For better or worse, electronic data is at the heart of many legal investigations. Therefore, it is becoming increasingly important for lawyers to have a basic understanding of computer forensics including: - what computer forensics is and what types of things can a computer forensic expert do; - types of mistakes lawyers or IT professionals make that can corrupt, alter, or destroy evidence that is key to investigations; what types of electronic evidence exists; - ways to work efficiently and effectively with a computer forensic expert; and - when to consider hiring and how to choose a computer forensic expert as part of an investigation Learn more from Winston & Strawn and listen to the presentation here: https://www.winston.com/en/thought-leadership/computer-forensics-what-every-lawyer-needs-to-know.html.

1. Computer Forensics: What Every
Lawyer Needs to Know
Shannon Murphy
Dave Freskos
Raj Laud

2. Presenters
Shannon Murphy
White Collar, Regulatory Defense &
Investigation
Winston & Strawn LLP - Chicago, IL
stmurphy@winston.com
• Member of the firm’s Global Privacy
and Data Security Task Force.
• Handles litigation, investigations, and
advisory services, with a focus on data
security and theft of trade secrets.
• Received a certificate for passing the
Rochester Institute of Technology’s
Computer Forensics program
and is CompTIA IT Fundamentals
Certified
Dave Freskos
Senior Director, Digital Forensics &
Investigations
FTI Consulting, Inc. - Chicago, IL
David.freskos@fticonsulting.com
• Certified EnCase Examiner and
Cellebrite Physical Analyst
• Leads Chicago based forensics team
that specializes in uncovering IP theft
and supporting other high stakes
investigations.
• Regularly provides expert testimony
and written affidavits in support of
litigation matters.
Raj Laud
Deputy Chief, National Security and
Cybercrimes
Chicago, IL
rajnath.laud@usdoj.gov
• Supervises national security, cyber,
and intellectual property crimes cases
in the U.S. Attorney’s Office for the
Northern District of Illinois
• Opinions expressed are his own, not
those of the U.S. Attorney’s Office or
Department of Justice

3. Why Digital Forensics?

4. What Is Digital Forensics?
• Obtaining evidence from digital media in a defensible manner
• Proper preservation
• Carefully documented use of a variety of different techniques.
• No one, singular log provides all the answers
• Analysis of processes designed with the intent to help a device run more
efficiently, not produce evidence.
• Collection of seemingly non-related artifacts allow for examiners to build a
narrative around user activity.

5. Traditional Document Searches Forensic Analyses
• User-created documents
• Microsoft Suite, PDF, etc.
• Corporate Email
• File Shares
• Paper Documents
• USB Devices
• Internet History
• Event Logs
• Social Media
• Cloud Services
• Mobile Devices/Applications
• Volume Shadow Copies/Backups
• Personal Webmail
• Unallocated Disk Space
• Program Execution History
A Different Approach
5

6. 10 Things Every Lawyer
Should Know

7. Collect Broadly
• Where might evidence be located?
• Email
• Computers
• Phones
• External hard drives
• Security camera footage
• Keycard access logs
• Printer logs
• Server/database logs
• Extranet access logs
7

8. Maintain and Document Chain of
Custody
• Document collect
• Make, model, serial number
• When collected
• By whom
• From whom/from where
• Store securely
• Document any change in custody
8

9. Image the Device Before Any Review
• Do not take any steps to review a
device until a copy has been made
• Train “well-intentioned” IT personnel
9

10. What is a Device Image?
• Bit-for-bit copy of the
entire hard drive
• Hash value is generated as
the image is created
• Allows for integrity of the
image to be verified
• Ghost or similar enterprise IT
tools do not create a forensic
image.
10

11. Consider Whether to Turn a Device
On/Off
• Turning on or off a device can lose
or alter data, including potentially
key date/time stamps
• BUT, in some instances, turning off
the computer is the better option,
even though some data will be lost
11

12. “Deleted” Does Not Mean Nonexistent
• In-tact deleted files vs Overwritten
files.
• Ease of recoverability depends on file
state
• Forensic software can identify deleted
files and recover metadata associated
with the once active file
• Carving of unallocated space
• May allow of snippets of relevant data to
be recovered.
12

13. Deleted File States
13
Part of your hard drive is a file
system that lists where files are on
this track – here is where this track
starts and ends, etc.
File System: File System:
file001
file002
file003
Deleted, but data is
not removed from
the track
Upon deletion, space is only
marked as available. Data is
not removed from the track.
Data can still be pulled out.
File System:
file001
file002
file003
Data is physically
removed from
the track
Space is marked as available.
Data is removed from the track.
Active Files Deleting Files Wiping Files
file001
file002
file003

14. Computers Do Not Track Files Moved
to Other Devices
• Computers do not create a log of
files moved or copied
• “Artifacts” may be created
• Software programs can be used to
generate a list of files on external
storage (e.g. USB devices)
14

15. File Usage Artifacts
15
Link Files:
Link files are shortcuts to files you opened. They get
created by Windows and applications for a variety of
reasons, including to show you which files you opened
recently. Link files include information about where a file
was opened from (e.g. a USB device) and the file’s
metadata.

16. File Usage Artifacts
16
Jump Lists:
Metadata stored about folders and files that have
been recently accessed – including the most recent
time each file was opened and the file’s access,
creation, and modification date.

17. A List of External Devices Can Be
Created
• For Windows devices – a list of
every device plugged in with first
and last connection dates
• For Mac devices – a list of devices
plugged in within the last 30 days
17

18. Date/Time Stamps Are Not Gospel
• Documents have date time stamps
of certain events (created,
modified, last accessed)
• Computers keep many logs that
have dates and times of certain
events
• Dates/times are keyed off of the
internal clock – which can be
changed
• Intentional changes
• Changes due to lack of battery
18

19. Give Your Forensic Expert Case Details
• Computer forensic work is an
art
• Your computer forensic expert
needs background facts to
investigate
• How/where company stores data
• Key names and dates
• File naming conventions
• Information about remote access
19

20. Preventative Measures are available
• Use Data Loss Prevention
software
• Educate legal and IT teams to
communicate
• Data Governance
• Know where your valuable IP
resides and use managed
resources to secure
20

21. Hiring a Digital Forensics Expert
21
Complex analysis required, such as
showing misappropriation of corporate
data
May file a TRO or lawsuit
May need an affidavit
May refer matter to law enforcement
Need to ensure complete and
defensible preservation
Considerations
Counsel should engage to protect
privilege
Discuss and define the scope of work
But, realize the scope may change
Not all experts are the same
Engage as soon as possible
When

22. Questions?
22