Basics of Computer Forensics
Cyber Controls LLC

In pursuit of vital evidence in the discovery stage, recovering a telling document or a deleted e-mail message could result in winning the case or accelerating a favorable settlement.  As an example, in Linnen v. A.H. Robins Co., the surviving family of a woman whose death was the result of taking a combination of prescription diet pills called fenfluramine and phentermine (commonly referred to as fen-phen) sued the pharmaceutical companies. The claim made by the plaintiffs was that the combination of the two drugs, when taken by the deceased, resulted in the development of a fatal lung disorder.

Forensic examiners retained by the plaintiffs were successful in recovering a telling internal e-mail message from an A.H. Robins’ employee to another that read: “Do I have to look forward to spending my waning years writing checks to fat people worried about a silly lung problem?” Soon after this discovery, the case was settled.

Electronic Evidence Services for Attorneys


Consider the startling statistics that have surfaced in the past year that compel attorneys to consider digital evidence discovery in cases requiring documents and e-mails to be requested or provided to support or refute a claim arising from a lawsuit.
  • Over 93 percent of all commercial documents are produced and stored on computers of which only 0.003% was ever printed on paper.
  • An estimated total of 3.25 trillion e-mails were generated by U.S. businesses in 2002.
  • Just over 14% of U.S. corporations were ordered to produce employee e-mails in a pending civil litigation or regulatory investigation matter in 2002.
  • In a recent 2003 ABA survey, corporate attorneys acknowledged that over 83% of their business clients have no formal documentation retention/destruction policies in place.  

The topic of computer forensics can be confusing. To start, there are some technical basics that have to be understood. Next is identifying the quantifiable benefits to your clients' case.  Finally, there is the question of how computer forensics can be scaled into large cases that would otherwise be cost prohibitive. Feel free to read through these pages, which are designed to give you a basic understanding of the concepts required to manage digital evidence.


Technical Basics of Computer Forensics

Evidence is often difficult to collect in the best of circumstances, but when that evidence is electronic in nature, an investigation is faced with extra challenges.  Electronic evidence has none of the permanence that conventional evidence has, and it is even more difficult to form into a coherent argument.

The processes of collecting electronic evidence are quite strict and exhaustive.  The systems affected may be unavailable for regular use for long periods of time, and analysis of the data acquired must be performed.  So, why even bother collecting the evidence in the first place?  For two simple reasons—future preservation and submission as evidence in court proceedings.

Forensic Bit-Stream Copy - is the technical term for the end-product of a forensic acquisition of a computer’s hard drive.  The bit-stream copy is much more thorough than a standard back-up or mirror image of a hard drive.  The bit-stream copy involves the copying of every bit of data on an “evidence” hard drive, which includes the file slack and the unallocated file space from which 'deleted' files and e-mails are frequently recovered. For more detailed information you can download a bit-stream v. mirror image white paper.

Deleted isn’t always deleted - the most common assumption made by computer users when electing to delete a document or e-mail on their computer is that the file is forever gone.  This could not be further from the truth.  In fact, the deleted file has been re-assigned to the slack space of the hard drive.  While the deleted file is no longer readily apparent to the user, a bit-stream copy and subsequent examination of the slack space will likely reveal the contents of the entire document or e-mail.

What types of Storage Media can be Examined? - in addition to computer hard drives, most alternatives can also be targeted for forensic examination, such as: floppy diskettes, CDs, DVDs, Zip drives, Zip disks, thumb drives, external hard drives, tape back-ups, and even certain Personal Digital Assistant (PDA) devices.

What Methods of Examination are Used? - once the bit-stream copy of the storage media has been acquired, the examination stage can commence.  The forensic examiner works closely with the litigation team in identifying the specific scope of the search and the parameters to be followed.  The examination process is directly linked to the dates, words, names, phrases, addresses and other pertinent references that, once compiled, are loaded into a search database that will attempt to find a match through every bit and byte of the bit-stream copy of the hard drive.  Once those “hits” are located, the individual findings are reviewed for importance and relevance to the case.

Why is the Bit-Streaming Approach the Only Court-Approved Method? - the state and federal courts have weighed in on this matter for the last several years and have concluded that the bit-stream acquisition of a hard drive withstands all challenges of authentication and validation for admissibility.  Anything less than a bit-stream copy is unacceptable to the courts.
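The following is an added example, not CyberControls' own tooling, that shows in miniature what a forensic bit-stream acquisition does and why it can be validated later: every sector of the source is read in order and written to the image, the source and the finished image are hashed independently, and the recorded digest lets anyone re-verify that the image has not changed by so much as one bit. The "drive" here is a constructed 8-sector byte buffer held in memory; the sector size, the SHA-256 choice and the function names are this example's own assumptions.

```python
import hashlib
import io

# Assumed sector size for the sample; real tools read the media's own sector size.
BLOCK_SIZE = 512
N_SECTORS = 8


def bit_stream_copy(source, destination, block_size=BLOCK_SIZE):
    """Copy every byte of `source` to `destination`, sector by sector,
    hashing the source as it is read. The finished image is then
    re-read and hashed on its own, so the two digests come from two
    independent passes over the data.
    Returns (source_sha256, image_sha256, bytes_copied)."""
    src_hash = hashlib.sha256()
    total = 0
    while True:
        block = source.read(block_size)
        if not block:
            break
        src_hash.update(block)
        destination.write(block)
        total += len(block)
    destination.flush()
    return src_hash.hexdigest(), hash_stream(destination, block_size), total


def hash_stream(stream, block_size=BLOCK_SIZE):
    """SHA-256 of an entire stream, read from the beginning in sectors."""
    stream.seek(0)
    digest = hashlib.sha256()
    while True:
        block = stream.read(block_size)
        if not block:
            break
        digest.update(block)
    return digest.hexdigest()


def verify_image(image, expected_sha256):
    """Recompute the image hash and compare it with the value recorded at
    acquisition. Any modification, however small, yields a different digest."""
    return hash_stream(image) == expected_sha256


def build_sample_drive():
    """Constructed stand-in for an evidence drive: a deterministic byte
    pattern, so the example runs offline with no real media."""
    return bytes(i % 256 for i in range(N_SECTORS * BLOCK_SIZE))


def acquire_and_verify():
    """Acquire the sample drive and return what an examiner would record:
    how much was copied, whether source and image digests agree, and the
    image digest to keep with the chain-of-custody paperwork."""
    source = io.BytesIO(build_sample_drive())
    image = io.BytesIO()
    src_digest, img_digest, copied = bit_stream_copy(source, image)
    return {
        "bytes_copied": copied,
        "digests_match": src_digest == img_digest,
        "image_sha256": img_digest,
        "image": image,
    }


def tamper_detected():
    """Overwrite one byte of an acquired image and show that the recorded
    digest no longer verifies. Returns True when the change is caught."""
    record = acquire_and_verify()
    image = record["image"]
    image.seek(7 * BLOCK_SIZE)   # last sector of the sample drive
    image.write(b"\x01")         # flip a single byte
    return not verify_image(image, record["image_sha256"])


if __name__ == "__main__":
    record = acquire_and_verify()
    print("bytes copied:", record["bytes_copied"])
    print("source and image digests match:", record["digests_match"])
    print("image SHA-256:", record["image_sha256"])
    print("one-byte change detected on re-verification:", tamper_detected())
```

In practice the source would be the physical device opened read-only behind a write blocker, and the digest would be recorded at acquisition so that the copy used for examination, and any working copies made from it, can be matched against it whenever the evidence is challenged.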



Quantifiable Benefits of Computer Forensics for Your Client’s Case

While normal discovery processes can produce mounds of paper evidence, you may not have realized that it could be only a small piece of the entire puzzle.  Evidence that is hidden, deleted, or simply overlooked may reside on the computer hard drive from which you requested the information.

By using a certified computer forensics examination firm, a bit-by-bit copy of the suspect’s entire hard drive can be seized.  By capturing a forensic copy of suspect hard drives, a litigator will have the potential of putting together the story line with corroborating evidence including dates, authorship, communications with other third parties, and even intent behind the act or claim in dispute.

Digital Evidence is preserved on media that can be examined at a later date:

  • Just like physical evidence, once it is acquired, it can be analyzed over and over again for more information than what simply was produced on paper.
  • Timeline analysis of e-evidence establishes the pre- and post-event actions and behavior of the suspect and his/her computer.
  • State and Federal Courts will only accept electronic evidence that has been acquired and handled by certified forensic examiners that can demonstrate the forensic e-evidence was acquired and handled by accepted chain of custody procedures.
  • The very nature of e-evidence makes it necessary to petition to the court ASAP for the court’s sanction to capture the forensic image of all suspect hard drives before important evidence is overwritten or subject to spoliation. 

A bit stream copy is much more valuable than simply copying the file from one drive to another (mirror imaging):   

  • A forensic bit stream copy allows the examiner to analyze all of the activities that have occurred on the hard drive, not just those files that currently exist.  By copying all of the information at the bit-level, the examiner can search for and locate deleted files and communications (e-mails).
  • Temporary Internet files are another “bounty” that only comes from a true forensic bit stream copy.  Once examined and analyzed, such files often provide details about specific Internet sites that the suspect was looking at.
  • Chat room conversations using Instant Messaging programs (IM), which are not logged to a file, can be rebuilt from fragments found in temporary disk space.
  • E-mail accounts, both corporate and Internet-based, can be searched to uncover information.
  • Meta-data fields can be examined on the files, showing the creation, modification, or deletion dates as well as a wealth of other information, e.g. whether the files were copied to external media or attached to e-mails.
  • By having a bit-stream copy of the entire hard drive, the forensic examiner, if required to testify in court, will be able to validate that the entire examination was conducted on an exact duplicate copy of the original suspect hard drive with no capability to add, delete or modify any content whatsoever.  Submission of electronic evidence originating from any duplication of content from a suspect hard drive or other digital media that has not been acquired through a certified forensic bit-stream image has always been ruled inadmissible in the courts.

Keyword searches are conducted across the entire contents of the drive including both active and deleted files.   

  • The forensic examination can be initiated on a broad search basis to uncover areas and/or files for closer analysis. Other examinations might start with a refined list of names, dates, phrases, and terms that will yield faster results in locating useful information about your case.
  • The speed and efficiency of thoroughly analyzing both active and deleted files has been proven to be far more cost effective than the search and analysis process of conventional electronic document discovery which never includes examination of deleted files and e-mails.
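The example below is added here and is not CyberControls' software; it makes concrete the contrast drawn in the Technical Basics section ("Deleted isn't always deleted", file slack) and in the keyword-search list above. It builds a small constructed image with an invented directory format (one directory sector followed by data sectors; a deleted file simply has its directory flag cleared while its data stays on disk). A conventional file-level collection exports only what the directory says is active, whereas a keyword search over every byte of the image also surfaces hits in file slack and in unallocated space, and labels each hit with its offset and region so a reviewer can weigh it. The sector size, directory layout, file contents and keywords are all constructed for the example.

```python
import struct

SECTOR = 64                       # tiny sectors keep the sample readable
N_SECTORS = 8
ENTRY = struct.Struct(">BBH12s")  # flag, start sector, length, name (assumed layout)
FLAG_ACTIVE = 1


def build_image():
    """Constructed sample image (not a real file system). Sector 0 holds
    the directory; file data lives in the other sectors."""
    img = bytearray(SECTOR * N_SECTORS)
    # Sector 1 previously held a larger file; memo.txt later overwrote the
    # start of the sector but is shorter, so the tail survives as file slack.
    old = b"OLD SECTOR CONTENT (earlier file): settlement figure was higher"
    memo = b"Memo: quarterly figures attached."
    img[SECTOR:SECTOR + len(old)] = old
    img[SECTOR:SECTOR + len(memo)] = memo
    # Sector 3 holds draft.eml, which the user deleted: only the directory
    # flag was cleared, the bytes themselves are untouched.
    draft = b"Draft e-mail: the audit committee meets Thursday."
    img[3 * SECTOR:3 * SECTOR + len(draft)] = draft
    entries = [
        ENTRY.pack(FLAG_ACTIVE, 1, len(memo), b"memo.txt"),
        ENTRY.pack(0, 3, len(draft), b"draft.eml"),  # flag 0 = deleted
    ]
    img[0:ENTRY.size * len(entries)] = b"".join(entries)
    return bytes(img)


def read_directory(image):
    """Parse the directory sector into a list of entry dicts."""
    entries = []
    for i in range(SECTOR // ENTRY.size):
        flag, start, length, name = ENTRY.unpack(image[i * ENTRY.size:(i + 1) * ENTRY.size])
        name = name.rstrip(b"\x00").decode()
        if name:
            entries.append({"name": name, "active": flag == FLAG_ACTIVE,
                            "start": start, "length": length})
    return entries


def logical_export(image):
    """What a 'copy the files' collection sees: only the bytes the
    directory currently attributes to active files."""
    return {e["name"]: image[e["start"] * SECTOR:e["start"] * SECTOR + e["length"]]
            for e in read_directory(image) if e["active"]}


def classify_offset(image, offset):
    """Label a byte offset as directory, active file, file slack or unallocated."""
    if offset < SECTOR:
        return "directory"
    for e in read_directory(image):
        if not e["active"]:
            continue
        begin = e["start"] * SECTOR
        end = begin + e["length"]
        sector_end = begin + -(-e["length"] // SECTOR) * SECTOR  # round up to sector
        if begin <= offset < end:
            return "active file " + e["name"]
        if end <= offset < sector_end:
            return "file slack of " + e["name"]
    return "unallocated"


def keyword_search(image, keywords, context=12):
    """Scan every byte of the image, not just active files, and report each
    hit with its offset, region and a little surrounding context."""
    hits = []
    for kw in keywords:
        pos = image.find(kw)
        while pos != -1:
            hits.append({"keyword": kw.decode(), "offset": pos,
                         "region": classify_offset(image, pos),
                         "context": image[max(0, pos - context):pos + len(kw) + context]})
            pos = image.find(kw, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    img = build_image()
    print("logical export sees only:", list(logical_export(img)))
    for h in keyword_search(img, [b"quarterly", b"settlement", b"audit"]):
        print(f"{h['keyword']:>10} @ {h['offset']:4d}  {h['region']:24s}  {h['context']!r}")
```

Run stand-alone, the script reports that the file-level export contains only memo.txt, while the search finds "quarterly" inside the active memo, "settlement" in the memo's slack, and "audit" in the unallocated sector where the deleted draft still lives. Real file systems spread slack and unallocated space across the whole drive, but the principle the page describes is the same: the hit list comes from the bit-stream image, not from the directory.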

Using CyberControls, LLC™, as a member of your litigation team will positively impact your entire e-evidence discovery process.

  • From the very start, the CyberControls’ forensic examiner is prepared to follow your directions in conducting the preparations necessary to successfully acquire the electronic evidence.  Our team will often assist in the pre-filing discovery stage with strategic and tactical practices to ensure the court’s acceptance of an electronic evidence discovery request.
  • By working as a member of your litigation team, we commit to agreed upon time-sensitive updates throughout the entire examination and analyses i.e. update every 5 or 8 hours of analysis performed. This communication process will keep you and your team informed on all aspects and progress being made as well as the amount of time and professional fees being accrued thus far.
  • Your client will receive the benefit of a more thorough and complete investigation at a reduced cost in a shorter period of time.



Is computer forensic discovery scalable?

For CyberControls’ clients, the examination of a storage medium can be performed on a real-time basis without initially acquiring a bit-stream copy of the hard drive.  This capability arises in a number of scenarios, such as situations in which numerous computers are in question.  The examiner will set up the examination on a per-PC basis, conduct the search, and report any specific findings of relevance to the attorney or judge.  On a larger-scale project, the examination of dozens or even hundreds of computers can be accomplished using an enterprise forensic tool, which provides the examiner with network access to perform the examination.

Once the examination has located useful evidence on one or more computers, the forensic bit-stream acquisition can be performed over the network without any disruption to the users of the PCs.

The three most common objections to an e-discovery request by defense attorneys are: 

Privilege Issues:  With traditional document requests, standard operating procedures require the producing party’s counsel to review every document for privilege exemptions.  What is most decidedly missing from document production examinations is the existence of relevant “deleted” files.

With the advent of a forensic real-time examination option, a complete search for all “deleted” documents and e-mails may be conducted in a much shorter period of time in order to identify items of privilege.

Burdensome: Again, when the production of documents or e-mail back-up tapes involves dozens of boxes of documents and tens of thousands of e-mails, the work involved can take weeks if not months.  The argument often raised is that the efforts required by the client to search for and subsequently review massive amounts of data will create an undue burden upon the client’s business.

CyberControls’ ability to streamline the examination of multiple hard drives on an enterprise basis without interruption to the users of the PCs should eliminate the argument of undue burden.  In fact, the time to examine and/or acquire bit-stream copies of multiple hard drives is a fraction of the time required by the conventional document search and review methods commonly used.

Costs: The costs for document production printing alone can range between .12-.15 cents per page.  Add to that the additional costs associated with attorney review of all documents and e-mails (including attachments) and it's no wonder the costs can easily escalate into the hundreds of thousands of dollars. With the advancement of computer forensic tools and their searching capabilities, defense attorneys can significantly reduce their client's costs associated with evidentiary review and adhere to court-ordered production timelines.  This is achieved by forensically acquiring all data pertaining to the production request the first time, in order to perform a comprehensive search for all related documents and e-mails pertaining to the request.  The culled data retrieved from the search will likely be a small percentage of the total data inventory originally acquired, thus reducing attorney review time considerably.  This will also safeguard the client's data, a forensic copy of it having been made, thus avoiding any potential of inadvertent spoliation of prospective evidence.

For a FREE, no obligation initial consultation of how your firm can utilize CyberControls professional services, please call us at 1-847-756-4890.



© 2010, CyberControls, LLC™. All rights reserved.