Bunting Digital Forensics, LLC
Digital Forensic Examinations
Spoliation - Bunting Digital Forensics, LLC
Bunting Digital Forensics, LLC Spoliation Examination services are among the best you can find in the industry. As a forensic examiners, we have been looking for deleted or altered data from the beginning of our careers. Finding such as part of eDiscovery is simply an extension of what we've been doing for years.
Spoliation is "the intentional destruction of evidence and when established, [the] fact finder may draw [an] inference that [the] evidence destroyed was unfavorable to [the] party responsible for its spoliation,” as cited in 342 Ark at 146, 27 S.W.3d at 388 (quoting BLACK'S LAW DICTIONARY 1401 (6th ed. 1990) (content in brackets inserted by the court)). Whenever a party to litigation intentionally destroys, alters, or hides evidence in a forthcoming litigation, they have committed the act of spoliation. Minimally, the aggrieved party is permitted to infer the deleted evidence was damaging to the party destroying. Sometimes the penalties are far worse, including a ruling in favor of the aggrieved party.
Spoliation is a very serious matter and when the spoliation involves ESI or digital evidence, you need a computer forensics expert on your team, one that knows how to locate and establish evidence of spoliation. Steve Bunting has written the book on computer forensics. He has authored a series of articles on spoliation forensic examinations for Macintosh systems and Windows systems, a two-part series, soon to be published in eForensics Magazine.
Some users can be quite blatant in their spoliation efforts and others can be quite sneaky. Often they simply install one of the various evidence removal software packages that are available for their platform (Windows, OS X, Linux, etc). Naturally these products leave footprints everywhere, leaving behind artifacts indicating when they were installed, their settings, etc. When installed shortly after the point when the duty to preserve attaches, such an act alone is indicative of the intent to destroy evidence. Of course once you've destroyed evidence you are left holding the instrumentality of the destruction in your hand. How do you do to rid yourself of that evidence? Install yet another evidence removal product? If so, what next when you are done with that product? And so the folly goes....
Others, as previously mentioned, are much more covert or sneaky in their evidence destruction endeavors. Often they will use tools built into the operating system. For example, on a Mac, a simple "srm" at the command line will not only erase its target item or items, but do so with a 35-pass wipe, by default. This five times the amount required for a DOD wipe and, again, the default setting. Fortunately such commands linger behind as evidence in the shell history file on Macs and Linux machines, but only for the skilled examiner who understands the various means of data destruction and where those trace artifacts reside. Once found, such evidence is damning proof of spoliation.
Once the proof of spoliation begins to accumulate, it often snowballs into a mountain of evidence. It places the offending party into a precarious legal predicament. In addition to having destroyed evidence, they also find that they have signed sworn statements to the court, attesting to full and complete disclosure of all evidence subject to discovery. Effectively, they have lied to the court and perjury charges become a possibility, depending on just how egregious their conduct in the eyes of the court. They have started down a slippery slope, lost all footing, and are careening downhill out of control, at full speed. That's bad for them, but usually good for you.
Once again, if you are facing a potential spoliation case, you need much more than an eDiscovery shop. You need a skilled forensic examiner. One who can ferret out spoliation evidence in a variety of platforms and devices. Even mobile devices can hold evidence of spoliation, as can their backups on computers and the cloud. We do mobile device forensics as well, including JTAG and chip-off.
We've also seen lots of Mac computers, of late, involved in digital rights litigation. It seems those who illegally download movies like Macs. That's good because we really enjoy doing forensic exams of Macs!
Not only do we ferret out evidence of spoliation, on the other side of the coin, we are called upon to defend those who are wrongfully accused of spoliation. Yes, it happens that sometimes data is misinterpreted, overlooked, or even contrived, with the net result being that a party to litigation is wrongfully accused of spoliation. When that happens, we can help.
If you are litigating a case where spoliation by the other party is suspected or you are wrongfully accused of spoliation, get a forensic expert on your side right away. Don't delay as valuable evidence can be lost just by waiting. Please contact Steve right away and we can discuss your options and develop a plan of attack.