What audit/system data shows selective file/email deletion?

8 Posts
6 Users
0 Reactions
458 Views
(@helena)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

Hey everyone,

I’d be really grateful if someone could give me a bit of advice. After being treated very unfairly, I’m taking a former employer to court and need them to disclose documents. However, they are denying the existence of certain documents that I know existed (mainly emails) that incriminate them. Because it’s a local tribunal and not the high court, they don’t really have the power/will to seize IT equipment to enforce compliance with disclosure orders.

Key emails will have been stored in the following places:
- The company email server (MS Outlook inbox, sent items and archived files)
- .pst files on local machines, including company directors' laptops and my former laptop, which I instructed them to preserve as evidence (via email) immediately after leaving the company.

Will there be any system audit data that I can request disclosure of that will show if and when any emails have been selectively deleted?

Does Windows have a system log file that records things like file deletion etc.?

Will it tell me if they have used any of these ‘permanent data erasing’ programs to remove anything incriminating without traces being left to be detected? Or can they even hide that they have done this?

Is there anything that I can ask for disclosure of that will show evidence of tampering?

Btw, all relevant machines run Windows Vista. I’m pretty sure the emails are on a Microsoft exchange server.

I’m guessing they’ll have to disclose something. If they say “there are no audit trails on any of our systems”, will that be an obvious lie?

They also have ISO 27007 compliance – will this require them to keep any audit data?

Thanks for taking the time to read this.


   
Quote
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

> Does Windows have a system log file that records things like file deletion etc.?

I'm afraid yes. A CF specialist can prepare a timeline analysis with something called "MAC times", from which he (or she) will see when a file was modified, accessed and created.


   
ReplyQuote
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

The short answer is that there is no one log to look at to determine tampering with evidence, whether it is deleting of files or e-mails.

In the US, with respect to the preservation of electronic evidence, the general rule is when a party is involved in litigation or has a reasonable expectation to be involved in litigation they are obligated to preserve that which may lead to discoverable evidence. That would include computers. If the same rule applies in your jurisdiction, I would start with what was done to preserve the computers and when that occurred.

With respect to data destruction utilities, there are techniques to find such applications, but realize that sometimes those applications will work to cover up their own activity.

Does ISO 27007 require backup of data? If so, what backups of e-mails or files do they have available for inspection?


   
ReplyQuote
(@joachimm)
Estimable Member
Joined: 17 years ago
Posts: 181
 

> I’d be really grateful if someone could give me a bit of advice. After being treated very unfairly, I’m taking a former employer to court and need them to disclose documents. However, they are denying the existence of certain documents that I know existed (mainly emails) that incriminate them. Because it’s a local tribunal and not the high court, they don’t really have the power/will to seize IT equipment to enforce compliance with disclosure orders.

My advice is to get legal advice about this from an experienced lawyer. Enforcing compliance, seizing equipment and an independent expert assigned by the court are sometimes possible.

> Key emails will have been stored in the following places:
> - The company email server (MS Outlook inbox, sent items and archived files)
> - .pst files on local machines, including company directors' laptops and my former laptop, which I instructed them to preserve as evidence (via email) immediately after leaving the company.
>
> Will there be any system audit data that I can request disclosure of that will show if and when any emails have been selectively deleted?
>
> Does Windows have a system log file that records things like file deletion etc.?

There is no 100% guarantee, but often it is possible to determine if data has been deleted or tampered with. Often there is no single record that says it all. From experience I can say that a lot can be deduced from Exchange/Outlook.

Some technical documents on the subject can be found in the articles/papers part of this site.
"E-mail and appointment falsification analysis"
"Personal Folder File (PFF) forensics - Analyzing the horrible reference file format"
"Email Evidence – Now You See it, Now You Don't!"

> Will it tell me if they have used any of these ‘permanent data erasing’ programs to remove anything incriminating without traces being left to be detected? Or can they even hide that they have done this?

There is no 100% guarantee, but often these programs leave traces.

> Is there anything that I can ask for disclosure of that will show evidence of tampering?

This highly depends on the legal scope of your case; again, check with a lawyer on this.

> Btw, all relevant machines run Windows Vista. I’m pretty sure the emails are on a Microsoft Exchange server.

In case of deletion and tampering, the local machines and back-ups could also be relevant.

> I’m guessing they’ll have to disclose something. If they say “there are no audit trails on any of our systems”, will that be an obvious lie?
>
> They also have ISO 27007 compliance – will this require them to keep any audit data?

Most of the time there is no specialized audit registration of user activity on their mailboxes. However, there often is data that a CF expert can use to reconstruct activity.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

> Will there be any system audit data that I can request disclosure of that will show if and when any emails have been selectively deleted?

Possibly, yes. As examples (too many real world scenarios to discuss here), Outlook PST files do not garbage collect until they are compacted. So there is "slack" space in which the deleted messages may still exist. Also, if the e-mails had attachments and the attachments were read by the recipient, there may be records in TEMP space that show attachments with no messages. Get yourself someone who knows forensics well, and get a good preservation order ASAP.

> Does Windows have a system log file that records things like file deletion etc.?

One of the most frequently asked questions. Bottom line: Windows itself does not log much in the way of file activity other than what is in the file metadata, the MFT and the log files. Deletions are not logged but can be inferred from the contents of unallocated space, Prefetch files, etc.

> Will it tell me if they have used any of these ‘permanent data erasing’ programs to remove anything incriminating without traces being left to be detected? Or can they even hide that they have done this?

Again, it is possible. Most wiping programs aren't interested in removing traces of their activity, only in removing the data. There may be signs that a wiping program has been run in the Windows registry or Prefetch folder.

Is it possible to wipe unallocated space without any affirmative evidence? Yes, but difficult. But it is relatively easy to wipe files such that their contents cannot be recovered.

> Is there anything that I can ask for disclosure of that will show evidence of tampering?

I don't know the specific laws or rules of evidence in the UK. In the US, a good forensic examination of the physical media can often establish a circumstantial case of wiping.

> I’m guessing they’ll have to disclose something. If they say “there are no audit trails on any of our systems”, will that be an obvious lie?

The language can always be a tricky thing. There may be a specific meaning to the term "audit trails" which would allow wiggle room. I always try to make the discovery motion/subpoena as generic as possible and avoid technical terms which could be too specific.

Your best bet would be to say 1) you want imaging for preservation purposes, ASAP, and that should be physical imaging wherever possible. This will preserve the raw data while you work out the language. Then 2) talk with someone who has done a lot of these and tell them everything that you suspect. There is no substitute for experience here, especially if you get "one bite of the apple". Knowledge of what you are hoping to find, in the hands of a good investigator, will help to establish the path to find it.

> They also have ISO 27007 compliance – will this require them to keep any audit data?

ISO27007 applies specifically to the security of a system and the means to audit that security. Depending upon what type of work they are in, what you are looking for may fall within ISO27007 guidelines but may very well not. Much more important will be their backup and document retention policies, which you should examine.


   
ReplyQuote
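The two technical points raised above, the "MAC times" timeline Anonymous mentions and the Prefetch traces of erasing utilities seanmcl describes, can be sketched in a few lines of code. The following is an added example, not code from any poster or from this site. Everything in it is constructed for illustration: the file records with their four NTFS timestamps, the Prefetch file names and their modification times, the preservation date and the watchlist of erasing utilities (names assumed; build your own from casework). The letters M/A/C/B follow the usual timeline convention: modified, accessed, MFT entry changed, born (created).

```python
"""Timeline and erasing-tool checks over constructed forensic records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

UTC = timezone.utc


@dataclass(frozen=True)
class FileRecord:
    """NTFS timestamps for one file, as an examiner would read them from the MFT."""
    path: str
    modified: datetime      # M: content last written
    accessed: datetime      # A: last read
    mft_changed: datetime   # C: MFT entry (metadata) last changed
    created: datetime       # B: "born" / creation time


# Prefetch files are named EXENAME-XXXXXXXX.pf (eight hex digits of a path hash).
PREFETCH_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Assumed watchlist of secure-erase utilities; extend it from your own casework.
ERASER_WATCHLIST = {"SDELETE.EXE", "ERASER.EXE"}


def parse_prefetch_name(name: str):
    """Return the upper-cased executable name from a Prefetch file name, or None."""
    m = PREFETCH_RE.match(name)
    return m.group("exe").upper() if m else None


def find_erasers(prefetch_entries, preservation_date):
    """prefetch_entries: [(file name, file mtime)]. The mtime of a .pf file is a
    reasonable proxy for the last run. Returns (exe, last_run, ran_after_preservation)."""
    hits = []
    for name, last_run in prefetch_entries:
        exe = parse_prefetch_name(name)
        if exe in ERASER_WATCHLIST:
            hits.append((exe, last_run, last_run > preservation_date))
    return hits


def build_timeline(records):
    """Flatten every timestamp into (time, MACB letter, path), oldest first."""
    events = []
    for r in records:
        events.extend([(r.modified, "M", r.path), (r.accessed, "A", r.path),
                       (r.mft_changed, "C", r.path), (r.created, "B", r.path)])
    return sorted(events)


def flag_anomalies(records, preservation_date):
    """Two heuristics an examiner applies to MAC times:
    - modified earlier than created: the file was copied/moved in, or its times were set by hand;
    - any write or metadata change after the preservation instruction was sent."""
    flags = []
    for r in records:
        if r.modified < r.created:
            flags.append((r.path, "modified-before-created"))
        if max(r.modified, r.mft_changed) > preservation_date:
            flags.append((r.path, "changed-after-preservation"))
    return flags


# ---- constructed sample data (not from any real case) ----
PRESERVATION = datetime(2009, 3, 2, 9, 0, tzinfo=UTC)   # date of the preservation e-mail
SAMPLE_FILES = [
    FileRecord(r"C:\Users\director\Documents\Outlook\archive.pst",
               modified=datetime(2009, 2, 20, 17, 5, tzinfo=UTC),
               accessed=datetime(2009, 3, 4, 8, 12, tzinfo=UTC),
               mft_changed=datetime(2009, 3, 4, 8, 12, tzinfo=UTC),   # touched after preservation
               created=datetime(2008, 11, 3, 9, 0, tzinfo=UTC)),
    FileRecord(r"C:\Users\director\Documents\report.docx",
               modified=datetime(2008, 6, 1, 12, 0, tzinfo=UTC),
               accessed=datetime(2009, 3, 4, 8, 15, tzinfo=UTC),
               mft_changed=datetime(2009, 3, 4, 8, 15, tzinfo=UTC),
               created=datetime(2009, 3, 4, 8, 15, tzinfo=UTC)),      # created after modified: copied in
    FileRecord(r"C:\Users\director\Documents\budget.xlsx",
               modified=datetime(2009, 1, 10, 10, 0, tzinfo=UTC),
               accessed=datetime(2009, 1, 10, 10, 0, tzinfo=UTC),
               mft_changed=datetime(2009, 1, 10, 10, 0, tzinfo=UTC),
               created=datetime(2009, 1, 9, 10, 0, tzinfo=UTC)),      # nothing unusual
]
SAMPLE_PREFETCH = [
    ("OUTLOOK.EXE-1B2C3D4E.pf", datetime(2009, 3, 4, 8, 10, tzinfo=UTC)),
    ("SDELETE.EXE-9A8B7C6D.pf", datetime(2009, 3, 4, 8, 14, tzinfo=UTC)),   # eraser run after preservation
    ("NOTEPAD.EXE-00000001.pf", datetime(2009, 2, 1, 9, 0, tzinfo=UTC)),
]


def report(records=SAMPLE_FILES, prefetch=SAMPLE_PREFETCH, preservation=PRESERVATION):
    """Bundle the three views an examiner would put in front of a lawyer."""
    return {"timeline": build_timeline(records),
            "anomalies": flag_anomalies(records, preservation),
            "erasers": find_erasers(prefetch, preservation)}


if __name__ == "__main__":
    out = report()
    for ts, kind, path in out["timeline"]:
        print(ts.isoformat(), kind, path)
    print("anomalies:", out["anomalies"])
    print("erasers:", out["erasers"])
```

On real media the records would come from an MFT parser and the Prefetch names from a directory listing of `C:\Windows\Prefetch`; the value of the exercise is the cross-reference, a PST whose metadata changed and an eraser executed minutes apart, both after the preservation request, which is the kind of circumstantial picture seanmcl refers to.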
(@helena)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

Wow, thanks for everyone's input. This is really useful!

My legal advice is that, in my kind of case, the chances of getting a seizure order are very slim. I also couldn't afford the costs of a professional CF analysis.

However, I might be more likely to be granted disclosure of images. If there had been tampering, that might at least put enough fear into them to adopt a more reasonable stance.

Thanks again for everyone's help!


   
ReplyQuote
(@sumit)
Eminent Member
Joined: 15 years ago
Posts: 25
 

Helena,

Most companies do regular backups of the mailbox; even though you had left the company, they may have done a tape restoration, and they do the same for PSTs, because they may be checked by compliance people in order to make sure your emails were not leaking out the company's information.

But the major problem is that tape restoration is a lengthy and costly process, and no company will spend money on it unless the company is at risk.


   
ReplyQuote
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

> But the major problem is that tape restoration is a lengthy and costly process, and no company will spend money on it unless the company is at risk.

Tape restoration does not have to be costly at all. There are tools out there that can read data directly from tapes without restoring. Not only do we process tapes quickly and efficiently but sometimes we request it in lieu of downing a server to image it.


   
ReplyQuote
Share: