Common Mistakes Made During A Computer Forensic Analysis
The statistics are familiar: 85% of all corporate data is stored electronically, 93% of new data is stored electronically, and approximately 75% of this information is never printed. Consequently, in almost every legal matter, critical and relevant evidence will take the form of Electronically Stored Information (ESI). Proper collection and examination of this evidence is critical to avoid spoliation, to preserve the evidence, and to manage cost. Computer forensics is the methodology that ensures electronic evidence is properly acquired and handled so that it retains its evidentiary status.
Mistake #1 – Using the internal IT staff to conduct a computer forensics investigation
Important data is suspected to reside on a computer, it is believed that the data will be important to the case, and access to the site and the system has been provided. The attorneys ask an IT technician to print, download, and/or save the data to portable media. The technician goes to the site, turns on the computer, opens the files, prints the data, and saves it to a CD. At this point everything appears fine: the data has been collected and costs have been kept to a minimum.
But appearances can be deceptive. At this point the situation is certainly not fine, and in many ways it is quite bad. First, all you have is information and data, not evidence. Unless your IT staff is specifically trained (and very few are) in evidentiary procedures, they have probably not maintained a proper chain of custody or followed other accepted evidence-handling techniques. Second, even if proper evidence-handling techniques were used, the collection process itself has altered, and likely tainted, the data collected. By opening, printing, and saving files, the meta-data has been irrevocably changed. Third, turning on a computer changes caches, temporary files, and file slack space, which, along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was on the computer.
Depending on the damage done by the internal IT staff, a skilled computer forensics vendor may still be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than the original analysis would have. Moreover, it is not always possible to restore evidence, especially meta-data timelines, from computers that have been mishandled. This creates a risk of professional malpractice for a law firm that elected to use internal IT resources rather than trained computer forensics experts for the investigation. Thus, a good rule of thumb is to always use a qualified external vendor for computer evidence collection. (See GDF’s additional notes in the FAQ section.)
Mistake #2 – Waiting until the last minute to perform computer forensics
As litigation can be extremely expensive, it is not uncommon for opposing sides to agree to settle a matter rather than bear the full costs of litigation. Consequently, until a matter actually reaches the court (and sometimes even after that point), there can be great uncertainty as to how far it will be pursued. It is therefore not unusual, and not necessarily imprudent, for attorneys to delay or defer expensive litigation support services until they can be certain these services will be required. This approach sometimes requires the client to pay a premium for last-minute or overtime services, but it generally reduces the client’s total legal costs.
Computer forensics, however, does not follow this paradigm. Delaying or deferring forensics expenses can not only significantly increase the costs to the client, but may also damage their ability to win the litigation. This is due to the unique nature of electronic evidence.
In general, electronic evidence in the form of undeleted standard user files is fairly robust and stable. Many matters, however, depend on the ability to authenticate user files, reconstruct timelines based on file usage, and recover deleted files. This type of evidence is extremely fragile and naturally degrades over time as the computer is used. Unless the evidence has been mishandled or intentionally destroyed, skilled certified forensics experts can generally, but not always, recover it. The longer this evidence has been allowed to degrade, however, the greater the odds that the information is unrecoverable, and the more difficult and time-consuming the recovery effort will be. Hence the recovery process may be extremely expensive, even before the substantial service premiums that short-notice work may require.
Given the uncertainty related to settlement versus litigation, it would be inadvisable to perform a complete computer forensics examination in every matter. The nature of forensic collection provides an elegant solution to this quandary. Forensic collection is based on the principle of imaging, which creates an exact bit-by-bit copy of the electronic media that is then protected from further alteration. Thus, collecting evidence from a system preserves a snapshot of that system at that particular moment in time, which can be examined later. Compared to forensic examination, the process is relatively simple and inexpensive. Typically, forensic examinations cost 3 to 4 times more than forensic acquisitions; complex/deep forensic examinations can be as much as, or greater than, 9 to 10 times the expense of a forensic collection. A good rule of thumb is that if there is a chance the matter will progress to litigation requiring the evidence, a “Quick Analysis,” or at a minimum the imaging, should be completed.
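Imaging and hash verification in miniature, as an added example that is not part of this article or of GDF’s own tooling: a Python 3 script that takes a bit-for-bit copy of a constructed sample file, records its SHA-256 hash in a minimal chain-of-custody entry, shows that the recorded hash catches any later change to the image, and contrasts this with the “open it and save it” handling from mistake #1, which rewrites the original’s modification time. The file names, the sample content, and the timestamp are all constructed; a real acquisition images the whole medium through a write blocker with purpose-built tools, which this script only illustrates.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass

CHUNK = 1 << 20  # stream in 1 MiB blocks so large media never has to fit in memory

# Constructed sample content; not a real document.
SAMPLE = b"Constructed sample evidence: draft memo, not a real document.\n"


@dataclass
class ImageRecord:
    """Minimal chain-of-custody entry written when an image is taken."""
    source: str
    image: str
    size: int
    sha256_source: str   # hash of the bytes as they were read from the source
    sha256_image: str    # hash of the finished image file, computed separately
    acquired_at: float   # acquisition time, epoch seconds


def sha256_of(path: str) -> str:
    """Hash a file without loading it whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def forensic_image(source: str, image: str) -> ImageRecord:
    """Bit-for-bit copy: the source is only ever opened for reading, the bytes are
    hashed as they stream past, and the finished image is re-hashed on its own so
    the two digests prove the copy is exact. The image is then write-protected."""
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            size += len(block)
    os.chmod(image, 0o444)
    return ImageRecord(source, image, size, h.hexdigest(), sha256_of(image), time.time())


def image_verifies(rec: ImageRecord) -> bool:
    """Later check: does the image still hash to what the record says it did?"""
    return rec.sha256_source == rec.sha256_image == sha256_of(rec.image)


def naive_collect(path: str) -> bytes:
    """Mistake #1 in miniature: open the original and 'save' it. Even writing the
    identical content back rewrites the file, so its modification time is lost."""
    with open(path, "rb") as fh:
        data = fh.read()
    with open(path, "wb") as fh:
        fh.write(data)
    return data


def demo() -> dict:
    """Constructed scenario: one file with a known old timestamp, collected both ways."""
    workdir = tempfile.mkdtemp(prefix="forensic-demo-")
    evidence = os.path.join(workdir, "memo.txt")
    with open(evidence, "wb") as fh:
        fh.write(SAMPLE * 100)
    old_mtime = 1_500_000_000  # constructed "last modified" time
    os.utime(evidence, (old_mtime, old_mtime))

    # Forensic path: image first, verify, and examine only the image afterwards.
    rec = forensic_image(evidence, os.path.join(workdir, "memo.img"))
    mtime_after_imaging = int(os.stat(evidence).st_mtime)
    verified_at_acquisition = image_verifies(rec)

    # Simulate an accidental later change to the image copy (write protection is
    # lifted here only for the demonstration): the recorded hash must catch it.
    os.chmod(rec.image, 0o644)
    with open(rec.image, "r+b") as fh:
        fh.write(b"c")  # flips the first byte, 'C' -> 'c'
    tamper_detected = not image_verifies(rec)

    # Mistake #1 path: handle the original directly.
    naive_collect(evidence)
    mtime_after_naive = int(os.stat(evidence).st_mtime)

    return {
        "image_size": rec.size,
        "verified_at_acquisition": verified_at_acquisition,
        "tamper_detected": tamper_detected,
        "mtime_preserved_by_imaging": mtime_after_imaging == old_mtime,
        "mtime_preserved_by_naive": mtime_after_naive == old_mtime,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the five outcomes: the image verifies at acquisition, the later one-byte change is detected because the stored digests no longer match, imaging leaves the original’s modification time untouched, and the naive open-and-save handling does not. The two independently computed digests on the record are what a vendor would document at collection time; the same check can be repeated at any later point to show the snapshot has not changed.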
Mistake #3 – Too narrowly limiting the scope of computer forensics
If you are involved in a complex matter, it can often be very difficult to know which systems hold evidence and which do not. Did the principals use their home computers? Did they use the file servers? Which email servers were involved? Is their data stored offsite? Is it on portable media? One of the most common mistakes, both in investigations and in discovery, is limiting the scope of computer forensics too narrowly. There are two principal reasons this occurs. First, it is an attempt to limit costs by limiting computer forensics. Second, the individuals involved do not understand computer systems or forensics well enough to know where to look for evidence. See mistake #5 below.
As a cost-mitigation approach, limiting the scope is closely related to mistake #2 above, and the outcome is identical: servers or systems are not initially collected, evidence is later required from them, and the cost of forensics increases significantly because of the degraded state of the data. The rule of thumb above applies here too: if there is a 20% chance that evidence from a system will be needed, forensically collect it. Analysis can always be deferred until there is more certainty about its necessity.
Mistake #4 – Not preparing the client to preserve electronic evidence
Given the ubiquitous use of computers and electronic storage of information, any company, regardless of size, should expect and be prepared to preserve electronic evidence. The emerging case law standard is that the duty to preserve electronic evidence begins when the future litigants have a reasonable belief there may be future litigation. Yet, the majority of corporations do not have a plan in place to respond to a preservation order.
Failure to preserve electronic evidence can be exceedingly costly to a client and, by extension, to their external counsel. In a recent case, a company was fined $1,000,000 and faced courtroom sanctions because, while it had instructed employees not to delete files, it neglected to stop the automatic overwriting of backup tapes. The company in turn fired its external counsel and hired a new firm, which was able to reduce the fine and mitigate the impact of the sanctions. All of this could have been avoided if the first law firm had properly prepared the client for the preservation order.
As many companies do not have proactive plans for preserving electronic evidence, it often falls to outside counsel to advise them on how to respond. Unfortunately, outside counsel is not always well positioned for this role. First, they rarely have sufficient IT knowledge to assess how their client’s IT infrastructure relates to, and interacts with, the preservation order. Second, as illustrated in mistake #1 above, external counsel typically does not have the forensics capabilities necessary to correctly preserve electronic evidence. Nevertheless, a qualified computer forensics team working with external counsel and the client’s IT and legal teams can provide the point expertise in electronic evidence needed to prepare a client to respond successfully to a preservation order. Consequently, even when there is just a “reasonable belief” that there may be litigation, thereby invoking the duty to preserve, it is a good rule of thumb to consult your qualified computer forensics vendor on proactive electronic evidence preservation.
Mistake #5 – Not selecting a qualified computer forensics team
If a company or an attorney is seeking to avoid the first four mistakes discussed above, they will have to rely on an external certified computer forensics provider. As electronic evidence is more critical today in determining the outcome of disputes than ever before, it is essential that one’s computer forensics provider be capable and qualified. Selecting the wrong firm could increase costs, lose a case, or even destroy a client relationship. Computer forensics, however, is a constantly evolving discipline and there are many companies and individuals that are offering “computer forensic services.” But what makes a “qualified computer forensics partner?”
The first thing to consider is that computer forensics is more than just using EnCase or any other popular program to collect and analyze evidence. Operators may be certified only in the use of a single program, without being fully certified computer forensic investigators. EnCase is a forensic product for the Windows operating system and is an essential, useful and accepted tool for that environment. However, many matters require the collection of evidence from UNIX, Macintosh, AS400, or legacy systems which EnCase will not support. A qualified computer forensics vendor must have the capability to work effectively across platforms and with legacy systems. This expertise should also enable them to act as expert witnesses on your or your client’s behalf.
The second thing to consider is that your computer forensics expert needs to be a trusted advisor. They must be able to understand the cost trade-offs associated with late versus early, or narrow versus broad forensic collection and analysis. This requires they have the capability to look beyond the transactional cost of an analysis to the total cost of litigation, both for the client and law firm. Ultimately, this extends to the ability to provide trusted and accurate advice to a client when they receive a preservation order for electronic evidence.
The third thing to consider is that, as with attorneys or any other professional service, price is not necessarily an adequate metric of quality and service. Inexpensive providers are not necessarily unqualified and expensive providers are not necessarily overpriced. It is essential, therefore, to interview and assess the forensics firms. Here are some questions to consider:
- Do they follow accepted protocols and procedures?
- Can they handle the nuances of different systems and hardware?
- Do they know how to balance the cost of early versus late and broad versus narrow forensics collection and analysis?
- Can they advise you and/or your client on discovery and preservation strategies?
- Have they served as expert witnesses?
- Who are their references?
- How many years have they been in business?
- How quickly can they react?
- In how large of a service area can they help your clients/branches?
- Do they comply with DOJ practices in their own labs? (Beware if they don’t have a forensics lab at all)
Computer forensics may be an unknown and mysterious discipline to many attorneys, but it is easy to avoid the most common procedural mistakes. First, use a proven forensics partner and do not rely on the internal IT staff for computer forensics investigations. Second (and third), if there is a 20% chance evidence from a computer system will be needed, forensically collect the evidence. Forensic analysis can always take place later, but through early and broad collection the total cost of computer forensics is reduced. Fourth, leverage your forensics partner to prepare your clients to respond to electronic evidence preservation orders so they avoid eDiscovery-related fines and sanctions. Finally, choose your forensics vendor carefully, ensuring they have a wide breadth of technical knowledge, fully understand electronic evidence, and are highly experienced and recommended by past clients.