Computer Forensics

Essay by Ralph Losey

Computer forensics is one of the most interesting, yet least understood areas of e-discovery. Using the Sherlock Holmes analogy, we will explore the Definitions and Limits of Computer Forensics, Forensic Copies and Forensic Examinations. Although forensic discipline should always be applied in e-discovery procedures, forensic exams of computers should be done sparingly. For more information try the audio webinar CLE I did for West Legalworks with John Patzakis, J. William Speros and Michael Michalowicz.

Sherlock Holmes in the 21st Century

If Sherlock Holmes were alive today, he would surely be a master of computer forensics. Just as he sometimes used his chemistry set in the 19th Century to analyze clues, today he would use forensic software to examine digital devices. Holmes would know how to make forensic copies of computers, iPhones, thumb-drives and other ESI storage devices, and also know when not to waste his time doing so. No doubt Dr. Watson would be amazed at what evidence he would sometimes uncover.

The forensic examination of computers is an important tool in twenty-first century detective work, but it is no panacea. Sherlock Holmes of all people would know that it is not a substitute for clear thinking and rational deductions, and is not appropriate in every case.

Lots of trial lawyers do not really understand computer forensics, and are prone to think that a full scale forensic examination of all computers is needed in every case. They want their tech-guys to make "forensic copies," work their mumbo-jumbo on each, and like Sherlock Holmes, come up with an amazing and unexpected clue that solves the case. Sometimes this fantasy comes true, but only rarely. The attempt to search every bit and byte of every computer, including the deleted files and slack space, is expensive. Most experts agree that this kind of "deep dive" forensic examination work should be done sparingly, and is not needed in most e-discovery cases. Even when a special case suggests it may be needed, such forensic exams rarely produce the killer email that wins the day. The lawyer who uses this kind of full scale forensics approach in every case is setting himself up for major disappointments and wasting his client's money.

What is computer forensics, and the related terms, forensic copy and forensic exam? Let's begin by defining "forensic copy," which is fairly simple. A forensic copy is an exact bit-by-bit copy of the entire physical storage media, including all active and residual data and unallocated space on the media. This is also sometimes called an "image copy" or "mirror image." See The Sedona Conference Glossary: e-Discovery & Digital Information Management, The Sedona Conference Working Group Series, May 2005.

A forensic copy allows for a "forensic exam" of the copy. You do not search the original because the act of searching it would in itself change it. (This is called the Heisenberg principle of computer forensics.) In a forensic exam, all of the information on a disk is carefully probed and searched, even the otherwise hidden information, the deleted files, residual data, unallocated space, corrupted files, encrypted files. In a forensic exam everything that is scientifically possible to restore and search is searched, including ESI classified as not-reasonably-accessible under Rule 26(b)(2)(B).

The definition of the more general term "computer forensics" is more challenging. It is not a specific procedure like forensic copy or exam; it is an entire field of study or scientific discipline. The National Institute of Standards and Technology special publication (SP) 800-86, Guide to Integrating Forensic Techniques into Incident Response, provides an authoritative definition of computer forensics:

. . . the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way. . . .

The NIST explains how the process of computer forensics has four basic phases:

Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.

Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.

Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.

A well known IT site provides another good definition of "computer forensics":

Computer forensics, also called cyberforensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Forensic investigators typically follow a standard set of procedures. After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy.

Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a "finding report" and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.

The Sedona Conference Glossary also defines computer forensics:

Computer Forensics (in the context of this document, "forensic analysis") is the use of specialized techniques for recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel, and generally requires strict adherence to chain-of-custody protocols.

A recent commentary by forensic expert Ken Zatyko in Forensic Magazine focused on the difficulty of defining what he called "digital forensics," which for purposes of this article I consider equivalent to "computer forensics." Ken Zatyko is a recently retired Air Force Lt. Colonel who was the director of the Department of Defense Computer Forensics Laboratory for many years, and is now an Adjunct Professor with Johns Hopkins University. Ken reviews several other definitions as I have done, and then settles on his own definition that he urges others to adopt:

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

This is the best definition I have seen, and my personal favorite, perhaps because it includes "validation with mathematics," a reference to my favorite subject in computer forensics, hash analysis (see, e.g., my Blog Essay, HASH, and my law review article on this subject: HASH: The New Bates Stamp). Zatyko then goes on to delineate an eight step forensics process:

1. Search authority
2. Chain of custody
3. Imaging/hashing function
4. Validated tools
5. Analysis
6. Repeatability (Quality Assurance)
7. Reporting
8. Possible expert presentation
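The "imaging/hashing function" step above, and the forensic copy defined earlier, come down to one verifiable routine: hash the original media, copy every bit of it, hash the copy, and re-hash the original to show the acquisition changed nothing. The Python below is an added illustration written for this essay, not code from Zatyko, NIST or any forensic tool vendor. It works on a constructed byte string standing in for a drive (an "active" memo followed by unallocated space still holding a deleted-file remnant), uses a hypothetical examiner name, and keeps the chain of custody as a simple list of records. It also goes one step beyond the text by contrasting the forensic image with a file-level "logical" copy, so the reader can see why only the former matches the original's hash and retains the residual data a forensic exam would search.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 64 * 1024  # stream media in fixed-size chunks so large images do not load into memory


def hash_media(path, algorithm="sha256"):
    """Hash every byte of a media file or image, chunk by chunk."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as media:
        for chunk in iter(lambda: media.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def forensic_copy(source, image_path):
    """Bit-for-bit copy of the entire source, regardless of what a filesystem would show."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            dst.write(chunk)


def logical_copy(source, image_path, active_length):
    """Copy only the 'active' region, as a file-level backup would.
    active_length is the constructed boundary of the live file data."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        dst.write(src.read(active_length))


def custody_entry(log, actor, action, path, algorithm="sha256"):
    """Append a chain-of-custody record: who did what, when, to which item, with its hash."""
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "item": os.path.basename(path),
        algorithm: hash_media(path, algorithm),
    }
    log.append(record)
    return record


def acquire(media_bytes, active_length, examiner="examiner (hypothetical)"):
    """Run the imaging/hashing step on constructed media and return what was verified."""
    log = []
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.bin")
        forensic = os.path.join(workdir, "forensic.img")
        logical = os.path.join(workdir, "logical.img")
        with open(original, "wb") as f:
            f.write(media_bytes)

        before = custody_entry(log, examiner, "hash original before imaging", original)
        forensic_copy(original, forensic)
        logical_copy(original, logical, active_length)
        forensic_rec = custody_entry(log, examiner, "hash forensic image", forensic)
        logical_rec = custody_entry(log, examiner, "hash logical copy", logical)
        after = custody_entry(log, examiner, "re-hash original after imaging", original)

        with open(forensic, "rb") as f:
            forensic_data = f.read()
        with open(logical, "rb") as f:
            logical_data = f.read()

    return {
        "original_unchanged": before["sha256"] == after["sha256"],
        "forensic_verified": forensic_rec["sha256"] == before["sha256"],
        "logical_verified": logical_rec["sha256"] == before["sha256"],
        # only the forensic image retains the deleted-file remnant for examination
        "residue_in_forensic": b"DELETED:" in forensic_data,
        "residue_in_logical": b"DELETED:" in logical_data,
        "log": log,
    }


# Constructed sample media: an 'active' document followed by unallocated
# space that still holds the remnant of a deleted file.
ACTIVE_REGION = b"MEMO: quarterly figures attached.\n" + b"\x00" * 30
RESIDUE = b"\x00" * 20 + b"DELETED: draft reply to counsel, do not send" + b"\x00" * 12
SAMPLE_MEDIA = ACTIVE_REGION + RESIDUE


def demo():
    return acquire(SAMPLE_MEDIA, len(ACTIVE_REGION))


if __name__ == "__main__":
    result = demo()
    for entry in result["log"]:
        print(f'{entry["action"]:<32} {entry["sha256"][:16]}...')
    print("forensic image verified:", result["forensic_verified"])
    print("logical copy verified:", result["logical_verified"])
    print("deleted remnant recoverable from forensic image:", result["residue_in_forensic"])
```

The same hash on the original before and after imaging is what lets an examiner testify that the acquisition was non-destructive, and the matching hash on the image is the "validation with mathematics" that makes every later exam of the copy attributable to the original. A real acquisition would use a write blocker and a validated imaging tool rather than ordinary file reads, but the verification logic is the same.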

The various definitions make clear that "computer forensics" is a disciplined, scientific approach to electronic discovery and evidence validation. Computer forensics in this general sense should be followed whenever electronic evidence is involved in a legal proceeding, which in today's world means almost every case. In that sense, the trial lawyer may need a person familiar with computer forensics on every case to supervise e-discovery activities. Trial attorneys must be able to verify that proper procedures, authenticity and chain of custody were followed in order for the ESI discovered to be admissible as evidence at trial. This is, however, a far cry from a full scale Sherlock Holmes forensic examination of all computers. It is important for attorneys to understand the difference between forensics as a general discipline to lay a proper predicate for evidence, and forensic copying and forensic examinations as particular applications of this discipline, applications that are not necessary in every case.

forensics evidence marked and ready for admission into evidence

One person who has a good grasp on this difference is John Patzakis. He is the General Counsel of Guidance Software, makers of EnCase, the forensics software tool used by over 80% of computer forensics experts. Although it might be tempting for him to push the over-use of forensics, he does not do so. John Patzakis was interviewed in 2007 by Forensic Focus, a website for "computer forensics news, information and community." John's interview provides some good advice on the prudent and restrained use of computer forensics in e-discovery.

In general, eDiscovery tends to involve a "computer forensics like" approach, if you will, where aspects of traditional forensics such as chain of custody, metadata recovery and preservation, documentation and reporting and an overall defendable process are central requirements. Aspects of traditional forensics that are generally not as important include full disk imaging, deleted file and file fragment recovery, and deep dive analysis involving various artifacts.

This reference to "traditional forensics" is what most people think of when they hear "computer forensics," the expensive CSI type criminal investigations, where computer disks are imaged, and forensic exams are performed to restore and search deleted files, fragments, Internet cache, slack space, memory, and the like. A diagram providing a simple overview of the forensic examination process using EnCase software is shown below.

EnCase Forensics diagram

John Patzakis has written a very comprehensive treatise on electronic discovery law related to his company's software tools and forensic related issues called the EnCase Legal Journal (April 2007). At 143 pages and 446 legal citations, this is not your typical vendor white paper, and is well worth reading and using as a reference. Section 9.5 of the Journal is entitled "Cost-Effective Searching of Data." It pertains to my original point that many trial lawyers tend to over-use computer forensics and seek full-disk imaging and other "deep-dive" analysis in every case.

Collection and preservation of ESI must incorporate a defensible process that accomplishes the objective of preserving relevant data, including metadata, and establishing a proper chain of custody. With the right technology, these results can be achieved without full-disk imaging. However, full-disk imaging and deleted file recovery are emphasized by many eDiscovery vendors and consultants as a routine eDiscovery practice. While such deep-dive analysis is required in some circumstances, full-disk imaging is unwarranted as a standard eDiscovery practice due to considerable costs and burden. Large-scale, full-disk imaging is burdensome because the process is very disruptive, requires much more time to complete, and, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. . . .

Generally, courts will only require that full forensic copies of hard drives be made if there is a showing of good cause supported by specific, concrete evidence of the alteration or destruction of electronic information or for other reasons. Balboa Threadworks, Inc. v. Stucky, 2006 WL 763668, at *3 (D. Kan. 2006). However, "[c]ourts have been cautious in requiring the mirror imaging of computers where the request is extremely broad in nature and the connection between the computers and the claims in a lawsuit are unduly vague or unsubstantiated in nature." Ameriwood Industries, Inc. v. Liberman, 2006 WL 3825291 (E.D. Mo. Dec. 27, 2006).

I wrote about the Ameriwood case in my essay, Employer Allowed to Mirror Employee's Home Computers and Obtain Inaccessible ESI. Ameriwood was one of the first decisions in the country to employ the new inaccessibility analysis under Rule 26(b)(2)(B). Although the court in Ameriwood was cautious, it decided to allow the employer to make a forensic copy of the employee's computer, and search for otherwise inaccessible ESI, the deleted files and slack space. The court only allowed this kind of forensic imaging because the employer had made a special showing of good cause under Rule 26(b)(2)(B). The general rule is to be cautious and not allow such forensic exams absent a showing of good cause. Good cause can come in a variety of forms, but usually arises from suspicious circumstances that suggest spoliation, such as a story of a midnight hacker erasing all of your files, or the loss of a laptop with all of your records just before a deposition duces tecum.

In another case, Hedenburg v. Aramark American Food Services, 2007 U.S. Dist. LEXIS 3443 (W.D. Wash. Jan. 17, 2007), the court applied the general rule and denied the application for a forensic exam. The employer requesting the forensic imaging did not provide good cause as required under Rule 26(b)(2)(B). I wrote about Hedenburg in my prior blog Forensic Fishing Expedition Rejected. This is an employment discrimination case where the employer wanted a forensic copy made of the employee's personal computers. The employer proposed that the copy then be examined by a computer forensic expert serving as a special master. The employer's attorneys had an expansive view of computer forensics not warranted by the facts or the law.

In a move reminiscent of Inspector Lestrade, employer's counsel provided no good reasons for the exam, and instead argued that such exams were common in these types of cases, and might lead to important clues. The Judge rejected the proposed forensics as a mere "fishing expedition." Blind hope may be a fisherman's credo, but it will not work in court, and is no substitute for the kind of cold logic and reasoned analysis made famous by Sherlock Holmes.

For more information check out the audio CLE I did for West Legalworks entitled: E-Discovery and Computer Forensic Investigations 101: When Does Your Case Warrant the Full "CSI" Treatment? With me on the panel for this 1.5 hour webcast were J. William Speros, Consultant and Principal, Speros & Associates LLC; Michael Michalowicz, Associate Director, Protiviti; and John Patzakis, Vice Chairman and Chief Legal Officer, Guidance Software.
