESI
Once the working copy is made, appropriate analysis can occur. In a typical case the forensics examiner may be asked to find files within a given date range or files that contain certain words. Deleted files are usually examined, and when relevant they are restored. In some situations the entire deleted file cannot be restored but fragments of the file can still be found and presented in court. To explain to a jury how a deleted file can still be recovered after it has been deleted, the forensics expert will need to explain how a hard drive stores information, how forensics software works to retrieve the deleted files, and why the information that is presented in court should be assumed to be reliable. Internet usage is also typically examined. When appropriate, system files are also analyzed. This type of analysis can tell who was logged on to a computer, when and for how long, when files were copied to external drives, and the types of storage devices that were attached to the source computer.
Give the Jury a General Foundation First
When presenting the evidence, give the jury a general foundation first so jurors can later understand the more technical issues. Although it is possible to elicit all the necessary information through oral testimony alone, doing so raises a risk that the jury will not understand or believe the testimony. A better presentation method is to use a combination of oral testimony and demonstrative evidence. Using demonstrative evidence does not mean simply dropping a screen capture or two from a forensics software report into a PowerPoint slide. It means using a compelling mixture of different types of demonstrative evidence to educate the jury – and the judge – about several factors. To believe the expert’s ultimate conclusions, the jury must understand how the computer hardware that holds the ESI works; what software was used to create the information; what metadata is; what metadata associated with key evidence was created or altered; and how the metadata might be relevant to your theory of the case. The jury must understand what forensics hardware and software was used by your expert to harvest the information in a forensically valid way to avoid charges of spoliation or falsification of data. In the process of presenting your case, the demonstrative evidence should be used to subconsciously condition the jury to believe your expert is knowledgeable and credible.
Use Multimedia to Present Evidence
Use a multimedia approach that includes physical evidence, graphics, PowerPoint, and trial presentation technologies. If the pertinent information is on the hard drive of an individual personal computer (PC), consider using an exemplar computer in court that has been prepared for easy disassembly. Most jurors have no idea what is under the hood of a PC. Giving a simple anatomy lesson in which your expert pulls the cover so jurors can see the different components will help make them comfortable with the concepts they are about to learn. It also is a way to demonstrate visually how your expert followed proper protocol, and harvested the data by removing the hard drive, used a write blocker to protect the data before it was copied, and so on. Also consider displaying an actual hard drive that can be opened up to show the jury how it works. Granted, you could do the same thing with pictures, or just describe the process, but by using tangible evidence you engage the jury’s attention and begin to establish a rapport with the jury. To engage the jury, it always helps to have something to pass around the jury box, even if it is just a disassembled hard drive.
You can then move on to using graphics to explain concepts like sectors and unallocated space on the hard drive. By this time, the jury will be in a better position to understand what happens when a file is deleted, and why and how data can actually be restored. You can use these techniques to demystify the idea that a deleted file is not necessarily deleted. Now you can begin to introduce basic concepts of data recovery through the use of forensics software. This basic lesson of how computers work can be helpful simply as a way to explain how information is stored electronically on a computer hard drive. You can expand on the lesson using other graphics to show how electronic information is stored on PDAs, Blackberries, mobile phones, iPods, digital cameras or other storage devices, as the facts or your case dictate.
You can also use these basic principles of electronic storage to discuss how a server works, and from there you can move on to an explanation of network architecture. There are many network mapping solutions available that can be used to generate compelling graphics of the network structure you are dealing with. Check with your client’s IT department, because it may already have such information available or it may be able to easily create a map for you. Typically, the output will be an image file that can be dropped into PowerPoint or shown using trial-presentation software.
Use Common Examples to Explain Technical Concepts
Explain technical terminology by demonstrating what is meant using everyday examples. Once the basics are covered, it is important to give a tutorial on metadata and system files before moving on to explain the forensics software used to capture and analyze the information. Use simple examples like a document or an email. Open a Word file and then examine its metadata, either using Word itself or a metadata analysis and removal program like Metadata Assistant or Workshare Protect. If system files are going to be an issue, this is a logical time to explain how an operating system works. If email is the big issue, you will need to explain what an email server is, how it was configured, and how it works on a day-to-day basis. Explain acronyms like SMTP (Simple Mail Transfer Protocol), IMAP (Internet Message Access Protocol), and POP (Post Office Protocol), and how email headers work to route email from the source to the destination computer. Everyone uses email, but most people do not know how it actually works. Use analogies like comparing email to a letter transmitted through the post office. Graphics using clip art and diagrams are helpful in showing how an email is created, transmitted, received, stored, and retrieved. Using simple animation techniques in PowerPoint can even make the explanation come alive.
Explaining the Expert’s Forensic Analysis
Only after you have laid the above basic foundation is it time to turn to the forensics tools involved. Typically, presenting computer forensics evidence will involve working with reports created using X-Ways, EnCase, or FTK software. At this point it actually may be useful to use a few (just a few) screen captures dropped into a PowerPoint to demonstrate what is on the forensics expert’s desktop when he or she performs the analysis. It helps from a credibility standpoint to briefly show how much information is available to be analyzed, and how it can be sliced and diced to ultimately arrive at the information that is relevant to your case. Avoid displaying page after page of data tables or information exported into Excel spreadsheets. Show just enough so the jury is convinced the expert knew what he or she was looking for and found it. From there the expert can turn to the restored files that are germane to the case, and then look at the documents or email and any related metadata. At this point, the expert can confidently offer ultimate opinions on how the email was altered or the document was deleted or that other nefarious activities occurred.
Recycle Your Demonstratives
Much of this basic demonstrative evidence can be reused from case to case, so it is worthwhile to invest the time and effort at the outset to create a compelling presentation. Presenting electronic evidence is not a passing fad. If you build the presentation logically and mix tangible items with graphics and live demonstrations, you have a much better chance of persuading a jury to believe your expert. Credibility is the key. After all, would you rather rely on a fast-talking computer geek telling the jury to just take him at his word, or on an expert who can show in understandable terms how and why she did what she did to arrive at her ultimate opinions?
See also Timothy D. Edwards & Matthew Stippich, Proposed Rules for Electronic Discovery, 82 Wis. Law. 10 (December 2009).