Deliberate evidence tampering is becoming a serious problem in Ireland. As people become more aware of the potential of computer forensics, more and more culprits are taking action to remove, alter or disguise the data they leave behind them. Fortunately an experienced IT forensics specialist can usually identify tampering, and can often recover evidence even when it has occurred.
The problem
Our team was carrying out a routine electronic discovery assignment (where we retrieve data from computer systems for use in legal proceedings). One of the computers handed to us for data extraction showed signs of data tampering.
Computers are not very efficient in the way they store data on their hard drives. The drives are optimised for speed and not efficiency of storage; consequently, much useful material is left on the hard drives even after it has supposedly been deleted. It is this fact that underpins much of IT forensics.
An experienced IT forensics specialist will know where useful data is likely to accumulate. If this data is not present, it will indicate to such a specialist that measures have been taken to remove it.
In recent years we have seen increasing numbers of cases where data tampering has occurred. Forensics-based TV shows and recent high-profile cases have raised public awareness of the effectiveness of IT forensics in cracking cases, and it has become increasingly common to find computers where measures have been taken to disguise or erase data.
The solution
In the case in question, an “evidence eraser” program had been run, which had removed all the deleted material from the hard drive. Eraser programs are rarely fully effective, however, and a skilled IT forensics specialist can still find much useful information even when such an application has been employed. In this case we were able to recover remnants of Google searches, showing the computer’s user researching and selecting an evidence eraser program. We were also able to show the time and date when the program was run on the computer (a couple of days before the computer was handed over to us). Our client’s legal representatives were able to use this clear evidence of misconduct to negotiate highly satisfactory settlement terms in the case.