Attorney Defense Support
Cyber Controls LLC
Defense Support for Opponent's Use of Computer Forensic Evidence

CyberControls is qualified to conduct a comprehensive challenge to all computer evidence, particularly the manner in which it was seized. Submission of computer forensic evidence in criminal cases or in commercial litigation is frequently compromised at the earliest stages by sloppy procedures or careless examiners who cut corners. For example, we carefully review the manner in which the computer system or hard drive was seized, and whether the evidence was transported and by whom. The chain of custody review will carefully scrutinize whether the digital evidence was stored properly. Another area of focus is a step-by-step review of the forensic examination process to determine whether the examination firm consistently utilizes sound forensic methods.

Our defense examiners will then review the qualifications and expertise of both the person who acquired the digital evidence and the person who conducted the evidence examination. Often, something as simple as whether the forensic examiner turned on the suspect computer before making a forensic copy of the hard drive could result in modifying critical evidence for your client. If the challenge in any of these areas is successful, valuable evidence may not be admissible.

When challenging the admissibility of digital evidence, the defense’s examiner will evaluate:

Review exactly what state the media or computer was in when the examiner came into possession of the original storage media or devices. Was the computer on or off? Was the hard drive still installed in the computer prior to examination? Was the examination and subsequent evidence acquisition conducted at the custodian’s place of business or somewhere else? If somewhere else, did the examiner request full detailed information on exactly where the media or devices came from? Who had custody of the media/devices prior to delivery to the forensic examiner and how was it transported?
Establish whether the examiner can authenticate that the forensic images acquired are beyond any reasonable doubt exact duplicates of the original hard drives.
Determine whether every precaution was taken in order to preserve the reliability of the data on the computer’s hard drive once it was in the forensic examiner’s possession.
Thoroughly review exactly what procedures were followed to ensure that the computer or hard drive was secured and transported using acceptable methods.
Determine what steps were taken to establish the identities of all possible users of each individual target computer whose drive was examined, i.e. other individual users’ e-mail accounts, ISP accounts, Instant Messaging (IM) accounts, folders, directories, log-on passwords, PDA backups.
If other users were identified as having access to the individual computers in question, what steps were taken by the forensic examiner to determine specifically which evidence files belonged to which user?
Review the chain of custody procedures: review evidence logs, transfer of custody logs, and the security measures used in storing evidence throughout the entire period of possession of evidence.
Determine whether the examiners discovered and inventoried the existence of any Trojan horse, malware or other known spyware, viruses or worms on the evidence hard drive prior to performing the forensic examination.
Establish that, if the forensic examiners failed to look for and inventory the existence of such viruses or worms, tainted evidence is a possibility.
The qualifications of the person(s) who conducted the forensic examination.
Determine whether the examiner may have overstepped the search parameters agreed upon prior to examination.
Whether all forensic software used by the examiner(s) was properly licensed at the time of conducting the examinations.
Whether the seized hardware was physically examined and its description noted, including evidence photographs of the original location and state of evidence before a forensic acquisition commenced or equipment was removed.
Whether it was noted if the computer had an available Internet connection at the time.
Determine whether the examiner established if the subject computer had a local area network (LAN) interface.
Did the forensic examiner establish what percentage of the subject’s hard drive was “unallocated” file space versus used space?
Determine whether all areas and sectors of the media were examined, including slack space.
Verify whether proper steps were followed in assuring that the forensic imaging media was thoroughly sterilized.
Whether there was any exculpatory evidence on the computer.
Review all processes and procedures taken to safeguard the original media from being altered or harmed in any way.
Determine whether there was a full and complete inventory made of all of the files contained on the computer.
Whether the evidence found on the computer was properly documented, how many backup copies were made, and what, if any, data was removed for privacy or privilege reasons.
Determine the cumulative time logged for the entire effort in conducting the examination.  How many word search examinations in total were conducted?  Who was responsible for compiling the list or search parameters?
Determine whether the examiner documented all temporary files and internet activities including an inventory of all cookies stored on the computer.
Determine whether evidence that might be favorable to the defense was recovered.
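
One way to mechanize two of the checks above (that the forensic image is an exact duplicate, and that the transfer-of-custody log is unbroken), given here as an added example and not CyberControls' own tooling. The log layout, the field names, and the use of SHA-256 as the image digest are assumptions; the sample log is constructed.

```python
import hashlib
from datetime import datetime

def sha256_of(path, chunk=1 << 20):
    """Stream a file (e.g. a forensic image) through SHA-256 in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def review_custody_log(entries, acquisition_hash):
    """Return findings for a transfer-of-custody log (list of dicts)."""
    findings = []
    prev, prev_time = None, None
    for n, entry in enumerate(entries, start=1):
        when = datetime.fromisoformat(entry["time"])
        # The image hash recorded at every hand-off must equal the acquisition hash.
        if entry["image_sha256"] != acquisition_hash:
            findings.append(f"entry {n}: recorded hash differs from acquisition hash")
        if prev is not None:
            # Whoever releases the evidence must be the party that last received it.
            if entry["released_by"] != prev["received_by"]:
                findings.append(f"entry {n}: custody gap between "
                                f"{prev['received_by']} and {entry['released_by']}")
            # Entries must be in chronological order.
            if when < prev_time:
                findings.append(f"entry {n}: timestamp earlier than entry {n - 1}")
        prev, prev_time = entry, when
    return findings

# Constructed sample data (hypothetical names, not from any real case).
ACQ_HASH = hashlib.sha256(b"constructed image bytes").hexdigest()
ALTERED = hashlib.sha256(b"constructed image bytes, altered").hexdigest()
SAMPLE_LOG = [
    {"time": "2007-03-01T09:15:00", "released_by": "Custodian",
     "received_by": "Examiner A", "image_sha256": ACQ_HASH},
    {"time": "2007-03-01T17:40:00", "released_by": "Examiner A",
     "received_by": "Evidence Locker", "image_sha256": ACQ_HASH},
    {"time": "2007-03-05T08:05:00", "released_by": "Examiner B",
     "received_by": "Lab Bench 2", "image_sha256": ALTERED},
]

if __name__ == "__main__":
    for finding in review_custody_log(SAMPLE_LOG, ACQ_HASH):
        print(finding)
```

On the constructed log, the third entry is flagged twice: its recorded hash no longer matches the acquisition hash, and no entry shows the evidence leaving the locker before Examiner B released it.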

 Findings Review:

Review the examiner's report for thoroughness.
Review the report to verify that it adequately explains technical issues.

 Additional Support Services for Defense:

Provide current trends in Court Sanctions for Computer Discovery abuses.
The steps to take to find Computer E-mail Records.
Assist with the presentation of computer evidence in Court so that the jury will understand it.
Preparation of computer evidence interrogatories.


© 2007, CyberControls, LLC™. All rights reserved.