Common Mistakes Made During A Computer Forensic Analysis

The statistics are familiar: 85% of all corporate data is stored electronically, 93% of new data is stored electronically, and approximately 75% of this information is never printed. Consequently, in almost every legal matter, critical and relevant evidence will be stored electronically. Proper collection and examination of this evidence is essential to avoid spoliation, to preserve the evidence, and to manage cost. Computer forensics is the methodology that ensures electronic evidence is properly acquired and handled so that it retains its evidentiary status.

Mistake #1 - Using the internal IT staff to conduct a computer forensics investigation

Attorneys suspect that data on a computer will be important to the case and have been given access to it. They ask an IT technician to print, download, and/or save the data to portable media. The technician goes to the site, turns on the computer, opens the files, prints them, and saves the data to a CD. At this point everything appears fine: the data has been collected and costs have been kept to a minimum.

Appearances can be deceptive. The situation is certainly not fine, and in many ways it is quite bad. First, all you have is information and data; there is no evidence. Unless your IT staff is specifically trained in evidentiary procedures (and very few are), they have not maintained chain of custody or followed other accepted evidence-handling techniques. Second, even if proper handling techniques were used, the collection process itself has altered, and likely tainted, the data collected. Opening, printing, and saving files changes their metadata (timestamps and other file-system attributes) irrevocably, and there is no record of what those values were before the technician touched them. Third, turning on the computer writes to caches and temporary files and can overwrite unallocated and file slack space, which, together with the altered metadata, may have seriously damaged or destroyed any evidence that was on the computer.

Depending on the damage done, a skilled computer forensics vendor may be able to salvage the evidence. This, however, can be an arduous and time-consuming process that often costs several times more than the original analysis would have. Moreover, it is not always possible to restore evidence, especially metadata timelines, from computers that have been mishandled. This creates a risk of professional malpractice for a law firm that elected to use internal IT resources rather than trained computer forensics experts. A good rule of thumb, therefore, is to always use a qualified external vendor for computer evidence collection. (See GDF's additional notes in the Q&A section.)
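To make concrete what "the metadata has been irrevocably changed" means, here is an added example (it is not code from the original page or from GDF) contrasting the technician's "copy the file" collection with a collection that records the file's hash and timestamps before it is touched. The sample file, its 2004 modification date and the collector name are constructed for the demonstration; the behaviour generalises to any copy made with a tool that does not preserve metadata.

```python
"""Added example, not from the original page: how an ad hoc copy alters
file metadata, versus recording hash and timestamps before the file is
touched. The sample file, its 2004 timestamp and the collector name are
constructed for the demonstration."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path):
    """Size, SHA-256 and MAC times of a file, as an examiner would record them
    before any handling. Even this read may update the file's last-access time
    on some filesystems, one reason examiners work from an image, not the live file."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "sha256": sha256_of(path),
        "mtime": st.st_mtime,   # last content modification
        "atime": st.st_atime,   # last access
        "ctime": st.st_ctime,   # POSIX: last metadata change; Windows: creation time
    }


def collect_naive(src, dst):
    """What the technician does: copy the contents. shutil.copy() writes a
    brand-new file, so the copy's modification time is 'now' and the original
    last-modified date is not carried with it."""
    shutil.copy(src, dst)
    return describe(dst)


def collect_with_record(src, dst, collector):
    """Record the original before touching it, copy with shutil.copy2() (which
    preserves atime/mtime but cannot preserve ctime), then re-hash the copy so
    the record proves the contents are unchanged."""
    before = describe(src)
    shutil.copy2(src, dst)
    after = describe(dst)
    return {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "original": before,
        "copy": after,
        "hash_match": before["sha256"] == after["sha256"],
        "mtime_preserved": int(before["mtime"]) == int(after["mtime"]),
    }


def demo(workdir=None):
    """Build a constructed evidence file dated 2004 and collect it both ways."""
    workdir = workdir or tempfile.mkdtemp(prefix="gdf_example_")
    evidence = os.path.join(workdir, "memo.txt")
    with open(evidence, "wb") as f:
        f.write(b"Constructed sample evidence file.\n")
    last_edited = datetime(2004, 1, 15, 9, 30).timestamp()   # pretend it was last edited then
    os.utime(evidence, (last_edited, last_edited))

    naive = collect_naive(evidence, os.path.join(workdir, "memo_naive.txt"))
    record = collect_with_record(evidence, os.path.join(workdir, "memo_copy.txt"),
                                 collector="technician (hypothetical)")
    return {"last_edited": last_edited, "naive": naive, "record": record}


if __name__ == "__main__":
    r = demo()
    print("naive copy mtime moved by %.0f days" % ((r["naive"]["mtime"] - r["last_edited"]) / 86400))
    print("recorded copy: hash match =", r["record"]["hash_match"],
          "mtime preserved =", r["record"]["mtime_preserved"])
```

Even the careful collection cannot preserve ctime, and it can do nothing for files that were already opened, printed or re-saved before the record was made; that is the sense in which the change is irrevocable, and why the recommended practice is to image the whole drive rather than copy individual files.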

Mistake #2 – Waiting until the last minute to perform computer forensics

As litigation can be extremely expensive, it is not uncommon for opposing sides to settle a matter rather than bear the full cost of litigating it. Consequently, until a matter actually reaches the court (and sometimes even after that point), there can be great uncertainty about how far it will be pursued. It is therefore not unusual, and not necessarily imprudent, for attorneys to delay or defer expensive litigation support services until they are certain those services will be required. This approach sometimes requires the client to pay a premium for last-minute or overtime services, but it generally reduces the client's total legal costs.

Computer forensics, however, does not follow this paradigm. Delaying or deferring forensics can not only significantly increase the cost to the client but may also damage their ability to win the litigation. This is due to the unique nature of electronic evidence.

In general, electronic evidence in the form of undeleted, ordinary user files is fairly robust and stable. Many matters, however, depend on the ability to authenticate user files, reconstruct timelines from file usage, and recover deleted files. This kind of evidence is extremely fragile and naturally degrades with continued use of the computer: every write can overwrite the unallocated space where deleted files reside, and every access can overwrite a timestamp. Unless the evidence has been mishandled or intentionally destroyed, skilled certified forensics experts can generally, but not always, recover it. The longer the evidence has been allowed to degrade, the greater the odds that it is unrecoverable, the more difficult and time-consuming the recovery effort, and hence the more expensive the recovery. Note that this additional cost does not include any service premium for short notice.

Given the uncertainty about settlement versus litigation, it would be inadvisable to perform a complete computer forensics examination in every matter. The nature of forensic collection provides an elegant way out of this quandary. Forensic collection is based on the principle of imaging: an exact bit-by-bit copy of the electronic media is made (through a write blocker, so the original is not altered), and the copy is fixed by a cryptographic hash so that any later alteration can be detected. Collecting evidence from a system thus preserves a snapshot of that system at that moment in time, which can be examined later. Compared to forensic examination, the process is relatively simple and inexpensive: forensic examination typically costs 3 to 4 times more than forensic acquisition, and a complex or deep examination can cost 9 to 10 times more, or beyond. A good rule of thumb is that if there is a chance the matter will progress to needing the evidence, a "Quick Analysis" or at least the imaging should be completed.
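As an added example of the imaging step, not code from the original page or from GDF, the following Python imitates what `dd if=/dev/sdb of=image.raw bs=4k conv=noerror,sync` followed by `sha256sum` do: every block of the source is copied in order, unreadable blocks are zero-filled and logged so the image keeps the source's geometry, and the hash recorded at acquisition lets anyone show later that the image has not been altered. The "device" is a constructed file and the read error is simulated; on a real system the source would be a drive behind a hardware write blocker.

```python
"""Added example, not from the original page: bit-for-bit imaging with hash
verification and dd-style (conv=noerror,sync) handling of unreadable blocks.
The source 'device' and the read error are constructed for the demonstration."""
import hashlib
import os
import tempfile

BLOCK = 4096


class ReadOnlySource:
    """Block reader over a path opened read-only. `bad_blocks` simulates
    sectors the drive cannot read (constructed for the example); a real drive
    raises the same OSError(EIO)."""

    def __init__(self, path, bad_blocks=(), block_size=BLOCK):
        self._f = open(path, "rb")          # never opened for writing
        self._bad = set(bad_blocks)
        self._bs = block_size

    def read(self, n):
        index = self._f.tell() // self._bs
        if index in self._bad:
            self._f.seek(self._bs, os.SEEK_CUR)   # the drive gives up on this block; move past it
            raise OSError(5, "Input/output error")
        return self._f.read(n)

    def close(self):
        self._f.close()


def image_device(source, image_path, block_size=BLOCK):
    """Copy every block from `source` to `image_path`, hashing exactly the bytes
    written. An unreadable block is replaced with zeros and its offset logged,
    so later offsets in the image still match the source (dd conv=noerror,sync)."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    bad_blocks, written = [], 0
    with open(image_path, "wb") as out:
        while True:
            try:
                chunk = source.read(block_size)
            except OSError as err:
                bad_blocks.append({"offset": written, "error": str(err)})
                chunk = b"\x00" * block_size
            if not chunk:
                break
            out.write(chunk)
            sha256.update(chunk)
            md5.update(chunk)
            written += len(chunk)
    source.close()
    return {"image": image_path, "bytes": written, "sha256": sha256.hexdigest(),
            "md5": md5.hexdigest(), "bad_blocks": bad_blocks}


def verify_image(image_path, expected_sha256):
    """Re-hash the image; True only if it is byte-for-byte what was acquired."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo():
    workdir = tempfile.mkdtemp(prefix="image_example_")
    device = os.path.join(workdir, "device.bin")
    data = bytes(range(256)) * 40 + b"trailing partial block"    # 10262 bytes, not a block multiple
    with open(device, "wb") as f:
        f.write(data)

    # 1. Clean acquisition: the image hash must equal the source hash.
    clean = image_device(ReadOnlySource(device), os.path.join(workdir, "clean.raw"))
    clean["matches_source"] = clean["sha256"] == hashlib.sha256(data).hexdigest()
    clean["verifies"] = verify_image(clean["image"], clean["sha256"])

    # 2. Tamper with the image afterwards; verification must now fail.
    with open(clean["image"], "r+b") as f:
        f.seek(100)
        f.write(b"X")
    clean["verifies_after_tamper"] = verify_image(clean["image"], clean["sha256"])

    # 3. Acquisition from a source whose second block cannot be read.
    degraded = image_device(ReadOnlySource(device, bad_blocks={1}),
                            os.path.join(workdir, "degraded.raw"))
    with open(degraded["image"], "rb") as f:
        f.seek(BLOCK)
        degraded["block1_zeroed"] = f.read(BLOCK) == b"\x00" * BLOCK
    return {"source_bytes": len(data), "clean": clean, "degraded": degraded}


if __name__ == "__main__":
    r = demo()
    print("clean image verifies:", r["clean"]["verifies"],
          "| after tamper:", r["clean"]["verifies_after_tamper"])
    print("degraded image bad blocks:", r["degraded"]["bad_blocks"])
```

In practice the examiner hashes the original through the write blocker and the image independently and records both in the acquisition log; when the source has unreadable sectors the two hashes will legitimately differ, which is why the bad-block log is part of the record rather than an afterthought.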

Mistake #3 – Too narrowly limiting the scope of computer forensics

In a complex matter it can be very difficult to know which systems hold evidence and which do not. Did the principals use their home computers? Did they use the file servers? Which email servers were involved? Is data stored offsite or on portable media? One of the most common mistakes, in both investigations and discovery, is limiting the scope of computer forensics too narrowly. There are two principal reasons this occurs. First, it is an attempt to limit costs by limiting computer forensics. Second, the individuals involved do not understand computer systems or forensics well enough to know where to look for evidence (see mistake #5 below).

As a cost-mitigation approach, limiting the scope is closely related to mistake #2 above, and the outcome is identical: servers or systems are not initially collected, evidence is later required from them, and the cost of forensics increases significantly because the data has degraded in the meantime. The rule of thumb above applies here too: if there is a 20% chance that evidence from a system will be needed, forensically collect it. Analysis can always be deferred until there is more certainty about its necessity.


Mistake #4 – Not preparing the client to preserve electronic evidence

Given the ubiquitous use of computers and electronic storage of information, any company, regardless of size, should expect to have to preserve electronic evidence and should be prepared to do so. The emerging case-law standard is that the duty to preserve electronic evidence begins when a future litigant has a reasonable belief that there may be litigation. Yet the majority of corporations have no plan in place to respond to a preservation order.

Failure to preserve electronic evidence can be exceedingly costly to a client and, by extension, to their external counsel. In a recent case, a company was fined $1,000,000 and faced courtroom sanctions because, although it had instructed employees not to delete files, it neglected to stop the automatic overwriting of its backup tapes. The company fired its external counsel and hired a new firm, which was able to reduce the fine and mitigate the sanctions. All of this could have been avoided if the first law firm had properly prepared the client for the preservation order. The lesson is that a litigation hold must suspend automated deletion (backup tape rotation, mailbox auto-purge, log rollover) as well as instruct users, because those automated processes keep running regardless of what employees are told.

As few companies have proactive plans for the preservation of electronic evidence, it often falls to outside counsel to advise them on how to respond. Unfortunately, outside counsel is not always well positioned for this role. First, they rarely have sufficient IT knowledge to assess how the client's IT infrastructure relates to and interacts with the preservation order. Second, as illustrated in mistake #1 above, external counsel typically lacks the forensics capabilities necessary to preserve electronic evidence. A qualified computer forensics team working with external counsel and the client's IT and legal staff can, however, provide the specific expertise in electronic evidence needed to prepare a client to respond to a preservation order. Consequently, as soon as there is a "reasonable belief" that there may be litigation, which invokes the duty to preserve, it is a good rule of thumb to consult your qualified computer forensics vendor on proactive electronic evidence preservation.

Mistake #5 – Not selecting a qualified computer forensics Team

If a company or an attorney seeks to avoid the first four mistakes discussed above, they will have to rely on an external certified computer forensics provider. As electronic evidence is often critical to the outcome of a dispute, it is essential that the provider be capable and qualified. Selecting the wrong firm could increase costs, lose a case, or even destroy a client relationship. Computer forensics, however, is a new and emerging discipline, and many companies and individuals now offer "computer forensic services." So, what makes a "qualified computer forensics partner?"

The first thing to consider is that computer forensics is more than using EnCase or any other program to collect and analyze evidence. An operator may be certified in the use of a single program without being a certified computer forensic investigator. EnCase is a forensic product for the Windows operating system and is an essential and accepted tool in that environment. Nevertheless, many matters require the collection of evidence from UNIX, Macintosh, AS/400, or legacy systems that such a Windows-based tool will not fully support. A qualified computer forensics vendor must have the capability to work across platforms and with legacy systems, and that expertise should also enable them to act as expert witnesses on your or your client's behalf.

The second thing to consider is that your computer forensics expert needs to be a trusted advisor. They must understand the cost trade-offs between late and early, and between narrow and broad, forensic collection and analysis. This requires looking beyond the transactional cost of an analysis to the total cost of litigation for both the company and the law firm. Ultimately, this extends to providing trusted and accurate advice to a client when they receive a preservation order for electronic evidence.

The third thing to consider is that, as with attorneys or any other professional service, price is not necessarily an adequate measure of quality and service. Inexpensive providers are not necessarily unqualified, and expensive providers are not necessarily overpriced. It is essential, therefore, to interview and assess the forensics firms. Here are ten questions to consider:

  1. Do they follow accepted protocols and procedures?

  2. Can they handle the nuances of different systems and hardware?

  3. Do they know how to balance the cost of early versus late and broad versus narrow forensic collection and analysis?

  4. Can they advise you and/or your client on discovery and preservation strategies?

  5. Have they served as expert witnesses?

  6. Who are their references?

  7. How many years have they been in business?

  8. How quickly can they react?

  9. How large a service area can they cover for your clients and branches?

  10. Do they follow DOJ practices in their own labs?


Conclusion

Computer forensics may be an unknown and mysterious discipline to many attorneys, but the most common procedural mistakes are easy to avoid. First, use a forensics partner and do not rely on internal IT staff for computer forensics investigations. Second (and third), if there is a 20% chance that evidence from a computer system will be needed, forensically collect it; analysis can always take place later, and early, broad collection reduces the total cost of computer forensics. Fourth, use your forensics partner to prepare your clients to respond to electronic evidence preservation orders so that they avoid fines and sanctions. Finally, choose your forensics vendor carefully, ensuring that they have a breadth of technical knowledge, fully understand electronic evidence, and come highly recommended.

Copyright 2005 Global Digital Forensics