Why should I use a digital forensic examiner?

  • To access and maintain the integrity of the hidden metadata of e-mails and files that you may wish to enter as evidence;
  • To ensure that appropriate and proper techniques are employed to forensically acquire and preserve all the evidence that is present so that it will be admissible in a legal proceeding (Copying or "ghosting" a drive is not the forensic way!);
  • To prevent spoliation of evidence by properly and carefully handling all digital media, equipment, and software;
  • To start and maintain a Chain of Custody for the evidence;
  • To obtain an expert who has experience in a wide range of computer hardware and software (Since fundamental computer design and software implementation can be similar from one system to another, experience in one application or operating system area may be transferable to a new system.);
  • For an impartial and neutral examination of the digital media;
  • So that business operations will be affected only for a limited amount of time, if at all; and
  • So that any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.
  • Caution: Do not use your client's IT personnel, for they usually lack the forensic software, hardware, and training to prevent spoliation of the evidence.  (You don't want to lose your case because opposing counsel's forensic examiner shows the jury where your evidentiary files' dates have been changed, do you?)
  • Remember: A forensics examiner is much better at explaining the procedures employed to obtain your digital evidence and defending it against tampering charges than most attorneys and IT personnel.

Are there landmark cases involving e-discovery and digital forensics?

Yes, there are several cases that could be described as landmark cases involving e-discovery and digital forensics.  Although some are being appealed, the following cases are often referred to in talks and articles: 

  • Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., 2005 WL 67071 (Fla. Cir. Ct. Mar. 1, 2005)
  • Ernst v. Merck & Co. [Vioxx case]
  • Rowe Entertainment, Inc. v. William Morris Agency, Inc.
  • State of New York v. Marsh & McLennan
  • United States v. Microsoft [Anti-trust case]
  • United States v. Arthur Andersen, LLP, 374 F.3d 281 (5th Cir. 2004) [Enron case]
  • Worldcom, Inc., Securities litigation case, 2004 WL 1068032 (S.D.N.Y. May 13, 2004)
  • Zubulake v. UBS Warburg, LLC

More important cases will follow until the turmoil of this new field calms down and the courts offer clear directions.

Of general interest, although it is not considered a landmark case, the police identified the BTK Killer through the use of digital forensics.

What is "digital forensics"?

Digital forensics is the process for the preservation, extraction, analysis, and presentation of digital information for its use as evidence in a legal proceeding. Protecting the integrity of the information so that it can be admitted as evidence in a court proceeding is always paramount during the process.

“Digital forensics” started out as “computer forensics.” Today, digital forensics has grown to encompass computer forensics, media forensics, and network forensics. Forensic examination of computers has expanded to include many other processor-based devices; e.g., PDAs, cell phones, and digital cameras. However, the goal of digital forensics has remained the same — find useful information and collect it in a manner that ensures its admissibility as evidence.
