First published May 2005
By Susan Steen and Johnette Hassell, Ph.D.
Electronic Evidence Retrieval, LLC
www.electronicevidenceretrieval.com
Thirty years ago computers were colossal machines utilized only by government agencies and prodigious corporations. These early machines were so large and complex that they required their own temperature-controlled rooms in order to function properly. Since that time they have metamorphosed into ordinary domestic devices that are as much a part of our daily lives as the telephone or the television. Because Americans use personal computers to communicate, work, learn, plan, and entertain, we have come to view our PCs as extensions of ourselves. For this reason, computers often contain important information, which can be used as evidence in legal proceedings, even if the information is not directly related to computers. This computer-based evidence can be anything from e-mail, to photographs, to confidential documents. Most importantly, the data frequently can be retrieved from a suspect computer, even if the user has deleted the information, defragmented the drive, or even reformatted the drive.
Computer forensics is the specialized practice of investigating computer media for the purpose of discovering and analyzing available, deleted, or “hidden” information that may serve as useful evidence in a legal matter. Computer forensics can be used to uncover potential evidence in many types of cases including, for example:
– Copyright infringement
– Industrial espionage
– Money laundering
– Piracy
– Sexual harassment
– Theft of intellectual property
– Unauthorized access to confidential information
– Blackmail
– Corruption
– Decryption
– Destruction of information
– Fraud
– Illegal duplication of software
– Unauthorized use of a computer
– Child pornography
Computer forensics combines specialized techniques with the use of sophisticated software to view and analyze information that cannot be accessed by the ordinary user. This information may have been “deleted” by the user months or even years prior to the investigation, or may never have been saved to begin with – but it may still exist in whole or in part on the computer’s drive.
It is always in the best interest of the attorney, the client, and the matter to locate a forensics specialist who can assist in all stages of building a case, including:
– Ascertaining whether the computer(s) in question may contain information relevant to the matter.
– Assisting in preparing and responding to interrogatories.
– Retrieving and examining information that is accessible only through the use of forensics programs and methods.
– Developing court reports.
– Planning and providing expert testimony.
In order to determine whether a computer holds information that may serve as evidence, the professional must first create an exact image of the drive. The examiner examines only this image drive to protect the original from inadvertent alterations. These images must be actual bit-by-bit or “mirror” images of the originals, not just simple copies of the data. Acquiring these kinds of exact copies requires the use of specialized forensics techniques.
These mirror images are critical because each time someone turns a computer on, many changes are automatically made to the files. In a Windows® system, for example, more than 160 alterations are made to the files when the computer is turned on. These changes are not visible to the user, but the changes that do occur can alter or even delete evidence, for example, critical dates related to criminal activity.
Assuring chain of custody is as important to the specialist who oversees drive imaging and evaluation of the data for its evidentiary value as it is in medical forensics. The forensics specialist uses hash codes to assure chain of custody.
Hash codes are large numbers, specific to each file and each drive, that are computed mathematically. If a file or drive is changed, even in the smallest way, the hash code will also change. These hash codes are re-computed on the original and images at various points during the investigation in order to ensure that the examination process itself does not modify the image being examined.
Computer forensic analysis is often useful in matters that, on the surface, seem unrelated to computers. In some cases, personal information may have been stored on a computer. In one embittered divorce case, a husband hid joint funds in a secret bank account. In another, an employee renamed software developed by his current employer to begin his own company. In still another, a male employee sent suggestive e-mails to a female co-worker over a period of months. Although all of the parties in these scenarios had deleted the information from their computers, computer forensics specialists were able to retrieve damning evidence from the drives.
