Locating evidence on computers is an important part of today’s discovery process, and the reasons for pursuing computer-based evidence are compelling. It is estimated that over 70 percent of the data stored on computers, such as email and database files, is never reduced to printed form. In addition, computer-based files often contain embedded information (metadata) that can only be viewed in the electronic version; the true date and time of creation or modification may exist only in the computer file. Discovery that omits a review of computer files is incomplete.
Although many lawyers ask for electronic evidence, they may not have had experience collecting and analyzing the data they seek. What follows is some practical advice on how to collect relevant data and ensure it can be authenticated and admitted as evidence.
1. Send a preservation of evidence letter.
It is critical to put all parties on notice as soon as possible, informing them that digital data will be sought through discovery. A letter should identify as specifically as possible the types of information to be preserved. If necessary, obtain a protective order requiring all parties to preserve digital data and set out specific protocols for doing so.
2. Include definitions, instructions, and specific questions about digital data in your written discovery.
- Make clear that electronic documents, as well as paper, are being sought. Define “documents” to include data compilations, electronic mail, and electronically stored data.
- Use a series of interrogatories to get an overview of the target computer system.
- If necessary, include a request for inspection to examine the computer system firsthand and retrieve any relevant data.
3. Take a 30(b)(6) deposition of staff from the information systems department.
This form of the “custodial” deposition may be the single best tool for discovering types of electronic information stored on your opponent’s computer systems. Include questions about the specific hardware and software used and how data is used and stored. Be sure to include questions about backup procedures. Backup tapes can be an important source of historical information.
4. Collect backup tapes.
Routine data backups, created to help companies recover from a disaster (a system failure or a natural disaster), are normally stored on high-capacity tapes. Backups are often created daily and/or weekly. It’s common for one backup set (such as the data backed up on the last day of the month) to be pulled from rotation (i.e., not re-used or overwritten) and stored for one year. Under this schedule a company has 12 monthly backups on hand for the year, which is often enough to provide a highly detailed picture of corporate activity.
5. Collect CD-ROMs, “Zip” drives, and other removable media.
It’s essential to collect and examine all media with files created by key witnesses. Computer users often create “ad hoc backups” of files and email. Such data sets can be kept indefinitely by users.
6. Ask every witness about computer usage.
Each witness and his/her assistant(s) must be questioned about how they organize and store data on their computer. Perhaps the most overlooked source of electronic evidence is the witness or assistant’s home computer. Data can be transferred to and from the workplace via diskettes and portable media, or by logging onto the company network from home. Palmtop devices, another source of evidence, can allow users to make notes and use email. Notebook computers, often shared among a number of users, can also be a rich source of evidence.
7. Make image copies.
To capture residual data, you must make an “image copy” of the target drive. An image copy duplicates the disk surface sector by sector, including sectors that no file currently occupies. A file-by-file copy, by contrast, copies only the files the file system still lists and therefore does not capture residual data.
Residual data can be recovered from hard drives and floppy disks. Residual data includes deleted files, fragments of deleted files, and other data that is still extant on the disk surface. With computers, the term “deleted” does not mean destroyed. When a file is deleted, the computer merely marks the space occupied by that file as available for new data. The bits and bytes of the file remain on the drive until they are overwritten by new data or “wiped” through the use of specialized software that deliberately overwrites them. If neither has occurred, a “deleted” file may still be recovered from the disk surface.
8. Write protect and virus check all media.
To maintain the integrity of electronic media you must write protect it before doing anything else. This ensures the evidence you gather is not altered or erased. All media should then be checked with current anti-virus software so that malicious code cannot alter the evidence or spread to the examination system; because the media is already write protected, the scanner can only report what it finds. If a virus is detected, make a record of all information and notify the party producing the media. Do not take steps to clean the original media, as this would change the evidence produced.
9. Preserve the chain of custody.
Digital evidence can be easily altered. Maintaining a clean chain of custody is critical. At a minimum, be prepared to assure that:
- no information has been added or changed.
- a complete copy was made.
- a reliable copying process was used.
- all media was secured.
A reliable copy process has three characteristics:
- It must meet industry standards for quality and reliability, including the image capture software and the media used.
- The copies must meet the independent verification standard. In other words, the opposing party’s expert must be able to read and verify your expert’s copy.
- The copies must be verifiably unaltered. In practice this means recording a cryptographic hash of the original and of the copy at the time of acquisition, so that any later change to either can be detected.
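As an added illustration of steps 7 and 9 (this is example code written for this page, not the article’s or Computer Forensics Inc.’s method), the following Python script builds a constructed toy disk, “deletes” a file, and shows that a file-by-file copy loses the residual data while a sector-by-sector image retains it. It also records SHA-256 hashes of the source and image so that a second examiner can independently verify the copy, and shows that the residual data disappears once the sectors are overwritten. The sector size, sector count, and allocation-table layout are simplifications invented for the demonstration.

```python
"""Toy disk imaging demo: logical copy vs. sector image, hash verification,
and residual-data recovery. All disk structures here are constructed for
the example and do not model any real file system."""
import hashlib

SECTOR = 16       # toy sector size; real disks use 512 or 4096 bytes
NUM_SECTORS = 8   # toy disk of 128 bytes; sector 0 is reserved for metadata


def build_disk():
    """Construct a disk holding two small files. Returns (disk, table) where
    table maps file name -> (start sector, length in bytes). (Constructed data.)"""
    disk = bytearray(SECTOR * NUM_SECTORS)
    table = {}

    def write_file(name, start, data):
        disk[start * SECTOR:start * SECTOR + len(data)] = data
        table[name] = (start, len(data))

    write_file("memo.txt", 1, b"Q3 forecast: revise down")   # 24 bytes, sectors 1-2
    write_file("draft.txt", 3, b"DELETE THIS: shred plan")    # 23 bytes, sectors 3-4
    return disk, table


def delete_file(table, name):
    """'Delete' a file the way a file system does: drop only the table
    entry. The bytes stay on the disk surface until overwritten."""
    del table[name]


def overwrite_sectors(disk, start, count):
    """Simulate a 'wipe' (or reuse of the space by new data) by zeroing sectors."""
    disk[start * SECTOR:(start + count) * SECTOR] = bytes(count * SECTOR)


def file_by_file_copy(disk, table):
    """Logical copy: returns only the bytes the table still points to."""
    return {name: bytes(disk[s * SECTOR:s * SECTOR + n])
            for name, (s, n) in table.items()}


def image_copy(disk):
    """Sector-by-sector image: every sector, allocated or not."""
    return b"".join(bytes(disk[i * SECTOR:(i + 1) * SECTOR])
                    for i in range(NUM_SECTORS))


def unallocated_sectors(table):
    """Sectors no listed file occupies (sector 0 excluded as metadata)."""
    allocated = set()
    for start, n in table.values():
        allocated.update(range(start, start + -(-n // SECTOR)))  # ceil division
    return [i for i in range(1, NUM_SECTORS) if i not in allocated]


def recover_residual(image, table):
    """Read the unallocated sectors of an image; trailing zero padding removed."""
    chunks = [image[i * SECTOR:(i + 1) * SECTOR] for i in unallocated_sectors(table)]
    return b"".join(chunks).rstrip(b"\x00")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(disk, table):
    """Perform the acquisition and return a record for the custody log."""
    image = image_copy(disk)
    logical = file_by_file_copy(disk, table)
    return {
        "source_hash": sha256_hex(bytes(disk)),
        "image_hash": sha256_hex(image),
        "image_matches_source": sha256_hex(bytes(disk)) == sha256_hex(image),
        "logical_files": sorted(logical),
        "residual_in_logical_copy": any(b"shred plan" in v for v in logical.values()),
        "residual_from_image": recover_residual(image, table),
    }


def verify_image(image, recorded_hash):
    """Independent verification by a second examiner: re-hash and compare."""
    return sha256_hex(image) == recorded_hash


if __name__ == "__main__":
    disk, table = build_disk()
    delete_file(table, "draft.txt")
    record = acquire(disk, table)
    for key, value in record.items():
        print(f"{key}: {value}")
    overwrite_sectors(disk, 3, 2)
    print("after wipe:", acquire(disk, table)["residual_from_image"])
```

Running the script shows `logical_files` containing only `memo.txt`, `residual_in_logical_copy` false, and the full text of the deleted draft recovered from the image; after the two sectors are zeroed, the same recovery returns nothing. The `image_hash` value is what belongs in the chain-of-custody record, and `verify_image` is the check the opposing expert runs against it.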
10. Hire an expert.
An expert will help fine-tune your discovery and maximize the amount of relevant data you recover. The expert can also provide resources for copying and examining data. Restoring backup tapes and image copies often exceeds the technical talent and system resources of clients and lawyers.
Direct forensic examination of data, tape restoration, and copying or printing services can range from $150 to $375 per hour.
Experienced experts can help draft deposition outlines, sit in on depositions, help educate the court or discovery magistrates, and help parties prepare stipulations for protocol and cost sharing. Rates for these services can range from $375 to $600 per hour.
The goal of computer-based discovery is to find useful information and collect it in a manner that assures it can be admitted into evidence. While technology will undoubtedly continue to change, these basic techniques for collecting electronic evidence should continue to prove effective.
Joan E. Feldman, President
Computer Forensics Inc.™
Source: http://www.forensics.com/html/resource_articles.html