THE BAR ASSOCIATION OF QUEENSLAND
Previous Issue
Issue 19: Aug 2007
About Us
HOME / Time Travel with Computer Forensics
FEATURE ARTICLE - Issue 19 Articles, Issue 19: Aug 2007

Time Travel with Computer Forensics

BY Hearsay
798 Views
time_travel_intro.jpg
Friday 22nd June, 2007
Time Travel with Computer Forensics

 

Introduction

Dealing with electronically stored information (ESI) as potential electronic evidence is a proposition that leaves most Barristers facing the daunting and somewhat unusual feeling of the unknown.  Some may even be jaded by past experiences with ‘technology experts’.

Computer forensics is readily defined as the process of identifying, collecting, analysing and presenting ESI for subsequent presentation as electronic evidence before a court of law2. However, the application of computer forensic principles extends beyond the ubiquitous personal computer.  For example, forensic examination is critical in examining activity on:

      1. Data storage devices such as universal serial bus (USB) keys and external hard drives;
      2. Computer networks and the Internet;
      3. Communication devices such as mobile phones, personal digital assistants (PDAs) and satellite navigation systems; and
      4. Consumer electronics such as digital cameras and portable media players with data storage capabilities, including the Apple iPod.

          time_travel_fingerprint.jpgIdentification and Collection of Electronic Evidence

          Computer forensic practitioners are recommended for consultation and/or engagement whenever ESI has the potential to be relied upon as electronic evidence.  Even the simple task of turning on a computer may result in substantial alteration or loss of data3. Such incidents also have the potential for an opposing party to put forward a claim of evidence spoliation.

          As part of the identification and collection process, a computer forensic practitioner may be engaged to assist in, and appropriately facilitate the execution of a search order,4 to conduct an otherwise court ordered forensic examination,5 or in the preliminary stages of disclosure where electronic documents and/or e-mails are required for review and production.6

          From an evidentiary standpoint, failure to engage a computer forensic practitioner with appropriate qualifications, legal knowledge and practical expertise to assist with electronic evidence may lead to:

          1. Reduction in the weight afforded to, or even worse – inadmissibility of key electronic evidence;7
          2. Provision of overly technical opinion founded on indecipherable jargon;
          3. Inability to implement an efficient electronic evidence methodology with regard to time and cost constraints;8
          4. Inability to efficiently deal with issues of electronic evidence accessibility,9 relevance,10  and privilege;11
          5. Exceeding jurisdictional and lawful scope — which can easily occur in the collection of electronic evidence from sources on disparate computer networks and the Internet;
          6. Causing substantial disruption to another party (e.g. a respondent in a search order) which may have adverse implications unless such actions are justified; and
          7. Compromising the overall integrity of your arguments at pre-trial conference and in the witness box.

          The quality of a computer forensic practitioner is measured by their well-rounded ability to provide strategic advisory and opinion, of a hybrid technical and legal nature, which facilitates the timely production of relevant electronic evidence to assist in resolution of the matter.

          Data Recovery

          As a general principle, with many exceptions, deleted data can still be recovered.12 In addition, data may still be able to be accessed if password-protected, encrypted or when initially and otherwise thought inaccessible. Computer forensics may assist in:

          1. Recovery of deleted electronic documents and e-mails;
          2. Recovery of deleted instant messaging (IM) communications; 13
          3. Recovery of archived e-mails and computers to verify completeness of disclosure;14  and
          4. Circumventing or ‘cracking’ password-protection and encryption measures.

          comp_lawbooks.jpgQuestions of Electronic Authenticity

          Today, over 90% of all business correspondence and documents subsist in an electronic form. The majority of e-mails and electronic documents are tendered as evidence with minimal question as to their authenticity.  ESI is essentially data, and data may be copied and appear identical to its source.  Consequently, questionable electronic documents, e-mails and even short message service (SMS) messages — in particular, those pertaining to contractual and/or financial agreements, are often put forward, even though forgery can be achieved with relative ease.  Computer forensics may assist to:

          1.  Verify the authenticity of,15  and any alterations or modifications to,16 an electronic document or e-mail, even in comparison to a hard-copy printout; and
          2. Trace the origin of e-mails — where the source is unknown,17 where defamatory,18  or spam (junk) e-mail.19

          Reconstruction of Electronic Events

          In the majority of cases where reliance is placed upon electronic evidence – computer forensics may also bring everything together to assist in the substantiation or dismissal of an allegation. Such situations may include:

          1. Responding to an incident where a computer has been used, directly or indirectly, to facilitate impropriety, suspicious or criminal activity;
          2. Investigating the leakage or theft of confidential information20 or intellectual property (IP);21
          3. The resolution of an employment dispute – where an employee is alleged to have inappropriately used a computer, the Internet or e-mail.22

          Closing Remark

          Technology often endeavours to provide greater efficiency in daily life; However, Barristers are spending more time dealing with ESI as part of their practice.  Possessing a basic working knowledge of electronic evidence, and its implications, is essential.  In addition, the engagement of a competent practitioner to act as a ‘technology translator’ can provide clarity upon your next encounter with electronic evidence.

