6 Ways Attorneys Can Ruin a Computer Forensic Case by Martin Prinsloo, CFE, CISA, CITP, CFF; and Gabriel Campos
This article originally appeared in Daily Business Review.
Many disputes have been decided based on digital data collected and recovered from computers and cellular phones. In today’s always-on, always-connected environment, there is very little business or personal information that cannot be traced back to an electronic device, an application or a cloud-storage platform. In this age of big data and expanding digital footprints, legal professionals are faced with a multitude of challenges. They must preserve the integrity of an overabundance of digital evidence; protect it from loss, contamination and destruction; and ensure it is forensically sound and credible for use in legal proceedings.
Following are six common ways that business professionals and their legal counselors unintentionally alter or destroy digital evidence, complicating forensic investigations and exposing themselves to legal risks.
Turn on the Computer and Attempt to Save or Transfer Files
The simple task of pressing a button to turn on a computer is enough to compromise the data it contains. During the start-up process, a computer’s operating system, hard drive, disks and software go through a sequence of behind-the-scenes boot-up activities that, unbeknownst to the average computer user, change dates, logs and other potential case-pertinent information. These activities also involve automatic backup and cleanup processes, which may unintentionally infringe upon litigation-hold requirements. The same is true when users plug in a thumb drive and attempt to transfer files to it to use as a part of their legal defense.
When an attorney receives a client’s computer, he or she should, at the very least, consult with forensic experts before turning the device on or off or reviewing data on the device. Failure to do so may cost a client tens of thousands of dollars down the road in attempts to recover old, deleted files, as well as the loss of improperly preserved metadata that could have proven critical in their cases. Moreover, the attorney who turns on the computer could face questions of spoliation from the opposing side due to a lack of proper forensic preservation. Our firm has successfully defended attorneys in these matters, which not only prove costly, but also impact the overall trial schedule.
Keep Devices Connected to Networks
When evidence of a crime is suspected, digital devices and media containing critical evidence should be quarantined and disconnected from Wi-Fi, internet, cellular and Bluetooth connectivity, all of which can inadvertently corrupt or destroy data. This is especially relevant to smartphones, which are often turned on when submitted for evidence and exposed to the risk of being wiped remotely.
Under these circumstances, counsel might consider enabling the smartphone’s airplane mode or requesting that the phone be turned off prior to its preservation. It is critical for attorneys to recognize these data repositories and develop appropriate procedures to mitigate risks of data spoliation all while seamlessly conducting client interviews and case assessments.
Rely on a Client to Properly Preserve Evidence
Forensic investigations and electronic discovery require specialized tools and skills to preserve, verify and secure digital evidence for proper use in legal proceedings. Proven forensic procedures must be followed in a specific order to carefully recover digital assets and create an exact, byte-by-byte duplicate (a mirror image) from which data may be properly collected, handled, preserved, analyzed and prepared according to the rules of evidence. After all, forensic investigations and analysis should only be performed on duplicate images and never on the original evidence, which could be altered and therefore excluded from evidence.
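What "exact, byte-by-byte duplicate" means in practice can be checked mechanically. The following Python sketch is an added example, not the authors' procedure or any forensic product's code: it hashes a source and its image with SHA-256 and reports which segments differ. The segment size, file names and sample data are constructed assumptions.

```python
import hashlib
import os
import tempfile

SEGMENT = 4096  # bytes per comparison segment (assumed value for this example)

def verify_image(source_path, image_path, segment=SEGMENT):
    """Return (source_sha256, image_sha256, offsets of segments that differ)."""
    src_hash, img_hash = hashlib.sha256(), hashlib.sha256()
    mismatches = []
    offset = 0
    # Both files are opened read-only; a real acquisition also puts a
    # hardware write blocker in front of the original media.
    with open(source_path, "rb") as src, open(image_path, "rb") as img:
        while True:
            a, b = src.read(segment), img.read(segment)
            if not a and not b:
                break
            src_hash.update(a)
            img_hash.update(b)
            if a != b:  # also true when one file is shorter than the other
                mismatches.append(offset)
            offset += segment
    return src_hash.hexdigest(), img_hash.hexdigest(), mismatches

def demo():
    """Constructed sample: a 3-segment source, a faithful copy, an altered copy."""
    with tempfile.TemporaryDirectory() as d:
        data = os.urandom(SEGMENT * 3)
        altered = bytearray(data)
        altered[SEGMENT + 10] ^= 0xFF  # flip one byte in the second segment
        paths = {}
        for name, blob in (("source", data), ("good", data), ("bad", bytes(altered))):
            paths[name] = os.path.join(d, name + ".dd")
            with open(paths[name], "wb") as f:
                f.write(blob)
        return (verify_image(paths["source"], paths["good"]),
                verify_image(paths["source"], paths["bad"]))

if __name__ == "__main__":
    good, bad = demo()
    print("faithful copy matches:", good[0] == good[1], good[2])
    print("altered copy matches: ", bad[0] == bad[1], bad[2])
```

A single changed byte produces a different digest, which is why matching hashes recorded at acquisition time let an examiner show later that the working copy is still identical to the original.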
No matter how knowledgeable or credentialed information technology (IT) staff may be, they should not be relied on to preserve or collect digital evidence. Their well-meaning expertise does not necessarily apply to a litigation context and can result in spoliation and loss of evidence, thereby exposing legal counsel to liability.
We worked on a case in which opposing counsel retained as its preservation experts the IT support team of a big-box retailer rather than forensic professionals. When the time came for the opposing side to produce responsive items, they could not provide a properly preserved copy, and their selected vendor could not provide any additional e-Discovery assistance. Needless to say, the court was unsympathetic.
Assume You Cannot Recover Data from a Broken or Mangled Device
People often assume that a laptop and its hard drive are the same thing. Nothing can be further from the truth.
A computer’s hard drive is comparable to an airplane’s black box flight recorder in that it captures and saves data in real time and is constructed to withstand a significant amount of physical shock and adverse conditions. It is, in fact, possible to recover data from a hard drive, even when an individual who is required to produce a laptop throws it to the ground in an attempt to thwart a forensic investigation.
Fail to Review a Storage Device Before Producing it to Opposing Side
Take special precautions when providing opposing counsel with production on reusable devices, such as USB drives, which may contain previously used data not readable by the average user. Always open the device and carefully double-check that it contains only the files you intend to share, and then compare the contents against a list of inventoried files.
When reusing USB devices, follow a comprehensive data-destruction procedure, which may include steps normally taken when disposing of computers and mobile devices. Better yet, purchase a new drive and avoid the risks of providing opposing counsel with a windfall of responsive documents.
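The comparison of a production drive against an inventory of files can be scripted. This Python sketch is an added example, not the authors' tooling: it hashes every file under a mount point and reports files that are unexpected, missing or altered relative to an inventory of SHA-256 digests. The paths and file contents are constructed. It sees only files the file system exposes, not remnants of deleted data, which is the reason for the data-destruction step or a new drive.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_production(root, inventory):
    """Compare every file under root with inventory {relative_path: sha256}."""
    found = {}
    for folder, _dirs, files in os.walk(root):  # includes hidden dotfiles
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    return {
        "unexpected": sorted(set(found) - set(inventory)),
        "missing": sorted(set(inventory) - set(found)),
        "altered": sorted(p for p in found
                          if p in inventory and found[p] != inventory[p]),
    }

def demo():
    """Constructed drive: one listed file, one changed file, one stray leftover."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "production"))
        samples = {"production/exhibit_a.pdf": b"exhibit A",
                   "production/exhibit_b.pdf": b"exhibit B (edited)",
                   "old_client_notes.docx": b"left over from earlier use"}
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        inventory = {
            "production/exhibit_a.pdf": hashlib.sha256(b"exhibit A").hexdigest(),
            "production/exhibit_b.pdf": hashlib.sha256(b"exhibit B").hexdigest(),
            "production/exhibit_c.pdf": hashlib.sha256(b"exhibit C").hexdigest(),
        }
        return audit_production(root, inventory)

if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Any entry under "unexpected" is a file that would have gone to opposing counsel without being on the inventory.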
Neglect Cloud-Based Sources of Data Storage and Retention
Most everything that consumers use or save on their computers or mobile devices, from documents and photos to emails and social media posts, is backed up into the cloud. Even when users delete files from their devices, copies often remain in the cloud. As a result, legal counsel should identify and address cloud-storage and data backup platform providers with the same level of urgency that they pay to computers, USB drives, and phones. This may involve sending timely litigation hold (preservation) letters to platform providers. While these data repositories do not store items for an unlimited period of time, it is possible to recover deleted versions of documents and files from sources that include OneDrive, Dropbox, Google Docs and Word Online.
A lot can go wrong during a computer forensic investigation. However, legal counsel has the ability to minimize these risks and proactively preserve digital evidence, especially when they work with forensic investigators early on in the planning process.
The professionals with Berkowitz Pollack Brant’s Forensic and Advisory Services have deep experience analyzing large quantities of data to uncover a trail of financial facts in a range of complex matters involving divorce and family disputes, complex business litigation and business disputes, bankruptcy and reorganization, and claims of fraud brought by corporations and governmental regulatory agencies.
About the Authors: Martin Prinsloo, CFE, CISA, CITP, CFF; is an associate director with Berkowitz Pollack Brant’s Forensic and Advisory Services practice, where Gabriel Campos is a manager of forensic technology. They can be reached at the CPA firm’s Miami office at (305) 379-7000, or via email at firstname.lastname@example.org.