Cracking the Computer Forensics Mystery

by Christopher Wall and Jason Paroff1

Only a few short years ago, the term computer forensics was

Computer Forensics 101: What is Computer Forensics?

a mystery to most attorneys. In the digital age, however, attorneys

are discovering that a basic understanding of computer forensics
and computer forensic protocol is crucial in both civil and
criminal lawsuits. Without a doubt, most information generated
today is stored electronically. In 2002, approximately 5 exabytes
of new information was stored in print, film, magnetic, and
optical storage media. 92% of that information was stored on
magnetic media, mostly in hard disk drives.2 Because of the
increasing trend toward creating and using electronic documents,
the computer is becoming a vital point of investigation in almost
every case. Computer forensics can be essential in uncovering
twenty-first century evidence.

A. Defining Computer Forensics

Computer forensics is the who, what, when, and how of electronic
evidence. Typically narrow in scope, it attempts to reconstruct
events, focusing on the computer-based conduct of an individual
or group of individuals. The types of cases involving computer
forensics are numerous and varied from the personal (i.e.
locating hidden assets in a messy divorce case), to the political
(i.e. investigating alleged misuse of government computers for
political gain), to the dramatic (i.e. What was your clients former
employee downloading from the Internet before he was fired
and brought suit for wrongful termination?).

A recent Minnesota sexual harassment and whistleblower case is

a good example of how computer forensics technology can be
used to solve a discovery mystery.3 In Anderson v. Crossroads
Capital Partners, L.L.C., the court ordered the plaintiff to furnish
the defendant with copies of all relevant documents that existed on
the plaintiffs personal computer, including deleted or corrupted
files. Pursuant to the judges order, the defendants computer
forensic expert examined the plaintiffs hard drive and discovered
that a data wiping software application had been installed after
plaintiff had agreed not to delete any existing documents. The
court noted that the plaintiffs exceedingly tedious and disingenuous claim of naivet regarding her failure to produce the
requested discoverydefies the bounds of reason and issued
an adverse inference jury instruction because the plaintiff intentionally destroyed evidence and attempted to suppress the truth.
Anderson is just one example of the ever growing host of cases
in which a computer forensic examination and expert have
helped decipher electronic evidence enigmas.4

CHRISTOPHER WALL is a Utah Bar member

and a Kroll Ontrack Legal Consultant
based in Washington, D.C.

10

Volume 17 No.7

According to the Sedona Conference, a legal and political think

tank founded for the purpose of establishing reasonable standards
and principles for handling electronic evidence, computer
forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues
relating to reconstruction of computer usage, examination of
residual data, authentication of data by technical analysis or
explanation of technical features of data and computer usage.
Computer forensics requires specialized expertise that goes
beyond normal data collection and preservation techniques
available to end-users or system support personnel.5
At the heart of computer forensics is the idea that within the
electronic realm of evidence, delete does not really mean delete.
The investigations into Enrons accounting irregularities illustrate
how persistent deleted information can be. Weeks before Enron
filed for bankruptcy, it became apparent that several major
financial institutions had helped Enron manipulate its numbers
and mislead investors with secret loans. During the subsequent
investigations, one piece of evidence that received broad attention
was an internal e-mail at JP Morgan Chase that described one of
JASON PAROFF is Director of Computer
Forensic Operations for Kroll Ontrack,
and is based in Secaucus, New Jersey.

Indeed, where relevant information can be expected to be located,

deleted data can be recovered and the results of the forensic
analysis can often yield a potential treasure trove of information.
Regardless of whether the information is beneficial or detrimental,
counsel can best assess the merits of the case the earlier he or
she knows about it.
B. The Computer Forensics Process
Given the wealth of electronic information available to individuals
and corporations today, laptop and desktop hard drives or
networked servers and backups are often the best place to begin
collecting potential evidence. An investigation involving computer
forensics typically begins by making a bit-by-bit image or copy of
the hard drive or electronic media in question, thereby preserving
the integrity of the original media. This image of the data includes
all of the unused and partially overwritten spaces on the electronic
media where important evidence may reside. When properly
done, a forensically sound image does not alter the information
on the original hard drive or electronic media.
Once the forensic image has been made, a computer forensic
expert can search for active data (data that was immediately
accessible to an individual using the computer when the image was
made), recovered data (files and directories that were recovered
after they had been deleted), and unused space (portions of the
media that are either free because they have never been used
or because the information contained there has been deleted,
and the computer has marked that space as available for use by
new information).
II. Computer Forensics Case Law: Civil and Criminal
Crackdowns
In the twenty-first century, the legal community is recognizing
the significant evidentiary role that computers play in civil and
criminal cases. Because of rapid advances in technology, case

law and legislation dealing with computer forensics is changing

daily. Some of the important computer forensic case law in both
criminal and civil cases includes cases dealing with cyber sabotage, email investigations, deleted data, Internet activity, and
spoliation.
A. Cyber Sabotage
Because computer crimes are increasing at alarming rates, law
enforcement officers, investigators, lawyers and judges are
increasingly barraged with technical issues. Accordingly, an
understanding of current computer forensics law is vital in
offering accurate and thorough computer expert testimony. In a
2001 case, U.S. v. Lloyd, testimony by computer experts led to
the conviction of an individual charged with a modern cybercrime.8 Without testimony from the computer experts, evidence
of the computer time bomb that sabotaged operations at an
engineering company would not have been recovered.

Articles Cracking the Computer Forensics Mystery

these secret loans called a prepay. The email chain began,

Enron loves these deals as they are able to hide funded debt
from their equity analysts because they (at the very least) book
it as deferred [revenue] or (better yet) bury it in their trading
liabilities. Another internal e-mail expressed concern: Five
[billion] in prepays!!!!!!!!!!!!!!! The reply? Shut up and delete
this email.6 JP Morgans employees apparently were not aware
of what some courts have said about deleted email. According
to one court, Technically, email messages are permanently
recorded since most email programs keep copies of every
message a user ever wrote, every message the user ever received,
and every message the user deleted....A deleted file is really
not a deleted file, it is merely organized differently.7

B. Email Investigations
Perhaps more than any other technological innovation, email
has become an integral part of daily activity and electronic
discovery. As such, computer forensic engineers are regularly
called upon to investigate and analyze email communication.
United States v. Bach, a child pornography case, illustrates
precisely how computer forensics can be used where email is at
issue.9 Pursuant to a search warrant, Yahoo! computer experts
retrieved all of the information contained in the defendants
email account. Because police were not present when the
defendants email account was searched, the lower court ruled
that the seizure of the emails by Yahoo! was unlawful. The
appellate court reversed the lower court decision, finding that
Yahoo!s search of the defendants email account without a police
officer present was reasonable under the Fourth Amendment
and did not violate the defendants privacy rights.
C. Deleted Data
Unless steps are taken to hide or remove deleted data more
permanently, computer forensic engineers can recover and
examine deleted information. And lest counsel think that the
deleted information is not subject to discovery, significant case
law suggests the opposite.10 The case law, both at the State and
Federal level, is full of civil and criminal decisions where the
individual quite clearly failed to understand that the delete
key on the keyboard is not the equivalent of a paper shredder.
For example, in United States v. Tucker, Utah District Court Judge
Campbell found Jeffrey Tucker guilty of knowingly possessing
child pornography.11 Computer forensic evidence gathered from
deleted Internet cache files that still resided on Tuckers hard

Utah Bar J O U R N A L

11

Cracking the Computer Forensics Mystery Articles

drive, even after being deleted, were an integral part of the case
against him. The cache files were stored on his hard drive when
he visited various websites containing child pornography. Even
though the files had been deleted, they were still recoverable by a
computer forensics expert. Cases like Tucker illustrate how critical
computer forensics can be in finding seemingly deleted data.12
D. Internet Activity
Computer forensics can also play a vital role in criminal investigations. State v. Guthrie, a case dealing with a criminal prosecution
for murder, is a good example.13 In Guthrie, a preachers wife
was found dead in the bathtub, a victim of an apparent suicide.
Suspicious of the apparent suicide, investigators began looking
into the case. Shortly thereafter, a suicide note appeared. Investigators enlisted the aid of a computer forensics expert, who
discovered that Guthries computers at home and at church had
been used to conduct numerous Internet searches on subjects
related to bathroom deaths. Additionally, the forensic analysis
revealed that the computer-printed suicide note, offered to
exculpate the defendant, was created several months after the
victims death. Needless to say, Mr. Guthrie now finds himself
preaching to a congregation of a different stripe.
E. Spoliation of E-Evidence
Courts will not hesitate to admonish or sanction parties for bad
faith maneuvering, rule violations, and negligent or intentional
spoliation. Sanctions for such conduct have included adverse
inferences or presumptions, preclusion of evidence, monetary
sanctions, and dismissal or default. Procter & Gamble Co. v.
Haugen demonstrates that Utah courts are not hesitant to
impose sanctions for electronic discovery violations.14 Procter &
Gamble was an unfair competition case in which the defendant
moved for sanctions, alleging that the plaintiff violated its duty to
preserve relevant email communications of five key employees.
Finding that the plaintiff breached its duty to preserve, the court
sanctioned the plaintiff $2,000 $10,000 for each of the five
employees. The court also granted the defendants motion to
dismiss the case without prejudice, since the plaintiff failed to
preserve relevant electronic data that it knew was critical to the
case. The court determined that the plaintiffs violation of four
separate discovery orders made defending the case basically
impossible since the crucial electronic evidence was apparently
no longer available.
An Illinois federal district court also imposed sanctions for
deleting electronic evidence in a recent patent infringement
case, Kucala Enters. Ltd. v. Auto Wax Co.15 Based on digital
clues left on the hard drive, computer forensic experts were
able to determine that the plaintiff used Evidence Eliminator,

12

Volume 17 No.7

a software wiping utility, to delete and overwrite over 12,000

electronic files. An expert further determined that 3,000 additional files had been deleted and overwritten three days earlier.
Although there was no clear indication that relevant evidence
existed among the destroyed files, the court described the plaintiffs
actions as egregious conduct and emphasized the plaintiffs
apparent intent to destroy evidence that it had a duty to maintain.
The magistrate judge recommended to the district court that the
plaintiffs case be dismissed with prejudice and that the plaintiff
be ordered to pay the defendants attorney fees and costs
incurred in defending the motion.
As Procter & Gamble and Kucala illustrate, courts will not hesitate
to impose sanctions for intentional or negligent spoliation of
electronic documents. Spoliation cases dealing with electronic
evidence are legion, and the cases cited here are but a sampling
of how some courts are dealing with the issue.16
III. Computer Forensics Best Practices: Decoding the
Computer Forensics Mystery
When it comes to gathering and searching computer data for
relevant information, many attorneys may feel inexperienced.
Multiple computer systems may be involved, each of which may
contain hundreds of gigabytes of data or more. Complicating
matters, many different types of computers may also be involved,
and each can contain a different operating system (i.e. Windows,
Macintosh, Linux, etc.) or serve unique functions (i.e. email,
database, file/print/antivirus server, etc.). Each may require
different handling methods in order to effectively retrieve, copy,
and search the data they possess. Listed below are three basic
guidelines that counsel and their clients should follow when
facing a computer forensics issue in litigation.
A. Clueing in on the Computer Forensics Process
When retrieving electronic data, the following steps should be
taken: (1) consultation with clients and computer forensic experts,
(2) data preservation, (3) data collection, (4) data recovery
and analysis, and (5) expert testimony and reporting.
First, an attorney should consult with the client and a computer
forensic expert to create a strategy for collecting, analyzing, and
processing the data. The strategy may include analysis of where
the critical information could exist as well as the identification
of properly qualified individuals to perform the work.
Next, attorneys should take proper precautions to preserve data.
In many cases, a computer forensics expert using industry best
practices will first make a mirror image, which is a bit-by-bit
copy of a hard drive that ensures the computer system is not
altered during the imaging process. Additionally, the expert will

A forensic experts job does not necessarily end with recovering

a lost or deleted smoking gun document. Often, the expert can
also determine whether an electronic file has been tampered
with, altered, damaged or removed. In essence, the expert can
help recreate a course of events relating to the primary user of
the computer in question as if the hard drive itself were the
scene of a crime or event. Once that analysis is complete, the
computer forensic expert can provide expert reporting and
testimony to assist the court, counsel, or the fact finder in resolving
a case.

Once the relevant data has been identified, a computer forensic

expert can retrieve data from virtually all storage media and
operating systems, including legacy and obsolete hardware
systems. During the data recovery process, the expert will recover
active data, deleted data, and/or email and access inactive and
unused data storage areas. Finally, a computer forensic expert
can help win a clients case by offering expert testimony and
reporting. The expert can customize reports about the data
collected and produced to support the case, provide data for
affidavits or other pleadings, and provide expert testimony at a
trial or hearing.

C. Solving the Computer Forensics Mystery in Court

People have been known to falsify evidence, alter it, or attribute
it as something other than what it really is. As a result, courts
have a right (and an obligation) to question the validity of
electronic evidence. Maintaining a chain of custody on pieces
of relevant media is the best way to proactively ensure admission
of the data into evidence at trial. A proper chain of custody
ensures the reliability of evidence and minimizes any risk that
evidence was changed, altered, or modified from its original
form on the hard drive.

