The Forensic Collection Process

June 29, 2010, 8:20 PM UTC

We hear about “forensic” processes a lot these days, especially on TV, where exceedingly attractive people investigate a crime scene involving violence and intrigue. They use a lot of cool technology, too, but an important part of the equation, the forensic process, tends to be left out.

What It Is.

To demystify the subject, “forensic,” according to my online dictionary, is an adjective meaning: relating to or denoting the application of scientific methods to the investigation of crime or relating to courts of law. So simply put, forensic collection means doing it the right way—following a set of procedures recognized by the expert community, in a repeatable, scientifically grounded, and defensible manner. For those in this expert community, the fact that a repeatable process is necessary may be obvious. But the ability to make lay people and attorneys understand this can often be the difference between success and failure.

Why It’s Important.

In legal parlance, forensic collection—the defensibly sound preservation and harvesting of electronic evidence—has taken on much greater importance as the preponderance of evidence has shifted from paper to electronic. People hardly ever send letters anymore; they send e-mail. But computer files have characteristics that paper never had. They are easily susceptible to inadvertent changes or deletion, not to mention intentional mischief. So the process of collecting electronic evidence must be undertaken with particularity in order to render the evidence trustworthy. That process is called forensic preservation and collection. And all involved need to know that it should be implemented at the very first inkling that litigation may be in the wings.

Now anytime we talk about scientific processes that involve “their” business, people get nervous. And when one contemplates touching a client’s e-mail, one enters the inner sanctum of the concentric circles of closeness. Being able to explain the process will help your clients understand and agree to this intrusion as necessary for you to be able to help them. Really, it all boils down to nuts and bolts, just like old-fashioned discovery.

Definitions

Let’s define a few key terms before we get too far. These definitions are designed to help those without too much technical expertise.

Metadata.

This term is finding its way into our vernacular particularly in legal opinions, but it’s really just a scientific sounding word for information created by our computers as we create documents on them.

Our computers record a creation date and track every time we change a file, or even open one. These are examples of metadata.

Each of our computers has a name, whether we gave it one or our systems people set them up with something generic. When we create a document, our imprimatur goes with it: metadata.

When we write and make changes to a document, many programs track those changes: again, metadata.

There are many other examples but the simple point is there is more to an electronic document than shows on the printed page. Preserving metadata is necessary to establish the trustworthiness of the document because it can reveal mischief if there has been any.

Metadata can also enable one to find and evaluate evidence much more efficiently, and at considerably lower per document cost, than under a paper discovery regime. Accordingly, metadata is both useful and fragile.

Deleted Files.

We all delete files; we have to. If we didn’t it would be like never throwing away a piece of paper, no matter how useless or defective the information on it might be. It’s just so much easier to accumulate junk on our computers, but delete we do.

Sometimes files are deleted for the wrong reasons though. Despite what most computer users believe, deleted files don’t just go “poof” and disappear. When we delete a file, all that’s affected is the address that tells the computer where to find the file when we command it to open. The file itself remains until we overwrite it.

With proper forensic tools, those files can be restored. Under the right circumstances, that restoration can make the difference between winning or losing a case.

Fragments and Slack Space.

Slack space is the part of our hard drives that we haven’t written data to, or that doesn’t contain active files. It’s the place our deleted files go while waiting to be overwritten. And when they’re overwritten, it doesn’t all happen at once. Bits and pieces of files are overwritten, leaving fragments of the original files intact.

Again, forensic tools can access these fragments, which in more than one case I’ve managed have operated as proof of the existence of a document, supporting the parol evidence of the proposition for which it was offered. This is useful on many levels, including to prove the negative: that there wasn’t any such document as may be claimed, or at least no tangible evidence of its having existed. Preserving this evidentiary realm is only possible if done properly and early.
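The deletion, overwrite and fragment behaviour described in the last three paragraphs can be shown on a miniature file system. The following is an added example written for this page, not a tool or code from the article: it builds a constructed toy disk (16-byte sectors, a directory that maps names to sectors) in which “delete” removes only the directory entry, then carves the raw media for a marker before and after part of the deleted file has been reused, and reads the file slack left at the tail of a partially used sector. The disk layout, file names and contents are all invented for the demonstration.

```python
SECTOR = 16  # toy sector size in bytes (real media use 512 or 4096)


class ToyDisk:
    """Constructed miniature file system: a directory maps names to
    (sector list, byte length); raw bytes live in self.media. Deleting a
    file drops the directory entry only, which is the behaviour the article
    describes for real drives."""

    def __init__(self, sectors):
        self.media = bytearray(SECTOR * sectors)
        self.directory = {}
        self.free = list(range(sectors))

    def write(self, name, data):
        needed = max(1, -(-len(data) // SECTOR))  # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            # Only len(chunk) bytes are written; the rest of the last sector
            # keeps whatever it held before: that leftover is file slack.
            self.media[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = (sectors, len(data))

    def read(self, name):
        """What the operating system shows: the active file, up to its length."""
        sectors, size = self.directory[name]
        raw = b"".join(bytes(self.media[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)
        return raw[:size]

    def delete(self, name):
        sectors, _ = self.directory.pop(name)
        self.free = sorted(self.free + sectors)  # data bytes are untouched

    def slack(self, name):
        """Bytes between the end of the file and the end of its last sector."""
        sectors, size = self.directory[name]
        last = sectors[-1]
        used = size - SECTOR * (len(sectors) - 1)
        return bytes(self.media[last * SECTOR + used:(last + 1) * SECTOR])

    def carve(self, marker):
        """What a forensic tool does: scan the raw media regardless of the
        directory and return every run of bytes that starts with marker and
        ends at the next NUL byte."""
        found, pos = [], 0
        while True:
            pos = self.media.find(marker, pos)
            if pos == -1:
                return found
            end = self.media.find(b"\x00", pos)
            if end == -1:
                end = len(self.media)
            found.append(bytes(self.media[pos:end]))
            pos = end


def demo():
    disk = ToyDisk(8)
    disk.write("memo.txt", b"MEMO: confidential terms for Acme deal")  # 3 sectors
    disk.delete("memo.txt")
    after_delete = disk.carve(b"MEMO:")          # whole memo still on the media
    disk.write("note.txt", b"lunch soon")        # reuses sector 0, only 10 bytes of it
    return {
        "after_delete": after_delete,
        "after_overwrite": disk.carve(b"MEMO:"),  # header gone with sector 0
        "fragment": disk.carve(b"terms"),         # tail of the memo survives
        "note_read": disk.read("note.txt"),       # what the user sees
        "note_slack": disk.slack("note.txt"),     # old memo bytes in the slack
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run as a script, the output shows the full memo recoverable after deletion, the memo header gone once a new file takes its first sector, the fragment “terms for Acme deal” still carvable, and six bytes of the old memo sitting in the slack of the new file. On a real drive the same logic applies across millions of sectors, which is why a full image, not a file-by-file copy, preserves this material.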

Implications

Preserving the “slack space,” computer log files, and system metadata can be critical to one’s case. For example, in an employment matter, say theft of IP, our forensic experts are able to reconstruct what the custodian (the computer user) was doing within the last week or days of employment. Did he or she access the confidential folder on the company server and download it to a personal machine? Send confidential information to a private e-mail account or copy it to a thumb drive? These types of determinations are made using special forensic tools and know-how, but are only available if the evidence was properly collected.

Most users do not understand that simply copying a file does change its metadata. It’s easy to illustrate, though: take an old file, copy it to your desktop, and then right click your mouse on “Properties.” You’ll see that of the three dates (created, accessed, and modified) two have changed to the current date (created and last modified). If you opened the file and saved it, the last modified date would be changed too.
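To show in code how fragile file metadata is under an ordinary copy, here is an added example (written for this page, not from the article) that creates a constructed sample file, backdates its modification time by a year, copies it once with shutil.copyfile (content only) and once with shutil.copy2 (content plus access and modification times), then compares content hashes and timestamps. The file names and content are invented for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Content hash: identical for every copy, regardless of timestamps."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def demo_copy_metadata():
    """Copy an 'old' file two ways and report which timestamps survive."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.txt")
        with open(src, "wb") as f:
            f.write(b"constructed sample document\n")
        # Pretend the file was last modified a year ago.
        old = time.time() - 365 * 86400
        os.utime(src, (old, old))

        naive = os.path.join(d, "naive_copy.txt")
        careful = os.path.join(d, "careful_copy.txt")
        shutil.copyfile(src, naive)   # copies bytes only; new file gets "now"
        shutil.copy2(src, careful)    # also copies access/modification times

        return {
            "content_identical": sha256_of(src) == sha256_of(naive) == sha256_of(careful),
            "naive_mtime_preserved": abs(os.stat(naive).st_mtime - old) < 2,
            "careful_mtime_preserved": abs(os.stat(careful).st_mtime - old) < 2,
        }


if __name__ == "__main__":
    for key, value in demo_copy_metadata().items():
        print(f"{key}: {value}")
```

The three hashes match, so a content check alone would call the naive copy a faithful duplicate, yet its modification time now reads today. shutil.copy2 preserves access and modification times but, like most copy routines, not the creation time, which is why forensic imaging works below the file system rather than through it.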


How the Forensic Imaging Process Works

Forensic imaging of computer hard drives is essentially using special forensic tools to put a shell or container over the data, and with those tools, copying every byte and sector of the drive to create a mirror image of it. The reality is a little more complicated. Experts use a number of different tools depending on the configuration of the source files, the needs of the client and so forth, but basically, we create a duplicate of the original without altering any of the metadata on either the source drive or the target drive, including any deleted files, fragments, and slack space.

To better describe the resulting form of a forensic image, consider the analogy of a walnut. With a nut, the meat inside the shell is protected from damage or contamination from outside. The shell can take a beating, be moved from hot to cold or sunshine to shadow, be stepped on, be pushed into the dirt, etc., and the meat will generally be fine.

What we do with digital files is similar in that we put a shell around the file so we can move it safely. Then, in order to process the data, we break the shell in our special lab, where we know it’s clean and safe, and we extract the data.

Working Outside the Operating System.

Forensic collection should take place outside of the computer’s operating system. The forensic process generally, though not always, includes the removal of the hard drive, utilizing a write blocker to prevent any changes in the source data, and a forensic tool to copy the media. A full forensic image is typically best because it captures and preserves everything on the drive. From that image it is possible to selectively pull case specific evidence.

Since the full image is preserved, it enables lawyers to go back for as many bites at the apple as necessary as new issues emerge or discovery indicates further exploration, including a possible CSI-type forensic investigation (although probably by less attractive scientists than those on the television show).

There are exceptions—there always are. When imaging servers for example, sometimes we are only after a subset of the data, such as a few custodians’ files or just a couple of e-mail boxes. In those cases, we have different forensic tools that are used within the computer’s operating system to avoid having to shut down a company’s server and disrupt their operation.

Because the data resides on multiple drives, RAID configurations often require imaging from a live computer, but with specialized know-how and equipment. Nevertheless, in most cases where data is stored on a desktop or laptop computer, a full image is desirable, defensible and normally less expensive to acquire than other alternatives.

Need for Documentation.

Documentation of the process is essential. Contemporaneous collection logs memorialize what was collected, from whom, when, where, why, and how, sufficient to support testimony if ever needed.

Likewise, chain of custody documents preserve a transit record of the evidence from source to courtroom to assure that you will meet the standards for admissibility when it counts. Experience teaches us that if your evidence is strong, your adversary is most likely to grasp at straws by attacking the method of collection, or the selection of what was collected or processed. Proper documentation and a thoughtfully developed process provide defensibility against such attacks.

Storage.

Once made, the image needs to be stored properly. A good strategy is to make a second image as a working copy and sequester the original image separately. Proper forensic procedure is very important to preserve the integrity of the electronically stored information (ESI). It’s just like the crime lab police shows on TV—improperly handled evidence is tainted, and compromised evidence leads to bad results in the courtroom.

The term for tainted ESI is spoliation. The thing that differentiates ESI from paper is that it’s so easily changed, even inadvertently or innocently. Its trustworthiness can be called into question.
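The imaging, documentation and storage steps above (write-blocked acquisition, a contemporaneous log with hashes, a sequestered original plus a working copy, and detecting spoliation of the working copy) fit together in one short procedure. The following is an added example written for this page; it is not the article’s or any vendor’s tool. A real write blocker is hardware; here a small WriteBlockedSource class stands in for it, the “drive” is a constructed 10 KiB file, and the examiner name, location and file names are invented.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # read size; a real imager reads sector by sector


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()


class WriteBlockedSource:
    """Stand-in for a drive behind a hardware write blocker: every byte can
    be read, nothing can be written (hardware enforces this for real)."""

    def __init__(self, path):
        self.path = path

    def blocks(self):
        with open(self.path, "rb") as f:
            for block in iter(lambda: f.read(BLOCK), b""):
                yield block

    def write(self, data):
        raise PermissionError("write blocker engaged: source is read-only")


def acquire(source, image_path, log, examiner, location, note):
    """Copy every byte of source into image_path, hash the source stream and
    the finished image independently, and append a contemporaneous log entry
    (who, what, when, where, how) that later testimony can rest on."""
    stream_hash = hashlib.sha256()
    with open(image_path, "wb") as out:
        for block in source.blocks():
            stream_hash.update(block)
            out.write(block)
    image_hash = sha256_file(image_path)
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "who": examiner,
        "where": location,
        "what": os.path.basename(image_path),
        "from": os.path.basename(source.path),
        "how": note,
        "source_sha256": stream_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": stream_hash.hexdigest() == image_hash,
    }
    log.append(entry)
    return entry


def still_intact(log, image_path):
    """Chain-of-custody check: does the file on disk still match the hash
    recorded when it was made? A mismatch is spoliation, whatever the cause."""
    name = os.path.basename(image_path)
    recorded = next(e["image_sha256"] for e in log if e["what"] == name)
    return sha256_file(image_path) == recorded


def demo():
    log = []
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "custodian_laptop.raw")
        with open(evidence, "wb") as f:
            f.write(bytes(range(256)) * 40)  # constructed 10 KiB "drive"
        source = WriteBlockedSource(evidence)
        try:
            source.write(b"x")
            blocked = False
        except PermissionError:
            blocked = True
        original = os.path.join(d, "original.img")
        working = os.path.join(d, "working.img")
        # Original image: sequestered, never opened for analysis.
        acquire(source, original, log, "J. Examiner", "Evidence lab",
                "full image through write blocker")
        # Working copy made from the original image, not from the drive again.
        acquire(WriteBlockedSource(original), working, log, "J. Examiner",
                "Evidence lab", "working copy of original.img")
        before = (still_intact(log, original), still_intact(log, working))
        # A careless tool or user appends a single byte to the working copy.
        with open(working, "ab") as f:
            f.write(b"\x00")
        after = (still_intact(log, original), still_intact(log, working))
        return {
            "write_blocked": blocked,
            "all_verified": all(e["verified"] for e in log),
            "intact_before": before,
            "intact_after_tamper": after,
            "log_entries": len(log),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The log holds one entry per image with both hashes, so a later reviewer can tie the working copy back to the original and the original back to the drive. After the one-byte change, the working copy fails its check while the sequestered original still passes, which is exactly why the article recommends keeping the two apart.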

The Bottom Line.

Given the significant investment of money and time in processing and review that is undertaken within the legal process, it is essential that the beginning of the process be free from doubt, able to withstand scrutiny, and conform to the protocols and practices established by the forensic community. In other words, why go through all of the hoops to prepare a case only to find out that the evidence on which it’s built was defective from the get-go? Proper forensic procedure builds in the necessary security.
