Electronic Evidence: The Ten Commandments
By Sharon D. Nelson and John W. Simek
© 2003 Sensei Enterprises, Inc.
1. Thou shalt not stomp all over the evidence.
It is no accident that this is the First Commandment. When computer forensics specialists get together and swap war stories, one recurrent theme is the unbelievable number of times that clients have fouled themselves up by trampling electronic evidence. Typically, as soon as a potential legal matter is recognized, a law firm or corporation authorizes someone from its IT department to “look through” the evidence. Unbeknownst to them, while their IT staff is busy finding golden nuggets of evidence, they are also changing the dates and times of the files they are accessing and possibly altering information that indicates which user ID did what. While it may not entirely discredit the case, you have now given fodder to opposing counsel at the very least – and you will have to spend more money on the forensic examination because unraveling dates and times and explaining “the stomping” effect is now part of the examiner’s job.
It is a very foolish client that contaminates evidence by having in-house folks look at it – from a judge’s point of view, the client has a vested interest in that evidence. Far more credible is an initial, independent forensic examination by a certified third party.
As a New York City police detective lamented at a recent seminar, many of his cases go “in the hopper” because of trampled evidence. He jokes that the first two officers on the scene are always “I Don’t Know” and “Not Me” because when he asks who stomped all over the evidence, those are always the first two answers he gets.
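As an added illustration of the "stomping" problem (example code written for this page, not the authors' own tooling): even a read-only "look" at a file can update its last-access time on many file systems, and a save updates the modification time. The script below reads a constructed metadata export (hypothetical paths and dates, not from any real matter), takes the date the matter was recognized as the hold date, and sorts files by what post-hold handling did to their timestamps. This is the kind of triage an examiner must do before the original dates and times can be explained in court.

```python
from datetime import datetime, timezone

# Constructed file-system listing (hypothetical; not from any real matter).
# Columns: path, last modified (UTC), last accessed (UTC).
LISTING = """\
path,modified,accessed
C:/Docs/contract.doc,2003-02-14T10:22:00,2003-03-12T09:01:00
C:/Docs/budget.xls,2003-01-30T16:45:00,2003-02-02T08:10:00
C:/Mail/outbox.pst,2003-03-11T14:03:00,2003-03-11T14:03:00
C:/Docs/memo.txt,2003-03-05T11:00:00,2003-03-09T17:30:00
"""

# Date the potential legal matter was recognized (assumed); nothing should be touched after it.
HOLD_DATE = datetime(2003, 3, 10, tzinfo=timezone.utc)


def parse_timestamp(text):
    """ISO-8601 timestamp from the listing, treated as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def parse_listing(text):
    """Turn the CSV export into (path, modified, accessed) tuples, skipping the header row."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        path, modified, accessed = line.split(",")
        rows.append((path, parse_timestamp(modified), parse_timestamp(accessed)))
    return rows


def triage(rows, hold):
    """Sort files by what post-hold handling did to their timestamps.

    'modified': content or metadata written after the hold; the pre-hold
                modification time is gone and the file itself may have changed.
    'accessed': only the last-access time moved; the original 'last opened'
                time cannot be recovered from the file system alone.
    'intact':   no timestamp later than the hold.
    """
    result = {"modified": [], "accessed": [], "intact": []}
    for path, modified, accessed in rows:
        if modified > hold:
            result["modified"].append(path)
        elif accessed > hold:
            result["accessed"].append(path)
        else:
            result["intact"].append(path)
    return result


if __name__ == "__main__":
    for category, paths in triage(parse_listing(LISTING), HOLD_DATE).items():
        print(f"{category}: {paths}")
```

The "accessed" bucket is the one in-house browsing fills: the file content is unchanged, but the question "when was this last opened, and by whom?" can no longer be answered from the timestamps alone.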
2. Thou shalt preserve the evidence.
The first rule of thumb when you suspect a workstation may contain significant evidence is to “pull the plug.” No, the machine will not die by doing so. If the computer is powered up, forget the orderly shut down – this just changes dates and times again. Yank the doggone power cord. Also, savvy computer miscreants may plant a “bomb” so that shutting down without untriggering the bomb causes the drive to be wiped. Servers are different beasts – it is very important to preserve log file entries and operational events on a server and “pulling the plug” may corrupt these files. Here, an orderly shutdown is mandatory.
Once a machine is taken out of commission, remove it and lock it up in a secure place. It is extraordinary how the machine will become the focal point of someone’s attention if it is still publicly accessible. Whatever you do, don’t adopt the attitude that someone else can still use the machine until you can get around to a forensic examination. Not only will usage change a world of dates and times, but deleted files which may be recoverable if the machine is decommissioned could be overwritten by continuing use.
A word about back-ups. They are invaluable. Don’t continue rotating your tapes and lose evidence. Buy new tapes and take anything that may have evidence on it out of the rotation.
If the evidence you need is in the other side’s possession, prioritize getting a preservation of evidence letter off to the appropriate parties. Courts are increasingly irritated with the spoliation of electronic evidence, so make sure the other side has early and clear notice of the evidence to be preserved, including back-up media!
3. Thou shalt not copy and thou shalt not “Ghost.”
When you copy a drive, many of the dates are not preserved – not a good thing if those dates are important in court. By default, using Symantec’s “Ghost” means that you will not retrieve information in unallocated space (all the wonderful deleted e-mails and documents that so often win a case reside in unallocated space). This is because “ghosting” results in a logical rather than a physical image.
If you are even remotely concerned that electronic evidence will end up in court, it is critical that a true forensic acquisition be performed. Using court-validated hardware and software such as EnCase, SafeBack, iLook and FastBloc means that your forensic image will be unchallengeable in court so long as the people that use them follow proper procedures.
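To make the logical-versus-physical distinction concrete, here is an added toy model (example code for this page, not from EnCase, SafeBack, iLook, FastBloc or Ghost): an eight-sector volume, constructed inline, in which one file is still allocated and a second file has been deleted, so its sectors are marked free but the bytes remain. A file-level copy carries only what the directory still lists; a bit-for-bit image carries every sector, and the deleted text can be carved out of the unallocated ones. The hash comparison at the end reflects standard acquisition-verification practice and is not something this section spells out.

```python
import hashlib

SECTOR_SIZE = 16  # toy sector size; real media use 512-byte or 4 KiB sectors


def write_file(sectors, start, data):
    """Lay data down across consecutive sectors from `start`, zero-padding the last one."""
    for offset in range(0, len(data), SECTOR_SIZE):
        chunk = data[offset:offset + SECTOR_SIZE]
        sectors[start + offset // SECTOR_SIZE] = chunk.ljust(SECTOR_SIZE, b"\x00")


def build_sample_volume():
    """Constructed eight-sector volume (hypothetical contents).

    memo.txt is allocated in sectors 0-2. mail.txt once occupied sectors 3-5;
    its directory entry was deleted, which frees those sectors but leaves the
    bytes in place. Sectors 6-7 were never used.
    Returns (raw sectors, allocation table of name -> (start sector, length)).
    """
    sectors = [b"\x00" * SECTOR_SIZE for _ in range(8)]
    memo = b"Memo: budget meeting moved to noon."
    deleted_mail = b"Mail: draft contract attached, please review."
    write_file(sectors, 0, memo)
    write_file(sectors, 3, deleted_mail)
    allocation = {"memo.txt": (0, len(memo))}  # mail.txt's entry is gone
    return sectors, allocation


def sectors_for(start, length):
    return range(start, start + (length + SECTOR_SIZE - 1) // SECTOR_SIZE)


def logical_copy(sectors, allocation):
    """What a file-level copy or 'ghost' carries over: only files the directory still lists."""
    files = {}
    for name, (start, length) in allocation.items():
        raw = b"".join(sectors[i] for i in sectors_for(start, length))
        files[name] = raw[:length]
    return files


def physical_image(sectors):
    """Bit-for-bit acquisition: every sector, allocated or not."""
    return b"".join(sectors)


def verify_image(sectors, image):
    """Hash comparison of source media and image, as done when an acquisition is verified."""
    return hashlib.sha256(b"".join(sectors)).digest() == hashlib.sha256(image).digest()


def carve_unallocated(image, allocation):
    """Pull runs of bytes out of the sectors no file claims: where deleted material survives."""
    used = set()
    for start, length in allocation.values():
        used.update(sectors_for(start, length))
    free = b"".join(
        image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        for i in range(len(image) // SECTOR_SIZE)
        if i not in used
    )
    return [run for run in free.split(b"\x00") if run]


if __name__ == "__main__":
    sectors, allocation = build_sample_volume()
    print("logical copy sees:", logical_copy(sectors, allocation))
    image = physical_image(sectors)
    print("image verified:", verify_image(sectors, image))
    print("carved from unallocated space:", carve_unallocated(image, allocation))
```

Run as a script, the logical copy shows only memo.txt, while carving the unallocated sectors of the physical image recovers the deleted mail text; that gap is exactly the deleted e-mail and documents the paragraph above says "so often win a case."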
4. Thou shalt not covet the smoking gun.
As the country music lyrics tell us, “sometimes you’re the windshield and sometimes you’re the bug.” There is nothing more gratifying than finding a digital smoking gun – it can be so exhilarating that we have been known to break into an enthusiastic if woefully off-key rendition of “We Are the Champions.” Those are good days, but not all days are good days. Sometimes, after hours or days of searching and analyzing, it becomes painfully evident that what the client hoped to find is simply not there. On those days, we are the bugs.
Sometimes clients become agitated and even fixated on the notion that what they are looking for must be there. If you have a competent, certified forensic examiner, believe the examiner if they say they have followed all appropriate procedures and the evidence you are looking for is not there. Perhaps the evidence never existed at all, or it may have been overwritten (and therefore unrecoverable), or the drive/specific files may have been wiped, sometimes with a special utility.
5. Thou shalt not be stingy, lest thee be stung.
When it comes to electronic evidence, clients frequently want the sun, the moon, and the stars – all for $3.78. OK, perhaps that’s an exaggeration, but the truth is that most lawyers do not seem to comprehend how complicated and painstaking a computer forensics examination is. Just documenting the evidence and process, setting the equipment up, taking digital photographs of the physical equipment, and opening a forensic case file takes more than an hour if done properly.
A corollary commandment might be: Thou shalt not attempt to break the laws of physics. Imaging takes as long as imaging takes, and no amount of persuasion will make it go faster. Depending on the amount of data written to the media, the technology and methods that must be used to perform the acquisition, etc., the amount of time required will vary widely. Perhaps one of the least understood aspects of pricing is the difference between acquisitions that take place in a computer forensics lab and an acquisition that must be done on site. It is far faster (and therefore cheaper) to acquire in a lab. People who are unfamiliar with forensics assume that a forensic acquisition is the equivalent of “copying.” They are aware of the time involved to copy a drive and simply cannot comprehend why a forensic acquisition takes so much longer. Remember that a copy is a logical copy, whereas a forensic acquisition produces a physical bit-by-bit image.
On-site acquisitions are not just a little longer but a lot longer, because the portable computer used for the acquisition doesn’t have the processing power or memory that the lab devices do. The data transfer rate for evidence storage is much slower because the evidence must now be held on an external drive versus one directly attached to a lab acquisition machine. By way of example, an acquisition that took 4 hours in the lab might take 8-10 hours on-site, though one can never pinpoint the exact time because it is unknown how much data is written on the hard drive or the impact of the speed of the subject computer. There are a lot of variables. Moreover, the technologist may run into specific issues where he/she needs to consult reference materials or needs a particular utility from the forensic toolkit. It is impossible to take everything on-site, so the expert will make a “best guess” based on the information that has been provided.
Most often, technologists are asked to acquire servers on site, and the client will not obligingly ship them to the forensics lab. Clients have angst about letting servers out of their possession and sometimes are determined that the acquisition will be done on-site no matter how great the advantages of shipping them out. If this is the client’s determination, simply be aware that the costs are likely to be 2-3 times as great, even before travel is included.
6. Thou shalt not bear false witness, nor ask thy witness to bear false witness.
You wouldn’t think this admonition would need to be in here, would you? Lawyers are governed by codes of ethics, yes? Officers of the court and all that? And yet, it seems to be so tempting to constantly ask the expert to slant testimony. While there are clearly “experts for hire,” good experts are seekers of truth and will report their findings regardless of what those findings may be. Having a forensic technologist examine a drive can certainly be a double-edged sword. You may find exculpatory evidence – or you may find incriminating evidence. An expert can’t pretend a search on a particular term wasn’t conducted. You may put your expert on the stand and limit the scope of your questions, but if anything you’ve asked exposes a soft underbelly to the evidence and opposing counsel has the acumen to strike at it, well, so it goes.
It is perfectly understandable that counsel would like its expert to say explicitly: “Mr. Jones sent this defamatory e-mail” when all the expert can really say is that “this e-mail was transmitted from this machine, which Mr. Jones shares with his wife and children.” Even if it was done under Mr. Jones’ ID, did any of his family members have access to that ID? In a large number of cases, the best you can hope for is testimony that the evidence in question came from a specific machine that a specific person had access to.
While it’s certainly fair to ask “Are you comfortable testifying to blah, blah, blah?,” a “no” should be accepted gracefully, no matter how much “yes” was the answer you wanted to hear. Ditto for those expert reports – while all experts will labor to say whatever they can on behalf of the side that employed them, they will and should exercise extreme care in making sure they don’t say anything that they are not comfortable they can fully back up. The good news is that employing experts who are known to be precise and careful in their reports and testimony frequently means that they have added credibility. Note well that this is especially true in an area where judges walk in unfamiliar, alien territory, as most of them do in the field of electronic evidence.
7. Thou shalt not kill forests.
Why, why, why do lawyers want to take electronic evidence and have us produce it to them in paper format? There is nothing more unwieldy than paper. It is stupefying that we are so often asked to produce boxes and boxes of paper when the complete forensic analysis report can easily be held on a single CD-ROM. Moreover, paper production puts the attorney in the same miserable place they have always been with respect to reviewing documents. Our most comic moment came when a firm wanted the entire forensic report converted to paper (two big boxes worth!) and then insisted that we transport it all to a conference we were speaking at so we could review the paper in their stead in order to meet their looming discovery deadline. Good thing one of us is a lawyer! How much simpler it is to manage the evidence in electronic form, where it is filed, cross-referenced, indexed, etc. This can be done using standard tools available to law firms or using sophisticated document management software, such as Summation or its counterparts. Subsequent searching and manipulation of the evidence is a relative breeze compared to traditional paper methods.
8. Thou shalt not think like thy parents, but like thy children.
How well one of the authors remembers the day when her 11-year-old daughter called from elementary school the week before school opened. She had gone in for half a day to help the teachers get their classrooms ready. At noon, she called and said “Mom, I’m going to have to be here all day – the teachers all have new computers and they have no idea how to configure them. Can you pick me up at 5 instead?” Nearly everyone has marveled at how youngsters tool around the Internet, manipulate computer programs, and even master the simultaneous use of the four or five remote controls for the TV/DVD/VHS/Stereo systems we all seem to have.
Those of us who come from the paper era seem to have enough trouble simply converting a paper function into an electronic one. Our kids, on the other hand, see the whole vista of new possibilities opened up by the electronic world. When you deal with electronic evidence, it helps to think like a child. Everyone knows that the kids are swapping music files with the likes of Kazaa, Morpheus, and Bearshare, but it was out-of-the-box thinking by our young interns, who said “hey, they might be using file-swapping to exchange other illegal stuff,” that led us to realize that those same file-swappers were used by pedophiles and others who wanted to swap contraband files rather than copyrighted music.
It is the younger generation that cottoned to steganography first (hiding text files within the white space of graphics) and soon we began to realize that terrorists might also be using steganography. In time, it became obvious that all sorts of miscreants might have uses for steganography. Though it’s old hat now, it took a long time for law enforcement to realize what kids knew right along. If you want to hide particular kinds of files from mom and dad, give them innocent names and change the file extension so (for instance) your extensive .jpg collection of porn appears as .doc (Word) files bearing such innocuous names as historyreport.doc. These days, competent forensic examiners look for such mechanisms, which are very easy to discover. In the electronic arena, innovative thinking is frequently the way to unearth critical evidence.
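The renamed-extension trick is easy to discover because a file's first bytes identify its real format regardless of its name. The following added example (written for this page; not the authors' tooling) compares each file's extension with its leading-byte signature and flags the ones that disagree. The signature bytes are the published values for those formats; the sample files are constructed in memory, and `scan_directory` applies the same check to a real directory tree.

```python
import os

# Leading-byte signatures of common formats (published values).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # OLE2 container: legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                        # ZIP, also the container for .docx/.xlsx/.pptx
]

# Signature type each extension is expected to carry.
EXPECTED = {
    "jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif", "pdf": "pdf",
    "doc": "ole", "xls": "ole", "ppt": "ole",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
}


def identify(header):
    """Return the signature type matching the file's first bytes, or None if none is known."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check(name, header):
    """Compare what the name claims with what the bytes say.

    'mismatch': the content is a known type that does not belong under this extension
    'match':    extension and signature agree
    'unknown':  no signature or no expectation for this extension, so nothing to conclude
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXPECTED.get(ext)
    actual = identify(header)
    if expected is None or actual is None:
        return "unknown"
    return "match" if expected == actual else "mismatch"


def scan_directory(root, header_len=16):
    """Walk a directory tree and list (path, real type) for every file whose extension lies."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as handle:
                header = handle.read(header_len)
            if check(filename, header) == "mismatch":
                hits.append((path, identify(header)))
    return hits


# Constructed sample files (name, first bytes) standing in for a directory listing.
SAMPLE_FILES = [
    ("historyreport.doc", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # JPEG wearing a Word extension
    ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),      # genuine legacy Excel container
    ("vacation.jpg", b"\x89PNG\r\n\x1a\n"),                   # renamed PNG
    ("notes.txt", b"Remember to call"),                       # plain text has no signature
]


def scan_samples(samples=SAMPLE_FILES):
    """Apply the check to the constructed listing; returns name -> verdict."""
    return {name: check(name, header) for name, header in samples}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```

Only a handful of signatures are listed here; an examiner's toolkit carries hundreds, and the "unknown" verdict is deliberate: a file with no recognised signature is not cleared, it simply has not been judged by this test.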
9. Thou shalt not honor false prophets.
Caveat emptor. The world of computer forensics is rife with “wannabes” who hang out their shingle and proclaim themselves forensic technologists. Be skeptical. Good forensic technologists have a lot of experience and credentials, have been involved in litigation many times, and are happy to give you referrals and to cite some of the cases in which they’ve been involved.
Are they certified? By whom? Did they simply pay dollars for a certification that is essentially meaningless? What is their training and experience level? Have they been previously qualified as an expert? How many times? Which courts? Have they written expert reports? How many? Have they served as court-appointed computer forensic experts? What certifications do they have? How long have they been engaged in computer forensics? How many cases have they personally handled? Make sure you carefully review their CV with all of the above in mind.
Also keep in mind that certified forensic technologists generally charge somewhere between $250-$500 an hour. If the price is significantly lower, be wary and ask questions.
10. Honor thy expert.
Though it might sound a little silly, it is astonishing how often lawyers treat forensics experts with cavalier disregard, as though they were mechanics engaged to change the oil. Not only do they often want the world on a platter, and delivered to them yesterday, but frequently their own lack of timely preparation is foisted onto their experts, who must now abandon everything else on their dockets in order to produce what the attorney needs when he/she needs it or has promised the client/court it will be delivered.
Making your expert part of the team can only help the end result. In a remarkable number of cases, forensic technologists are given directions for searching the evidence without any briefing as to the facts of the case. Needless to say, this is a patently absurd use of an expert. The more the technologist understands the case, the greater his/her sense is of the next logical step for achieving useful results. It is also striking that many attorneys fail to return calls from their experts. There are few things more frustrating than reaching a point in evidence analysis where guidance is required and being completely unable to get it.
Just as attorneys have their favorite and least favorite experts, so experts have their favorite and least favorite attorneys. While most technologists will do their level best for everyone, there are some attorneys who are so consistently gracious, collaborative and responsive that the technologists will work 7X24 if necessary to be a part of a winning team. As with most things, success in the world of electronic evidence is a combination of the right people and the right process. If you’ve picked good forensic technologists, trust them, be responsive to them, and involve them in your litigation strategy. If you ignore the Ten Commandments, you do so at your own peril!
The authors are the President and Vice President of Sensei Enterprises, Inc., a computer forensics and legal technology firm based in Fairfax, VA. 703-359-0700 (phone) 703-359-8434 (fax) sensei@senseient.com (e-mail) http://www.senseient.com (website)
