<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>Federal Forensics Group</title>
	<atom:link href="http://fedforensics.com/companynews/feed/" rel="self" type="application/rss+xml" />
	<link>http://fedforensics.com/companynews</link>
	<description>Computer Forensics</description>
	<pubDate>Fri, 11 Dec 2009 23:07:53 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Using Keywords To Unlock Your Case</title>
		<link>http://fedforensics.com/companynews/using-keywords-to-unlock-your-case/</link>
		<comments>http://fedforensics.com/companynews/using-keywords-to-unlock-your-case/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 22:54:26 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://fedforensics.com/companynews/?p=183</guid>
		<description><![CDATA[If you’re working in litigation, I’m sure you’ve frequently wondered how to get your vendor to conduct the most effective keyword searches and not break the bank. How can you find information that might be critical to the case? We’ve learned that keyword searching is an art as much as it is a science. Every [...]]]></description>
			<content:encoded><![CDATA[<p>If you’re working in litigation, I’m sure you’ve frequently wondered how to get your vendor to conduct the most effective keyword searches and not break the bank. How can you find information that might be critical to the case? We’ve learned that keyword searching is an art as much as it is a science. Every project has some kind of resource limitation, so we have developed search strategies to make the most of real-life budgets, time and computing power.</p>
<p>Keyword searches for a typical e-discovery production yield more predictable results because the searches are conducted on complete documents and files that remain intact on the system. However, many of the cases we work on involve data that has been deleted, requiring computer forensic techniques to recover. Simply searching the ‘unallocated space’ of the hard drive (where deleted documents reside) can be helpful, but often retrieves far too much information to be useful. This is because the data is no longer organized as individual files. It’s like hunting through a landfill in search of a penny.</p>
<p>Let’s look at a sample case involving Bill Smith. Bill Smith works for LP Corporation and is suspected of embezzling funds. Counsel requests information such as Office documents, Acrobat files, emails, and web activity. An initial search for keywords such as “Smith”, “LP Corporation”, and “bill@lpcorporation” would return several hundred thousand hits when run across deleted and regular files. If we limit the search to only saved files, valuable information may never be found. However, when searching the ‘unallocated’ part of the hard drive we might see hundreds of thousands of hits, too many to review. In Bill Smith’s case, we have 678,354 hits that might represent deleted documents, fragments of documents, emails and web activity. This data is all in unallocated space and can only be retrieved using forensic techniques.</p>
<p>Many folks simply ‘carve’ through unallocated space to resurrect any dead files. This can result in a high number of corrupted or irrelevant hits. How do we avoid this problem? We use keywords as we’re recovering deleted files. This technique provides us with live files that contain relevant keywords. These are now much easier to search than the landfill of unallocated files.</p>
<p>These live files can then be loaded into a forensic application. They are much easier to deal with, and we can run additional searches on them, producing information that may have been missed on the first pass. We keep searching and filtering down by relevant criteria until we come closer to finding the needle in the haystack. For example, we might search for all the documents containing Bill Smith; from that set, we may eliminate all those that have no relevance to embezzlement. Reducing the search criteria further will reduce our hits so that the original 678,354 hits are now 1,200.</p>
<p>By only restoring deleted information that contains relevant keywords, we dramatically reduce the amount of work performed. By turning deleted information into live files, we can then easily search them and filter by criteria, yielding a compact, highly relevant set of data. This technique allows us to work more efficiently and save valuable computing and financial resources.</p>
]]></content:encoded>
			<wfw:commentRss>http://fedforensics.com/companynews/using-keywords-to-unlock-your-case/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Metadata – 21st Century Document Authentication</title>
		<link>http://fedforensics.com/companynews/metadata-%e2%80%93-21st-century-document-authentication/</link>
		<comments>http://fedforensics.com/companynews/metadata-%e2%80%93-21st-century-document-authentication/#comments</comments>
		<pubDate>Mon, 24 Aug 2009 19:52:36 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://fedforensics.com/companynews/?p=169</guid>
