
Deleting Data

Mass File Deletion Isn’t Always Malfeasance

A recent civil case we supported reminded me of the difference between a cursory technical analysis and a full forensic analysis of a digital device. The issue in question was whether evidence of mass file deletion was evidence of malfeasance. Opposing counsel’s “expert” said it was; we disagreed.

Our Initial Analysis

In this case, we were working with an attorney whose client was accused of having many files that he was not supposed to have on his computer. The computer was placed under a preservation order by the courts, and he was prohibited from deleting any files on his computer.

We were asked to perform a forensic analysis of the computer to look for any files that the person wasn’t supposed to have or for any evidence that he had deleted files. Our examination turned up nothing of interest and no evidence that this person had deleted any files.

Opposing Counsel’s Expert Disagrees

On a Sunday night, after we had done our examination, we received a frantic call from the attorney. Opposing counsel’s forensic computer expert had written a report stating that he had found considerable proof that “hundreds of files” were deleted. Our client emphatically maintained that he had not deleted anything, so we reassured him that we would look into the report from the opposing expert.

The opposing expert stated that he had found an “evidence eliminator” that was used to destroy hundreds of files. We were shocked; our senior examiner had done a thorough examination and had found no evidence of malfeasance. We felt confident that our client had not deleted any files, and quickly returned to our lab to re-open the case.

Upon Further Analysis – The Whole Truth

The first thing our examiner found was that there were indeed around seven hundred files that had been deleted. How could we have missed that? We then looked for a file mentioned in the opposing expert’s report called “SymEraser,” and to our astonishment there it was, as we say in Texas, “Bigger than Dallas!” Wow, we started to doubt our findings. Before losing all hope, we quickly ran a Google search for “SymEraser.”

It turns out that “SymEraser” is a file included in Norton Antivirus, Symantec Antivirus, and various other Norton and Symantec packages that include antivirus software. It is not an “evidence eliminator”; it is a virus eliminator. OK, that’s not too bad, but what about all those files? There were definitely hundreds of deleted files. We re-examined them. They were all deleted from a folder called “virdef.” They were, in fact, virus definition files. Our client had not deleted them; Norton Antivirus had deleted them when it had updated the computer to a newer set of definitions! This was not a blatant act of human malfeasance, but rather an automatic function of a piece of software.

We had done our forensic examination, and had not found anything malicious or suspect. Opposing side’s expert had done his examination, and had found quite a lot. So what was the truth? The truth was that files were deleted during a time that our client was not supposed to delete files. The truth was that there is a software program called SymEraser, which eliminates things. That was the truth. Fortunately for our client, it was not the whole truth!
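The re-examination described above came down to asking where and when the deletions happened, not just how many there were. The following is an added example, not part of the original post or any tool the lab used: it groups deleted-file records by parent folder and marks folders whose deletions fall inside a short time window. The CSV layout, paths, file names and timestamps are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample of deleted-entry records (path, deletion time).
# Every path and timestamp here is invented for the example.
SAMPLE_CSV = r"""path,deleted_utc
C:\ExampleAV\virdef\defs0001.dat,2018-03-04T02:15:01
C:\ExampleAV\virdef\defs0002.dat,2018-03-04T02:15:01
C:\ExampleAV\virdef\defs0003.dat,2018-03-04T02:15:02
C:\ExampleAV\virdef\defs0004.dat,2018-03-04T02:15:03
C:\ExampleAV\virdef\defs0005.dat,2018-03-04T02:15:03
C:\Users\example\Documents\notes.txt,2018-02-20T14:02:10
C:\Users\example\Documents\draft.doc,2018-03-01T09:41:55
"""


def summarize_deletions(csv_text, burst=timedelta(minutes=5), min_files=3):
    """Group deleted entries by parent folder, largest group first."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        folder = str(PureWindowsPath(row["path"]).parent)
        groups[folder].append(datetime.fromisoformat(row["deleted_utc"]))

    total = sum(len(times) for times in groups.values())
    report = []
    for folder, times in groups.items():
        span = max(times) - min(times)
        report.append({
            "folder": folder,
            "count": len(times),
            "share": round(len(times) / total, 2),
            "span": span,
            # Many files removed from one folder within seconds is a lead to
            # check against that application's own update or cleanup activity.
            # It is not a conclusion about who or what deleted them.
            "tight_burst": len(times) >= min_files and span <= burst,
        })
    return sorted(report, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for entry in summarize_deletions(SAMPLE_CSV):
        print(entry["folder"], entry["count"], entry["share"],
              entry["span"], entry["tight_burst"])
```

A folder that dominates the count and shows a tight burst still has to be tied to a specific program through that program's own records before it goes in a report.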

If you’re in need of digital forensics support for a case involving IP theft, family law or criminal law, contact Flashback Data today. We’re the first private digital crime lab accredited under the same program as the FBI. We’ve helped hundreds of attorneys to preserve, analyze and understand the digital evidence in their case.


THIS POST WAS UPDATED AND REPOSTED ON 8/7/18

Digital Forensics for IP Theft

Digital Forensics for IP Theft Cases

Cases involving theft of intellectual property often hinge on the findings of a digital forensics analysis of specific digital media or devices. If your client suspects IP theft or has been accused of IP theft, here’s how an accredited digital forensics lab can help you with the case.

Flashback Data, LLC has supported plaintiff and defense attorneys on literally hundreds of IP theft cases. Based on our experience, a digital forensics lab may assist attorneys in a variety of ways.

Plaintiff’s Counsel

Step 1: Consultation

Our first involvement with a potential IP theft case is typically a phone consultation (30 – 60 minutes) to get an overview of the suspected theft, what evidence exists, what information was accessed or stolen and what media and devices are available for forensic analysis.

The most common example is a company that suspects a former employee downloaded a client list before leaving. We’ll want to know if the company still has that employee’s computer and/or cell phone, along with information about which system or systems contain the client list in question. This information will help us and you understand how a digital forensic analysis could support the case.

Step 2: Secure and Preserve The Evidence

Assuming there are digital devices or media to analyze, we’ll want to secure those devices as soon as possible. In the context of a digital forensics analysis, securing a digital device is more than just having physical control of it. We’ll also need to isolate that device from any computer networks, Bluetooth devices and wireless and cellular internet access. This should be done as quickly as possible to preserve any files that may be altered over time (purposely or not).

Step 3: Forensic Analysis

Our certified forensic examiners will analyze the devices in question to look for the specific evidence or activities that we discussed in the initial consultation. Depending on the devices, this can take anywhere from a few days to a few weeks.

Even if your in-house IT team has found evidence of theft, you may still need a certified forensic examiner to perform an analysis, especially if you expect the employee to contest the claims. A certified digital forensics examiner will proceed with the intent of creating a forensic report that is transparent, repeatable and can hold up in court. That means preserving evidence, following defined procedures and strictly documenting every step in the analysis.

Step 4: Report on Findings

We’ll prepare a formal report of findings that are clear and understandable to you, your client and any other parties in the case, including the judge.

Step 5: Litigation Support (as necessary)

As we noted above, one of the greatest values of a professional digital forensic analysis, especially from a certified crime lab, is that it can hold up in court even through adversarial cross-examination. Our examiners are experienced in explaining and defending their analysis in a formal deposition.

Defense Counsel

The main difference in supporting defense counsel vs plaintiff’s counsel is that an assessment has typically already been completed by the plaintiff.

Step 1: Technical Analysis / Consultation

Our initial focus with defense counsel in IP theft is to review any existing claims and help them understand the technical details of the evidence. Some common issues that we discuss with defense counsel are:

  • Who performed this analysis and does it appear to be professionally done? Can we trust the findings?
  • Help me translate the findings report into layman’s terms. What is this really saying?
  • My client has a different story than the one claimed by his employer. Could these findings support my client’s version of events?

Step 2: Forensic Analysis

Depending on how well the initial claims are substantiated, the defense may want to perform their own digital forensic analysis. In that case, we normally begin by helping counsel justify such an analysis and any associated discovery needs to the court. This includes things like helping to define what data is related to the case (producible) and what isn’t. We also help to define the “forensic protocol” for the analysis. This is a codified document agreed to by both parties that describes the series of steps that the forensic examiner will perform. Once we receive the device(s) in question, we follow a similar path to what we described above.

GET HELP TODAY!

If your client is involved in an IP theft case, Flashback Data can help. We were the first private digital crime lab accredited under the same program as the FBI and state labs, and we offer experienced examiners, personalized service and fast turnaround times.

We’ve completed thousands of digital forensics exams for hundreds of attorneys in IP theft, family law and other criminal and civil cases. Contact us for a free consultation about your case today.
