The eMag Link Monthly Articles
December Edition
Computer Forensic Investigations Require the Skills of Trained eDiscovery Specialists*
When it comes to white-collar crime these days, the answer to the age-old question, "Whodunit?" is frequently being discovered in a series of zeroes and ones. E-mail correspondence, computer documentation, and electronic files of all sorts leave an indelible trail of clues that - more often than not - tip the balance in contentious corporate lawsuits.
This means that the emerging field of computer forensics - the collection, preservation, analysis and presentation of computer-related evidence - will only grow in importance. Without exception, investigations involving the search for electronic evidence demand that companies rely upon sophisticated techniques employed by experts with specialized IT training because evidence retrieved or collected in an inappropriate manner may have highly adverse effects on the outcome of litigation. Data that appear to have been altered or damaged, for instance, may be ruled inadmissible - thereby undercutting a company's defense against wrongdoing, or rendering useless vital information that might lead to judgments against guilty parties. In fact, to ensure they produce documents of unimpeachable integrity, most companies turn to technology partners that specialize in computer forensics.
E-discovery Mistakes can be Costly
One doesn't have to look far to see proof of the importance of irreproachable e-discovery. There have been a number of cases in the past few years where the methods used to produce evidence were called into question and, ultimately, had a dramatic effect on the outcome of the litigation:
- In United States v. Philip Morris, a number of e-discovery mistakes were made and resulted in a $2.75 million judgment against Philip Morris;
- In the recent settlement levied against Morgan Stanley, the court discovered multiple e-discovery abuses, which led to a $1.5 billion jury verdict;
- In Zubulake v. UBS Warburg LLC, spoliation of evidence occurred due to failure to preserve e-mails and backup tapes, which resulted in a $29.3 million wrongful termination verdict.
Electronic technology has forever changed how evidence is produced and viewed by the legal system. Computers make it easy for companies to document, duplicate and distribute great volumes of information. Plus, for good or ill, these networks and intranets leave a permanent electronic "paper trail," so to speak. Even after e-mail correspondence or documents are deleted, they can nonetheless be reconstructed - or, at the very least, experts can uncover indications that they existed at an earlier time. Likewise, today's technology produces metadata to record information like the date a document was created, modified and deleted, as well as email tracking information like the contents of the to/from/subject lines and relevant internet addresses.
Courts recognize that electronic evidence can be searched easily and so require that it be introduced whenever possible. At the same time, attorneys savvy in computer forensics can spot indications that data has been altered or deleted - and can use such information to discredit evidence. The result: companies have learned to rely upon only the most expert IT professionals to conduct computer forensic investigations.
When conducting such an investigation, experts must consider a multitude of factors: operating and network systems; application and backup software; and data sources that include file servers, storage devices, desktop computers, laptops, PDAs, cached files, temporary files, deleted files, unallocated space, slack space, system logs, internet cookies, and swap files.
Spoliation of Data is Major Risk
The very complexity of these searches compounds the risk of error or mishandling of data. The most common hazard affecting computer forensics, for instance, is spoliation of evidence. The legal system holds that individuals and corporations have a duty to preserve evidence that relates in any way to ongoing or imminent litigation. Simply put, this means parties named in lawsuits must be extraordinarily careful not to misplace or destroy relevant information - either intentionally or through negligence - not only during litigation, but from the very moment the party suspects a suit might be brought.
While it seems straightforward enough, corporations are often shocked to learn how easy it is to violate this dictum. The very act of searching a computer, server or network to uncover electronic evidence can alter the data unless proper forensic techniques are used. The damage can range from total erasure of critical files, to alteration of metadata that establishes the credibility of the information itself. Even accidental spoliation can occur throughout the e-discovery process - while accessing, copying or compressing files, for example, or while information is being burned to CDs and DVDs.
No matter how innocent, alterations to electronic evidence call the veracity of the data into question. The credibility of the materials is tainted and, ultimately, the evidence may be ruled inadmissible - which means litigants could be prohibited from producing information that favors or defends their position, or which contributes to a level of suspicion regarding their integrity.
To avoid these problems and ensure that litigants aren't exposed to additional risk because of faulty computer forensic techniques, leading corporate executives frequently turn to trained professionals to assist. In doing so, they have benefited from three distinct advantages:
- Computer forensic specialists can actually help avert lawsuits that may have been brought because important data, documents or exculpatory evidence had been destroyed or overlooked during previous litigation.
- Professionals trained in the intricacies of computer forensics can prevent the loss, destruction or inadvertent alteration of computer evidence (accidental overwriting of a hard drive, for example) during data searches - and, by doing so, can ensure the admissibility of this information in court, or at hearings and other proceedings.
- Experts can ensure that all potential electronic evidence is uncovered. Because of their comprehensive training, they are well versed not only in examining likely data sources (e.g., hard drives and backup systems), but also the less obvious repositories (e.g., internet cookies, cached files and unallocated space).
Trained Specialists Preserve Integrity of Data
Computer forensics specialists have developed a meticulous set of standards and procedures they employ to ensure the integrity of all electronic files they produce. With the specific objective of finding all relevant material, but altering none of it, these professionals typically follow these five steps:
- Specialists ensure that the examination in no way violates the integrity of the original media. To this end, computer forensic specialists almost never conduct discovery activities on the original media, but instead image the data, duplicating it to forensically sterile media. If there is indication of residual data on the media to which the original is copied, opposing attorneys can question whether or not the residue could have contaminated the evidence presented.
- All potentially relevant hardware systems and software applications are examined and the process is thoroughly documented. All examinations are conducted using licensed software. During e-discovery, computer forensic specialists will ensure they have investigated the following elements:
  - data from the original HDD
  - boot record data, and user defined system configuration and operation command files, such as the CONFIG.SYS file and the AUTOEXEC.BAT file
  - password protected files
  - user data file in the root directory and each sub-directory (if present)
  - executable programs of specific interest
- Besides investigating data currently in existence, experts dig deeper to ensure that all recoverable deleted files have been restored. In addition, they will examine unallocated and slack space for lost or hidden data, if appropriate. Finally, they will check the contents of the CMOS and the internal clock for the correctness of the date and time markers.
- A listing of all the files contained on the examined media is constructed, and a printout or copy of all apparent evidentiary data is produced. The file or location where any apparent evidentiary data was obtained is noted on each printout. The specialist confirms that all exhibits are marked and sequentially numbered - and that they are ultimately properly secured and transmitted.
- The computer forensic professional is also expected to certify the discovery process. A final report, including findings and comments, is produced and properly documented.
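Two of the controls the five steps above depend on can be shown in code: checking that the target media is forensically sterile before the original is imaged onto it (step one), and building a sequentially numbered listing of every file on the examined media, with a hash per file so any later alteration is detectable (step four). The following is an added example written for this page; it is not eMag Solutions' tooling and the article does not prescribe any particular hash or manifest layout. Media are simulated with in-memory byte buffers and a temporary directory, SHA-256 is this example's choice, and the sample file contents are constructed.

```python
"""Added example: sterile-media check, hash-verified imaging and a numbered
file inventory. All sample data is constructed; SHA-256 and the manifest
fields are assumptions of this example, not the article's procedure."""
import hashlib
import os
import tempfile
from typing import Dict, List

CHUNK = 64 * 1024


def is_sterile(media: bytes) -> bool:
    """True when the target media holds only zero bytes, i.e. no residual data
    that opposing counsel could argue contaminated the image."""
    return media.count(0) == len(media)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_to_sterile_media(source: bytes, target: bytearray) -> Dict[str, str]:
    """Copy `source` onto `target`, refusing a target that is too small or not
    sterile, then verify the copy by hash. The returned hashes go into the
    examiner's notes as proof that the image matches the original."""
    if len(target) < len(source):
        raise ValueError("target media smaller than source")
    if not is_sterile(bytes(target)):
        raise ValueError("target media not forensically sterile: residual data present")
    target[: len(source)] = source
    src_hash = sha256_bytes(source)
    img_hash = sha256_bytes(bytes(target[: len(source)]))
    if src_hash != img_hash:
        raise RuntimeError("image verification failed: hash mismatch")
    return {"source_sha256": src_hash, "image_sha256": img_hash}


def build_inventory(root: str) -> List[Dict[str, object]]:
    """Walk the examined tree (root directory and every sub-directory) and return
    a sequentially numbered listing: exhibit number, relative path, size, hash.
    Directories and files are sorted so the numbering is reproducible."""
    entries: List[Dict[str, object]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            entries.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    for number, entry in enumerate(entries, start=1):
        entry["exhibit"] = number
    return entries


def make_sample_tree(root: str) -> None:
    """Constructed sample volume: a config file in the root and one file in a
    sub-directory, standing in for the examined media."""
    os.makedirs(os.path.join(root, "mail"), exist_ok=True)
    with open(os.path.join(root, "CONFIG.SYS"), "wb") as fh:
        fh.write(b"FILES=40\r\n")
    with open(os.path.join(root, "mail", "outbox.txt"), "wb") as fh:
        fh.write(b"To: counsel@example.invalid\r\nSubject: status\r\n")


def demo_inventory() -> List[Dict[str, object]]:
    """Build the constructed sample tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return build_inventory(tmp)


if __name__ == "__main__":
    for entry in demo_inventory():
        print(f'{entry["exhibit"]:03d} {entry["sha256"][:16]} {entry["size"]:>6} {entry["path"]}')
    original = b"evidence" * 1000
    print(image_to_sterile_media(original, bytearray(len(original))))
```

Running the script prints the numbered listing and the matching source and image hashes. The refusal paths matter as much as the happy path: a target with even one non-zero byte is rejected before anything is written, which is exactly the residual-data situation step one warns about.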
- Have computer forensic staff members received specialized and comprehensive computer forensic training from a recognized training school?
- Did that training include the use of sound forensic procedures, like those described earlier?
- Do the vendor and individual investigators understand "chain of custody" and how to maintain it as it relates to a specific e-discovery project? A legal concept, chain of custody relates to the process used during the handling of all evidence - where it was stored at all times, who had access to it, and if it was kept in a secure environment, for instance. If there are gaps in this chain, opposing attorneys have reason to attack the credibility of the evidence.
- Have the investigators assigned to the computer forensic examination received up-to-date training in the use of the most advanced forensic tools, as well as instruction in current techniques for data recovery?
Unfortunately, we operate in a highly litigious society - and the odds are great that most corporations will someday be involved in a lawsuit. With few exceptions, the field of computer forensics will have a tremendous impact on the outcome of these cases. If produced properly, electronic evidence can lead to a successful outcome but, if mishandled, it can have an equally adverse effect. It makes sense for IT leadership to recognize the specialized skills that are required and to be prepared to seek out expert assistance if - and when - the need for computer forensics arises.
*The following article was authored by Stephen Tarr of eMag Solutions, and it was printed in the December 05 issue of The ISSA Journal.
Precautions to Take with Water Damaged Tapes
With the recent spate of hurricanes and the predictions that the bad hurricane seasons will continue for the foreseeable future, we wanted to put out some basic tape cartridge precautions in case your company is faced with the unfortunate situation of water damaged tapes. It's very important that these precautions are followed in order to minimize downtime and to avoid further damage to the tapes.
Precautions
- Act quickly. The effects of temperature, humidity, water damage, etc. can become gradually worse over time.
- Handle wet tapes gently.
- Speed is of the essence, but it's important to keep the tape wet until the recovery can begin. Place the tapes in a secure plastic bag with a wet sponge.
- Keep the tapes in a cool (not freezing) environment to avoid the growth of mold.
- Don't try to hurry up the drying process. The tape can react badly to fast changes in temperature, humidity, etc. In addition dried sediments can further damage tapes.
- If the tape has been exposed to mud, rinse carefully and quickly with distilled water.
- If the tape has been exposed to salt water, rinse carefully and quickly with distilled water.
- Never try running on a production drive. Any moisture present will cause tapes to stick to the head like cellophane and stretch or break the tape.
- When sending tape media for recovery, be sure to package securely. Be aware that water escaping from tape media can disintegrate the packaging. Ensure the package is water tight and padded.
eMag has had extensive experience in recovering water damaged tapes, and if you follow these basic precautions, you can significantly reduce the chances of data loss if damage does occur. Please don't hesitate to contact us if you have additional questions.
This article may be re-published as long as the following resource box is included at the end of the article and as long as you link to the email address and the URL mentioned in the resource box:
Article by eMag Solutions. For more articles on eDiscovery and Data Restoration, subscribe to our e-mail Newsletter by sending a blank email to newsletter@emaglink.com or by going to http://www.emaglink.com.
