Electronic Evidence: Where to Find the Smoking Gun

Posted by Lea C. Dearing on

The common lay person looks at a computer or smartphone and sees Microsoft Office files saved to a desktop. However, today’s modern computers and smartphones store a treasure trove of information just below the surface. This data could be helpful in your next trade secret dispute, collection case, or divorce matter.  All you need to know is where to look.

Many trade secret cases involve tracing information from point A to point B.  Most investigations will begin by looking at a User’s Sent Mail to see if the information was emailed outside the organization. Next, a Company may analyze the computer’s connection history to determine if a USB device or other portable storage device was attached. If so, a forensic examiner can generate a LNK file report, which may show what files were accessed by the User at the same time the USB drive was attached. This analysis shows what files may have been transferred to the USB or other portable storage device.

Another option is to look at a computer’s browser history.  From there, you can see if the User was going to file sharing websites like Dropbox or SharePoint.  You can also see if the User was accessing cloud based email applications like Gmail. 

All of this evidence can inform the Company about a User’s patterns and behaviors and potential avenues the User could have used to send or transfer information outside the organization. 

Smartphones can also provide excellent insight into a User’s activity. Request a report that compiles calls, SMS (text messages) and MMS (media messages, e.g., photos) messages into a single chronological report and you can get a comprehensive look into a user’s chain of communications in a relevant time period. Add to that, the email correspondence, the LNK file analysis and web browser history described above and you may be able to paint a compelling picture of data theft.

These same strategies can be used to find assets for collection or in a divorce matter where a party is suspected of having undisclosed assets.  You can look at internet browsing history to see what financial websites the User is accessing.  If the User goes to a Charles Schwab portal every month, you can guess he or she has an account there. Or, if the User is getting spam mail from a Bank, you may investigate if he or she has accounts at the institution. 

Another strategy is looking for deleted files. A forensic examiner can catalogue the information in a computer’s free space (and sometimes a smartphone’s too) to determine what files previously existed and have been deleted. That oftentimes is a cache of interesting data.  On occasion you will see documents that were deleted on or near a key date in your dispute. The content of those files may lead you to new information that the User did not want anyone to have access to.   

Unfortunately, some Users think they can avoid the disclosure of bad facts or evidence by simply deleting the information.  Depending on how tech savvy the User is, he or she may be successful in removing the information, but, it is rare that he or she can cover up the fact that they intentionally deleted or wiped data, as a forensic examiner can often detect that a wiping program was run.  Showing that a User altered or deleted data can be sufficient alone to get relief from a Court in many cases.  If a User runs wiping software on the content of a machine near a relevant date, or resets a smart phone to factory settings, that might be spoliation and might be dispositive of the legal claims.

When the smoking gun is electronic evidence, you must take steps to ensure the integrity of the data so that it is admissible in Court.  Therefore, it is important to preserve and protect the data before conducting the types of forensic analysis discussed above.  Every case is different and you should research the appropriate ways to preserve and collect the unique data you are handling in your particular case.  It is important to work with counsel who is knowledgeable and well versed in conducting investigations that involve searching for electronic evidence.  Otherwise, you may miss a golden opportunity to uncover the key evidence against your adversary.  In many circumstances, it is also a best practice to partner with a forensic expert.