Computer forensics played a large role in the Casey Anthony trial. Among the forensic tricks that the public learned about from watching the trial was the ability of analysts to recover old Google searches from Internet browsers. Forensic searches of "cookies" tiny text files sent from a website to a user's hard drive can also be used to recreate a user's Internet searching habits.
One of the more recent developments in the ongoing game of forensic evasion is the use of anti-forensic software, often called "wiping" software. Users can deploy this software to erase all forensic evidence of a deleted file from a hard drive. Think of this as the forensic version of nuking a hard drive.
But even this method is not foolproof. Trained computer analysts can sometimes detect the use of anti-forensic software (which can itself be strong evidence of computer theft) because malicious employees or criminals forget to delete the software itself from the system. The wiping software can also leave a digital signature that forensic analysts can sometimes detect.
Advanced computer forensic analysis incorporates many other routines. Without going into detail, examples include analysis of volatile data, such as RAM, pattern and activity analysis (which analyzes server logs to detect incriminating patterns of user activity) and the use of Shellbags, a Microsoft registry program that caches the file names on a device plugged into the computer. Suffice to say, if data existed at one time on a hard drive, there is a good chance that a trained forensic analyst will be able to recover it, at least in part.
When is Forensic Analysis Appropriate in Civil Litigation?
As exciting and potentially revealing as computer forensics may be, it is an expensive and intrusive process. To conduct forensic examinations, a party must take a forensic image of the hard drive, capturing the slack and unallocated space (this is often called a bit-by-bit image), and then hand the image over to forensic analysts to poke and probe their way through the digital artifacts. Of course, for every piece of potentially relevant information an analyst may uncover, there are many more irrelevant ones to say nothing of the private or potentially privileged documents that may be swept into the forensic dragnet.
For this reason, most courts take the view that a party in civil litigation is not generally entitled to a forensic examination. This position is echoed in the Sedona Principles, a leading treatise on electronic discovery often relied upon by state and federal courts. But that is not to say that forensic examinations are never appropriate. Most courts will permit a forensic examination upon a showing of special need.
Oftentimes, this burden can be met where there is evidence that a company or employee has purposefully deleted electronic documents. In such a case, forensic examination may be the only way to recover potentially relevant evidence. Sometimes the accidental deletion of electronic documents can be sufficient to trigger forensic examination, particularly if the deleted files are central to the litigation.
Forensic examinations are often ordered (or sometimes agreed to by the parties) when there is a specific allegation of employee wrongdoing. Cases involving misappropriation of trade secrets, for example, often hinge on forensic examinations. In these cases, side-switching employees are alleged to have stolen proprietary files from one company and smuggled them to their new employer. Plaintiffs in such cases will typically demand forensic examination of the employee's old computer as well as his or her new computer to locate evidence of data theft.
Other cases that may justify forensic examination include those where allegations of document shredding are central, as well as cases involving the alleged manipulation of data, document backdating, improper communications or suppression of negative information (such as bad clinical trial results).
Litigators who must comply with a court-ordered or agreed-upon forensic examination should take care to ensure that protocols are established to review potentially privileged documents, as well as confidential or private information. The use of clawback agreements, protective orders and the negotiation of search terms is a standard feature of negotiations concerning forensic examinations.
Civil litigators considering a potential forensic examination should know that there is a potential gold mine of evidence that can be retrieved from a hard drive or mobile device. But forensic examinations are expensive, highly intrusive and can end up being a wild goose chase, so choose your battles wisely. Understanding the basics of computer forensic analysis can help litigators articulate a reasonable basis for a forensic examination or defend against one.
Philip N. Yannella is a partner in the litigation department and practice leader of the e-discovery and data management group at Ballard Spahr. He is also a member of the consumer financial services, commercial litigation and product liability and mass tort groups. He manages e-discovery issues in high-profile litigation, counseling clients worldwide on data preservation, retrieval and privacy matters. He has significant experience representing Fortune 500 companies on e-discovery and data management issues in bet-the-company litigation.