Friday, December 25, 2009

Divorce and Computer Evidence

Today, we live in an expanding digital world. On any given day, many people use a myriad of digital equipment to process, store and send data. Digital tools that are commonly used may include, without limitation:

Desk top computers

Laptop computers

personal digital assistants (PDA) which act as electronic organizers or day planners that are portable, easy to use and capable of sharing information with your PC.

Cell Phones;

TIVO (which can be modified to store data);

Digital Cameras.

These devices offer a rich source of information which often overlooked in divorce proceedings. Any of these digital databases may be forensically examined as part of the divorce discovery process. This may involve making a mirrored copy of hard drives, examining stored data or recovering deleted information.


Clearly, such a forensic analysis can be an indispensable tool in high conflict divorce cases where there is a suspicion of wealth transfers or to locate proof of infidelity or other fault based conduct. Information obtainable may include:


(1) e-mail messages;

(2) instant messages;

(3) user names; passwords;

(4) names and addresses of financial institutions;

(5) asset transfers;

(6)fund transfers;

(7) debt information;

(8) account activity;

(9) monitoring activity including creating chronological timelines for computer program use;

(10) recovering deleted, encrypted, or damaged file information.


It is important to remember that deleted information is never truly deleted. Even formatting the hard drive of a computer does not erase stored date and, instead, simply erases the links that point to where the data can be located. In fact, computer experts claim that if an amateur tried to burn their computer in a fireplace, there is a very good chance the data could still be recovered. What is even more compelling is that, in many instances, the most important evidence is proof that there was an attempt to destroy data. Some things that may be discovered in a forensic examination include:


(1) Saved Files – These are data files that exist in a form that can be readily used. They can often be located in named and organized directories. However, a good investigator will look further for files that are hidden in strange directories or even marked to be hidden from the operating system. Often, computer users attempt to hide files by adding suffixes to the file name like .exe in order to avoid detection.


(2) Deleted Files – When a file is deleted from a computer, it is not altered. The operating system is just told to ignore that it exists. Unless the operating system writes new data over the old, it may be recovered.


(3) Temporary Files – Operating systems and programs temporarily store a copy of working data in various places. Sometimes it is in the same location as the original. More frequently it is in a specially designated folder specifically for temporary files.


(4) Metadata – This is a term that refers to corollary information that is stored along with data. It includes such things as the date the file was created, modified and last accessed. It can tell us the original owner as well as everyone who has ever used it. Sometimes it contains previous versions of the document.


(5) Disk Slack – When data is stored, it accidentally captures data from previous documents. With the certain forensic software, this datas can be searched and the old data resurrected.


The consequences of discovering undisclosed assets or other relevant information in divorce can be profound. The party that fails to disclose the asset during the divorce process may be required to pay attorney’s fees, turn over the asset to the other party or to the court in a receivership proceeding in addition to calling into question that party’s credibility in the proceedings as a whole. Actively pursing this avenue of investigation may be the difference between losing out on significant assets or finding a treasure trove of financial information from local investments and real estate holdings even if they are held in the name of another person or sheltered as part of a holding company. In practice, forensic examinations have been effective in turning up financial institutions to explore for hidden accounts and discovering wealth transfers to overseas repositories.


The goal of computer forensics is to do a structured investigation and find out exactly what happened on a digital system, and who was responsible for it. Hiring a qualified expert is critical to such an investigation. Any manipulation of a digital device from an untrained person may effectively destroy the admissibility of any evidence found since such information in untrained hands may be manipulated and modified by mistake or design. A forensic expert, by contrast, must take great pains to preserve the data in its original form before even commencing an analysis. This means that forensic examiners must take steps to ensure the integrity of the information contained within those physical items while developing methods and techniques that provide valid and reliable results while protecting the real evidence—the information—from harm. In the context of a computer hard drive, this may mean making a mirrored hard drive so that the original condition of the hard drive is preserved for any subsequent investigation.


Forensic expert generally use three phases for recovering evidence from a computer system or storage medium. Those phases include:


(1) Acquiring the data;

(2) Analyzing the data; and

(3) Reporting the data.

(4) Digital device users, including computer users, always leave tracks. According to computer forensic experts, it is “just” a matter of finding these tracks.


It is important to recognize that computer evidence almost never exists in isolation. It is a product of the data stored, the application used to create and store it, and the computer system that directed these activities. Even the applications used to create data may serve a critical role.


For example, in one particular divorce proceeding, discovery was served to acquire financial records related to a family owned business. In response, the spouse that operated the business provided profit and loss statements and general ledgers for a four year period. the records seemed to minimize the corporate assets and income. As a result, a Motion was brought to perform a forensic analysis on the computer system where the records were purportedly stored. At trial, it was revealed that the computer that was analyzed had been used to modify the data. Specifically, a program designed to erase data was downloaded and used to remove items from the hard drive only shortly before the computer was turned over to the forensic examiner. Even more compelling, the forensic examiner was able to determine that the financial records that were provided by the spouse had been created by a program version that was not in use at the time the records were purportedly compiled. The end result was that the court imposed a sanction against the party providing the records including a presumption that the records had been modified and were inaccurate.


Conclusion


Valid and reliable methods to recover data from computers as part of discovery in divorce proceedings are becoming fundamental for divorce lawyers. this is particularly true in cases with larger estates, complicated business or real estate holdings or multi-jurisdictional assets. These methods must not be overlooked. However, in such cases, it is critical to hire an attorney and a computer forensic expert capable of finding necessary information and presenting it effectively in court.



For legal representation call 612.240.8005



Maury D. Beaulier is a recognized leader in divorce and famnily law in Minnesota and Wisconsin including high profile cases across both sttaes. He can be reached at http://www.divorceprofessionals.com or at (612) 240-8005.