2005 B.C. Intell. Prop. & Tech. F. 033101

Data Forensics: In Search of the Smoking Gun

Michael Michalowicz[a1]

March 31, 2005

The term "Data Forensics" sounds like a high-tech process reserved only for those select cases involving proprietary technology.  However, data speaks volumes, and Data Forensics can really make it talk.  Recent news coverage of the Martha Stewart trial, the resignation of Connecticut Governor John Rowland, Verizon’s prosecution of an employee who stole $20M in PIN codes, and ongoing investigations at Enron and WorldCom have demonstrated the importance of Data Forensics, which is now routinely used in cases of all types.  Whether the matter is discrimination, breach of contract, theft of intellectual property, or sexual harassment, Data Forensics will likely play a role.  The fact is that over 93% of all commercial documents are produced and stored on a computer system (University of California, Berkeley study from October 2000).  Most people are now comfortable using a computer and consider it a standard, everyday tool, so much so that an estimated 147 million people across the country use e-mail almost every day (eMarketer.com).  Computer data is now ubiquitous, and Data Forensics has quickly become a legal necessity.

It must be noted that E/Discovery (electronic discovery) is not the same thing as Data Forensics.  E/Discovery is the process of collecting large amounts of electronic records, while Data Forensics is the process of extracting specific pieces of information with surgical precision.  The critical differentiator is that E/Discovery typically considers files that are easily accessible, such as active files on a network file server, while Data Forensics typically examines hidden and deleted files, and even left-over fragments of files that have long been discarded.  In layman’s terms, E/Discovery refers to collecting the haystack, while Data Forensics refers to searching for the needle in the haystack.

Searching through digital evidence could recover a hidden document or deleted e-mail message which may accelerate a favorable settlement or even win the case.  The topic of Data Forensics can be confusing and is often neglected due to a lack of knowledge of how it may apply to a particular matter.  In order to fully employ Data Forensics, one must understand the technical basics, be able to identify the quantifiable benefits to the client’s case, and understand how Data Forensics can be scaled into large cases where such an exercise would typically be cost-prohibitive.

Consider the case example of a female executive that sued her former employer for sexual harassment.  In her complaint, the plaintiff contended that she had been harassed by the CEO of the company for a period of eighteen months.  She stated that she did not come forward sooner for fear of being labeled an outcast in her community, when she was, in fact, a self-proclaimed loyal wife, mother, and churchgoer. She included a chronology which contained numerous instances of alleged infringements, so many that she advised that it was actually broken into two documents.  The first included entries for the initial ten-month period, the second for the following eight months.  Why two documents?  She claimed that the first file became so large that she was afraid of losing the information, so she filed it away and created a second.  When the company cross-referenced the two documents to the CEO’s calendar, it was startled to find that in every single instance, the scheduling of the CEO and female executive coincided, even though the CEO adamantly denied any wrong-doing when he was in her presence.  With such substantial evidence against the CEO, the company decided to initiate settlement talks.  A settlement of $1.5M was discussed by both parties, but before it was agreed to, the company took the unconventional step of hiring a Data Forensics firm.

Upon initial analysis of the two chronology documents, it was discovered that both were created on the exact same day, precisely one hour and ten minutes apart from one another, and just thirteen days prior to the former executive being terminated.  It was further determined, with 100% accuracy, that the CEO’s calendar was open in another window while the two documents were being created – suggesting that the author was able to view the CEO’s calendar at the same time each entry was made.  To make matters worse for the plaintiff, AOL e-mail records left behind on her computer strongly implicated her in a relationship with a co-worker from another state.  Internet records "hidden" on her hard drive uncovered frequent airfare purchases to the other state, all being billed to the company.  The company then asked that the computer of the suspected lover and current employee also be analyzed, and it was confirmed that the two were romantically involved.  Digital photographs were found in a hidden folder, which showed the plaintiff and her lover on various trips.  It was also revealed, based on file creation dates, that when the company sent the plaintiff to a week-long seminar in Florida, she opted instead to go on a cruise with her significant other.  In an e-mail message found on her partner’s computer, the plaintiff stated that she knew she was about to be terminated for lack of performance – blamed for the most part on their ongoing affair.  She vowed to seek revenge against the CEO if, in fact, he fired her.  She later referred to her proposed settlement of the sexual harassment claim as being the same as winning the lottery.  In the end, she quickly dropped all charges once the Data Forensics evidence was disclosed.

As the above case study shows, and contrary to popular belief, Data Forensics does not pertain only to matters involving theft of IP on large computer systems, or to an embezzlement matter after such a procedure is first suggested by the forensic accountants; its actual application is far reaching.  How, then, is one to know whether he or she will benefit from the employment of a Data Forensics firm?  What information is available, and how does one go about procuring it?

Since electronic evidence does not have the permanence afforded by traditional evidence, it may seem difficult to collect and to form into a coherent argument.  The process of collecting digital evidence is tedious, strict, and may be exhausting, and the systems which potentially contain evidence may be buried within a corporation.  Even when the systems are physically identifiable, it may be difficult to take them off-line for an extended analysis.  For this reason, the initial step in any Data Forensics investigation is to make an exact duplicate of the evidence.  This is also done to accomplish the first and most critical step of the analysis: preservation of information.  Without such preservation, the data could be quickly altered, resulting in spoliation of evidence.  In order to create the duplicate, a strong set of standards must be employed, and the data must be handled with extreme caution.  A Data Forensics expert will be able to explain the process, establish chain-of-custody, and institute a duplication method that has been identified as a "proven and accepted practice" by both state and federal courts.  This critical phase generally utilizes a bit-by-bit forensic duplication approach which copies not only active files, but also deleted files, hidden files, and file slack space that is not normally captured with conventional or "MIS caliber" duplication efforts.

Thus, Data Forensics specifically refers to the preservation and analysis of digital evidence before or after the discovery phase, and in many cases before the actual litigation is filed.  It is typically focused on a subset of devices and is used primarily to search for very specific keywords.  It is sometimes advisable for a corporation to assess its internal data prior to filing a motion or complaint, in order to gain a better understanding of the facts.  An example may be a potential case of theft of intellectual property where a former employee resigns and immediately begins working for a competitor.  If the company conducts an analysis of the former employee’s computer and finds concrete evidence suggesting theft, it will be able to conscientiously proceed with litigation.  However, if no such evidence exists, it could mean that the former employee acted appropriately, and the company could thereby avoid a lengthy and expensive battle to arrive at the same conclusion in the form of a verdict, or worse, an application for sanctions for a frivolous lawsuit.

When determining whether or not a computer hard drive should be preserved and analyzed, there are several factors that must be considered.  First, there must be the likelihood that the hard drive does, indeed, contain information of value.  If an event allegedly occurred in 2002 and a new computer was purchased in 2004, it is highly unlikely that any information of value will be contained on the new computer unless, of course, older data was copied to it. Conversely, if a suspect was known to be in constant contact with another individual, there may be the potential that evidence exists on both parties’ hard drives.  In the end, cost is the determinant factor because most Data Forensics firms bill by the hour.  The number of drives to be preserved and analyzed usually translates directly into a linear increase in the overall cost.

It is also important to know that, during the discovery phase of a case, it is illogical to ask the opposition to preserve ‘all’ computer records.  Such a task is daunting and extremely expensive, and fee-shifting arrangements may be imposed making it cost-prohibitive for both parties.  Instead, a more surgical approach can be deployed whereby the overall systems are analyzed to determine the most appropriate places to collect information.  While computers are usually the first hardware devices to come to mind, it is important to consider other less traditional devices as well, such as CDs, DVDs, Palm Pilots, USB Drives, Voice Mail Systems, and any other device that may contain data.  It should be noted that most office photocopy machines now contain a hard drive, and that documents that are simply copied may be recorded to and recovered from such a hard drive.

In virtually all legal matters, it is likely that such devices were used at some point during the pre-litigation interaction of parties.  For example, a contract negotiation may have taken place in part via e-mail or an agreement may have been copied to a floppy diskette.  In either case, the application of Data Forensics will likely produce information not found in the hard copy counterpart of the digital document.

In the typical case, a hard copy document is analyzed, and the lawyer can only engage in direct or cross examination on the basis of information printed on the page.  It is difficult to determine the document’s authenticity, original author, or edits made while still a work-in-progress.  However, a document created in Microsoft Word or another leading word processing system is likely to contain a plethora of information that is neither displayed on the screen nor printed to the printer.  For example, a document produced in MS-Word is likely to provide the following items of information when analyzed by a Data Forensics expert:

Furthermore, a forensic examiner is also able to discover a wealth of additional information with regard to the document in what is called "metadata."  Metadata is a description or definition of electronic data, or data about data. Often, metadata can only be accessed in certain viewing modes.  Metadata can include descriptive ‘tags’ and information about when a document was created and what changes have been made on that document.

For example, consider a user that routinely recycles and re-uses the same fax cover sheet.  When a new fax is sent, the user will generally type over the existing contact information from the previous fax and substitute instead the new contact data.  What the user doesn’t know is that the old data may never leave the document; instead, the new data may be appended to the digital version of the document.  Therefore, by analyzing a digital copy of a fax cover sheet, a Data Forensics examiner will likely be able to tell the name, fax number, and message for every fax sent by that user because when text is deleted from a document it never really is removed from the document.  Instead, the word processor is simply instructed not to display or print that data.  This becomes extremely important information when an agreement is circulated between parties electronically.

It is possible (and probable) that your adversary will be able to read your edits if a Data Forensics expert is employed.  For example, assume a settlement offer is drafted for $100,000.  After further discussion, the document is edited to reflect an offer of only $75,000.  The document is then forwarded via e-mail.  A forensic examiner in this case would likely be able to see that the original offer was for $100,000 but was changed to $75,000 before being sent.  This may prove to be important and valuable knowledge when a counter offer is then returned.  We are not suggesting that negotiations not take place electronically or that every legal transaction needs forensic analysis, but you can begin to understand the ramifications of our digital age.

Similarly, a Data Forensics examiner is able to produce data that has long been deleted or destroyed.  While this may seem like "magic," it actually has to do with the way data is stored on a computer hard drive.  When a file is deleted from a computer hard drive, it is actually never purged from the system. Instead, the only change that occurs to the document is that the first letter of the filename is changed to a symbol that tells the computer system the file is deleted.  For example, if one has a file named CLIENTLIST2004.XLS on his or her computer hard drive and deletes the file, the file is simply renamed to ~LIENTLIST2004.XLS.  Because the first character tells the system that the file is deleted, it will not appear in any folders or directory listing on the computer.  However, the entire contents of the file remain on the hard drive and may be recovered by a Data Forensics examiner.  An analogy can be made to an LP record.  If a user wishes to play the third song on the record album, he simply moves the needle to the third black groove on the face of the record. If the song in this example is then "deleted," it would be equivalent to simply erasing the third black groove.  However, if the user knew by other means exactly where to place the needle, the entire song could be played without missing a single note.  Deleting a file on a computer system does not mean it is gone, and it is usually easily recovered in whole or in part on even the most ancient personal computers.
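The deletion mechanics just described, together with the file slack space mentioned in the discussion of bit-by-bit duplication, as an added Python example that is not part of the original article: it builds a constructed, simplified FAT-style volume in memory (root directory at offset 0, contiguous clusters, no boot sector, FAT tables or long-filename entries; all assumptions for illustration), marks one entry deleted by rewriting only its first byte, and shows that a normal listing hides the file while a forensic scan still lists it, reads its content back from the data area, and finds the remnants of an earlier draft in the slack of a live file.

```python
import struct

# Constructed, simplified FAT-style volume held in memory. Assumptions for
# illustration: root directory at offset 0, files in contiguous clusters, and no
# boot sector, FAT tables or long-filename entries (none change the point shown).
CLUSTER_SIZE = 64          # deliberately tiny so the layout is easy to inspect
DATA_START = 512           # byte offset of cluster 2, the first data cluster
DELETED_MARK = 0xE5        # first name byte that marks a directory entry as free
ENTRY_FMT = "<11sB8xHHHHI" # real 32-byte 8.3 entry: name, attr, cluster hi/lo, size

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build one 32-byte 8.3 directory entry; deletion only rewrites byte 0."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    entry = bytearray(struct.pack(ENTRY_FMT, raw, 0x20, 0, 0, 0, first_cluster, size))
    if deleted:
        entry[0] = DELETED_MARK   # the file's data clusters are left untouched
    return bytes(entry)

def cluster_offset(cluster):
    return DATA_START + (cluster - 2) * CLUSTER_SIZE

def write_cluster(image, cluster, data):
    off = cluster_offset(cluster)
    image[off:off + len(data)] = data

def build_sample_volume():
    """Constructed sample: one live file, one deleted file, and slack residue."""
    image = bytearray(DATA_START + 4 * CLUSTER_SIZE)
    # Cluster 2: body of a spreadsheet the user later deleted (stand-in for the
    # article's CLIENTLIST2004.XLS, shortened to fit an 8.3 name).
    clients = b"Acme Corp,Jane Doe,555-0100\nGlobex,John Roe,555-0199\n"
    write_cluster(image, 2, clients)
    # Cluster 3 once held a longer draft; a 15-byte file was later written over
    # its start, so the rest of the cluster is file slack holding the old text.
    write_cluster(image, 3, b"DRAFT: settlement offer was $100,000 before revision.")
    write_cluster(image, 3, b"Offer: $75,000\n")
    directory = (make_entry("OFFER", "TXT", 3, 15)
                 + make_entry("CLIENTS", "XLS", 2, len(clients), deleted=True))
    image[0:len(directory)] = directory
    return image

def parse_directory(image, offset=0):
    """Return every entry, deleted ones included, up to the 0x00 end marker."""
    entries = []
    while offset + 32 <= len(image) and image[offset] != 0x00:
        raw = bytes(image[offset:offset + 32])
        name, _attr, hi, _time, _date, lo, size = struct.unpack(ENTRY_FMT, raw)
        deleted = name[0] == DELETED_MARK
        base = name[:8].decode("ascii", "replace").rstrip()
        if deleted:   # first character is lost; undelete tools show a placeholder
            base = "~" + base[1:]
        entries.append({"name": base + "." + name[8:].decode("ascii").rstrip(),
                        "deleted": deleted, "cluster": (hi << 16) | lo, "size": size})
        offset += 32
    return entries

def read_file(image, entry):
    """Read the file body from its first cluster (contiguous-allocation assumption)."""
    off = cluster_offset(entry["cluster"])
    return bytes(image[off:off + entry["size"]])

def read_slack(image, entry):
    """Bytes between the logical end of the file and the end of its last cluster."""
    off = cluster_offset(entry["cluster"])
    clusters = (entry["size"] + CLUSTER_SIZE - 1) // CLUSTER_SIZE
    return bytes(image[off + entry["size"]:off + clusters * CLUSTER_SIZE])

def active_listing(image):
    return [e["name"] for e in parse_directory(image) if not e["deleted"]]

def forensic_listing(image):
    return [e["name"] for e in parse_directory(image)]

if __name__ == "__main__":
    vol = build_sample_volume()
    print("normal listing:  ", active_listing(vol))
    print("forensic listing:", forensic_listing(vol))
    for e in parse_directory(vol):
        print(e["name"], read_file(vol, e), "slack:", read_slack(vol, e))
```

A real recovery tool also follows the FAT chain for live files and has to guess the lost first character of a deleted name; both are left out here to keep the directory-entry mechanics in view.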

Similarly, formatting a hard drive does not destroy the data. For example, in an actual PG Lewis & Associates case, a New Jersey law firm updated their computer network and donated the old system to a local high school. They were careful to first format all of the hard drives, seemingly to destroy the data that existed.  They were horrified to later learn that some of the hard drives were "unformatted" and volumes of privileged information appeared on a website created by a student at the high school.

Since it is possible to recover data using computer tools created for just that purpose, a Data Forensics examiner has the ability to provide a story line with corroborating evidence including dates, authorship, communications with third parties, and even intent behind the act or claim in dispute.  The benefits of providing an analysis on a duplicate computer image over the traditional approach of reading through paper documents are immense.

  1. Digital evidence can be interrogated by keywords provided by counsel.  A Data Forensics examiner is able to quickly quantify and qualify all keyword hits within not only active documents, but also in deleted files, e-mail messages, hidden files, third party (AOL, Hotmail) e-mail messages, and any other file type or document type on the hard drive.
  2. Digital evidence, when handled properly, is able to be analyzed over and over again, without the risk of spoliation.
  3. Digital evidence will usually allow the examiner to establish the pre-action and post-action behavior of the suspect.
  4. Digital evidence allows for temporary Internet files to be analyzed, demonstrating what Internet sites were viewed and in some cases what interaction took place between those sites and the suspect.
  5. Digital evidence is sometimes able to reveal chat room sessions and instant messaging (IM) in which the suspect was involved.
  6. Digital evidence will usually determine when a specific file was created, deleted, and modified.
  7. Digital evidence will usually reveal if a specific file was copied or e-mailed.  In such instances, it is usually possible to determine when and where the file was copied (to floppy diskette, burned to CD, etc.) or when and where the file was e-mailed.
  8. Analyzing a single hard drive will often yield significant evidence necessary to immediately petition the court for leave to collect, preserve, and analyze other suspect hard drives before important evidence is overwritten or subjected to spoliation; or it could lead to sanctioning if attempts at spoliation are uncovered.

The rule of thumb is that if information was displayed at some time on a computer screen, it is generally able to be recovered from that computer. If, for example, a user checks her account balance online, it is likely that that information can be retrieved at a later date.  This general rule can be applied to data of all types.

When a Data Forensics Expert Should Be Retained

A Data Forensics expert should be retained in cases where digital evidence may exist that will substantiate the outcome of a matter, whether inculpatory or exculpatory.  If it is believed that important documents were created on a computer, or if electronic communications are believed to have occurred between the parties, it is important to seek the assistance of a Data Forensics expert.  More importantly, if the adversary has named a Data Forensics expert, it is critically important to also retain an expert to professionally assess and critique the opposition’s findings.

A Data Forensics firm must be able to conduct a comprehensive challenge to all digital evidence, and, in particular, to the manner in which it was seized.  Collection of digital evidence is often compromised in the earliest stages by shoddy procedures or careless examiners.  A careful review of the manner in which the computer systems or hard drives were seized is required.  The chain-of-custody review will carefully scrutinize whether the digital evidence was stored properly, and a step-by-step review of the forensic examination process will determine if the opposing expert consistently utilized proper forensic methods.

How to Retain a Data Forensics Expert

Once it is determined that a Data Forensics firm is necessary, it is important to consider how that firm will approach the matter.  If the matter covers a large geographic territory, it may be advantageous to employ a firm that has many locations. If the matter is relatively confined, a local firm may provide a higher level of service.  In either case, it is important to know up front how your case will be handled, including expected delivery of work product, standard policies and procedures, and experience with other such matters. While it may seem logical to call a computer service company for assistance, it is unlikely that such a company will have the experience necessary to conduct an investigation, and it will likely lack knowledge and training in the tools necessary for the analysis.  If the tools that are used are not recognized by the court, it is unlikely the evidence that is presented will be admissible. Most Data Forensics firms will not reveal a client list; however, most should be able to give multiple attorney references.  If you have not engaged the firm in the past, it is important to call on its references and to visit its facility if at all possible.  Your case may not go to trial for a year or more, so it is important to know that the firm you employ will still be in business when needed. For this reason, independents and part-timers should be avoided.

What Will a Data Forensics Firm Provide?

A top-tier Data Forensics firm should be able to provide not only a report of findings, but also should be able to assist in areas that are new or foreign to the attorney.  For example, a Data Forensics firm should be able to:

A Data Forensics firm should be viewed as a strategic partner in a matter, and not just an ordinary expert.  Since Data Forensics is still a very mysterious topic, it is likely the attorney will need to take crucial direction from the Data Forensics expert.  For this reason, the expert must be particularly knowledgeable.  Further, if the matter continues to trial, the Data Forensics expert will need to testify on his findings.  Therefore, it is important to know who it is that will be testifying, his experience and background, and his general presentability.

At a minimum, the attorney should expect the Data Forensics expert to have a strong command of the processes and tools required to conduct an investigation, and to follow important protocol, such as establishing and managing a chain-of-custody.  The generated work product must be professional and clearly illustrate the findings which support the legal theory.  If the expert is not able to construct a professional findings report, he will not appear credible, no matter what piece of damning evidence is discovered.

What Data Best Assists a Case?

Digital evidence plays the same role as traditional evidence.  However, unlike its paper counterpart, digital evidence – while copious – is easily searched through automated processes.  Items of significant evidentiary value are sometimes recovered from e-mail systems, the suspect’s personal computer, or computers belonging to acquaintances of the suspect.  A routine analysis will be able to pinpoint data that may exist in documents, spreadsheets, e-mail, or any other type of file – even if those files have been deleted.

In many cases, a statement may have been made via e-mail that contradicts a statement taken at a deposition.  Or, it may be discovered that some highly sensitive and confidential documents were e-mailed to an outside account or copied to a "thumb drive."  In almost any case, Data Forensics will determine the who, what, where, when, and how of a particular incident.  Assuming proper standards are followed, it is difficult for opposing counsel to explain away evidence retrieved during a Data Forensics analysis.

What is the Specific Method of Reviewing a Case?

Data Forensics examiners usually adhere to a common six-step process when involved in a matter.  The six-step process is:

  1. Preserve the evidence
  2. Identify the scope
  3. Extract the data
  4. Document the findings
  5. Interpret the results
  6. Present findings to the court

Before a forensic analysis may take place, it is important to first understand the case parameters and to devise a legal strategy.  This may include preserving and analyzing data that is already in the possession of the initiating party, or seeking a preservation order, which will require that the opposing party preserve data residing on specific devices.  The most critical step in any forensic analysis is to properly preserve the evidence.  Once the data has been properly duplicated and catalogued, the Data Forensics examiner will typically conduct an interview with counsel to clearly understand the desired search criteria and will then formulate a technical approach.  Delivery requirements must also be discussed and agreed to at the onset of the examination.  In many instances, the Data Forensics examiner will produce evidence that results in refined search parameters and a second or third pass.  Once the data is collected, it will be assembled into a findings report which is shared and discussed with counsel.  The data is clearly presented so that counsel is able to properly and accurately interpret the results.  During this phase, additional suspects may be uncovered or new facts relating to the case may come to light.  The Data Forensics examiner may be asked to commence a new investigation based on the initial findings, and may also be deposed and ultimately asked to testify during the trial.

In summary, the failure to analyze digital data is, at best, inexcusable and, at worst, ineffective assistance of counsel and malpractice.  With the vast majority of documents being created on a computer system and with so many written communications taking place electronically, attorneys now have both the luxury of easily and quickly validating a controversy and the responsibility of doing so.

Data Forensics was all but unknown just a few short years ago, but today is considered a standard and routine practice in legal matters of all types. With so much evidence "hidden" away on computers, Data Forensics is a stone that cannot be left unturned.


[a1] Michael Michalowicz is a partner of PG Lewis & Associates, LLC, a Data Forensics firm with offices throughout the United States (www.pglewis.com).  He is an industry recognized technologist and court appointed expert.  Michalowicz has been featured in various periodicals including the New York Times.  His firm provides Data Forensics services to local, regional, and national law firms in cases involving one to hundreds of PCs.  Michalowicz has authored numerous published articles and is a frequent lecturer on the subject of Data Forensics.  He regularly trains attorneys on how to properly manage matters involving digital evidence.  Michalowicz may be reached at mmichalowicz@pglewis.com.

