Opportunities To Challenge Computerized Evidence

By: David Nolte, Principal of Fulcrum Inquiry

Increased use of computerized data in disputes also increases the number of times that incorrect conclusions are reached because the data has not been properly obtained, handled and interpreted.  Whether presented by you or your opponent, attorneys should understand what could go wrong. 

If the computer evidence has not been properly obtained, consider excluding the potential evidence altogether. Here are items to consider:

1. The acquisition of electronic evidence is the most critical phase since data can be unintentionally modified.  Consequently, forensic evidence acquisition must follow established protocols.  Ensure that this is occurring with your evidence that you wish to use, and challenge the methods employed when faced with evidence that you wish excluded.  As a shortcut in this area, examine the qualifications of the person who acquired the evidence, and the analyzing examiner.

2. Evaluate what might have happened to the data before the computer forensic expert arrived.  For example:

    a. An expert should examine the hard drive to establish the users of that system.  It may be possible to prove a different user performed the action or creation of evidence.

    b. Are there any Trojan horses, viruses, spyware, or other back-door applications that may have created the actions or evidence?

    c. Could the information found already have been present on the computer prior to the party receiving access to the computer?  Companies often recycle computers when employees leave.  Companies rarely completely clean the hard drive before passing the computer to a new employee.

3. Verify the authenticity of the evidence.  When a hard drive image is created, a unique signature file (or hash) is generated.  If the proposed evidence does not match the original signature, the data has been altered, raising the issue that the proposed evidence should not be accepted.

4. Evaluate whether reasonable expectations of privacy have been violated.  For example:
    a. A wife may not access information without authorization, and then use the information as evidence if the husband used separate accounts or passwords to which the wife did not have access.

    b. An employer may not access employee information without authorization, and then use the information as evidence, unless the business visibly has policies that allow such access and enforces such policies.

    c. In criminal cases, warrants need to be issued prior to seizing information.
5. Compare the timeline of the evidence and the alibi of the client.  Was there any attempt to conceal (erase) information before the forensic examination?  For more information, see Evaluating Electronic Evidence.

Electronic evidence provides information that would not be obtained in the normal discovery process.  But, this additional evidence faces its own pitfalls and frailties.

Fulcrum Inquiry performs electronic discovery assistance and computer forensic examinations.

About the Author: David Nolte is Principal of Fulcrum Inquiry and has worked with a broad range of firms/industries in both litigation and non-litigation settings.  His ability to analyze and explain complex financial matters has proved useful in numerous commercial disputes.  He may be reached at dnolte@fulcruminquiry.com.