What Every Lawyer Needs to Know About Computer Forensic Evidence in IP Litigation

Sid Leach
Snell & Wilmer LLP

University of Texas 11th Annual Intellectual Property Law Symposium
February 19, 2010

Computer Forensic Evidence in IP Cases


• Many business records reside on a
  company’s computers – e.g., trade secrets,
  invention disclosures, copyrighted software
• Since computer data is easy to copy, how do
  you detect when a departing employee
  copies computer files to take with him?
• How do you defend a case when a competitor
  accuses your new employee of copying his
  former employer’s computer files and using
  them at his new job?

Analysis of Someone’s Computer
•   What thumb drives were attached to PC
•   Files sequentially accessed – mass copy
•   What web sites were visited
•   What search terms were used on the Internet
•   Recover deleted files and folders
•   Read ex-employee’s personal email if PC was used
    to log onto personal account
•   Recover deleted email
•   Recover the last files printed with the PC
•   Recover last files copied to a CD-ROM
•   Attempts to access remote server
•   Programs installed on PC – even if no longer there
•   PDA files if PDA was synched to PC
•   Detect remnants of large files even if over-written

Internal records - user’s computer
•   File dates and metadata
•   Internet cache & Internet history file
•   Registry entries
•   Print spooler
•   Temporary files (CD-ROM burning)
•   System event logs
•   Individual program logs
•   Deleted files & remnants
•   MFT directory entries & remnants
•   Unallocated space and slack space
•   Email and attachments
•   Restore point

External records
• Servers
  •   Server logs
  •   Server file storage
  •   Backup tapes
  •   Email

• Other records
  •   Records kept by ISP
  •   Phone records
  •   Email recipients

Computer Forensics
• Takes advantage of the way computers
  store and retrieve information

• Takes advantage of the way computers
  operate and the information recorded
  during normal operation

• Software – EnCase Forensic by
  Guidance Software - recognized as
  reliable

Active Files

• Have metadata & dates
  •   Creation date
  •   Modified Date
  •   Access Date
  •   May have author or owner

• Have a location
  •   Folder
  •   Directory entry for file in Master File Table (MFT)
  •   Occupies storage space on hard disk

• Visible to user – Captured by backup

Internal Records - Metadata
    “[W]hen a party is ordered to produce electronic
    documents as they are maintained in the ordinary
    course of business, the producing party should
    produce the electronic documents with their
    metadata intact, unless the party timely objects to
    production of metadata, the parties agree that the
    metadata should not be produced, or the
    producing party requests a protective order. …
    [M]etadata is an inherent part of an electronic
    document, and its removal ordinarily requires an
    affirmative act by the producing party that alters
    the document.”

Williams v. Sprint/United Mgmt. Co., 230 F.R.D. 640, 652 (D. Kan. 2005)

Internal Records - Metadata

    “In light of the dubious value of metadata and
    plaintiffs’ total failure to explain its relevance to the
    claims and defenses in this action, plaintiffs’
    application to compel its production is denied.”

Kingsway Financial Services, Inc. v. PricewaterhouseCoopers, LLP, 2008 WL 5423316, at *6 (S.D.N.Y. 2008)

Date and Time
•   Computer stores date and time in binary based on
    PC internal clock – user sets time & time zone
•   Windows system – timestamp is an 8-byte number
    representing the number of nanoseconds since
    January 1, 1601.
•   DOS system – timestamp is a 4-byte value
    representing the number of seconds since
    January 1, 1980.
•   UNIX system – timestamp is a 4-byte value
    representing number of seconds since January 1,
    1970. (32-bit overflow on January 19, 2038)
•   NTFS (standard for Windows NT, Windows XP,
    Windows 2000 & Windows Vista) converts time to
    GMT regardless of time zone.
•   FAT (DOS & thumb drives) stores local time as
    shown by the system clock.
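The following is an added example, not part of the presentation, that decodes the three timestamp formats the slide names so an examiner can compare stamps taken from an NTFS volume, a FAT thumb drive and a UNIX host on one time line. Epochs follow the slide (1601, 1980, 1970). Two details a practitioner needs that the slide compresses: a Windows FILETIME tick is 100 nanoseconds, and the FAT/DOS value is two packed 16-bit words (date and time), which together make up the 4 bytes the slide refers to. NTFS stamps come back as timezone-aware UTC values; FAT stamps come back naive, because FAT only ever stored the local clock reading.

```python
"""Decode the timestamp formats named on the Date and Time slide.

Added example, not part of the original presentation.  Epochs follow
the slide (Windows: 1601-01-01, DOS/FAT: 1980-01-01, UNIX: 1970-01-01).
A Windows FILETIME tick is 100 nanoseconds, which the conversion uses.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """NTFS/Windows: 8-byte count of 100 ns ticks since 1601.  NTFS keeps this
    in GMT, so the result is an aware UTC datetime whatever the PC's zone."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_from_bytes(raw: bytes) -> datetime:
    """The same value as it sits in an MFT record: 8 bytes, little-endian."""
    return filetime_to_utc(int.from_bytes(raw[:8], "little"))


def dos_datetime_to_local(date_word: int, time_word: int) -> datetime:
    """FAT/DOS: a 16-bit date (years since 1980, month, day) and a 16-bit
    time (hour, minute, seconds/2).  FAT records the local clock reading,
    so the result is a naive datetime with no zone attached."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def unix_to_utc(seconds: int) -> datetime:
    """UNIX: seconds since 1970, read here as a signed 32-bit value."""
    if not -2**31 <= seconds < 2**31:
        raise OverflowError("value does not fit a 32-bit time_t")
    return UNIX_EPOCH + timedelta(seconds=seconds)


def unix32_rollover() -> datetime:
    """Last instant a signed 32-bit time_t can represent (the 2038 problem)."""
    return unix_to_utc(2**31 - 1)


if __name__ == "__main__":
    # Constructed values: the UNIX epoch expressed as a FILETIME, a FAT stamp
    # for 19 Feb 2010 14:30 local time, and the 32-bit rollover instant.
    print(filetime_to_utc(116444736000000000).isoformat())
    print(dos_datetime_to_local(15443, 29632).isoformat())
    print(unix32_rollover().isoformat())
```

The practical consequence for the copy scenarios on later slides: a file written to a FAT thumb drive and a file on the NTFS source volume that describe the same event differ by exactly the zone offset the PC clock was set to, so an examiner normalises both to UTC before comparing them.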

Creation Date

•   Creation date is the date that this specific
    copy of a file was created on this storage
    media and at this location.
•   Different copies of the same file can have
    different creation dates, even though the
    contents are identical.
•   Date file was downloaded or received as
    email attachment.
•   Exceptions – zip files & installed software

Modify Date
•   Modified date is the date that this file was
    last changed.
•   Contents of the file changed or file
    renamed.
•   Downloaded files – typically set to the date
    the file was downloaded.
•   Modify date before create date typically
    indicates copy as opposed to download.
•   Modify date the same as create date or
    after create date may mean downloading
    or email attachment.

Access Date & Time
•   Access date is the last time this file was
    accessed for any reason.
•   Access date of original file is changed when
    the file is copied. Files with close sequential
    access times may indicate mass copy.
•   Access time after create date may mean file
    was opened or viewed.
•   Access time is changed when a file is printed,
    opened, dragged and dropped in new folder,
    right-clicking, mouse hovers over file, file
    displayed as a thumbnail, some virus scans,
    some encryption software when file is
    unencrypted, etc.
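As an added example (not part of the presentation), the two heuristics from the Creation, Modify and Access slides applied to a file listing: a modify date earlier than the create date marks a copy rather than a download, and a run of files with access times only seconds apart is the mass-copy pattern. The record layout, the constructed sample listing and the 5-second window are assumptions of this example; the heuristics themselves are the slides' own. The clusters are leads for the examiner to review, not conclusions, because the slide lists several non-user actions (hover, thumbnail, virus scan) that also move the access time.

```python
"""Apply the Creation / Modify / Access date heuristics from the slides to a
file listing.  Added example, not part of the presentation.  The record
layout, the constructed sample and the 5-second clustering window are
assumptions of this example; the heuristics are the slides' own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def classify_origin(rec: FileRecord) -> str:
    """Modified earlier than created: this copy came into being after the
    content was last changed, i.e. it was copied from elsewhere.  Modified
    equal to or later than created: consistent with a download, an e-mail
    attachment, or a file authored in place."""
    if rec.modified < rec.created:
        return "copied from elsewhere"
    return "downloaded/received or authored here"


def find_mass_copy_clusters(records, window=timedelta(seconds=5), min_size=3):
    """Sort by access time and group files whose access times fall within
    `window` of the previous file; a run of at least `min_size` is the
    'close sequential access times' pattern the slide associates with a
    mass copy."""
    ordered = sorted(records, key=lambda r: r.accessed)
    clusters, current = [], []
    for rec in ordered:
        if current and rec.accessed - current[-1].accessed <= window:
            current.append(rec)
        else:
            if len(current) >= min_size:
                clusters.append(current)
            current = [rec]
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


# Constructed sample listing, not data from any real matter.
T = datetime(2010, 2, 1, 9, 0, 0)
SAMPLE = [
    # four files whose access times are seconds apart: the mass-copy pattern
    FileRecord("designs/widget_v3.dwg", T, T - timedelta(days=120), T + timedelta(minutes=30)),
    FileRecord("designs/widget_v4.dwg", T, T - timedelta(days=45), T + timedelta(minutes=30, seconds=1)),
    FileRecord("customers/accounts.xlsx", T, T - timedelta(days=3), T + timedelta(minutes=30, seconds=2)),
    FileRecord("src/pricing.py", T, T - timedelta(days=10), T + timedelta(minutes=30, seconds=4)),
    # an attachment saved and then opened on its own an hour later
    FileRecord("Downloads/agenda.pdf", T, T, T + timedelta(hours=1)),
]


def origin_report(records=SAMPLE) -> dict:
    """Path -> copy/download classification for every record."""
    return {r.path: classify_origin(r) for r in records}


def mass_copy_report(records=SAMPLE) -> list:
    """Paths in each suspected mass-copy run, for review against the
    access-time caveats on the slide (hover, thumbnail, virus scan)."""
    return [[r.path for r in cluster] for cluster in find_mass_copy_clusters(records)]


if __name__ == "__main__":
    for path, verdict in origin_report().items():
        print(f"{path}: {verdict}")
    print("suspected mass copies:", mass_copy_report())
```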

Deleted Files

• Computer is lazy when deleting
  •   Until reused, a file is completely recoverable

• File storage space
  •   Marked as usable – but not erased
  •   Storage space becomes unallocated space
  •   If file space is reused, information in MFT may still
      be available – file name & dates

• Directory entry for file in MFT
  •   Marked as usable – but not erased
  •   If the MFT entry is reused, the file itself may still be recoverable, but
      its dates and other metadata are lost

Slack Space

A cluster is the smallest amount of disk space on a hard drive that can be allocated to hold a file.

[Figure: one cluster drawn as a row of blocks, BBBBBBBB… followed by AAAAAAAA…; the file’s data fills the first part of the cluster, and the tail of the cluster, labelled “Slack Space”, still holds whatever was written there before.]

A file that does not completely fill the space available in a cluster leaves slack space that is not over-written.
The previous data written in the slack space remains as a file remnant, and can be detected by forensic software.

Unallocated Space
• Microsoft does not disclose details of how
  Windows determines what portion of unallocated
  space to use when storing a file.
   •   Therefore, cannot predict the location of the storage space
       that will be over-written in any particular instance
   •   Disk defragmenter may over-write space, but cannot predict
       what files may be moved, and where they will be moved

• Headers & Footers
   •   Some files are formatted to have a distinct start (header
       code) and a distinct end (footer code)
   •   Forensic software can scour hard drive to find these headers
       and footers

• Some files are clear text, and some require a
  particular program to read them (Excel
  spreadsheet, mailbox file, etc.)
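The following added example (not part of the presentation, and not EnCase code) builds a small disk image to show both the Slack Space and the Unallocated Space slides at work: a new, smaller file is written over a cluster, leaving the previous occupant’s bytes in the slack, and two deleted files sitting in unallocated clusters are recovered purely by scanning for their header and footer codes, without any directory entry. The image, its 4096-byte cluster size, the allocation map and the three file contents are constructed here; the JPEG and PDF start/end markers are the real ones for those formats.

```python
"""Slack space and header/footer carving on a constructed disk image.

Added example, not part of the presentation and not EnCase code.  The
image, its 4096-byte cluster size, the allocation map and the three
'files' are all constructed here; the JPEG and PDF start/end markers are
the real ones for those formats.
"""
from __future__ import annotations
import re

CLUSTER = 4096

# Formats with a distinct header and footer, as the Unallocated Space slide describes.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed file contents, not real documents.
OLD_MEMO = (b"CONFIDENTIAL design memo: widget tolerances are 0.01 mm. " * 80)[:CLUSTER]
NEW_NOTE = b"Grocery list: milk, eggs, bread.\n" * 8                       # 264 bytes
OLD_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-sample-bytes-" * 300 + b"\xff\xd9"  # 5410 bytes, spans 2 clusters
OLD_PDF = b"%PDF-1.4\n%constructed sample\n" + b"0 obj <<>> endobj\n" * 40 + b"%%EOF"


def build_image() -> tuple[bytes, dict[int, int]]:
    """Four clusters plus the allocation map (cluster -> size of the live file in it).
    Cluster 0 held OLD_MEMO until NEW_NOTE was written over its first 264 bytes.
    Clusters 1-2 held OLD_JPEG and cluster 3 held OLD_PDF; both were deleted, so
    nothing references them any more, but their bytes were never erased."""
    img = bytearray(CLUSTER * 4)
    img[0:CLUSTER] = OLD_MEMO
    img[0:len(NEW_NOTE)] = NEW_NOTE
    img[CLUSTER:CLUSTER + len(OLD_JPEG)] = OLD_JPEG
    img[3 * CLUSTER:3 * CLUSTER + len(OLD_PDF)] = OLD_PDF
    return bytes(img), {0: len(NEW_NOTE)}


def slack_of(image: bytes, cluster: int, live_size: int) -> bytes:
    """Bytes between the end of the live file and the end of its cluster: the
    previous occupant's remnant, which the file system never touched."""
    return image[cluster * CLUSTER + live_size:(cluster + 1) * CLUSTER]


def unallocated_clusters(image: bytes, allocation: dict[int, int]) -> list[int]:
    """Cluster numbers that no live file claims."""
    return [c for c in range(len(image) // CLUSTER) if c not in allocation]


def carve(image: bytes) -> list[dict]:
    """Find every known header, then the nearest matching footer after it, and
    report each hit with its byte offset and length.  The allocation map is
    ignored on purpose: carving needs no directory entry."""
    hits = []
    for kind, (head, foot) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            end = image.find(foot, m.end())
            if end != -1:
                hits.append({"type": kind, "offset": m.start(),
                             "size": end + len(foot) - m.start()})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    image, allocation = build_image()
    print("slack behind the live note starts with:", slack_of(image, 0, allocation[0])[:40])
    print("unallocated clusters:", unallocated_clusters(image, allocation))
    for hit in carve(image):
        print(hit)
```

The carved JPEG is found even though it straddles two clusters, because the scan runs over the raw image rather than the directory; the PDF is found the same way. The memo remnant in cluster 0 survives only because the new note was shorter than the cluster, which is exactly the slack-space case the slide describes.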

Master File Table
• Includes information about folders, the
  location of files, and dates
  •   Folders that previously existed on the hard drive
      may be detected and possibly recovered if MFT
      data has not been over-written, even if the file
      itself has been over-written.
  •   Date information for folders and deleted date of
      files may be obtained.

• Windows file systems
  •   NTFS used since Windows NT
  •   FAT is old system used by DOS, still supported by
      Windows. Different versions exist, such as FAT16
      & FAT32

Link Files
• Link files, or “.lnk” files, are shortcuts
• A link file identifies its target file, and where the
  target file was located, including the logical drive
• A link file is created when a file is opened on a
  thumb drive. Thus, a link file is evidence that a
  file was on the thumb drive (and may be
  additional evidence that file was copied to thumb
  drive)
• Link files may provide evidence of documents
  and programs that were once on the computer,
  but have since been deleted.
• Link files include their own date of creation, so
  they may reveal when the target file was opened.

Recycle Bin
• When a file is deleted in Windows, the file is
  typically sent to the recycle bin. A file can be
  easily restored back to where it was if it is still in
  the recycle bin.
• Files remain in the recycle bin until the recycle
  bin is emptied, or until the recycle bin is opened
  and the file is manually deleted from the recycle
  bin.
• Windows has to maintain records for files in the
  recycle bin, in case the user wants to restore the
  file. Windows maintains a record of all of the files
  that have been in the recycle bin, including those
  manually deleted from the recycle bin, until the
  recycle bin is emptied.

Recycle Bin
• A file in the recycle bin cannot be opened while it
  is in the recycle bin.

• A record is kept of the date the file was “deleted”
  as long as it remains in the recycle bin.

• Files in the recycle bin include a date accessed.
  Initially, it is the same as the date deleted. The
  date accessed can be changed if a user right-
  clicks on the file (to see its properties), or hovers
  the mouse over the file.

• The date modified and date created are
  unchanged when a file goes in the recycle bin.

Registry Entries
• The registry is a database that contains hardware
  and software settings for a Windows computer.

• Windows stores information that identifies every
  thumb drive and external storage device
  connected to a USB port, including the last date
  it was connected.

• MRU lists for some programs store the names of
  files that were opened with the program.

• Entries in the registry may show software that
  was once installed on the PC, but is no longer
  present (e.g., wiping software)

Registry Entries

• History of changes may be maintained in
  the registry file in order to facilitate restore
  points.

• Windows Vista allocates hard drive space
  to maintain a copy of files for a restore
  point. Data and files previously existing on
  a hard drive may be easily recovered
  simply by restoring Windows Vista to a
  previous restore point.

Other File Copies
• When a file is printed, a copy of the file is sent to the print
  spooler, so the PC is not locked up while the document is
  printing. The last files printed will still be in the print
  spooler and can be recovered.
• When a CD-ROM is burned, a temporary copy of the file is
  typically made to facilitate the process. The last files
  burned to a CD-ROM will often still be on the PC and can
  be recovered.
• Many software programs automatically create temporary
  files so that the document the user was working on can be
  recovered if the program terminates abnormally. These
  files will often still be on the computer and can be
  recovered.
• If the user synched a PDA to the PC, the files from the
  PDA will still be on the PC and can be recovered.

Internet History
• Records the websites that were accessed.

• Includes a record of search terms used to search
  the Internet.

• Includes records of files downloaded by web
  pages.

• Records access to local files when the web
  browser is used to view a local file on the PC.

• Internet history is deleted at intervals, and the
  data may be lost if not preserved.

Internet Cache
• Includes copies of files actually downloaded when a web
  page was viewed. Even if a web page has been changed,
  the appearance of the web page at the time the user
  viewed it can be reconstructed from the files in the
  Internet cache.

• Files are downloaded even if the web page is off screen or
  the browser is minimized.

• Files may be in the Internet cache, even if no record
  remains in the Internet history.

• Files in the cache have a date created and a date
  accessed. Date created can provide evidence of when
  the web page was first viewed. However, accessed date
  does not necessarily mean accessed by the user.

Event Logs
• Windows system logs
   •   Windows keeps a record of errors and significant
       events.

   •   Some log records indicate human activity, e.g., user
       login, program crashed, etc.

• Individual program logs
   •   Some programs use the Windows system logs, but
       others maintain their own separate log files.

   •   Individual programs may record significant events,
       such as download successful, download unsuccessful,
       dial-up connection successful, chat logs, etc.

Email
• Microsoft Outlook
   •   Creates a “pst” file where electronic copies of email
       communications, including attachments, are stored on the
       hard drive. Attachments can be easily matched up with
       emails using the “pst” file.
   •   When an email is deleted, it is normally moved to the
       “Deleted Items” folder, and remains there until the user
       empties the “Deleted Items” folder. Even after the “Deleted
       Items” folder is emptied, deleted emails may still be
       recovered from the “pst” file’s own unallocated space if they
       have not been over-written.

   •   A deleted “pst” file can be recovered and rebuilt from
       unallocated space like any other file if it has not been over-
       written.
   •   Password protected and encrypted “pst” files can be easily
       opened with forensic software like EnCase.

Email
• Outlook Express
   •   Creates a “dbx” file where electronic copies of email
       communications, including attachments, are stored on the hard
       drive. Emails sent or received using Outlook Express can be
       recovered, including deleted emails.

• AOL
   •   Emails sent or received using AOL can be recovered, including the
       contents of the user’s personal file cabinet.

• Web mail
   •   Hotmail, Netscape, and Yahoo! use HTML web pages instead of a
       standard email application. Although there is no single location for
       the remnants of these types of web mail usage, there are artifacts
       that can be used to recreate web mail viewed using the target
       machine.

• If the user used his company computer to log on and read
  personal email, his personal email messages can be recovered
  and reconstructed.

Anti-Forensic Software
• Wiping software is widely available to completely
  over-write slack space and unallocated space on
  a hard drive. It has legitimate uses, e.g., when a
  PC is donated to charity, or reassigned to
  another employee.

• The use of wiping software can be detected. The
  registry file will usually contain records showing
  that wiping software was installed on a PC, even
  if it has been subsequently uninstalled. Most
  wiping software will write a characteristic pattern
  on the wiped space that can be identified. The
  accessed date of the wiping software program
  file will identify when the program was last run.
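As an added example (not part of the presentation), the following scan looks for the characteristic fills that the slide says wiping software leaves on the wiped space: blocks that are all zeros or a short repeating byte pattern, with a byte-entropy figure alongside to separate them from live data. The image, its 4096-byte block size and the fill patterns are constructed here. One caveat an examiner applies: space that was never written is also zero-filled, so a zeroed run is evidence of wiping only when other records (the registry entries and program file dates the slide describes, or the unallocated clusters one would expect to hold deleted-file remnants) show the space was used before.

```python
"""Find regions of a disk image that carry the uniform fill patterns wiping
tools leave behind.  Added example, not from the presentation; the
constructed image and the 4096-byte block size are assumptions.
"""
from collections import Counter
import math

BLOCK = 4096


def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for one repeated byte, close to 8
    for compressed, encrypted or random data, and in between for text."""
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def repeating_period(block: bytes, max_period: int = 16):
    """Smallest period p <= max_period such that the block is block[:p]
    repeated, or None if the block is not a short repeating fill."""
    for p in range(1, max_period + 1):
        if block == (block[:p] * (len(block) // p + 1))[:len(block)]:
            return p
    return None


def classify_blocks(image: bytes, block: int = BLOCK) -> list:
    """Label each block (offset, label): 'zeroed', 'pattern' (short repeating
    fill) or 'data'."""
    labels = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if not any(chunk):
            labels.append((off, "zeroed"))
        elif repeating_period(chunk) is not None:
            labels.append((off, "pattern"))
        else:
            labels.append((off, "data"))
    return labels


def wiped_runs(labels: list, min_blocks: int = 2) -> list:
    """Merge consecutive zeroed/pattern blocks into (start_offset, block_count)
    runs; runs of at least `min_blocks` are wipe candidates for review."""
    runs, start, count = [], None, 0
    for off, label in labels:
        if label in ("zeroed", "pattern"):
            if start is None:
                start = off
            count += 1
        else:
            if start is not None and count >= min_blocks:
                runs.append((start, count))
            start, count = None, 0
    if start is not None and count >= min_blocks:
        runs.append((start, count))
    return runs


# Constructed image: live text, three blocks of a 0x55/0xAA fill and one
# zeroed block (the kind of uniform fill a wiper leaves), then more data.
TEXT_LINE = b"Quarterly sales figures (constructed): Q1 1.2M, Q2 1.4M, Q3 1.1M\n"


def build_image() -> bytes:
    text = (TEXT_LINE * (BLOCK // len(TEXT_LINE) + 1))[:BLOCK]
    pseudo_random = bytes((i * 7 + 3) % 256 for i in range(BLOCK))  # high-entropy stand-in
    return (text
            + b"\x55\xaa" * (BLOCK // 2) * 3
            + b"\x00" * BLOCK
            + pseudo_random
            + text
            + text)


if __name__ == "__main__":
    image = build_image()
    for off, label in classify_blocks(image):
        print(f"{off:>6}  {label:8}  entropy={block_entropy(image[off:off + BLOCK]):.2f}")
    print("wipe candidates (offset, blocks):", wiped_runs(classify_blocks(image)))
```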

Forensic Experts

• If you are the plaintiff, you may find it advisable to
  obtain a forensic expert to collect and preserve
  evidence, for example, if a departing employee is
  suspected of copying computer files. Prompt
  work by a forensic expert can locate and
  preserve evidence that might otherwise be lost.
• A forensic image of a hard drive or other memory
  device will copy and preserve everything on the
  hard drive, including slack space, unallocated
  space, file fragments, and registry entries.
• A forensic expert can identify thumb drives and
  other external devices that were attached to the
  PC, and which may have been used to copy files.

Forensic Experts

• If you are the defendant, by all means get your
  own forensic expert if the plaintiff has one.
• In almost every instance, the plaintiff’s forensic
  expert will not tell you about anything that does
  not support the plaintiff’s case.
• A forensic expert can determine whether there
  were multiple users of the PC, whether files were
  changed after the defendant returned the PC to
  his ex-employer, whether files were accessed
  after they were created, whether the hard drive
  was accessed without a write-block before the
  forensic image was made, whether there was a
  virus, etc.

Special Thanks To:

Robert D. Young
Managing Consultant & Forensic Software Analyst
Johnson-Laird, Inc.
850 NW Summit Avenue
Portland, Oregon 97210-2816
(503) 274-0784

For Assistance in Preparing This Presentation
						