lexisONE
LOGIN REGISTER
REGISTER
 
Customer Support|Your Account & Subscriptions|About lexisONE
LexisNexis® Research
for Small Firms
 
Forms
 
LexisNexis® Bookstore
 
LexisNexis® Mealey's
Online Publications
 
 
Headline Legal News
 
Balancing Life and Practice
 
New Attorneys
 
Legal Web Site Directory
 
Lawyer Locator
 
LexisNexis® Professional
Development Center
 
LexisWeb

 

Balancing Life and Practice

Deleting May Be Easy, But Your Hard Drive Still Tells All



The New York Times
May 2006


It was only a single digit in a 20-page Microsoft Word contract between two partners, but Scott Cooper earned his fee several years ago when he found it.
More from the New York Times

Mr. Cooper, a computer forensics expert, learned that the numeral ''1'' had been scrubbed in some later versions of this digital document. This gave his client, a partner in a software firm that had recently been sold, just a 5 percent rather than a 15 percent share in the company. If the change had gone undetected, the partner would have received $32 million rather than his rightful $96 million payout.

What the partner did not realize was that digital data rarely goes away, even when erased. ''It is extremely difficult to completely delete all evidence from a hard drive,'' said John Colbert, the chief executive of Guidance Software, which makes a widely used program that helps retrieve digital evidence.

Using various techniques, Mr. Cooper, the managing director of the Insync Consulting Group's electronic discovery and forensics practice, based in Los Angeles, figured out when the document had been changed and by whom. His client got his money.

Digital storage of information has become ubiquitous. In 2003, the School of Information Management and Systems at the University of California, Berkeley, estimated that 92 percent of new information was being stored on some form of magnetic media. As a result, digital forensics -- the acquisition and analysis of digital information -- has become an important legal tool.

The presentation of this data must abide by the rules of evidence gathering. And as with physical evidence, like a dead body, the documents and the digital storage device must be carefully preserved to avoid any claims of ta

As a computer forensics expert, Mr. Cooper finds hidden digital information using various software tools, then reconstructs a timeline to explain how and when data was recorded and changed.

Essential evidence can be gleaned from any digital storage device. Numbers erased from a cellphone can indicate on its memory that one person knows another. Appointments stored on hand-held devices can help establish a chronology. Even television shows recorded on a TiVo can confirm or destroy an alibi, revealing when a show was started or paused. All this evidence is theoretically recoverable.

With regard to the contract between the former software partners, Mr. Cooper determined how the document originally looked by examining the file's metadata, hidden digital information that showed how and when the document was altered. It was clear that his client's former partner surreptitiously altered the ownership percentage after the company became successful.

A 1993 New Yorker cartoon declared, ''On the Internet, nobody knows you're a dog.'' That was wrong. When it comes to digital data, anyone can find out who you are and what you are doing.

Dennis L. Rader, the ''B.T.K.'' serial killer, who pleaded guilty last year to 10 murders in Kansas, was arrested after he sent a floppy disk to the police. Using Guidance Software's EnCase Forensic program, the police retrieved deleted files that contained Mr. Rader's name as the author. Other digital data indicated that the computer on which the disk was used was owned by Mr. Rader's church, where he was president of the council.

EnCase Forensic software was also used to convict Scott Peterson of killing his wife, Laci. Using the program, investigators determined that around the time of the murder, Mr. Peterson had used his computer to visit Web sites that detailed tidal conditions in San Francisco Bay, where his wife's body was found. ''Even if he had deleted his Internet search history, the information would still have been there,'' Mr. Colbert, of Guidance Software, said.

As Mr. Cooper said: ''George Orwell was right; Big Brother is watching. By writing e-mails and banking online, we've condoned it.''

Although erasing computer files is easy, it has lulled people into a false sense of security. Digital data may be easily lost, but it is hardly forgotten.

As hard drives increase exponentially in storage capacity, retrieving incriminating data becomes easier. The bigger the drive, the less often that new data needs to be written on top of old ''deleted'' files.

''Passwords, visual images, bank account information -- it's all there,'' said Mary Mack, technology counsel for Fios, a digital forensics firm in Portland, Ore.

Unlike paper files, digital files usually exist in more than one place. So removing one copy may do little to prevent a file's retrieval.

Microsoft Word documents create multiple temporary files as the user types. Documents created on a company computer might have copies stored on both the server and the local work station. As e-mail wends its way from sender to receiver, copies are temporarily stored on multiple servers around the world.

Deleting a file from a computer is therefore a concept but not a reality, Mr. Cooper said. A file is not deleted; only its name is erased from a file database. Files can be made unrecoverable only if their data is overwritten with a series of ones and zeroes.

Various software programs can be used to overwrite data. One popular product, Evidence Eliminator, draws a red flag in legal circles.

''I'm still puzzled why someone would use a product of that name,'' said Michael A. Gold, a senior partner with the law firm Jeffer, Mangels, Butler & Marmaro in Century City, Calif., and a chairman of the firm's Discovery Technology Group. The use of any overwriting software can be detected, tipping off investigators that the person under scrutiny has something to hide.

Like a villain in a horror movie, data keeps on coming. According to Mr. Cooper, even a piece of a hard drive no bigger than a fingernail can yield information that can help an investigation move forward.

Fortunately for forensic investigators, most cases are not particularly difficult to crack. In the business world, workers may use their computers for illegal purposes and then simply delete data, hoping to cover their tracks.

When the medical products company Medtronic and Dr. Gary K. Michelson were involved in a legal dispute over medical technology, Medtronic was ordered to produce electronic documents to Dr. Michelson's lawyers. ''We learned that deleted files had not been produced,'' said Dan P. Sedor, a Jeffer, Mangels lawyer and co-counsel for Dr. Michelson.

The law firm discovered this when Mr. Cooper and his colleagues inspected Medtronic's hard drives.

''Various things were missing, such as an operating system, configuration files and deleted documents,'' Mr. Cooper said. ''Electronically, we know that documents are missing. You can't do this with paper.''

Once data is recovered, other software automates the discovery process, helping investigators burrow through what could be hundreds of thousands of pages of information.

Electronic discovery, or e-discovery, software analyzes the data by searching for keywords and patterns.

The searches are not always obvious. ''People rarely use the word 'fraud' when they're committing fraud,'' said Mike Kinnaman, vice president of marketing for Attenex, an e-discovery software provider.

Instead the software may be instructed to search for sports phrases -- always popular when discussing criminal activity -- separating out the mention of ''diamond'' when it pertains to baseball, as opposed to jewelry.

''We present collections of words; why are they talking about baseball in the middle of a business e-mail?'' Mr. Kinnaman said.

Once it is clearthat electronic files will become part of a legal or criminal investigation, it is essential that the digital device be treated as carefully as a shell casing in a murder.

''All we're after is the story, just like in the old days,'' Mr. Cooper said. Only nowadays, he added, ''the computer is the witness.''

Copyright 2006 The New York Times Company International News National News New York Regional News Political News Business News Technology News Sports News The New York Times

  
LexisNexis
     www.lexisnexis.com
Customer Support  Browse Federal Case Law  Browse State Case Law  Site Map  Contact Us 
Terms & Conditions    Privacy    Copyright  
© 2008 LexisNexis, a division of Reed Elsevier Inc. All rights reserved.