WHAT INSPIRES YOU, INSPIRES US.
Insights : Article

Computer Forensic Technology: A Personal Look at Recovering the Truth

By   Brook Schaub

April 24, 2015

A friend of mine who has a master's degree in computer science and builds simulation labs for major government contractors. One simulation included a ten foot display depicting the working parts of a particular piece of military hardware in its design stage. In the display, each gear was clearly demonstrated and its movement traced to the interlocking pieces. The simulation followed the military hardware projectile as it headed downrange, over mountains, took a left at a truck, and flew into the second floor window to the target. Needless to say, it was impressive technology.

Despite her advanced knowledge of technology, when the flash card on her digital camera became corrupted, and her niece's first birthday pictures disappeared, she asked me for help. While I was reformatting the flash card, she was thoroughly convinced the pictures had been irreversibly lost. A few minutes later, the forensic software I was using recovered all the pictures of a one-year old enjoying her first birthday cake. A long discussion of "How did you do that?" soon followed. Computer forensics was outside her knowledge base, even with her intense background in computer technology.

When I entered the private sector of computer forensics, the Federal Rules of Civil Procedure outlined the policies and procedures for the retention and archiving of data, e-mail, voice messages and similar electronic records. In my work, I found that companies and law firms were content to pay for data recovery as it related to litigation cases, but seldom for data investigation. Why? Because few understand the difference between the two processes.

Let me explain. Data recovery encompasses the retrieval of lost data. Data Investigation, on the other hand, is true computer forensics and involves searching through billions of deleted 1s and 0s on a hard drive to find the "smoking gun" that can help a client continue to fight or decide to settle a case. Data investigation in civil litigation typically involves the search of archived data for key words relating to the case and can account for a very large part of the investigation.

One of the first cases I worked on in the private sector related to the difference between data recovery and data investigation in a civil litigation case. The case involved a property claim and palimony agreement of two individuals who both held high-level positions at the same company. When I entered the investigation, a considerable amount of time and money had already been spent by the client on "computer forensics," which amounted to data recovery and, therefore, no conclusive evidence.

I was asked to examine a computer not yet reviewed using data investigation methodologies. My examination revealed spoliation of the computer's files, which implicated the company's IT manager as part of the plot to delete and scrub the data files. The investigation findings included the exact time and date in which the IT manager scrubbed, or removed, the data files. These time and date stamps indicated that the IT manager scrubbed the files the same evening it was documented that he spent the night at the petitioner's home ... an interesting case finding. In this situation, the IT manager knew how to delete and scrub data, but he did not know that computer forensic technology would be able to uncover his actions.

The use of data investigation methodologies can uncover more than just changed time and date stamps, and can be used for more than civil litigation. The following examples showcase the variety of evidence computer forensics can uncover and the many different situations where data investigation can be utilized:

- A rapid settlement without further litigation costs was reached when the data investigation of a company proved that employees with non-compete clauses in their contracts had downloaded the company's strategic plan, customer lists and pricing strategies onto a CD one day before resigning.

- A sexual harassment case was successfully defended by a company when deleted e-mails containing attachments in violation of the company's acceptable use policy were recovered from the petitioner's account. Other deleted e-mails also helped the company's case; some of the recovered e-mails had been deleted more than four years prior to the recovery. 

- A deleted e-mail containing the words, "I'm not going to jail over this!" was recovered while performing computer forensics for a fraud case. This e-mail would not have been found or recovered using only the key words provided by the attorneys. A good computer forensics examiner will use his experience, as well as information from the client, to create a preliminary plan for the analysis. 

- Computer forensics can assist in divorce litigation. Through computer forensics, a plot discovered in a common chat file indicated that one respondent was concealing assets through a third-party. In another case, the character of one party was quickly tarnished in a custody battle when copies of e-mails that were submitted to the court as exhibits and purported to be genuine were found to be questionable and fraudulent.

Businesses and individuals can benefit from understanding data investigation methodologies and what they are capable of uncovering. Data investigation should not be viewed in the same light as data recovery, but instead, should be viewed separately as an investigation to locate evidence supporting or disputing a claim relating to civil or criminal litigation, divorce, human resources or other types of issues.

In any litigation, a sound plan on how to use electronic discovery is important. Determine if the case requires only data recovery or the use of computer forensics. A plan to investigate data must be fluid, as each new piece of evidence may lead the case in a different direction. One single e-mail, deleted years ago, may lead to a quick settlement and less litigation costs for the client, as uncovered evidence may eliminate the need for valuable resources to be dedicated elsewhere.

Most importantly, companies need to understand the extent of information that can be recovered and investigated through computer forensics. Like my friend's pictures, data that is seemingly lost forever can be recaptured. To recover lost documents efficiently and effectively, it may be useful to enlist the help of an IT specialist. A computer forensic examiner, on the other hand, may be more valuable in data investigation to uncover documents that could be important to proving or disputing a claim. With the help of the right person, lost photographs of a child eating birthday cake and deleted e-mails that could help solve a case are not gone forever ... they are just waiting to be recovered.