Business Risk July 2011

The Case for Digital Evidence

Data forensics and electronic evidence recovery are powerful investigative tools for successfully resolving cases of alleged fraud, corruption, loss of intellectual property, theft of trade secrets and conflict of interests.

The flow of electronic information seems to be forever increasing. We now have incredible amounts of data being stored via the internet, cloud computing and hard-drive storage devices. Well over 90% of important business data is stored electronically and email is increasingly being used as a primary form of communication.

However, some corporations’ technical advisors and lawyers are inexperienced in the conduct of electronic discovery and handling of digital evidence. Subsequently, crucial digital evidence—often a material factor in winning or losing a legal action—is sometimes inadvertently destroyed, contaminated or simply overlooked.

Computer data is fragile and easily lost if searches for potential electronic evidence are not undertaken using forensically sound procedures. Simply switching on a computer may cause changes to critical data. Moreover, searching a computer system can be like looking for a needle in a haystack. If dedicated mining tools and procedures are used, a computer can be a valuable witness and evidence properly obtained from computer systems is compelling.

What is data forensics?
Data forensics is a methodology used in the search, seizure and analysis of computer-based evidence to help it later be accepted in a court of law. The process essentially involves several steps:

1. Forensic acquisition of hard drives or other computer media using specialist software
2. Recovery of deleted files
3. Preliminary searches using analytical tools such as keywords or phrases
4. More comprehensive analyses of data with searches tailored to the specific needs of the investigation. Analyses can include the reconstruction of documents and files; examination of logs and emails; timeline analyses; searches for images of recently printed documents; the examination of file signatures to ascertain if files have been hidden under a false extension; as well as the detection of malware, spyware and any other electronic hardware that may have been attached to the computers.

“Deleted” data
Wrongdoers often attempt to delete incriminating material (including emails) from their work computers. However, by following the proper data forensic procedures and protocols, experts can recover evidence that someone has tried to remove or conceal. Hardware does not need to be removed and imaging can be undertaken discreetly, so as to avoid alerting possible suspects, provided access is legally obtained. Analyses can be undertaken externally.

Critical need for expertise
The goal of electronic discovery is to deliver relevant information and evidence, as well as to ensure it is later admissible in court, if required. But it is important to stay within the bounds of one’s expertise. Just as litigators turn to experts for help in interpreting information in specialised fields such as accounting and forensic science, so too should they ask computer forensic experts to gather and interpret electronic data. Effective collection and reviews of computer-based evidence requires a degree of strategic involvement which is beyond the skills of the average litigator or IT specialist.

Though not all circumstances require forensic data collection, the process must be defensible. The best forensic software is useless in the hands of inexperienced personnel, even those with IT skills, if they do not understand the importance of proper procedures. Electronic data can be permanently destroyed by an error as simple as misaligning a drive connection. When securing electronic discovery, computer forensic experts use specialised software and a methodology designed to meet the highest evidentiary standards—their processes and procedures have been tried and tested in court.

Case study
Recently, FTI Consulting helped a client who had received anonymous information that some of its staff were getting kickbacks for diverting purchases to specified vendors and sales to customers at far below normal sale values. As part of a wider investigation, we forensically imaged a number of target computers and the firm’s email server.

Once we had recovered deleted data and categorised relevant information contained in the computers and on the servers, we established that several members of staff were communicating with vendors and customers via web-based email (Hotmail, Yahoo, etc.) and obtained evidence of wrongdoing. We also established that some of the staff were innocent of the allegations. Our client, therefore, was able to take effective action against guilty staff and improve its systems.