Chapter 10: Reconstructing Past Events

 < Day Day Up > 

Chapter 10: Reconstructing Past Events


The increase in computer-related crime has led to development of special tools to recover and analyze computer data. A combination of hardware and software tools has been developed using commercial off-the-shelf utilities integrated with newly developed programs. Procedures have been defined and implemented to protect the original computer data. Processes have been developed to recover hidden, erased, and password-protected data. To that end, all recovery and analysis work is performed on image copies of the original.

Because there is a wide variety of computers, peripherals, and software available, including many different forms of archival storage (Zip, Jaz, disk, tape, CD-ROM, etc.),[i] it is important that a wide variety of equipment be available for recovery and analysis of evidence residing on a computer’s hard disk and external storage media. Recovered data must be analyzed, and a coherent file must be reconstructed using advanced search programs specifically developed for this work.

For example, these techniques were recently used to recover data from several computers that indicated a large check forgery ring was in operation throughout California and personal and business identities were being stolen without the knowledge of the victims. Case files going back over 5 years were cleared with the information obtained.

In another case, proprietary intellectual property was found on the suspect’s computer and was being used for extortion. In the case of a murdered model, the murderer’s computer address book was recovered and is now being used to determine if he might be a serial killer. Another case involved a stalker who had restricted pager information on his victim, which was recovered from the suspect’s computer.

With the preceding cases in mind, the primary goal of this chapter is to illustrate the reconstruction of past events with as little distortion or bias as possible. Many analogies can be drawn from the physical to the virtual realms of detective work—anyone who has seen a slaying on a police show can probably give a reasonably good account of the initial steps in an investigation. First, you might protect and isolate the crime scene from outside disturbances. Next, comes recording the area via photographs and note taking. Finally, a search is conducted to collect and package any evidence found.

[i]John R. Vacca, The Essential Guide To Storage Area Networks, Prentice Hall, 2002.

 < Day Day Up > 

 < Day Day Up > 


Recovering electronic data is only the beginning. Once you recover it, you need to determine how to use it in your case. In other words, how do you reconstruct past events to ensure that will be admissible as evidence in your case? What follows are some recommendations for accomplishing that goal.

If You Need Help, Get Help

When you receive the package of evidence containing a Zip disk and cover letter stating, “Enclosed and produced upon you please find,” you may not know what to do with the disk. If you don’t know, get help.

Help may be just down the hall. If you have an information services department, consider going there. They might not understand what you mean by a discovery request, but they may be able to help you convert the contents of the disk to a form you can look at. If you have a litigation support group, consider contacting them. They may have the tools you need to look at and start working with the data you just received. Even if there is no formal entity within your office dedicated to dealing with technological issues, there may be informal resources.

In addition, your client may have the resources you need. Your expert witnesses, assuming you have some, may be able to sort out the data for you. If you are using a litigation support vendor, that organization may be able to bring skills to bear. And, of course, don’t forget the professionals, the ones who deal with electronic data recovery and reconstructing past events for a living.

Convert Digital Evidence

Before you can reconstruct past events and present the data, you need it on a medium and in a format you can work with. In other words, you need to get the data onto a medium you can use, if it is not already on one. Data can come on a variety of media, such as data tapes, Zip disks, CD-ROM disks, 3.5-inch floppy disks, and 5.25-inch floppy disks.

If you receive electronic evidence on an 8-millimeter data tape, chances are that you will not have an 8-mm tape drive at your desk. Even if you have a drive, it may not be able to read that specific tape. You need to get the data onto a medium your computer can read, which these days generally means a 3.5-inch floppy or a CD disk. How do you do this?

Well, for example, you could use Zip disks. Zip disks are simpler. The cost of Iomega Zip drives ( is so low that you can keep one on hand just to copy data from Zip disks you receive (and to copy data to Zip disks when others request data from you on that medium).

CDs are even simpler, as CD drives have become commonplace on PCs. Similarly, 3.5-inch disks generally pose no problem.

Nevertheless, 5.25-inch floppy disks have started to become problematic, as fewer and fewer PCs have the drives in them. Older sizes of floppies can be even more difficult; when you receive electronic data on them, you usually have to engage outside vendors to move the data over to media you can work with.

Put the Evidence in a Useable Format

Having data on a useable medium is useless unless it also is in a useable format. At times this is not an issue. If the data comes in a format that you already use, then you can begin to work with it as soon as you get it off the media. The formats most likely to be useable without conversion are word processing files (principally WordPerfect and Word files), spreadsheet files (principally Excel and Lotus), and presentation files (principally PowerPoint files).

 < Day Day Up >