Part III: Computer Forensics Analysis


CHAPTER LIST

Chapter 8: Discovery of Electronic Evidence
Chapter 9: Identification of Data
Chapter 10: Reconstructing Past Events
Chapter 11: Networks






Chapter 8: Discovery of Electronic Evidence

OVERVIEW

Computer technology has revolutionized the way we deal with information and the way we run our businesses. Increasingly important business information is being created, stored, and communicated electronically.[i] Many types of information that can play a useful role in litigation are no longer printed on paper and stored in paper files, but rather are stored in a computer system or in computer-readable form. As companies have increased their reliance on their computer systems, lawyers have begun to realize the valuable electronic treasures that are now being kept in these systems and have started aggressively to target electronic data for discovery in all types of litigation cases. The discoverability of these electronic files is referred to as Discovery of Electronic Evidence or DEE.

Plaintiffs’ lawyers have been increasingly targeting electronic evidence for a number of reasons. It is also likely that electronic evidence will soon attract the attention of government investigators. Numerous statutory provisions empower government officials to enter, inspect, and make copies of records that must be maintained pursuant to various statutes and regulations.

The primary purpose of these provisions is to enable the government to determine whether a company is complying with the recordkeeping and other requirements contained in the statute that imposes them. Many businesses are increasingly storing the required records in electronic form. Government investigators will likely begin to focus their attention on the electronic form of these records and the computer systems that house them.

The government also has access to records for investigatory purposes. Several statutes, such as the human rights codes, Competition Act, Criminal Code, and tax acts, give government officials the right to enter a business establishment and inspect or seize records. For example, under the Competition Act, peace officers with a search warrant or, in exigent circumstances, without one, may enter the premises, examine records, and copy or seize them. They may use the computer system on the premises to search data and produce print-outs, which they may then seize for examination or copying.

Plaintiffs’ lawyers and government investigators need to develop the knowledge and skill necessary to take advantage of the information residing in electronic form. This does not mean that they need to become computer specialists, but rather, that they need to understand enough about technology to ask the right questions and enlist the assistance of the forensic computer experts where necessary. Lawyers who choose to ignore these new opportunities could expose themselves to malpractice claims.

Lawyers representing parties with large amounts of electronic data need to understand that their clients’ data will be targeted for such discovery and need to advise their clients on how to prepare. Defensive strategies that should be implemented prior to litigation include a proper document retention program, periodic purging of magnetic media, and the implementation of a document management system. Once litigation has commenced, defendants need to be better advised on how to preserve relevant electronic evidence adequately—to avoid possible sanctions or a negative inference at trial.

Now, let’s begin the discussion of electronic document discovery. This is the process of viewing log files, databases, and other data sources on unseized equipment to find and analyze information that may be of importance to a computer crime investigation.

[i] John R. Vacca, The Essential Guide to Storage Area Networks, Prentice Hall, 2002.


