5870 West Jefferson Blvd., Suite A
Los Angeles, CA 90016
Tel: 310.815.8855
Fax: 310.815.8808
info@OnlineSecurity.com
© 2012 Online Security
All rights reserved.
5 Common Mistakes in Computer Forensics
Forum | Posted: 06/25/2003
The statistics are familiar: 70% of all corporate data is stored electronically, 93% of new data is stored electronically, and approximately 75% of this information is never printed. Consequently, in almost every legal matter, critical and relevant evidence will be stored electronically. Proper collection and examination of this evidence is critical to avoid spoliation, to preserve the evidence, and to manage cost. Computer forensics is the methodology that ensures electronic evidence is properly handled so that it maintains its evidentiary status. Nevertheless, for most attorneys computer forensics is still a relatively nascent discipline, and because they can be unfamiliar with the nuances of the field, they may be prone to procedural mistakes that can be quite costly.
This article discusses five costly procedural mistakes that are most commonly committed by attorneys of all levels of expertise when conducting computer forensics investigations.
Mistake #1 - Using the internal IT staff to conduct a computer forensics investigation
A client has data on a computer that they believe will be important to their case, and they have given their attorneys access to the computer. The attorneys ask their IT technician to go with the client and print, download, and/or save the data to portable media. The technician goes to the client site, turns on the computer, opens the files, prints the data, and saves the data on a CD. At this point everything appears great: the data has been collected and costs have been kept to a minimum.
Appearances can be deceptive. At this point the situation is certainly not great, and in many ways it is quite bad. First, all you have is information and data; there is no evidence. Unless your IT staff is specifically trained (and very few are) in evidentiary procedures, they have not maintained chain of custody or followed other accepted evidence-handling techniques. Second, even if proper evidence-handling techniques have been used, the collection process itself has altered, and likely tainted, the data collected. By opening, printing, and saving files, the meta-data has been irrevocably changed. Third, turning on the computer changes caches, temporary files, and file slack space which, along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was on the computer.
Depending on the damage done by the internal IT staff, a skilled computer forensics vendor may be able to salvage the damaged evidence. This, however, can be an arduous and time-consuming process which often costs several times more than the original analysis would have cost. Even so, it is not always possible to restore evidence, especially meta-data timelines, from computers that have been mishandled. This creates a risk of professional malpractice for a law firm that elected to use internal IT resources rather than trained computer forensics experts for the investigation. Thus, a good rule of thumb is to always use a qualified external vendor for computer evidence collection.
Mistake #2 - Waiting until the last minute to perform computer forensics
As litigation can often be extremely expensive, it is not uncommon for opposing sides to agree to settle a matter rather than bear the full costs of litigation. Consequently, until a matter actually reaches the court (and sometimes even after that point), there can be great uncertainty as to how far a matter will be pursued. Therefore, it is not unusual, and not necessarily imprudent, for attorneys to delay or defer expensive litigation support services until they can be absolutely certain that these services will be required. This approach sometimes requires the client to pay a premium for last-minute or overtime services. However, this approach generally reduces the client's total legal costs.
Computer forensics, however, does not follow this paradigm. Delaying or deferring forensics expenses can not only significantly increase the costs to the client, but may even damage their ability to win the litigation. This is due to the unique nature of electronic evidence.
In general, electronic evidence in the form of undeleted standard user files is fairly robust and stable. Many matters, however, depend on the ability to authenticate user files, reconstruct timelines based on file usage, and recover deleted files. This type of evidence is extremely fragile and naturally degrades over time with computer usage. Unless the evidence has been mishandled or intentionally destroyed, skilled forensics experts can generally, but not always, recover this evidence. Nevertheless, the longer this evidence has been allowed to degrade, the greater the odds that the information is unrecoverable, the more difficult and time-consuming the recovery effort will be, and hence the recovery process may be extremely expensive. Note this additional cost does not include any service premium for short notice.
Given the uncertainty related to settlement versus litigation, it would be inadvisable to perform a complete computer forensics examination in every matter. The nature of forensic collection provides an elegant solution to this quandary. Forensic collection is based on the principle of mirroring, which creates an exact bit-by-bit copy of the electronic media that is protected from further alteration. Thus, collecting evidence from a system preserves a snapshot of that system at that particular moment in time which can be examined later. Compared to forensic examination, the process is relatively simple and inexpensive. Typically, forensic examination costs 3 to 4 times more than forensic collection; complex/deep forensic examination can be as much as or greater than 9 to 10 times more expensive than forensic collection. A good rule of thumb is that if there is a 20% chance that the matter will progress to needing the evidence, the forensic collection should be completed.
Mistake #3 - Too narrowly limiting the scope of computer forensics
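The two points above, that simply opening and re-saving a file destroys its metadata timeline (Mistake #1) and that an early bit-for-bit image with a verified hash preserves a snapshot that can be examined later (Mistake #2), can be shown in a few dozen lines. The script below is an added illustration written for this page; it is not code from the article or from Online Security. It assumes Python 3 and uses a file-level copy to stand in for imaging a whole device (a real acquisition images the entire drive so that filesystem metadata, deleted files and slack space are captured too); the sample document, its 2001 timestamp and the function names are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB pieces so large media never sit in memory


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, custody_log):
    """Copy `source` byte for byte into `image`, hash both sides, lock the image
    read-only and append a chain-of-custody entry. Returns the entry as a dict."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    entry = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of(image),  # re-read from disk, not from memory
    }
    entry["verified"] = entry["source_sha256"] == entry["image_sha256"]
    os.chmod(image, 0o444)  # the snapshot must not change after acquisition
    with open(custody_log, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image, expected_sha256):
    """Later check that the image still matches the hash recorded at acquisition."""
    return sha256_of(image) == expected_sha256


def open_and_resave(path):
    """What the technician in Mistake #1 does: open the file and save it back.
    The bytes are unchanged, but the filesystem now says it was modified today."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Run the whole sequence on a constructed sample file and return a summary."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "contract.doc")  # constructed sample, not real evidence
    image = os.path.join(work, "contract.doc.img")
    log = os.path.join(work, "custody.log")
    with open(source, "wb") as f:
        f.write(b"constructed sample document\n" * 1000)
    # Pretend the file was last modified years ago (constructed timestamp).
    old = int(datetime(2001, 3, 15, tzinfo=timezone.utc).timestamp())
    os.utime(source, (old, old))

    entry = acquire_image(source, image, log)      # early, cheap collection
    mtime_before = os.stat(source).st_mtime
    open_and_resave(source)                        # the mistake: working on the original
    mtime_after = os.stat(source).st_mtime
    return {
        "image_verified": entry["verified"],
        "image_still_intact": verify_image(image, entry["source_sha256"]),
        "original_content_unchanged": sha256_of(source) == entry["source_sha256"],
        "original_mtime_changed": mtime_after != mtime_before,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The summary returned by `demo()` makes the article's point concrete: the original's content hash is identical before and after the technician's visit, so a content-only comparison would say nothing happened, yet its modification time has jumped from 2001 to today and the timeline is gone; the image taken beforehand, locked read-only and tied to a recorded hash, still verifies and can be analysed whenever the matter turns out to need it.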
In a complex matter, it can often be very difficult to know which systems have evidence and which do not. Did the principals use their home computers? Did they use the file servers? Which email servers were involved? Is there data stored offsite or on portable media? One of the most common mistakes, both in investigations and discovery, is too narrowly limiting the scope of computer forensics. There are two principal reasons this occurs. First, it is an attempt to limit costs by limiting computer forensics. Second, the individuals involved do not understand computer systems or forensics well enough to know where to look for evidence; see mistake #5 below.
As a cost mitigation approach, limiting the scope is closely related to mistake #2 above. The outcome is identical. Servers or systems are not initially collected, evidence is later required from them and the cost of forensics increases significantly due to the degraded state of the data. The rule of thumb above applies in this situation too; if there is a 20% chance that evidence from the system will be needed, forensically collect it. Analysis can always be deferred until there is more certainty about its necessity.
Mistake #4 - Not preparing the client to preserve electronic evidence
Given the ubiquitous use of computers and electronic storage of information, any company, regardless of size, should expect and be prepared to preserve electronic evidence. The emerging case law standard is that the duty to preserve electronic evidence begins when the future litigants have a reasonable belief that there may be future litigation. Yet, the majority of corporations do not have a plan in place to respond to a preservation order.
Failure to preserve electronic evidence can be exceedingly costly to a client and by extension their external counsel. In a recent case, a company was fined $1,000,000 and faced courtroom sanctions because while they had instructed employees not to delete files, they neglected to stop the automatic overwriting of backup tapes. The company, in turn, fired their external counsel, and hired a new firm which was able to reduce the fine and mitigate the impact of the sanctions. Nevertheless, this could have all been avoided if the first law firm had properly prepared the client for the preservation order.
As few companies have proactive plans to handle the preservation of electronic evidence, it often falls to outside counsel to advise them on how to respond. Unfortunately, outside counsel is not always well positioned for this role. First, they rarely have sufficient IT knowledge to assess how their client's IT infrastructure relates to and interacts with the preservation order. Second, as illustrated in mistake #1 above, external counsel typically does not have the forensics capabilities necessary to preserve electronic evidence. Nevertheless, a qualified computer forensics team working with the external counsel and the client's IT and legal team can provide the point expertise in electronic evidence to prepare a client to respond to a preservation order. Consequently, even when there is just a "reasonable belief" that there may be litigation, thereby invoking the duty to preserve, it is a good rule of thumb to consult with your qualified computer forensics vendor on proactive electronic evidence preservation.
Mistake #5 - Not selecting a qualified computer forensics partner
If an attorney is seeking to avoid the first four mistakes discussed above, they will have to rely on an external computer forensics provider. As electronic evidence is often critical to the outcome of a dispute, it is essential that one's computer forensics provider be capable and qualified. Selecting the wrong firm could increase costs, lose a case, or even destroy a client relationship. Computer forensics, however, is a new and emerging discipline; there are many companies and individuals offering "computer forensic services." So, what makes a "qualified computer forensics partner?"
The first thing to consider is that computer forensics is more than just using EnCase to collect and analyze evidence. EnCase is a forensic product for the Windows operating system and is an essential and accepted tool for that environment. Nevertheless, many matters require the collection of evidence from UNIX, Macintosh, AS400, or legacy systems which EnCase will not support. A qualified computer forensics vendor must have the capability to work across platforms and with legacy systems. This expertise should also enable them to act as expert witnesses on your or your client's behalf.
The second thing to consider is that your computer forensics vendor needs to be a trusted advisor. They must be able to understand the cost trade-offs associated with late versus early or narrow versus broad forensic collection and analysis. This requires that they have the capability to look beyond the transactional cost of an analysis to the total cost of litigation both for the law firm and the client. Ultimately, this extends to the ability to provide trusted and accurate advice to a client when they receive a preservation order for electronic evidence.
The third thing to consider is that like attorneys or any other professional service, price is not necessarily an adequate metric of quality and service. Inexpensive providers are not necessarily unqualified and expensive providers are not necessarily overpriced. It is essential, therefore, to interview and assess the forensics firms. Here are 6 questions to consider:
- Do they follow accepted protocols and procedures?
- Can they handle the nuances of different systems and hardware?
- Do they know how to balance the cost of early versus late and broad versus narrow forensics collection and analysis?
- Can they advise you and/or your client on discovery and preservation strategies?
- Have they served as expert witnesses?
- Who are their references?
Conclusion
Computer forensics may be an unknown and mysterious discipline to many attorneys, but it is easy to avoid the most common procedural mistakes. First, use a forensics partner and do not rely on the internal IT staff for computer forensics investigations. Second (and third), if there is a 20% chance that evidence from a computer system will be needed, forensically collect the evidence. Forensic analysis can always take place later, but by collecting early and broadly, the total cost of computer forensics is reduced. Fourth, leverage your forensics partner to prepare your clients to respond to electronic evidence preservation orders so that they may avoid fines and sanctions. Finally, choose your forensics vendor carefully, ensuring that they have a breadth of technical knowledge, fully understand electronic evidence, and are highly recommended.