Digital Crannies. Six Places Data Hides That Most People Don't Know Exist.
As we have stated before, from time to time, we like to improve the content of this blog by getting 
input from subject matter experts in relevant fields.
Today, we are glad to include information from our friend Will Ambruzs, an attorney and computer forensics expert at Austin based Flashback Data. Will graced the pages of this blog before with this post.
We asked Will to give us some inside information about where attorneys or others should look when they are seeking information for investigative or discovery purposes.
Here is what Will said:
Digital Crannies.
Unlike paper, electronically stored information is everywhere. Unfortunately, it’s our experience that most attorneys don’t appreciate exactly how much of it is recoverable from computers. It’s literally a Chinese food menu. Sure, it’s not always important or cost-effective to review all of it, say, for litigation or each time a company fires a bad employee. However, most folks don’t know the menu well enough to even know the sorts of things they can order. The digital world is bigger than General Tso’s Chicken!
Here are 6 random things on the menu you may find interesting:
Email vs. Correspondence
Lawyers commonly want to look at email, but more often than not it turns out that looking at all communication would be more helpful. Because it turns out a bad employee at Company X also did a lot of text messaging at work. And online chatting. And instant messaging. And she also sent messages to clients and coworkers through LinkedIn and Facebook. And she frequently used her internet browser to send webmail through Yahoo! and Gmail. Unfortunately, preserving Outlook files and Exchange mailboxes doesn’t get this material.
Don’t Forget the Phone!
iPhones and Blackberrys have fast become like third kidneys when it comes to conducting business in the 21st century. However, folks tend to overlook them when thinking about electronic storage. The truth is phones can be excellent sources of data, not only because they’re designed to hoard data and sync with just about everything under the sun, but also because the privacy expectations of their users tends to be high.
For example, on a phone, our bad employee probably gets right to the point when communicating. Unlike computers, she’s not typing out heavily-syllabled, Shakespearean text messages with her thumbs. Consequently, remnants of communication are likely to be closer to the first cut of her thoughts, not the second or third.
There’s also a good chance she configured her phone to sync with email accounts at the company. There’s an even better chance she connected the phone each day to her work computer to charge the battery and keep her contacts and calendar synced. If so, there may be a treasure trove of backup files sitting quietly on her work computer. And since each file would represent a snapshot of the data on her phone at a particular time, things that were deleted from her phone many months ago may still exist in one of the backups.
Speaking of iPhone... Dynamic Text
Let’s face it, Apple’s business model is building gadgets that know you better than you know yourself. Apple’s gadgets learn about you, and to do this their gadgets have to store data.
One of the lesser known features of iPhone is its dynamic text database. Dynamic text is basically a repository iPhone uses to keep track of words and phrases you like to use when you type. That way the phone eventually learns to quit autocorrecting Alavert to slavery when, say, you keep texting others that you love Austin, but so do your allergies.
This can be a goldmine. Especially if text messages on the phone have been deleted and can’t be recovered. Reading entries in the dynamic text database that have been chronologically preserved is like listening to a conversation through a wall. It’s muffled, and some common words are omitted, but you get the gist and all the interesting parts are preserved:
wow.hate.Kevin.can.you.believe.arrogance.ugh.how.did.ever.become.Director.wait.until.he.finds.out.copied.all. company.passwords.hahahahaha.sounds.great.yessir.talked.to.James.he’s.leaving.company.with.us.said.downloaded. company’s.client.lists.from.database.no.difficult.yes.took.thumbdrive.with.him.said.will.email.everything.you.from.home. not.work.so.don’t.get.caught.haha.call.if.can.next.few.minutes.something.urgent.tell.you
Internet History
When folks think of a computer, they tend to think of it as a collection of things that live on the computer. For example, the most common data recovery request attorneys make involves: (i) collecting all email and user-created files from a computer, (ii) processing them against an exhibit of keywords, and (iii) producing the responsive material to be reviewed by fellow attorneys.
Candidly, this is probably enough heavy lifting from an “80/20 rule” perspective, especially when processing large data sets. However, it’s created a mindset that gives little regard to activity on a computer. And sometimes that activity is interesting.
