Sherlock Holmes in the Twenty-First Century: Definitions and Limits of Computer Forensics, Forensic Copies and Forensic Examinations

Sherlock Holmes in the Twenty First Century

If Sherlock Holmes were alive today, he would surely be a master of computer forensics. Just as he sometimes used his chemistry set in the 19th century to analyze clues, today he would use forensic software to examine digital devices. Holmes would know how to make forensic copies of computers, iPhones, thumb drives and other ESI storage devices, and would also know when not to waste his time doing so. No doubt Dr. Watson would be amazed at the evidence Holmes would sometimes uncover. The forensic examination of computers is an important tool in twenty-first century detective work, but it is no panacea. Sherlock Holmes of all people would know that it is not a substitute for clear thinking and rational deductions, and is not appropriate in every case.

Lots of trial lawyers do not really understand computer forensics, and are prone to think that a full-scale forensic examination of all computers is needed in every case. They want their tech guys to make “forensic copies,” work their mumbo-jumbo on each, and, like Sherlock Holmes, come up with an amazing and unexpected clue that solves the case. Sometimes this fantasy comes true, but only rarely. The attempt to search every bit and byte of every computer, including the deleted files and slack space, is expensive. Most experts agree that this kind of “deep dive” forensic examination work should be done sparingly, and is not needed in most e-discovery cases. Even when a special case suggests it may be needed, such forensic exams rarely produce the killer email that wins the day. The lawyer who uses this kind of full-scale forensics approach in every case is setting himself up for major disappointments and wasting his client’s money.

What is “computer forensics,” and the related terms, “forensic copy” and “forensic exam”? Let’s begin by defining “forensic copy,” which is fairly simple.  A forensic copy is an exact bit-by-bit copy of the entire physical storage media, including all active and residual data and unallocated space on the media. This is also sometimes called an “image copy” or “mirror image.” See The Sedona Conference Glossary: e-Discovery & Digital Information Management, The Sedona Conference Working Group Series, May 2005.

A forensic copy allows for a “forensic exam” of the copy. You do not examine the original because the act of examination would, in itself, change the original: merely mounting a drive read-write lets the operating system update timestamps and other metadata. (This is called the Heisenberg Principle of computer forensics.) That is why the copy is acquired through a write blocker and then verified by computing a cryptographic hash of both the original media and the image; if the two hash values match, the copy is shown to be exact and the original can be sealed away. In a forensic exam, all of the information on a disk is carefully probed and searched, even the otherwise hidden information: the deleted files, residual data, unallocated space, corrupted files, encrypted files (which can be identified and, if the key or password is obtained, decrypted). In a forensic exam, everything that is scientifically possible to restore and search is searched, including ESI classified as not-reasonably-accessible under Rule 26(b)(2)(B).

The definition of the more general term “computer forensics” is more challenging. It is not a specific procedure like a forensic copy or exam; it is an entire field of study or scientific discipline. The National Institute of Standards and Technology Special Publication (SP) 800-86, Guide to Integrating Forensic Techniques into Incident Response, provides an authoritative definition of computer forensics:

. . . the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way.  . . .

NIST explains how the process of computer forensics has four basic phases:

Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.

Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.

Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.

A well-known IT site provides another good definition of computer forensics:

Computer forensics, also called cyberforensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Forensic investigators typically follow a standard set of procedures. After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy.

Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a “finding report” and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.

The Sedona Conference Glossary also defines computer forensics:

Computer Forensics (in the context of this document, “forensic analysis”) is the use of specialized techniques for recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel, and generally requires strict adherence to chain-of-custody protocols.

A recent commentary by forensic expert Ken Zatyko in Forensic Magazine focused on the difficulty of defining what he called “digital forensics,” which for purposes of this article I consider equivalent to “computer forensics.” Ken Zatyko is a recently retired Air Force Lt. Colonel who was the director of the Department of Defense Computer Forensics Laboratory for many years, and is now an Adjunct Professor with Johns Hopkins University. Ken reviews several other definitions, as I have done, and then settles on his own definition that he urges others to adopt:

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

This is the best definition I have seen, and my personal favorite, perhaps because it includes “validation with mathematics,” a reference to my favorite subject in computer forensics, hash analysis (see the Blog Page above, HASH, and my law review article on this subject: HASH: The New Bates Stamp). In practice this means hashing the source media and the image at acquisition time and re-hashing the image before each examination, so that every later finding can be traced back to a copy proven identical to the original. Zatyko then goes on to delineate an eight-step forensics process:

1. Search authority
2. Chain of custody
3. Imaging/hashing function
4. Validated tools
5. Analysis
6. Repeatability (Quality Assurance)
7. Reporting
8. Possible expert presentation
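To make the difference between a forensic copy, a forensic exam and an ordinary file-level collection concrete, and to show what step 3 (imaging/hashing) actually checks, here is a small constructed example. It is added for this page and is not code from the article, from NIST SP 800-86, or from EnCase. The “device” is a made-up 8-sector byte string with a toy directory format invented here (one listed file, one file whose directory entry has been removed but whose bytes remain in unallocated space), so everything runs offline without a real disk or forensic tool.

```python
"""Forensic image vs. logical copy, with hash verification.

Constructed example added for this page; it is not code from the article, from
NIST SP 800-86, or from EnCase.  The "device" is a made-up 8-sector byte
string whose sector 0 is a toy directory (format invented here), so the whole
thing runs offline with no real disk or tooling.
"""
import hashlib
import math

SECTOR = 512  # bytes per sector in the toy layout


def build_sample_disk() -> bytes:
    """Constructed media: one listed file, one file whose directory entry is gone."""
    active = b"Quarterly report: nothing unusual to note."
    deleted = b"From: cfo@example.test\nSubject: wipe the backups before the deposition\n"
    sectors = [b""] * 8
    # Toy directory entry: "DIR <name> <start sector> <length>". Only the active
    # file is listed; the deleted one survives as bytes in unallocated sectors.
    sectors[0] = b"DIR report.txt 1 %d" % len(active)
    sectors[1] = active
    sectors[3] = deleted  # orphaned content: no directory entry points here
    return b"".join(s.ljust(SECTOR, b"\0") for s in sectors)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def forensic_image(device: bytes) -> bytes:
    """Bit-for-bit copy of the entire media (in practice dd/ewfacquire behind a
    write blocker): allocated, unallocated, slack, everything."""
    return bytes(device)


def verify_image(device: bytes, image: bytes) -> bool:
    """'Validation with mathematics': source and image must hash identically."""
    return len(device) == len(image) and sha256(device) == sha256(image)


def read_directory(device: bytes) -> tuple[str, int, int]:
    """Parse the toy directory in sector 0 -> (name, start sector, byte length)."""
    _, name, start, length = device[:SECTOR].rstrip(b"\0").split()
    return name.decode(), int(start), int(length)


def logical_copy(device: bytes) -> dict[str, bytes]:
    """What an ordinary file-level collection captures: only listed files."""
    name, start, length = read_directory(device)
    return {name: device[start * SECTOR:start * SECTOR + length]}


def allocated_sectors(device: bytes) -> set[int]:
    """Sectors referenced by the directory (plus the directory sector itself)."""
    _, start, length = read_directory(device)
    return {0} | set(range(start, start + math.ceil(length / SECTOR)))


def carve_unallocated(image: bytes, needle: bytes) -> list[int]:
    """The 'deep dive': search sectors no directory entry points at for a keyword."""
    skip = allocated_sectors(image)
    return [i for i in range(len(image) // SECTOR)
            if i not in skip and needle in image[i * SECTOR:(i + 1) * SECTOR]]


def browse_without_write_blocker(device: bytearray) -> None:
    """Models the 'Heisenberg' problem: mounting the original read-write lets the
    OS update metadata (here a made-up 'last accessed' byte in the directory
    sector), so the original no longer matches its acquisition hash."""
    device[SECTOR - 1] ^= 0x01


if __name__ == "__main__":
    disk = build_sample_disk()
    image = forensic_image(disk)
    print("image verified:", verify_image(disk, image))
    print("logical copy sees:", list(logical_copy(disk)))
    print("keyword hits in unallocated sectors:", carve_unallocated(image, b"wipe"))
    original = bytearray(disk)
    browse_without_write_blocker(original)
    print("original still matches image after browsing:",
          verify_image(bytes(original), image))
```

The logical copy returns only report.txt and never sees the orphaned message; the bit-for-bit image does, and a keyword carve over unallocated sectors finds it in sector 3. The last step shows why the examination is done on the verified image rather than the original: one touched byte of metadata and the original no longer hashes to the value recorded at acquisition.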

The various definitions make clear that “computer forensics” is a disciplined, scientific approach to electronic discovery and evidence validation. Computer forensics in this general sense should be followed whenever electronic evidence is involved in a legal proceeding, which in today’s world means almost every case. In that sense, the trial lawyer may need a person familiar with computer forensics on every case to supervise e-discovery activities. Trial attorneys must be able to verify that proper procedures, authenticity and chain of custody were followed in order for the ESI discovered to be admissible as evidence at trial. This is, however, a far cry from a full-scale Sherlock Holmes forensic examination of all computers. It is important for attorneys to understand the difference between forensics as a general discipline to lay a proper predicate for evidence, and forensic copying and forensic examinations as particular applications of this discipline, applications that are not necessary in every case.


One person who has a good grasp of this difference is John Patzakis. He is the General Counsel of Guidance Software, makers of EnCase, the forensics software tool used by over 80% of computer forensics experts. Although it might be tempting for him to push the over-use of forensics, he does not do so. He and his company are a class act, which is one reason I am pleased that John agreed to do a West-Thompson Webinar with me later this year: “Computer Forensics and E-Discovery.” We will be joined by another e-discovery attorney, a modern-day Sherlock Holmes of computers, Bill Speros, who also understands this distinction very well, and by a well-known forensic accounting expert, Frank Wu of Protiviti.

John Patzakis was interviewed in 2007 by Forensic Focus, a website for “computer forensics news, information and community.” John’s interview provides some good advice on the prudent and restrained use of computer forensics in e-discovery.

In general, eDiscovery tends to involve a “computer forensics-like” approach, if you will, where aspects of traditional forensics such as chain of custody, metadata recovery and preservation, documentation and reporting and an overall defendable process are central requirements. Aspects of traditional forensics that are generally not as important include full disk imaging, deleted file and file fragment recovery, and deep dive analysis involving various artifacts.

This reference to “traditional forensics” is what most people think of when they hear “computer forensics,” the expensive CSI-type criminal investigations where computer disks are imaged and forensic exams are performed to restore and search deleted files, file fragments, Internet cache, slack space, memory, and the like. A diagram providing a simple overview of the forensic examination process using EnCase software is shown below.

EnCase Forensics diagram

John Patzakis has written a very comprehensive treatise on electronic discovery law related to his company’s software tools and forensic-related issues called the EnCase Legal Journal (April 2007). At 143 pages and 446 legal citations, this is not your typical vendor white paper, and it is well worth reading and using as a reference. Section 9.5 of the Journal is entitled “Cost-Effective Searching of Data.” It pertains to my original point that many trial lawyers tend to over-use computer forensics and seek full-disk imaging and other “deep-dive” analysis in every case.

Collection and preservation of ESI must incorporate a defensible process that accomplishes the objective of preserving relevant data, including metadata, and establishing a proper chain of custody. With the right technology, these results can be achieved without full-disk imaging. However, full-disk imaging and deleted file recovery are emphasized by many eDiscovery vendors and consultants as a routine eDiscovery practice. While such deep-dive analysis is required in some circumstances, full-disk imaging is unwarranted as a standard eDiscovery practice due to considerable costs and burden. Large-scale, full-disk imaging is burdensome because the process is very disruptive, requires much more time to complete, and, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. . . .

Generally, courts will only require that full forensic copies of hard drives be made if there is a showing of good cause supported by specific, concrete evidence of the alteration or destruction of electronic information or for other reasons. Balboa Threadworks, Inc. v. Stucky, 2006 WL 763668, at *3 (D. Kan. 2006); However, “[c]ourts have been cautious in requiring the mirror imaging of computers where the request is extremely broad in nature and the connection between the computers and the claims in a lawsuit are unduly vague or unsubstantiated in nature.” Ameriwood Industries, Inc. v. Liberman, 2006 WL 3825291, (E.D. Mo. Dec. 27, 2006).

I wrote about the Ameriwood case in my blog, Employer Allowed to Mirror Employees’ Home Computers and Obtain Inaccessible ESI. Ameriwood was one of the first decisions in the country to employ the new inaccessibility analysis under Rule 26(b)(2)(B). Although the court in Ameriwood was cautious, it decided to allow the employer to make a forensic copy of the employee’s computer and search for otherwise inaccessible ESI, the deleted files and slack space. The court only allowed this kind of forensic imaging because the employer had made a special showing of good cause under Rule 26(b)(2)(B). The general rule is to be cautious and not allow such forensic exams absent a showing of good cause. Good cause can come in a variety of forms, but usually arises from suspicious circumstances that suggest spoliation, such as a story of a midnight hacker erasing all of your files, or the loss of a laptop with all of your records just before a deposition duces tecum.

In another case, Hedenburg v. Aramark American Food Services, 2007 U.S. Dist. LEXIS 3443 (W.D. Wash. Jan. 17, 2007), the court applied the general rule and denied the application for a forensic exam. The employer requesting the forensic imaging did not provide good cause as required under Rule 26(b)(2)(B). I wrote about Hedenburg in my prior blog, Forensic Fishing Expedition Rejected. This was an employment discrimination case in which the employer wanted a forensic copy made of the employee’s personal computers. The employer proposed that the copy then be examined by a computer forensic expert serving as a special master. The employer’s attorneys had an expansive view of computer forensics not warranted by the facts or the law.

In a move reminiscent of Inspector Lestrade, employer’s counsel provided no good reasons for the exam, and instead argued that such exams were common in these types of cases, and might lead to important clues. The Judge rejected the proposed forensics as a mere “fishing expedition.” Blind hope may be a fisherman’s credo, but it will not work in court, and is no substitute for the kind of cold logic and reasoned analysis made famous by Sherlock Holmes.

For more information on forensics check out the audio CLE I did for West Legalworks entitled: E-Discovery and Computer Forensic Investigations 101: When Does Your Case Warrant the Full “CSI” Treatment? With me on the panel for this 1.5 hour webcast were J. William Speros, Consultant and Principal, Speros & Associates LLC; Michael Michalowicz – Associate Director, Protiviti; and, John Patzakis, – Vice Chairman and Chief Legal Officer, Guidance Software.

4 Responses to Sherlock Holmes in the Twenty-First Century: Definitions and Limits of Computer Forensics, Forensic Copies and Forensic Examinations

  1. Aaron Gardner says:

    Rule 26(b)(2)(B) does not identify any particular class of data as inherently inaccessible, including deleted data or other data that is only available through forensic analysis as you defined it above. Rather, 26(b)(2)(B) refers to data that are “not reasonably accessible because of undue burden or cost.” It is easy to imagine that in a case involving only a few computers but where claims reach into the millions, any court would find the relatively low cost of forensic analysis would be well worth it if the requesting party could show good cause and an analysis under 26(b)(2)(C) favored the discovery in question. The point is that while the term “inaccessible” is useful shorthand, it doesn’t do justice to the letter of the rule, nor does it reflect the fact that 26(b)(2)(B) will be interpreted differently over time as technology changes. For example, the mere existence of such an excellent tool as EnCase means that deleted data are far more accessible (i.e., can be accessed with less burden and cost) than they would be otherwise.

  2. Ralph Losey says:

    You make a good clarifying point Aaron. I agree. It requires case by case analysis, but, as a general rule of thumb, full forensic exams are for locating data that are otherwise not-reasonably-accessible, and thus require a showing of good cause. See my many other blogs on Rule 26(b)(2)(B) for a more complete picture on the application and meaning of the new rule.

  3. […] files. I have discussed my rationale for this several times, including in two of my favorite blogs, Sherlock Holmes in the Twenty-First Century and “Book ‘em […]

  4. […] v. Broward County School Board, 916 S.2d 8 (Fl. 4th DCA, 2005). Also see my prior articles:  Sherlock Holmes in the Twenty-First Century and “Book ‘em […]
