
Early Engagement of a Computer Expert Maximizes the Value of Electronic Evidence


By Interhack Corporation, Computer Forensic Expert Witness: Data Breach, Information Security, Cybersecurity

Call Lee T. Ayres, CISSP at (614) 545-4225


Finding answers to the questions that arise in litigation often hinges on the proper acquisition, preservation, analysis, and presentation of electronic evidence. Reliance on electronic information is sure to increase as computer systems continue to integrate into more aspects of modern life. An experienced computer expert can provide key insight into making the best use of electronic evidence in a case.

Consider a case where a group of employees within a company strikes off to form a competing enterprise. Plaintiff's counsel suspects that the employees met at a coffee shop shortly before resigning. They are believed to have collected data proprietary to the plaintiff that would be useful in getting their enterprise started. Evidence suggests that, to gain a competitive advantage, they deleted email contact information for some hot sales leads before returning their issued laptops. Now what?

Our computers record when we turn them on and off, when we log in, when we send email, when we browse the Web and what we look at, even when we use the printer or the CD burner. Even our cell phones know who we called and when; our GPS receivers remember where we were and where we were going. Some of our cars keep tabs on when we hit the gas or brakes and how fast we are going at the time.

Even when an event is not explicitly logged by a computer, the effects of the event may leave traces. Reading a document with a program such as a word processor changes the "last accessed" time stamp of that document. Deleting a document can leave traces in the Recycle Bin and on unused portions of the hard drive.

In our example, at the direction of a computer expert, the laptops returned by the ex-employees are imaged forensically, and data that had been deleted from them is recovered. When the data were deleted can be demonstrated to a high degree of scientific certainty. Computers are searched for log information that identifies a specific storage device, including manufacturer and serial number, that was plugged into all of the laptops in question on the same day around the same time. This device is included in discovery. The laptops all contain traces of having connected to the coffee shop's free wireless network at around the same time, providing evidence that the subjects were together in the same place at the same time.
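The cross-laptop correlation described in this example can be sketched in code. The Python below is an added illustration, not Interhack's tooling: it assumes the per-laptop records have already been extracted from the forensic images, and the record layout, laptop names, device serials, network name and times are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records: (laptop, kind, identifier, time seen).
# Every value here is invented for illustration.
EVENTS = [
    ("laptop-A", "usb",  "VendorX SN-0001", "2008-03-14 09:12"),
    ("laptop-B", "usb",  "VendorX SN-0001", "2008-03-14 09:31"),
    ("laptop-C", "usb",  "VendorX SN-0001", "2008-03-14 09:47"),
    ("laptop-A", "usb",  "VendorY SN-7777", "2008-02-02 16:05"),
    ("laptop-A", "wifi", "CoffeeShop-Free", "2008-03-14 09:02"),
    ("laptop-B", "wifi", "CoffeeShop-Free", "2008-03-14 09:05"),
    ("laptop-C", "wifi", "CoffeeShop-Free", "2008-03-14 09:20"),
    ("laptop-B", "wifi", "HomeNet",         "2008-03-13 20:40"),
    # An unrelated earlier visit must not be mistaken for the meeting.
    ("laptop-C", "wifi", "CoffeeShop-Free", "2008-01-05 08:00"),
]

def shared_artifacts(events, window_minutes=120):
    """Return (kind, identifier, first, last) for every device or network
    that appears on ALL laptops within a single time window."""
    # The window should also absorb clock differences between machines.
    window = timedelta(minutes=window_minutes)
    laptops = {e[0] for e in events}
    groups = {}
    for laptop, kind, ident, ts in events:
        seen_at = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        groups.setdefault((kind, ident), []).append((seen_at, laptop))
    hits = []
    for (kind, ident), seen in sorted(groups.items()):
        seen.sort()
        # Slide a window forward from each sighting and check whether
        # every laptop shows up before the window closes.
        for i, (start, _) in enumerate(seen):
            in_window = [(t, l) for t, l in seen[i:] if t - start <= window]
            if {l for _, l in in_window} == laptops:
                hits.append((kind, ident, start, in_window[-1][0]))
                break
    return hits

if __name__ == "__main__":
    for kind, ident, first, last in shared_artifacts(EVENTS):
        print(f"{kind:4} {ident:16} on all laptops between {first} and {last}")
```
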

When dealing with electronic evidence, timing may be critical. Several forces work to erode the usefulness of digital information. If every event logged by a computer were stored in perpetuity, we would run out of available drive space. Hence, most log entries are overwritten after a predetermined period of time. The ability to read data that has been deleted degrades as the old data is overwritten by the new. Timelines that could be established by file system activity time stamps can be impacted as new time stamps replace old ones. This blurring of evidence could mean that even data that has not been materially corrupted may be called into question by informed counsel.

Consultation with a computer scientist experienced in the legal context may provide value in the formation of strategy early in the development of a case. Understanding what an expert can and cannot establish with digital evidence may improve chances for success. Preliminary analysis can provide direction. Information that may be discovered by opposing experts may be uncovered as strategy is being developed to avoid surprises later on.

Prior to depositions in our example case, being aware of the typical retention period of Internet service providers, the computer expert suggested that counsel subpoena the new company's email records. When questioned about the deleted contact information the defendants assert that they intended to erase personal contacts unrelated to the business and deleted the others as an unintentional consequence. The subpoenaed email logs show that soon after the new company was formed, most of the deleted contacts were sent messages.

While the specifics of a case may warrant a different approach, in some cases simply taking a forensic image for future review may provide a great deal of value, and need not be a heavy burden. A properly performed forensic acquisition is not likely to impact the data on a computer, and generally after an acquisition there is no technical reason the computer cannot be put back into service.

Not all data analysis techniques are equal: a forensic computer scientist can use critical information about systems that consumer-grade services would never see. If the plaintiffs in our example used a commodity "undelete" utility to recover the contact list, they might have eliminated all evidence that the data had been deleted in the first place. Simply powering on the computer hoping to see what might have happened could affect file time stamps and overwrite critical log information. Each of these events affects the legal claims that can be supported by scientific analysis.

The right approach for handling the array of digital evidence available to an attorney can vary widely between cases. A qualified computer scientist can help in making the best use of the data at your disposal, in ensuring that you acquire what is needed while it is still available, and in reducing the surprises you may face as the case unfolds.

Copyright 2008 Interhack Corporation

ABOUT THE AUTHOR: Lee T. Ayres, CISSP
Lee Ayres is a Senior Analyst at Interhack Corporation, a Columbus-based information assurance and forensic computing firm, providing expert testimony, forensic analysis, and electronic discovery for attorneys all over the country. Interhack's work is used to find the right questions to ask and the best answers science can provide.



While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer.
For specific technical or legal advice on the information provided and related topics, please contact the author.
