In almost every legal matter, critical and relevant evidence will be found on a computer. Proper collection and examination of computer evidence is critical to avoid spoliation, to preserve the evidence, and to manage costs. If proper procedure is not followed during the acquisition of evidence, any data recovered may lose its admissibility as evidence. Below are some of the common errors made by organizations with regard to computer forensics.
Using the internal IT staff to conduct a computer forensics investigation
A company suspects data on a computer and believes that it will be important to their case. The organization’s attorneys subsequently ask the IT technician to print, download, and/or save the data to portable media. The technician goes to the site, turns on the computer, opens the files, prints the data, and saves the data on a CD. At this point everything appears sound; the data has been collected and costs have been kept to a minimum.
Appearances can be deceptive. At this point, the situation is certainly not ideal, and in many ways it is quite unfortunate. First, all you have is information and data – there is no evidence. Unless your IT staff is certified in computer forensics and trained on evidentiary procedures, they have not maintained chain of custody or followed other accepted evidence techniques. Secondly, even if proper evidence handling techniques have been used, the collection process itself has altered, and likely tainted, the data collected. By opening, printing, and saving files, the meta-data has been irrevocably changed. Lastly, the act of turning on the computer changes caches, temporary files, and slack file space which, along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was on the computer.
Even if extensive damage is done by the internal IT staff, a skilled computer forensics vendor may be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than the original analysis would have cost. Nevertheless, it is not always possible to restore evidence, especially meta-data timelines, from computers that have been mishandled. In addition, risk of professional malpractice may exist for a law firm that elects to use internal IT resources as opposed to trained computer forensics experts for an investigation. A good rule of thumb is to always use a certified external vendor for computer evidence collection.
Waiting until the last minute to perform a computer forensics exam
Since litigation can often be extremely expensive, it is not uncommon for opposing sides to agree to settle a matter, as opposed to bearing the full costs of litigation. Consequently, until a matter actually reaches the court (and sometimes even after that point), there can be great uncertainty as to how far a matter will be pursued. Therefore, it is not unusual and not necessarily imprudent for attorneys to delay or defer expensive litigation support services until they can be absolutely certain that these services will be required. This approach sometime requires the client to pay a premium for last minute or overtime services. However, this approach generally reduces the client’s total legal costs.
Computer forensics, however, does not follow this paradigm. Delaying or deferring forensics expenses cannot only significantly increase the costs to the client, but may even potentially damage their ability to win the litigation. This is all due to the unique nature of electronic evidence.
In general, electronic evidence in the form of undeleted standard user files is fairly robust and stable. Many matters, however, depend on the ability to authenticate user files, reconstruct timelines based on file usage, and recover deleted files. This type of evidence is extremely fragile and naturally degrades over time with computer use. Unless the evidence has been mishandled or intentionally destroyed, skilled certified forensics experts can generally, but not always, recover this evidence. Nevertheless, the longer this evidence has been allowed to degrade, the greater the odds that the information is unrecoverable and the more difficult, costly, and time-consuming the recovery effort will be.
Given the uncertainty related to settlement versus litigation, it would be inadvisable to perform a complete computer forensics examination in every matter. The nature of forensic collection provides an elegant solution to this quandary. Forensic collection is based on the principal of imaging, which creates an exact bit-by-bit copy from electronic media that is protected from further alteration. Thus, collecting evidence from a system preserves a snapshot of that system at that particular moment in time which can be examined later. Compared to forensic examination, the process is relatively simple and inexpensive. Typically, forensic examination cost three to four times more than forensic acquisition. A complex forensic examination can be as much as or greater than nine to ten times more expensive than forensic collection. A good rule of thumb is that if there is even a slight chance that evidence will be needed, a Quick Analysis or imaging should be completed immediately.
Too narrowly limiting the scope of computer forensics
In a complicated matter, it can often be very difficult to know which systems have evidence and which do not. Did the principals use their home computers? Did they use the file servers? Which email servers were involved? Is there data stored offsite or on portable media? One of the most common mistakes, both in investigations and discovery, is too narrowly limiting the scope of computer forensics. There are two principle reasons this occurs. First, it is an attempt to limit costs by restricting computer forensics. Second, it occurs because the individuals involved do not fully understand computer systems or forensics, and they do not know where to look for evidence.
As a cost mitigation approach, limiting the scope is closely related to Mistake #2 above. The outcome is identical. Servers or systems are not initially collected, evidence is later required from them and the cost of forensics increases significantly due to the degraded state of the data. The rule of thumb above applies in this situation too; if there is a 20% chance that evidence from the system will be needed, you should forensically collect it. Analysis of the data can always be deferred until there is more certainty about its necessity.
