Computer Forensics: What Lawyers Need to Know

Some lawyers may believe that by obtaining a law degree, they would be free from needing to master technology; however, that is not the case. The key that unlocks many legal matters is electronic data—it can help you determine whether private customer data was compromised, prove that a former employee stole valuable trade secrets, or assess a potential spoliation claim. Thus, a basic understanding of computer forensics is becoming a necessary part of a successful legal practice. This article is a high-level, introductory guide to computer forensics for lawyers.

First things first: what is computer forensics?

Computer forensics generally refers to steps taken to collect and analyze digital data, such as what is found (or sometimes buried) in computers, phones, portable hard drives, and cloud storage locations. Computer forensics experts have specialized tools that allow them to analyze data that may not be displayed in plain text or that would not be responsive to search terms. This evidence may help piece together what actions a user took and when, such as, for example, when a user modified a file, downloaded wiping software, or attached an external hard drive to the computer.

What does a lawyer need to understand?

Below are 10 simple tips that every lawyer who collects or utilizes electronic evidence should understand.

1. A broad collection is key.

When preserving, collecting, and analyzing electronic evidence, whether in anticipation of litigation or as part of an investigation, think broadly. In addition to collecting devices like computers, phones, and hard drives, consider collecting security camera footage, key card access logs, printer logs, and server or database logs.

2. Keeping a collection record is important.

To minimize any dispute over the electronic evidence your computer forensics expert finds, make sure to keep a record of how and when each device was collected (e.g., document the time and place of collection), as well as the make, model, and serial number of the device. You should also document any time you transfer possession of the device; for example, when you hand the device over to your computer forensics expert for analysis. Documenting the chain of custody will be particularly important if your client wants to ultimately refer the matter to law enforcement.

3. Making a forensically sound image before anyone (even well-intentioned IT staff) does any investigation is critical.

An essential step in any computer forensics investigation is making an exact bit-for-bit copy (referred to as an “image”) of the source device. A computer forensics expert will be able to tell if the copy is an exact duplicate based upon a unique numerical identifier known as a “hash value.” This image needs to be made before anyone takes any investigative steps, because even seemingly innocuous actions can change data that exists on the device, thereby creating questions about whether the evidence can be trusted. The image should also be made using a “write-blocker,” which prevents any changes (or “writes”) to the device. This technology is not often part of a standard corporate IT team’s toolbox, and if it is not used when making a copy of a drive, the validity of the evidence can be called into question.
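The following is an added illustration of what the hash comparison in tip 3 actually does; it is not code from the article or from either author's firm. A SHA-256 hash is computed over the source and over the image, and the image is accepted only if the two digests are identical. The "drive" here is a constructed byte string standing in for a real block device, and the one-byte edit simulates the kind of timestamp update an operating system performs when a machine is booted before imaging; both are assumptions for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string (the 'hash value' of a small source)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so an image far larger than RAM can still be verified."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(source_hash: str, image_hash: str) -> bool:
    """An image is forensically sound only if its digest equals the source digest exactly."""
    return source_hash == image_hash


# Constructed sample 'drive' contents (assumption); a real source is a block device.
SOURCE_DRIVE = b"NTFS    " + bytes(range(256)) * 4 + b"last-login=2019-01-05T09:12:00Z"


def demo() -> dict:
    """Image the constructed drive twice: once untouched, once after a 'boot' touched one byte."""
    source_hash = hash_bytes(SOURCE_DRIVE)

    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.dd"
        image.write_bytes(SOURCE_DRIVE)            # bit-for-bit copy
        good_hash = hash_file(image)

        # Simulate the OS updating a timestamp on the source before it was imaged:
        # a single byte changes, and the digest no longer matches.
        touched = bytearray(SOURCE_DRIVE)
        touched[-2:] = b"1Z"                         # '...09:12:00Z' -> '...09:12:01Z'
        image.write_bytes(bytes(touched))
        bad_hash = hash_file(image)

    return {
        "source": source_hash,
        "copy_matches": verify_image(source_hash, good_hash),
        "touched_matches": verify_image(source_hash, bad_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The chunked reader is the part worth keeping: drive images run to hundreds of gigabytes, and the same digest must be recomputed each time the image is transferred or opened, so it is hashed in a stream rather than loaded whole. The examiner's report should state the algorithm and both digests, because the match is only meaningful if a later reader can recompute it.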

4. Merely turning a computer on or off can lose evidence.

Even the simple step of turning a computer on can manipulate and change important data. For example, Windows alters hundreds of files, including updating logs and writing over data, every time a user boots up the system. Turning a computer off can also have problematic consequences, because data that is stored in temporary memory, called RAM, will be lost. Therefore, you should consult a computer forensics expert before even turning a device on or off if you believe the device may contain evidence. Another good practice to follow is to have IT disconnect the computer from the company network as soon as possible to prevent any remote connections or any additional syncing with the network.

5. A “deleted” file may still exist.

If a user tried to cover his or her tracks by deleting a file, the file may not be gone forever. First, it may still be in the trash. If the user deleted the file from the trash, it may still exist in what is called “unallocated space” if it has not been written over. Importantly, if there are no deleted files in the unallocated space, that can be evidence that the user re-installed the operating system or wiped the device, which can be valuable evidence itself.
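As an added example (not from the article or the authors' firms) of why a deleted file can still be recovered, the toy disk below keeps a file table and an allocation bitmap separate from the raw bytes, which is how ordinary filesystems behave: deleting a file drops its directory entry and frees its blocks, but the bytes stay on disk until something overwrites them. The carving routine scans only the unallocated blocks for a known header and footer. The 64-byte block size, the file names and the PDF-like content are all constructed for the demonstration.

```python
BLOCK = 64  # constructed block size; real disks use 512-byte sectors and larger clusters


class ToyDisk:
    """A tiny disk: raw bytes plus an allocation bitmap and a directory (file table)."""

    def __init__(self, blocks: int) -> None:
        self.data = bytearray(blocks * BLOCK)   # raw bytes; delete never clears these
        self.allocated = [False] * blocks       # one flag per block
        self.directory = {}                     # file name -> list of block numbers

    def write_file(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // BLOCK)      # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, blk in enumerate(free):
            chunk = content[n * BLOCK:(n + 1) * BLOCK]
            self.data[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
            self.allocated[blk] = True
        self.directory[name] = free

    def delete_file(self, name: str) -> None:
        """Ordinary delete: forget the name, free the blocks, leave the bytes in place."""
        for blk in self.directory.pop(name):
            self.allocated[blk] = False

    def wipe_free_space(self) -> None:
        """What wiping software does: overwrite every unallocated block."""
        for blk, used in enumerate(self.allocated):
            if not used:
                self.data[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)


def carve_unallocated(disk: ToyDisk, header: bytes, footer: bytes) -> list:
    """File carving by signature over unallocated space only (allocated files are ignored)."""
    free_bytes = b"".join(
        disk.data[blk * BLOCK:(blk + 1) * BLOCK]
        for blk, used in enumerate(disk.allocated) if not used
    )
    found, pos = [], 0
    while True:
        start = free_bytes.find(header, pos)
        if start < 0:
            break
        end = free_bytes.find(footer, start)
        if end < 0:
            break
        found.append(free_bytes[start:end + len(footer)])
        pos = end + len(footer)
    return found


# Constructed sample content shaped like a small PDF (header and footer markers only).
SECRET = b"%PDF-1.4\nCustomer list: acme, globex\n%%EOF"


def demo() -> dict:
    disk = ToyDisk(blocks=16)
    disk.write_file("notes.txt", b"meeting at 10")
    disk.write_file("customers.pdf", SECRET)
    disk.delete_file("customers.pdf")           # gone from the directory...
    after_delete = carve_unallocated(disk, b"%PDF", b"%%EOF")
    disk.wipe_free_space()                      # ...and now gone from the bytes too
    after_wipe = carve_unallocated(disk, b"%PDF", b"%%EOF")
    return {
        "directory": sorted(disk.directory),
        "after_delete": after_delete,
        "after_wipe": after_wipe,
    }
```

The second result is the one the article's last sentence is about: free space that carves to nothing on a drive that has seen years of use is itself a finding, because ordinary use leaves deleted remnants behind and only reinstallation or deliberate wiping removes them.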

6. Use of external devices can be determined.

Some devices, such as external hard drives (e.g., USB devices), leave behind clues (on the machine they were connected to) of what the user did. A computer forensics expert generally can generate a list of the USB devices the user connected. For Windows devices, the expert can create a list of every device plugged in, including the first and last dates on which each device was plugged in. For Mac computers, the expert can often generate a list of the devices plugged in within the last 30 days. Often, both on Windows and Mac computers, it is even possible to find out the make, model, and a serial number of each device.

7. There is no log kept of files copied or moved to external devices.

Often, finding out what files a user moved to an external device is important evidence, especially in cases of suspected trade-secret theft. Many clients think that a computer forensics expert can just print a report of all files transferred; however, no such list exists. But, if the user copied a file from his or her Windows computer to an external device, like a thumb drive, and then opened the file on that device (such as to verify that the copying worked), a shortcut file known as a “lnk” file would be created on the computer and can be analyzed. In addition to lnk files, it may be possible to piece together other pieces of evidence to show the movement of files. Therefore, analyzing whether a user moved documents off of a computer is possible, although it is more complicated and nuanced than many people realize.
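To show what an examiner actually reads out of one of these shortcut files, the added example below (not code from the article or from either author's firm) builds a minimal constructed .lnk byte string following the public MS-SHLLINK layout, a 76-byte ShellLinkHeader followed by a LinkInfo block carrying a VolumeID and a local base path, and parses it back. The parser returns the target path, the target's own timestamps, the drive type (2 is DRIVE_REMOVABLE) and the volume serial number, which is what ties the shortcut to a specific removable volume and, together with the device list from tip 6, to a particular thumb drive. The target path, serial, volume label and timestamp are constructed values; real shortcuts normally also contain an item ID list and trailing extra data blocks, which this parser skips past or ignores.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # ShellLink class id
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86_400_000_000 + d.seconds * 1_000_000 + d.microseconds) * 10


def cstring(blob: bytes, start: int) -> str:
    """Read a NUL-terminated ASCII string starting at offset start."""
    return blob[start:blob.index(b"\x00", start)].decode("ascii")


def build_lnk(target: str, drive_type: int, serial: int, label: str, written: datetime) -> bytes:
    """Assemble a minimal shortcut: header + LinkInfo(VolumeID, LocalBasePath, CommonPathSuffix)."""
    ft = utc_to_filetime(written)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, HAS_LINK_INFO,
                         0x20, ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_path = target.encode("ascii") + b"\x00"
    suffix = b"\x00"
    vol_off = 28                                   # LinkInfoHeaderSize for the basic layout
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix), 28,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base_path + suffix


def parse_lnk(blob: bytes) -> dict:
    """Extract the target path, target timestamps and volume details from a shortcut."""
    size, clsid, flags, _attrs, ctime, atime, wtime = struct.unpack_from("<I16sIIQQQ", blob, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {
        "target_created_utc": filetime_to_utc(ctime),
        "target_accessed_utc": filetime_to_utc(atime),
        "target_modified_utc": filetime_to_utc(wtime),
    }
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the item ID list if present
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:
        _li_size, _hdr, li_flags, vol_off, base_off, _net, suffix_off = \
            struct.unpack_from("<IIIIIII", blob, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = off + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<IIII", blob, vol)
            info.update(
                drive_type=DRIVE_TYPES.get(drive_type, f"other({drive_type})"),
                drive_serial=f"{serial:08X}",
                volume_label=cstring(blob, vol + label_off),
                target_path=cstring(blob, off + base_off) + cstring(blob, off + suffix_off),
            )
    return info


def demo() -> dict:
    # Constructed values: a file opened from a removable volume on 2019-03-14 (assumption).
    when = datetime(2019, 3, 14, 17, 42, 5, tzinfo=timezone.utc)
    blob = build_lnk(r"E:\Projects\schematics.dwg", 2, 0x1A2B3C4D, "KINGSTON", when)
    return parse_lnk(blob)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter for the article's point. The timestamps in the header belong to the target file, not to the shortcut, so the shortcut's own filesystem timestamps are what show when the user opened it. And a removable drive type with a volume serial number is only circumstantial until matched against the device history on the machine, which is why the expert combines several artifacts rather than relying on one.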

8. Date and time stamps are not gospel.

Piecing together a timeline of events is often key to any investigation or litigation. Therefore, time stamps associated with files, such as those showing when files were created or modified, will be important. Because the time stamps are based on the computer’s internal clock, you need to make sure you know what time zone the clock is set in and whether there is any evidence that the clock was changed. In fact, some malicious actors try to cover their tracks by changing the clock multiple times. Make sure you confirm with your computer forensics examiner what time zone was used when generating any reports for you.
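The added example below (not from the article or the authors' firms) works through both halves of tip 8 on a constructed event log. Each record carries a sequence number, which the operating system only ever increases, and a local-time stamp taken from the machine's clock. The code normalizes every stamp to UTC using the machine's configured offset, renders the same events in a second zone to show how a report's time zone changes every printed time, and flags any record whose stamp is earlier than the record before it, which is the simplest sign that the clock was set back. The events, the machine offset (US Central standard time) and the reporting offset are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed records: (record number, local time as the OS wrote it, description).
# Record numbers only increase; the clock does not have to.
RAW_EVENTS = [
    (101, "2019-01-07 08:59:10", "logon"),
    (102, "2019-01-07 09:03:44", "usb device attached"),
    (103, "2019-01-07 09:05:02", "file customers.xlsx opened"),
    (104, "2019-01-06 21:05:30", "file customers.xlsx modified"),   # earlier than 103
    (105, "2019-01-07 09:06:11", "system time changed"),
    (106, "2019-01-07 09:07:00", "logoff"),
]

MACHINE_TZ = timezone(timedelta(hours=-6), "CST")   # assumed clock setting of the machine
REPORT_TZ = timezone(timedelta(hours=-5), "EST")    # assumed zone the report is written in


def normalize(raw, machine_tz) -> list:
    """Interpret each local stamp in the machine's zone and convert it to UTC."""
    events = []
    for rec, local_str, what in raw:
        naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S")
        utc = naive.replace(tzinfo=machine_tz).astimezone(timezone.utc)
        events.append({"record": rec, "utc": utc, "what": what})
    return events


def render(events, report_tz) -> list:
    """One line per event, in the report's zone, with the zone named on every line."""
    return [
        f"{e['record']} {e['utc'].astimezone(report_tz):%Y-%m-%d %H:%M:%S %Z} {e['what']}"
        for e in events
    ]


def find_clock_anomalies(events) -> list:
    """Pairs of consecutive records where time went backwards, with the size of the jump."""
    anomalies = []
    for prev, cur in zip(events, events[1:]):
        if cur["utc"] < prev["utc"]:
            anomalies.append((prev["record"], cur["record"], prev["utc"] - cur["utc"]))
    return anomalies


if __name__ == "__main__":
    evs = normalize(RAW_EVENTS, MACHINE_TZ)
    print("\n".join(render(evs, timezone.utc)))
    print("\n".join(render(evs, REPORT_TZ)))
    for before, after, gap in find_clock_anomalies(evs):
        print(f"clock moved back {gap} between records {before} and {after}")
```

Sorting such a log by timestamp would silently hide the anomaly, which is why the check walks the records in sequence order instead. When the examiner's report and a witness's e-mail disagree by exactly one hour, the first thing to check is whether they were rendered in the same zone.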

9. Virtual machines may be hiding evidence.

It is possible for a user to essentially set up a computer within a computer so that he or she can run an operating system and applications covertly. This is referred to as a “virtual machine.” While virtual machines have many common and non-nefarious uses, a bad actor could use a virtual machine to bypass security measures. For example, if a company has disabled its employees’ ability to use external storage devices, an employee may still be able to use such a device—and covertly move files to such a device—if he or she installs a virtual machine. Therefore, you should ask your forensics expert whether there is any evidence that the user installed any virtual machines.

10. Your computer forensics expert needs background information.

Your computer forensics expert needs to know the factual background of your case to be able to determine the best places to look for evidence and whether other data points might be relevant. For example, it can be helpful for the expert to know key names, dates of relevant events (e.g., the date that an employee was terminated), names of important files, file naming conventions used by the company for types of important files, what types of files may be important (e.g., pictures, schematics, Word documents), and whether the company allows its employees to use cloud storage services or to remotely access company data. Therefore, you should treat the forensic expert as part of the investigative team and give the expert an understanding of the circumstances, background facts, and high-level legal strategy to allow the expert to effectively mine the electronic data for clues and evidence.


If you use these tips, you will be able to work more efficiently and effectively with your computer forensics expert, and, together, maximize your chance of finding evidence and improve your ability to skillfully utilize it to build (and hopefully win) your case.


Shannon Murphy is a litigator, investigator, and data protection attorney at Winston & Strawn LLP. As a member of the firm’s Global Privacy and Data Security Task Force, she deploys computer forensic knowledge, theft of trade secret expertise, and a decade of criminal justice experience to counsel clients and protect their interests, with a focus on protecting valuable corporate data.

David Freskos is a Senior Director in FTI Technology’s Chicago-based Digital Forensics & Investigations Practice. David provides expert computer forensic and e-discovery consulting services to legal teams in support of high-stakes Intellectual Property (IP) theft investigations, government investigations, litigation, and all other types of matters. Additionally, David specializes in the collection and in-depth analysis of data from mobile devices, social media, and cloud-based storage.
