This may seem like an extreme case, but similar situations can happen in any business setting and can cost thousands of dollars to remedy, or more in lost revenue.  There are a number of ways employees can effectively “lock” their employer out of their company issued computer.

• Hard Drive Encryption: Employees can load free software to encrypt the hard drive and make accessing information and recovery difficult or impossible.
• Hard Drive Wipe: Employees can use commercial and free wiping tools to wipe their hard drive of information.
• Vanish Software:  A type of software that can destroy all copies of data after a period of time specified by the user – making the data unrecoverable.
• Password Protection of File: Employees can password protect files on the company computer and refuse to reveal the password, as evidenced in the case above.
• Destroy Computer: Employees can remove a computer hard drive and physically destroy it.

When employees use the above techniques to “lock” or destroy their hard drive, often, investigators can no longer access the drive’s contents, or the drive’s contents may be erased, leaving no information for the investigator to find.  Although the files and the information held within the files are unrecoverable, evidence of the above mentioned wiping tools can usually still be found.

As the City of San Francisco found out in 2008, it can cost employers thousands of dollars to regain control of their information, and can even result in lost court cases due to missing evidence, lost physical and intellectual property, and can also result in lost business and/or clients.

If employers are interested in protecting themselves from employee theft, information tampering or data destruction, the following list of considerations should be addressed to ensure information protection.

• Do you limit employees’ ability to wipe or encrypt company issued computer hard drives? It is possible to limit employees’ ability to download software like Drive Scrubber or TrueCrypt, making it difficult for employees to load harmful software on their computers.
• Do you disable user’s ability to write to external media (USB, CD, DVD, etc)? Disabling user’s ability to write to external media discourages the saving of files to media and taking off-site, and maybe to a competitor.
• Do you require employees to store all information on the network, not on desktops or laptops? Requiring employees to store all information on the network prevents information from being lost or stolen if a laptop is taken off-site.  Networks are also backed up.  If an employee was to delete or corrupt information, a backup would exist.  Additionally, many networks will provide an audit trail of user activity, which could help to link file activities to employee user accounts.
• Are strong policies written and in place for storage and use of information? Well written policies for storage and use of information are critical because they allow employees to understand their roles and responsibilities within predefined limits.  Employees understand how data is to be used, stored and accessed and a well written and instituted policy will hold employees accountable, and may spell out any legal liability.
• Are backup and data retention policies and procedures in place and followed to preserve documents and activity on the network? Backup and data retention policies are important for the preservation of information.  If data is deleted or corrupted, intentional or unintentional, a backup copy would exist and the data would be recoverable.
• Have you considered the risk of new technologies used by your employees? As technology advances, so does the opportunity for misuse.  PDAs and cell phones now allow a user to transport large amounts of information.  Users taking information off-site significantly increases the company’s risk of lost or stolen information.

Three recent court cases have illustrated how Computer Forensic investigations can assist in trade secrets, probate and estate investigations and employment law.

Deceuninck North America v. Michael Hutfless and Sensibuilt Building Solutions, Inc.
Computer forensic evidence assisted Deceuninck North American (DNA) in winning a $1.158 Million verdict in a trade secrets case against a former employee and the company he went to work for, Sensibuilt. DNA sued the former vice president and the deck manufacturing company he went to work for, for misappropriation of trade secrets. When DNA learned that the former employee had gone to work for Sensibuilt, a computer forensic investigation of his DNA work computer led to the discovery that he had downloaded more than 2,000 of DNA’s confidential documents onto a USB flash drive just prior to departing the company. The forensic investigation also uncovered that the employee “wiped” clean his home computer’s hard drive, further impairing discovery. For more information on wiping, please visit our previous article: Is it possible to permanently delete data off of a computer, making it unrecoverable?

Pool v. Diana, Court of Appeals of Texas, Third District, Austin. No. 03-08-00363-CV
In the case Pool v. Diana, a computer forensics investigation proved that allegations of will forgery were false and unfounded. A computer forensic examiner’s analysis of a will’s creation software showed that the software had been used a few weeks prior to the will’s execution, along with duplicate drafts of the will being stored on the machine. A comparison of the will residing on the machine, with the will that was executed for probate showed that the will was not a forgery.

Stengart v. Loving Care Agency Inc., Superior Court of New Jersey, No. A-3506-08T1
In a unanimous decision, the New Jersey Supreme Court ruled that attorney-client privilege applied to e-mails sent by an employee using a company-issued laptop to her lawyer through a personal Web-based email account, eliminating Loving Care’s contention that its electronic communications policy eliminated her expectation of privacy. A computer forensic expert hired by Loving Care recovered e-mails that were saved to the computer’s hard drive by Stengart’s web browser. Loving Care’s lawyers reviewed the emails and used the information during discovery, and Stengart’s attorney sought to have them returned under attorney-client privilege. The policy allowed for incidental personal use, but specified that the company reserved the right to “review, audit, intercept, access, and disclose all matters…with or without notice.”

The court disagreed, and found that Stengart had a reasonable expectation of privacy because she used a personal e-mail account; and the company’s policy didn’t specifically address use of private web-based email. This ruling highlights the importance of maintaining a precisely drafted electronic communications policy. Most companies don’t have this issue covered, and may need to add more specificity to existing e-communications policies to make it clear that, even where incidental personal use is allowed, there’s no expectation of privacy.

The cases noted above illustrate how computer forensics can assist in establishing where documents are saved, copied or even deleted. Computer forensic investigation can also establish timelines of document and program use, including but not limited to, creation, modification, copy, and/or deletion. They also illustrate how important electronic communication policies have become to business.

If you think that a computer in your organization may contain important evidence, there are a few important steps that should be taken in order to preserve that evidence. First being, immediately cease any and all use of the computer in question, and be sure to secure the computer to prevent anyone from unknowingly using it. For advice on further steps, please visit our previous article: I think that a computer in my organization may contain important evidence. What are the first steps I should take?

“Just about every phase of our life has computers involved, well that carries over in the crime aspect as well,” said Mel Joiner, Supervisor with Computer Crimes Division at the National White Collar Crime Center, or NW3C.

The implications of an Always-Connected society are that so many things we do are based on an interaction with a computer device. For a forensic examiner this means that there are numerous sources that could contain the evidence you are searching for in your investigation. In the past, if a computer device was suspected of containing pertinent evidence, a computer forensics examiner would seize the computer device in order to perform a full forensic search.

While the full seizure and subsequent search may still be required in certain circumstances, it is no longer the only option. There are new computer forensic tools and techniques available that can significantly reduce the costs associated with performing a computer forensic investigation.

These forensic techniques called preview searches still maintain the integrity of the potential evidence and offer insight into the relevance of evidence that may be contained on that computer or device.

An example where preview searches can be deployed is in an internal human resources investigation regarding an employee’s internet conduct. In a recent investigation, we were asked to determine if an employee was spending time on internet auction sites during normal work hours. To aid in an efficient investigation, yet maintain evidentiary integrity, we performed a live preview search of the individuals work computer internet history. Upon determining that the employee had accessed the internet auction site eBay on a daily basis for 12 consecutive business days, it was determined that a full computer search was warranted. If we had not performed the preview search, time could have been wasted obtaining a full forensic image of the hard drive where no misconduct had occurred.

Preview search is also useful in determining if a computer contains documents or emails that reference certain individuals. If the preview search reveals that emails to and from a certain individual are present, a full forensic copy of the hard drive can be obtained for further investigation. If the preview search does not yield any relevant search hits, the computer could potentially be disregarded for the investigation or eDiscovery compliance.

There are two types of metadata, internal and external.  Internal metadata is metadata about a specific file and is saved by the program that created the file (i.e. Microsoft Word).  Computer operating systems also keep metadata of their own; this can be considered external metadata. 
 
The Windows operating system requires a filing system to know where each file is located to allow files to be accessed when called upon.  This filing system is called the Master File Table (MFT).  The MFT contains external metadata about each file and can include, but is not limited to:

• Date file was created, modified, accessed
• Location of file on the hard drive
• Physical and logical size of the file

An example of internal metadata can be found in every Microsoft document.  This information may include, but is not limited to:

• Name and/or initials of person who created the file
• Name of the computer on which the file was created
• Name of previous document owners
• Document versions

Microsoft Office (including Word, Excel, Access and PowerPoint) is not the only application that embeds internal metadata.  In fact, most applications do, including PDF files which have embedded author, title or other information.  JPEG image files also contain internal metadata that may include the following:

• Make and model of the digital camera
• Time and date the picture was taken
• Distance the camera was focused at
• GPS location information where the picture was taken
• Small preview image (thumbnail) of the picture

Metadata can be an important part of a computer forensics investigation when the author or timeline of a file related to the creation, opening or saving of that file is imperative to determine.  Metadata can be extracted using computer forensic software.  Recent examples of metadata usage in litigation include:

• Determining the date when a USB device was inserted into a computer
• Determining what user last saved and printed a Microsoft Word file
• Determining when a PDF file was first placed in a directory on a company’s main file server

• Officers applying to search digital devices have to waive the plain view doctrine
• The search must be conducted by a third party (i.e. Computer Forensics experts)
• The third party will then turn over only the evidence included in the warrant to the investigators
• If illegal material not covered in the search warrant (like child pornography) is recovered, it is to be destroyed
• Any other evidence not covered in the warrant would then be returned to the device owner.

