Let’s imagine a common scenario — an employee decides to leave a company they have spent many years with to move to a direct competitor down the street. Management begins to suspect the employee may have taken proprietary company information with them — for salespeople, that might mean client lists and pricing spreadsheets. For engineers, that could mean CAD files or software code. Regardless, when employee theft of digital assets is suspected, it is essential that the company takes proactive steps to preserve digital evidence to aid subsequent investigations. And, just as importantly,
As an attorney, you need to have a good understanding of the principals of digital forensics and e-discovery so that you can effectively advise your clients and guide initial discovery efforts. The purpose of this article is to provide seven important
So, let’s move forward with the scenario described above — it’s Monday morning, and you receive a call from your corporate client. They have strong suspicions that their former employee took proprietary company information with him. The company has the
#1: Do: Isolate the computer
The absolute first thing you should advise your client to do is to isolate the computer in question. If it is already off, leave it off. The laptop should be stored in a secure location and steps should be taken to ensure that no one powers it on. If the machine is already on, we advise that you disconnect the computer from the network and leave it on until you can get instructions from a digital forensics examiner. Again, make sure that no one interacts with the machine.
Most people don’t realize that the act of booting up or shutting down a computer can affect hundreds of files as the operating system engages in a set of housekeeping tasks when transitioning power states. Metadata can be updated, caches may be purged, and unallocated space can be overwritten.
#2: Don’t: Ask the IT department to help
Just because your client has a competent IT department doesn’t mean they should be engaged to look for evidence. Even the most well-meaning examination of the computer will alter the data on that hard drive. Opening, reviewing, or copying files can modify crucial underlying metadata that will affect the quality of the discoverable evidence. At this point, performing a search on the employee’s computer is like trampling around in an active crime scene.
You need to protect the integrity of the computer data. Before you do any search, a forensic copy of the computer’s hard drive must be created. That leads us to step #3.
#3 Do: Call your digital forensics professional
As early as possible, you need to engage a digital forensics professional. Your digital forensics professional will provide you with immediate guidance on the next steps in the process. They will let you know what you need to do with the digital device in question.
Your digital forensics professional has specialized hardware and software tools that allow them to capture a forensically-sound copy of the targeted hard drive; the result is an exact bit-for-bit copy of the storage device and will include all visible data as well as all hidden data located in unallocated space.
The forensic copy is preserved along with a hash value, a type of digital signature that can be used to assure that the forensic copy remains 100% faithful to the original source. Searches should be performed only on forensic copies of data.
#4 Do: Identify other potential sources of data
In today’s world, it’s not uncommon for employees to be issued additional digital devices and Internet accounts that should be preserved as well. Hardware might include USB drives, backup drives, phones, tablets, and other smart devices. Internet accounts might include cloud storage platforms like DropBox, email platforms, or collaboration software. Your digital forensics professional will have the knowledge and tools to extract information from cloud accounts better than you probably realize.
Additionally, you should catalog any recently retired digital devices. Employees periodically replace laptops and phones — you need to identify these items and determine what data may still be on these devices if they are still available.
#5 Don’t: Abdicate your responsibility for providing legal guidance
Attorneys still need to make sure they use proper ethical and legal judgment to guide
Electronic discovery can bring a Pandora’s box of issues. What do you do when you find personal files on the company-issued computer? What if you find the employee has personal accounts loaded on the laptop with login credentials intact? Having inadvertent access to an
You will need to exercise caution and make a determination about what files are fair game for electronic discovery. I would point you to an excellent article from the American Bar Association that will help you understand your ethical and legal obligations during a digital forensics investigation (See: Forensic Examination of Digital Devices in Civil Litigation: The Legal, Ethical and Technical Traps.)
#6 Do: Contain the scope and cost
It is essential to make sure that you accurately define the intended scope of the investigation with your chosen digital forensics professional before any forensics work is performed.
You may simply wish to limit examination to a cursory search of company emails. Alternatively, you may want to engage in a thorough digital archeology expedition, attempting to unearth deleted files or recover information from hidden data caches. Your digital forensics professional needs to understand your expectations and budget.
You should have a clearly defined statement of work or engagement letter that spells out what actions should be performed and make sure you have a common understanding of the costs of those services. While the scope of work may change based on initial findings (it often does), it is crucial that your digital forensics professional knows what you expect of them.
#7 Do: Enforce a chain of custody
While all qualified forensics professionals will do this already, it is your responsibility to make sure a proper chain of custody for evidence is maintained. Whenever Data Narro engages in a digital investigation, we take the necessary steps to ensure that our evidence is forensically sound and suitable for admission in a court of law. That means our tools and procedures are forensically-validated. That means we maintain
There you have it – the seven do’s and don’t of preserving digital evidence for civil litigation. This article was intended as a quick primer to help you get started thinking about digital forensics and e-discovery. Please feel free to contact Data Narro if you have any questions concerning electronic discovery, computer forensics, or e-discovery! We are helpful and friendly, always willing to help steer attorneys in the right direction.
Data Narro, LLC is