		<description><![CDATA[Document Authentication
Signatures, faxes and paper are so 20th century. While there is still a need for handwriting analysis experts, modern document authentication techniques take place primarily in the digital domain. Frequently a document such as a contract or letter of intent comes into question during litigation and we are asked to verify if it is [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Document Authentication</strong><br />
Signatures, faxes and paper are so 20th century. While there is still a need for handwriting analysis experts, modern document authentication techniques take place primarily in the digital domain. Frequently a document such as a contract or letter of intent comes into question during litigation and we are asked to verify if it is authentic or fraudulent.</p>
<p>Working in the world of bits and bytes, one of the first things we will check during a document evaluation is metadata. Files such as Microsoft Word documents can contain hidden information known as metadata. Metadata is “data about the data.” To use an analogy: if you were to investigate a homicide in which a gun was used, the metadata would be everything about the gun, including fingerprints on the handle and trigger, the type of bullet fired, the time and date it was fired, and the number of times it was fired.</p>
<p>The metadata embedded in a Microsoft Word document might reveal: the creator name, company name, when the file was created, where the file was saved, total editing time and potentially much more. This list is not exhaustive; it offers just a peek at what most document metadata contains. Any of these elements can be used to show whether a document is authentic or not.</p>
<p><strong>Unexpected Metadata Revelations</strong><br />
If someone is surreptitiously trying to backdate a contract created in Microsoft Word, one thing they might do is set the clock back and then save the document with an earlier date. Taking a casual look at the computer, you might see Windows shows that the document was created or modified on the earlier date. However, a deeper inspection of the document itself might reveal that the metadata embedded in the document is inconsistent with the Windows time/date stamps.</p>
<p>For example, Windows might show a Last Modified Date of Jan. 23, 2005 while the metadata embedded in the document itself might show a much later date and even a different author. The document metadata can also reveal the total document editing time. When a document is intentionally backdated by setting the clock back and then resaving the document, the total editing time indicated can be unrealistically high, sometimes showing that the document was edited for years. Since typical document editing time is measured in hours or days, when we see a document that has been edited for years we become understandably suspicious.</p>
<p>Metadata used in conjunction with other elements of computer forensics such as internet activity, examination of emails and Windows time/date stamps can be used to determine if a document is the real deal or a forgery.</p>
<p><strong>Is The Document Worth The Paper It’s Printed On?</strong></p>
<p>Recently we have looked at a number of agreements and letters of intent that were provided to us on paper. If the authenticity of the document is questioned, somehow the electronic version of the document is almost always difficult to get access to. However, in those cases where we are able to examine the electronic version of the document, often a very different story emerges, illuminated by the bright light of metadata.</p>
]]></content:encoded>
			<wfw:commentRss>http://fedforensics.com/companynews/metadata-%e2%80%93-21st-century-document-authentication/feed/</wfw:commentRss>
		</item>
		<item>
		<title>How To E-Discover Someone In the Age of Twitter</title>
		<link>http://fedforensics.com/companynews/how-to-e-discover-someone-in-the-age-of-twitter/</link>
		<comments>http://fedforensics.com/companynews/how-to-e-discover-someone-in-the-age-of-twitter/#comments</comments>
		<pubDate>Tue, 30 Jun 2009 19:32:03 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://fedforensics.com/companynews/?p=161</guid>
		<description><![CDATA[It’s no secret that Twitter’s star has rapidly ascended to become a beacon of information coming out of Iran during the June elections. Faced with state-enforced censorship of traditional communication channels such as cell phones and text messaging, opposition bloggers have turned to new mediums such as Twitter to post photos, videos and messages [...]]]></description>