B. Hiring a Cybersleuth
Computer forensic investigators must have advanced computer
knowledge, with specialized data recovery and computer investigation analysis skills. Ideally, such experts should have some
formalized training such as law enforcement training courses
offered by large departments and agencies and certification
courses offered by recognized private sector companies. Not
every computer forensics specialist has deep systems knowledge,
and most information technology specialists know little about
computer forensics procedures. The needs of a client can be
broad, and often a team of individuals with different skill sets may
be required to effectively handle a case heading for, or involving,
litigation.
Reliable techniques and protocols may include:
Recreating a specific chain of events or user activity, including
Internet activity, email communication, file deletion, etc.;
Searching for key words and dates and determining what
resulting data is relevant;
Searching for copies of previous document drafts;
Searching for potentially privileged information;
Searching for the existence of certain programs such as file
wiping programs; or
Authenticating data files and the date and time stamps of
those files.

Articles Cracking the Computer Forensics Mystery

ensure that no possible evidence is damaged and that no computer

viruses are introduced. Techniques that are generally understood
within the industry and are considered to be reliable must be
established for the handling of data. Though not an exhaustive
list by any means, examples include chain-of-custody control,
protection from magnetic fields and other dangers that can
damage data, mirror imaging, and duplication techniques that do
not alter the data and can verify that an exact copy was obtained,
and analysis tools that accurately convey the information being
reviewed.

When called to testify, a computer forensics expert might be

asked the following questions and provide the following hypothetical responses:
1. What is the evidence, or what does it purport to be?
Forensics Expert: This is a printout of data that I recovered on
1/1/04 from the hard disk drive primarily used by John Doe of
the Acme Corporation.
2. Where did it allegedly come from?
Forensics Expert: The hard drive was taken from the office of
John Doe on 12/15/03. It was contained within a Generic PC
bearing model XXXX and S/N YYYY.
3. Who created, discovered, or recovered it?
Forensics Expert: The data appears to have been created by
John Doe. I discovered and recovered it from his hard disk
drive using computer forensic techniques.
4. How was it created, discovered, or recovered?
Forensics Expert: I made an image of the hard disk drive using
a forensic imaging device. This device is designed to make a
perfect copy of a disk and does not alter the data on the disk
being copied.
5. Were there any material changes, alterations, or modifications during the recovery of the evidence such that it may no

Utah Bar J O U R N A L

13

Cracking the Computer Forensics Mystery Articles

longer be what it once was?

Forensics Expert: No. Our processes as well as the tools that we
use are designed to ensure that no changes whatsoever occur to
the original media and data we work on. We use write-blocking
devices as an extra precaution in this regard. We test our tools,
both software and hardware in order to validate that no changes
are made to the original media, and to insure that a perfect
image is made of that media.
6. What has happened to it since the time it was created,
discovered, or recovered? Is there any chance that the evidence
was changed, altered, or modified between the time you
imaged the drive and today?
Forensics Expert: Here is our chain of custody documentation
which indicates where the media has been, whose possession it
has been in, and the reason for that possession. There is no
chance that during that time any of the evidence was changed/
altered/modified from the form in which it existed on the drive
that we imaged on 12/15/03.
After a computer expert is able to verify the authenticity and reliability of the evidence, a court is well within its province to admit
the evidence for consideration by a jury. Accordingly, an attorney
will be in the best position to argue to the judge or jury the weight
that should be given to the evidence. Just as the computer has
become essential in modern times, computer forensic evidence
is becoming a crucial aspect of many investigations and legal
matters. A solid understanding of electronic evidence concepts
will help attorneys solve any computer forensics mystery.
1. The authors gratefully acknowledge the assistance of Charity J. Delich, Kroll Ontrack
Electronic Evidence Law Clerk and second year law student at William Mitchell
College of Law.
2. Ninety-two percent of new information is stored on magnetic media, primarily hard
disks. Film represents 7% of the total, paper 0.01%, and optical media 0.002%.
http://www.sims.berkeley.edu/ research/projects/how-much-info-2003/
execsum.htm#summary
3. Anderson v. Crossroads Capital Partners, L.L.C., 2004 WL 256512 (D.Minn. Feb.
10, 2004).
4. See, e.g., In re Lorazepam and Clorazepate Antitrust Litig. v. Mylan Lab., Inc., 300
F.Supp.2d 43 (D.D.C. 2004) (requiring Plaintiff to take CD-ROMs to a computer
forensic expert); Physicians Interactive v. Lathian Sys., Inc., 2003 WL 23018270
(E.D.Va. Dec. 5, 2003) (directing that discovery must be done with the assistance of
a computer forensic expert); Playboy Enters., Inc. v. Welles, 60 F. Supp.2d 1050
(S.D. Cal. 1999) (appointing a computer expert who specialized in the field of
electronic discovery to create a mirror image of Defendants hard drive).
5. The Sedona Principles: Best Practices, Recommendations & Principles for
Addressing Electronic Document Discovery (Sedona ConferenceSM Working Group
Series 2004). http://www.thesedonaconference.org
6. Brown, Gary M. Senate Investigator to Enrons Lawyers: Its Not Over. Corporate
Board Magazine, Special Legal Issue, 2003. http://www.boardmember.com/issues/
archive.pl?article_id=11523

14

Volume 17 No.7

7. State v. Townsend, 57 P.3d 255 (Wash. 2002) (Bridge, J. concurring).

8. United States v. Lloyd, 269 F.3d 228 (3rd Cir. 2001).
9. United States v. Bach, 310 F.3d 1063 (8th Cir. 2002).
10. See, e.g., Dodge, Warren, & Peters Ins. Servs. v. Riley, 130 Cal.Rptr.2d 385 (Cal.
Ct. App. 2003) (ordering Defendants to allow a court-appointed expert to copy the
data, recover lost or deleted files, and perform automated searches of the evidence
under guidelines agreed to by the parties or established by the court); Simon
Property Group v.mySimon, Inc., 194 F.R.D. 639 (S.D. Ind. 2000) (requesting
party should have access to active and deleted data alike); Caldera, Inc. v. Microsoft
Corp., 72 F. Supp. 2d 1295 (D. Utah 1999) (finding that a series of intra-company
emails offered direct evidence that the corporation was actively trying to destroy a
competitor).
11. United States v. Tucker, 150 F. Supp. 2d 1263 (D. Utah 2001). See also, United
States v. Tucker, 305 F.3d 1193 (10th Cir. 2002).
12. See, e.g., State v. Townsend, 57 P.3d 255 (Wash. 2002) (Bridge, J. concurring)
(court affirmed that deleted information is fully discoverable if relevant).
13. State v. Guthrie, 654 N.W.2d 201 (S.D. 2002).
14. Procter & Gamble Co. v. Haugen, 179 F.R.D. 622 (D.Utah 1998), revd on other
grounds, 222 F.3d 1262 (10th Cir. 2000). See also, Procter & Gamble Co. v.
Haugen, 2003 WL 22080734 (D.Utah Aug. 19, 2003).
15. Kucala Enters. Ltd. v. Auto Wax Co., 2003 WL 22433095 (N.D.Ill. Oct. 27, 2003).
See also, Kucala Enters., Ltd. v. Auto Wax Co., 2003 WL 21230605 (N.D.Ill. May
27, 2003).
16. Procter & Gamble Co. v. Haugen, 179 F.R.D. 622 (D.Utah 1998), revd on other
grounds, 222 F.3d 1262 (10th Cir. 2000) (where Plaintiffs breached its discovery
duties, court imposed $10,000 in sanctions $2,000 for each of the five custodians);
see also Procter & Gamble Co. v. Haugen, 2003 WL 22080734 (D.Utah Aug. 19,
2003) (granting Defendants motion to dismiss with prejudice where the Plaintiff
failed to preserve relevant electronic data that Plaintiff knew was critical to the case,
violating four separate discovery orders requiring production of the data); Anderson
v. Crossroads Capital Partners, L.L.C., 2004 WL 256512 (D.Minn. Feb. 10, 2004)
(granting adverse inference jury instruction because the Plaintiff intentionally
destroyed potentially damaging evidence); Zubulake v. UBS Warburg, 2003 WL
22410619 (S.D.N.Y. Oct. 22, 2003) (ordering Defendant to bear the Plaintiffs costs
for re-deposing certain witnesses for the limited purpose of inquiring into the
destruction of electronic evidence and any newly discovered emails); Landmark
Legal Foundation v. Environmental Protection Agency, 272 F.Supp.2d 70 (D.D.C.
2003) (finding the EPA in contempt and concluding that the appropriate sanction
was Plaintiffs attorneys fees and costs incurred as a result of the EPAs conduct);
RKI, Inc. v. Grimes, 177 F.Supp.2d 859 (N.D. Ill. 2001) (ordering Defendant to pay
$100,000 in compensatory damages, $150,000 in punitive damages, attorneys fees,
and court costs).