Vol. 85, No. 4, April 2012
A disgruntled employee decides it is time to get a new job and obtains employment with a direct competitor of his current employer. Late in the day, and trying to be quiet and not be noticed, the employee inserts a thumb drive into his computer and begins copying large numbers of computer files containing important proprietary information. The employee then provides to his new employer things like client lists, marketing strategies, copies of contracts with customers and suppliers, and a myriad of other sensitive data. A few weeks later, customers start switching to the employee’s new company, and managers at the old company begin to wonder what is happening. They suspect theft of their confidential data has occurred, and they turn to their lawyer for help. The lawyer realizes she must begin the process of finding out what happened by having the former employee’s computer forensically imaged and examined.
Or perhaps an employer receives complaints that one of its employees is harassing another employee by sending threatening email or by using the computer in an unauthorized way to view inappropriate content while in the presence of the harassed employee. Fearing a lawsuit, the employer takes steps to preserve the computer evidence of the suspected harassment and then examine it to see if any actionable activities have taken place. The starting point of the investigation is the forensic imaging and examination of the harassing employee’s computer.
In yet another scenario, a woman contacts a lawyer to discuss her suspicions about her spouse and whether to get a divorce. The lawyer might contemplate contacting an old-school private eye, the type who lurks in the bushes or in a car with a camera and telephoto lens or combs through trash bins looking for an incriminating receipt. But nowadays, the lawyer should call on the investigative skills of a computer forensics examiner first, to look for the husband’s electronic communications with other people or to find evidence of the use of the computer for the viewing of illicit materials.
The use of computers to commit crimes such as identity theft is an increasing problem. Computers also may be home to relevant evidence in other areas of the law. In this digital age, each of us leaves tracks across the hard drives of the computers, iPads, and smart phones we use every day. Consequently, attorneys must have a basic understanding of the kinds of evidence that can be recovered through use of computer forensics from the digital devices we use in our daily lives. The electronic evidence needs to be preserved and discovered, and attorneys need to know what steps to take to deal with such evidence.
Computers and Electronic Devices as Sources of Evidence
A personal computer or laptop can be a treasure trove of information that might play a role in employment, family law, breach of contract, and many other types of legal disputes. Cell phones and smart phones, too, can be useful sources of evidence. Digital cameras may contain recoverable photos or videos with embedded metadata identifying the location and time the photos or videos were made. Personal digital assistants (PDAs) may contain appointment data or contact information that is suspicious. Global positioning system (GPS) devices may contain relevant information concerning a user’s past whereabouts.
Finding Financial Assets and Other Evidence
In cases dealing with financial assets, the forensic examination of computers and phones may disclose efforts to hide assets using online or off-shore bank accounts or other hidden investment accounts. A small-business owner may keep a duplicate set of books hidden on a thumb drive. Thumb drives also may be used to hide many other types of evidence. A person’s work computer might indicate violations of permitted-use policies for the Internet, which in some cases could rise to the level of creating a hostile work environment. A person’s home computer might reveal evidence about the person’s nonmarital relationships. Evidence of online gambling, excessive purchases, or the use of PayPal accounts may indicate a wasting of spousal assets. Even the fact of being on the Internet for many hours a day might be significant in litigation, for example, as evidence of neglect of children or a spouse or as having a negative effect on the user’s earning capacity, which could become an issue in spousal support disputes.
Use of Electronic Communication
Use of instant messaging or Internet chatrooms may be significant in family law disputes or in terms of communication between parties who may become involved in litigation, and logs of such communications may be recoverable. Cell phones maintain records of calls that were placed and received and of text messages, which may be recoverable. Use of Hotmail, Yahoo, Gmail, and other Web-based email accounts may be suspicious both in the workplace environment and in terms of contacts outside the marital relationship. Records can be recovered showing the use of such accounts and who the sender and recipients were of Web-based email, even if the emails themselves are not recoverable from the computer. Use of Facebook, LinkedIn, or other social media sites may provide evidence relevant to litigation. Efforts to use evidence-eliminating software or to reformat or defrag a hard drive to cover a user’s tracks may be discovered through computer forensics and used as evidence of spoliation.
Role of the Computer Forensics Expert
In most cases, attorneys needing computer information need to obtain assistance from a person who has expertise in computer forensics. One thing attorneys definitely should not do is boot up the computer and begin to poke around by themselves. Even the process of booting the computer can alter information, and certainly accessing and reviewing files on the computer will alter file metadata. This could result in serious spoliation of evidence and the imposition of sanctions. Thus, the attorney needs to turn to someone who can ensure that the original evidence will not be altered and who can then access and analyze the electronic evidence in a meaningful way. This is the role of a computer forensics expert.
Computer forensics is the identification, preservation, acquisition, extraction, documentation, and interpretation of digital evidence. Computer forensics examiners are trained to identify potential sources of data from computers, cell phones and smart phones, digital cameras, GPS units, photocopiers, and other electronic devices.
Computer forensics examiners are trained to follow an appropriate protocol to collect such evidence and to create forensic images of the original media in a way that ensures that the data on the source device is not altered during the collection process. They use appropriate equipment and techniques to establish that the data that is copied forensically is an exact, verifiable duplicate of the data stored on the source device, and they prepare chain-of-custody documentation.
When a forensic image is made, the examiner copies not only the files that are visible to the average user but also the unallocated space from which deleted files may be recovered. Appropriate forensics software is used to analyze the recovered evidence and learn about an individual’s use of electronic devices.
Evidence may be gathered from computer hard drives, including both internal and external drives; compact discs and DVDs; thumb drives; flash cards and SIM cards; and other types of electronic storage devices. In some cases, photocopiers and multipurpose scanner/printers contain computer memory from which potentially relevant evidence can be recovered.
Preservation Obligations Start Early
As soon as possible after being contacted by a client, a lawyer should determine whether computers or other devices exist that may contain relevant data. If so, preservation steps should be considered, even if ultimately the decision is made not to analyze the recovered data. One solution is to take the computer out of circulation and impound it, making sure no one boots it until it is determined whether a forensics examination is warranted. It is also possible to create a forensic image for preservation purposes at a reasonable cost and then simply leave the forensic image on the shelf for possible later use. The longer the delay in deciding whether to preserve computerized information, the more likely it is that recoverable data will be lost.
Computer Imaging Protocol
The first step in examining a computer is the creation of a forensic image. The PC is turned over to the examiner, who must properly document receipt of the computer. Subsequent activities will also be logged in writing. The examiner takes photographs of the computer, paying particular attention to the serial number and the computer’s overall condition. The examiner then opens the computer case and takes more photos. The examiner notes the condition of the interior of the computer. Normally, there will be a great deal of dust inside a computer that has been in use for some time, including dust on the installed hard drive. A hard drive that is quite clean in comparison to the case as a whole immediately creates the suspicion that the hard drive has been swapped by someone. The examiner then removes and photographs the hard drive to document its make, model, and serial number as well as surface appearance.
The examiner next turns to the imaging of the hard drive. When an acquisition workstation or duplicator reads the source drive, the operating system on that workstation may write to the drive (for example, by mounting the volume or updating file-system timestamps), altering the very evidence being collected. To prevent this, a write blocker is used: a hardware device placed between the source drive and the workstation, or a software control, that passes read commands through and discards any writes. Some forensic duplicators have write blocking built in.
It is typical for the examiner to make two copies of the source hard drive. One is a pristine evidentiary copy that is bagged, tagged, and stored, and accessed only if there is a dispute whether the second copy, the working copy, contains accurate data. The examiner uses the working copy for all subsequent analysis. While the hard drive is out of the computer, the computer is powered on into its BIOS setup screen and the BIOS clock and time-zone settings are compared to a reliable time reference. This is done to ensure the accuracy of any later interpretation of time-stamp information for files created using the computer. If there is a time difference, the offset is recorded and applied when reporting the times reflected on files found noteworthy in the forensic examination. The examiner then reinstalls the hard drive in the source computer, which is returned to the owner.
Recovery of Deleted Information
Recovering deleted information is an especially important role for a computer forensics examiner. When a file is deleted, the operating system marks the disk space it occupied as free (unallocated) but does not erase the contents, so the data remains in unallocated space until that space is reused. A computer forensics examiner copies the unallocated space as part of the forensic image and uses specialized software to recover deleted files, even after they have been emptied from the recycle bin, unless they have been overwritten. In some cases they have been partially overwritten, and only parts of a deleted file are recoverable.
Deleted files are overwritten as the normal operation of the operating system reuses unallocated space for new data, in a pattern the examiner cannot predict. This makes electronic evidence extremely volatile. The longer one waits from the time a file is deleted to the time a recovery effort is made, the more likely it is that the file will have been overwritten. How soon that happens depends on how much free space the drive has and how heavily it is written: a nearly full or busy drive reuses freed space much sooner than a large, lightly used one. Cell phones and smart phones in particular overwrite data much more often than do personal computers. Solid-state drives are a special case, because their controllers may erase freed blocks on their own (the TRIM feature), so deleted data can disappear even without new writes. Consequently, it is important to try to collect such evidence as soon as possible.
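The recovery software described above works in large part by scanning unallocated space for the byte signatures that begin and end known file types, a technique called carving. The following is an added example, not from the article or from any forensic product, that carves JPEG photos out of a constructed block of unallocated space; one photo is intact and one has had its tail overwritten, which is exactly the partially recoverable case discussed above. The byte string it scans is made up for the example; real input would be the unallocated clusters exported from a forensic image.

```python
"""Signature-based carving of deleted JPEGs from unallocated space (added example)."""

JPEG_HEADER = b"\xff\xd8\xff"      # SOI marker followed by the first segment marker
JPEG_FOOTER = b"\xff\xd9"          # EOI marker
MAX_CARVE = 20 * 1024 * 1024       # stop looking for a footer 20 MiB past a header


def carve_jpegs(unallocated, max_size=MAX_CARVE):
    """Return one record per JPEG header found in *unallocated*.

    A record is complete when an EOI marker follows before the next header (or
    the size limit). When no EOI is found, the tail of the file was overwritten;
    the surviving head is still carved, which is what "partially recoverable" means.
    Real carvers also cope with EXIF thumbnails, which embed a second SOI inside
    the first image; this example does not.
    """
    results = []
    pos = 0
    while True:
        start = unallocated.find(JPEG_HEADER, pos)
        if start == -1:
            break
        nxt = unallocated.find(JPEG_HEADER, start + len(JPEG_HEADER))
        limit = min(start + max_size, nxt if nxt != -1 else len(unallocated))
        end = unallocated.find(JPEG_FOOTER, start + len(JPEG_HEADER), limit)
        if end != -1:
            results.append({"offset": start, "data": unallocated[start:end + 2], "complete": True})
            pos = end + 2
        else:
            results.append({"offset": start, "data": unallocated[start:limit], "complete": False})
            pos = limit
    return results


def constructed_unallocated():
    """Constructed stand-in for exported unallocated clusters; not real disk data."""
    jfif_app0 = b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    intact = JPEG_HEADER + jfif_app0 + b"A" * 40 + JPEG_FOOTER
    truncated = JPEG_HEADER + jfif_app0 + b"B" * 24          # EOI and tail were overwritten
    zeros = b"\x00" * 64
    document_text = b"Quarterly revenue figures attached.\r\n"  # unrelated deleted file remnant
    return zeros + intact + document_text + truncated + zeros + document_text


if __name__ == "__main__":
    for rec in carve_jpegs(constructed_unallocated()):
        state = "complete" if rec["complete"] else "partial (tail overwritten)"
        print(f"JPEG at offset {rec['offset']}: {len(rec['data'])} bytes, {state}")
```

The carved fragment of the second photo ends wherever the next signature or the end of the data appears, because the carver has no way of knowing where the original file ended once its footer is gone; a viewer will typically render the surviving top portion of such an image.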
Use of Hash Verification
It is important to verify the accuracy of the created images during the imaging process, to be certain that an exact bit-by-bit copy of the source hard drive has been created. This process is called hash verification. A hash value is a fixed-length hexadecimal string produced by running a cryptographic hash algorithm over the data; changing even a single bit of the input produces a different hash value, so matching hashes show that the two sets of data are identical. The hard drive as a whole has a hash value, and it is also possible to calculate a hash value for each individual file on the hard drive. Typically an MD5 or SHA-1 hash is used, and many examiners record both. (Deliberately crafted MD5 collisions have been demonstrated, but for detecting an imaging error or a later alteration of the image, either algorithm remains effective, and recording both removes any doubt.) The source drive is hashed before the copying takes place. After the copying process, the image and any duplicate are hashed. The hash values are then compared, and if they match, the copy is a bit-for-bit duplicate of the source.
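In practice the hash is computed in one pass over the media, feeding the same bytes to both algorithms, and the results are written into the examiner's notes beside the image. The following is an added example, not from the article or from any imaging tool, showing that computation and the comparison of source and image hashes; the two "drives" are constructed byte strings held in memory, and with real media the same function would be given open file handles for the source device (behind a write blocker) and the image file.

```python
"""Dual-hash (MD5 and SHA-1) verification of a forensic image (added example)."""
import hashlib
import io

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-terabyte media never has to fit in memory


def hash_stream(stream, algorithms=("md5", "sha1")):
    """Return {algorithm: hex digest} over every byte of *stream*, read once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():          # the same bytes feed every algorithm
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image):
    """Hash source and image; the copy is faithful only if every algorithm agrees."""
    src = hash_stream(source)
    img = hash_stream(image)
    return {"match": src == img, "source": src, "image": img}


def constructed_drive(size=3 * CHUNK + 17):
    """Deterministic filler standing in for a small disk; the odd length exercises
    the final partial read. Constructed sample data, not a real image."""
    pattern = bytes(range(256))
    return (pattern * (size // len(pattern) + 1))[:size]


def flip_one_bit(data, offset):
    """Copy of *data* with one bit changed at *offset*, simulating a single-bit imaging error."""
    altered = bytearray(data)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    drive = constructed_drive()
    good = verify_image(io.BytesIO(drive), io.BytesIO(drive))
    bad = verify_image(io.BytesIO(drive), io.BytesIO(flip_one_bit(drive, len(drive) - 1)))
    print("faithful image :", good["match"], good["image"])
    print("one bit changed:", bad["match"], bad["image"])
```

Note that a truncated image (one byte short) fails verification just as a flipped bit does, which is why the hash is taken over the whole device, including unallocated space, and not only over the visible files.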
Analysis of the Electronic Evidence
The working copy of the hard drive is then available for analysis. Typically, the forensics examiner will use a software program such as EnCase, FTK, or X-Ways Forensics to begin the analysis. Other software may be used to analyze the Windows registry. Internet usage and chat history will be analyzed using NetAnalysis, CacheBack, Internet Evidence Finder, or a similar product. Different software is available for imaging and analyzing Macs. Other specialized equipment and software is used for the acquisition of cell phones and smart phones.
Obtain an Estimate of Cost
The computer forensics examiner must make a considerable investment in equipment and software to be able to perform his or her tasks. The analysis of the data itself is painstaking and often very time consuming. The attorney should always ask for a price estimate before work is begun and set expense thresholds that should not be exceeded without prior authorization. Be aware, however, that pre-analysis estimates are rough estimates. There is no way to accurately predict what will actually be encountered when the analysis starts.
Use of Thumb Drives and Related Storage Devices
Thumb drives can be used to store many different types of data. It is not uncommon to find that someone has installed a copy of QuickBooks, Quicken, or a similar program on the thumb drive itself, and that all the related bookkeeping data is stored on the thumb drive. A link file on the computer pointing to a file with a .QBW extension (a QuickBooks company file) on a thumb drive suggests that a duplicate set of books is being maintained. Other relevant document, spreadsheet, image, or word-processing files also may be stored on a thumb drive. Many types of data could be hidden on a thumb drive. The same analysis applies to other removable storage, so in addition to thumb drives you need to look for external hard drives, memory cards, and links to DVDs or CDs.
Role of Link Files
When a file on a thumb drive is opened through Windows Explorer or a shell-aware application, Windows creates a shortcut, or link (.lnk) file, in the user's Recent folder on the computer's hard drive, where it remains until it is deleted and overwritten. Thus, even without access to the thumb drive, you can tell from the evidence remaining on the computer that it was used to access the thumb drive. Forensics software will list all link files, and each link file records the path of the file that was opened, that file's creation, modification, and access dates as of the last time the link was updated, and the drive letter, volume label, and volume serial number of the device that held it. The volume serial number ties a link file to a particular thumb drive, and together with the drive letter it is strong evidence of the use of external storage media.
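The fields described above are laid out in the link file according to Microsoft's published shell link format (MS-SHLLINK). The following is an added example, not from the article or from any forensic product, that reads the target timestamps, file size, drive letter, drive type, volume label, and volume serial number from a .lnk file. Because no real link file is available here, build_lnk() constructs one; the path, label, serial number, and timestamps it uses are made up for the example, and the parser is then run on that constructed file.

```python
"""Parse the thumb-drive evidence out of a Windows shell link (.lnk) file (added example)."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bits
HAS_LINK_INFO = 0x00000002
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1    # LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(buf, off):
    """NUL-terminated ANSI string at *off*."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    # Target file's times and size, as recorded when the link was last written.
    ctime, atime, wtime, size = struct.unpack_from("<QQQI", data, 0x1C)
    info = {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(wtime),
            "target_size": size}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the shell item ID list
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:                      # LinkInfo: offsets are relative to its start
        _li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = off + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            info["volume_serial"] = f"{serial:08X}"          # the value that identifies the device
            info["volume_label"] = _cstring(data, vol + label_off)
            info["local_base_path"] = _cstring(data, off + base_off)
            info["drive_letter"] = info["local_base_path"][:2]
    return info


def build_lnk(local_path, volume_label, serial, created, accessed, modified, size, drive_type=2):
    """Construct a minimal .lnk (empty ID list, VolumeID + LocalBasePath) for testing the parser."""
    label = volume_label.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label), drive_type, serial, 16) + label
    base = local_path.encode("latin-1") + b"\x00"
    suffix = b"\x00"                                # empty CommonPathSuffix
    li_hdr, vol_off = 0x1C, 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), li_hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO, 0x20)
    header += struct.pack("<QQQ", datetime_to_filetime(created), datetime_to_filetime(accessed),
                          datetime_to_filetime(modified))
    header += struct.pack("<IIIHHII", size, 0, 1, 0, 0, 0, 0)   # FileSize, IconIndex, SW_SHOWNORMAL, rest zero
    id_list = struct.pack("<H", 2) + b"\x00\x00"                 # IDListSize, then TerminalID only
    return header + id_list + link_info


# Made-up values for the sample link; nothing here comes from a real case.
SAMPLE_ACCESSED = datetime(2011, 11, 18, 17, 42, 9, tzinfo=timezone.utc)


def constructed_sample():
    return build_lnk(r"E:\books\second-set.QBW", "KINGSTON", 0x1C2F3A4B,
                     created=datetime(2011, 3, 2, 9, 15, 0, tzinfo=timezone.utc),
                     accessed=SAMPLE_ACCESSED,
                     modified=datetime(2011, 11, 18, 17, 41, 55, tzinfo=timezone.utc),
                     size=2_457_600)


if __name__ == "__main__":
    for key, value in parse_lnk(constructed_sample()).items():
        print(f"{key:18} {value}")
```

The volume serial number recovered here is the file-system serial of the thumb drive, not the USB device serial that the registry records, so the two are tied together through the drive letter and the registry's mount records rather than by comparing serial numbers directly.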
Windows Registry Reports
An examination of the Windows registry will provide a list of every USB storage device that has been plugged into the computer: the USBSTOR key in the SYSTEM hive records each device by vendor, product, and device serial number, and the MountedDevices key records the drive letters that were assigned to them. The last-write time of each device's registry key, together with the Windows setupapi log, indicates when the device was first installed or last connected. Using the link-file analysis along with the Windows registry analysis, the examiner can determine that a particular thumb drive has been used with the computer and that the computer has been used to create and access data on the thumb drive at a particular date and time.
Metadata and Proof of Copying of Data
If files are copied from the C: drive of the computer to an external device, other data can be examined that will help establish that information was copied. Files for documents, spreadsheets, photos, and many other file types carry metadata, and the file system itself records time stamps: when a file was created, when it was last modified, and when it was last accessed. Copying a file does not change the source file's creation or modification times; what may change is its last-access time, and Windows Vista and later versions disable last-access updating by default, so on those systems the examiner looks instead at the creation times of the copies on the destination media, or at link files, for the same pattern. An examiner can filter the file listing so that only documents and spreadsheets are shown and then sort the files by date of creation or date of access. When many files carry the same or closely spaced dates and times, a reasonable inference can be made that a mass copy event has taken place.
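The "closely spaced dates and times" test is easy to apply by eye to a few dozen files and hard to apply to a hundred thousand, so examiners script it. The following is an added example, not from the article or from any forensic product, that takes a list of (path, time stamp) pairs, such as the file list a forensic tool exports, and reports every run of files whose time stamps fall within a short interval of one another. The file names and times are constructed for the example: four files touched during an ordinary work day and thirty client contracts touched three seconds apart late in the afternoon.

```python
"""Detect bursts of near-simultaneous file activity that suggest a mass copy (added example)."""
from datetime import datetime, timedelta


def find_bursts(records, window=timedelta(seconds=90), min_files=10):
    """Return [(start, end, [paths])] for every maximal run of records in which each
    time stamp is within *window* of the previous one and at least *min_files*
    files are involved.

    A person opening files by hand leaves gaps of minutes between them; a copy
    operation touches files seconds or milliseconds apart, however long the whole
    copy takes. Chaining on the gap between consecutive files, rather than on a
    fixed window, therefore catches a slow copy of many files as a single event.
    """
    ordered = sorted(records, key=lambda rec: rec[1])
    bursts, run = [], []

    def flush():
        if len(run) >= min_files:
            bursts.append((run[0][1], run[-1][1], [path for path, _ in run]))

    for rec in ordered:
        if run and rec[1] - run[-1][1] > window:
            flush()
            run = []
        run.append(rec)
    flush()
    return bursts


def constructed_records():
    """Constructed file list: ordinary use plus a thirty-file copy; not from a real case."""
    copy_start = datetime(2011, 11, 18, 17, 40, 12)
    copy_event = [(rf"C:\Users\jdoe\Documents\Clients\contract_{i:03d}.docx",
                   copy_start + timedelta(seconds=3 * i)) for i in range(30)]
    everyday = [
        (r"C:\Users\jdoe\Documents\budget.xlsx", datetime(2011, 11, 18, 9, 3, 44)),
        (r"C:\Users\jdoe\Documents\memo.docx", datetime(2011, 11, 18, 10, 51, 2)),
        (r"C:\Users\jdoe\Pictures\lunch.jpg", datetime(2011, 11, 18, 12, 30, 0)),
        (r"C:\Users\jdoe\Documents\notes.txt", datetime(2011, 11, 18, 14, 17, 30)),
    ]
    return everyday + copy_event


if __name__ == "__main__":
    for start, end, paths in find_bursts(constructed_records()):
        print(f"{len(paths)} files between {start} and {end}; first: {paths[0]}")
```

The same function serves whichever time-stamp column is trustworthy on the system at hand: last-access times on the source where they are still maintained, creation times on the external media where they are not.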
Bruce A. Olson, Marquette 1981, is president of ONLAW Trial Technologies LLC, Appleton, a computer forensics and e-discovery consulting company. He is an experienced, board-certified trial attorney and a certified computer forensics examiner. Contact him at firstname.lastname@example.org.
Internet usage is another very important source of information. Browsing history, browser bookmarks, chat history, and the use of Web-based email can all be determined. Bookmarks may exist for online bank and investment accounts that have not been disclosed, and access to online accounts can be established through the use of bookmarks.
Electronic evidence is now part of almost every litigated matter. From the moment of case intake, a lawyer must be aware of the role that electronic evidence may play in his or her case. Decisions about preservation and analysis must be made. The attorney must consider how electronic evidence will affect the development and handling of the case. The evidence generated by a computer forensics examination may be relevant at trial, in a hearing, or during mediation or settlement discussions. Someone might be willing to adopt a more reasonable position during settlement negotiations to avoid the embarrassment of some types of electronic evidence becoming part of the public record. A lawyer must always be aware of the potential role that computer-based evidence can play in a disputed matter and whether the assistance of a computer forensics expert is needed. Making the right decisions from the outset will help ensure that any issues concerning electronic evidence are properly addressed.