In the age of CSI, many civil litigators are aware that the secrets to unlocking a case may be buried deep within a party's computer, in the form of a deleted file, an incriminating Google search, or tell-tale cookie. But while litigators may be generally aware of the power of computer forensics, they do not always understand how forensic analysis works or when it is appropriate in civil litigation. This article will explain where deleted files and other important types of evidence can be located on a hard drive or mobile device, how forensic analysts actually track down hidden or deleted evidence, and the legal standard for conducting forensic examinations in civil cases.
What is Computer Forensics?
Computer forensics is a branch of computer science that focuses on the retrieval and analysis of data from hard drives and other media that are generally inaccessible to the layperson. One of the most common forensic techniques is "file-carving," which focuses on the identification and recovery of deleted files from a hard drive.
Some background: Computer operating systems typically store data in contiguous clusters on a user's hard drive. When the user deletes a file, the operating system notes on the hard drive that the file is now deleted and no longer accessible to the user. But the data in the file is not permanently deleted from the hard drive until the operating system assigns the clusters to new user-created files, which could be days or even months later. The space on the hard drive where the deleted file formerly resided is referred to as unallocated space. To recover and analyze deleted data that may occupy a hard drive's unallocated space, forensic analysts use very sophisticated tools, such as Encase, Scalpel and Magic Rescue. These tools metaphorically "carve" deleted data from the hard drive.
The power of file-carving was recently demonstrated in the case of the BTK killer in Kansas. Police obtained evidence against the infamous serial killer by checking the metadata of a deleted Microsoft Word file that was recovered from a floppy disk the killer sent to the police. The metadata showed that the document had been accessed by someone named "Dennis," and that the program was used by "Christ Lutheran Church." By searching the Internet for "Dennis Christ Lutheran Church," police were able to identify a suspect who was associated with the church Dennis Rader, who was later arrested and ultimately pled guilty to 10 counts of murder.
File-carving, however, is not the only technique forensic analysts can use to locate potentially relevant evidence. Computer forensics has evolved into a cat-and-mouse game in which rogue employees, corporate thieves and criminals attempt to evade forensic analysis through a range of tricks such as the use of anti-forensic software. Computer forensics, in turn, has responded by developing new software and incorporating new routines in standard analyses to expose these tricks. Summarized below are the more common steps that computer forensic analysts will take to locate potentially relevant evidence.
When the Evidence is Hidden in Plain Sight
One of the simplest ways in which criminals or malicious employees will attempt to hide illicit computer activity is by changing the file extension of important or revealing documents. For example, .xls is the extension for Microsoft Excel. To hide his or her digital footprint, a rogue employee might change the extension of an Excel spreadsheet from .xls to something else that would not be captured in a routine search for all .xls documents. To account for this possibility, forensic analysts will perform "header searches," instead of relying solely on file extensions to identify file type.
Another low-tech way in which criminals or malicious employees may attempt to hide key documents in plain sight is by changing the font size on a document to render it virtually unreadable. (Microsoft Word, for example, will allow you to save a file in 1-point font.) Changing the font color to white is another common way of hiding information within a file. Forensic analysts will take steps to spot these kinds of common tricks.
Encrypting documents that might reveal illegal activity is another common means of evading detection. One of the most important steps that forensic analysts can take is to identify and crack encrypted files. The development of programs such as TrueCrypt, which allow users to hide encrypted files on a hard drive, makes detection of these files more difficult and in some ways even more critical.
The registry on a Windows operating system contains a trove of potentially important information, including a list of all hardware and software loaded onto the system, as well as user preferences. Forensic analysts can review the registry to determine when a flash drive was inserted into a computer, as well as the serial number on the flash drive which can be very useful in uncovering the theft of intellectual property.
Temporary Files, Internet History and Cookies
Forensic analysts will also pay special attention to temporary files, which an operating system creates when a user is working on a particular document. Usually, the system will delete the temporary file once it is saved. But if the file is never saved say, because the user is attempting to cover his or her tracks the temporary file may be valuable evidence of nefarious conduct. Evidence that an employee has backdated a stock option, for example, may exist in such a file.