The forgotten source of evidence
Forensic Focus - July 2010
Authors: Barry Foster and Jason Weir
Computer records and email in particular, have long been a vital source of evidence in both litigation and financial investigations. Much like burglars can wear gloves to prevent fingerprints being left at the scene of the crime, “forensically aware” people can take steps to permanently delete documents and email files from their local computer.
However, most people (parties to litigation, fraudsters, advisers and investigators) tend to overlook back-up tapes. If you created a document that you wanted to permanently delete, you would be conscious about the need to permanently delete the document from your workstation and the server, but would probably overlook the copy of that document sitting on the back-up tapes.
Even if you were aware of the back-up tapes, most people don’t have physical access to them, as good backup procedure dictates the tapes are stored offsite. It is also technically difficult to access and alter data on back-up tapes.
In most cases, back-up tapes are a critical source of evidence. The costs involved in restoring, extracting and analysing the data from them are significant (circa $3k per tape), but manageable if only one or two tapes need to be processed. However, it is not uncommon for even small to medium sized organisations to have approximately 50 back-up tapes that need to be looked at. The cost for some becomes prohibitive to finding all the evidence.
We’ve been conscious of this problem for some time and have now invested in a back-up tape processing facility that is the only one of its kind in New Zealand. This means you can now have back-up tapes processed for both investigation and discovery purposes, maximising your chances of finding that crucial piece of evidence without the high price tag.
The Deloitte Tape Discovery System is based on international best practice for electronic data discovery. It is an innovative application of technology that provides a timely and cost effective back-up tape processing facility to assist you with your discovery of an often overlooked evidence and business information source.
How it works?
Once we have the tapes in our possession we use the system to directly access the tape - as you would a CD or memory stick. We can then catalogue, index and extract data directly from the tape. The ability to filter the indexed data by file type, dates and systems is built into the system as is the ability to search the tape contents using keywords and phrases.
This allow greater speed and flexibility in the examination of the tape data, and therefore reduces the cost to about half of the traditional costs.
This technology also gives you a cost effective means of identifying the content of stored tapes that may not or may not be of value to your business. The cataloguing process identifies the volumes and tape sets as well as the systems that were backed up to a particular tape. Because of the innovative technology involved this is a very cost effective process, usually taking less than an hour per tape.