As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, e-discovery, and cybersecurity service provider.
The Vestige team that you know and trust will continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow us to serve you and your clients even better.

It’s the 11th hour…do you know where the evidence supporting your case is?


Senior Director, Digital Forensic & E-Discovery
BS, EnCE, DFCP

It is unfortunate that the start of the NFL season is marred by the tragedy involving former Baltimore Ravens running back Ray Rice. However, that story provides two very good lessons for those of us in the electronic discovery and digital evidence world.

For those of you who haven’t been following the story, back in the spring a video was released showing Rice dragging his then fiancée out of an elevator. He had struck her and knocked her out. The prosecutor gave him a suspended sentence and the NFL suspended him for only 2 games, much to the dismay of the public.

Just this week a new video emerged. This video showed Rice striking his fiancée with his fist in the elevator. Outrage ensued and he was cut from the team and suspended indefinitely. The NFL responded to the cries of cover-up by saying it had not seen that video.

Taking actions without having all of the evidence is a recipe for disaster. Either your action was too light or too harsh. This advice is very appropriate when talking about electronic discovery and digital evidence.

Do you have all of the appropriate sources of relevant data? What process have you undertaken to identify all of those relevant sources and are you ready to testify to that process? Have you processed the data existing on those devices properly? Who is going to attest that you were thorough in this regard and met the standards set by the courts?

Computers, cell phones, tablets, digital recorders, memory sticks, USB devices, internet email accounts, social media accounts, cloud accounts, gaming consoles, websites, etc. commonly come into play these days in a variety of investigative matters. Investigative matters include: bankruptcy, class actions, compliance, contract, criminal, defamation, legal discovery, domestic relations, employee terminations, fraud, harassment, improper use of corporate assets, intellectual property infringement, internal investigations, malpractice, negligence, intellectual property theft, shareholder disputes, wage disputes, workers compensation and wrongful death claims.


It is almost inevitable that during the course of electronic evidence discovery something takes a wrong turn. I have sat on countless phone calls where someone represents that backups occur at specific times, items have been placed on litigation hold and other claims regarding the data. The experienced teams are the ones that dig into those claims and document what really is taking place. Finding out that information up front allows the team more time to plug the gaps by collecting other data before it goes away.

Not only do you need to have devices (computers, cell phones, social media, emails, etc.) properly identified and collected, but you also have to consider whether you have looked in all the right places in that evidence. When working on an investigation, keyword searches often uncover just some of the misdeeds. Performing a digital artifact analysis on a computer can provide much more.

What is an artifact analysis? At a high level an artifact analysis examines the data left behind on a computer after an action is taken. Maybe that action was plugging in a USB drive and transferring data. Maybe it is accessing a website that turns out to be a repository for relevant data. Artifacts are also used to trace when documents are opened, created, located and how long the document has been edited. Artifacts show what searches someone performs on the web and what types of personal email addresses someone is using. Artifacts also tell us when that iPhone was reset or whether someone is deleting documents from their computer.

The artifact analysis is often done by trained forensic analysts who spend a good portion of their time studying how a computer works and the data left behind by various actions. The analyst knows where to look for the answers and how to properly interpret the data presented. Computers don’t just come out and say “Bob plugged in a Seagate drive with a 1 TB capacity on April 1, 2014 at 8:53 AM”. If it was that easy, we’d all have Staples “That was Easy” buttons on our desks. No, instead extensive observation and testing is conducted in order to take the artifacts from being an entry into a log file or registry key to a human understandable action.
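To make the step from log entry to human-understandable action concrete, here is an added example (not code from Vestige or from the original article) that reads a device-install entry and reports what it does and does not establish. It assumes the entry layout Windows 7 and later write to setupapi.dev.log; the sample entries, the serial number and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of C:\Windows\INF\setupapi.dev.log (not from a real system).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Seagate&Prod_Expansion&Rev_0636\NA4KEXAMPLE&0]
>>>  Section start 2014/04/01 08:53:12.345
<<<  Section end 2014/04/01 08:53:14.101
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C077\5&2a1b3c4d&0&2]
>>>  Section start 2014/04/02 09:10:00.000
<<<  Section end 2014/04/02 09:10:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - USBSTOR\\"
    r"(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"(?:&Rev_(?P<rev>[^&\\]*))?\\(?P<instance>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+")


def usb_storage_installs(log_text):
    """Return one dict per USB mass-storage install section found in the log."""
    events, pending = [], None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:
            m = HEADER.match(line)  # a non-storage device header clears the state
            pending = m.groupdict() if m else None
            continue
        s = START.match(line)
        if s and pending:
            # The log stores local time without a zone, so the value stays naive.
            pending["first_install_local"] = datetime.strptime(s.group(1), "%Y/%m/%d %H:%M:%S")
            inst = pending.pop("instance")
            # '&' as the second character marks an ID Windows generated itself:
            # the device reported no serial, so it cannot be tied to one unit.
            pending["serial"] = None if inst[1:2] == "&" else inst.rsplit("&", 1)[0]
            events.append(pending)
            pending = None
    return events


def describe(event):
    """Turn one parsed record into the plain statement an examiner would report."""
    serial = event["serial"] or "no device serial"
    return (f"{event['vendor']} {event['product']} (serial: {serial}) first installed "
            f"{event['first_install_local']:%Y-%m-%d %H:%M:%S} local time; "
            "user and drive capacity are not in this artifact")
```

The entry alone yields make, model, serial and first-install time on that machine; the "Bob" and "1 TB" parts of the statement have to be corroborated from other artifacts.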

Is an artifact analysis necessary for every e-discovery matter? Certainly not. However, the cases that call for some type of artifact analysis but do not have one performed are the cases that often end up turning to battling arguments of spoliation, trickery and deceit instead of the merits of the case. Employment cases are the ones that come to mind.

Right now the NFL is battling questions of what they knew and when they knew it. More specifically, were they turning a blind eye to the real problems in the hopes that the public would not find out what those problems were?

How that relates to e-discovery is simple and ties in with what you have been reading over the last few minutes. Inevitably, as you get your hands around the evidence with your client, you may find holes or gaps in that evidence. It is also possible that, surrounded by a team consisting of the client and counsel advocating for the client, you may suffer from a myopic point of view as to any issues you may have. Having someone from the outside take a look at the situation early may head that off.

Vestige was involved in a matter years ago involving some emails. The client had one of the more popular email archiving applications. When employees left the company, their mailbox was removed to free up system resources. The thinking was that all of the email was in the archiver. That thinking was correct, but what the client didn’t contemplate was that the archiver just captured the emails. The archiver didn’t track whether the email was ever read or not, nor did it track in what folder the custodian filed the email. Those questions ended up being rather important to the case. Not having the answer early made for some more expensive work done later.

As we often discuss on our blogs, having your hands around your evidence early, along with getting answers to your questions about the data early, can go a long way to preventing problems in the future. Having an outside eye, even for just consulting or providing quality assurance, can provide comfort that you are on the right path.

by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations