Computer Forensics: How It Can Impact Legal Cases

Data recovery can reveal more than you may want people to truly know. After all, that is what the ‘empty from recycle bin’ button was invented for: we want to remove all traces of something that might come back to bite us later on. However, speaking to Steve Burgess, President of Burgess Consulting and Forensics, we learn that our (‘questionable’) browser history and secret documents are often not truly deleted, even after we clear the cache and remove every visible trace.

He says: “I was there from the start: I saw the data recovery industry in 1985 when Bobby Brown’s manager came begging to this former floppy drive repair company (yes, floppy drives!) to recover data from his crashed 10MB (yes, 10 MB) DOS hard disk. Developing methodologies for recovery, an industry was born.”

From floppy disks to our smartphones, we speak to Steve about how, even though technology is ever-changing, its impact on legal cases endures.

Why is computer forensics important to legal cases?

Users generally don’t notice or realise that when we start a document and every time we reopen, revise, or print it, additional partial or complete copies may be automatically made. We also don’t generally realise that when a document or a file is deleted, it doesn’t just go away. In fact, very little happens to it. A deleted document may be recoverable even years later.

That’s not just true for documents – with internet history, hundreds of thousands of web and network visits stick around for years after the history seems to have been deleted, even when we are using “incognito” or privacy modes. We rarely find fewer than a hundred thousand deleted history entries when we go looking for them. These very same web visits automatically download many files, often photographic images, into the computer’s cache, which similarly can stick around for years.

How often do you think cases are impacted by false claims of ‘losing data/files’?

Happens all the time. I don’t have a particular statistic on it, but a significant percentage of cases I take include recovering lost data – whether done purposely or accidentally. In many cases, the user doesn’t even know that such data existed. In others, there are outrageous actions that intentionally try to lose the data.

In more than one case I’ve had, the user has actually thrown away the computer or the computer’s disk drive.

In another, the user reformatted the computer with a different type of file structure, then wrote a boatload of data to it. We still found the incriminating data, however.

In yet another case, I was scheduled to go to a site to forensically image a dozen computers. They needed to delay the time for my arrival by three days. Once I reviewed the data, I saw a log of the thousands of files they had been trying to shred in the three days that they had delayed letting me show up.

Spoliation of data can be a big problem. Missing data can, of course, make it difficult to winnow out the truth. But the very fact of purposefully destroyed data can result in sanctions for the side spoiling the evidence. In more than one case, the discovery of an act of spoliation lost the case for the spoiler.

From the above, what are signs that those claims are false?

From a forensic perspective, a sign that the claims are false is when the data exists, as it often does. Pretty much all documents start on a computer. The making, editing, printing, and otherwise accessing of these documents leaves many unnoticed and invisible traces behind. Forensic techniques can bring those documents or artefacts to the surface.

Are there any regulations which can block the process of you and your team locating deleted files?

Not regulations so much as agreements between the parties. Typically, in order for the team to be allowed to investigate, the parties involved agree to a stipulation that limits the team to specific types of searches or procedures. If the devices containing the evidence are instead ordered by the judge to be produced, there still are likely to be limits to what we can search for. In some cases, we are required to act as the gatekeepers of the evidence, producing only responsive data no matter who has hired us or is paying us. If additional data is drawn out besides what was required in the stipulation, there is a “clawback” provision that keeps it out of evidence.

You have worked on cases determining fake documents: how is this determined? How can such a result impact legal cases?

In many cases, one side will present electronic evidence that is only a purported scan or printout of an email or another document, without providing the underlying actual electronic evidence. We forensic guys barely consider that to be evidence. The underlying headers of email contain Message IDs and the names and IP addresses of the mail servers traversed on the way from sender to recipient. Tracing these back can show fakery.

There was one case where we had only a scanned document that was purportedly a printout of an email. It was hard to find what was underlying it, until we noticed that the time/date header said PDT (Pacific Daylight Time) on a date that was actually in PST (Pacific Standard Time).
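The time-zone check Steve describes can be automated against a message's own headers. The example below is added here and is not code from the article or from Burgess Forensics; it works on a constructed sample message, assumes the US daylight-saving rule in force since 2007, and also lists the relay names and IP addresses from the Received headers as a starting point for tracing the path back to the sender.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message): the Date header is stamped
# -0700 (PDT) on a January date, when Pacific time is on PST (-0800).
CONSTRUCTED_EMAIL = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Tue, 15 Jan 2019 09:15:02 -0800 (PST)
Received: from client.example.net (client.example.net [198.51.100.7])
\tby mail.example.net with ESMTPSA id def456; Tue, 15 Jan 2019 09:14:59 -0700 (PDT)
Message-ID: <constructed-0001@example.net>
Date: Tue, 15 Jan 2019 09:14:59 -0700 (PDT)
"""

def _nth_sunday(year, month, n):
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def pacific_utc_offset_hours(instant):
    """Offset Pacific time really used at this instant (US DST rule since 2007)."""
    utc = instant.astimezone(timezone.utc)
    start = _nth_sunday(utc.year, 3, 2).replace(hour=10, tzinfo=timezone.utc)  # 02:00 PST
    end = _nth_sunday(utc.year, 11, 1).replace(hour=9, tzinfo=timezone.utc)    # 02:00 PDT
    return -7 if start <= utc < end else -8

def check_date_header(raw):
    """Compare the Date header's zone label and offset with real Pacific time."""
    value = message_from_string(raw)["Date"]
    when = parsedate_to_datetime(value)
    m = re.search(r"\((PST|PDT)\)\s*$", value)
    if not m:
        return []  # not labelled Pacific; nothing to compare against
    label, actual = m.group(1), pacific_utc_offset_hours(when)
    expected = "PDT" if actual == -7 else "PST"
    findings = []
    if label != expected:
        findings.append(f"label {label} but Pacific was on {expected} on {when.date()}")
    if when.utcoffset() != timedelta(hours=actual):
        findings.append(f"offset {when.strftime('%z')} but Pacific used {actual:+03d}00")
    return findings

def received_hops(raw):
    """(host, ip) of each relay named in Received headers, oldest hop first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = re.search(r"from (\S+) \(\S+ \[([\d.]+)\]\)", " ".join(value.split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops
```

A printout or scan cannot be checked this way; the comparison needs the original message headers, which is why the underlying electronic evidence matters.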

With added concerns of cybersecurity and data placement, can you share what you predict you will be instructed on in Courts?

Generally, we are instructed to dig deeper to find what may have been compromised. Computers contain many logs that are helpful in putting together a picture of what happened. There are records of successful remote logins and of unsuccessful remote logins. There may be IP addresses embedded in malware install files that have been deleted but are recoverable. There may also be IP addresses embedded in remote access logs or VPN (Virtual Private Network) logs. And of course, there’s malware galore.

Are phones and mobile devices a significant part of your work?

Yes. More and more over the past 10 years, mobile devices are significant parts of evidence, especially in Criminal Law and Family Law.

It’s easy enough for an officer to grab a phone from a suspect and take it to a local FBI or local law enforcement kiosk and suck everything off of it. Various jurisdictions limit what can be reviewed because our whole lives might be on there. Because it just fits in our pocket, we often don’t realize we’ve got a portable supercomputer with large amounts of storage that we’re carrying around with us. My iPhone holds more than 25,000 times the data of the first hard drive data recoveries I did at the beginning of my career.

I would say that mobile devices are involved in more than half of the criminal defence cases I see these days.

And of course, a philanderer may have the names, phone numbers, photos, and conversations with his or her extracurricular love interest sitting right there, inches away from their spouse. It doesn’t take much to review all of that incriminating – and often racy – information.

What does the future hold for digital forensics and testimony?

I think we will see smarter and smarter programs automating more and more of the process of discovery. Artificial intelligence will make inroads into the tools we use.

When I began in this career, everything was manual – we had to search for individual letters and punctuation across 10 million bytes. But hard drives now hold trillions of bytes and a manual search of modern storage devices and complex data structures would take half of forever, so more advanced tools are necessary.

But pressing a button isn’t all that is involved. The expert witness will need to understand the underlying operating systems and structures, how the forensic programs derive their results, and to be able to explain them in simple enough terms for attorneys, judge, and jury to understand. I expect we’ll have human experts in the courtroom for a long time to come.

Steve Burgess

Burgess Consulting and Forensics

3421 Empresa Drive, Suite B

San Luis Obispo, CA

866-345-3345 / 805-349-7676

steve@burgessforensics.com

I’m Steve Burgess, President of Burgess Consulting and Forensics.

Personally, I’ve written and spoken widely and contributed the comprehensive Computer Forensics section to the text, “Scientific Evidence in Civil and Criminal Cases (5th edition),” by Moenssens, et al. Many of our written and video articles can be found in various legal journals as well as on the BurgessForensics website at http://burgessforensics.com/articles.php and on YouTube.

I am deposed and qualified as an expert witness in State, municipal and military courts, and labor boards in California and Texas.

Steve’s company has performed data recovery, electronic data discovery and forensic analysis on more than 15,000 hard disks and other digital media for firms and individuals in 22 states and several countries.

One successful recovery for the World Security Council resulted in improved negotiations and breakthroughs in George H.W. Bush’s summits with Mikhail Gorbachev.

The company mentors students and entrepreneurs in Santa Barbara and San Luis Obispo Counties, including Californian Polytechnical Institute students and local high school teams. They also participate in Startup Weekends in Santa Barbara and San Luis Obispo Counties, mentoring, coaching, and judging.