By David Stenhouse
If you are seeking a computer forensics expert to remove misappropriated files from locations they shouldn’t be as a part of a settlement agreement, please don’t hire me. I am going to make your job much more difficult than you thought and probably charge more than you estimated.
I know the above will not be remembered in the annals of great sales pitches. It is precisely how I feel about being asked to remove data from a person’s laptop computer, mobile devices, and/or Cloud storage. I do not enjoy doing the work because the task isn’t simple, and by the time I am done I may be perceived as someone who made the entire matter more complicated. I didn’t.
Here’s why.
For over two decades I have spoken on the subject of data replication. I have preached at law firms and legal seminars on how a simple Word document created by a single employee can end up in multiple locations and in multiple versions on their own computer. Making this scenario worse is when that same document is emailed, shared via links in a text message, saved on a flash drive, uploaded to Google Drive or a similar location, and/or saved on a co-worker’s computer’s desktop.
Data is hiding in more locations than it was in my earlier years in this field, and those locations are hard to acquire, let alone to surgically remove the requested data from. Just as a radiologist identifies problem areas by looking at images of a patient’s interior, the surgeon then uses that information to remove or repair the issue, hopefully. Two different people with different skill sets, using different tools. Although the surgeon knows where the problem exists by looking at the images, getting to it and eradicating it is an entirely different process altogether.
A Typical Scenario
An employee resigns from a long-time employer and takes up a position with a competitor or starts a competing business of their own. The employee somehow still has many of the former employer’s files in their possession, whether copied to portable electronic storage or transferred through the Internet. A computer forensics expert is hired by the former employer and finds evidence of the data now existing outside of the control of the company.
Legal personnel get involved, resulting in opposing sides coming to some type of agreement. Alternatively, an Order may have been issued requiring examination of the former employee’s devices. I may receive the former employee’s current laptop computer, portable storage media, and/or access to their Cloud accounts. This provides me unlimited access to see where the data left the former employer and to reveal where it may have ended up. I am given search criteria to seek out stolen documents and report to my client or both parties what I found and where it currently resides.
The opposing parties may also come to a final settlement that includes a task where the misappropriated data is to be completely wiped from the former employee’s devices currently housing that data. In other words, making sure the files taken are obliterated from the locations where they landed, preventing their future use by the former employee and new company. As an example, the Excel spreadsheet listing Company A secrets that now sits on a laptop at Company B needs to disappear, never again available to Company B.
In the eyes of opposing legal personnel and their clients, the hired expert may be the perfect person to perform this task. After all, the expert was the person that found the misappropriated data. Who better to remove it? At this point, it is best to remember that a computer forensics expert’s work centers around preserving evidence. Not destroying data.
This final task sounds relatively straightforward, and it may be simple with a single piece of storage media such as a flash drive. With multiple devices and storage locations, the scenario gets more complicated:
Problem No. 1 - You Are Never Going To Know
As noted before, data replicates. Even if the former employee doesn’t intend for that to happen, data ends up in places never thought of. In multiple cases, I have been asked to verify that I found all data that went out the door. I usually answer that request with “I won’t say that. Ever.” I have also been asked to verify that data never made it onto a device. Once again, I won’t ever say that. I just don’t know.
I never know if I have found everything, as it is difficult just to find records of data being copied to a simple USB drive that I know was connected to a laptop. And if I know three important files exist on that USB drive, that doesn’t mean those are the only files that exist, or ever existed, on that device. Yet, on the other hand, they truly may be the only files that ever existed on that device. I can make all sorts of assumptions in my head, but not when it comes to reports to the client or eventual testimony. Facts matter for verification.
A former employee may have copied files directly from a company-owned laptop computer to a flash drive, and the best I may come up with is that a flash drive was connected to the system. That may be it. Logs generally are not created on a computer showing exactly what is happening on the system (sometimes detailed logs do exist with third-party software and different operating systems). I have to surmise from a series of events that some type of user activity, such as copying or deleting data, occurred during a specific timeframe. When asked to remove files from personal devices used by a person who copied them onto their laptop computer, I am never going to be sure those files remained only on that device. The owner may have copied them to a new computer or uploaded them to a new Google Drive account, and I may never discover that activity.
This leads me to Problem No. 2:
Problem No. 2 - What happens during time gaps?
In many matters, I am given the former employee’s devices and access to all their storage, whether on removable devices or in the Cloud to be copied and immediately returned to the owner. These devices and/or storage locations may be their only tools for day-to-day business and my examination may take days or weeks.
Whatever the state of a device is when it arrived at my office, it is not going to change (or shouldn’t change much) by the time it is returned to the owner.
I will review my copies for what the client believes the former employee transferred and eventually provide my findings. These findings may be presented to the client in the form of a simple phone call, lists of items found, or file copies for the client’s review.
By the time I am requested to remove misappropriated data, a large gap in time has taken place. Remember, I returned the former employee’s devices and they have been using their device and accessing their Cloud locations daily. I have had more than one case where this gap has been almost a year.
While I have my original copies preserved on my system and in off-site archives, the original devices placed back into operation have been creating, modifying, moving, and deleting items from storage the entire time. When an agreement between the opposing parties is finally formulated and the devices returned to me for data removal, much has been changed. Like a 12-year-old nephew last seen at Thanksgiving in 2020, he’s now approaching 14 and barely recognizable in April 2022. This may warrant an entirely new forensic examination of the devices to see what has been happening to the misappropriated data since the devices were returned to the user. Did this person make copies on a new USB drive or upload them to a Dropbox account?
What new devices did that device connect with, changing those dates? Am I to now review what has happened to the original items I found? How far is this secondary review supposed to go, and at what point does its cost surpass the expense of the original examination?
Problem No. 3 - Types Of Devices And Cloud Locations
I was recently requested to remove text messages from a user’s iPhone. On the surface this seems relatively simple, as most users look at their iPhone messaging app and believe it is easy to do—just swipe to the left and hit the trashcan. That scenario is different from an expert’s perspective.
When I am reviewing a device as a part of a forensic examination, I am looking at a copy of the device created by a forensics tool capable of viewing the device in a sterile, more-viewable manner. What I extract from the cell phone cannot just be reversed and placed back with my tools. I am viewing a static copy.
However, when purging data from a user’s iPhone I am required to be operating the live device running its operating system and any native and/or third-party apps. This device is holding data on which the owner depends. I take that seriously and handle most devices as if I am defusing a bomb. It is nerve-racking. An iPhone can be replaced easily, but me destroying a text message from the owner’s spouse that should be preserved on that device? That is damaging to my reputation.
While I may be viewed as an expert at all things storing electronic data, in reality, I am human and fallible. I do not know how every device functions and stores data. I can learn, but it’s not easy on a live device that is not mine to begin with. As an added fun point, an iPhone is probably backing up to Apple iCloud, meaning that what is on the phone is probably copied into an iCloud backup. So when I finally clean off items from the iPhone, I need to delete any iCloud backups and then create a new backup—what if I mistakenly deleted items during my purge and only realize this after my work? That is just one scenario out of many I can think of at the moment.
How About Solutions To Alleviate These Problems?
I don’t like to be the provider of unsolvable problems to my clients. I like to be a problem solver. The scenario in Problem No. 3 resulted in me advising my client that I would not do the work in that manner. When I first attempted the process of removing the text messages, I immediately knew the task would be overwhelming. I was under a 36-hour clock that was obviously not adequate. I offered to find another expert who might have had more experience with the task. What I found is that my difficulties were common among others in my field. Making calls to four of my competitors resulted in three different responses:
The first wanted more than a week to do the work;
The second didn’t want to have to declare everything had been removed;
The third and fourth didn’t want the work.
So, calling around and shopping for ideas may not work for you. Instead, I have suggestions to consider that may make this whole scenario much easier to navigate:
Suggestion No. 1 - Include The Expert In Planning
Contact the expert who reviewed the device(s) (if a previous examination took place), as they are the most knowledgeable about how difficult it will be to remove the data and ensure it is gone. Also, the expert may not know exactly at that time what their own process will be, but they will know what you are expecting. While this sounds like a sales pitch, it is meant to make your life easier.
Let me make a revelation that should be obvious by now: I am not an attorney. I know the legal team has a much better view of their matter, what their customer expects, and how to apply my findings to their arguments. I am hired to feed them facts, data, and my opinions on those items. They take that information and run with it—knowing best how to use it.
However, now and then my clients bring back memories of working in an eDiscovery business where a salesperson had sold a large job. I would be sent the work for my team and asked the question, “you can do this, right? Because it needs to be done by next week”—two sentences that should not follow one another. Try to steer clear of similar conversations with your expert. Bring them into the planning by explaining your goal. And if you are worried about spending even more money on an expert to be a part of the planning process, at least make a short phone call to them and float your idea. A few minutes on the phone may save hours down the road.
Your expert may reveal to you that your desired process will not work, or have unseen holes that allow data to escape view. Or, they may inform you the process in place is going to take days while an alternate idea may cut it down to a few hours. If you are floating the idea to your expert, make sure they are the ones that will be doing the task—the person on the ground needs to give you a true report of the feasibility.
Suggestion No. 2 - Put The Onus On The Device Owner(s)
They are probably responsible for this entire scenario. While your expert tries to figure out how to surgically remove documents from the former employee’s device and storage locations, the person who triggered this process is waiting for the work to be done. Instead, give them a list of what was found in the examination, and then have them remove those items and all copies wherever they exist in their possession. And then instruct them to remove what was not found and shouldn’t be there.
This puts pressure on the former employee to do a thorough job. If they are truly hiding something, knowing a computer forensics expert will be auditing their task may entice them to be a bit more inclusive of what they remove, and at the same time discourage them from trying to be crafty in keeping data. When I am the first person to seek and remove data, the pressure is all on me to find everything and make sure it is removed. I have one shot and I will definitely put in much more time than I eventually bill because that is just how I am wired. I believe the device owner(s) should shoulder that burden.
Suggestion No. 3 - Destroy Everything (My Personal Favorite)
This is the nuclear option, but hear me out. Instead of remodeling a house that has numerous issues in hidden areas, sometimes it’s just best to pull out the belongings that are irreplaceable and then bulldoze the property. The love of the house’s “character” erodes quickly when faced with the actual costs of the work. Build a new house.
While this is a bit barbaric, it is much less expensive to replace devices than to have an expert surgically go through them. This obviously doesn’t work if the areas reviewed are a corporate network in a large company. Once again, put the responsibility on the person who caused this issue. Have them identify what shouldn’t be destroyed. Give them instructions to go through all of their devices and copy over to a new USB hard drive the items they want to keep. Most users want personal and/or administrative documents, photos, and videos secured—small in comparison to the entire universe of data.
Once this is completed, every device including the new USB device is handed over to me. Access to the Cloud locations, such as Gmail, Dropbox, and Apple iCloud is also provided.
I will once again make copies of everything that is provided. This is done prior to destroying data. Much like IT personnel that do not like to destroy that special backup, I make a copy just in case I later receive an email starting with “David, have you destroyed the items yet? If not, we have a few other files that need to be saved”—that has happened. My copies go to an off-site location, never to be handed back to the party that provided the devices to me, or my client. The copies are destroyed once the matter has finally closed with my company (maybe a year later).
I will review only the USB device for misappropriated data. The rest of the devices are wiped or reset to factory settings, and/or hit with a sledgehammer (I have done that many times). Cloud locations can be completely wiped out with passwords and secondary access reset by me so only I know the passcodes. The owner can set up new accounts and upload the data from the USB device once I clear that device and return it.
Data gone. Or to be more precise, data gone from where I knew it existed.
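To make the re-examination question in Problem No. 2 and the USB review in Suggestion No. 3 concrete, here is an added example (my own illustration, not the author’s tooling or any vendor’s product) that reconciles a hash manifest preserved from the original examination against a later snapshot of the same device, and screens the owner’s keep-list drive against those same hashes. All paths, file contents and hashes are constructed sample values.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: misappropriated files as found in the original examination,
# keyed by the path on the former employee's laptop (not from any real case).
ORIGINAL_CONTENT = {
    "C:/Users/jdoe/Documents/CompanyA_secrets.xlsx": b"companyA customer list v1",
    "C:/Users/jdoe/Desktop/pricing.docx": b"companyA pricing 2021",
    "C:/Users/jdoe/Downloads/roadmap.pptx": b"companyA roadmap",
    "C:/Users/jdoe/Downloads/contracts.pdf": b"companyA contracts",
}
# The preserved manifest: path -> SHA-256 of the file as it was when first found.
FINDINGS = {path: sha256(data) for path, data in ORIGINAL_CONTENT.items()}

# Constructed snapshot of the same laptop after months back in daily use.
CURRENT_CONTENT = {
    "C:/Users/jdoe/Documents/CompanyA_secrets.xlsx": b"companyA customer list v1",
    "C:/Users/jdoe/Desktop/pricing.docx": b"companyA pricing 2022 edited",
    "E:/backup/roadmap.pptx": b"companyA roadmap",
    "C:/Users/jdoe/Pictures/family.jpg": b"personal photo",
}

def reconcile(findings: dict, current: dict) -> dict:
    """Classify each originally identified file against the current snapshot:
    unchanged / modified in place / moved or copied (same hash, new path) / gone.
    Hash matching only catches byte-identical copies; an edited or re-saved file
    (the "modified" bucket) needs the original keyword search criteria again."""
    by_hash = {}
    for path, data in current.items():
        by_hash.setdefault(sha256(data), []).append(path)
    report = {"unchanged": [], "modified": [], "moved": {}, "gone": []}
    for path, digest in findings.items():
        copies = sorted(p for p in by_hash.get(digest, []) if p != path)
        if copies:
            report["moved"][path] = copies
        if path in current:
            bucket = "unchanged" if sha256(current[path]) == digest else "modified"
            report[bucket].append(path)
        elif not copies:
            report["gone"].append(path)
    return report

def screen_keep_drive(findings: dict, usb: dict) -> list:
    """Suggestion No. 3: flag anything on the owner's keep-list USB drive whose
    hash matches a known misappropriated file, regardless of its new name."""
    known = set(findings.values())
    return sorted(p for p, data in usb.items() if sha256(data) in known)
```

The "modified" and "gone" buckets are exactly the cases the hash manifest cannot settle on its own; they are where the secondary review, and its cost, begins.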
Final Thoughts
Try to address at least one of my suggestions above if this post describes your matter. When it seems as if the bulk of the computer forensics work was completed at the beginning of your case, the cleanup and removal of the misappropriated files may be only the halfway point in the expert’s work. Take the time to talk with your expert about your plans. Although the above may have discouraged many, think about where the misappropriated data resides and then ask the expert how difficult it will be to remove it. And then ask the expert about their thoughts about using your desired process and ensuring “everything” is gone. They may have a better method ready to go.
You can follow David on Twitter @dsforensics.
Quoted in Computerworld, Laptop Magazine, Businessweek, and other print and online news outlets, David Stenhouse brings 20+ years of computer forensics experience working with law firms and corporate clients. He is currently President of DS Forensics, Inc.
A former Special Agent in the U. S. Secret Service and Trooper with the Washington State Patrol, he is now so blessed to spend each day running a business with his best friend, high school sweetheart, and wife, Shay.