South
Florida's Leader in Electronic/Computer Forensics
By
Wayne Jahn
The president of a financial institution has just received reports from two internal sources that a vice president was running a second business out of his office on company time. An internal investigation immediately begins and the preliminary findings confirm the reports. Most troubling to the president are reports that the VP has instructed the administrative staff members to delete certain files. Once the information is confirmed, he is immediately terminated.
Fast-forward this story to three weeks later, the VP files an improper termination lawsuit against the company.
At the direction of legal counsel, a private investigator interviews the VPıs staff. The staff confirms his instructions to delete files, and a computer forensic expert is hired to retrieve the deleted documents. After exhausting almost all avenues of discovery, a single backup tape with 800 deleted documents pertaining to the case is found. Once the findings are communicated to opposing counsel, the lawsuit is dropped.
Collection and Preservation of Electronic
Evidence The collection, preservation and analysis of complex computer evidence are encountered by most trial lawyers. The use of a computer to create and store information leaves behind "electronic footprints" that can actually make or break a criminal case. Sensitive data such as e-mail, documents, temporary files, passwords, time and date stamps and other potentially valuable information are written to remote locations on computer hard disk drives and floppy diskettes as part of the normal operating process. Most perpetrators are unaware that such information even exists, and therefore are extremely careless in covering their tracks.
Lawyers are now using electronic evidence with great success in many types of cases. Tort suits: Computer records of accidents may support a claim that a particular product or place was dangerous. Divorce: A spouseıs home computer might show evidence of assets, such as on-line stock trading. Employment: A personnel database could contain evidence of a "pattern and practice" of discrimination. Criminal law: Dates and times attached to computer files could prove or disprove a defendantıs alibi. Bankruptcy, sexual harassment, bribery and embezzlement cases can all benefit from electronic evidence discovery.
Looking for this new type of evidence, however, can pose some problems. Lawyers need to know how to tailor discovery requests, make sure evidence is preserved, support a request to seize or review an opponentıs computers and maintain a chain of custody.
Tailor your Request for Discovery
Since the amount of electronic data can be overwhelming, lawyers should be very specific when requesting it. You should first focus on the computers and network drives of individuals involved in the case. You also should depose the information systems manager of the computers in question. Talking to the IS person is often the fastest way to find out what kind of hardware and software is used, where relevant information is stored, how long it is kept, who has access to what and which passwords are used.
Home computers, laptops, Palm Pilots, electronic organizers, floppy disks, Zip disks, server hard drives and even voice-mail are other information sources that should not be overlooked.
Preservation of Evidence
The preservation of evidence is one of the most important steps in electronic evidence collection. If you think there may be relevant electronic information present, get there early, before it can be erased. This kind of data can disappear very quickly because it gets recycled or overwritten.
One way to put the other side on notice is to send a "preservation letter." The letter should tell your opponent not to discard any evidence, including electronic data. This might require a change in the producing partyıs normal document deletion policies. The letter should also warn that destroying evidence, even if inadvertent, could spoil the case and lead to possible sanctions.
Maintaining the Chain of Custody
Proper documentation of the steps taken during the evidence processing is top priority. Good documentation tied to sound processing procedures is essential for success in computer crime cases. Without the ability to accurately reconstruct what has been done, the integrity and legal value of crucial evidence may be questioned. The qualifications of the expert witness can also become an issue if the computer evidence processing is done haphazardly.
Bringing in the Experts
Computer forensics is as much about meticulous documentation of investigative actions as it is about the technology. Many companies are under the misguided belief that their internal MIS department is capable of performing a computer forensic investigation. This belief may be true for technological competency, but the data is usually gathered and documented improperly, resulting in a loss of information and credibility in court.
Because electronically stored data is often so voluminous, without the help of a forensic expert to help determine what to ask for, where to look for it, and how to get it, litigation costs can be driven up dramatically. Computer forensic experts are trained in investigative, evidence gathering and evidence documentation techniques. They are also entrusted with the responsibility of securing computer information for possible future analysis by other investigators.
These experts help craft interrogatories, locate relevant data, create image copies of hard drives and recover lost files. A data recovery company has programs that you cannot buy off the shelf that can recapture deleted files not in the file directory. They can also recover older versions of the same document.
Historically, computer cases have rarely gone to trial in the United States. Such cases have typically resulted in negotiated guilty pleas because computer evidence has been thought to be irrefutable. This trend, however, is changing. Defense attorneys are becoming versed in computer crime and how to challenge expert witnesses. With more computer cases going to trial, the computer evidence is more likely to be subjected to close legal scrutiny by the defense counsel, the court and even the jury. Computer evidence issues may be extremely complex to a jury. It is the job of the forensic computer expert to distill complex technical computer issues into digestible snippets.
Choosing the right forensic expert to handle your casesı computer evidence is essential. With the right mix of technical and investigative knowledge, the sky is the limit when it comes to uncovering hidden, deleted, password protected and encrypted files. This is the information that might be the break you need to close the case, and the difference between a quick settlement and a long, drawn out proceeding.
Wayne Jahn is a retired police officer from Union City Police and a computer crime investigator with the Hudson County Prosecutors Office in New Jersey. He is currently a partner of The Forensic Technology Group (FTG), an experienced team of forensic accountants, investigators and information technology specialists who assist attorneys, private investigators and police departments dissect complex technical and financial information to solve crimes.
