Thank you for sharing!

Your article was successfully shared with the contacts you provided.
It’s no secret that care needs to be taken in preserving electronic data during the discovery process. However, there are a number of steps that attorneys can take to ensure that such data will be admissible. It is critical to remember that computer evidence is fragile and can easily and unintentionally be altered or destroyed. In many cases, attorneys will turn to forensics specialists to process computer evidence, because it is at this stage that crucial evidence can be compromised, irreversibly damaged or lost. Trained experts both discover and document computer evidence using forensic software tools and evidence processing procedures. Both phases of the process are equally important to allow evidence to hold up in court. What follows is a list of some common mistakes that attorneys want to avoid to ensure that electronic evidence remains admissible. Mistake #1: Running the computer. The first rule is to never run any programs on the computer in question without taking precautions, such as write-protecting the system or making a system backup. Also, do not boot or run the computer in question using its existing operating system. The mere act of starting up a computer will destroy vital evidence. It is better to work from an exact copy of that drive, running on a specially configured machine that will not modify the data on the drive. Once data and/or programs have been destroyed, it becomes difficult to ever substantiate that the computer contained pertinent evidence, and may indeed result in charging the attorney with negligence in processing of the computer evidence. Mistake #2: Getting help from the computer owner/user. It is potentially a serious mistake to allow the owner/user of the computer to help the attorney operate the equipment in question. In a recent case, the defendant was asked to answer questions about the computer evidence and was allowed access to the seized computer in the process. He later bragged to his buddies that he had encrypted relevant files “right under everyone’s noses” without their knowledge. But, because the forensics specialists had made a bit stream backup of the computer before giving the defendant access to it, his destructive act became yet another nail in the coffin at trial. Mistake #3: Not taking precautions in the transport of computer evidence. We’ve said it before; computer evidence is fragile. Heat and magnetic fields can quickly destroy or alter it. Avoid exposing hardware or software containing potential evidence to extreme heat (such as in a car trunk during the summer) or placing it near high concentrations of radio frequency or other electronic or magnetic fields, such as radio transmitters or linear amplifiers. It is also imperative to remove batteries from portable devices, protect all equipment from jarring and vibration and, most important, don’t allow it to be dropped. If the attorney for the defense can show negligence in storing or transporting the computer equipment, the case may be in jeopardy. Mistake #4: Running Windows to view and examine files. The Windows swap file can be a valuable source of data fragments, passwords and network log-ons. Running Windows is quite invasive to hard drive files and, in fact, it not only destroys evidence that exists in the swap file, but much of the hard drive will be modified, as well. Furthermore, running Netscape or other Internet browsers can destroy or modify evidence stored in the form of bookmarks, graphic files and/or cache files. Running Windows to perform specific functions should be executed only as a last resort and after the drive has been imaged, processed and analyzed for potential data fragment evidence. ADVISING YOUR CLIENT When preparing to advise a client, determine if their organization has a corporate policy regarding the search of employee computers. Such a policy will act as a framework for the direction you provide for the client. If such a policy is not in place, the attorney must consult with the client to determine the appropriate course of action and assess the feasibility of establishing an interim policy before a computer can be searched. And in a case where your client has terminated an employee, advise the client to create a hard drive bit stream image that can be used at a later date as protection against a wrongful dismissal/discrimination lawsuit. To avoid the mistakes outlined above, an attorney’s best ally is knowledge. Because technology changes so rapidly, attorneys are obliged to stay abreast of the computer forensics field. Taking training or informational courses about computer forensics and the process of electronic discovery will allow for informed decision-making and provide attorneys with the information they need to advise the client. Such information will relate to processing computer systems and computer storage media used by a former employee for documents, e-mail, Internet browsing and messages related to corporate policy infractions. The attorney will need to advise the client about how to: � Quantify and date patterns of policy-violating activities through time-line analysis of computer activity, file creation, file accesses and file deletion. � Identify deliberate attempts to steal, damage or destroy computer related information. � Validate management actions and disprove “conspiracy theory” allegations by former employees. � Identify and document communications between employees in planning to set up a competing business and in the theft of trade secrets from the employer. ENSURING ADMISSIBILITY Maintaining the admissibility of evidence hinges on the steps that are taken to obtain it. This cannot be stressed enough: Attorneys must not take a step toward searching for electronic evidence without a clear plan, and they must have confidence that every action enacted to gain evidence will hold up in court. Electronic evidence, like paper evidence, should be stored in a highly secure location. It is also wise for the attorney to create photo documentation of the computer in question. Photograph all angles, and label wires to document the system’s hardware components and how they are connected. To guarantee the preservation of the best evidence, a mirror image backup (exact copy, down to the last bit of data) of a hard disk drive and other computer storage devices such as floppy and zip disks and CD-ROMs must be created. Doing so eliminates the need for making “best guesses” later on. However, as noted previously, it’s easy to make a mistake when running the computer. If the attorney is not confident about how to perform an accurate backup, this may be a juncture in which an expert should be called in. Before beginning a search of the computer in question, work with the client to create a list of key search words related to the suspected infringement. As the search is conducted, these key words will point to “red flag” URLs, e-mail messages, ICQ messages and other files. Leave no stone unturned in the search; evaluate all data from e-mail files, Internet use, Windows swap files, file slack and other unallocated space. And identify any file, program and storage anomalies. Once questionable use or sites are discovered, investigate further to determine the frequency with which these sites were visited or how often and how many e-mails were sent to particular individuals. Accurately documenting all findings and anomalies will strengthen the admissibility of the evidence and ensure a consistent and precise illustration of the alleged infringement. EVIDENCE MAKES THE CASE The best way to examine the strength of electronic evidence is to review actual cases. In one case, a woman employed by a defense contractor accused her supervisor of sexual harassment. Shortly after, she was fired on the basis of “poor performance.” She proceeded to sue her former employer and the ex-boss. The woman’s attorney called in computer forensic experts to help gain evidence against the ex-boss. Through a careful computer search and recovery of electronic messages, it was discovered that the ex-boss had a history of propositioning women for “special favors.” The evidence was hard, accurate and indisputable. The electronic evidence eliminated the subjective human factor and objectively presented the facts that led to the woman being reinstated and her ex-boss terminated. Another common infringement — visiting pornographic Internet sites on the job — was the subject of a wrongful dismissal claim. The attorney brought the claim on behalf of the employee, alleging he was unfairly terminated because the executive who fired him was also browsing inappropriate sites at work. Again, the attorney’s plan for discovery included the use of experts to thoroughly unearth supporting evidence for the client. By so doing, further allegations surfaced to substantiate the claim about the executive, plus evidence revealing the executive was also misappropriating company funds and resources. Through Internet investigations and computer forensics techniques, the allegations could be factually documented and the focus of the investigation shifted toward the executive. In the final analysis, attorneys will need to conduct discovery for electronic evidence. By obtaining the proper training and knowing when to rely on experts, attorneys will be able to avoid unfortunate mistakes, provide the best advice to their clients and, most important, gain greater assurance that evidence will remain admissible. Curt Bryson is a computer forensics and Internet investigations consultant for New Technologies Inc. (NTI), a Gresham, Ore.-based computer forensics and risk management company.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.