Purpose: This insight describes the steps necessary to preserve, analyze and present findings regarding deleted data. It is meant to inform both attorney and client on the need for deleted data in cases.
Disclaimer: I am not a lawyer. This writing is not meant to be legal advice on any case; rather, it is meant to inform the attorney and the client about the use of deleted data in civil cases. Every case is different and requires specific tasks and objectives to find and present the evidence of the case.
Deleted data is used by law enforcement daily for felony crimes. It is almost second nature to look to the deleted data to help make a case. It is the backbone of computer forensics. On the flip side of the legal world, in civil cases it seems that deleted data is commonly overlooked. I wish to address the absolute necessity of deleted data in civil cases.
Deleted data can be almost anything that once resided on a memory-based device: pictures, videos, PowerPoint presentations, documents, audio files, call logs, text messages, emails, and the list can go on and on. Attorneys know that when you want electronic data from opposing counsel, you must use a preservation letter to make sure it isn’t destroyed. This is a no-brainer for attorneys, but it is worth mentioning.
Your preservation request can’t ask for everything electronic. Most judges will see this as burdensome, not to mention it can look like you are gearing up for a fishing expedition in the case. Your preservation request needs to be targeted and specific. If you are going after deleted data, you will want to request a full physical forensic image of the hard drive of the computer in question. If it’s an Android cellphone, you will want to request the following three images: logical, file system and physical (where applicable). If it’s an Apple device, you will want to request logical, file system, method one and method two images. Other items to be requested can include smart watches, USB drives, email accounts, GPS devices, voice recorders, cloud-based accounts and any external hard drives that have been plugged into a computer in question, among others. It is important to always request the metadata as well. This can be redundant, but it ensures that you receive everything in an electronic format and shows that you will be examining the metadata in the case. I have assisted in crafting many preservation letters to ensure they are specific enough to show that we know our target but broad enough to ensure that we are not missing anything.
Data collections are a key component in your case. Do it wrong and the evidence can be thrown out. Do it wrong and key metadata can be irreversibly altered, potentially destroying your case.
Data collections need to be performed by an independent third party. Having your client’s IT staff collect the data can present a conflict of interest. Most of the time they also do not possess the tools and skills to do this properly, despite how great they are at configuring a firewall for the office. Data collections can take place for computers, email accounts, cell phones, tablets and social media accounts, and the list can go on and on. Making sure the data is collected correctly is key to finding and using deleted data in your case.
Analysis is the second-most important part of the entire process. Analyzing the deleted data is going to be the key to your success and can greatly enhance the electronic discovery process that most attorneys are used to. I have often thought that if the evidence in a case were critical, it would likely be deleted. It is human nature to hide what we don’t want discovered. It’s no different in electronic evidence. To reduce the forensic examiner's time and fees, tell the examiner as much as you can. Dates, search terms, type of document, timelines and websites can bring you closer to the deleted truth. I have personally seen deleted data be front and center as the crux of multiple cases. The data tells a story, and reconstructing that story normally requires both deleted data and the standard data you would find in your electronic discovery review.
Deleted data can reside in multiple places on a computer. It's important to find it and be able to explain why it was found in a certain area of the computer. Piecing together the puzzle can go rather quickly in many circumstances. Today, computer forensic software has evolved to allow the examiner to perform multiple tasks in a fraction of the time it used to take. Deleted data can uncover photos, videos, previous versions of documents, web history, chat logs and my personal favorite, deleted text messages.
Presenting the findings is the most important aspect of dealing with any type of data. Whether it is in a written report, deposition or in court, the ability to present the data can make or break a case. I know many people in my industry who are excellent forensic examiners but terrible at writing and even worse at speaking to people on the topic. I have read reports from experts that had no place in my daughter's eighth-grade English class, let alone handing over a professionally scripted paper.
For example, I could say, “The deleted data was found within the MFT and it held the EXIF data needed, which, along with the timestamp, led us to believe that this was deleted after the preservation order was given.”
Or you could say, “The deleted data was found in what is called the MFT. It stands for Master File Table. Think of it as a card catalog in a library that can direct you to everything in the library you wish to find. When we delete something, the MFT will hold onto the data even though it has been deleted. Part of that data is known as metadata, which simply means data about data. EXIF data is part of the metadata and refers to the GPS coordinates that are captured by different electronic files when they are created. The time stamp we identified as part of this piece of evidence was created after the preservation order went into effect and was then deleted based on where it was found within the forensic image that was examined.”
Obviously, it’s still a mouthful, but allows for an explanation of terms normally only used by myself and my nerdy digital colleagues.
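The reasoning in the explanation above can be shown on an NTFS MFT record directly. The following Python is an added example, not part of the original article or any forensic product: it parses a FILE record, reads the in-use flag and the `$STANDARD_INFORMATION` creation time, and tests whether a deleted record was created after an order date. The record, file name, dates and function names are constructed for illustration, and the sample record carries no update-sequence fixups.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(dt):
    """datetime -> NTFS FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def resident_attr(type_id, content):
    """Build a resident attribute: 24-byte header, then content, 8-byte aligned."""
    length = (24 + len(content) + 7) & ~7
    head = struct.pack("<IIBBHHHIHBB", type_id, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return (head + content).ljust(length, b"\x00")

def sample_record(name, created, in_use):
    """Constructed sample: 1024-byte FILE record (no fixups) with two attributes."""
    ts = [filetime(created)] * 4
    si = struct.pack("<4Q", *ts).ljust(48, b"\x00")     # $STANDARD_INFORMATION body
    fn = struct.pack("<Q4QQQIIBB", 5, *ts, 0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = resident_attr(0x10, si) + resident_attr(0x30, fn) + struct.pack("<I", 0xFFFFFFFF)
    header = struct.pack("<4sHHQHHHH", b"FILE", 48, 3, 0, 1, 1, 56, 1 if in_use else 0)
    return (header.ljust(56, b"\x00") + attrs).ljust(1024, b"\x00")

def parse_record(rec):
    """Return (in_use, file name, $STANDARD_INFORMATION creation time)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)   # first attribute offset, flags
    name = created = None
    while off + 8 <= len(rec):
        type_id, length = struct.unpack_from("<II", rec, off)
        if type_id == 0xFFFFFFFF or length == 0:        # end marker or corrupt length
            break
        body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
        if type_id == 0x10:                             # $STANDARD_INFORMATION
            ticks = struct.unpack_from("<Q", rec, body)[0]
            created = EPOCH_1601 + timedelta(microseconds=ticks // 10)
        elif type_id == 0x30:                           # $FILE_NAME
            nchars = rec[body + 0x40]                   # name length in UTF-16 units
            name = rec[body + 0x42: body + 0x42 + 2 * nchars].decode("utf-16-le")
        off += length
    return bool(flags & 0x0001), name, created          # bit 0 clear = record not in use

def deleted_after_order(rec, order_time):
    """Not in use and created after the order: deletion must postdate the order."""
    in_use, _, created = parse_record(rec)
    return not in_use and created is not None and created > order_time

ORDER = datetime(2020, 3, 1, tzinfo=timezone.utc)       # constructed order date
SAMPLE = sample_record("notes.docx", datetime(2020, 3, 15, 9, 30, tzinfo=timezone.utc), False)
```

Records read from a real forensic image need their update-sequence fixups applied before parsing, and because `$STANDARD_INFORMATION` times can be changed by user-level tools, examiners normally compare them with the `$FILE_NAME` times before relying on them.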
Deleted data is crucial in many types of civil cases, from family law, employment and intellectual property to corporate, insurance and securities. It is best to involve your forensic expert early when you start the discovery process. The best-case scenario would be to have your forensic expert and your electronic discovery vendor be the same entity, or companies that work closely together.