Data Forensics – The smoking gun may be a click away

First published September 2004


Lewis is the founding partner of PG Lewis & Associates of Whitehouse Station, a data forensics firm.

Enquiries to Rob Kleeger,

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

This article is reprinted with permission from the SEPTEMBER 13, 2004 issue of the New Jersey Law Journal. ©2004 ALM Properties, Inc. Further duplication without permission is prohibited. All rights reserved.

The term “data forensics” suggests a high-tech process reserved only for cases centered around proprietary technology. However, data speaks volumes and data forensics can really make it talk. Recent news coverage of the Martha Stewart trial, the resignation of Connecticut Governor John Rowland, and ongoing investigations at Enron and WorldCom have demonstrated the importance of data forensics which is now routinely being used in cases of all types. Whether it is discrimination, breach of contract, theft of intellectual property, or sexual harassment, data forensics will likely play a role. Computer data is now ubiquitous, and data forensics has quickly become a legal necessity.

Searching through digital evidence could recover a hidden document or deleted e-mail message, which may accelerate a favorable settlement or even win the case. Consider the case example of a female executive that sued her former employer for sexual harassment. In her complaint, the plaintiff contended that the CEO of the company had harassed her for a period of eighteen months. She stated that she did not come forward sooner for fear of being labeled an outcast in her community, when she was, in fact, a self-proclaimed loyal wife, mother, and churchgoer. She included a chronology of numerous instances of alleged infringements, so many that she advised that it was actually broken into two documents.

The first included entries for the initial ten-month period, the second for the following eight months. Why two documents? She claimed that the first file became so large that she was afraid of losing the information, thus filed it away and created a second. When the company cross-referenced the two documents to the CEO’s calendar, they were startled to find that in every single instance, the scheduling of the CEO and female executive coincided, even though the CEO adamantly denied any wrongdoing when he was in her presence. With such substantial evidence against the CEO, the company decided to initiate settlement talks. Both parties discussed a settlement of $1.5M, but before it was agreed to, the company took the unconventional step of hiring a data forensics firm.

Upon initial analysis of the two chronology documents, it was discovered that both were created on the exact same day, precisely one hour and ten minutes apart from one another, and just thirteen days prior to the former executive being terminated. It was further determined, with 100 percent accuracy, that the CEO’s calendar was opened on another window while the two documents were being created — suggesting that the author was able to view the CEO’s calendar at the same time each entry was made. To make matters worse for the plaintiff, AOL e-mail records left behind on her computer strongly implicated her in a relationship with a coworker from another state. Internet records “hidden” on her hard drive uncovered frequent airfare purchases to the other state, all being billed to the company.

The company then asked that the computer of the suspected lover and current employee also be analyzed, and it was confirmed that the two were romantically involved. Digital photographs were found in a hidden folder, which showed the plaintiff and her lover on various trips. It was also revealed, based on file creation dates, that when the company sent the plaintiff to a weeklong seminar in Florida, she opted instead to go on a cruise with her significant other. In an e-mail message found on her partner’s computer, the plaintiff stated that she knew she was about to be terminated for lack of performance — blamed for the most part on their ongoing affair. She vowed to seek revenge against the CEO if, in fact, he fired her. She later referred to her proposed settlement of the sexual harassment claim as being the same as winning the lottery. In the end, she quickly dropped all charges once the data forensic evidence was disclosed.

When determining whether or not a computer hard drive should be pre- served and analyzed, there are several factors that must be considered. First, there must be the likelihood that the hard drive does, indeed, contain information of value. If an event allegedly occurred in 2002 and a new computer is purchased in 2004, it is highly unlikely that any information of value will be contained on the new computer unless, of course, older data was copied to it. Conversely, if a suspect was known to be in constant contact with another individual, there may be the potential that evidence exists on both parties’ hard drives. In the end, cost is the determinant factor since most data forensics firms bill by the hour. The number of drives to be preserved and analyzed usually translates directly into a linear increase in the overall cost.

In the typical case, a hard copy document is analyzed, and the lawyer can only engage in direct or cross examination on the basis of information printed on the page. It is difficult to determine the document’s authenticity, original author, or edits made while still a workin- progress. However, documents created in Microsoft Word or other leading word processing systems are likely to contain a plethora of information that is not displayed on the screen and not printed to the printer. A forensic examiner is able to discover a wealth of additional information with regard to the document in what is called “metadata.” Metadata is a description or definition of electronic data, or data about data. Often, metadata can only be accessed in certain viewing modes. Metadata can include descriptive ‘tags’ and information about when a document was created, and what changes have been made on that document.

For example, it is possible (and probable) that your adversary may be able to read your edits if a data forensics expert is employed. For example, assume a settlement offer is drafted for $100,000. After further discussion, the document is edited to reflect an offer of only $75,000. The document is then forwarded to the other party via e-mail for consideration. If the other party hires a forensic examiner, they are likely able to see that the original offer was for $100,000, but was changed before being set to $75,000. This may prove to be important and valuable knowledge when a counter offer is then returned. We are not suggesting that negotiations not take place electronically or that every legal transaction needs forensic analysis, but you can begin to understand the ramifications of our digital age.

Internet logs also may provide valuable evidence. The rule of thumb is that if information was displayed at some time on a computer screen, it can generally be recovered from that computer. If, for example, a user checks her account balance online, it is likely that information can be retrieved at a later date. This general rule can be applied to data of all types.

The failure to analyze digital data is at best inexcusable, and at worst, ineffective assistance of counsel and malpractice. With the vast majority of documents being created on a computer system, and with so many written communications taking place electronically, attorneys now have both the luxury of easily and quickly validating a controversy and the responsibility of doing so.

Data forensics was all but unknown just a few short years ago, but today is considered a standard and routine practice in legal matters of all types. With so much evidence “hidden” away on computers, data forensics is a stone that cannot be left unturned.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles