As we have stated before, from time to time, we like to improve the content of this blog by getting input from subject matter experts in relevant fields.
Today, we are glad to include information from our friend Will Ambruzs, an attorney and computer forensics expert at Austin-based Flashback Data. Will graced the pages of this blog before with this post.
We asked Will to give us some inside information about where attorneys or others should look when they are seeking information for investigative or discovery purposes.
Here is what Will said:
Unlike paper, electronically stored information is everywhere. Unfortunately, it’s our experience that most attorneys don’t appreciate exactly how much of it is recoverable from computers. It’s literally a Chinese food menu. Sure, it’s not always important or cost-effective to review all of it, say, for litigation or each time a company fires a bad employee. However, most folks don’t know the menu well enough to even know the sorts of things they can order. The digital world is bigger than General Tso’s Chicken!
Here are 6 random things on the menu you may find interesting:
Email vs. Correspondence
Lawyers commonly want to look at email, but more often than not it turns out that looking at all communication would be more helpful. Because it turns out a bad employee at Company X also did a lot of text messaging at work. And online chatting. And instant messaging. And she also sent messages to clients and coworkers through LinkedIn and Facebook. And she frequently used her internet browser to send webmail through Yahoo! and Gmail. Unfortunately, preserving Outlook files and Exchange mailboxes doesn’t get this material.
Don’t Forget the Phone!
iPhones and Blackberrys have fast become like third kidneys when it comes to conducting business in the 21st century. However, folks tend to overlook them when thinking about electronic storage. The truth is phones can be excellent sources of data, not only because they’re designed to hoard data and sync with just about everything under the sun, but also because the privacy expectations of their users tend to be high.
For example, on a phone, our bad employee probably gets right to the point when communicating. Unlike computers, she’s not typing out heavily-syllabled, Shakespearean text messages with her thumbs. Consequently, remnants of communication are likely to be closer to the first cut of her thoughts, not the second or third.
There’s also a good chance she configured her phone to sync with email accounts at the company. There’s an even better chance she connected the phone each day to her work computer to charge the battery and keep her contacts and calendar synced. If so, there may be a treasure trove of backup files sitting quietly on her work computer. And since each file would represent a snapshot of the data on her phone at a particular time, things that were deleted from her phone many months ago may still exist in one of the backups.
Speaking of iPhone... Dynamic Text
Let’s face it, Apple’s business model is building gadgets that know you better than you know yourself. Apple’s gadgets learn about you, and to do this their gadgets have to store data.
One of the lesser known features of iPhone is its dynamic text database. Dynamic text is basically a repository iPhone uses to keep track of words and phrases you like to use when you type. That way the phone eventually learns to quit autocorrecting Alavert to slavery when, say, you keep texting others that you love Austin, but so do your allergies.
This can be a goldmine. Especially if text messages on the phone have been deleted and can’t be recovered. Reading entries in the dynamic text database that have been chronologically preserved is like listening to a conversation through a wall. It’s muffled, and some common words are omitted, but you get the gist and all the interesting parts are preserved:
wow.hate.Kevin.can.you.believe.arrogance.ugh.how.did.ever.become.Director.wait.until.he.finds.out.copied.all.company.passwords.hahahahaha.sounds.great.yessir.talked.to.James.he’s.leaving.company.with.us.said.downloaded.company’s.client.lists.from.database.no.difficult.yes.took.thumbdrive.with.him.said.will.email.everything.you.from.home.not.work.so.don’t.get.caught.haha.call.if.can.next.few.minutes.something.urgent.tell.you
When folks think of a computer, they tend to think of it as a collection of things that live on the computer. For example, the most common data recovery request attorneys make involves: (i) collecting all email and user-created files from a computer, (ii) processing them against an exhibit of keywords, and (iii) producing the responsive material to be reviewed by fellow attorneys.
Candidly, this is probably enough heavy lifting from an “80/20 rule” perspective, especially when processing large data sets. However, it’s created a mindset that gives little regard to activity on a computer. And sometimes that activity is interesting.
For example, say John receives a preservation letter from opposing counsel. Here we see it sitting in John’s My Documents folder. There’s nothing else interesting in the folder. However, looking at John’s activity on the computer, right after he gets the letter we see him go to Google.com and type “how to securely delete data” into the search bar. Then we see 20 minutes of John clicking a bunch of URLs. Uh oh, next he’s on a website selling a product called “Evidence Eliminator v4.0.” And next we see him buying Evidence Eliminator and downloading it. Oh snap – here he is running it! And here’s him poking around later in My Documents to confirm the files are gone.
Wow! You suspected the keyword searches of John’s computer came back a quart low. And while all of this activity may or may not explain it, it’s certainly interesting!
Speaking of file elimination, another good source of data can be the repositories used by software programs to keep track of recent documents. Microsoft Word has such a repository. So does Windows Media Player. These repositories won’t help you recover a wiped file, but they may help you substantiate that the file existed on the computer at some specific time in the past, or when files were accessed.
Forensic examiners frequently draw from this well in criminal prosecutions involving possession of child pornography. Defendant swears up and down he wasn’t aware of the illicit material. Or, if he was aware, that he looked at it once by accident several years ago and, upon realizing its nature, never looked at it again. Unfortunately, that’s not the same story Windows Media Player tells. It shows Defendant playing contraband files from multiple locations on a regular basis (e.g., from the hard drive, from a thumb drive, from his Blackberry via a USB cable, etc.).
Keeping with the deleted file theme, don’t forget about simple hidden artifacts like Thumbs.db. You ever open a folder in Windows and view the contents as thumbnail images? Thumbs.db is the hidden file used by Windows to store those ‘thumbnail’ images. Importantly, the data in the Thumbs.db file tends to stick around even after someone deletes the actual file. So, while a folder in which you’re interested no longer contains the data you want, you may be able to demonstrate that what’s in there now isn’t what was in there before. (And, if so, what’s missing.)
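The last three items above (activity on the computer after the preservation letter, recent-document lists, and Thumbs.db) all come down to the same examiner's move: merge artifacts from different places into one timeline, look at what happened after the trigger event, and compare what the artifacts say existed with what is on disk now. The script below is an added example, not something from Will's post or from Flashback Data; every artifact in it (the web history rows, the download, the executions, the recent-documents list, the Thumbs.db names and the current folder listing) is constructed sample data chosen to mirror the John story, and the dates, paths and the `WIPER_TERMS` keyword list are assumptions for illustration. In real work these rows come from the browser history database, prefetch files, application MRU lists and the parsed Thumbs.db, not from literals.

```python
"""Merge host artifacts into one timeline, flag activity after a trigger
event, and list files the artifacts reference that are no longer present.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime
    source: str   # which artifact the row came from (web, download, exec, ...)
    detail: str


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# --- Constructed sample artifacts (hypothetical, mirroring the John story) ---
PRESERVATION_LETTER_RECEIVED = ts("2011-03-14 09:02")  # letter saved to My Documents

WEB_HISTORY = [  # (visit time, url, page title), as a browser history db would hold
    ("2011-03-14 08:15", "http://news.example/", "Morning news"),
    ("2011-03-14 09:10", "http://www.google.com/search?q=how+to+securely+delete+data",
     "how to securely delete data - Google Search"),
    ("2011-03-14 09:31", "http://shop.example/evidence-eliminator", "Evidence Eliminator v4.0"),
    ("2011-03-14 09:33", "http://shop.example/checkout", "Order complete"),
]
DOWNLOADS = [("2011-03-14 09:35", r"C:\Users\john\Downloads\ee_setup.exe")]
EXECUTIONS = [  # (run time, executable), as prefetch records would show
    ("2011-03-14 09:36", "EE_SETUP.EXE"),
    ("2011-03-14 09:40", "EVIDENCEELIMINATOR.EXE"),
]
RECENT_DOCS = [  # (last-opened time, path), e.g. an application's recent-files list
    ("2011-02-28 16:20", r"C:\Users\john\Documents\Q4_forecast.xlsx"),
    ("2011-03-01 11:05", r"C:\Users\john\Documents\client_list.docx"),
]
THUMBS_DB = ["client_list.docx", "vacation.jpg", "PreservationLetter.pdf"]  # names cached in Documents\Thumbs.db
DOCUMENTS_NOW = {"PreservationLetter.pdf", "vacation.jpg"}  # what the folder contains today

WIPER_TERMS = ("securely delete", "eliminator", "wipe", "shred")  # assumed indicator keywords


def build_timeline() -> List[Event]:
    """Normalise every artifact source into Event rows and sort by time."""
    events = [Event(ts(t), "web", f"{url} ({title})") for t, url, title in WEB_HISTORY]
    events += [Event(ts(t), "download", path) for t, path in DOWNLOADS]
    events += [Event(ts(t), "exec", exe) for t, exe in EXECUTIONS]
    events += [Event(ts(t), "recent_doc", path) for t, path in RECENT_DOCS]
    events.append(Event(PRESERVATION_LETTER_RECEIVED, "file", "PreservationLetter.pdf saved"))
    return sorted(events)


def activity_after(timeline: Iterable[Event], trigger: datetime) -> List[Event]:
    """Everything that happened after the trigger event (the letter arriving)."""
    return [e for e in timeline if e.ts > trigger]


def wiping_indicators(timeline: Iterable[Event]) -> List[Event]:
    """Rows whose detail mentions a data-destruction term, case-insensitively."""
    return [e for e in timeline if any(term in e.detail.lower() for term in WIPER_TERMS)]


def referenced_but_missing(thumbs: Iterable[str],
                           recent_docs: Iterable[Tuple[str, str]],
                           present: Set[str]) -> Set[str]:
    """File names that Thumbs.db or a recent-documents list say existed
    but that are absent from the folder now."""
    referenced = set(thumbs) | {path.rsplit("\\", 1)[-1] for _, path in recent_docs}
    return referenced - present


if __name__ == "__main__":
    timeline = build_timeline()
    print("Activity after preservation letter:")
    for e in activity_after(timeline, PRESERVATION_LETTER_RECEIVED):
        print(f"  {e.ts:%Y-%m-%d %H:%M}  {e.source:<10} {e.detail}")
    print("Wiping indicators:")
    for e in wiping_indicators(timeline):
        print(f"  {e.ts:%Y-%m-%d %H:%M}  {e.source:<10} {e.detail}")
    print("Referenced but now missing:", sorted(referenced_but_missing(THUMBS_DB, RECENT_DOCS, DOCUMENTS_NOW)))
```

The point of keeping the sources in one sorted list is that the sequence (search, vendor page, purchase, download, execution) is the evidence, not any single row; a keyword hit on the search term alone proves little. The missing-file check is the Thumbs.db argument from the post in code form: it cannot recover `client_list.docx`, but it shows the folder once held something it no longer does.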