Most practitioners and clients think that hitting the "delete" key on a computer keyboard is comparable to putting a piece of paper through a shredder. However, with the advent of new technology and the notoriety of recent document destruction scandals, this misconception is quickly disintegrating. It is now common knowledge that e-evidence tends to remain accessible on a computer hard drive even after it has been "deleted." When electronic data is deleted, it is simply removed from the file allocation table (FAT), which marks those sectors of the disk as available to store new data. Until new data, which is stored in a random fashion on the disk, is written to each and every sector that housed the deleted data, portions of that data remain recoverable. Until it has been overwritten several times, potentially important evidence can be retrieved from your opponent's and your client's computers.
Computer forensics is now a daily service rendered to companies in Asia Pacific. When the average office worker hears the term ‘computer forensics,’ it conjures up visions of US television shows in which criminal investigators find critical clues to solve a ghastly crime – but this is not so in the world of commercial computer forensics investigators. These tech-savvy professionals help clients understand whether there have been wrongdoings by staff, and whether, for example, trade secrets or intellectual property have been copied and sent to a third party. A real-world trade secrets case illustrates the benefits of computer forensics. A company sought assistance in investigating several former employees suspected of stealing the company’s trade secrets. The night before forensic engineers were to image the hard drives in question, one of the former employees destroyed the computer evidence by deleting the incriminating information and then downloading approximately six gigabytes of music files (MP3s) to the drives, which overwrote the suspect files. Even though no evidence of the trade secret misappropriation was recoverable, the engineers presented findings that supported the company’s claim that the former employee had destroyed incriminating evidence. So what is computer forensics? Computer forensics is the recovery of deleted computer-based information. It is the science of examining and piecing back together the who, what, when, where, and how of computer-related conduct.
Commercial computer forensics plays a major role in complex financial disputes, sexual harassment cases and inappropriate Web surfing. What a member of staff does at work is invariably recorded on his computer’s hard drive, as more than 90 percent of all documents are now created electronically. The act of merely visiting your favourite Web site is recorded somewhere on your hard drive. With the increasing trend towards creating and using electronic documents, the computer is becoming a critical point of investigation for any company that needs to locate information about its business activities. Computer systems, whether consisting of a single hard drive or a network of servers and desktops, are often the best place to begin collecting potential evidence.
Over the last few years, the technology to collect, process, and analyze data has evolved very quickly. One of the latest technology breakthroughs has been in the arena of global cases involving multilingual documents. Investigators now have tools available to search not only Western languages but also Chinese, Korean and Japanese – most cases in and around the Asia Pacific region will look at all data sources available and determine the best ‘keywords’ to search for in multiple languages.
Process of a computer forensics investigation

A typical first step is to create a mirror image of the hard drive or other computer media in question. The mirror image is made in order to preserve the integrity of the original media. The imaging process provides the client and the forensic expert with a "snapshot" of the data contained on the media: a perfect bit-by-bit copy, including all of the unused and partially overwritten space where important evidence may reside. Imaging does not change or alter the information on the original hard drive or computer media.

After the image is created, computer forensic experts search for several classes of information during the data recovery portion of the computer forensics process:

* Active Data. The original, accessible data from the hard drive or tape: the data that was available to the particular user working with the computer.
* Recovered. Files and directories recovered after being deleted from the Active Data. Some files are recovered completely and are easily identifiable, while others survive only as bits and pieces that require expert analysis to put the puzzle back together.
* Unused. The free space or unallocated portion of the hard drive. It comprises the portions of the drive that are free either because they have never been used or because the information stored there has been deleted and the computer has marked that space as available for new information.

Beyond retrieving files, forensic engineers can often determine whether computer evidence was tampered with, altered, damaged or removed. In essence, they can recreate a course of events relating to the primary user of the media in question, as if the hard drive itself were the scene of a crime or event.
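To make the imaging step concrete, here is an added Python example; it is not code from the article or from the author's firm. It images a constructed in-memory "drive" block by block, records the SHA-256 acquisition hash, zero-fills a block it cannot read (the same behaviour as dd's conv=noerror,sync) while logging which block that was, and then shows that the image can be re-verified against the acquisition hash at any time, and that a single altered byte in a working copy makes verification fail. The media contents, the failing block and the block size are assumptions invented for the demonstration.

```python
import hashlib
import io

BLOCK = 512  # read and hash in sector-sized blocks

# Constructed four-block "drive" (not real evidence): an active file, leftovers of a
# deleted file, a block that will fail to read, and never-used free space.
MEDIA = (b"QUARTERLY REPORT (active file)".ljust(BLOCK, b"\x00")
         + b"DRAFT MEMO (deleted, never overwritten)".ljust(BLOCK, b"\x00")
         + b"\xaa" * BLOCK
         + bytes(BLOCK))
BAD_BLOCKS = {2}  # block index the constructed media refuses to read


class ConstructedMedia(io.BytesIO):
    """In-memory stand-in for a drive whose listed blocks raise an I/O error."""

    def __init__(self, data, bad_blocks):
        super().__init__(data)
        self.bad_blocks = set(bad_blocks)

    def read(self, size=-1):
        block_index = self.tell() // BLOCK
        if block_index in self.bad_blocks:
            raise OSError(f"I/O error reading block {block_index}")
        return super().read(size)


def image_media(source, size, block=BLOCK):
    """Bit-for-bit copy of `size` bytes from `source`.

    Unreadable blocks are zero-filled so the image keeps the media's geometry
    (the equivalent of dd's conv=noerror,sync) and are recorded so the report
    can state exactly which sectors are not the original's. Returns the image,
    its SHA-256 acquisition hash and the list of (block, error) pairs.
    """
    image = io.BytesIO()
    acquisition = hashlib.sha256()
    unreadable = []
    for offset in range(0, size, block):
        length = min(block, size - offset)
        source.seek(offset)
        try:
            chunk = source.read(length)
        except OSError as exc:
            unreadable.append((offset // block, str(exc)))
            chunk = bytes(length)
        image.write(chunk)
        acquisition.update(chunk)
    return image.getvalue(), acquisition.hexdigest(), unreadable


def verify_image(image, acquisition_hash):
    """Re-hash the image; any change since acquisition makes this False."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def acquisition_demo():
    """Image the constructed media, then check integrity before and after 'tainting'."""
    media = ConstructedMedia(MEDIA, BAD_BLOCKS)
    image, acq_hash, unreadable = image_media(media, len(MEDIA))

    # Examination works on the image only, so the original stays untouched and
    # the image can be re-verified at any point in the case.
    intact = verify_image(image, acq_hash)

    # Simulate careless handling: a single byte altered in a working copy.
    tainted = bytearray(image)
    tainted[0] ^= 0x01
    still_intact = verify_image(bytes(tainted), acq_hash)

    return {
        "image_size": len(image),
        "unreadable_blocks": [b for b, _ in unreadable],
        "block2_zero_filled": image[2 * BLOCK:3 * BLOCK] == bytes(BLOCK),
        "verified_after_examination": intact,
        "verified_after_tainting": still_intact,
        "acquisition_hash": acq_hash,
    }


if __name__ == "__main__":
    for key, value in acquisition_demo().items():
        print(f"{key:28s} {value}")
```

The acquisition hash is the value an examiner records at imaging time; every later verification compares against it, so the report can show that the copy analysed in court is the copy that was taken.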
Once the data analysis is complete, computer forensic experts can provide expert reporting and testimony if necessary.
The Nancy Kissel murder trial was a landmark case in Hong Kong, where computer forensics was used on a case that was not directly related to computer crime. The police computer forensic experts deployed in the Kissel case did a good job in imaging all of the computers used by the Kissel family, and as part of the electronic discovery process, the defense also had access to those forensic images. I represented the defense and carried out an examination of two of the images taken by the police. The prosecution had opened their case by painting a picture of the deceased favorably and the accused (Nancy Kissel) unfavorably, and on many occasions throughout their submission, the prosecution would refer to evidence obtained from the family computers to substantiate a particular point.
Using my findings, the defense wanted to counter the prosecution by showing that they had been selective in their submission and that the computer evidence showed that the deceased was not as the prosecution had suggested. My findings included the reconstruction of web surfing history, web sites visited and terms typed into search engines. Using the same image and software as the police, I was able to find evidence on the disks that was not presented by the prosecution, evidence that was potentially unfavorable to the deceased.
I was able to demonstrate live in court to the jury, in a non-technical manner, the complex procedures I had used to reach my findings and what those findings were. As a result of this case, every computer forensic expert who testifies in Hong Kong must now be prepared to demonstrate live, in court, how he or she arrived at any findings in support of their expert reports.
Following the Kissel trial, computer forensics is now being used in family disputes where, for example, one side alleges that the spouse used the family computer to visit certain websites as ‘proof’ of that spouse's alleged state of mind. How can legal counsel help their clients steer clear of computer forensic landmines?
1) Understand that delete does not mean delete. Every computer document leaves an e-fingerprint on the hard drive, and only when the user saves new data over that fingerprint might it disappear for good.
2) Create a mirror image of the media to preserve evidence. A simple mirror image may prove extremely useful if data is negligently or intentionally deleted down the road.
3) Avoid tainting the computer evidence. Evidence from computers is latent evidence: like fingerprints, blood or DNA, it is just as fragile. To process such evidence and make it acceptable in a court of law, forensically sound methods must be used. For example, simply booting a computer or opening a file can change potentially valuable dates, times and other behind-the-scenes information about the data.
4) Know the difference between formatting, defragmenting and wiping, and what each does to data on a hard drive. People often assume data is unrecoverable after one of these techniques has been employed. In reality, formatting will often not render the data inaccessible, while, at the other end of the spectrum, wiping generally destroys any realistic chance of recovery.
5) Use qualified forensic experts who follow proper protocols, not only to collect and recover the data important to your case, but who can also articulate their results and conclusions clearly and accurately to a finder of fact.
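Both the opening point that "delete does not mean delete" (deletion only clears the file allocation table) and point 4 above (formatting versus wiping) can be seen in a toy model. The following Python is an added example, not code from the article or its author: it builds a tiny FAT-style volume with a made-up allocation table and eight 16-byte sectors, then shows what a keyword search across every sector, allocated or not, still finds after a delete, a quick format, a partial overwrite by newly written data and a multi-pass wipe of free space. The volume layout, the file names and the "trade secret" string are constructed for the demonstration.

```python
import os

SECTOR_SIZE = 16   # tiny sectors so the whole volume is easy to inspect
NUM_SECTORS = 8


class ToyVolume:
    """Minimal FAT-style volume: an allocation table plus raw sectors (constructed model)."""

    def __init__(self):
        self.table = {}  # file name -> list of sector indexes it occupies
        self.sectors = [bytearray(SECTOR_SIZE) for _ in range(NUM_SECTORS)]

    def free_sectors(self):
        """Sectors no table entry points at: the 'unused' or unallocated area."""
        used = {s for chain in self.table.values() for s in chain}
        return [i for i in range(NUM_SECTORS) if i not in used]

    def write_file(self, name, data):
        """Store data in the first free sectors; new data lands wherever space is marked free."""
        needed = -(-len(data) // SECTOR_SIZE)  # ceiling division
        free = self.free_sectors()
        if needed > len(free):
            raise OSError("volume full")
        chain = free[:needed]
        for n, idx in enumerate(chain):
            chunk = data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
            self.sectors[idx][:] = chunk.ljust(SECTOR_SIZE, b"\x00")
        self.table[name] = chain

    def delete_file(self, name):
        """'Delete' only drops the table entry; the sector bytes are untouched."""
        del self.table[name]

    def quick_format(self):
        """A quick format discards the whole table and nothing else."""
        self.table.clear()

    def wipe_free_space(self, passes=3):
        """Overwrite every unallocated sector several times, then zero it."""
        for idx in self.free_sectors():
            for _ in range(passes):
                self.sectors[idx][:] = os.urandom(SECTOR_SIZE)
            self.sectors[idx][:] = bytes(SECTOR_SIZE)

    def carve(self, keyword):
        """Keyword search over every sector, allocated or not, as an examiner would run it."""
        return [i for i, sec in enumerate(self.sectors) if keyword in bytes(sec)]

    def unallocated_text(self):
        """Whatever content still sits in the free sectors, with padding removed."""
        raw = b"".join(bytes(self.sectors[i]) for i in self.free_sectors())
        return raw.replace(b"\x00", b"")


def walk_through():
    """Delete, format, partially overwrite and wipe, recording what a search still finds."""
    vol = ToyVolume()
    secret = b"TRADE SECRET: catalyst ratio 3:1"  # constructed sample: 32 bytes = 2 sectors
    vol.write_file("formula.txt", secret)
    found = {}

    vol.delete_file("formula.txt")
    found["after_delete"] = vol.carve(b"TRADE SECRET")  # sector 0 still holds it

    vol.quick_format()
    found["after_format"] = vol.carve(b"TRADE SECRET")  # the format changed no sector

    # New data reuses the first free sector, as the downloaded MP3s did in the
    # trade secrets case: the head of the secret is gone, the tail survives.
    vol.write_file("song.mp3", b"\xff\xfb" * 8)
    found["after_partial_overwrite"] = vol.unallocated_text()

    vol.wipe_free_space()
    found["after_wipe"] = vol.carve(b"ratio")  # nothing left to recover
    return found


if __name__ == "__main__":
    for stage, result in walk_through().items():
        print(f"{stage:24s} {result!r}")
```

The model deliberately leaves out on-disk detail (cluster chains, directory entries, slack space), but the ordering of outcomes is the one counsel should expect: deleting and quick-formatting leave the content in place, new writes destroy it piecemeal and only a wipe removes it from the search.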
Just as the computer has become a mainstay in today’s electronic workplace, computer forensic evidence is becoming the key to many investigations and legal matters. A firm grasp of electronic evidence concepts will unlock the door to successful advocacy in the digital age.
Ben Pasco is the Managing Director of Legal Technologies Asia Pacific for Kroll Ontrack, the industry leader in electronic discovery, computer forensics, ESI consulting, jury consulting and trial presentation services. Mr. Pasco's case experience includes fraud, asset tracing, IP theft, counter-terrorism and audit negligence, and he is often called on as an expert computer forensics witness in criminal and civil cases.
Copyright © 2009 LexisNexis, a division of Reed Elsevier Inc. All rights reserved.