What Evidence is Obtained Through Computer Forensics?
By Todd L. Dietrich and Gregory Fordham
Introduction
What is Metadata?
What You Can Learn From E-mail, Appointments, Contacts and Journal Entries
Databases
Deleted Data, Temporary Files, Hidden Files and Encrypted Files
Internet History, Cookies and Instant Messaging
If It's Discoverable, Does That Mean It's Admissible?
Often people do not completely understand the differences between classic e-discovery and computer forensics. Starting with the most basic level, which is acquisition, a computer forensic examiner will make a “bit-for-bit image” of the subject media. This image is an exact duplicate of the media including all active space and unallocated space resident on the media at the time of the imaging.
In order to verify that the image is an exact duplicate, the forensic examiner will run one or more hashes to compare the original and the image. A hash is a mathematical algorithm which essentially takes a measurement of a particular data set. This measurement is better than that of DNA testing. The data set can be a single file, a folder or directory containing numerous files, or an entire hard drive.
In recent years mathematicians have been able to “crack” some of the more common hashing algorithms, namely MD5 and SHA1. These cracks are called forced collisions. What they have essentially proven is that it is possible for two files to have the same MD5 or SHA1 hash. While this is interesting, it is irrelevant in almost every situation in which a hash is used in computer forensics. A forensic expert will hash an entire hard drive and/or image of a hard drive, and record that hash value. If any changes are made to either the hard drive or the image, then subsequent attempts to hash either will result in hash values which do not match the original. So the fact that another hard drive might be forced to collide with the suspect media is irrelevant. The only concern is with the suspect media and verifying that its hash value has been maintained over time. A simple way to eliminate this issue altogether is to use two algorithms to hash your data. No one has yet proven a method of forcing a collision of the MD5 and SHA1 hashes on the same data.
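The dual-hash verification described above, as an added worked example (not code from the authors): both MD5 and SHA-1 are computed in a single pass over the image at acquisition time, recorded, and later recomputed to confirm the image is unchanged. The "image" here is a constructed byte string standing in for a bit-for-bit copy, with an allocated region followed by zeroed unallocated space, so the example can also show that a change in unallocated space (which a plain file copy would never carry) still breaks verification. Chunked reading is an assumption about how a drive-sized image would be handled, not something the article specifies.

```python
import hashlib
import io

CHUNK = 1 << 20  # read the image in 1 MiB pieces so a full drive never has to fit in RAM


def _as_stream(image):
    """Accept either raw bytes (for small samples) or an open binary stream."""
    if isinstance(image, (bytes, bytearray)):
        return io.BytesIO(image)
    return image


def hash_image(image, chunk_size=CHUNK):
    """Single pass over the image, feeding MD5 and SHA-1 in parallel.

    Returns {"md5": hex, "sha1": hex}. Both values are what an examiner
    would record in the acquisition notes.
    """
    stream = _as_stream(image)
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(image, recorded):
    """Re-hash the image and compare against the recorded acquisition values.

    Returns (verified, per_algorithm_matches). Verification requires every
    recorded algorithm to match; a mismatch on either one is a failure.
    """
    current = hash_image(image)
    matches = {alg: current[alg] == recorded[alg] for alg in recorded}
    return all(matches.values()), matches


# Constructed sample "image" (not a real disk image): 4 KiB of allocated file
# content followed by 4 KiB of zeroed, unallocated space.
ACTIVE = b"Meeting notes: ship the Q3 report Friday.\n".ljust(4096, b"\x00")
UNALLOCATED = b"\x00" * 4096
ORIGINAL_IMAGE = ACTIVE + UNALLOCATED


def tamper(image, offset, value):
    """Return a copy of the image with a single byte changed at offset."""
    buf = bytearray(image)
    buf[offset] = value
    return bytes(buf)


def demo():
    """Record hashes at 'acquisition', verify the untouched image, then verify
    a copy with one byte altered inside unallocated space."""
    recorded = hash_image(ORIGINAL_IMAGE)
    ok_same, _ = verify_image(ORIGINAL_IMAGE, recorded)
    altered = tamper(ORIGINAL_IMAGE, len(ACTIVE) + 100, 0x41)
    ok_altered, matches = verify_image(altered, recorded)
    return ok_same, ok_altered, matches


if __name__ == "__main__":
    same, altered_ok, which = demo()
    print("untouched image verifies:", same)
    print("altered image verifies:", altered_ok, "per algorithm:", which)
```

Recording both digests costs one extra hasher update per block and nothing else; a forced collision would have to hold for MD5 and SHA-1 simultaneously on the very media under examination, which is the point the article makes.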
After creating the image and verifying the hashes, a forensic examiner will analyze the image of the media using specialized forensic tools, which do not alter the image in any way. The analysis will often include conducting keyword searches which identify any files in which the keywords are found. Usually the internet and email activity will be analyzed as well, and once the analysis is complete, the forensic expert may be asked to export certain files for production.
If the amount of exported evidence is relatively small, it can be burned to read-only media (CD-ROM or DVD-ROM) and sent directly to the attorney for further review and/or analysis. If the amount of exported evidence is large, it can be processed in a more traditional e-discovery method. This processing will see the files sorted, indexed, de-duped and converted into either .pdf or .tiff format. From there the evidence can be imported into litigation support software, such as Concordance or Summation.
A traditional e-discovery vendor will simply harvest data from the suspect custodians. Usually this will not be a “bit-for-bit image”, but will instead be limited to only active files and emails. Thus, if the smoking gun was deleted prior to harvesting, it will be missed entirely. After the harvesting, the e-discovery vendor will proceed with sorting, indexing, de-duping and converting the files to either .pdf or .tiff format. In many cases, this is all that the lawyers or clients request. Even if this type of process is all that is initially needed, a better method would be to do a full forensic “bit-for-bit” imaging of all suspected media no matter what. This will cause all data to be preserved, whether it is to be initially processed and analyzed or not. By preserving all the data on the front end, the option of seeking a full-blown forensic examination at a later date would still exist.
In order to help determine the scope and level of the analysis needed in your particular situation, here are some questions you really need to know the answers to:
a) How many custodians are involved?
b) What type of network is involved?
c) Are there custodians located in remote office locations?
d) Which operating systems are in use on the servers and workstations/laptops? Is a firewall used?
e) What type of machines are in use in the environment? Do they use laptops, Blackberrys or other personal mobile devices?
f) Which applications are being used? Are they using common applications for email, word processing, spreadsheets etc? Are they using any internally developed proprietary applications?
g) What type of backup system is in use? What is the backup schedule? Is there a rotation that needs to be suspended? Where are the tapes stored?
h) Who is the systems administrator? Is he/she involved in the issue being litigated?
i) Are home computers used for business? Is there remote access? Can it be terminated or suspended during the preservation phase?
j) Do they have an e-mail server? If so, where is e-mail stored for transmission, retrieval and archiving?
k) Who is the internet, and/or WAN service provider?
Hiring an expert is a big decision, one that requires some level of financial commitment. If you are tempted, in an effort to save some money, to just “use the IT guy”, consider that reputable computer forensic experts have received considerable specialized training. An amateur is very likely to alter data and, quite probably, make it inadmissible in court. However, you should also beware of “experts” who just buy a software package, set up shop and hold themselves out as computer forensic experts. There are numerous certifications specific to computer forensics. Ask your expert what certifications they hold, and which ones are directly related to computer forensics. Also, ask about their technical experience, and whether they have ever qualified at trial as an expert. You may also want to ask them to describe the tools they use. A reputable expert will most assuredly use more than one tool. Often they will rely on, among other things, the two heavyweights in the field, EnCase and FTK.
Another reason to hire a computer forensic expert is that they are far better prepared to access evidence quickly and easily than an untrained individual. You can also use the expert's knowledge to help you develop discovery requests specific to the case. Capturing and analyzing data requires more than just forensic software tools; it also requires some unique hardware tools that an amateur is not likely to possess. On top of that, a typical exam machine in a forensics lab is itself a specialized piece of equipment with fast processor(s), lots of RAM and very large hard drive capacities.
One area where having a computer forensic expert will help alleviate headaches is preserving the chain of custody, and eventually attesting to the authenticity of the evidence. An expert is trained to preserve ESI, which is by nature very volatile. A paralegal, an attorney, or the IT guy is not trained in this area, and is not likely to withstand charges from the other side that the ESI they’ve handled is now somehow unreliable. Once you realize that ESI is involved, you should hire an expert or have one on retainer as your firm’s consulting expert. Even if a full forensic analysis is not initially needed, a consulting expert can oversee the acquisition of the ESI and maintain the chain of custody.