The Details of Digital Forensics
What is Digital Forensics and What is it Not
Before we begin, let’s dispel a myth or two about digital forensics: digital forensics is not what you see on CSI. For starters, you cannot power up a computer with potential evidence and begin pilfering through the information. Those actions will modify and destroy evidence potentially preventing admissibility into court (Attorneys: remind your clients of this). Secondly, digital forensic investigations can be very detailed and time-consuming: it isn’t going to happen in an hour. Lastly, we are not nearly as attractive as the people on television.
Digital forensics is the ability to obtain great detail related to activities performed on computers. Digital forensics can also provide information typically not available from conventional eDiscovery requests; deleted information, Internet activities, social network usage, and detailed timeline activity of actions taken by a computer user.
Let’s walk through an example demonstrating the benefits from digital forensics.
Digital Forensics Case Study
Our client employed a valued engineer for years. This person was a model employee and contributed greatly to the success of the company. Unexpectedly, the employee resigned to work for a direct competitor. Our client indicated that they were very shocked at the resignation and were concerned that he may have taken their “widget” designs. We were asked to analyze the computer of the former employee.
The digital investigation uncovered many artifacts of value to the client and their counsel. Computers are very detailed when monitoring the activities that occur on them. This enables us to perform very detailed timeline analysis. In the analysis of the computer, we found that:
- By analyzing Internet histories from a few weeks before the resignation, we discovered Google queries related to the competing company.
- Two weeks before the resignation, we found that the former employee copied an entire folder of widget designs to the desktop folder of the computer. This folder contained our client’s current product and prototype design drawings.
The copying of this “designs” folder has to be taken in context: Was it normal behavior for the employee to copy the information to the desktop folder? We found that this was the first time that the employee had ever copied this folder to the computer.
When we analyzed the computer, we determined that the designs folder had been deleted. I will explain the significance of this a little later.
- The night before resignation, the laptop computer was powered on.
- During the boot process, the computer recognized and configured a USB drive. This was the first time this USB drive had ever been used in this computer.
- From the information, we were able to pinpoint the vendor, model and serial number of the USB drive that was being used at that time.
- We also determined that this was the first and last time that the USB drive was used in this computer.
- The designs folder was then moved to the USB drive. When files are moved, they are first copied, and then subsequently “deleted” from the file system. This put the files in a deleted status as I previously described. Proper analysis allowed us to chronologically determine exactly each file name moved during this process…Bingo.
- The move process stopped a couple of hours later and the shutdown process was started immediately afterwards.
By analyzing when the computer was normally powered off and on, along with the normal usage of the computer, we determined this was not normal behavior.
As you are well aware, eDiscovery is becoming “the norm” in most cases to review email communications, documents, etc. However there are instances in which your matter requires the analysis of activity rather than the contents of files. In these situations, digital forensics will provide you with the needed information.