Friday, February 14, 2014

If It's Off, Leave it Off! How to Guard Against Compromising a Computer Forensic Investigation - Law

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***

The cases in this month's newsletter illustrate how improper interference with a computer or electronic data prior to forensic review can compromise an investigation and leave a party vulnerable to charges of data mishandling. In Griggs v. Harrah's Casino, 929 So. 2d 204 (La. Ct. App. 2006), the plaintiffs successfully argued that temporary data was lost when the casino technician deviated from normal protocol and turned off the slot machine. In another case, featured in last month's newsletter, Quotient, Inc. v. Toon, 2005 WL 4006493 (Md. Cir. Ct. Dec. 23, 2005), the court noted, "by the mere fact that a computer is turned on or off, the Operating System (OS) writes data to the hard disk, which could be overwriting data of possible evidentiary value."

As these cases indicate, when investigating electronic data, care must be taken to prevent even the smallest change to the evidence; otherwise an investigator may face charges of evidence tampering. Simply booting a computer or opening a file can change potentially valuable metadata: dates, times and other behind-the-scenes information about the data. Turning on a computer also changes caches, temporary files and file slack space, which, together with the altered metadata, may seriously damage or destroy any evidence that was on the computer. Turning a running computer off is just as harmful in the other direction: whatever is held only in memory (open network connections, running processes, unsaved data) is lost, and a trained examiner would want to capture that volatile data before powering down. It is therefore best to leave a computer under investigation "on" if it is "on" and "off" if it is "off" until someone trained in computer forensic best practices is able to examine the media.

Listed below are steps a forensic expert should take to prevent data from being altered or damaged through improper handling:

Secure the computer system to prevent it from being tampered with by investigators, third parties or automated processes.

Avoid analyzing data on the machine from which it was collected.

Do not run programs on a computer under investigation.

Exercise minimal interaction with original evidence.

Make exact, forensically sound copies of data storage devices.

Protect extracted data from mechanical or electromagnetic damage.

Do not change date and time stamps or alter data itself.

Do not overwrite unallocated space, which can happen simply by rebooting the machine.

Establish and maintain a proper chain of custody.
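The steps above, from "make exact, forensically sound copies" through "establish and maintain a proper chain of custody", are what a forensic examiner actually does with an imaging tool and a hardware write blocker. The following Python script is an added worked example, not code from the newsletter or from any named forensic product, showing the core of that workflow: the source is opened strictly read-only and copied bit for bit, the source stream is hashed as it is read (the acquisition hash), the finished image is hashed again independently (the verification hash), and both hashes go into a chain-of-custody record written beside the image. A re-verification step then shows why this matters: a single altered byte in the image is detected, which is exactly the kind of proof of integrity a court will ask for. The "device" being imaged is a constructed file, and the examiner name and case number are hypothetical placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read the source in 1 MiB blocks


def hash_file(path, algos=("md5", "sha256")):
    """Hash a file in one streaming pass, opening it strictly read-only."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def image_device(source, image, examiner, case_id):
    """Bit-for-bit copy of `source` into `image` with dual hashing.

    The source stream is hashed as it is read (acquisition hash); the finished
    image is then re-read and hashed independently (verification hash). Both
    go into a chain-of-custody record next to the image. In a real acquisition
    the source sits behind a hardware write blocker; opening it read-only here
    only guarantees that this program itself never writes to it.
    """
    st = os.stat(source)  # record original size and timestamps before reading touches atime
    hashers = {a: hashlib.new(a) for a in ("md5", "sha256")}
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    acquisition = {a: h.hexdigest() for a, h in hashers.items()}
    verification = hash_file(image)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "source_size_bytes": st.st_size,
        "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "image": image,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "acquisition_hash": acquisition,
        "verification_hash": verification,
        "verified": acquisition == verification,
    }
    with open(image + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image, expected_hashes):
    """Re-hash an image later (e.g. before analysis) and compare with the record."""
    return hash_file(image) == expected_hashes


def demo():
    """Constructed run: image a fake 'device' file, verify it, then show that a
    single altered byte in the image is caught by re-verification."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_device.bin")  # constructed sample, not a real device
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096))              # 3 MiB of patterned data
    image = os.path.join(workdir, "evidence_device.dd")
    # examiner and case_id are hypothetical placeholder values
    record = image_device(source, image, examiner="Examiner A", case_id="2014-0214")

    intact = verify_image(image, record["acquisition_hash"])
    with open(image, "r+b") as f:                            # simulate a mishandled image
        f.seek(512)
        b = f.read(1)
        f.seek(512)
        f.write(bytes([b[0] ^ 0xFF]))                        # flip one byte
    tamper_detected = not verify_image(image, record["acquisition_hash"])

    known = os.path.join(workdir, "abc.txt")                # known test vector for hash_file
    with open(known, "wb") as f:
        f.write(b"abc")
    return {
        "verified_at_acquisition": record["verified"],
        "verified_before_tamper": intact,
        "tamper_detected": tamper_detected,
        "sha256_abc": hash_file(known)["sha256"],
        "md5_abc": hash_file(known)["md5"],
        "custody_record_written": os.path.exists(image + ".custody.json"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to real tools. First, hashing the source stream during the copy and then re-hashing the finished image separately means the examiner can show that the image matches what was read, not merely that the image is self-consistent. Second, the custody record captures the original file's size and modification time before anything else happens, so later questions about whether the evidence was altered can be answered from the record rather than from memory.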

Failure to adhere to strict industry standards regarding data preservation can result not only in the loss of critical data, but also can undermine the credibility of any data that is recovered, potentially rendering it unreliable or inadmissible in a court of law.
