Search and Seize Orders – The Role and Responsibility of the Forensic Computing Specialist

March 1, 2003

“If it is envisaged that the respondent’s computers are to be imaged (ie the hard drives are to be copied wholesale, thereby reproducing listed items and other items indiscriminately), special provision needs to be made and independent computer specialists need to be appointed, who should be required to give undertakings to the court.” (CPR, PD 25)

Over the last year, since the introduction of the above footnote to the practice direction for Part 25 of the Civil Procedure Rules, there have been many interpretations of the way in which it should be implemented. The footnote, which was added in March 2002, contains the subtle change which introduced the suggestion that independent forensic computing specialists should attend the execution of a Search and Seize Order if it is anticipated that any computer resident evidence may be present; a practice that has long been advocated by many lawyers who recognised the potential benefits that can be brought to a case by properly obtained electronic evidence.

Who should retain the specialist

While there are several different interpretations of the footnote, many practitioners within the forensic computing community agree that, in practice, one of the most successful interpretations is for the forensic computing specialist to be retained by the supervising solicitor, rather than by the claimant.

When a Search and Seize Order is considered in its larger context, the logic behind the forensic computing specialist being retained by the supervising solicitor rather than by the claimant becomes more apparent. When a forensic computing specialist is hired by the claimant, he or she would typically perform all of the work including assisting with the drafting of the appropriate sections of the Order, imaging the computers during the execution of the Order and all of the analysis of the data obtained. This can lead to potential problems as the analysis of the data by the claimant’s forensic computing specialist must be overseen by, and all procedures performed explained to, the supervising solicitor to ensure that no material that is potentially privileged, or outside the scope of the order, is accessed. The delay that the explanation of procedures and supervision creates can often lead to material identified from the computers not being made available to the parties for a number of days. If the forensic computing specialist were to be retained by the supervising solicitor the requirement for this supervision, and subsequent delay, could be substantially reduced.

Wording of the order

Following the retention of a suitably experienced forensic computing specialist, the next step to consider is the wording of the Order in relation to computer-based data. This is an area that is often overlooked, but which can lead to major problems during the execution of the Order; a considerable amount of time could be wasted should any revisions to the wording of the Order be required and then need to be agreed upon by all of the parties involved. Although the forensic computing specialist would be retained by the supervising solicitor it is often best that the specialist is consulted during the initial drafting stage to ensure that the wording is appropriate to the situation likely to be encountered.

From the perspective of the forensic computing specialist the most appropriate wording of the Order will depend on certain factors including:

· Are the premises being searched business or residential (or both)?

· If business premises, in what sector does the business operate?

· If business premises, how many people are employed?

· If residential premises, how large is the family?

· How many computers are potentially located at the premises?

The location at which the Order is served has a considerable impact on how the forensic computing aspects of the execution are performed. If the premises are residential, the likelihood of encountering a computer network is negligible. However, other factors need to be taken into consideration, such as the presence of computers used by the respondent’s spouse or children, which are often hand-me-downs, and the possibility of encountering old computers which are no longer used, but still present in the house. If the premises are those of a business, the likelihood of encountering multiple computers connected together via a network with a server and some type of back-up device is high. Although network servers can often be imaged in the same way as most other computers, the benefits of this can sometimes be limited and, if a suitable back-up policy is in place, the optimal solution can often be to obtain back-up tapes covering an appropriate time period instead.

In addition to taking account of the location at which the Order is being served, it is important to ensure that it is worded in a way that ensures that appropriate assistance is available to the forensic computing specialist. For example, while it may be possible for a single person to complete the imaging of a small number of computers at a respondent’s home in a single day, three people may require two days to image all of the computers present in an office employing 50 people. As a general rule, an average desktop computer can usually be imaged in approximately 1 to 1½ hours.

The process of imaging a computer usually requires the removal of the outer casing of the computer (which should be explicitly mentioned in the Order) to allow access to the internal hard disk on which the data is resident. Numerous methods can then be employed by the forensic computing specialist to obtain a complete image of all of the data resident on the hard disk of the computer, including the connection of an external back-up tape drive, the connection of a second hard disk or the removal of the hard disk and subsequent connection to another computer. Following the connection of an external storage device, the computer is switched on and specialist software applications used to control the operation of the computer and generate the image of the data resident on the hard disk. The resulting image contains all of the data resident on the internal hard disk, including active and deleted files, file fragments, and other areas not normally accessible to a computer user, known as free and slack space.

This example paragraph refers to some of the important points:

“The respondent shall permit the Independent Computer Specialist to remove the outer casing of any computer or other electronic data storage device in order to copy all of the data resident thereon by use of the software programs “ENCASE” or “SAFEBACK” or by other means and shall supply him with all passwords or other information reasonably required by the Independent Computer Specialist in order to enable him to make such copies. The electronic copies will then be kept safely at the Supervising Solicitor’s premises.”

Not all potentially relevant data is confined to computers. Valuable information is also likely to be found on removable media such as floppy disks, CD-ROMs, and other electronic devices like personal organisers and mobile phones. The Order should also provide for this:

“The Respondent must also give the search party effective access to the computer disks, mobile telephones, telephones, personal organiser, or other electronic equipment situated on or accessible from the premises, with all necessary passwords and/or software and/or information to enable them to be searched and permit them to be searched.”

Other factors to consider

Prior to the execution of the Order, it is often useful for the forensic computing specialist to brief the searching party as to the potential types of removable media, or devices which may be encountered. This ensures that the searching party are able to identify any computer media that is found, and to alert the forensic computing specialist to its presence.

During the execution of the Order, the role of the forensic computing specialist is a broad one. In addition to identifying and imaging any computers and removable media, they are required to act as a link between the respondent, the searching party and the supervising solicitor on a technical basis and to explain any complex technical issues in such a way that all those involved can understand; for example the procedures involved in taking an image of a computer.

It is helpful if the forensic computing specialist is able to gain access to the search premises as early in the execution process as possible in order that any computer, or other potentially relevant media, can be identified and secured prior to the commencement of the imaging process. Again the benefit of the forensic computing specialist being retained by the supervising solicitor can be seen, as the specialist may be perceived as being independent from the claimant, and therefore potentially more likely to be allowed access prior to the commencement of the search of the premises.

Although it is technically possible to perform searches on the data resident on a computer during the execution of the Order to identify whether a particular computer contains relevant material, this should be avoided wherever possible. This is mainly because it would take too long – each computer present would be required to be manually searched in the presence of the supervising solicitor and lawyers for both the claimant and the respondent for any material which may be regarded as relevant. This process could easily take many hours to perform on a single computer as the volume of information which could be resident on a typical computer can be vast; when printed, the user-generated data alone could easily be enough to fill over 100 four-drawer filing cabinets. Should any relevant material be identified as a result of the search, the computer would still require to be imaged. There are many additional benefits to imaging the entire computer and subsequently performing a review of the data – for example, once imaged, forensic techniques can be used on the data obtained to access any deleted or encrypted files and to perform further searches to identify potentially relevant material.

Once an image of a computer has been generated, the media to which it is written should be verified to ensure that the imaging process has been completed successfully, and then sealed into an evidence bag with a copy of the “hash value” that is generated as part of the imaging process. This hash value can best be described as a digital fingerprint; the chances of two different images having the same hash value are virtually non-existent. The hash value can also be used at a later date to prove that the contents of the image have not been modified during the subsequent analysis.
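
The seal-then-verify use of the hash value described above, shown as an added example that is not part of the original article and does not represent how any named imaging product works internally. It goes one step beyond the text by also recording a hash per fixed-size segment, so that a later mismatch can be localised; SHA-256, the 64 KiB segment size and the function names are assumptions of this example.

```python
import hashlib
import io

SEGMENT = 64 * 1024  # bytes per segment (assumed value for this example)


def acquire(stream, segment=SEGMENT):
    """Read an image once and return the record to seal with the media."""
    whole, segments, size = hashlib.sha256(), [], 0
    while True:
        chunk = stream.read(segment)
        if not chunk:
            break
        whole.update(chunk)                       # hash of the entire image
        segments.append(hashlib.sha256(chunk).hexdigest())
        size += len(chunk)
    return {"algorithm": "sha256", "size": size, "segment": segment,
            "image_hash": whole.hexdigest(), "segment_hashes": segments}


def verify(stream, record):
    """Re-hash a copy; return (ok, [(start, end), ...]) of altered segments."""
    current = acquire(stream, record["segment"])
    if current["image_hash"] == record["image_hash"]:
        return True, []
    old, new = record["segment_hashes"], current["segment_hashes"]
    changed = []
    for i in range(max(len(old), len(new))):
        a = old[i] if i < len(old) else None      # None: segment is missing
        b = new[i] if i < len(new) else None
        if a != b:
            start = i * record["segment"]
            # End offset is nominal; the final segment may be shorter.
            changed.append((start, start + record["segment"]))
    return False, changed


def demo():
    # Constructed stand-in for a disk image: 300 KiB of patterned bytes.
    image = bytes(range(256)) * 1200
    record = acquire(io.BytesIO(image))           # at execution of the Order
    altered = bytearray(image)
    altered[200_000] ^= 0x01                      # a single flipped bit
    return (record,
            verify(io.BytesIO(image), record),    # untouched working copy
            verify(io.BytesIO(bytes(altered)), record))
```

In practice the record would be written out and sealed with the media, and `verify` would be run against the working copy after analysis.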

Following the completion of the execution of the Order, the respondent’s lawyers may request that they be provided with a copy of the images taken. This is a relatively simple task as the media on which the images are stored can usually be readily duplicated. This would usually be performed in the days following the execution of the Order.

In the event that the forensic computing specialist has been retained by the supervising solicitor, and is therefore independent of either party, the analysis of the computer images and other media can be performed at the forensic computing specialist’s offices without the need for the supervising solicitor to be present. Traditionally, where the forensic computing specialist is retained by the claimant, any analysis of the images taken would have to be performed in the presence of the supervising solicitor, and all of the procedures being performed would need to be explained – thus considerably lengthening the time taken to perform the analysis of the data.

The analysis of the data will enable all of the active, and recoverable deleted files to be extracted from each of the computer images, along with any e-mail correspondence and fragments of data. All of this data can be rapidly searched to enable material that is potentially responsive to be provided to the supervising solicitor for review prior to its dissemination to the parties involved. The forensic computing specialist will also be able to examine the computer data in order to identify any other information, such as details of the usage patterns of the computer, or other such information not specifically resident in a file, which may also be relevant to the investigation. It is also important to note that, although the entire computer would be imaged, only the data relevant to the Order would be supplied to the claimant in the same way as any other document identified. The forensic computing specialist would also restore any back-up tapes that were seized during the execution of the Order and search their contents in the same way as described for a computer. However, due to their nature, back-up tapes would not contain deleted files.

Following the provision of all potentially pertinent material obtained from the computer data, it is normal procedure for the forensic computing specialist to produce a witness statement, or affidavit, to submit to the court. This would give details of the specialist’s involvement in the execution of the Order, the methods used to create the images, and the procedures performed during the subsequent analysis, a short time after the completion of the execution.

Conclusion

In conclusion, it is envisaged that if the forensic computing specialist were to be retained by the supervising solicitor, rather than by the claimant, it could potentially both expedite the execution of a Search and Seize Order and ensure that all data obtained from the respondent’s computers is reviewed in an independent and timely fashion, and made available to the parties involved as quickly as possible.

Craig Earnshaw is head of the Forensic Computing Services Group at Lee & Allen Consulting Limited.