			<content:encoded><![CDATA[<p>It’s no secret that Twitter’s star has rapidly ascended to become a beacon of information coming out of Iran during the June elections. Faced with state-enforced censorship of traditional communication channels such as cell phones and text messaging, opposition bloggers have turned to new mediums such as Twitter to post photos, videos and messages from the streets of Tehran. As Western media was largely banned from leaving their offices, the flood of news, live from the protests, has likely had Iranian authorities trying to track down rogue tweets.</p>
<p><strong>Finding an anonymous party on a social network</strong><br />
In civil litigation it might be challenging to track down the identity of someone who’s posting defamatory or libelous material. If a suspect is the focus of a criminal investigation, it’s relatively simple for law enforcement to issue a subpoena to a social network such as Facebook, MySpace or Twitter and then collect the log files of IP addresses and messages for computer forensic analysis.</p>
<p>However, in a civil matter, learning the true identity of a blogger will typically require serving a subpoena in connection with a John Doe suit to the social networking site, demanding the IP addresses of the poster. Once you’ve got the IP address of the blogger from Facebook or Twitter, you can then send a second subpoena to the ISP hosting the IP address, such as Time Warner, AT&amp;T or many others. Typically, the ISP will inform their subscriber that a request has been made to reveal their identity. Generally speaking, if the subscriber does not object, the ISP will provide the requested information. If the subscriber does object, they will have revealed their identity in the process.</p>
<p><strong>Protecting your privacy on a social network</strong><br />
If you’re an attorney with a client who uses Facebook, MySpace or Twitter, you might be surprised at what can easily be found out about them on the web. You don’t need a computer forensics specialist to see what’s out there. Simply Google their name and see what information is available. PC World reports that 78% of social networkers have their profiles visible in a Google search. Ironically, Facebook is currently testing some privacy controls in beta that would make “status updates” available to everyone by default. It’s clear Facebook is moving toward less privacy, not more. Facebook is in the business of selling ads, and the more content they can make available to the general public, the more pages they can serve up for advertisers. In order to increase privacy on Facebook from the low default settings, go to Settings: Privacy. You can dramatically alter who can see or search for information.</p>
<p>The amount of discoverable data available has dramatically increased with the rocketing popularity of social networks. Computer forensic experts from the private and public spectrum are rapidly adapting to the new landscape and it will no doubt be a challenge for litigation to keep up with the pace of change.</p>
]]></content:encoded>
			<wfw:commentRss>http://fedforensics.com/companynews/how-to-e-discover-someone-in-the-age-of-twitter/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Federal Forensics Group on Fox 11 News</title>
		<link>http://fedforensics.com/companynews/federal-forensics-group-on-fox-11-news/</link>
		<comments>http://fedforensics.com/companynews/federal-forensics-group-on-fox-11-news/#comments</comments>
		<pubDate>Tue, 26 May 2009 22:59:41 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://fedforensics.com/companynews/?p=151</guid>
		<description><![CDATA[
Federal Forensics Group demonstrates cell phone spyware for Fox 11 News in Los Angeles.
Spyware is a type of malware that is downloaded onto a victim’s cell phone by an attacker which allows monitoring of conversations, email and text messages.

]]></description>
			<content:encoded><![CDATA[<p><object width="425" height="350" data="http://www.youtube.com/v/izU1emzyRVA" type="application/x-shockwave-flash"><param name="src" value="http://www.youtube.com/v/izU1emzyRVA" /></object></p>
<p><em>Federal Forensics Group demonstrates cell phone spyware for Fox 11 News in Los Angeles.</em></p>
<p><em>Spyware is a type of malware that is downloaded onto a victim’s cell phone by an attacker which allows monitoring of conversations, email and text messages.<br />
</em></p>
]]></content:encoded>
			<wfw:commentRss>http://fedforensics.com/companynews/federal-forensics-group-on-fox-11-news/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Email Forensics in the Workplace</title>
		<link>http://fedforensics.com/companynews/email-forensics-in-the-workplace/</link>
		<comments>http://fedforensics.com/companynews/email-forensics-in-the-workplace/#comments</comments>
		<pubDate>Fri, 15 May 2009 18:33:21 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://fedforensics.com/companynews/?p=143</guid>
		<description><![CDATA[Oftentimes I am relied upon to examine email in the workplace in connection with violations of company policy. While most employees are prohibited from using company email for personal use, email forensics may reveal more than just loss of worker productivity. 