Not being prepared to preserve electronic evidence
Given the ubiquitous use of computers and electronic storage of information, any company, regardless of size, should expect and be prepared to preserve electronic evidence at a moment’s notice. The case law standard is that the duty to preserve electronic evidence begins when the future litigants have a reasonable belief that there may be future litigation. Yet, the majority of corporations do not have a plan in place to respond to a preservation order.
Failure to preserve electronic evidence can be exceedingly costly to a client, and by extension, their external counsel. In a recent case, a company was fined $1,000,000 and faced courtroom sanctions because while they had instructed employees not to delete files, they neglected to stop the automatic overwriting of backup tapes. The company, in turn, fired their external counsel, and hired a new firm which was able to reduce the fine and mitigate the impact of the sanctions. Nevertheless, this could have all been avoided if the first law firm had properly prepared the client for the preservation order.
As few companies have proactive plans to handle the preservation of electronic evidence, it often falls to outside counsel to advise them how to respond. Unfortunately, outside counsel is not always well-positioned for this role. First, they rarely have sufficient IT knowledge to assess how their client’s IT infrastructure relates to and interacts with the preservation order. Second, as illustrated in Mistake #1 above, external counsel typically does not have the forensics capabilities necessary to preserve electronic evidence. Nevertheless, a qualified computer forensics team working with the external counsel and the client’s IT and legal team can help prepare a client to respond to a preservation order. Consequently, even when there is just a “reasonable belief” that there may be litigation, it is a good rule of thumb to consult with your qualified computer forensics vendor on proactive electronic evidence preservation.
Not selecting a qualified computer forensics team
If a company or an attorney is seeking to avoid the first four mistakes discussed above, they will have to rely on an external certified computer forensics provider. Since electronic evidence is often critical in the outcome of a dispute, it is essential that one’s computer forensics provider be capable and qualified. Selecting the wrong firm could increase costs, lose a case, or even destroy a client relationship. There are many companies and individuals on the market today that offer computer forensic services. The important question is, what makes a qualified computer forensics partner?
The first thing to consider is that computer forensics is more than just using EnCase or any other programs to collect and analyze evidence. Operators may be certified in the use of a single program only, and are not certified computer forensics analysts. EnCase is a forensic product for the Windows operating system and is an essential and accepted tool for that environment. Nevertheless, many matters require the collection of evidence from UNIX, Macintosh, AS400, or legacy systems which EnCase will not support. A qualified computer forensics vendor must have the capability to work across the newest platforms and with older legacy systems. This expertise should also enable them to act as expert witnesses on you or your client’s behalf.
The second thing to consider is that your computer forensics expert needs to be a trusted advisor. They must be able to understand the cost trade-offs associated with late-versus-early or narrow-versus-broad forensic collection and analysis. This requires that they have the capacity to look beyond the transactional cost of an analysis to the total cost of litigation both for the company and law firm. Ultimately, this extends to the ability to provide trusted and accurate advice to a client when they receive a preservation order for electronic evidence.
The third thing to consider is that like attorneys or any other professional service, price is not necessarily an adequate metric of quality and service. Inexpensive providers are not necessarily unqualified, and expensive providers are not necessarily experts. It is essential, therefore, to interview and assess the forensics firms carefully.
Here are 6 questions to consider when choosing a computer forensics firm: 1. Do they follow accepted protocols and procedures? 2. Can they handle the nuances of different systems and hardware? 3. Do they know how to balance the cost of early versus-late and broad-versus-narrow forensics collection and analysis? 4. Can they advise you and/or your client on discovery and preservation strategies? 5. Have they served as expert witnesses? 6. Who are their references? 7. How many years have they been in business? 8. How quickly can they react? 9. How large of a service area can they help your clients/branches? 10. Do they comply with DOJ practices in their own labs?
Computer forensics may be an unknown and mysterious discipline to many attorneys, but it is easy to avoid the most common procedural mistakes. First, use a forensics partner and do not rely on the internal IT staff for computer forensics analyses. Secondly, if there is a 20% chance that evidence from a computer system will be needed, you should forensically collect the evidence. Lastly, leverage your forensics partner to prepare your clients to respond to electronic evidence preservation orders so that they may avoid fines and sanctions. It is a wise business move to choose your forensics vendor carefully, ensuring that they have a breadth of technical knowledge, fully understand electronic evidence, and come highly recommended by other organizations.
At Tampa Computer Forensics we know the best way to get your business is to answer all your questions. Call us at (813) 305-7969, or click the big green button below to schedule a free consultation.
If you’re a professional with a computer forensics application, why not get answers and information from a live person? Please call us at (813) 305-7969, or click the big green button below to schedule a free consultation. There’s no charge and no commitment.