To date, there have been no real implications of this decision in civil cases, although it may alter criminal matters.  Implications for criminal cases include third parties being required to conduct the search, requirements for specific search criteria within search warrants, and any recovered evidence not covered in the original warrant would be then required to be returned to the device owner.

The potential impact and lesson to be learned for civil cases is two-fold.  First, unlike criminal cases where illegal material not covered in the search warrant must be destroyed, in civil matters, forensic experts would be obligated to report to the appropriate authorities any recovered content that may be illegal.  Second, we can learn from the last requirement regarding evidence not covered in the warrant having to be returned to the device owner. The lesson to be learned and applied to civil matters is to ensure that the scope of any search performed by a computer forensic expert is clearly spelled out in advance.  This may be done via a protective order, including keywords to be searched in a writ of possession, or in an expert retention letter.

If the computer is on, it is important that you do not go through a normal shutdown process. Instead, call a computer forensic expert for immediate instructions on what to do next. It is also imperative that you do not allow the internal IT staff to conduct a preliminary investigation. At this point all you have is information and data; there is no evidence. Unless the internal IT staff is certified in computer forensics and trained on evidentiary procedures, they may not have maintained the chain of custody or followed other accepted evidence techniques. Secondly, even if proper evidence handling techniques have been used, the collection process itself has been altered and likely tainted the data collected. By opening, printing and saving files the meta-data has been permanently changed. Lastly, the act of turning on the computer changes caches, temporary files and slack file space which along with the alteration of the meta-data may have seriously damaged or destroyed any evidence that was on the computer.

Even if extensive damage is done by the internal IT staff, a computer forensics expert may be able to salvage the damaged evidence. However, this can be a time-consuming process which often costs several times more than the original analysis would have cost. Nevertheless, it is not always possible to restore evidence from computers that have been mishandled. You will want to keep a detailed log of who had access to the machine in question, what was done to it and where the computer has been stored since the dates in question. If the hard drive is removed for a forensic examination, be sure to document the date and time in the system and note whether it differs from the current time.

It is relatively easy to avoid the most common procedural mistakes when it comes to computer forensics. Do not solely rely on the internal IT staff for computer forensics investigations. If there is even a small chance that evidence from a suspected computer system will be needed, consult a Computer Forensic expert to assist or perform an analysis to forensically collect and report on any potential evidence.

• Hit, Slap, Drop or Tap It – Though tapping the hard drive may end up loosening the drive arm; it most likely that this will cause damage to the hard drive.

• Freeze or Heat It – Heating a hard drive can lead to melted parts, and freezing a hard drive can result in condensation inside the drive, in other words, water in the hard drive.  Do not freeze or heat a hard drive in attempts to get it to work.

• Open and Spin It – Hard drives are manufactured in areas that have virtually no air contaminants.  Opening a hard drive in a normal home or office, no matter how clean it may be, will expose the hard drive to dust and humidity, hard drives worst enemies. 

• Use Norton – Some data recovery software does work when there is a pure logical problem.  The difficulty comes when the disk is showing some kind of physical problem.  In this case, the software ends up doing more physical harm than good.  In order to use data recovery software, it is important that you know the drive is having a software problem, not a physical one.

• It’ll Fix Itself – Often times, hard drives will start up again if left alone.  But the most important thing to remember is, if it starts up, make sure you are prepared and are able to backup your data immediately!

While most of these myths may carry some truth, the fact of the matter is, using any of these methods to jump-start a hard drive will usually cause irreparable damage to the hard drive and data contained in it.  Data recovery is a specialty because many people and companies can suffer great losses if they lose their data in an accident with no backup.  If a hard drive is experiencing a software problem, problems in the programming, it is likely that data can be recovered from the drive, but only if the drive is in physically good condition.  In most cases, a data recovery expert can assist in this process.

It is possible to permanently delete files off a computer, effectively making them unrecoverable.  However, software tools must be used to facilitate this process.  There are a number of commercial and free wiping tools available including Drive Scrubber, Active@ Kill Disk, Eraser, Summit Hard Disk Scrubber, and Darik’s Boot & Nuke also known as “DBAN”.  These utilities work by writing either random data or strings of zeroes and/or ones to every sector of the hard drive that is marked as available to be overwritten.  In addition, a number of whole disk encryption utilities will also include this capability and allow for wiping of individual files.

If files have been wiped from a hard drive, they become unrecoverable during a computer forensic investigation.  Though the files and the information held within the files are unrecoverable, evidence of the above mentioned wiping tools can usually still be found.