Law around the subject of electronically stored information (ESI) and computer forensics is ever-evolving. In a lawsuit, it’s treated just like paper documents. If you shred or burn the paper evidence, you’re in trouble – and if you’re caught deleting or wiping electronic evidence, you’re in the same boat.
But in some cases, it can be easier to get busted for destroying ESI, both because electrons have a way of proliferating as digital copies of files and pictures and documents, and because the process of destroying data usually leaves detectable digital traces.
Just yesterday, a fellow (I decline to call him a gentleman) called me up to ask if he could consult with me on an hourly basis about how to destroy data (evidence) on his computer for an upcoming potential divorce. I actually found myself offended and explained to him (trying to keep the disdain from my voice) that destroying evidence is the exact opposite of the service I offer.
We don’t wreck evidence – we find it.
I further suggested that he might want to look into the Federal Rules of Civil Procedure, Sections 26 & 34 and how they apply in his state. I told him that I am not an attorney (and so can’t advise him on law), but that if he went about destroying evidence, the judge in his case could sanction him in a way that could be devastating to his side of the lawsuit.
But I could be wrong. While there is generally a requirement under common law to preserve evidence, and while some judges will take unkindly to the destruction of any potentially relevant evidence, others have held to a deadline of 20 days after a complaint is filed, or not until the party is served with court papers. This guy hadn’t yet been served, although his interest in the destruction of data would lead a reasonable person to infer that there was something on that computer that would lead his wife to start the process!
In more than twenty years in the computer forensic business, we’ve found that people rarely manage to erase all traces of a file, or of their acts of destruction of files. When a file is deleted, it just remains sitting there for someone with the proper tools and skill set to uncover it. It’s not gone until it has been overwritten by something else. There are utilities designed to overwrite files in order to completely get rid of them, but often references to the file remain in an old directory, the Master File Table, or in shadow volume automated backups. The file-destroying software usually leaves tracks of itself having been used, and may even provide the forensic investigator a log of its activities.
Even if the file is completely overwritten and its attendant directory entries, etc “sanitized,” many files, such as MS-Word, make Autorecovery backup copies while the user is typing away. These are deleted when the user closes his document, but as we have seen, what’s deleted is not gone. Such remnants can be valuable evidence.
So these kinds of activities are detectable and the intended target of data destruction may survive the efforts. Then of course, there is the question of ethics. Even if, in some jurisdictions, the destruction of data before certain other documents are filed is not prosecuted, the idea of destroying evidence and/or lying about it is reprehensible and is certainly unethical.