
Digital Evidence
Susan R. Knox, Kroll Ontrack
How Technology is Changing Disclosable Evidence
Electronic evidence has been a part of disclosure, in the rules and increasingly in practice, for some time now. Indeed, the notion that documents such as e-mail messages, word processing documents and spreadsheets are disclosable is not controversial. But new technologies, and changes in the way in which technologies are used, mean that potentially relevant information – and even key evidence – may now be found in forms and locations far more removed than these from the traditional paper document. It may therefore be wise to take such technologies and sources of evidence into account when gathering evidence and preparing requests for disclosure.
Changes in technologies and behaviours have affected the ways in which information may be created and stored. New types of media – often relatively inexpensive and physically very small – may hold vast amounts of data, and individuals are increasingly recording and publishing details about their lives using online social networking tools.
New technologies are allowing skilled forensic investigators to recover detailed information regarding computer users’ activities and about documents that they may think have long been irrecoverable.
Significant New Types of Media
Thanks to developments in technology, individuals can now carry around large amounts of data in very small and portable forms. Laptop computers nowadays can be very light, and may hold hundreds of gigabytes (GB) of documents. One gigabyte equates, on average, to 30,000 printed pages – so a laptop could quite easily contain 50 GB of documents on 100 GB of hard drive space, which could result in approximately one and a half million printed pages. But it is the way in which this type of capacity is replicated in even smaller and more portable media that may be of particular note to those who seek evidence.
USB Memory Sticks
USB memory sticks, which connect directly and instantly to a laptop or desktop computer via a USB port, may hide several gigabytes of data in a space a few centimetres long. Memory sticks are readily available at shops and even supermarkets and can easily fit in a pocket. Some are even disguised in items such as watches or jewellery. A number of organisations have measures in place to prevent the transfer of data using memory sticks, but at many, if not most, it is nevertheless still possible to copy files between a memory stick and a computer with minimal time and effort.
It is not uncommon for employees to be suspected or accused of stealing company information by copying it onto memory sticks. It is likewise not uncommon for individuals to use memory sticks for innocent purposes. In either event, key evidence may only reside on a memory stick, which may in turn be in the possession of an individual such that its existence may not be readily apparent when evidence is gathered. Evidence of the use of a memory stick may in turn be very important in establishing a user’s activity and identifying the location of potentially key evidence.
Portable Media Players
Portable media players such as iPods have rapidly gained widespread use. They are, of course, a convenient and enjoyable means of listening to music and watching video content, but they can also have other functions. These devices have at their core significant amounts of storage space that can hold data files – including word processing documents and spreadsheets – just as easily as music and videos. Moreover, it is usually easy for almost anyone to transfer material between these devices and individual computers.
Individuals sometimes use these devices as a means of storing and moving files, whether simply for practical reasons or as a covert method of taking data from an organisation. Some also use the devices with microphones to record statements or conversations. As is the case with USB memory sticks, some materials may only exist at a given point in time on such a device; recordings made using one might only ever exist on that device. A portable media player may therefore be a unique source of key documents.
Digital Cameras
Digital cameras, like other new technologies, are capable of storing large volumes of data in a small amount of space. Moreover, they are capable of capturing extremely detailed images of people, places and things including paper documents, often with accurate time and date stamps.
Their value as a potential source of evidence is in no way limited to the extent to which they may contain images of paper documents. Digital photographs of a variety of subjects may provide proof of a wide variety of facts, including the dates and times of events and meetings, the level of acquaintance between individuals and the presence or absence of people or things at key moments.
Sophisticated PDAs
Today’s sophisticated Portable Digital Assistant (PDA) devices, such as Blackberries, may combine many of the features referred to above. They often include high-volume storage with a media player and a camera, as well as a telephone and e-mail facilities, all in a small package. In addition to the types of evidence discussed above, they may contain vast quantities of e-mail messages (including e-mail messages no longer available due to deletion elsewhere) as well as active and deleted text messages and other files, such as notes and calendar items. Their potential role as a source of evidence should not be overlooked.
The Impact of New Social Networking Tools
Individuals increasingly provide detailed information regarding their activities – including times, locations, and those accompanying them – using “social networking” tools such as Facebook, Twitter and even Flickr. Although the tools work in various ways, they fundamentally work by allowing people to share information and make social plans with contacts, thus allowing people to monitor others’ activities at the same time. All of the major tools have privacy settings that allow users to “lock down” access to their information and photographs, but not all users choose to take advantage of these settings. Indeed, one of the considerably powerful aspects of the tools is the amount of content that they put into the public realm.
Social networking information may be readily accessible to anyone online, or some of it may be cached on individuals’ hard drives and thus retrievable using forensic techniques. In either case, it may be of real use in a particular matter in establishing timelines, relationships, activities or the identity of those present at a particular event.
Advanced Forensic Tools and Document Search and Review Techniques
Advances in technologies have changed not only the ways in which information is stored and transported but also the ways in which it may be found. Sophisticated forensic tools enable experienced forensic investigators to identify and examine documents and fragments of documents that a user has tried to delete. Investigators can determine what external media have been connected to a computer, and when, and they may be able to identify documents that have been copied to or from those media. It may be possible to find logs of web usage as well as items such as copies of web content visited and lists of contacts within an application.
Of course, once documents have been found they can now be reviewed and analysed using a range of methods. These include instant computer-generated graphical analyses of e-mail traffic between individual users and searches on words, phrases and portions of words. In addition, it is possible to search for conceptually linked words and documents based around analyses of proximity and frequency of terms within the document set. Audio files can also be searched phonetically using such technology.
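One way an examiner can establish what external media have been connected to a computer, and when, shown as an added example that is not part of the original article: it assumes a Windows computer (the article names no operating system), where the device-installation log setupapi.dev.log records when each USB storage device was first installed. The log excerpt, device names, serials and the function name are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of Windows' setupapi.dev.log; the device
# names and serials are made up. Timestamps are the machine's local time.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00\AA11BB22CC33&0]
>>>  Section start 2007/03/12 09:41:07.250
     dvi: {Build Driver List} 09:41:07.312
<<<  Section end 2007/03/12 09:41:09.015
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0001\5&1a2b3c4d&0&2]
>>>  Section start 2007/03/12 09:50:00.000
<<<  Section end 2007/03/12 09:50:01.000
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Sample&Prod_MediaPlayer&Rev_2.10\6&2f0a91c&0]
>>>  Section start 2007/03/14 17:58:44.101
<<<  Section end 2007/03/14 17:58:46.400
"""

HEADER = re.compile(r"^>>>\s+\[Device Install .*? - (USBSTOR\\[^\]]+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
FIELDS = re.compile(r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                    r"&Rev_(?P<rev>[^\\]*)\\(?P<serial>[^\\]+)$")

def usb_storage_installs(log_text):
    """Return one record per USB mass-storage install section, oldest first."""
    records, pending = [], None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:
            m = HEADER.match(line)          # non-storage devices reset pending
            pending = m.group(1) if m else None
            continue
        m = START.match(line)
        if not (m and pending):
            continue
        f = FIELDS.match(pending)
        pending = None
        if f:
            serial = f["serial"].rsplit("&", 1)[0]   # drop trailing "&0" suffix
            records.append({
                "first_installed": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "vendor": f["vendor"], "product": f["product"], "serial": serial,
                # "&" as second character: Windows generated the ID because the
                # device reported no serial, so it cannot single out one stick.
                "unique_serial": serial[1:2] != "&",
            })
    return sorted(records, key=lambda r: r["first_installed"])

if __name__ == "__main__":
    for r in usb_storage_installs(SAMPLE_LOG):
        print(r["first_installed"], r["vendor"], r["product"], r["serial"], r["unique_serial"])
```

The install timestamp shows when the device was first set up on that computer, not every later connection, so it is a starting point for a timeline rather than a complete record of use.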
Take New Sources of Evidence into Account
Evidence that is found in one of these newer sources, or with the latest forensic techniques, may have a real impact in a case by providing unique information that has considerable evidentiary weight.
Obviously it will not always be practical or proportional for a legal team to seek to obtain, or to examine and review, all of the possible sources of evidence for a particular matter. However, by understanding and taking into account the various potential sources, the team can make an informed and potentially outcome-altering decision as to the disclosure to be requested as well as regarding the searches for evidence that are to be carried out internally.
Susan R. Knox is a Legal Consultant at Kroll Ontrack and is based in our London office.
Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.
Copyright 2007 Kroll Ontrack, Inc & Kroll Ontrack Legal Technologies Ltd.