The situations when a company usually needs a computer forensics analyst involve people as much as computers. Well before a lawsuit is filed, you must often make decisions on how to deal with situations involving employees. Notification from a competitor that your new employees are accused of taking proprietary data or receiving a visit by law enforcement concerning employee misconduct are situations where you must carefully consider what your next steps should be. It is always most cost-effective to take action early to understand your company’s exposure and, at a minimum, preserve the right data.
I am often approached by employers on the plaintiff’s side of situations involving the theft of proprietary data. Evaluating the scope of the data theft right away will help in negotiating with the opposition or in preparing your case. Engaging a computer forensics expert early in a matter will help you identify, preserve and interrogate the right data.
Calling a computer forensics expert early does not mean that the clock on billable hours should start ticking away unchecked. Often in the early stages of an engagement, the scope of work done by your forensics expert can be limited to a small window of time for simply determining what systems are relevant, how best to preserve them and what analysis or ESI processing might need to occur down the road. In a recent engagement, simply taking custody of the hard drive from the system of a terminated employee was enough. Knowing we could perform the forensic image backup and analysis later gave the company’s counsel an option to keep in her back pocket when negotiating with the terminated employee. The situation was resolved with very little time and money having been committed to reviewing the computer.
Another common situation is evaluating data on legacy devices, such as backup tapes. Efficiently obtaining information on the contents of hundreds of backup tapes or assisting in your negotiation of reasonable review protocols of nonstandard data sets are other tasks for your forensic consultant. Working out the technical and practical aspects of an inspection protocol with an opposing expert will save time and money. Many times in my career, attorneys have written instructions which were less than ideal from a technical point of view. Having your computer forensics expert in on a scoping call with your opposition may help you negotiate an efficient and effective inspection protocol. Other considerations such as preserving mobile device data or dealing with device or file encryption are among the challenges your forensics expert will help you deal with during prelitigation investigations or in discovery projects.
For systems that are in service, that is, the laptops, desktops, servers and other devices your company’s employees are using now, incorporating your computer forensics expert in the legal hold process will help you identify and prioritize preservation of data sources. Also, investing some time in interviewing IT administrators and important custodians will also ensure you are aware of how legal hold instructions are being carried out. Your computer forensics expert can provide an experienced eye to supervise non-lawyers performing important discovery tasks. Auditing the legal hold process and documenting systems and data sources give you additional tools to respond with when attacks are made on your preservation steps and for ensuring the legal hold process was effective.
I have often worked in enterprise IT environments, first as a federal agent, one of the guys with the blue jacket with large yellow letters stenciled on the back, and later as a computer forensics consultant in hundreds of civil litigation cases. I have rarely entered an IT department and found technical staff not juggling projects, user requests and urgent operational issues. This is while also attempting to attend to discovery requests. You also have to consider whether your star IT administrator is the person you want to turn into your star witness. If the stakes of a case warrant it, remember that your forensics consultant will have experience in testimony on information systems and will not open up vulnerability in other issues the opposition may choose to probe.
Although having your computer forensics expert involved early is important, that person’s contribution will normally extend through the life of a matter. Forensic analysis that is integrated with the work being done by your case team may contribute to the success of the matter. I have found that often discovery and forensic analysis are seen as separate processes. However, your case team has the best grasp of issues as they prosecute your case. It is important that your computer forensics expert work closely with the case team and apply the case team’s insight from what is learned during document review to the other data and artifacts that do not make it into a legal review database. Reviewing Internet browser history, determining if removable media was used, recovering deleted data fragments, and performing analysis of mobile device data can be coordinated with the case team to pin down issues revolving around the transfer of hot documents or to show when key files were altered or deleted. Often the timing of activity on computer devices becomes very important, and the analysis your computer forensics expert provides to augment the document review by the case team uncovers additional relevant evidence. Depending on the stakes of a case, regular conference calls or meetings to coordinate forensic analysis with the documents review will yield results.
A key to staying within your case budget is to work closely with your computer forensics expert to stage and scope forensic analysis work to get the most effective analysis without unnecessarily running up the tab.