Are you Using it?
Purpose: This paper will describe the steps that one would need to take to preserve, analyze and present findings regarding deleted data. It is meant to inform both attorney and client on the need for deleted data in cases.
Disclaimer: I am not a lawyer. This writing is not meant to be legal advice on any case, rather it is meant to inform the attorney and the client about the use of deleted data in civil cases. Every case is different and requires specific tasks and objectives to find and present the evidence of the case.
Deleted data is used by law enforcement daily for felony crimes. It is almost second nature to look to the deleted data to help make a case. It is the backbone of computer forensics. On the flip side of the legal world, in civil cases, deleted data seems to be commonly overlooked. It is this topic, the absolute necessity of deleted data in civil cases, that I wish to address.
Deleted data can be almost anything that once resided on a memory-based device: pictures, videos, PowerPoint presentations, documents, audio files, call logs, text messages, emails, and the list can go on and on. Attorneys know that when you want electronic data from opposing counsel, you must make sure it isn’t destroyed, by sending a preservation letter. This is a no-brainer for attorneys, but it is worth mentioning.
Your preservation request can’t ask for everything electronic. Most judges will see this as burdensome, not to mention it can look like you are gearing up for a fishing expedition in the case. Your preservation request needs to be targeted and specific. If you are going after deleted data, you will want to request a full physical forensic image of the hard drive of the computer in question. If it’s an Android cell phone, you will want to request the following three images: logical, file system and physical (where applicable). If it’s an Apple device, you will want to request logical, file system, method one and method two images. Other items to request include smart watches, USB drives, email accounts, GPS devices, voice recorders, cloud-based accounts and any external hard drives that have been plugged into the computer in question; these would all be a good starting point. It is important to always request the metadata as well. This can be redundant, but it ensures that you receive everything in an electronic format and shows that you will be examining the metadata in the case. I have assisted in crafting many preservation letters to ensure that they are specific enough to show that we know our target, but broad enough to ensure that we are not missing anything.
Data collections are a key component in your case. Do it wrong and the evidence can be thrown out. Do it wrong and key metadata can be irreversibly altered, potentially destroying your case.
Data collections need to be performed by an independent third party. Having your client’s IT staff collect the data can present a conflict of interest. Most of the time they also do not possess the tools and skills to do this properly, despite how great they are at configuring a firewall for the office. Data collections can take place for computers, email accounts, cell phones, tablets, social media accounts, and the list can go on and on. Making sure the data is collected correctly is key to finding and using deleted data in your case.
Analyzing the Data
This is the second most important part of the entire process. Analyzing the deleted data is going to be the key to your success and can greatly enhance the electronic discovery process that most attorneys are used to. I have often thought that if the evidence in a case were critical, it would likely be deleted. It is human nature to hide what we don’t want discovered. It’s no different in electronic evidence. To reduce the forensic examiner’s time and fees, the more you can tell the examiner, the better. Dates, search terms, type of document, timelines and websites can bring you closer to the deleted truth. I have personally seen deleted data be front and center as the crux of multiple cases. The data tells a story, and reconstructing that story normally requires deleted data and the standard data you would find in your electronic discovery review.
Deleted data can reside in multiple places on a computer. It is important not only to find it, but also to be able to explain why it was found in a certain area of the computer. Piecing together the puzzle can go rather quickly in many circumstances. Today computer forensic software has evolved to allow the examiner to perform multiple tasks in a fraction of the time it used to take. Deleted data can uncover photos, videos, previous versions of documents, web history, chat logs and, my personal favorite, deleted text messages, to name a few.
Presenting Your Findings
This is the most important aspect of dealing with any type of data. Whether it is in a written report, deposition or in court, the ability to present the data can make or break a case. I know many people in my industry that are excellent forensic examiners, but terrible at writing and even worse at speaking to people on the topic. I have read reports from experts that had no place in my daughter’s 8th grade English class, let alone handing over a professionally scripted paper.
For example, I could say, “The deleted data was found within the MFT and it held the EXIF data needed along with the timestamp found to lead us to believe that this was deleted after the time of the preservation order was given.”
Or you could say, “The deleted data was found in what is called the MFT. It stands for Master File Table. Think of it as a card catalog in a library that can direct you to everything in the library you wish to find. When we delete something, the MFT will hold onto the data even though it has been deleted. Part of that data is known as metadata, which simply means data about data. EXIF data is part of the metadata and refers to the GPS coordinates that are captured by different electronic files when they are created. The time stamp we identified as part of this piece of evidence was created after the preservation order went into effect and was then deleted based on where it was found within the forensic image that was examined.”
Obviously, it’s still a mouthful, but it allows for an explanation of terms normally only used by myself and my nerdy digital colleagues.
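For readers who want to see what the MFT retains, the following is an added example, not part of the original paper or any forensic tool's code. It parses one NTFS FILE record and reports whether the record is still marked in use, the file name, and the last-modified time, then compares that time to an order date. The record is constructed inline, and the file name, the dates and the function names are hypothetical; a real record also needs its update-sequence fixups applied before parsing, which this sketch skips.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # NTFS FILETIME epoch

def build_sample(name, modified, in_use):
    """Constructed 1024-byte FILE record (sample input, not real evidence)."""
    ticks = int((modified - EPOCH).total_seconds()) * 10_000_000
    ts = struct.pack("<4Q", ticks, ticks, ticks, ticks)
    si = ts + bytes(16)                                     # $STANDARD_INFORMATION
    fn = (struct.pack("<Q", 5) + ts + bytes(24)             # $FILE_NAME
          + bytes([len(name), 1]) + name.encode("utf-16-le"))
    body = b""
    for atype, content in ((0x10, si), (0x30, fn)):
        pad = -len(content) % 8
        body += struct.pack("<IIBBHHHIHBB", atype, 24 + len(content) + pad,
                            0, 0, 0, 0, 0, len(content), 24, 0, 0) + content + bytes(pad)
    body += struct.pack("<I", 0xFFFFFFFF)                   # end-of-attributes marker
    head = struct.pack("<4sHHQHHHHII", b"FILE", 0, 0, 0, 2, 1, 56,
                       int(in_use), 56 + len(body), 1024)
    return (head.ljust(56, b"\x00") + body).ljust(1024, b"\x00")

def parse_record(rec):
    """Return the in-use flag, file name and last-modified time of one record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)       # first attribute, flags
    out = {"in_use": bool(flags & 0x01), "name": None, "modified": None}
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if rec[off + 8] == 0:                               # resident attribute
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            if atype == 0x10:                               # modified time at +8
                t = struct.unpack_from("<Q", rec, c + 8)[0]
                out["modified"] = EPOCH + timedelta(microseconds=t // 10)
            elif atype == 0x30:                             # name length at +0x40
                n = rec[c + 0x40]
                out["name"] = rec[c + 0x42:c + 0x42 + 2 * n].decode("utf-16-le")
        off += alen
    return out

def modified_after_order_then_deleted(rec, order_date):
    """True when the record is no longer in use and was modified on/after the order."""
    info = parse_record(rec)
    return not info["in_use"] and info["modified"] >= order_date

ORDER = datetime(2020, 3, 1, tzinfo=timezone.utc)           # hypothetical order date
SAMPLE = build_sample("contract_v2.docx",
                      datetime(2020, 3, 9, 14, 30, tzinfo=timezone.utc), False)
```

The record itself carries no deletion time; the inference is that a file modified after the order date and no longer in use must have been deleted after that modification.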
Deleted data is crucial in many applications of civil cases from family law, employment, intellectual property and corporate to insurance and securities to name a few. It is best to involve your forensic expert early when you start the discovery process. The best-case scenario would be to have your forensic expert and your electronic discovery vendor be the same entity, or companies that work closely together.