Five on Forensics Page 1 - Craig Ball
Five on Forensics
© 2002-2008 Craig Ball All Rights Reserved

requires litigants to grapple with forms of ESI—like backup tapes—traditionally regarded as
inaccessible, and computer forensics relies on information readily accessible to litigants, such
as file modification dates.

The principal differentiators are expertise (computer forensics requires a unique skill set),
issues (most cases can be resolved without resorting to computer forensics, though some
will hinge on matters that can only be resolved by forensic analysis) and proportionality
(computer forensics injects issues of expense, delay and intrusion). Additionally, electronic
discovery tends to address evidence as discrete information items (documents, messages,
databases), while computer forensics takes a more systemic or holistic view of ESI, studying
information items as they relate to one another and in terms of what they reveal about what a
user did or tried to do. And last, but not least, electronic discovery deals almost exclusively
with existing ESI; computer forensics tends to focus on what’s gone, how and why it’s gone
and how it might be restored.

When to Turn to Computer Forensics

Most cases require no forensic-level computer examination, so courts should closely probe
whether a request for access to an opponent’s machines is grounded on a genuine need or is
simply a fishing expedition. When the question is close, courts can balance need and burden
by using a neutral examiner and a protective protocol, as well as by assessing the cost of the
examination against the party seeking same until the evidence supports reallocation of that
cost.

Certain disputes fairly demand forensic analysis of relevant systems and media, and in these
cases, the court should act swiftly to support appropriate efforts to preserve relevant
evidence. For example, claims of data theft may emerge when a key employee leaves to join
or become a competitor, prompting a need to forensically examine the departing employee’s
current and former business machines, portable storage devices and home machines. Such
examinations inquire into the fact and method of data theft and the extent to which the stolen
data has been used, shared or disseminated.

Cases involving credible allegations of destruction, alteration or forgery of ESI also justify
forensic analysis, as do matters alleging system intrusion or misuse, such as instances of
employment discrimination or sexual harassment involving the use of electronic
communications. Of course, electronic devices now figure prominently in the majority of
crimes and many domestic relations matters, too. It’s the rare fraud or extramarital liaison
that doesn’t leave behind a trail of electronic footprints in web mail, online bank records and
cellular telephones. For further guidance on circumstances justifying direct access to an
opponent’s ESI, see, e.g., Ameriwood Ind., Inc. v. Liberman, 2006 WL 3825291 (E.D. Mo.
Dec. 27, 2006).

Balancing Need, Privilege and Privacy

A computer forensic examiner sees it all. The Internet has so broken down barriers between
business and personal communications that workplace computers are routinely peppered
with personal, privileged and confidential communications, even intimate and sexual content,
and home computers normally contain some business content. Further, a hard drive is more