Copyright İ 2000 by Wayne K. Jahn
The president of a financial institution has just received reports from two internal sources that a vice president was running a second business out of his office on company time. An internal investigation immediately begins and the preliminary findings confirm the reports. Most troubling to the president are reports that the VP has instructed the administrative staff members to delete certain files. Once the information is confirmed, he is immediately terminated.
Fast-forward this story to three weeks later, the VP files an improper termination lawsuit against the company.
At the direction of legal counsel, a private investigator interviews the VPıs staff. The staff confirms his instructions to delete files, and a computer forensic expert is hired to retrieve the deleted documents. After exhausting almost all avenues of discovery, a single backup tape with 800 deleted documents pertaining to the case is found. Once the findings are communicated to opposing counsel, the lawsuit is dropped.
Collection and Preservation of Electronic
Evidence The collection, preservation and analysis of complex computer evidence are encountered by most trial lawyers. The use of a computer to create and store information leaves behind "electronic footprints" that can actually make or break a criminal case. Sensitive data such as e-mail, documents, temporary files, passwords, time and date stamps and other potentially valuable information are written to remote locations on computer hard disk drives and floppy diskettes as part of the normal operating process. Most perpetrators are unaware that such information even exists, and therefore are extremely careless in covering their tracks.
Lawyers are now using electronic evidence with great success in many types of cases. Tort suits: Computer records of accidents may support a claim that a particular product or place was dangerous. Divorce: A spouseıs home computer might show evidence of assets, such as on-line stock trading. Employment: A personnel database could contain evidence of a "pattern and practice" of discrimination. Criminal law: Dates and times attached to computer files could prove or disprove a defendantıs alibi. Bankruptcy, sexual harassment, bribery and embezzlement cases can all benefit from electronic evidence discovery.
Looking for this new type of evidence, however, can pose some problems. Lawyers need to know how to tailor discovery requests, make sure evidence is preserved, support a request to seize or review an opponentıs computers and maintain a chain of custody.
Tailor your Request for Discovery
Since the amount of electronic data can be overwhelming, lawyers should be very specific when requesting it. You should first focus on the computers and network drives of individuals involved in the case. You also should depose the information systems manager of the computers in question. Talking to the IS person is often the fastest way to find out what kind of hardware and software is used, where relevant information is stored, how long it is kept, who has access to what and which passwords are used.
Home computers, laptops, Palm Pilots, electronic organizers, floppy disks, Zip disks, server hard drives and even voice-mail are other information sources that should not be overlooked.
Preservation of Evidence
The preservation of evidence is one of the most important steps in electronic evidence collection. If you think there may be relevant electronic information present, get there early, before it can be erased. This kind of data can disappear very quickly because it gets recycled or overwritten.
One way to put the other side on notice is to send a "preservation letter." The letter should tell your opponent not to discard any evidence, including electronic data. This might require a change in the producing partyıs normal document deletion policies. The letter should also warn that destroying evidence, even if inadvertent, could spoil the case and lead to possible sanctions.
Maintaining the Chain of Custody
Proper documentation of the steps taken during the evidence processing is top priority. Good documentation tied to sound processing procedures is essential for success in computer crime cases. Without the ability to accurately reconstruct what has been done, the integrity and legal value of crucial evidence may be questioned. The qualifications of the expert witness can also become an issue if the computer evidence processing is done haphazardly.
Bringing in the Experts
Computer forensics is as much about meticulous documentation of investigative actions as it is about the technology. Many companies are under the misguided belief that their internal MIS department is capable of performing a computer forensic investigation. This belief may be true for technological competency, but the data is usually gathered and documented improperly, resulting in a loss of information and credibility in court.
Because electronically stored data is often so voluminous, without the help of a forensic expert to help determine what to ask for, where to look for it, and how to get it, litigation costs can be driven up dramatically. Computer forensic experts are trained in investigative, evidence gathering and evidence documentation techniques. They are also entrusted with the responsibility of securing computer information for possible future analysis by other investigators.
These experts help craft interrogatories, locate relevant data, create image copies of hard drives and recover lost files. A data recovery company has programs that you cannot buy off the shelf that can recapture deleted files not in the file directory. They can also recover older versions of the same document.
Historically, computer cases have rarely gone to trial in the United States. Such cases have typically resulted in negotiated guilty pleas because computer evidence has been thought to be irrefutable. This trend, however, is changing. Defense attorneys are becoming versed in computer crime and how to challenge expert witnesses. With more computer cases going to trial, the computer evidence is more likely to be subjected to close legal scrutiny by the defense counsel, the court and even the jury. Computer evidence issues may be extremely complex to a jury. It is the job of the forensic computer expert to distill complex technical computer issues into digestible snippets.
Choosing the right forensic expert to handle your casesı computer evidence is essential. With the right mix of technical and investigative knowledge, the sky is the limit when it comes to uncovering hidden, deleted, password protected and encrypted files. This is the information that might be the break you need to close the case, and the difference between a quick settlement and a long, drawn out proceeding.
Wayne Jahn is a retired police officer from Union City Police and a computer crime investigator with the Hudson County Prosecutors Office in New Jersey. He is currently a partner of The Forensic Technology Group (FTG), an experienced team of forensic accountants, investigators and information technology specialists who assist attorneys, private investigators and police departments dissect complex technical and financial information to solve crimes.
Copyright İ 2000 by Wayne K. Jahn