For example, say John receives a preservation letter from opposing counsel. Here we see it sitting in John’s My Documents folder. There’s nothing else interesting in the folder. However, looking at John’s activity on the computer, right after he gets the letter we see him go to Google.com and type “how to securely delete data” into the search bar. Then we see 20 minutes of John clicking a bunch of URLs. Uh oh, next he’s on a website selling a product called “Evidence Eliminator v4.0.” And next we see him buying Evidence Eliminator and downloading it. Oh snap – here he is running it! And here’s him poking around later in My Documents to confirm the files are gone.
Wow! You suspected the keyword searches of John’s computer came back a quart low. And while all of this activity may or may not explain it, it’s certainly interesting!
Recent Documents
Speaking of file elimination, another good source of data can be the repositories used by software programs to keep track of recent documents. Microsoft Word has such a repository. So does Windows Media Player. These repositories won’t help you recover a wiped file, but they may help you substantiate that the file existed on the computer at some specific time in the past, or when files were accessed.
Forensic examiners frequently draw from this well in criminal prosecutions involving possession of child pornography. Defendant swears up and down he wasn’t aware of the illicit material. Or, if he was aware, that he looked at it once by accident several years ago and, upon realizing its nature, never looked at it again. Unfortunately, that’s not the same story Windows Media Player tells. It shows Defendant playing contraband files from multiple locations on a regular basis (e.g., from the hard drive, from a thumb drive, from his Blackberry via a USB cable, etc.).
Thumbs.db
Keeping with the deleted file theme, don’t forget about simple hidden artifacts like Thumbs.db. You ever open a folder in Windows and view the contents as thumbnail images? Thumbs.db is the hidden file used by Windows to store those ‘thumbnail’ images. Importantly, the data in the Thumbs.db file tends to stick around even after someone deletes the actual file. So, while a folder in which you’re interested no longer contains the data you want, you may be able to demonstrate that what’s in there now isn’t what was in there before. (And, if so, what’s missing.)
Address, which will live stream the speech along with charts and statistics to provide context and emphasize key points. During the speech, aides will be using Twitter to comment on the speech. You can participate in the Twitter feed by going @whitehouse with the hashtag #sotu.
communicate with her attorney about a law suit against such employer waived attorney-client privilege and allowed discovery of such e-mails and the introduction of such at trial. 
mortgage loan documents. The license agreement explicitly allowed access to the technology by "Originating Lenders" and Licensee's general counsel, an outside law firm. Licensee granted access to another law firm to prepare loan packages for Licensee.
patents in 2010. This is 31% more than was granted in 2009 and 29% more than granted in the next busiest year (2007). Granted applications took a big jump around 1998 when software patents began to be granted with more regularity (thanks, 
annoying "Smiling Bob" and a plethora of thinly disguised puns and props to indicate that the supplement would increase the size, durability and apparently the appearance of your external genitalia. Imagine our surprise when the makers and distributors were accused of deception, fraud and a number of other transgressions, including money laundering. During the investigation, the government compelled an internet service provider to release e-mails more than 180 days old without getting a warrant. The government relied on a provision in The Stored Communications Act 18 U.S.C. §§ 2701 et seq., which allowed for such shenanigans when the e-mails were of such an age.
night "raves" or for extended sexual encounters. In this case, the defendant Diaz attempted to sell Ecstasy to a police informant. A sale was made, an arrest ensued and Mr. Diaz's cell phone was taken from his person. An hour and a half later, back at the station, an investigator looked at text messages on the phone and found the text: "6 4 80". This apparently means that the defendant offered to sell six tablets for $80. The defendant was shown the text and promptly confessed..jpg)
application and 
programmers to try to promote the sale, play and mention of such CDs. UMG does not charge for the CDs but it does put notices on the CDs. 
r a long time (parts of five decades). I'm slightly nostalgic on this, the occasion of my becoming a ward of the state. This blog talks generally about technology and the law. This post will address technology in the law.
occasions
nd only special Word Perfect gurus knew how to use the "codes".
information) that the Stuxnet virus was the result of a nation state's activity to impact the Iranian nuclear development. Now it appears that we were probably correct. 