Tag Archives: Spoliation

Solid State, Spoliation, Stochastics, Schrödinger’s Cat & Wyatt Erp

Last year, I was presenting at the Calbar Solo Summit and the issue of gleaning evidence from solid state drives (aka SSDs) came up.  From a technological standpoint, SSDs are highly efficient; from a forensics standpoint, they can be a nightmare.

The problem one faces with being queried about this issue is that it results in a very common answer I have to give when faced with a one-hour presentation and little time to explain: it depends.  Of course, on this blog, I’m not time-constrained.  Furthermore, I don’t re-invent the wheel when others have so elegantly explained the issue.

But, for a basic overview, let’s break down the data recording patterns into three possibilities:

  1. Random data is written to an open area.  When data is marked for deletion, it is not deleted immediately, but in the future, when a need arises to utilize that space.
  2. New data is written to an area containing existing data that is marked for deletion, thereby overwriting that data.
  3. Data marked for deletion is actually erased, then other data is written to the same area at a future time.

If you asked most people what happens when they record something on magnetic tape, most believe that there’s simply one ‘head’ that records onto the tape while simultaneously recording over anything that already exists on the tape.  Not so.

This is where “ERP” comes in.  It’s just a simple mnemonic that stands for “Erase”, “Record” and “Playback”.  There are actually three separate heads, in that order, so when the tape passes over them, the first head erases any data, then the second head records new data.  In playback mode, obviously, the other two heads are bypassed and the playback head is used.

The reason I mention it is that most people also believe that deleting data on a drive is instantaneous, when normally, as illustrated by the examples above, it is not.  However, SSDs are closest to that process through an operation called ‘self-corrosion’.  Very soon after data is marked for deletion, that data may be gone; and I mean, really gone and unrecoverable.

Add that to the long list of challenges faced by data forensic investigators.
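
The three recording patterns listed above, and the effect of ‘self-corrosion’ on what an examiner can recover, can be seen in a toy model. This is an added example, not part of the original post; `ToyDrive` and its methods are hypothetical names, the file contents are constructed, and the model assumes only that a drive either leaves marked data in place or erases it in the background.

```python
# Toy model, constructed for illustration; not how any real drive is implemented.
class ToyDrive:
    def __init__(self, pages, background_erase):
        self.pages = [None] * pages    # raw physical contents of each area
        self.live = {}                 # file name -> area index
        self.stale = set()             # areas marked for deletion, not yet erased
        self.background_erase = background_erase

    def write(self, name, data):
        free = [i for i, p in enumerate(self.pages) if p is None]
        if free:                       # pattern 1: use an open area
            idx = free[0]
        elif self.stale:               # pattern 2: overwrite a marked area
            idx = min(self.stale)
            self.stale.discard(idx)
        else:
            raise RuntimeError("drive full")
        self.pages[idx] = data
        self.live[name] = idx

    def delete(self, name):
        self.stale.add(self.live.pop(name))   # marked only; bytes stay in place

    def idle(self):
        if self.background_erase:      # pattern 3: drive erases marked areas itself
            for idx in self.stale:
                self.pages[idx] = None
            self.stale.clear()

    def carve(self):                   # deleted data still readable from raw areas
        return sorted(self.pages[i] for i in self.stale)


def recoverable_after_delete(background_erase):
    d = ToyDrive(pages=4, background_erase=background_erase)
    d.write("memo.txt", b"quarterly memo")
    d.write("mail.pst", b"internal e-mail")
    d.delete("mail.pst")
    d.idle()                           # time passes before the examiner arrives
    return d.carve()

def recoverable_after_overwrite():
    d = ToyDrive(pages=2, background_erase=False)
    d.write("a", b"old draft")
    d.delete("a")
    d.write("b", b"report")            # open area still available: old draft survives
    before = d.carve()
    d.write("c", b"new draft")         # no open area left: marked area is overwritten
    return before, d.carve()
```

With `background_erase=False` the deleted file is still recoverable after idle time; with `background_erase=True` nothing is left to carve.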

News of the World Buries the eDiscovery Lede: Spoliation

For those who aren't familiar with the term, "burying the lede" refers to an article that fails to express the most important issue in the 1st sentence or paragraph.

Obviously, by now you've heard about the News of the World phone-hacking scandal.  If you're an eDiscovery professional, then you'll find the lede buried all the way in paragraph nineteen:

"On Saturday, the Guardian newspaper, which has led the reporting on the scandal, said Scotland Yard was investigating evidence that a News International executive may have deleted millions of internal e-mails to obstruct the phone-hacking probe. The company denies the allegation." [italics/bold added]

If the allegation turns out to be true, I only have one question.  When will they ever learn?

e-Evidence Insights: A Good Senator, Spoliated.

…with deference to Mark Twain…

Recently-former-Senator John Ensign's (R-NV) affair and alleged attempts to cover it up would normally be fodder for the press – and I'd take little notice of it.  However, with the release of the Senate Ethics Committee Panel report, we find this:

"The report also accuses Ensign of deleting documents and files the committee was likely to request. The senator deleted the contents of a personal email account after the investigation was launched, it says." [italics added]

And this:

"The committee's report describes Cynthia Hampton as running up $1,000 in phone bills by texting Ensign while he was traveling in Iraq with a congressional delegation."

I want to distinguish between the first quote and the second.  The former is clearly in the realm of relevance (save for an attempted-but-likely-futile privilege argument against access to his personal email account), but the latter is an example of how 'beside-the-point' ESI becomes relevant.  The affair may be morally wrong, but texts between the two players are private – or at least they would be, except for the likelihood that access to them might lead to relevant evidence that would tend to prove or disprove a material fact.  Examples?  Did they conspire to cover up the affair through means that would be deemed improper?  Plus, who paid the phone bill?

This is how your personal cell, PDA or email account ends up in the hands of your adversaries.  You're not immune.

What do you think the odds are that Sen. Ensign knew, or should have known that destroying evidence after learning of an investigation is at best sanctionable conduct and at worst, a crime?

This is how destruction turns into obstruction.  Time to call "Aunt Judy"…or Judge Judy…