Fall 2007 • Issue 26, page 6

When, Why and How Should Receivers Use Computer Forensic Experts to Build an Administrative Base and Prevail in Litigation?

By Kaplan, Ronald*

Can a receiver appointed over a business rely upon the integrity of records seized? Can he or she rely upon the truthfulness and candor of the principals and employees of the company? Sadly, the answer to both questions is “Usually not.” This creates a need for computer forensics experts to vet the business records and create a trustworthy financial foundation for the receiver’s administration.

Virtually all businesses use computers for record keeping and correspondence. Many businesses faced with failing finances and imposition of a receiver modify or delete damaging material, leaving little or no audit trail. In this way the computer becomes a tool for fraud and deception. But a computer forensic expert can often find and reconstruct the modifications and deletions — and in a manner that is easy to understand and will pass evidentiary hurdles.

Lawyers are learning the value of thoroughly searching electronic data. Searches by skilled experts may turn up missing documents, pertinent email messages, drafts of deleted documents, internet search activity, and a host of additional information and activity that may have a major impact on a case (or on a receiver’s administration).

This potential treasure trove can’t be properly accessed without the assistance of an expert. The challenge is greater than just finding the smoking gun – the expert must also locate and preserve all the data that still exists before it is (intentionally or unintentionally) made irrecoverable.

One case I worked on illustrates this. My examination of company computer records revealed that a second set of books was kept by the company, hiding on the hard drive. The records that had been produced at the request of counsel up to that point had been screened and sanitized, showing only a fraction of the real ongoing activity. My team resurrected the real, complete records and produced accurate reports and transaction logs. This allowed my client to make (and prove) a more accurate assessment of the damages caused by defendants.

Courts have recognized that electronic record keeping is ubiquitous, and reported decisions have established case law governing electronic discovery procedures, cost sharing, privileges, and discoverability. For example, in adversarial discovery situations it is nearly impossible to prevent discovery of electronic data. The law is clear that employees do not have any right of privacy with respect to the information stored on company-owned computers they use. Further, if a personally-owned computer is used to conduct company business, that computer is also subject to discovery. New federal discovery and preservation rules instituted at the end of 2006 create additional obligations for litigants in terms of electronic data.

Most computer users cannot even remember everything they created and viewed on their computer in the last week, much less last month or last year. Users feel secure that a deleted document or email will never resurface. Wrong. The fact that virtually all computer activity is date and time stamped and retained in a computer’s hard drive memory makes computers an invaluable resource for pinpointing details that are often lost or forgotten. Deleted information that still resides on the hard drive can neither be easily located and produced by a user who needs it nor wiped by a user trying to cover his tracks.

When is Forensic Searching Cost Effective?
Cost is always a factor when conducting computer investigations. All the potential “hardware suspects” must be identified, evaluated and prioritized. Consideration should be given to searching file servers, email servers, hard drives of local machines, and Blackberry or other PDA (personal digital assistant) devices, depending upon what is in issue. It can be very expensive (if even possible) to obtain data from third party service providers like AOL, Yahoo, Gmail and a host of others. Gaining access to and locating relevant data is far more likely in hard drives under the litigant’s control.

Determining what to search can be very difficult, especially if you don’t know the precise object of your searches. I have been involved in cases where the contract at issue was believed to be fraudulent. We identified the computers where the document could have been produced and searched using words believed to be unique to the document. We found multiple copies of the document on a single hard drive – not an unusual result.

Where the search is of a more nebulous nature, like finding activity documenting intellectual property theft, structuring and executing the search is much more difficult. These searches are often an iterative process, where the list of search terms grows as initial search results are reviewed. The best places to start are local hard drives of any individuals who might have created or received any relevant documents or email. Hard drives from these PCs must be preserved at the earliest possible time. It may also be very important to preserve other network devices like firewall machines, DHCP servers, file servers, etc., depending on the goals of the forensic examination.

I recall a matter where we fought hard to force the plaintiff to produce the hard drive from his laptop computer. While we were unable to get the plaintiff to produce the hard drive to us, we were able to have the drive examined and data recovered by a third party expert. This produced a report listing all recoverable files on the drive — several thousand pages of file names with associated file dates and times. Our analysis of the report led to the conclusion that the plaintiff lied in his deposition about when the laptop was last used and about his efforts to spoliate hard drive data. We presented our evidence to the Court, and shortly thereafter the plaintiff changed his demands and agreed to a settlement.

What Is the Cost of a Forensic Search?
There are three categories of search cost: preservation, examination and reporting. In the preservation step, computers are forensically imaged and the entire disk is digitally copied. In other words, the entire 100GB of a 100GB source drive is placed onto a destination drive, even if the source drive shows only partial use. It is very important that all potentially valuable drives are imaged (preserved) as soon as possible. The cost of preservation, i.e. the difficulty and time required to create a valid image, depends upon the number of drives, the size of each drive, the drive interface technology (e.g. SCSI interface, RAID, IDE) and the reliability of the data on the drive. A good rule of thumb is 2 to 4 hours per drive.
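The preservation step described above, as an added illustration rather than the author's own tooling: every byte of the source is copied to the image (unused space included), the source and the written image are hashed independently, and an acquisition record is written so the image can be re-verified later in the chain of custody. The "drive" is a constructed file standing in for a block device, and the read size, examiner name and record layout are assumptions.

```python
"""Bit-for-bit acquisition of a source device into an image file, with
independent hash verification and a written acquisition record.
Added example, not the article's code; the device is a constructed file."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size (assumption, not from the article)


def image_device(source_path, image_path, examiner):
    """Copy all of source_path to image_path (the full drive, used or not),
    hashing the source as it is read.  Returns the acquisition record."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    # Re-read the written image so the verification hash reflects what is
    # actually on the destination medium, not the bytes still in memory.
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(block)
    record = {
        "source": os.path.abspath(source_path),
        "image": os.path.abspath(image_path),
        "bytes": os.path.getsize(source_path),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_hash.hexdigest(),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(image_path + ".acquisition.json", "w") as log:
        json.dump(record, log, indent=2)
    return record


def verify_image(image_path):
    """Later custody check: rehash the image and compare with its record."""
    with open(image_path + ".acquisition.json") as log:
        record = json.load(log)
    h = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest() == record["sha256_image"]


def demo():
    """Constructed drive: a short ledger line followed by 256 KiB of zeros
    (the unused space is still copied).  Returns the record, the result of
    re-verifying the untouched image, and the result after one byte of the
    image is altered."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "disk0.raw")
    image = os.path.join(workdir, "disk0.dd")
    with open(source, "wb") as f:
        f.write(b"Ledger 2006 Q4 -- real figures\n" + b"\x00" * (256 * 1024))
    record = image_device(source, image, examiner="R. Examiner (constructed)")
    intact = verify_image(image)
    with open(image, "r+b") as f:  # simulate a post-acquisition change
        f.seek(100)
        f.write(b"\x01")
    return record, intact, verify_image(image)


if __name__ == "__main__":
    rec, intact, after_change = demo()
    print(rec["sha256_image"], intact, after_change)
```

A write blocker between the source drive and the imaging host is what keeps the source hash meaningful; the code above only shows the verification half of that discipline.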

Drive examination costs are even more difficult to anticipate because of the variety of applications and data formats that may be present. This requires the following steps:

  • Loading the preserved image into the appropriate search software;

  • Defining and loading the search terms;

  • Launching the search;

  • Reviewing the results, which may involve manual filtering of the search hits.
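The examination steps above, together with the iterative growth of the term list described earlier, as an added example that is not the author's tooling: a raw image (constructed here, with a live document, a deleted draft in unallocated space, and a UTF-16 copy of the kind Windows applications write) is searched for each term in both ASCII and UTF-16LE form, the reviewer's pass over the hits feeds new terms into the next round, and a filtering step drops hits whose context matches something already reviewed. The image bytes, the seed term and the expansion rule are assumptions.

```python
"""Keyword search over a raw disk image, including unallocated space, with
iterative term growth and reviewer filtering.  Added example, not the
article's code; IMAGE and the terms are constructed."""
import re

# Constructed image: allocated document, zeros, a deleted draft fragment,
# zeros, a UTF-16LE copy of one phrase, zeros.
IMAGE = (
    b"Contract v3 - FINAL. Counterparty: Northwind Traders. Fee: 12,000.\n"
    + b"\x00" * 512
    + b"<<deleted draft>> Contract v2 DRAFT. Counterparty: Northwind Traders. Fee: 45,000."
    + b"\x00" * 512
    + "Counterparty: Northwind Traders".encode("utf-16-le")
    + b"\x00" * 256
)


def encodings_of(term):
    """The byte forms a term may take on disk."""
    return {"utf-8": term.encode("utf-8"), "utf-16-le": term.encode("utf-16-le")}


def search_image(image, terms, context=48):
    """One hit per occurrence: term, encoding, byte offset and decoded context.
    Case-insensitive (ASCII folding), so 'draft' also matches 'DRAFT'."""
    hits = []
    for term in terms:
        for enc, needle in encodings_of(term).items():
            for m in re.finditer(re.escape(needle), image, re.IGNORECASE):
                start, end = m.start(), m.end()
                ctx = image[max(0, start - context): end + context]
                hits.append({
                    "term": term, "encoding": enc, "offset": start,
                    "context": ctx.decode(enc, errors="replace").replace("\x00", "."),
                })
    return sorted(hits, key=lambda h: h["offset"])


def expand_from_review(hits):
    """Stand-in for the reviewer's pass: any counterparty name seen in a hit's
    context becomes a new search term (constructed rule)."""
    names = set()
    for h in hits:
        for name in re.findall(r"Counterparty: ([A-Z][A-Za-z]+(?: [A-Z][A-Za-z]+)*)", h["context"]):
            names.add(name)
    return sorted(names)


def iterative_search(image, seed_terms, expand=expand_from_review, max_rounds=3):
    """Round 1 uses the seed terms; each later round adds the terms the review
    of the previous round produced, until no new term appears."""
    terms = list(seed_terms)
    seen, all_hits = set(), []
    for _ in range(max_rounds):
        new_hits = []
        for h in search_image(image, terms):
            key = (h["term"], h["encoding"], h["offset"])
            if key not in seen:
                seen.add(key)
                new_hits.append(h)
        all_hits.extend(new_hits)
        new_terms = [t for t in expand(new_hits) if t not in terms]
        if not new_terms:
            break
        terms.extend(new_terms)
    return terms, all_hits


def filter_hits(hits, exclude_substrings):
    """Manual-filtering step: drop hits whose context contains any excluded text."""
    return [h for h in hits if not any(s in h["context"] for s in exclude_substrings)]


def run_demo():
    return iterative_search(IMAGE, ["Contract"])


if __name__ == "__main__":
    terms, hits = run_demo()
    print("final terms:", terms)
    for h in filter_hits(hits, ["FINAL"]):  # focus on what the live document does not show
        print(h["offset"], h["encoding"], h["term"], repr(h["context"]))
```

The seed term alone never reaches the UTF-16 fragment; the name pulled from the first round's context does, which is the practical reason the term list has to grow as review proceeds.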

The final cost category is reporting. The purpose of the report must be considered. If, as is often the case, the report is to go to opposing counsel for privilege/privacy review, a report which enables the recipient to review and mark privilege/privacy items must be created. It must be done in a format consistent with the software available and must be simple to use. The amount of data selected for the report, the purpose of the report, and the format(s) of the data reported all contribute to the cost.

Hourly rates for services vary between $100 and $500 per hour, depending on the testifying experience, technical expertise, and geographic location of the forensic experts involved. It is imperative that the processes utilized do not compromise the value of the data under examination when dealing with electronic data. A documented chain of custody and use of proper, defensible tools and procedures are critical to establish and preserve the credibility of the information found.

Computer forensics experts are expensive, but trying to save a few dollars by using a computer technician as a substitute can be a mistake. A technician may find what you are looking for but, in the process, may contaminate the hard drive and render the evidence inadmissible or invalid. Be assured that the validity or authenticity of the “smoking gun” data discovered will be challenged.

What Is the Admissibility of the Discovered Data?
Electronic data and the associated metadata (generally defined as “data about data”) can make electronic evidence more valuable than hard copy evidence. Multiple versions of a single email or word processed document often can be located on a hard drive. The date and time stamp on the electronic file can validate the date and time the document was created. Attempts to manipulate the system data or time stamp can be found in system files. The date of hard copy documents is far more difficult to crosscheck. Further, electronic data may make it possible to establish the context of a single document.

Computer forensic information can be misinterpreted. In a recent case experts for opposing counsel interpreted the presence of a very large amount of zeros (or blank space) as evidence of data spoliation. While it was unusual to see such a large amount of unused disk space, a careful examination of the data on the drive and a few questions to the user of the computer established a provable and entirely innocent explanation for all the blank space.

Often the subject of the dispute is the date when an agreement was made, when correspondence was sent, or when funds were paid or received. If electronic records are maintained the computer’s method of logging, organizing and sequencing information can provide an option for independent validation. Email or other computer records when printed can be manipulated to support the position of one party. But the electronic version of the very same record contains information not available in the printed form, information that may enable validation of the record or document.
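The validation points in the two paragraphs above (timestamp cross-checks, and the way a system's own sequencing of records can contradict a claimed date), as an added example that is not the author's method: file records are checked against the acquisition time and against each other, and mail-store entries are checked for a sent date that runs backwards along the store's sequence numbers. The record layouts, the sample data and the rules are constructed assumptions; each finding is a lead to corroborate, not a conclusion, since copying a file or importing old mail can produce the same pattern innocently.

```python
"""Cross-checks over electronic record dates before relying on them.
Added example, not the article's code; records and rules are constructed."""
from datetime import datetime

ACQUIRED = datetime(2007, 9, 14, 10, 0)  # constructed acquisition time (UTC)

# Constructed file-system records: creation and last-modified stamps.
FILES = [
    {"name": "ledger_2006.xls", "created": datetime(2006, 12, 31, 17, 5), "modified": datetime(2007, 1, 3, 9, 12)},
    {"name": "contract_v2.doc", "created": datetime(2007, 9, 12, 11, 0), "modified": datetime(2005, 4, 2, 14, 30)},
    {"name": "memo.doc", "created": datetime(2007, 9, 20, 9, 0), "modified": datetime(2007, 9, 20, 9, 0)},
]

# Constructed mail-store records: the store numbers items as they arrive, so
# sent dates should not run backwards along the sequence.
MAIL = [
    {"seq": 101, "subject": "Re: Q4 figures", "sent": datetime(2007, 1, 4, 8, 15)},
    {"seq": 102, "subject": "Invoice 2291", "sent": datetime(2007, 1, 4, 13, 40)},
    {"seq": 103, "subject": "Agreement", "sent": datetime(2006, 6, 1, 9, 0)},
    {"seq": 104, "subject": "Re: Agreement", "sent": datetime(2007, 1, 5, 10, 2)},
]


def check_file(rec, acquired=ACQUIRED):
    """Timestamp sanity for one file record; returns a list of findings."""
    findings = []
    for field in ("created", "modified"):
        if rec[field] > acquired:
            findings.append(f"{field} later than acquisition: clock wrong or stamp set by hand")
    if rec["created"] > rec["modified"]:
        findings.append("created after modified: copied, restored or backdated; corroborate")
    return findings


def check_mail_sequence(items):
    """Flag items whose sent date precedes that of an item stored earlier."""
    findings = []
    latest = None  # item with the latest sent date seen so far along the sequence
    for item in sorted(items, key=lambda m: m["seq"]):
        if latest is not None and item["sent"] < latest["sent"]:
            findings.append((item["seq"],
                             f"sent {item['sent']:%Y-%m-%d} but stored after seq "
                             f"{latest['seq']} dated {latest['sent']:%Y-%m-%d}"))
        else:
            latest = item
    return findings


def audit(files=FILES, mail=MAIL):
    return {f["name"]: check_file(f) for f in files}, check_mail_sequence(mail)


if __name__ == "__main__":
    file_findings, mail_findings = audit()
    for name, found in file_findings.items():
        print(name, found or "ok")
    for seq, note in mail_findings:
        print("mail seq", seq, note)
```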

What Is the Likelihood of Success?
One can’t establish a likelihood for the success of electronic discovery – it is as variable as the likelihood of success in non-electronic discovery situations. But estimates are that as many as 90% of documents created on a computer are never printed. Not looking for electronic evidence may mean you are looking at only 10% of the documents created. Information on a computer hard drive may establish when an employee was at work, what he or she was working on on a particular day, whether they were using company time for non-work related activities and an array of other information not available elsewhere.

When Should One Contact the Forensic Expert?
The first rule of evidence is to preserve. Since electronic data is very volatile, the best time to preserve is immediately. You may not get everyone to agree on what is relevant and how to screen out privileged or private data, but that should not stop a preservation effort. Hard drive data can be preserved and handed over to a neutral to hold until a procedure for extracting relevant data can be established. The courts recognize the criticality of preserving electronic data at the earliest point possible. Preservation must be done properly, documented and a chain of custody established. If this is not done by an experienced professional, expect your findings to be flawed and/or challenged. An experienced professional can also be helpful in providing guidance on what to examine, providing questions for technical personnel, and helping to establish a discovery plan and priorities.

To Summarize…
In summary, computer forensic investigations are combinations of art and science. The art involves how to get to the core documents, to the smoking gun. Individual disk drives are very large reservoirs of information. The investigator’s job is to assist counsel in establishing priorities for searching drives, directories and document types. This is where the experience of the examiner and the art of forensic examinations come in.

The science aspect encompasses the tools used to capture, sort and select the data for review by counsel. An expert brings a wealth of knowledge about how computers operate and where programs and operating systems store data or encode information about where and when information was placed on a computer’s hard drive. Those experts who excel at combining the art and science of forensic searching are most helpful in supporting and assisting counsel in making those arguments that win cases.

*Ronald E. Kaplan, a nationally-published management consultant and computer forensic expert with SICons in Los Angeles, holds an MS in computer science and an MBA in business administration from UCLA. He has been involved in computer forensics for more than 10 years, has testified and performed expert examinations for a wide range of industries and many law firms. He is frequently quoted in publications such as Forbes and PC Week. His testimony was cited by name by California Appellate Judge J. Epstein in a 1999 precedent setting case related to terminating sanctions for computer data spoliation, R.S. Creative, Inc., vs. Creative Cotton, Ltd., 75 Cal. App. 4th 486 (1999). Mr. Kaplan can be reached at (310) 551-0400 ext. 527 or at rkaplan@sicons.com.