Email forensics frequently uncovers information detailing inappropriate disclosures of trade secrets to clients [...]]]></description>
			<content:encoded><![CDATA[<p>Oftentimes I am relied upon to examine email in the workplace in connection with violations of company policy. While most employees are prohibited from using company email for personal use, email forensics may reveal more than just loss of worker productivity.</p>
<p>Email forensics frequently uncovers information detailing inappropriate disclosures of trade secrets to clients and competitors, theft of intellectual property, and in some instances, the use of company resources by employees managing a competing business on the side.</p>
<p>Other concerns include interpersonal problems, such as harassing or threatening messages which may endanger an employee or prompt a lawsuit. All of these pose significant liabilities to the health and competitiveness of the company. An effective email forensic process may be employed to counteract these various problems and mitigate any potential damage.</p>
<p>It is important to keep in mind that email is a powerful tool that has all but revolutionized business communications. It is also very effective at recording the details of the messages exchanged, even in cases where the message has been deleted.  In such cases, recorded data can be scattered across a computer’s hard drive. Email forensics is the process of reconstructing the bits of data to reveal the contents of the message. This process can also provide dates and times when the message was sent, IP address of the sender, and any files that may have been attached. A proper forensic analysis can be used to develop a narrative for the computer user&#8217;s activity.</p>
<p>Traditionally, email forensics will be relied upon to prove a case once a breach has been discovered. For example, a company loses a software contract with a client prior to the resignation of a manager. It is discovered that the manager has subsequently gone to work for the client, and his employer becomes suspicious. A computer forensics analysis of the manager’s work computer reveals that he had revealed proprietary information to the client during negotiations, allowing them to outsource development of the program to a third vendor at a discount. Though the damage has been done, email forensics would be the vehicle for discovery of evidence to submit to the court in a claim for damages.</p>
<p>More significantly, an email forensic examination should be employed at the first sign of a potential problem in order to gain information as early as possible to prevent further damage from occurring. In a recent case it was suspected that an employee was sending/receiving inappropriate messages at work. Forensic examination of the computer yielded sexually explicit emails and attached images. Further analysis revealed that these messages were being exchanged with other co-workers. The organization in this case was able to react before the risk of sexual harassment was actually realized in the workplace.</p>
<p>Many companies establish policies as a code of employee conduct. These policies announce expectations of appropriate work-time behavior and email usage. Minor breaches can have a relatively benign impact. However, computer forensics provides a valuable resource in assessing the situation, and a properly conducted analysis could help to mitigate potential damages, and prove invaluable in cases involving more egregious violations.</p>
]]></content:encoded>
			<wfw:commentRss>http://fedforensics.com/companynews/email-forensics-in-the-workplace/feed/</wfw:commentRss>
		</item>
		<item>
		<title>May 7, 2009-</title>
		<link>http://fedforensics.com/companynews/119/</link>
		<comments>http://fedforensics.com/companynews/119/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 18:41:40 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
		
		<category><![CDATA[Events]]></category>

		<guid isPermaLink="false">http://fedforensics.com/companynews/?p=119</guid>
		<description><![CDATA[Free MCLE seminar presented by Federal Forensics Group and Digitrust.
Computer Security Breach- Top Ten Ways to Protect Your Clients&#8217; Rights. 
Please join us for an MCLE accredited 1 hour seminar hosted by Hallstrom, Klein &#38; Ward, LLP. The seminar will address the most cutting-edge information security threats and appropriate response and remediation methods. » more
]]></description>
			<content:encoded><![CDATA[<p>Free MCLE seminar presented by Federal Forensics Group and Digitrust<strong>.</strong></p>
<p><em><strong>Computer Security Breach- Top Ten Ways to Protect Your Clients&#8217; Rights. </strong></em></p>
<p>Please join us for an MCLE accredited 1 hour seminar hosted by Hallstrom, Klein &amp; Ward, LLP. The seminar will address the most cutting-edge information security threats and appropriate response and remediation methods. » <a href="http://fedforensics.com/companynews/wp-content/uploads/2009/03/mcle-hallstrom3.pdf" target="_blank"><em>more</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://fedforensics.com/companynews/119/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Digital archeologists excavate forgotten email.</title>
		<link>http://fedforensics.com/companynews/digital-archeologists-excavate-forgotten-email/</link>
