Latent Electronic Documents and Discovery

Jeff Lenning | January 28, 2014 | Comments Off

Latent electronic documents on computer networks can present problems for attorneys and their clients. These documents can be a problem for attorneys since they represent information their clients may not have realized existed. Old versions of documents, drafts, outdated revisions, and embedded comments typically do not accurately reflect the conclusions, and sometimes do not properly represent facts. These issues are magnified during electronic document discovery, especially when computer experts are called.

This article will:

Provide an understanding of the types of electronic records that may be recoverable from computer
networks;
Demonstrate how deleted documents aren’t actually deleted;
Tell you how to “shred” electronic documents.

Types of Electronic Documents
There are many types of electronic documents and records that are stored on computers and computer networks. In fact, a good IT Manager intentionally reduces the risk of lost electronic data by establishing backup procedures and server redundancy. In essence, a good disaster recovery program is designed to prevent data loss in the event of hardware failure or human error. What types of documents and electronic records are typically saved on computer networks, and are typically recoverable?

Drafts and old versions of documents (recoverable from backup media and utilities)
Website visitation history (recoverable from internet browser and utilities)
Usernames and passwords (recoverable from internet browser and other utilities)
Embedded comments (stored in the file): Many word processor applications allow for embedded comments (notations that are made in the electronic version of the file but which don’t print on the paper copy.) Many use this feature to collaborate with peers on documents. Even if a person turns the display of comments “off,” the comments are still retained in the electronic version of the document, and are thus easily recoverable.
Pretty much all email activity, including drafts, sent items, and deleted items (recoverable from email program, email server, or special utilities)
Instant Messenger (IM) conversations (recoverable from IM program or server)
Deleted files (recoverable from backup or forensic utilities)
Emptied recycle bin documents (recoverable from forensic utilities)
Files on backup archives: A well designed disaster recovery plan makes backups of files. It is important to understand that typically, backup routines are designed to permanently save files, and store them even after they have been deleted from the main server. That, after all, is the whole point of having a backup. Thus, it is important to understand that files and outdated versions of files may still exist on a backup archive somewhere, even though they were deleted, even shredded, from the main server or computer.
Files on portable devices (Blackberries, iPods, PDAs, Flash drives)
Files transferred to home computers and laptops
Files saved on hosted services (online backup, ftp, file sharing portals, extranet sites)
Cached historical versions of public websites

In essence, a good Network Administrator can track most user activity on the network.

See How a Deleted Document is not Actually Deleted
One common misconception relates to deleted files. Many computer users assume that when they “delete” a file, the computer complies and dutifully deletes the file. However, the computer does not delete the file; it simply hides the file and allocates that hard disk space as “available” for future files. Thus, with freely available utilities, one can quite easily recover deleted files. In fact, there is one remarkable utility disk that has numerous security and audit-related applications, which is available for free download, called Helix. The website address is http://www.e-fense.com/helix/

By way of demonstration, you will notice, in Figure 1 below, a file named “test delete.txt” that exists in the C:\Test folder.

Figure 1

Next, you will see that I have deleted the file and thus it is longer present in my Windows Explorer, as shown in Figure 2 below.

Figure 2

Running the Helix CD (or other similar utility) scans the hard drive and lists the deleted files, including our file “test deleted.txt”, as shown in Figure 3 below.

Figure 3

Since the deleted document appears within the file recovery utility, it is easily restored.

How to “Shred” Electronic Documents:

Analogous to paper document shredders, there are many utility computer applications that “shred” electronic documents making subsequent retrieval more difficult. As we discussed above, when a computer user deletes a file from within Microsoft Windows, the file is not actually deleted; rather, it is hidden and the space freed up for future files. A shredder application writes and rewrites to that hard drive space numerous times, making subsequent retrieval more difficult. Many shredder applications meet or exceed the media sanitization requirements of Department of Defense 5220.22-M.

Keep in mind that shredder applications are intended to be used during the normal course of business, and not once discovery begins or those documents are evidence. Additionally, these types of software utilities can’t completely remove files, only physical destruction of the hard drive (smelting, incineration, chemicals, etc) or degaussing the disk can.

One such available electronic document shredder is by PGP, and is bundled with their PGP Desktop product (pgp.com), which provides numerous other security utilities including email and file encryption, and whole disk encryption. Another such utility is the cipher program included with Windows XP.

Jeff Lenning CPA CITP is available for additional questions/comments at his Seal Beach based firm, Click Consulting, Inc. which provides network support and web application development.

Posted in