The business and legal communities have become well aware that computers can contain evidence of significant — sometimes overwhelming — importance. Whether it’s in the form of files (documents, spreadsheets, images, etc.) or data recovered from erased files, operating system-created files, or “slack space” (supposedly unused space at the end of a file), electronic evidence cannot be ignored.

But computers are not the only form of electronic evidence that businesses should think about when evaluating what evidence should be produced or requested in a particular case. A number of other “e-evidence” sources leave trails of data that can protect or damage your company — yet are often overlooked by corporate counsel, IT managers and executive management.

E-evidence provides insight into what events transpired, who was involved and when things happened. Computer records can be decisive, or at least helpful in many cases, but they are not the whole story.

A recent case provides an almost textbook example of the breadth and depth of a more comprehensive investigation for e-evidence. In this incident, the computer-based evidence revealed that a serious act of computer sabotage originated at a specific workstation at a specific time. The suspect employee whose workstation was under investigation claimed to have been taking a cigarette break outside the building at that time, but had left the computer logged in, so anyone could have entered the destructive codes. The computer log files relied on in this case could not absolutely tie this person — or anyone else, for that matter — to the deliberate destruction of several major systems. So we looked for collateral electronic evidence.

Crucial evidence was found in three places:

• The building access control system showed that the access card assigned to the suspect employee was used to enter the work area containing that person’s cubicle three minutes before the destructive codes were entered into the computer.
• The building security surveillance system showed the suspect entering the building five minutes before the incident occurred. And the employee was not visible in any of the designated smoking areas at the time of the act of sabotage.
• A check of the telephone system revealed that the telephone at the suspect’s desk was in use at the time of the incident, and that at the time the destructive codes were entered, someone had dialed the unlisted phone number of the suspect’s mother.

Here are the opportunities and problems associated with using these systems as electronic evidence sources.

A large percentage of corporations, both large and small, have installed access control systems to regulate who can enter various areas of the building. Most often, these take the form of cards issued to employees (and other authorized persons) and a set of card readers. The card readers can require that a card be placed into a slot, run through a magnetic stripe reader, or simply be held near the reader. In some higher-security offices, the person may also have to enter a pass code on a keyboard. If the person is authorized, the door is opened or a turnstile is unlocked.

Access control systems have the capability of keeping track of building access in a log file — but that file must be turned on in order for a trail of data to be preserved. In most systems, this is a file that records the card number (and often the name of the person to whom the card is assigned), the date and time of entry, and the number (or location) of the accessed reader. In other cases, the log may be printed on a continuous stream of paper.

One obstacle in using this evidence is that access control log files have a short life span. Most companies retain these records for only a short period of time. When litigation arises, corporate counsel need to think both offensively and defensively about managing electronic evidence.
Preservation memos should be sent to all employees who have potentially relevant data, specifically identifying each type of system records that may have relevance to the case. Monitoring preservation compliance is extremely important in avoiding spoliation sanctions.

In-house counsel may want to work with outside counsel in acquiring more information about the opponent’s electronic data through a combination of interrogatories, requests for documents, and depositions. A request for “all electronic data” will likely result in an objection based on burden or expense. Therefore, discovery requests should be narrowly drawn, limiting the media type, time and scope to data with potentially relevant information.

Observation can go a long way. Visiting the premises should reveal whether there is an access control system and whether there may be cameras videotaping activity in the lobby or other areas. Visual clues can provide insight into other sources of evidence, such as how many employees have computers located at their desks, how savvy the company’s IT infrastructure is, which employees have access to the company’s server room, etc. Answers to these questions might help in drafting more specific discovery requests and depositions.

SECURITY TV CAMERA SYSTEMS

Where closed-circuit camera systems exist, they may be recorded either on a continuous tape basis or on a time-lapse basis. While new systems exist that can record video images directly to computer hard drives, most businesses use special time-lapse machines that can record up to 10 days of images on a single videotape cassette. In many cases, the company will cycle through several tapes, while in other situations, the same tape is reused over and over. Again, if there is potentially useful evidence on a business’s TV system, counsel will have to take quick action to prevent tapes from being reused or erased.
TELEPHONE SYSTEM RECORDS

Company telephone systems (also called switches) generally have the capability to keep a record of every call dialed, and in some cases, the time and duration of each inbound call. Not all companies utilize their phone logs (sometimes called the Station Detail Message Facility), and like other forms of e-evidence, most organizations keep phone logs for only a limited time. This is another situation in which preservation notices, interrogatories, document requests and depositions of information technology directors will help pull the e-evidence puzzle pieces together.

The various systems that may contain e-evidence — computer servers, PCs, cell phones, PDAs, access control systems, closed-circuit TV systems and telephone systems — all have clocks to track the time that files are created or deleted, doors opened, phone calls made, messages sent, etc. These time-tracking devices are inherently important in computer forensic investigations, but may be challenged in court if their reliability and accuracy cannot be proven.

While the importance of timekeeping is growing, most of the clocks associated with electronic devices are not perfect. They may have been set to an incorrect time. They may not keep time correctly. They are most likely not coordinated. It is absolutely vital to consider any errors that exist in clocks that are relevant to the investigation.

Here are procedures for finding out the exact time and checking the accuracy of the suspect clocks:

1. If a laptop computer is available, go to www.time.gov and select your time zone. A small JavaScript application will be loaded into your computer that will display the time, derived from an atomic clock time standard, which will be accurate within a few tenths of a second.
2. Take your laptop to each of the systems you are timing. Compare the time shown on the access control system, phone system, videotaping system or computers to the time shown on your laptop. Record the difference.
For example, you may note that when the access control system indicates that it is 11:43:00 a.m., the laptop indicates that it is really 11:41:30 a.m. The access control system clock is 90 seconds fast.
3. Use the correction factors to adjust the times recorded on the devices. For example, if the access control system log indicates that an entry was made at 3:41:13 p.m., applying the correction factor of 90 seconds results in an actual time of 3:39:43 p.m.
4. If you don’t have a laptop that can access the Internet, you can call the local phone company or the National Institute of Standards and Technology to determine the correct time (www.boulder.nist.gov/timefreq/stations/sig.html). Then, proceed as above.

Today, e-discovery and computer forensics have become commonplace in a corporate counsel’s vocabulary. However, companies of all sizes need to consider other forms of electronic evidence that could be used against them, or that they could use against an employee suspected of wrongdoing. Access systems, video monitoring systems, and phone logs all track data that could be crucial to an investigation or lawsuit.

As technology continues to advance, other vital sources of electronic evidence will develop. No longer can an investigation be limited to an employee’s filing cabinet or PC. Instead, corporations and their counsel must keep looking outside the computer box.

Kristin M. Nimsger is the product line manager of the Electronic Evidence Services business unit of Kroll Ontrack Inc. Alan E. Brill, CISSP, CFE, is senior managing director of Kroll Technology Services Group. Kroll Ontrack Inc. provides data recovery and electronic evidence services to corporations, law firms, federal agencies and individuals.
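
The clock-correction procedure in steps 1 to 4 above, applied to several systems at once, as an added example that is not part of the original article: each device timestamp is shifted by that device's measured clock error and the events are merged into one timeline. The 90-second access-control error is the article's figure; the other two errors, the date, the source names and the log records are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Seconds each device clock runs ahead of the reference clock (negative = behind).
# 90 is the article's access-control figure; the other two are constructed.
CLOCK_ERROR_S = {"access_control": 90, "phone_switch": -25, "workstation": 12}

# Constructed records: (source, time as logged by that device, event).
RAW_EVENTS = [
    ("phone_switch", "2004-03-02 15:41:05", "desk extension: outbound call starts"),
    ("access_control", "2004-03-02 15:41:13", "card read at work-area door"),
    ("workstation", "2004-03-02 15:42:55", "destructive commands entered"),
]


def corrected(source, logged):
    """Return reference time for a device timestamp; fail on an unmeasured clock."""
    if source not in CLOCK_ERROR_S:
        raise KeyError(f"no measured clock error for {source!r}")
    return datetime.strptime(logged, FMT) - timedelta(seconds=CLOCK_ERROR_S[source])


def build_timeline(events):
    """Sort events by corrected time, keeping the logged value for the record."""
    rows = [(corrected(src, ts), src, ts, what) for src, ts, what in events]
    return sorted(rows, key=lambda r: r[0])


def seconds_between(timeline, first_source, second_source):
    """Corrected gap in seconds between the first event of each source."""
    when = {}
    for t, src, _, _ in timeline:
        when.setdefault(src, t)
    return (when[second_source] - when[first_source]).total_seconds()


if __name__ == "__main__":
    for t, src, logged, what in build_timeline(RAW_EVENTS):
        print(f"{t:%H:%M:%S}  (logged {logged[11:]} by {src})  {what}")
```

In this constructed data the raw logs place the desk phone call before the door entry; after correction the card read comes first and precedes the workstation event by three minutes.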

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.