How is it possible to retrieve deleted evidence? A computer’s operating system utilizes a directory that contains the name and placement of each file on the drive. When a file is deleted, several events take place on the computer. A file status marker is set to show that the file has been deleted. A disk status marker is set to show that the space is now available for another use. While the user can no longer see the file listed in any directory, nothing has been done to the file itself! This newly available space is called free or unallocated space and until the free space is overwritten by another file, the forensic specialist can retrieve the file in its entirety. Overwriting might be caused by a variety of user activities, such as adding a new program or creating new documents that happen to be written to the space where the “deleted” files exist. It is only when the data is overwritten by new data that part or all of the files are no longer retrievable through forensic techniques
The useable space on computer hard drives is divided into sectors of equal size. When a user needs to store information, the computer’s operating system automatically determines which sectors will be used to perform the task. In many instances the information being stored will not use up all of the space available in the designated sector(s). When this happens, information that was previously stored on the hard drive remains in the unused part of the designated sector, in what is called slack space. This means that even if part of the drive has been overwritten with new data, chances are that some implicating evidence will remain in the slack space. Critical data contained in slack space is also recoverable using forensic techniques.
Computer forensics specialists know how to access unallocated space and slack space as well as other hidden pockets of data and, with the proper tools, can recover their contents.
This hidden information is filled with details about what has taken place on the computer, such as Web sites visited, e-mail sent and received, financial-based Internet transactions, documents, letters, and photographs that have been created, modified or accessed, in many instances even if the data has not been saved on the computer.
How does this work? In order to make the user’s input visible on a monitor, the system stores the information in a temporary location. When the computer is later turned off, the information continues to exist in the temporary location, even if the user does not save it as a file.
When a user accesses the Internet, the browser keeps records of the sites the user has visited. Cookies are files that browsers use to track a user’s Internet activity. They may furnish passwords and other information about the user’s Internet practices. Cookies can be deleted if the user is aware of them, is conscientious about deleting them on a regular basis, and overwrites their locations. If not, forensics investigations can substantiate the Web sites the user has visited.
Particular programs, including Microsoft Word, retain facts about each document that it creates, modifies, or accesses within the documents themselves. These facts, known as metadata, chronicle the history of a document, including the identification of the user(s) who have modified and/or saved it, the directory structure of the computer(s) it has been saved to, and any printer it has been printed on. Computer forensics professionals can retrieve metadata readily and learn all there is to know about a document’s past life.
In many cases, even when the user has defragmented or reformatted a drive, evidence can still be retrieved. Many pockets of information are not altered by “defragging” a drive, because, as noted above, many documents contain internal information that describes dates, users, and other historical data that may be useful to the case. And while reformatting a drive rebuilds the file system, it does not remove the information that previously existed on the drive. A computer forensics specialist with the right software and experience can recover most of what was on the disk before the reformatting process took place.
What should the attorney do if he or she suspects that evidence may exist on a client’s computer? First, curb your curiosity! Repress your natural tendency to want to check it out. Remember that simply starting the computer changes files, many of those changes affect significant dates, and any access to the disk risks overwriting pertinent information and destroying the chain of custody.
Do your best to ensure that the computer remains untouched until a qualified forensics specialist can create a certified, bit-by-bit copy of the drive(s). The image can then be examined without jeopardizing the investigation.
Suppose you learn that someone has already tried looking at the drive. The best course of action is to leave the machine exactly as it is, whether it is on or off. Explain the situation to the forensics professional, who can manage the circumstances.
Note: This section has provided a simplified description of the most elementary facts surrounding computer forensics. It is not feasible to cite a complete account of the scenarios that computer forensics specialists might encounter, as the possibilities are virtually unlimited. However, the facts presented here are true in every case. For example, every investigation requires a non-invasive acquisition of a bit-by-bit image of the original disk(s), a non-invasive examination of the image, verifiable chain of custody, and assurance of the integrity of the data.
Similarly, since it is the intent of this section is only to provide some basic insight to the process, it would be impractical and excessive to describe in further detail the more technical aspects of drive analysis. For more detailed information concerning the technical aspects of computer forensics investigation, visit Electronic Evidence Retrieval, LLC or IACIS (The International Association of Computer Investigative Specialists).
