Find an Expert Witness

Forensic, General & Medical
Expert Witnesses

Following Procedure

Rules change is forcing organizations to establish processes for archiving, retrieving and handling data for evidentiary purposes.

The “Federal Rules for Civil Procedure” sounds like an instant cure for insomnia, but it’s keeping many people in the business and legal communities up at night.

Established by the Supreme Court and amended by the court and acts of Congress, the FRCP prescribes general rules of practice and of evidence for cases in U.S. district courts and courts of appeals. It recently underwent its first major overhaul in decades, and the impact of these changes on businesses is not yet clear.

“There’s a great deal of uncertainty, due in part to the fact that a change of this magnitude at the federal level has not occurred in a generation or more,” said Tom Smith, President of Ispirian Computer Forensics. “That was a time when our music might have resided on an eight-track tape rather than an iPod, and a computer filled a room and not a portion of a desktop. A lot has changed.”

Indeed, many of the changes to the FRCP have to do with electronically stored information. Smith, a forensic scientist and a member of the American College of Forensic Examiners Institute of Forensic Science, has been called upon recently to help attorneys and executives sort out what these changes mean.

“Organizations will need to organize and archive their electronic data so that it can be quickly located and restored if necessary, and so that relevant information can be extracted at least expense while guarding against data handling issues that might result in allegations of spoliation and the possibility of costly sanctions,” Smith said. “While this is a scary notion, there is a positive side for businesses. The revised FRCP makes it an action item for businesses to examine their data archival and retention policies.

“It also allows the information technology team to integrate the requirements of the FCRP into their backup and disaster recovery plans. So, apart from preparing for possible litigation, the process will undoubtedly place many businesses on firmer ground with respect to business continuity capabilities: They might be able to recover from a disaster recovery event because the planning actually took place.”

Computer Forensics Highlighted

Smith believes that computer forensics as a practice has benefited from the news of the revised FRCP, which went into effect December 1st of 2006. It has helped raise awareness of the proper processes for investigating computer equipment and digital media and ensuring that any electronically stored evidence collected can be used for litigation.

“The general public is more aware of forensics through TV programs like CSI,” Smith said. “In the corporate world, more and more executives are learning that computer forensics is a very specialized form of data recovery that applies scientific methods to digital media in order to establish factual information for subsequent legal or administrative review. It’s becoming increasingly important that an organization engage a computer forensic specialist - not an IT generalist - to handle any sensitive computer examination activities.”

Electronic data is fragile, and its collection and examination should be conducted by individuals with the proper training and skills. For example, a computer forensics examiner understands the necessity to preserve data in its original, unaltered form and to log every access of the data source. Examination of electronic data must be from authenticated exact copies of original media.

“The process of authentication involves the use of one-way cryptographic algorithms that operate from inputs of varying size, such as every bit of information contained on a given hard drive. This produces a fixed-length result called a message digest that is, in essence, a digital fingerprint representing the unique contents of the original media,” Smith said. “If the message digest of the original media is the same as the message digest produced from the forensic copy, the two are considered identical. Is it possible that two entirely different media sources having different content can produce the same message digest? Yes, it’s ‘possible, but the odds of this happening are considered computationally infeasible. The probability of this occurring using the MD5 algorithm is around 1 in 340 undecillion — that’s 340 followed by 36 zeroes. Thus, the message digest is considered more reliable than DNA and fingerprints.”

Collecting Digital Evidence

Even when you’re assured that a forensic copy is available for examination, how would you approach the examination of tens of billions of bytes of data? A “techie” might decide to start by attaching the hard drive to a Windows computer as a secondary hard drive without the use of a write-blocking mechanism. This will become a problem, because the Windows operating system immediately alters the contents of the volume for its own purposes. What if the same techie decided to just open a word processing document on that hard drive for “a quick peek?” Again, the operating system and the application update information (metadata) about files contained on the hard drive, even if it is just the date and time it was last accessed. How would this affect the evidentiary value of the document?

“The file could be essentially useless for litigation,” Smith said.

Computer forensic examiners understand how to avoid these pitfalls, as well as recover digital evidence that would elude even the most skilled technician. For example, computer forensic examiners have tools that can recover “deleted” e-mail and even establish the hierarchy of e-mail communications between individuals. Other special capabilities of forensic computer examiners include password cracking, file decryption, and full and partial file recovery from file slack and unallocated space.

“I am contacted frequently by organizations — usually from the information security department — who need guidance as a result of inquiries from their in-house legal departments. Most information security teams are already overburdened and, because of the need for specialized processes to collect and preserve electronic evidence, more and more organizations have been inquiring about services from firms like Ispirian. These calls can lead to requests for the oftentimes covert forensic collection and duplication of digital media to be found within their organizations.”

A computer forensics specialist also gains an understanding of a case that, when combined with their knowledge of operating system behaviors, file system architectures and forensic tools and methods, will safely streamline the examination and reporting processes. Working through counsel, these professionals can help business executives sleep better at night.

Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer.For specific technical or legal advice on the information provided and related topics, please contact the author.

Find an Expert Witness