Spoliation of Digital Evidence

Spoliation of Digital Evidence in Civil Cases

The most common issue in digital forensics for civil cases is spoliation.  Any evidence that one party negligently or intentionally destroyed or modified relevant information can have a huge impact on the outcome of a case.

Here’s how a digital forensics lab can help attorneys in cases where spoliation of digital evidence is suspected.

Secure the Evidence and Establish Chain of Custody

The first step in any forensic analysis is to secure the specific device or media.  In civil cases we’re often asked to collect digital devices at a company or residence.  Regardless of whether we’re collecting a desktop, laptop, mobile device or flash drive, our first step is to isolate the device from any network, cellular or Bluetooth connections.  We want to ensure that the devices in question cannot be modified or accessed on purpose or accidentally.

We will also document each device and begin a formal chain of custody.  This is a step that many people ignore or don’t do with enough attention to detail.  Each individual device AND piece of media must be documented by unique identifier.  If a computer has two hard drives, we will document the computer serial number and the serial numbers of each individual drive.  Similarly, a cell phone with an expanded SD memory card is actually two different pieces of media from a forensics perspective.   We will also document who had access to these devices up to that point (to the extent possible) and will formally document any change of control from that point forward.

Create a Verified Forensic Image

Once we have the devices in question at our accredited digital forensics lab, we will create a verified forensic image of each piece of media.  This is a technical, rigorously validated bit-for-bit copy of every piece of data on the digital media in question.  You can learn more about the term verified forensic image here.
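The following is an added example, not code from the original page or the lab's own tooling. It covers both the per-media chain of custody and the verified image described above, assuming that "verified" means the SHA-256 of the image matches the SHA-256 of the source media and that custody entries are hash-chained so later edits are detectable. The hash choice, log format, function names and serial numbers are all assumptions constructed for illustration.

```python
import hashlib
import io
import json

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash media in fixed-size chunks so multi-terabyte images never load into memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_image(source, image):
    """Return (match, source_hash, image_hash); one flipped bit anywhere breaks the match."""
    src, img = sha256_stream(source), sha256_stream(image)
    return src == img, src, img

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, media_serial, parent_device, holder, action, image_hash=None):
    """Append an entry that commits to the previous one (hypothetical log format)."""
    entry = {"media_serial": media_serial, "parent_device": parent_device,
             "holder": holder, "action": action, "image_hash": image_hash,
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def custody_log_intact(log):
    """Recompute every entry hash and link; any retroactive edit returns False."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or entry["entry_hash"] != _digest(body):
            return False
        prev = entry["entry_hash"]
    return True

def demo():
    # Constructed sample: 4 KiB stand-in for a drive, plus a copy with one bit changed.
    source = bytes(range(256)) * 16
    altered = source[:100] + bytes([source[100] ^ 1]) + source[101:]
    ok, src_hash, _ = verify_image(io.BytesIO(source), io.BytesIO(source))
    altered_ok, _, _ = verify_image(io.BytesIO(source), io.BytesIO(altered))
    log = []  # constructed serial numbers: one laptop and its internal drive
    add_custody_entry(log, "DRIVE-SN-0001", "LAPTOP-SN-0001", "Examiner A", "collected")
    add_custody_entry(log, "DRIVE-SN-0001", "LAPTOP-SN-0001", "Examiner A", "imaged", src_hash)
    intact = custody_log_intact(log)
    log[0]["holder"] = "Someone Else"  # simulate an after-the-fact edit to the record
    return ok, altered_ok, intact, custody_log_intact(log)
```

Calling `demo()` returns four booleans: the faithful copy verifies, the copy with one changed bit does not, the custody log validates as written, and it stops validating once an earlier entry is edited.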

Recovering Data and Any Changes To The Data

Once we have a forensic image, our examiners can start reviewing the data to look for information that is relevant to the case.  We can often recover files that have been deleted and identify who deleted the files and when.  We can also identify when files were updated or changed, and in some cases may be able to recover old versions of files.  In cases where we can’t recover deleted files, we may be able to document that a file was deleted by a certain person or at a certain time, which is often sufficient evidence for a spoliation claim.

We will always prepare a comprehensive report of our findings that can be easily understood by attorneys and court officials.

Devices With Physical Damage

In some cases, the devices or media in question are inoperable or inaccessible because of physical damage or password locks.  As an accredited digital forensics lab, we have extensive capabilities to recover data from damaged and inaccessible devices that most labs are unable to work with.

In one case with a failed hard drive, we were able to demonstrate that someone had used a sharp object to physically scratch the surface of an internal drive in hopes of destroying it.  In that case, we recovered the data and showed evidence of an attempt to destroy data.

Getting Help

If you need help with digital evidence in a civil case, contact Flashback Data today.  Our digital forensics lab is accredited under the same program as the FBI and state labs and we can recover data from more devices with shorter turnaround times than other labs.