Why do people who know better than to traipse through crime scenes blithely muck about with digital smoking guns? With computers, it seems we must trip over the corpus delicti and grab the knife before we realize we’re standing in a pool of blood!
Sometimes a computer holds evidence, and sometimes a computer is evidence. It’s a distinction with a difference when deciding whether to act in ways that will stomp on data essential to computer forensic examination.
In most e-discovery efforts, computers are just digital file cabinets, and the evidence is the e-mail and files stored within. Just as paper records require a modicum of care to avoid ripping and staining, digital documents require preservation of basic metadata akin to date stamps and margin notes on paper documents. But, we needn’t go to extraordinary lengths to protect this information. It’s either embedded in the files and e-mail messages as application metadata, or stored by the operating system as accessible system metadata — such as file names, folder locations and the dates files were created, modified and accessed. We use such stuff every day, so preserving it isn’t rocket science and needn’t be expensive or cumbersome.
But computers aren’t always simply repositories of evidence. They may be the instrumentalities of a crime, tort or conduct under investigation, or carry clues to the origins and integrity of suspect electronic evidence. In these instances, the computers, too, are evidence — virtual crime scenes where careless conduct compromises outcomes and diligence demands scrupulous protection and analysis of the revealing, complex and obscure data about data they hold. Now, we do have to go to extraordinary lengths to protect the information.
In civil litigation, computer forensic examiners often see the evidence only after some well-meaning soul has poked around and unwittingly changed last access dates and registry values. That’s the trade-off: Without that first look, the misconduct might have been discovered too late or overlooked altogether.
There’s precedent for this in other forensics work. If a victim might still have a pulse, good Samaritans and EMTs are coming through, fingerprints, fibers and DNA be damned.
Crime scene investigation offers another parallel, this one worth emulating for digital evidence. Some crimes — e.g., murder, sexual assault, kidnapping — are so heinous that bringing in the CSI is standard practice, and first responders know they must secure these scenes.
Likewise, some situations in civil practice are so likely to be bound up with electronic evidence requiring computer forensics that improvident metadata mauling could easily be avoided by applying the following rule of thumb:
Before allowing anyone untrained in digital forensics to access a computer that may be evidence, consider:
• Does the computer’s user occupy so crucial a position that an accusation of data tampering or destruction could hurt the company?
• Is the user suspected of stealing trade secrets, or poaching customers or employees?
• Is a suspected forged computer-generated document or communication involved?
• Does inappropriate e-mail or Internet use figure into the suspected misconduct?
• Did a departing employee bring a personal laptop, external hard drive or thumb drive to work?
• Did the size of the user’s server e-mail stores suddenly and significantly diminish, or are messages believed to be missing from the user’s server stores?
• Do server logs or indicators reflect atypical access to data areas?
• Has the user been notably secretive using company computers or been observed using other users’ machines without permission?
• Has the user recently requested that IT reinstall the operating system on his or her machine?
• Has the user asked about data destruction techniques, or been observed with wiping software?
I’ve heard lawyers claim, “Metadata doesn’t matter.” Their myopic view stops at application metadata; that is, tracked changes, embedded commentary and other potentially privileged or prejudicial information they fear opponents will dredge up. But in many cases — especially those involving allegations of data theft — it’s the system metadata, particularly the file dates and paths, that matter most. And it’s the system metadata that eager explorers fail to protect.
When you open or even preview a file, you alter its last access date and make it harder for forensic examiners to assess what previous users have done, and when. When you copy a file, it typically changes the creation date on the copy. When you save a file — even without making apparent changes — you alter its last modified date. Because it’s easy to copy the contents of huge folders or trigger antivirus applications that “touch” every file, even brief, well-intentioned peeks wreak havoc with thousands of files.
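To make the timestamp behaviour described above concrete, here is an added Python example (not from the article) that back-dates a constructed sample file, then reads it, copies it carelessly, copies it with metadata preserved, and re-saves identical bytes, reporting which timestamps survived each step. The file names and the 2020 timestamp are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample timestamp: 2020-09-13T12:26:40Z, well in the past so that
# any careless operation that stamps "now" onto a file is easy to spot.
PAST = 1_600_000_000

def stamps(path):
    """Return (atime, mtime) as integers; creation/ctime semantics differ by OS,
    so they are left out to keep the demonstration portable."""
    st = os.stat(path)
    return int(st.st_atime), int(st.st_mtime)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def preservation_demo():
    """Read, copy and re-save a constructed file; report which timestamps survived."""
    with tempfile.TemporaryDirectory() as d:
        orig = Path(d) / "memo.txt"
        orig.write_bytes(b"constructed sample document")
        os.utime(orig, (PAST, PAST))  # back-date last access and last modified
        # 1. Merely reading the file: whether atime moves depends on the mount
        #    options (noatime/relatime on Linux, NTFS settings on Windows), so the
        #    result is reported rather than assumed.
        orig.read_bytes()
        read_moved_atime = stamps(orig)[0] != PAST
        # 2. Careless copy: bytes are identical, but the copy is stamped "now".
        plain = Path(d) / "memo_copy.txt"
        shutil.copy(orig, plain)
        # 3. Metadata-preserving copy: atime and mtime are carried across.
        kept = Path(d) / "memo_copy2.txt"
        shutil.copy2(orig, kept)
        # 4. Re-saving unchanged content still rewrites last modified.
        resaved = Path(d) / "memo_resaved.txt"
        shutil.copy2(orig, resaved)
        resaved.write_bytes(resaved.read_bytes())
        return {
            "read_moved_atime": read_moved_atime,
            "original_mtime": stamps(orig)[1],
            "plain_copy_mtime": stamps(plain)[1],
            "preserving_copy_mtime": stamps(kept)[1],
            "resaved_mtime": stamps(resaved)[1],
            "content_identical": len({sha256(p) for p in (orig, plain, kept, resaved)}) == 1,
        }
```

The content hashes match across all four files while the plain copy and the re-saved file carry fresh modification times, which is exactly the gap a forensic examiner is left to explain after a well-meaning peek.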
Messing with system metadata isn’t just a concern for computer forensics. We also depend on file names, dates and folder structures to search, sort and make sense of electronically stored information in e-discovery.
Making it harder to use electronic evidence is less egregious than destroying the evidence, but both bad outcomes can be avoided by resisting the impulse to poke around.
“Write protecting” a drive to safeguard metadata isn’t difficult, and tools run from free to a couple of hundred dollars.
If the IT person or your EDD service provider needs to look at electronic evidence, be sure they have the tools and know-how to protect it; and where computer forensic examination is foreseeable, treat the computer like evidence at a crime scene and call in the pros.
This article originally appeared in Law Technology News, a Legal affiliate based in New York.
Craig Ball is a trial lawyer and computer forensics/EDD special master in Austin, Texas.