When, Why and How Should Receivers Use Computer Forensic Experts to Build an Administrative Base and Prevail in Litigation?

By Kaplan, Ronald*

Can a receiver appointed over a business rely upon the integrity of records seized? Can he or she rely upon the truthfulness and candor of the principals and employees of the company? Sadly, the answer to both questions is “Usually not.” This creates a need for computer forensics experts to vet the business records and create a trustworthy financial foundation for the receiver’s administration.

Virtually all businesses use computers for record keeping and correspondence. Many businesses faced with failing finances and imposition of a receiver modify or delete damaging material, leaving little or no audit trail. In this way the computer becomes a tool for fraud and deception. But a computer forensic expert can often find and reconstruct the modifications and deletions — and in a manner that is easy to understand and will pass evidentiary hurdles.

Lawyers are learning the value of thoroughly searching electronic data. Searches by skilled experts may turn up missing documents, pertinent email messages, drafts of deleted documents, internet search activity, and a host of additional information and activity that may have a major impact on a case (or on a receiver’s administration).

One case I worked on illustrates this. My examination of company computer records revealed that a second set of books was kept by the company, hiding on the hard drive. The records that had been produced at the request of counsel up to that point had been screened and sanitized, showing only a fraction of the real ongoing activity. My team resurrected the real, complete records and produced accurate reports and transaction logs. This allowed my client to make (and prove) a more accurate assessment of the damages caused by defendants.
Courts have recognized that electronic record keeping is ubiquitous, and reported decisions have established case law governing electronic discovery procedures, cost sharing, privileges, and discoverability. For example, in adversarial discovery situations it is nearly impossible to prevent discovery of electronic data. The law is clear that employees do not have any right of privacy with respect to the information stored on company-owned computers they utilized. Further, if a personally-owned computer is used to conduct company business, that computer is also subject to discovery. New federal discovery and preservation rules instituted at the end of 2006 create additional obligations for litigants in terms of electronic data.

Most computer users cannot even remember everything they created and viewed on their computer in the last week, much less last month or last year. Users feel secure that a deleted document or email will never resurface. Wrong. The fact that virtually all computer activity is date and time stamped and retained in a computer’s hard drive memory makes computers an invaluable resource for pinpointing details that are often lost or forgotten. Deleted information that still resides on the hard drive can neither be easily located and produced by a user who needs it nor wiped by a user trying to cover his tracks.

When is Forensic Searching Cost Effective?

Determining what to search can be very difficult, especially if you don’t know the precise object of your searches. I have been involved in cases where the contract at issue was believed to be fraudulent. We identified the computers where the document could have been produced and searched using words believed to be unique to the document. We found multiple copies of the document on a single hard drive – not an unusual result. Where the search is of a more nebulous nature, like finding activity documenting intellectual property theft, structuring and executing the search is much more difficult.
These searches are often an iterative process, where the list of search terms grows as initial search results are reviewed. The best places to start are local hard drives of any individuals who might have created or received any relevant documents or email. Hard drives from these PCs must be preserved at the earliest possible time. It may also be very important to preserve other network devices like firewall machines, DHCP servers, file servers, etc., depending on the goals of the forensic examination.

What Is the Cost of a Forensic Search?

Drive examination costs are even more difficult to anticipate because of the variety of applications and data formats that may be present. This requires the following steps:
The final cost category is reporting. The purpose of the report must be considered. If, as is often the case, the report is to go to opposing counsel for privilege/privacy review, a report which enables the recipient to review and mark privilege/privacy items must be created. It must be done in a format consistent with the software available and must be simple to use. The amount of data selected for the report, the purpose of the report, and the format(s) of the data reported all contribute to the cost.

Hourly rates for services vary between $100 and $500 per hour, depending on the testifying experience, technical expertise, and geographic location of the forensic experts involved.

It is imperative that the processes utilized do not compromise the value of the data under examination when dealing with electronic data. A documented chain of custody and use of proper, defensible tools and procedures are critical to establish and preserve the credibility of the information found. Computer forensics experts are expensive, but trying to save a few dollars by using a computer technician as a substitute can be a mistake. A technician may find what you are looking for but, in the process, may contaminate the hard drive and render the evidence inadmissible or invalid. Be assured that the validity or authenticity of the “smoking gun” data discovered will be challenged.

What Is the Admissibility of the Discovered Data?

Computer forensic information can be misinterpreted. In a recent case experts for opposing counsel interpreted the presence of a very large amount of zeros (or blank space) as evidence of data spoliation. While it was unusual to see such a large amount of unused disk space, a careful examination of the data on the drive and a few questions to the user of the computer established a provable and entirely innocent explanation for all the blank space.
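An added example, not from the original article: a read-only keyword search over a raw drive image, of the kind described earlier, that looks for each term in both UTF-8 and UTF-16LE and hashes the image before and after the search so the examiner can show the evidence was not altered. The function names, the search phrase and the zero-filled sample image are constructed for illustration.

```python
import hashlib

CHUNK = 1 << 20  # read the image in 1 MiB blocks
PHRASE = "Zephyr Holdings side letter"  # constructed search term

def sha256_file(path):
    """Hash the whole image so its integrity can be shown before and after."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def search_image(path, terms):
    """Return {term: [byte offsets]}; terms are non-empty, case-sensitive strings."""
    pats = {t: (t.encode("utf-8"), t.encode("utf-16-le")) for t in terms}
    overlap = max(len(p) for ps in pats.values() for p in ps) - 1
    hits = {t: set() for t in terms}
    with open(path, "rb") as fh:  # opened read-only: the image is never written
        base, tail = 0, b""
        for block in iter(lambda: fh.read(CHUNK), b""):
            # Prepend the end of the previous block so hits that straddle
            # a block boundary are still found; the set removes duplicates.
            window, start = tail + block, base - len(tail)
            for term, encodings in pats.items():
                for pat in encodings:
                    pos = window.find(pat)
                    while pos != -1:
                        hits[term].add(start + pos)
                        pos = window.find(pat, pos + 1)
            tail, base = window[-overlap:], base + len(block)
    return {t: sorted(offs) for t, offs in hits.items()}

def examine(path, terms):
    """Search the image and record hashes taken before and after the search."""
    before = sha256_file(path)
    hits = search_image(path, terms)
    after = sha256_file(path)
    return {"sha256_before": before, "sha256_after": after,
            "unaltered": before == after, "hits": hits}

def build_sample_image(path):
    """Constructed sample: a zero-filled 'drive' holding two copies of PHRASE."""
    data = bytearray(3 * CHUNK)
    data[4096:4096 + len(PHRASE)] = PHRASE.encode("utf-8")
    wide = PHRASE.encode("utf-16-le")
    data[CHUNK - 10:CHUNK - 10 + len(wide)] = wide  # straddles a block boundary
    with open(path, "wb") as fh:
        fh.write(data)
```

In practice the search would be run against a verified forensic copy rather than the original drive, and the two hashes would be recorded in the chain-of-custody documentation.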
Often the subject of the dispute is the date when an agreement was made, when correspondence was sent, or when funds were paid or received. If electronic records are maintained, the computer’s method of logging, organizing and sequencing information can provide an option for independent validation. Email or other computer records, when printed, can be manipulated to support the position of one party. But the electronic version of the very same record contains information not available in the printed form, information that may enable validation of the record or document.

What Is the Likelihood of Success?

When Should One Contact the Forensic Expert?

To Summarize…

The science aspect encompasses the tools used to capture, sort and select the data for review by counsel. An expert brings a wealth of knowledge about how computers operate and where programs and operating systems store data or encode information about where and when information was placed on a computer’s hard drive. Those experts who excel at combining the art and science of forensic searching are most helpful in supporting and assisting counsel in making those arguments that win cases.

*Ronald E. Kaplan, a nationally-published management consultant and computer forensic expert with SICons in Los Angeles, holds an MS in computer science and an MBA in business administration from UCLA. He has been involved in computer forensics for more than 10 years, has testified and performed expert examinations for a wide range of industries and many law firms. He is frequently quoted in publications such as Forbes and PC Week. His testimony was cited by name by California Appellate Judge J. Epstein in a 1999 precedent-setting case related to terminating sanctions for computer data spoliation, R.S. Creative, Inc., vs. Creative Cotton, Ltd., 75 Cal. App. 4th 486 (1999). Mr. Kaplan can be reached at (310) 551-0400 ext. 527 or at rkaplan@sicons.com.