Examining electronically stored information

Many companies and individuals are regularly in the position where they wish to source Electronically Stored Information (ESI) from a third party during litigation. The process may occur through consent or may be in terms of a court order. The applicant should always consider the nature and the volatility of ESI as well as the format in which the data will be collected.

It is important to note that a simple “drop and drag” copy of data will not suffice should the relevant metadata of the ESI be in contention, and that such a copy limits the context within which the evidence can be interrogated. It is always suggested that a duly qualified digital forensic expert (DFE) attend to the physical collection of the data, or at the very least oversee the process and format of the sourced information. This will also be important where the relevant information may be located in various sources. Data can be held by a third-party service provider or on an external server, whilst the application for the information may be limiting, and as such very relevant information can inadvertently be excluded.
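The point about a plain copy and metadata, shown as an added example that is not part of the original article: the copy's content hash matches the original, yet its modification time does not. The file names, the timestamp and the use of `shutil.copyfile` as a stand-in for a simple copy are assumptions made for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

def record_metadata(path):
    """Capture the content hash and file-system metadata of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns}

def differences(original_record, copy_path):
    """Return the recorded fields that the copy fails to reproduce."""
    copy_record = record_metadata(copy_path)
    return [k for k in original_record if original_record[k] != copy_record[k]]

def demo():
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "agreement.txt")  # constructed sample file
        with open(source, "wb") as fh:
            fh.write(b"constructed sample document body\n")
        # Constructed "last modified" time: 1 January 2020 00:00:00 UTC.
        os.utime(source, (1577836800, 1577836800))
        before = record_metadata(source)
        plain = os.path.join(workdir, "agreement_copy.txt")
        # Assumption: copyfile stands in for a simple copy. Which timestamps
        # a real copy tool resets depends on the operating system and tool.
        shutil.copyfile(source, plain)
        return differences(before, plain)

if __name__ == "__main__":
    # Content and size survive the copy; the modification time does not.
    print(demo())
```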

Accordingly, the applicant should include a clause requiring that, where such data is held not by the respondent but by an independent third party, the applicant or their DFE must be advised of this in order to indicate the recommended processes and/or current practice in that instance.

In practice, the applicant and/or their attorney will supply relevant keywords, phrases or timelines (these may have been agreed on in the court application). Your application or agreement should provide that your DFE will then search the relevant sources to locate the relevant data.

It is recommended that the order or agreement make provision for the search to be conducted under the supervision of a delegated person from the respondent party and/or the relevant respondent him or herself. Your DFE will utilise forensic tools such as FTK or EnCase to access the relevant device or profile and run the keywords to search for any and all relevant data. This ensures that the respondent cannot question the integrity of the data at a later stage.

Internationally, the practice for preventing the investigator's actions from modifying or altering the digital evidence is to avoid accessing the original data directly as far as possible, and to access the data via a “write blocker” device instead. A write blocker is a software or hardware device which places the subject data in a read-only format and prevents any actions taken by the investigator from being written to the subject data.

Once the results are available, the parties present will confirm that they fall within the ambit of the order or agreement. What the applicant effectively has is a “snapshot”, better known as a bit-by-bit copy, of the data as it stands at that moment.

The applicant must bear in mind that relevant data may be deleted and that data recovery may be necessary on a particular device. The back-up and deletion protocols of the company or person from whom the data is sourced must also be taken into consideration when deciding whether more in-depth images are required to recover deleted data.

The DFE will then only extract the relevant data and make a forensic copy thereof. 

Depending on the directive from the client, a copy can be made available to the respondent as the case may be.

The forensic duplicates will be verified for integrity in the presence of the parties.

The data will be in forensic encrypted format and will be returned to the Digital Forensic Lab, which complies with all International Standards in line with due process for digital evidence (including the requirements of admissibility and authenticity in terms of the Electronic Communications and Transactions Act 2002).

The DFE will work on a working copy of the data so as to preserve the integrity of the duplicate original.

Following these simple guidelines will ensure that you have all relevant information and that your evidence is admissible during litigation.

Contributed by:

Cyanre - The Digital Forensic Lab (Pty) Ltd
Tel: + 27 (0) 12 664 0066 
