What are the first steps in securing digital evidence?

By Erik Laykin

Digital evidence is fragile by nature and must be handled carefully to prevent spoliation, or even the slightest appearance of improper handling or use. Because of the complex, interconnected relationships between operating systems, software applications, databases and the many users who often share the same network, a digital evidence investigator must simultaneously understand the 'big picture' (the network architecture) and be able to give relevance to the smallest of details.

Taking a common-sense approach to the preservation and analysis of digital evidence can help your case immensely. Over-complicating, or unnecessarily simplifying, the relevance of the relationships between information technology components is a pitfall that affects many case managers, lawyers and even judges!

Using digital evidence specialists for the acquisition, analysis and testimony aspects of your case gives you the peace of mind of knowing that the most elusive component of contemporary complex litigation is within your control.

Would you want your general practitioner to perform heart surgery on you?

It is incumbent upon litigants to have sound methods in place for the production and securing of their digital evidence. Failure to do so leaves either side at risk of greatly undervaluing the impact that this form of evidence can have on a given case. Improperly preserved digital evidence can be worse than having no evidence at all. Too frequently, members of the legal team or executive management hand the job of securing evidence to information technologists with a generalist or unsuitable background. Such was the case in a recent matter involving a Fortune 500 company, where a senior vice president charged with securing the accounting data of an unprofitable division referred the matter to his regional information technology manager, whose chief responsibility was the administration of the corporate intranet and associated networks.

While this “network administrator” had some of the skills needed to capture evidence from the division's accounting computers, his methodology was inconsistent with accepted forensic acquisition standards. As a result, many of the deleted files that could have proven to be a “smoking gun” were irreversibly corrupted, preventing the internal forensic accountants from completing their investigation.

Generally speaking, internal information technology staff such as network administrators are very willing to assist in the investigative process. Choosing them for this task, however, can taint the objectivity of the investigation and, more importantly, compromise the usability of the digital evidence gathered.

Stop the presses

The single most important component of the digital evidence capture process is securing the media on which the evidence resides. Because a hard drive does not actually erase deleted data but merely marks the space it occupied as available for reuse, any continued use of the drive or the system, let alone deliberate tampering, can overwrite that space and thereby permanently destroy or corrupt the original evidence.

In a recent case involving a California retail chain, corporate security was directed by the CEO to remove an employee who managed a department. The corporate security staff boxed up the employee's belongings, completed an exit interview, changed the locks on the office and escorted the employee out of the building. What they failed to do was properly secure the desktop computer the manager had used.

The manager was relieved of their duties on a Friday afternoon. A call was placed to corporate counsel notifying them of the firing. On Monday morning, senior management met and determined that a lawsuit should be filed against the employee for theft.

A lawsuit was filed, and within a few weeks the fired employee's desktop computer was forwarded to corporate counsel as evidence in what appeared to be a brewing long-term battle of complaints and cross-complaints. When the attorney and his paralegal examined the computer, the anticipated documentation (the digital evidence) that would have substantiated the employee's theft and the company's lawsuit was nowhere to be found.

What management and the security staff did not count on when securing the evidence on the day of termination was that the manager maintained a relationship with a co-worker in the department. During the weekend following the termination, the manager contacted the co-worker and convinced them that it was in their interest to enter the facility over the weekend and, over the network, access the manager's computer to carry out a thorough deletion of all company and personal files on it.

Because the manager's accomplice had plenty of time to work on the evidence, inexpensive, downloadable data-wiping utilities were enough to remove all traces of the manager's wrongdoing. Unlike an ordinary delete, which leaves the file's contents on disk until the space is reused, a wiping utility overwrites the contents, so there is nothing left for forensic recovery tools to find.

One of the most important steps that management, counsel or corporate security can take at the outset of any investigation with a digital evidence or information technology component is to secure the evidence and maintain its chain of custody. In the case of the California retail chain, had the corporate security manager simply turned off the computer, or even just unplugged its network cable, the accomplice could not have reached it over the network during the weekend. Had the security manager turned off the computer, placed it in a box and removed it to the security office, recording who took custody of it and when, it is virtually certain that the firm would still have the upper hand and would have retained the entirety of the digital evidence on the manager's computer. If anything held in memory or any open network connection might matter to the case, disconnecting the network first and photographing the screen preserves more than an immediate power-off; either, though, is vastly better than leaving the machine reachable.
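The preservation discipline described above, as an added example that is not part of the original article: image the media, hash the image at acquisition, record the hash in a chain-of-custody log, and re-verify the image later. All data here is constructed, a plain file copy stands in for a write-blocked imaging tool (an assumption, since a real acquisition reads a block device), and the file names, the item label "desktop-001" and the JSON-lines log format are illustrative choices, not anything the article specifies.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Byte-for-byte copy of the source, proven by hashing both sides.

    Assumption: a plain file copy stands in for a write-blocked imager; the
    source is a raw file, not a live block device."""
    shutil.copyfile(source_path, image_path)
    source_hash = sha256_file(source_path)
    image_hash = sha256_file(image_path)
    if source_hash != image_hash:
        raise RuntimeError("acquisition failed: image hash does not match source")
    return image_hash


def log_custody(log_path, item, action, custodian, sha256):
    """Append one chain-of-custody entry: who did what to which item, when, and its hash."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "item": item,
        "action": action,
        "custodian": custodian,
        "sha256": sha256,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, log_path):
    """Recompute the image hash and compare it with the one recorded at acquisition."""
    with open(log_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    acquired = [e for e in entries if e["action"] == "acquired"]
    if not acquired:
        raise ValueError("custody log has no acquisition record")
    return sha256_file(image_path) == acquired[0]["sha256"]


def demo():
    """Constructed scenario modelled on the retail-chain case (all data is made up)."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    disk = os.path.join(workdir, "manager_desktop.raw")   # the seized machine's drive
    image = os.path.join(workdir, "manager_desktop.img")  # the forensic copy
    log = os.path.join(workdir, "custody.jsonl")

    live = b"LIVE FILE: quarterly_report.xls\n"
    remnant = b"DELETED FILE REMNANT: transfers_to_personal_account.txt\n"
    with open(disk, "wb") as fh:
        # unallocated space still holds the deleted file's contents
        fh.write(live + b"\x00" * 64 + remnant + b"\x00" * 64)

    # Friday: image the drive and open the custody log before anyone else touches it.
    image_hash = acquire_image(disk, image)
    log_custody(log, "desktop-001", "acquired", "corporate security", image_hash)
    image_verifies = verify_image(image, log)

    # Weekend: the accomplice's wiper overwrites the remnant on the original drive.
    with open(disk, "r+b") as fh:
        fh.seek(len(live) + 64)
        fh.write(b"\x00" * len(remnant))
    original_still_matches = sha256_file(disk) == image_hash

    # Later: someone alters the image itself; the recorded hash exposes it.
    tampered = os.path.join(workdir, "manager_desktop_tampered.img")
    shutil.copyfile(image, tampered)
    with open(tampered, "r+b") as fh:
        fh.seek(len(live) + 64)
        fh.write(b"\x00" * len(remnant))
    tampered_image_verifies = verify_image(tampered, log)

    shutil.rmtree(workdir)
    return {
        "image_verifies": image_verifies,
        "original_still_matches": original_still_matches,
        "tampered_image_verifies": tampered_image_verifies,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hash is not secrecy but accountability: once the acquisition hash is in the custody log, the original can be wiped (as in the case above) and the image still proves its own integrity, while any later alteration of the image is caught the moment it is re-verified. In practice the log entry would also carry the imaging tool and version, the drive's serial number and the signature of the custodian.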

OnlineSecurity is a global leader in investigating high technology and cyber crimes and providing for the online protection of corporate and government assets. The company's services include implementing state of the art network security, electronic discovery, investigating Internet and digital thefts and frauds, and in providing high-technology litigation support. For more information, please visit http://www.onlinesecurity.com or email Mr. Laykin at erik@laykin.com.
