Data Forensics – The smoking gun may be a click away

First published September 2004

By PAUL G. LEWIS

Lewis is the founding partner of PG Lewis & Associates of Whitehouse Station, a data forensics firm.

http://www.pglewis.com

Enquiries to Rob Kleeger, [email protected]



This article is reprinted with permission from the SEPTEMBER 13, 2004 issue of the New Jersey Law Journal. ©2004 ALM Properties, Inc. Further duplication without permission is prohibited. All rights reserved.

The term “data forensics” suggests a high-tech process reserved only for cases centered around proprietary technology. However, data speaks volumes, and data forensics can really make it talk. Recent news coverage of the Martha Stewart trial, the resignation of Connecticut Governor John Rowland, and ongoing investigations at Enron and WorldCom has demonstrated the importance of data forensics, which is now routinely used in cases of all types. Whether the matter is discrimination, breach of contract, theft of intellectual property, or sexual harassment, data forensics will likely play a role. Computer data is now ubiquitous, and data forensics has quickly become a legal necessity.

Searching through digital evidence could recover a hidden document or deleted e-mail message, which may accelerate a favorable settlement or even win the case. Consider the case example of a female executive who sued her former employer for sexual harassment. In her complaint, the plaintiff contended that the CEO of the company had harassed her for a period of eighteen months. She stated that she did not come forward sooner for fear of being labeled an outcast in her community, when she was, in fact, a self-proclaimed loyal wife, mother, and churchgoer. She included a chronology of numerous instances of alleged infringements, so many that, she advised, it had to be broken into two documents.

The first included entries for the initial ten-month period, the second for the following eight months. Why two documents? She claimed that the first file became so large that she was afraid of losing the information, so she filed it away and created a second. When the company cross-referenced the two documents against the CEO’s calendar, they were startled to find that in every single instance the schedules of the CEO and the female executive coincided, even though the CEO adamantly denied any wrongdoing on the occasions he was in her presence. With such substantial evidence against the CEO, the company decided to initiate settlement talks. Both parties discussed a settlement of $1.5M, but before it was agreed to, the company took the unconventional step of hiring a data forensics firm.

Upon initial analysis of the two chronology documents, it was discovered that both were created on the exact same day, precisely one hour and ten minutes apart from one another, and just thirteen days prior to the former executive being terminated. It was further determined, with 100 percent accuracy, that the CEO’s calendar was opened on another window while the two documents were being created — suggesting that the author was able to view the CEO’s calendar at the same time each entry was made. To make matters worse for the plaintiff, AOL e-mail records left behind on her computer strongly implicated her in a relationship with a coworker from another state. Internet records “hidden” on her hard drive uncovered frequent airfare purchases to the other state, all being billed to the company.

The company then asked that the computer of the suspected lover and current employee also be analyzed, and it was confirmed that the two were romantically involved. Digital photographs were found in a hidden folder, which showed the plaintiff and her lover on various trips. It was also revealed, based on file creation dates, that when the company sent the plaintiff to a weeklong seminar in Florida, she opted instead to go on a cruise with her significant other. In an e-mail message found on her partner’s computer, the plaintiff stated that she knew she was about to be terminated for lack of performance — blamed for the most part on their ongoing affair. She vowed to seek revenge against the CEO if, in fact, he fired her. She later referred to her proposed settlement of the sexual harassment claim as being the same as winning the lottery. In the end, she quickly dropped all charges once the data forensic evidence was disclosed.

When determining whether or not a computer hard drive should be preserved and analyzed, there are several factors that must be considered. First, there must be a likelihood that the hard drive does, indeed, contain information of value. If an event allegedly occurred in 2002 and a new computer was purchased in 2004, it is highly unlikely that any information of value will be contained on the new computer unless, of course, older data was copied to it. Conversely, if a suspect was known to be in constant contact with another individual, there is the potential that evidence exists on both parties’ hard drives. In the end, cost is the determining factor, since most data forensics firms bill by the hour. The number of drives to be preserved and analyzed usually translates directly into a linear increase in the overall cost.

In the typical case, a hard copy document is analyzed, and the lawyer can only engage in direct or cross examination on the basis of the information printed on the page. It is difficult to determine the document’s authenticity, its original author, or the edits made while it was still a work in progress. However, documents created in Microsoft Word or other leading word processing systems are likely to contain a plethora of information that is not displayed on the screen and not printed to the printer. A forensic examiner is able to discover a wealth of additional information about the document in what is called “metadata.” Metadata is a description or definition of electronic data, or data about data. Often, metadata can only be accessed in certain viewing modes. Metadata can include descriptive ‘tags’ and information about when a document was created and what changes have been made to it.

It is therefore possible (and probable) that your adversary will be able to read your edits if a data forensics expert is employed. For example, assume a settlement offer is drafted for $100,000. After further discussion, the document is edited to reflect an offer of only $75,000. The document is then forwarded to the other party via e-mail for consideration. If the other party hires a forensic examiner, they are likely able to see that the original offer was for $100,000 but was changed to $75,000 before being sent. This may prove to be important and valuable knowledge when a counter offer is then returned. We are not suggesting that negotiations not take place electronically or that every legal transaction needs forensic analysis, but you can begin to understand the ramifications of our digital age.
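The two kinds of hidden information the article relies on, the creation timestamps that exposed the chronology documents and the edit history that would expose the $100,000 offer, both live in a word processor's metadata. The following is an added example, not code from the article or from PG Lewis & Associates: it constructs three small OOXML (.docx) packages in memory with made-up timestamps mirroring the article's scenarios, then reads the core-properties part (creator, revision count, created/modified times) and the tracked-change markup (w:del / w:ins) from the document body. All names, dates and dollar figures in the samples are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used inside an OOXML (.docx) package: core properties and the WordprocessingML body.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{" + NS["w"] + "}"  # Clark-notation prefix for WordprocessingML tags


def build_docx(created, modified, creator, revision, body_xml):
    """Build a minimal .docx in memory. Constructed sample data, not a real evidence file."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>{creator}</dc:creator>
 <cp:revision>{revision}</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""
    document = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{NS['w']}"><w:body>{body_xml}</w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def build_samples():
    """Constructed documents mirroring the article: an edited offer and two chronology files."""
    offer_body = (
        '<w:p><w:r><w:t xml:space="preserve">Settlement offer: </w:t></w:r>'
        '<w:del w:id="1" w:author="counsel" w:date="2004-08-20T15:10:00Z">'
        "<w:r><w:delText>$100,000</w:delText></w:r></w:del>"
        '<w:ins w:id="2" w:author="counsel" w:date="2004-08-20T15:10:00Z">'
        "<w:r><w:t>$75,000</w:t></w:r></w:ins></w:p>"
    )
    chron_body = "<w:p><w:r><w:t>Chronology of incidents</w:t></w:r></w:p>"
    return {
        "offer": build_docx("2004-08-20T14:05:00Z", "2004-08-20T15:10:00Z", "counsel", 2, offer_body),
        "chronology_1": build_docx("2004-06-01T09:00:00Z", "2004-06-01T09:40:00Z", "plaintiff", 1, chron_body),
        "chronology_2": build_docx("2004-06-01T10:10:00Z", "2004-06-01T10:55:00Z", "plaintiff", 1, chron_body),
    }


def parse_w3cdtf(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form that core.xml timestamps normally use."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_metadata(docx_bytes):
    """Read core properties and tracked changes from a .docx package held in memory."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
    meta = {
        "creator": core.findtext("dc:creator", namespaces=NS),
        "revision": int(core.findtext("cp:revision", default="0", namespaces=NS)),
        "created": parse_w3cdtf(core.findtext("dcterms:created", namespaces=NS)),
        "modified": parse_w3cdtf(core.findtext("dcterms:modified", namespaces=NS)),
    }
    # Tracked changes: deleted runs keep their text in w:delText under w:del; inserted runs sit under w:ins.
    meta["deleted_text"] = [
        "".join(t.text or "" for t in d.iter(W + "delText")) for d in doc.iter(W + "del")
    ]
    meta["inserted_text"] = [
        "".join(t.text or "" for t in i.iter(W + "t")) for i in doc.iter(W + "ins")
    ]
    # What the recipient sees on screen or paper: only w:t runs, never w:delText.
    meta["visible_text"] = "".join(t.text or "" for t in doc.iter(W + "t"))
    return meta


def creation_gap(meta_a, meta_b):
    """Interval between two documents' creation timestamps (the article's 'one hour and ten minutes')."""
    return abs(meta_b["created"] - meta_a["created"])


if __name__ == "__main__":
    samples = build_samples()
    offer = extract_metadata(samples["offer"])
    print("visible:", offer["visible_text"], "| deleted:", offer["deleted_text"], "| revision:", offer["revision"])
    c1, c2 = extract_metadata(samples["chronology_1"]), extract_metadata(samples["chronology_2"])
    print("chronologies created", creation_gap(c1, c2), "apart on", c1["created"].date())
```

The same docProps/core.xml fields and w:del / w:ins elements exist in any real .docx saved with Track Changes on, so `extract_metadata` can be pointed at a file read from disk unchanged; the older binary .doc format of the article's era stores comparable author and timestamp properties in the OLE SummaryInformation stream rather than in XML, so it needs a different reader. The timestamps here are trusted only as far as the machine clock that wrote them, which is why a practitioner corroborates them against file-system times and other sources before drawing the article's kind of conclusion.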

Internet logs also may provide valuable evidence. The rule of thumb is that if information was displayed at some time on a computer screen, it can generally be recovered from that computer. If, for example, a user checks her account balance online, it is likely that information can be retrieved at a later date. This general rule can be applied to data of all types.

The failure to analyze digital data is at best inexcusable, and at worst, ineffective assistance of counsel and malpractice. With the vast majority of documents being created on a computer system, and with so many written communications taking place electronically, attorneys now have both the luxury of easily and quickly validating a controversy and the responsibility of doing so.

Data forensics was all but unknown just a few short years ago, but today is considered a standard and routine practice in legal matters of all types. With so much evidence “hidden” away on computers, data forensics is a stone that cannot be left unturned.
