Destruction of evidence | Computer Forensics
Background:
We were approached by a legal firm. The defendant in an employment case had been required to surrender his laptop computer because the device was believed to contain important evidence. However, when surrendered the hard drive was discovered to contain operating system files and nothing else.
Concern:
To demonstrate if and how evidence had been removed from the hard drive.
Deloitte’s Actions:
• Deloitte took the computer into custody and acquired a forensic image of the hard drive.
• Deloitte also inspected the hard drive and computer for signs of tampering.
Deloitte’s Findings:
• Deloitte quickly found that time stamps on the operating system indicated that it had been 'installed' in 2003, and established that no other documents or applications had been installed on the computer.
• Deloitte decoded the manufacture date of the computer’s hard drive, and found out it had not been built until mid-2007. This demonstrated that the time stamps of the data on the hard drive were fake.
• Deloitte also examined the slack and unallocated spaces on the hard drive (unused areas of the disk where deleted and ephemeral data tends to accumulate over time) and found them to be completely clean. This indicated that the computer had not even been turned on after the operating system had been installed.
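The two checks behind the findings above, as an added Python example that is not from the case or from Deloitte's tooling: flag file timestamps that predate the drive's manufacture date, and scan the unallocated sectors of an image for any non-zero residue. The sector size, allocation map and all sample values are assumptions constructed for this example.

```python
from datetime import date, datetime

SECTOR = 512  # assumed sector size for the constructed image

def unallocated_extents(total_sectors, allocated):
    """Return (start, end) sector ranges not covered by any allocated extent.
    `allocated` is a list of (start, length) pairs, as a volume's
    allocation map would provide them (assumed input format)."""
    free, cursor = [], 0
    for start, length in sorted(allocated):
        if start > cursor:
            free.append((cursor, start))
        cursor = max(cursor, start + length)
    if cursor < total_sectors:
        free.append((cursor, total_sectors))
    return free

def dirty_unallocated_sectors(image, total_sectors, allocated):
    """Sectors outside allocated extents that hold any non-zero byte.
    A drive in normal use accumulates such residue over time; an image where
    this list is empty has unallocated space that is entirely clean."""
    dirty = []
    for start, end in unallocated_extents(total_sectors, allocated):
        for sector in range(start, end):
            chunk = image[sector * SECTOR:(sector + 1) * SECTOR]
            if any(chunk):
                dirty.append(sector)
    return dirty

def anachronistic_timestamps(records, drive_manufactured):
    """File records whose recorded time predates the physical drive's
    manufacture date: data cannot have been written before the medium existed."""
    return [name for name, ts in records if ts.date() < drive_manufactured]

# Constructed sample: a 16-sector image with two allocated extents, one stray
# byte of residue in the free area, an OS file dated 2003 and a drive built
# in mid-2007 (all values invented for this example).
IMAGE = bytearray(16 * SECTOR)
IMAGE[0:SECTOR] = b"\x55" * SECTOR                # boot sector, allocated
IMAGE[4 * SECTOR:5 * SECTOR] = b"\xAA" * SECTOR   # file data, allocated
IMAGE[9 * SECTOR + 10] = 0x41                     # residue in unallocated space
ALLOCATED = [(0, 1), (4, 2)]
RECORDS = [("os_kernel.bin", datetime(2003, 5, 2, 9, 15)),
           ("readme.txt", datetime(2007, 9, 1, 12, 0))]
DRIVE_BUILT = date(2007, 6, 15)

if __name__ == "__main__":
    print("dirty unallocated sectors:", dirty_unallocated_sectors(IMAGE, 16, ALLOCATED))
    print("timestamps predating the drive:", anachronistic_timestamps(RECORDS, DRIVE_BUILT))
```

On the constructed image the scan reports sector 9 as dirty; a wiped-then-installed drive like the one in the case would return an empty list.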
Results:
• Using an affidavit prepared by Deloitte, our client was able to demonstrate bad faith by the counterparties in the case. The case was thrown out, with costs in our client’s favour.
Comment:
Evidence modification and deletion is quite common in the cases we investigate. Fortunately, it is very difficult to destroy or modify files without leaving telltale traces. Even specialised 'evidence elimination' software leaves clear traces of its operation. Nevertheless, it is better to ensure that electronic evidence is acquired and secured as quickly as possible after it is identified as potentially relevant.