          Seamus E. Byrne1

          Seamus welcomes any questions relating to electronic evidence, electronic disclosure/discovery or computer forensics via the Hearsay Forum or e-mail [sbyrne@vincents.com.au].

          In the next edition of Hearsay: The (Electronic) Disclosure Revolution — What you need to know regarding the proposed amendments to the Federal Court of Australia and Supreme Court of Queensland practice guidelines relating to electronic disclosure/discovery and litigation.

          Comment on this article in the Hearsay Forum Endnotes 

          1. Lawyer and Director, Forensic Technology with Vincents Chartered Accountants. His website is located at: http://www.seamusbyrne.com.
          2. Standards Australia, Guidelines for the Management of IT Evidence (HB 171-2003) (2003). Eoghan Casey, Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (2nd ed, 2004).
          3. Egglishaw v ACC [2006] FCA 819 [37]. See also: Egglishaw v ACC [2007] FCA 939.
          4. Seamus E. Byrne and Geoffrey Lambert, ‘Practice Direction Update: Search (Anton Piller) Orders in Queensland’ (2007) Proctor (Forthcoming).
          5. For example: Benzlaw and Associates Pty Ltd v Medi-Aid Centre Foundation Ltd & Ors (Order, Supreme Court of Queensland, Chesterman J, 5 June 2007).
          6. “Disclosure by production requires production of the original documents, electronically if the original was in electronic form or by hard copy if the original was in hard copy form” Shannon & Anor v Park Equipment Pty Ltd [2006] QSC 284, [7] (Atkinson J, 5/10/2006).
          7. This is prone to occur where an evidence ‘chain of custody’ has not been (or inadequately) documented, or where a practitioner engaged by a party has failed to comply with best practice guidelines pertaining to electronic evidence.
          8. Sony Music Entertainment (Australia) Ltd v University of Tasmania [2003] FCA 532.
          9. Questions as to the accessibility of electronic evidence may involve: Balancing the time and cost implications of recovering data from a backup tape based on its apparent probative value: BT (Australasia) Pty Ltd v State of New South Wales & Anor (No 9) [1998] 363 FCA (Sackville J, 9/04/1998). Dealing with legacy (i.e. superseded) computer systems which may contain ‘potentially relevant’ ESI: Davies & Anor v Chicago Boot Company [2006] SASC 241 (Lunn J, 22/06/2006).
          10. Kennedy v Baker [2004] FCA 562.
          11. GT Corporation Pty Ltd v Amare Safety Pty Ltd [2007] VSC 123. JMA Accounting Pty Ltd v Federal Commissioner of Taxation [2006] FCA 1519. Prescience Communications Ltd v Commissioner of Taxation Office [2006] FCA 1561.
          12. As stated, this is a general principle and recovery is dependent upon a large number of variables including the technological environment and whether the data was ‘merely deleted’ as opposed to being securely deleted or overwritten.
          13. Sony Computer Entertainment Aust Pty Ltd v Jakopcevic [2001] FCA 1520.
          14. Slick v Westpac Banking Corporation (No 2) [2006] FCA 1712.
          15. ACCC v IPM Operation and Maintenance Loy Yang Pty Ltd [2006] FCA 1777. ASIC v Loiterton & Ors [2004] NSWSC 172.
          16. Hudson Investment Group Limited v Australian Hardboards Limited & Ors [2005] NSWSC 716.
          17. Grant v Marshall [2003] FCA 1161.
          18. Boniface v SMEC Holdings Limited & Ors [2006] NSWCA 351.
          19. ACMA v Clarity1 Pty Ltd [2006] FCA 410.
          20. Australian Administration Services Pty Ltd v Korchinski [2007] FCA 12. Austress Freyssinet Pty Ltd v Joseph [2006] NSWSC 77. Portal Software v Bodsworth [2005] NSWSC 1179.
          21. Universal Music Australia Pty Ltd v Sharman License Holdings Ltd [2005] FCA 1242.
          22. Lewis v Toyota Motor Corporation [2001] AIRC 213.