If you’re working in litigation, I’m sure you’ve frequently wondered how to get your vendor to conduct the most effective keyword searches and not break the bank. How can you find information that might be critical to the case? We’ve learned that keyword searching is an art as much as it is a science. Every project has some kind of resource limitation, so we have developed search strategies to make the most of real-life budgets, time and computing power.

Keyword searches for a typical e-discovery production yield more predictable results because the searches are conducted on complete documents and files that remain intact on the system. However, many of the cases we work on involve data that has been deleted, requiring computer forensic techniques to recover. Simply searching the ‘unallocated space’ of the hard drive (where deleted documents reside) can be helpful, but often retrieves far too much information to be useful. This is because the data is no longer organized as individual files. It’s like hunting through a land fill in search of a penny.

Let’s look at a sample case involving Bill Smith. Bill Smith works for LP Corporation and is suspected of embezzling funds.  Counsel requests information such as Office documents, Acrobat files, emails, and web activity. An initial search for keywords such as “Smith”, “LP Corporation”, and “bill@lpcorporation” would return several hundred thousand hits when run across deleted and regular files. If we limit the search to only saved files, valuable information may never be found. However, when searching the ‘unallocated’ part of the hard drive we might see hundreds of thousands hits -  too many to review. In Bill Smith’s case, we have 678,354 hits that might represent deleted documents, fragments of documents, emails and web activity. This data is all in unallocated space and can only be retrieved using forensic techniques.

Many folks simply ‘carve’ through unallocated space to resurrect any dead files. This can result in a high number of corrupted or irrelevant hits. How do we avoid this problem? We use keywords as we’re recovering deleted files. This technique provides us with live files that contain relevant keywords. These are now much easier to search than the land fill of unallocated files.

These live files can then be loaded into a forensic application. They are much easier to deal with and we can run additional searches on them producing information that may have been missed on the first pass. We keep searching and filtering down by relevant criteria until we come closer to finding the needle in the haystack. For example, we might search all the documents containing Bill Smith,from that set, we may eliminate all those that don’t contain relevancy to embezzlement. Reducing the search criteria further will reduce our hits so that the original 678,354 hits are now 1,200.

By only restoring deleted information that contains relevant keywords, we dramatically reduce the amount of work performed. By turning deleted information into live files, we can then easily search them and filter criteria yielding a compact, highly relevant set of data. This technique allows us to work more efficiently and save valuable computing and financial resources.

It’s no secret that Twitter’s star has rapidly ascended to become a beacon of information coming out of Iran during the June elections. Faced with state enforced censorship of traditional communication channels such as cell phones and text messaging, opposition bloggers have turned to new mediums such as Twitter to post photos, videos and messages from the streets of Tehran.  As Western media was largely banned from leaving their offices, the flood of news, live from the protests, has likely had Iranian authorities trying to track down rogue tweets.

Finding an anonymous party on a social network
In civil litigation it might be challenging to track down the identity of someone who’s posting defamatory or libelous material. If a suspect is the focus of a criminal investigation, it’s relatively simple for law enforcement to issue a subpoena to a social network such as Facebook, MySpace or Twitter and then collect the log files of IP addresses and messages for computer forensic analysis.

However, in a civil matter, learning the true identity of a blogger will typically require serving  a subpoena in connection with a John Doe suit to the social networking site, demanding the IP addresses of the poster. Once you’ve got the IP address of the blogger from Facebook or Twitter, you can then send a second subpoena to the ISP hosting the IP address, such as Time Warner, AT&T or many others. Typically, the ISP will inform their subscriber that a request has been made to reveal their identity. Generally speaking, if the subscriber does not object, the ISP will provide the requested information. If the subscriber does object they will have revealed their identity in the process.

Protecting your privacy on a social network
If you’re an attorney with a client who uses Facebook, MySpace or Twitter you might be surprised at what can easily be found out about them on the web. You don’t need a computer forensics specialist to see what’s out there. Simply Google their name and see what information is available. PC World reports that 78% of social networkers have their profiles visible in a Google search.  Ironically, Facebook is currently testing some privacy controls in beta that would make “status updates” available to everyone by default.  It’s clear Facebook is moving toward less privacy, not more. Facebook is in the business of selling ads and the more content they can make available to the general public the more pages they can serve up for advertisers. In order to increase privacy on Facebook from the low default settings go to Settings: Privacy. You can dramatically alter who can see or search for information.

The amount of discoverable data available has dramatically increased with the rocketing popularity of social networks. Computer forensic experts from the private and public spectrum are rapidly adapting to the new landscape and it will no doubt be a challenge for litigation to keep up with the pace of change.

Federal Forensics Group demonstrates cell phone spyware for Fox 11 News in Los Angeles.

Spyware is a type of malware that is downloaded onto a victims cell phone by an attacker which allows monitoring of conversations, email and text messages.

Often times I am relied upon to examine email in the workplace in connection with violations of company policy. While most employees are prohibited from using company email for personal use, email forensics may reveal more than just loss of worker productivity.

Email forensics frequently uncovers information detailing inappropriate disclosures of trade secrets to clients and competitors, theft of intellectual property, and in some instances, the use of company resources by employees managing a competing business on the side.

Other concerns include interpersonal problems, such as harassing or threatening messages which may endanger an employee or prompt a law suit. All of these pose significant liabilities to the health and competitiveness of the company. An effective email forensic process may be employed to counteract these various problems and mitigate any potential damage.

It is important to keep in mind that email is a powerful tool that has all but revolutionized business communications. It is also very effective at recording the details of the messages exchanged, even in cases where the message has been deleted. In such cases, recorded data can be scattered across a computer’s hard drive. Email forensics is the process of reconstructing the bits of data to reveal the contents of the message. This process can also provide dates and times when the message was sent, IP address of the sender, and any files that may have been attached. A proper forensic analysis can be used to develop a narrative for the computer user’s activity.

Traditionally, email forensics will be relied upon to prove a case once a breach has been discovered. For example, a company looses a software contract with a client prior to resignation of a manger. It is discovered that the manager has subsequently gone to work for the client, and his employer becomes suspicious. A computer forensics analysis of the manager’s work computer reveals that the he had revealed proprietary information to the client during negotiations allowing them to outsource development of the program to a third vendor at a discount. Though the damage has been done, email forensics would be the vehicle for discovery of evidence to submit to the court in a claim for damages.

More significantly, an email forensic examination should be employed at the first sign of a potential problem in order to gain information as early as possible to prevent further damage from occurring. In a recent case it was suspected that an employee was sending/receiving inappropriate messages at work. Forensic examination of the computer yielded sexually explicit emails and attached images. Further analysis revealed that these messages were being exchanged with other co-workers. The organization in this case was able to react before the risk of sexual harassment was actually realized in the work place.

Many companies establish polices as a code of employee conduct. These policies announce expectations of appropriate work-time behavior and email usage. Minor breaches can have a relatively benign impact. However, computer forensics provides a valuable resource in assessing the situation, and a properly conducted analysis could help to mitigate potential damages, and prove invaluable in cases involving more egregious violations.