My article about InterCity Telecom Ltd and Anor v Solanki was headed A failed attempt to overwrite stolen company data and told the story of a senior salesman who stole his employer’s sales data for his own benefit and that of its competitors.
Among the data recovered on discovery was a USB drive which apparently contained only music. Examination by a forensic expert showed the that the drive had been used previously for copies of the stolen data. That which was recovered from the drive formed much of the evidence against the defendant.
That article has, perhaps inevitably, drawn comment from a couple of forensic experts, both of whom seized on the difference between “deleted” and “overwritten” data.
Chris Caul of Visa Europe wrote:
I wouldn’t agree that it is almost certainly possible to recover overwritten data. Deleted data yes, but when a file is overwritten and you are looking at the same sectors that the file had occupied you are normally looking at the file that has overwritten it, not the original file. Perhaps the analyst in this case recovered deleted files or the remains of partially overwritten files. Also, the defendant wasn’t wrong to say in his affidavit that the memory stick had been used to store music. It states in Para (t) that it did – he just ‘forgot’ to mention the other files that shouldn’t have been there! Otherwise, an interesting write-up to a fairly common job for forensic analysts.
Nigel Crockford, also of Visa Europe, wrote:
The problem here is a non-technical person confusing the very important difference between ‘Deleted’ and ‘Overwritten’. From what I have read, there was no attempt made to overwrite the offending data. Once you realise we are talking about deleted data this becomes a fairly run of the mill DF job.
Their points are important ones and draw attention to the need to involve someone who is truly expert in forensics when it becomes necessary, as it often does, to make a comprehensive search through discovered data sources.
I gave the same answer to both of them in the following terms:
Perhaps it would have been better if I had simply said that people should not assume that attempts to remove or conceal electronic data will be successful, leaving the distinction between methods open. My main object, as you know, is to drive lawyers to at least think about instructing a forensic expert. The difference between methods of concealment only matters if anyone thinks to check.
So when is it right to seek the advice of a forensic expert? The answer is the usual and unhelpful-sounding “it depends”. There are cases where it is quite obviously a waste of time and money, and there are cases where the least technical lawyer will see that help is needed. Our old friend proportionality comes into play here, in the form of the question “Am I likely to find anything of value which justifies the expense of looking for it?”, together with its corollary “Am I negligent if I don’t?”.
Two examples may help. I once came across a solicitor who, without being particularly technical, decided that a laptop might hold more than appeared superficially. He sent it for forensic examination and, for £1,500, extracted information which won his case. Whether £1,500 is worth spending will clearly vary with the case, and the cash value of the claim is not the only factor (save in relation to recoverable costs where, as we now know if we didn’t before, work may be necessary without being proportionate; even then there are matters whose importance is not measured in cash terms).
The other example involved a single document; if it was actually created on the date alleged by the other side then the case was lost; if it could be shown that it was created afterwards then the case was won. My caller had no idea what the likely costs were of examining the document, but had not thought of simply ringing one or two forensic experts and asking them for an estimate of the costs. You would do that with everyone else from a barrister to a decorator. Why not with a forensics expert?