Most litigation support staff understand the basic challenges of electronic
discovery. However, while many forensic methods are used in e-Discovery,
computer forensics is a unique discipline.
“[F]orensic science is the application of a scientific discipline to the law,
the essence of all forensic disciplines concerns the principles applied to the
detection, collection, preservation, and analysis of evidence to ensure its
admissibility in legal proceedings. Computer forensics refers to the tools and
techniques to recover, preserve, and examine data stored or transmitted in
binary form.”
— Kenneally, Erin, “Computer Forensics,” The Magazine of Usenix & Sage,
August 2002, Volume 27, Number 4
This article focuses on the practical issues litigation support professionals
face when computer forensics techniques and analysis are required. Computer
forensics has almost always been confined to criminal cases, but it can be very
useful in civil cases as well. The biggest mistake litigation support personnel
make in evaluating their need for forensics is looking to their internal IT
departments for forensic support.
Understanding Where Forensics Will Be Useful
(a) Collections. In the context of civil litigation, computer forensics is most
frequently used in the collection of evidence. Forensics experts are trained in
acquisition methods that ensure the authenticity of evidence. The mere act of
turning on a computer causes information to be written to the computer’s hard
drive. The forensics expert gathers the information from the computer using
special hardware and software tools (write blockers and imaging software) that
ensure no changes are made to the data stored on the computer. In many
litigation matters, evidence is collected by in-house IT staff rather than by
forensics experts. This method of collection always results in the loss of some
metadata. That metadata is not always material to the lawsuit; however, the
best way to ensure that collected evidence is forensically sound and admissible
in court is to have it collected by forensics experts or by technicians trained
in forensic acquisition methods. The EDRM (Electronic Discovery Reference
Model) does not specifically require forensic collection, but forensic
collection – whether of a full hard drive or simply of logical files – works
well for the collection phase of the EDRM.
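The metadata loss described above can be shown on a single file. This is an added example, not code from the article: it records a constructed sample file's hash, size and modification time, then collects it both the way an untrained collector usually does (a plain byte copy) and with a copy that carries the timestamps across, and reports which recorded attributes each method altered.

```python
import hashlib
import os
import shutil
import tempfile
import time


def fingerprint(path):
    """Record what a sound collection must preserve: content hash, size and
    last-modified time. Access time is deliberately left out: merely reading
    the file to hash it can alter it, one reason examiners image a drive
    through a write blocker rather than browsing it."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mtime": st.st_mtime}


def naive_copy(src, dst):
    """What an untrained collector typically does: copy the bytes only."""
    shutil.copyfile(src, dst)


def metadata_preserving_copy(src, dst):
    """Copy the bytes plus timestamps and permission bits (shutil.copy2)."""
    shutil.copy2(src, dst)


def changed_fields(before, after):
    """Names of the recorded attributes that no longer match."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    """Constructed sample: one backdated file, collected both ways."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "memo.txt")
        with open(src, "w") as f:
            f.write("constructed sample evidence, not a real document\n")
        month_ago = time.time() - 30 * 86400
        os.utime(src, (month_ago, month_ago))  # backdate so timestamp loss shows
        before = fingerprint(src)

        naive = os.path.join(workdir, "naive.txt")
        naive_copy(src, naive)
        preserved = os.path.join(workdir, "preserved.txt")
        metadata_preserving_copy(src, preserved)

        return (changed_fields(before, fingerprint(naive)),
                changed_fields(before, fingerprint(preserved)))


if __name__ == "__main__":
    naive_diff, preserved_diff = demo()
    print("plain copy altered:", naive_diff)                   # ['mtime']
    print("timestamp-preserving copy altered:", preserved_diff)  # []
```

Even the second method preserves only what the operating system's stat call exposes; ownership, NTFS creation times, alternate data streams and slack space are still lost, which is why a full forensic image is preferred when those may matter.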
(b) Analysis. Forensic analysis can obtain considerable information from a hard
drive. It is often possible to recover deleted files, and in many cases even
deleted and reformatted partitions. The date a file was created and by whom,
when it was changed, whether it was copied to an external drive, and whether it
was sent by email are all potentially recoverable. Forensic techniques can often
identify and break encryption, or find information that was deliberately hidden
with tools such as steganography (hiding documents inside pictures). In addition
to criminal cases, forensic analysis can be useful in a number of civil cases,
particularly where fraud is alleged, where timing is critical, or where lost
documents are needed. Forensic analysis can be very useful in cases of
intellectual property theft and in actions for wrongful termination.
Finding Forensic Experts
Most litigation support personnel are very familiar with methods for finding
experts. One additional consideration for forensics is forensics-specific
certifications. There are a number of certifications, both third-party and from
vendors. The Computer Forensics Certified Examiner (CFCE), for law enforcement
personnel, and the Computer Certified Examiner (CCE), the equivalent of the
CFCE for non-law-enforcement personnel, are respected vendor-neutral
certifications. Another frequent certification is the Global Information
Assurance Certification Certified Forensics Analyst (GIAC-GCFA), which is
primarily connected to the SANS Institute programs. The EnCase Certified
Examiner (“EnCE”) is a vendor certification, but it is well regarded because it
involves both a written and a practical exam and because EnCase is the most
frequently used forensic acquisition and analysis software.
Understanding the Limitations of Computer Forensics
Many forensics experts fear the “CSI Effect”: the belief, picked up from
watching CSI on TV, that forensics is infallible and instantaneous. On CSI the
forensic analyst turns on the computer, guesses the password as the suspect’s
daughter’s name, and magically all data on the computer is easily accessible.
Computer forensics is incredibly powerful in its own way, but it is often
painstaking and tedious. The analyst often must spend hours studying a hard
drive, looking at hexadecimal dumps and counting bits and bytes forward and
back, in order to find the hidden information. If a password is involved and it
is cracked, that is usually just a starting point for the investigation.
Understanding That IT is Not Computer Forensics
Because forensics is a discipline of its own, IT staff are not likely to be
forensically trained. Many times the IT staff will want to look at a hard disk
with data recovery tools, but they are not forensics analysts. One of the ways
evidence is often damaged is when IT staff start poking through disks without
using write blockers. IT staff lack the training to get the information while
leaving the original intact, and they lack the training to do in-depth
analysis. They may know quite a bit about file systems, but they are unlikely to
have had the in-depth training in all the virtual crevices of a hard drive that
is the province of a forensic analyst.
Conclusion
Whether used as part of e-Discovery or as a key tool in proving a case,
computer forensics can be extremely valuable in litigation. The key is to use
forensic collection methods, to be aware of what forensic analysis can and
cannot provide, and to make use of the right experts.