		<comments>http://fedforensics.com/companynews/digital-archeologists-excavate-forgotten-email/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 19:39:16 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://fedforensics.com/companynews/?p=64</guid>
		<description><![CDATA[I am frequently asked “Can you get me all the emails on the computer? There’s this one really important Yahoo! email. Why is it so damn hard just to find that single email?&#8221;
Webmail by its very nature can be challenging to recover. An email message sent or received through Yahoo!, Hotmail or Gmail exists as [...]]]></description>
			<content:encoded><![CDATA[<p>I am frequently asked “Can you get me all the emails on the computer? There’s this one really important Yahoo! email. Why is it so damn hard just to find that single email?&#8221;</p>
<p>Webmail by its very nature can be challenging to recover. An email message sent or received through Yahoo!, Hotmail or Gmail exists as nothing more than a web page. Unless there is a preservation order directing the service provider to freeze the messages, the email artifacts will need to be recovered from the local computers of the sender and receiver.</p>
<p>Since a webmail is presented as a web page, searching for webmail entails the forensic reconstruction of that page. A single web page can be made up of dozens or more individual elements. Oftentimes, data is scattered around the hard drive, and key parts can sometimes go missing. Like an archeologist trying to reconstruct a skeleton, the computer forensic expert has to carefully hunt down the digital bone fragments and piece them back together again. It can sometimes be painstaking work, especially if parts of the email have been deleted.</p>
<p>This reconstructive process is at the heart of email forensics. Thus, computer forensic experts must keep current with the shifting sands of email and browser technologies. For example, since its release in September 2008, Google’s Chrome browser has captured 1.15% of the browser market and now Firefox commands nearly 22%. In email, Yahoo! still dominates the market, but Gmail has galloped to fourth place as of January 2009. These evergreen shifts in webmail and browser technologies mean that forensic experts must constantly research email functionality and utilize new techniques and tools.</p>
<p>Webmail fragments don’t exist solely on the sending and receiving computers. There are massive servers that store the emails in remote locations, so that someone can log in from anywhere on the globe and still access their webmail. From a litigation perspective, it is important to acknowledge this, because we’ve noticed a trend toward fewer recoverable webmail artifacts (on a local computer) than before. Gmail, for example, leaves very few traces of recoverable emails. The newest version of Yahoo! mail is moving in the same direction. This means that it’s more important than ever to get subpoenas served with specific, appropriate language early in the litigation process.</p>
<p>While we still find important webmails on a computer, we’ve noticed a strong trend toward receiving email on handheld devices such as Blackberries, iPhones and Palms. When deciding what to subpoena, it’s important not to overlook these devices because they store webmail differently than a computer and can sometimes provide a swifter path to email recovery.</p>
]]></content:encoded>
			<wfw:commentRss>http://fedforensics.com/companynews/digital-archeologists-excavate-forgotten-email/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Eric Robi Gives Interview to Fox 11 News</title>
		<link>http://fedforensics.com/companynews/hello-world/</link>
		<comments>http://fedforensics.com/companynews/hello-world/#comments</comments>
		<pubDate>Fri, 13 Feb 2009 02:31:54 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://fedforensics.com/companynews/?p=1</guid>
		<description><![CDATA[
Eric Robi, computer forensics expert witness and President of Federal Forensics Group was interviewed on Fox 11 News in Los Angeles on “Scareware”. 
 Scareware is a type of malware that installs on a victim computer often by means of a compromised website or email attachment. It then informs the victim that his or her [...]]]></description>
			<content:encoded><![CDATA[<p><object width="425" height="344" data="http://www.youtube.com/v/7XHx5G5JIBk&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="src" value="http://www.youtube.com/v/7XHx5G5JIBk&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" /><param name="allowfullscreen" value="true" /></object></p>
<p><em>Eric Robi, computer forensics expert witness and President of Federal Forensics Group was interviewed on Fox 11 News in Los Angeles on “Scareware”. </em></p>
<p><em>Scareware is a type of malware that installs on a victim computer often by means of a compromised website or email attachment. It then informs the victim that his or her computer is infected and that in order to clean it, the victim must purchase the software. Unfortunately, even if the computer contains no malware, the victim is prompted for credit card information. The malware is very difficult to remove and sometimes requires a complete reinstallation of the operating system to completely get rid of it.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://fedforensics.com/companynews/hello-world/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
