Computer Forensics In Business Litigation – Ask The Expert

Many business litigation cases require experts in various fields.  I am going to feature experts on this blog in an "ask the expert" series of interviews.  Disclaimer:  I am not endorsing any experts that I feature on this blog or the opinions expressed.  I am posting these interviews to offer my readers some insights from the various professionals that get involved with business litigation cases.

Monique Ferraro is an expert in computer forensics and the principal of Technology Forensics, LLC.  She is also an attorney. The following is my recent interview with Monique. 

Q: What issues do you see in business disputes involving computer forensics?

A: Mostly, we see parties seeking email and deleted email. Increasingly, lawyers are asking for email and all electronically stored information containing metadata in their discovery requests. When they don’t get what they asked for initially, or if the party is not able to produce the information on their own, they call us. We figure out the best way to obtain the information requested without disrupting the business process while maintaining the integrity of the potential evidence and providing a solid chain of custody.

As far as the types of cases, we see computer forensics being requested in every type of litigation, from contract disputes to debt collection, employment litigation and even motor vehicle accidents.

Q: Many people think that when they delete computer docs and emails, they're deleted. In layman's terms, what really happens to them? Can they be recovered?

A: It’s important to remember that computers were designed by engineers, not lawyers. Lawyers are concerned with precision of language. If you say you deleted something, then you deleted something. It’s gone. Unrecoverable. Engineers think in terms of efficiency.

 

When computer systems were designed, the engineers who developed them figured it would be more efficient to simply mark the space where information is held as available for reuse rather than truly deleting the file. The process uses less energy and is more efficient than truly deleting the file.

So, when we hit the ‘delete’ key, information isn’t deleted.

 

What happens is that the computer software goes to the table that keeps track of all the files and where they’re located and makes a check mark indicating that the space where that file is kept can be used for something else. Next time the computer goes to save a file, it can save it to this newly open space. However, because the size of computer storage is so large now, the space left open by the ‘deleted’ file is rarely reused. The original file stays there, lying in storage but with the space marked as available until it is either overwritten or ‘wiped.’

 

‘Wiping’ refers to really deleting a computer file. To really delete a computer file by wiping, a process is used that both marks the space as available and overwrites the space. Usually, the space is overwritten several times in order to obliterate any data remaining.

 

Because deleted data isn’t really deleted in the true sense unless it is wiped, most of the time deleted files can be retrieved and fully restored. That is true for files that have been consciously saved as well as data that has not been saved but is held in temporary storage, as with Internet data.

Q: What are you seeing in the courts in terms of roadblocks to getting access to servers and hard drives?

A: Most of the time, courts have been quite willing to grant discovery of electronically stored information. It gets tricky when litigants ask for a specific file or folder on a network or a targeted hard drive. Parties resist requests that involve having the opposing party’s expert on site, which is what litigants often request when seeking a specific storage device, folder or file. Of course, few businesses welcome the opposing party coming in and accessing their systems and data.

 

The objections are usually based upon keeping their business and client data secure and confidential and preventing disruption of their business. If there haven’t been discovery abuses and the party is trustworthy, the court usually allows the business to hire its own expert. To validate the acquisition of potential evidence, there are several methods that can be used, from documenting the process in writing to videotaping it, that can minimize the intrusion into business information and keep business disruption to a minimum.

 

Q: How do attorneys get access to emails that are on ISP accounts like Comcast, or third-party servers like Gmail?

A: Most ISPs require a subpoena or court order to release information. It depends on the service provider, the information you’re looking for and who you’re requesting the information about. It’s best practice to contact the legal department of the ISP and ask them what they need and how they want it in order to get the results you seek. It may be that you’re legally entitled to the information, but if you don’t request it in the form that the ISP wants you to ask it in and from the person they designate, you won’t get what you’re looking for. It’s important to bear in mind that quite a lot of Internet service provider information is held in storage for a limited amount of time and that by the time there’s a lawsuit pending, the information is long gone.

Q: What issues have you seen with forensics and social media sites like Facebook, MySpace and Twitter?

A: Usually, we’re asked to mine data from social media sites as part of the whole process of investigating a specific person or case. It’s often an adjunct to the larger inquiry that helps to establish that we have the right information or to identify someone a target is communicating with. Of course, in some cases, the use of the social media is an issue in a case, and gaining the posting history is the challenge for the forensic examiner.

 

Q: Is it a good idea to work with an attorney early in an investigation?

 

A: We prefer to contract with the attorney representing the business because that’s the best way to protect our work product from being discovered by the opposing party. Attorney-client privilege extends to us if the attorney contracts with us. That provides the business with the same sort of protection of confidential information that they enjoy in their relationship with their attorney.

Q: What can someone in a business dispute do to preserve critical ESI (electronically stored information) when they know they are going to be in a lawsuit?

A: Every business will be involved in litigation at some point. As with all things, planning saves a lot of labor and expense. Every business today holds at least some electronically stored information: email, accounting information, transaction information. Businesses need to know what electronic data they have, who accesses it and where it’s stored. A big issue we see is that electronic data is being held on business-owned as well as personally owned resources such as smart phones and laptops. It’s essential for the business owners to know where their data are stored so that they can ensure its preservation and production in the event of litigation.

Q: What mistakes do people make before business disputes that end up hurting them after the case is in court?

 

A: By far the biggest mistake people make is deleting electronic records. The fundamentals of litigation have changed. Whereas it was once possible to shred documents (which was spoliation, but was harder to prove), electronic storage of data makes it very difficult to destroy information without leaving behind a trail of evidence documenting the destruction. 

 

Q: What if you do not control the servers or infrastructure? How can you save critical ESI for later use in a lawsuit?

A: If you don’t control the storage media, you need to have your attorney issue a letter that informs the other party of your intent to sue and tells them of their duty to preserve relevant data. It’s best if the party who doesn’t have access has a good understanding of where the data are maintained so that discovery requests can be crafted intelligently. Without knowing how the data are stored and where, it’s more difficult to know whether you’re getting all the information when the other party produces it.

 

The good news (sort of) is that if a party knowingly or intentionally destroys electronically stored information, there are pretty harsh sanctions and a separate cause of action available to the person harmed by the loss of data. The intentional destruction of potential evidence is called spoliation. It’s a fairly easy proposition for a digital forensics examiner to determine if spoliation of electronically stored information has occurred and document it. Armed with the proof that spoliation occurred, courts have ordered pretty severe sanctions that range from ordering an adverse inference about the evidence (meaning that the jury should assume that the evidence was damaging) to default judgments. Money damages have also been awarded, some going into millions of dollars. In Connecticut, spoliation of evidence is a separate civil cause of action for which damages can be awarded.