The Benefit to Attorneys
In many instances, the evidence resulting from a computer forensics investigation means the difference between winning and losing the case. Often the only evidence that exists, aside from circumstantial, is the evidence found as the result of a computer forensics investigation. Paper files can be shredded, lost, tossed, or in some cases, altered. Witnesses can forget the facts as they occurred or use “selective memory” on the stand. Computer forensics evidence cannot be refuted, as it is the result of a scientific process and exists in an obviously tangible form.
Technology and Its Deployment
Computer forensics specialists are trained in specific techniques applicable to the field. It is important to remember that experts in other computer-related fields are not generally trained in forensics. For example, experts in computer hardware or data recovery will not have the expertise necessary to successfully retrieve, analyze, and report accurate findings from computer media without specific forensics training.
Locating a capable professional is not a difficult task. Here are some guidelines that will ensure that the professional you select will be able to do the job.
1. Consider the need for a computer forensics specialist directly upon acceptance of a case. Depending upon the number of computers potentially involved in the case, the work may be quite time consuming, and it is in the best interest of your client to be certain that the specialist you select has ample time to conduct a thorough investigation and write an accurate report. As in most professions, the best professionals are often the busiest. Bottom line: Don’t wait until a week before the court date to consider the need for a computer forensics specialist.
2. Find a professional who can provide all the related support services you will need, such as responding to interrogatories, providing court reports, and providing expert testimony. This will add continuity to the case, save you time and effort, limit the number of consultants you will have to coordinate, and will be most cost-effective for your client. You can find qualified professionals listed on Internet sites created specifically for this purpose, such as this site or the National Law Journal Litigation Services Network (www.nlj.experts.com). Referral agencies such as FTI Consulting (www.FTIConsulting.com) or TASA (www.TASAnet.com) can also assist you in locating an experienced computer forensics specialist.
When interviewing prospective professionals, the following criteria will help you accomplish this task to the greatest benefit to you, your client, and the outcome of the case:
– Search for a computer forensics specialist who is an experienced expert witness. It is preferable for the expert witness to be able to explain and discuss how he or she conducted the investigation, came to various conclusions, and determined their findings, rather than relying on another expert witness to interpret your specialist’s investigation.
– Have the expert explain the process of computer forensics to you. Can he or she explain the process in language that a jury can understand or is it described using scientific jargon that will sound like gibberish to the court?
– Discuss the preparation of court reports. The expert you choose should have ample experience in the generation of court reports, and should be knowledgeable of the intricacies that should be contained in this documentation.
– Instead of e-mailing to receive a resume first, talk to experts on the telephone. Consider how an individual’s voice will sound in court. The expert you choose should be articulate and self-assured without sounding pretentious or arrogant.
3. During the first meeting with your chosen expert, explore his or her knowledge concerning the Federal Rules of Evidence, Daubert and its relation to the admissibility of expert testimony, the Hearsay Rule and its exceptions, chain of custody, and suitable documentation. The expert’s knowledge in these areas is critical – it could make or break the case and impact your reputation, as well.
Form a partnership with the expert. Be sure that the lines of communication between you remain open and that the expert is informed of every twist and turn in the case that might impact his or her role in the matter.
A Final Note: The earlier a forensics specialist is involved in the matter, the greater the chance that usable evidence will result from the investigation. Attorneys should do their best to ensure that non-forensic professionals, including IT professionals, do not have access to the drive. If someone has accessed the drive – even turned it on or off – since the time the computer became suspect, be certain to inform the computer forensics specialist.
Following is a list of government offices and watchdog groups that address various aspects of computer forensics:
– FBI: Federal Bureau of Investigations
– SEARCH: The National Consortium for Justice Information and Statistics
– HTCIA: High Technology Crime Investigation Association
– FACT: Forensic Association of Computer Technologists
– NC3: National White Collar Crime Center
– USPS: US Postal Inspection Service
Reproduced with kind permission from Susan Steen, Electronic Evidence Retrieval, LLC
Johnette Hassell, Ph.D., has more than 20 years experience as a national consultant and expert witness in areas ranging from software development to telecommunications to medical information systems. She also provides computer forensics training for CLE credit.
