Chapter 7 COLLECTING AND USING ELECTRONICALLY STORED INFORMATION IN A FRAUD CASE

Jurisdiction: United States

Marion A. Hecht

Mark Michels

Kenneth Dante Murena

Evidence of fraudulent activity is needed to prove a case, and these days, evidence is often found in electronically stored information (ESI). Counsel and the forensic accountant should determine what evidence they require to support their investigation or claims, and then develop processes to ensure that (1) relevant data has not been altered, (2) the collected data accurately depicts information from the original source, and (3) the data meets the legal standards for its use in legal proceedings. This chapter addresses the processes, procedures and technologies used to preserve, collect and review ESI, and also focuses on ESI issues as they may arise in a bankruptcy case.

I. Identifying ESI

ESI can be located in many different places, some of which may not be immediately obvious. The following sources of data are among those that should be considered at the outset of a matter as possible data sources — a "wish list," of sorts — for counsel and the forensic accountant:

• company computers;
• shared network files;
• laptops and personal computers of key employees;
• all external media used, such as thumb drives and external hard drives;
• structured data, such as enterprise databases (SAP, Oracle, etc.);
• smaller databases and data files, such as QuickBooks and Excel;
• email communications, such as Gmail, Exchange, GroupWise and Lotus Notes (PSTs, OSTs, or NSFs);
• identification of all email addresses;
• website servers (internal and external);
• SharePoint, eRooms;
• social media (e.g., Facebook, LinkedIn);
• bank records — digital preferred in text-delimited format;
• online account access;
• remote access;
• mobile devices, smartphones, tablets and PDAs that include Palm, Handspring, iPad, Jornada, Cassiopeia, Clie, Visor, or Windows CE and/or Pocket PC devices;
• other digital media, such as CDs, DVDs, PCMCIA HDD, micro-drives, compact flash cards and digital hand-held devices;
• backup media;
• legacy platforms/applications;
• phone records;
• calendars;
• copy/fax machines with hard drives that store scanned or printed documents; and
• voice messages.

II. Collecting ESI

After ESI has been identified and preserved,128 a party should consider important ESI collection options, always keeping in mind the need to establish and document a data chain of custody. A party should also consider possible collection challenges, such as collecting ESI from the "cloud" or from mobile devices.

A. Leading Data-Collection Practices

Once counsel defines preservation scope, counsel and the forensic accountant should consider what data they need for the matter. These needs include the investigative fact-finding required for the matter and, if applicable, discovery requests from opposing and third parties. Counsel and the forensic accountant should develop a data-collection plan that includes identifying custodians from whom data are required and the location of those custodians' data. In some cases, the custodian may possess the data, but in other cases, custodian data may exist on centralized files or departmental files. Some of the data sources, such as personal computers and email, can be obtained fairly easily. Other data, though, may be more challenging to locate and collect.

Data collection is a multi-step process, and data should be collected in a manner that protects the integrity of the captured file(s) and has an associated chain of custody for ESI.

1. Checklist for Collection Planning

With that in mind, a party may consider the following checklist as part of its collection planning:

• Identify the likely custodians of data and the likely location of their data.
• Consider whether there are any noncustodial sources of data, like centralized departmental files and share drives that might contain relevant information.
• Determine whether any of the custodians or data locations pose any special challenges, e.g., are any of the custodians in remote locations? Is any of the data encrypted? Is the data on personal or home devices? Is voice data at issue? Do you need data from mobile devices/smartphones?
• Initiate a detailed chain of custody for each piece of evidence that is to be collected.
• Use industry-standard imaging tools that compare the image with a standard HASH value [more on HASH values below].
• Create a verification report for tracking purposes that records the collection specialists, the date and time of the image, the software and version used, and the HASH value of the data, as well as the hash value of the image.
• Create the image on encrypted, redundant drives to ensure that a second copy is usable in the event that a mechanical error renders one unusable.
• Complete a chain-of-custody form for each of the drives, noting the drive information, date and time, and location. If the drives need to be shipped to a central location for processing, never ship both drives together.
• Maintain a database or other tracking mechanism log for each piece of evidence handled. Be sure to include the unique identifier of the drive pair for later reference.
• Check the computer's date and time as maintained in the on-board BIOS (Basic Input/Output System) before returning the item to the custodian for a signature on the item's chain of custody. If the system clock is not consistent with real time, the timestamps in the metadata of files on that computer will be offset by the same error, and the examiner must account for it. Also note the time zone configured in the operating system when possible, and record any difference from the local time zone of the imaging exercise. Although this time-zone bias can later be determined from the collected registry files, it is helpful to make this determination while the source computer is still in the hands of the collection specialist.

2. Use of Forensic Skills to Collect Data

The term "forensic" can have many connotations. In this section of the chapter, the term is used to describe various techniques and procedures for capturing data that preserve the integrity of the original data and data source. Moreover, as noted previously, ESI can be altered or lost as it is being collected. Alterations during this process can lead to allegations of spoliation, thwart a party's effort to use data at trial, or impair a party's ability to use its own data for investigatory purposes.129

A party should employ someone skilled in data capture that can collect data in a forensically sound manner to decrease the threat of an unwanted alteration of data and to reduce these evidentiary concerns. Indeed, it is important to work with trained personnel who are well versed in capturing and handling data from a variety of data sources because different types of ESI require different techniques for capture. The computer forensic data collector will very often be called upon to testify about the procedures used to collect the data to ensure its evidentiary reliability.

Forensic data capture is more than simply "copying" computer data, because the former preserves not only the content of the electronic file in its original form, but also the "background" data about the file — the metadata — associated with the original file. The kinds of metadata that exist vary across file types. For example, the following are examples of just some of the over 100 metadata fields associated with an Outlook email message:

• To — RECIPIENT — addressee(s) of the message;
• From — FROM — the email address of the person sending the message;
• CC — CC — person(s) copied on the message;
• BCC — BCC — person(s) blind copied on the message;
• Date Sent — DATESENT — date the message was sent;
• Time Sent — TIMESENT — time the message was sent;
• Subject — SUBJECT — subject line of the message;
• Date Received — DATERCVD — date the message was received;
• Time Received — TIMERCVD — time the message was received;
• Attachments — ATTACHMENTID;
• Mail Folder Path — MAILPATH — the path of the message from the root of the mail folder; and
• Message ID — MESSAGEID — the Microsoft Outlook or similar unique message identifier.

Additionally, user-created files such as spreadsheets and documents can contain other critical metadata fields that can be affected and unintentionally altered by improper collection. For example, the metadata pertaining to the file's "last accessed date" and "created date" can be changed if the file is copied to a separate piece of media or from one file folder to another, potentially impeding a timeline analysis of that file. From the perspective of an internal investigation or potential litigation, information contained in many of these fields could prove critical to counsel and the forensic accountant in understanding the underlying facts in a matter, especially in one in which the timing of events or the creation of data are at issue. Therefore, it is imperative that the information be collected in a manner that does not alter or destroy this potentially key source of information.
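The following is an added example, not part of the chapter, that makes the preceding point concrete: it back-dates a constructed sample file, records its file-system metadata the way a collector should before touching it, and then copies the file twice, once with a content-only copy and once with a metadata-preserving copy, so the effect on the modification timestamp can be compared. The file name and contents are constructed for the demonstration. Note that even the preserving copy cannot carry over the inode-change or creation time, which is one reason a forensic image, rather than a copy, is the defensible record.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample: a "custodian" document with a known, back-dated
# modification time so that any change introduced by copying is obvious.
SAMPLE_NAME = "Q3_ledger_reconciliation.txt"  # hypothetical file name
SAMPLE_MTIME = datetime(2015, 6, 1, 9, 30, tzinfo=timezone.utc).timestamp()


def record_metadata(path):
    """Capture the file-system metadata a collector should log before handling a file.

    st_ctime is the inode-change time on POSIX and the creation time on Windows;
    neither survives a user-level copy, so it is recorded here only for the log.
    """
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "mtime": st.st_mtime,
        "atime": st.st_atime,
        "ctime": st.st_ctime,
        "mtime_iso": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }


def demonstrate_copy_effects(workdir=None):
    """Compare a naive copy against a metadata-preserving copy of the same file.

    Returns the three metadata records plus two booleans stating whether each
    copy kept the original modification time (1-second tolerance, since some
    file systems store coarser timestamps).
    """
    if workdir is None:
        workdir = tempfile.mkdtemp(prefix="esi_demo_")  # left in place for inspection
    src = os.path.join(workdir, SAMPLE_NAME)
    with open(src, "w") as fh:
        fh.write("account,debit,credit\n1010,2500.00,0.00\n")  # constructed content
    # Back-date the file so it resembles an old custodian document.
    os.utime(src, (SAMPLE_MTIME, SAMPLE_MTIME))
    before = record_metadata(src)

    naive = os.path.join(workdir, "naive_copy.txt")
    shutil.copyfile(src, naive)      # content only; the copy's timestamps are "now"
    preserving = os.path.join(workdir, "copy2_copy.txt")
    shutil.copy2(src, preserving)    # content plus mtime/atime and permission bits

    naive_meta = record_metadata(naive)
    preserving_meta = record_metadata(preserving)
    return {
        "original": before,
        "naive_copy": naive_meta,
        "copy2_copy": preserving_meta,
        "naive_copy_preserves_mtime": abs(naive_meta["mtime"] - before["mtime"]) < 1,
        "copy2_preserves_mtime": abs(preserving_meta["mtime"] - before["mtime"]) < 1,
    }


if __name__ == "__main__":
    result = demonstrate_copy_effects()
    for label in ("original", "naive_copy", "copy2_copy"):
        print(f"{label:12s} mtime={result[label]['mtime_iso']}")
    print("naive copy kept mtime:", result["naive_copy_preserves_mtime"])
    print("copy2 kept mtime:     ", result["copy2_preserves_mtime"])
```

Running the script shows the naive copy stamped with the current time while the preserving copy keeps the 2015 timestamp; the metadata record taken before either copy is the baseline a collector would place in the chain-of-custody log.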

3. Use of Technology to Collect Data

The specialist tasked with the forensic data collection will use a number of technologies and techniques designed to maintain the soundness of the data and to provide a thorough record of the collection process. For example, the collection specialist will use technology that applies a "HASH value" to the data as it is collected. A HASH value is the result of a calculation (a HASH algorithm) that can be applied to a string of text, an electronic file, or the entire contents of a hard drive.

HASH values are used to identify and filter duplicate files (e.g., email, attachments, and loose files) found in an ESI collection or to verify that a forensic image was captured successfully and completely. There are several kinds of HASH algorithms available for use. The MD5 algorithm (a unique 32-character hexadecimal representation) is often used by data-collection specialists. Once the value has been recorded, any alteration to the original data set will cause the hash value to change. This...
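As an added example, not part of the chapter, the code below carries out the two uses of hash values described here and produces the verification report called for in the collection-planning checklist above (collector, timestamp, tool and version, hash of the source, hash of the image). Because MD5 has known collision attacks, current practice records a second algorithm such as SHA-256 alongside it; the example computes both in one pass and treats the image as verified only when both agree. The "drive" contents, the tampered image, the collector name and the tool name are all constructed for the demonstration.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # 1 MiB chunks, so a multi-terabyte image never sits in memory


def _as_stream(obj):
    """Accept bytes or a file-like object and return something with .read()."""
    return io.BytesIO(obj) if isinstance(obj, (bytes, bytearray)) else obj


def hash_stream(source, chunk_size=CHUNK_SIZE):
    """Compute MD5 and SHA-256 of bytes or a file-like object in a single pass."""
    stream = _as_stream(source)
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(source, image, collector, tool, tool_version):
    """Hash the source medium and its image, compare, and build a verification report.

    'verified' is True only when both algorithms match, so a single flipped bit
    anywhere in the image is reported as a failed capture.
    """
    source_hashes = hash_stream(source)
    image_hashes = hash_stream(image)
    return {
        "collector": collector,
        "verified_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tool": tool,
        "tool_version": tool_version,
        "source": source_hashes,
        "image": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def find_duplicates(files):
    """Group file names by SHA-256 so duplicates can be filtered from a collection.

    `files` maps a file name to its bytes; only groups with two or more members
    are returned, keyed by the shared digest.
    """
    groups = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        groups.setdefault(digest, []).append(name)
    return {d: sorted(names) for d, names in groups.items() if len(names) > 1}


# --- Constructed sample data (not from any real collection) -------------------
SOURCE_DRIVE = (b"BOOTSECTOR" + b"\x00" * 502 + b"ledger.xlsx|invoices.pst|notes.docx") * 64
TAMPERED_IMAGE = bytearray(SOURCE_DRIVE)
TAMPERED_IMAGE[4096] ^= 0x01  # one flipped bit, as a failing write might leave behind


def demo():
    """Return a passing and a failing verification report for the sample drive."""
    good = verify_image(SOURCE_DRIVE, SOURCE_DRIVE, "A. Collector (constructed)",
                        "example-imager", "0.1")
    bad = verify_image(SOURCE_DRIVE, bytes(TAMPERED_IMAGE), "A. Collector (constructed)",
                       "example-imager", "0.1")
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean image verified:   ", good["verified"], good["image"]["md5"])
    print("tampered image verified:", bad["verified"], bad["image"]["md5"])
    dupes = find_duplicates({"memo_v1.docx": b"same bytes", "memo_copy.docx": b"same bytes",
                             "memo_v2.docx": b"revised bytes"})
    print("duplicate groups:", list(dupes.values()))
```

The report dictionary is what would be written to the evidence-tracking database beside the chain-of-custody form; keeping both digests in it means a later reviewer can re-verify the image with either algorithm.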
