Running Interference in Digital Forensics

Let’s take a look at another interesting case worth talking about that involves digital forensics evidence files. It was an ongoing matter, actively engaged in litigation in the courts, that had stretched over several years. Truth be told, we hadn’t done much in the way of forensic analysis early in the case, imaging and analyzing the computers that had been in use. After looking at a contentious file, our analysis was able to determine that the file was not as old as had been purported. Additional findings from the analysis of the file led me to believe that the file had originally been an attachment in an email. When we inquired about the originating email, opposing counsel said that the original message and others had been lost in an issue with corrupted data in an email system. When pushed for additional details, they stated that their internal information technology staff had attempted recovery to no avail. Oddly, this explanation seemed to satisfy most parties in the matter, but it did not satisfy us nor counsel on our side. As a consequence, the judge in the matter became increasingly dissatisfied with the responses that were offered when our counsel kept inquiring in an effort to unearth the original copies of the emails or their accounts. Our counsel finally offered up our services in an effort to recover the missing email by allowing us access to the entire Exchange message database store. Doing so would hopefully not only clear up the matter at stake, but would seemingly also assist the opposing side (who wouldn’t want to recover their lost email?), yet they still refused.

Ultimately, after hearing the arguments and reaching a critical point of contention in the matter, the judge in the case compelled them to turn over a number of specific accounts and ordered that they be exported, given to our counsel and in turn to us. When we received the exported email (after an inordinate amount of time, which to us and counsel seemed to clearly be an additional stall tactic), the files provided were indeed corrupt. Something to point out at this stage in the process is that ordinarily, with the typical e-discovery approach, these corrupt email databases would likely have been glossed over, the emails themselves never making it out of their corrupt graves. However, our job was not, and typically is not, merely to produce readily available files: files that could be sitting in a My Documents folder, or sitting undeleted in the recycle bin, as with many e-discovery approaches. No, we instead rebuilt and indexed the corrupt, inoperable email database files (which ranged from 10 Gigabytes to 90 Gigabytes in size), culling not only all the whole emails available after the rebuild, but also going through the unallocated areas of the files, which typically yields the remnants (if not the whole emails) of messages that had been previously deleted. As you can probably gather by now, we dislike using a shotgun-blast method of data retrieval. Our goal is to help our clients win, therefore we prefer the sniper approach. What good is a pile of data that you have to sift through, when you can have someone who loves hunting for the smoking gun?
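To make the "unallocated areas" step concrete, here is an added illustration (not the tooling used in the case above, and not the firm's own code) of the core idea behind carving email remnants out of a damaged mailbox file: scan the raw bytes for runs of RFC 822 header lines, slice each message out up to the next header block or the first non-printable byte, and parse whatever survives, flagging messages whose tails were overwritten. The sample store, addresses, subjects and Message-IDs are all constructed; the header names the scanner accepts and the "body ends at a non-printable byte" rule are simplifying assumptions a real carver would generalize.

```python
"""Carve RFC 822 message remnants out of a damaged mailbox blob.

Hypothetical illustration: a signature-based carver for email fragments in
corrupt or unallocated mailbox data. Not the tooling described in the post.
"""
import re
from email import message_from_bytes
from email.policy import default

# A header block: two or more "Name: value" lines, then the blank line that
# separates headers from body. Only a handful of common header names are
# accepted here (assumption); a real carver would accept any field name.
HEADER_BLOCK = re.compile(
    rb"(?:(?:From|To|Subject|Message-ID|Date): [^\r\n]*\r\n){2,}\r\n"
)
# Body bytes we keep: printable ASCII plus CR/LF. Anything else (nulls, page
# padding, binary slack) is treated as the end of the remnant (assumption).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\r\n]*")

# Constructed sample store: an intact message, binary slack, then the remnant
# of a deleted message whose tail has been overwritten. Not real case data.
CORRUPT_STORE = (
    b"\x00" * 32
    + b"From: sender@example.test\r\n"
    + b"To: recipient@example.test\r\n"
    + b"Subject: Agreement draft v1\r\n"
    + b"Message-ID: <draft-1@example.test>\r\n"
    + b"Date: Mon, 01 Jan 2018 10:00:00 +0000\r\n"
    + b"\r\n"
    + b"First draft attached.\r\n"
    + b"\xff" * 16
    + b"From: sender@example.test\r\n"
    + b"To: recipient@example.test\r\n"
    + b"Subject: Agreement draft v2\r\n"
    + b"Message-ID: <draft-2@example.test>\r\n"
    + b"\r\n"
    + b"Second draft attached, revised wording in clau"  # overwritten tail
    + b"\x00" * 8
)


def carve_messages(blob: bytes) -> list[dict]:
    """Return one record per carved message, in file order."""
    starts = [m.start() for m in HEADER_BLOCK.finditer(blob)]
    records = []
    for i, start in enumerate(starts):
        # A message runs until the next header block or the end of the blob...
        end = starts[i + 1] if i + 1 < len(starts) else len(blob)
        chunk = blob[start:end]
        # ...but is cut short at the first non-printable byte.
        chunk = chunk[: PRINTABLE_RUN.match(chunk).end()]
        msg = message_from_bytes(chunk, policy=default)
        body = msg.get_payload()
        records.append(
            {
                "offset": start,
                "message_id": str(msg["Message-ID"]),
                "subject": str(msg["Subject"]),
                "body": body.strip(),
                # Heuristic: an intact body ends on a line break; a remnant
                # whose tail was overwritten usually does not.
                "complete": body.endswith("\n"),
            }
        )
    return records


def versions_by_thread(records: list[dict]) -> dict[str, list[str]]:
    """Group carved Message-IDs by a normalized subject (Re:/Fwd: prefixes and
    a trailing ' vN' marker stripped), so successive revisions of one thread
    can be read in order of appearance. The normalization is a constructed
    heuristic for this sample."""
    groups: dict[str, list[str]] = {}
    for rec in records:
        key = re.sub(r"^(?:(?:re|fwd?):\s*)+", "", rec["subject"], flags=re.I)
        key = re.sub(r"\s+v\d+$", "", key, flags=re.I).strip().lower()
        groups.setdefault(key, []).append(rec["message_id"])
    return groups


if __name__ == "__main__":
    for rec in carve_messages(CORRUPT_STORE):
        state = "intact" if rec["complete"] else "fragment"
        print(f"{rec['offset']:>6}  {state:8}  {rec['subject']}  {rec['message_id']}")
    print(versions_by_thread(carve_messages(CORRUPT_STORE)))
```

Run against the constructed store, the carver recovers one intact message and one fragment that a mailbox client would never display, and the grouping puts both revisions of the same thread side by side. Against a real multi-gigabyte store the same scan would be streamed in chunks and the header signature widened, but the recovery principle is the same: the data is still in the file even when the database that indexed it is broken.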

Returning to the case, the end results indeed yielded Gigabytes of usable email and tens of thousands of emails. Really this was no surprise given their large file sizes to begin with. Remember, these were emails that were no longer available; essentially they did not exist as far as what the other side in the case knew and/or represented. After completing our task, it was apparent that we were correct in our initial analysis of the lone file earlier on in the matter. The file in fact came from an email. This was something we surmised the other side was trying to obscure, given whom the email came from (another interesting subject involved in the case) as well as the suspicious timing of when it was sent. The original email attachment had been included in a number of emails and had numerous versions in play, which we could now see with the resurrected email database. These different versions essentially showed revisions that were somewhat telling in their progression, all of which played to allegations made by the side we were working for. After our analysis brought all of this to light, the findings were presented to the attorney whom we were working with, our mutual client and ultimately the court. As we prepared to testify as expert witnesses (which we regularly do), the opposing side decided they were now ready to “come to the table.” The two parties were then able to reach an agreement. This turn of events was in no small measure due not only to the information that we unearthed in our analysis, but also (and this is another important distinction from typical e-discovery) to the way that we were able to summarily dismiss the arguments and excuses presented by the opposing parties through our use of digital forensics. Our approach enables us to truly find, and interpret, the data found, not just report on what information is readily available.

This isn’t to say that the “smoking gun” is always found. In the world of forensics, definitive proof of wrongdoing is not always completely achievable. However, your chances are much higher using experienced experts who, quite frankly, are passionate about what they do. And this client’s story is just one of countless successful outcomes we’ve played an integral part in. Here we were able to find both the “smoke” and the “gun.” The old adage rings true: “where there’s smoke, there’s fire.”

*As I’m sure you’ll understand, the names of individuals and companies, as well as a few unnecessary details, have been left out in order to respect our client’s confidentiality.*