Posted on: July 31, 2015 in Blog
Forensic Investigations Unlock Key Digital Evidence
Look around in any direction and there is a decent chance you can identify a device that contains digital storage capabilities. Drive through a toll booth on the way to work and your journey is being recorded. Go through a red light and “snap”, a ticket arrives in the mail three to four weeks later. Take money out of the ATM on your way to work and it is tracked by the bank. Access your computer at work and announce your arrival by tweet, check your stock portfolio, respond to a few Facebook requests and it is all being recorded on the hard drive.
Nearly every task we perform each day is tracked and stored electronically and this information may be obtained by law enforcement if it relates to criminal activity or is part of an investigation.
Involving an Expert in Computer Forensics Investigations
Even the information you believe to be private, such as emails and Facebook communications, may potentially be discoverable in civil litigation. These sources of digital evidence are never ending, and ever-changing, and continuously prove to be a challenge to those involved in the acquisition and analysis of electronic evidence. This is true for the computer forensics investigator at the local police department as well as the litigation support professional supporting lawyers in civil proceedings.
Another layer of complexity is the law that dictates the admissibility of electronic evidence. A few years ago it was big news in the computer forensic community when a legal proceeding or court opinion mentioned a hard drive or the discovery of evidence stored on electronic media. That trickle has turned into a deluge of case law surrounding electronically stored information. In fact, an estimated 93% of all data created by corporations is in electronic format. Subsequently, the number of sanctions levied against parties who improperly handle electronic evidence also continues to increase.
Obtaining digital evidence for court proceedings requires specialized forensic software for the collection of data. At the simplest level, these programs identify the deleted files and show the files as “live” again, allowing for a full examination by an investigator. In some cases, a greater level of reconstruction is necessary for analysis. If the directory entry or the file itself has been overwritten it may be impossible to recover the prior contents of the file or disk area. Utilizing the software properly ensures that data maintains its integrity for legal proceedings.
Forensics Software Used in Moonlighting IP Theft Case and Plaintiff Awarded Over $100m in Damages
A large chemical company believed one of its employees engaged in trade secret misappropriation. Proving this type of accusation would be difficult, so a computer forensic company was hired to forensically image the individual’s work laptop. The goal was to search for any nefarious activities or evidence the individual was engaged in a side business. Once the laptop's contents had been imaged, the examiner used various software and tools to analyze the large quantities of data and find the relevant datasets. Once the relevant information was located, the examiner uncovered the fact that the individual was indeed running a side business in addition to stealing and selling proprietary technology. Reviewing the browser history, the examiner was able to provide information supporting the individual’s use of a third-party document collaboration website that hosted the chemical company’s proprietary and confidential trade secrets.
Evidence was also uncovered that the individual was communicating via Yahoo mail with his co-conspirator and other third parties to whom he was selling the secrets. The examiner was able to recover deleted emails, which clearly showed the employee acknowledged the information was stolen and knowingly sold the information for profit. There were also emails to the company purchasing the trade secrets, which provided the login credentials for the third-party collaboration site.
Once presented with this overwhelming amount of evidence, the chemical company was able to obtain a temporary restraining order, which enjoined the individual from purging any potential evidence of his scheme. Furthermore, the court permitted the imaging and review of the individual’s home computer, where it was expected additional incriminating evidence would be found. The forensic examination of the individual’s home computer proved even more fruitful than anticipated, as hundreds of additional emails were uncovered, all having evidentiary value.
Additionally, it was uncovered that within minutes of receiving the temporary restraining order, the individual attempted to delete over 2,000 files related to the stolen information. Recovered deleted temporary Internet files depicted the individual's Yahoo Inbox, clearly showing the electronic fax was received prior to attempting to delete the files.
The outcome of the case was a finding in favor of the chemical company. The plaintiff was awarded in excess of 100 million dollars in damages.
All of this evidence could only have been identified and collected through the use of specialized forensics software and the right know-how. Without the initial evidence uncovered by computer forensics there may have been no way to secure a temporary restraining order and the ultimate discovery of the extent of the scheme employed by the individual and his co-conspirator.
Framed Employer Proves Innocence with Forensic Investigation
The use of social media sites proved to be a critical part of a case against a small business owner being accused of sexual harassment by a former employee. The owner maintained his innocence and insisted he was being framed. The company’s attorney suggested employing a third-party computer forensic expert to forensically examine the accuser’s work computer. The owner agreed but could provide little guidance on what exactly the examiner should be searching for. Ethical computer investigators do not conjure evidence, but the owner of the company insisted that there would be no proof of sexual harassment on the employee's computer. Beyond guidance on the type of information sought, examiners are often given little direction on where to look.
Through the use of computer forensics techniques and software the examiner uncovered portions of deleted “MySpace” chat logs between the accuser and other employees, proving the owner's innocence. Furthermore, the accuser not only openly discussed her disdain for the owner but also explained her scheme to get back at him. Even more incriminating evidence was found, which showed the accuser was also having an affair with two other people in the office, one of whom was married. The accuser repeatedly and openly asked for gifts from the individuals she was carrying on with. She even went on to threaten the married individual, stating that she would reveal the tryst to the man’s wife if he did not buy her an expensive piece of jewelry. This evidence certainly did not speak well of the accuser’s character. When confronted with this evidence the accuser decided to drop the suit immediately.
The examiner was able to piece this entire scenario together solely through the examination of recovered deleted chat logs. Without the use of computer forensics there was a strong possibility this case could have gone much further and ruined the lives of the owner and possibly everyone at the company. Traditional discovery would not have uncovered the deleted chat logs and without computer forensics no one would have been aware of the accuser’s shenanigans.
The computer forensics industry has evolved significantly in the past few decades. In the past, an examiner may only have had to deal with a floppy disk or a small hard drive that contained a few hundred megabytes. Today’s hard drives can store terabytes of information.
As the discipline matures, practitioners will face a continual change in laws, technology and types of evidence to be gathered and analyzed. GPS devices, iPads, video capture devices, social media sites, video game units, or something basic like a DVD can all store information that could potentially be requested in civil litigation. The list of devices and cloud systems storing digital evidence today is nearly endless, and forensic consultants must keep abreast of the latest technology, media, and operating systems. As the courts continue to tackle the issues surrounding ESI and its submission in proceedings, they will look to computer forensic experts to assist.