March 18, 2021 Practice Points

Forensic Examination of Electronic Devices: Part 1

While it may seem that thinking about forensic examinations is only necessary when a company is preparing to litigate, familiarity with forensics can help position your client before the need for a forensic examination arises.

By Sarah Horstmann, Dawn Mertineit, and Antonio Rega

Forensic analysis of electronic devices has become increasingly important in both pre-litigation and litigation. This Practice Point will cover:

  • The basics of forensic examinations, including the types of devices and accounts that can be analyzed and data that can be uncovered; and
  • Strategies to best position your client proactively before the need for forensic examination arises.

A subsequent Practice Point will address key considerations in carrying out the forensic examination, including the scope of the examination, options for who will conduct the investigation, and tips on drafting protocols and analyzing results.

The Basics

What Is a Forensic Examination?

A forensic examination is essentially an investigation—or “interrogation”—of electronic records to identify indications of activity that may be noteworthy or otherwise suspicious, undertaken in a manner that can ultimately be presented in court.

Forensic examinations can be used to analyze many types of devices and accounts, including computers, tablets, mobile devices, email accounts, and USB devices. More recently, enterprise chat collaboration apps and/or cloud-based accounts (such as Google Workspace, Office 365, Slack, or Dropbox) have become more prominent, which in turn facilitates potential data flight. A forensic examination of these devices and accounts could uncover useful data such as the following:

  • Transfer of documents from a laptop to a USB drive, including the serial number of the drive, the date it was plugged into the laptop, and what files were accessed on the drive at the time it was plugged in
  • Forwarding of documents to a personal email account
  • Copying of documents to personal cloud-based storage sites, like Google Drive or Dropbox
  • Access dates for certain documents at certain times and from certain devices
  • Internet searches that might be relevant (for example, “non-compete enforceable” or “scrubbing software”)
  • Use of a mobile device to take photos of documents
  • Call logs or text messages to customers or former coworkers in violation of restrictive covenants
  • Use of cloud-based “chat” messaging to transfer documents or information

When Are Forensic Examinations Used?

Forensic examinations are used in a variety of circumstances, both pre-litigation and during litigation. An employer might conduct a forensic examination of a departed employee’s company-issued devices to determine whether the employee retained any confidential information or breached contractual non-solicitation obligations. This examination can provide a former employer with information necessary to evaluate potential claims and may be useful in pre-litigation settlement discussions.

Forensic examinations may also be used during litigation as part of discovery. With respect to devices and accounts in a party’s custody and control, parties will often conduct their own examinations. Where devices and accounts are not in a party’s custody and control, the party may demand review by a third-party neutral and, if necessary, seek a court order for that review.

Thinking Proactively: What Are Strategies to Best Position Your Company or Client before the Need for Forensic Examination Arises?

While it may seem that thinking about forensic examinations is only necessary when a company is preparing to litigate, familiarity with forensics can help position your client before the need for a forensic examination arises.

First, counsel should regularly review in-house protocols, including but not limited to policies regarding recovery of company-owned assets (including not just electronic devices but also the data on them) when employees depart. In addition, counsel should ensure that relevant stakeholders within the client (such as HR, IT, and legal personnel) are familiar with best practices as to non-use of returned assets. For example, those likely to receive and/or handle returned devices from departed employees should be aware that access to those devices—including something seemingly as innocuous as booting up a computer—could permanently alter metadata that may later be critical in litigation. Accordingly, those individuals should understand the company’s protocols regarding what steps may be taken (such as forensic imaging where necessary) before returned devices are accessed or redeployed to other employees. Counsel should consider potential adjustments to company policies or procedures to minimize the potential for data flight.

Finally, companies should consider partnering with a forensic expert so that during the early stages of an investigation, the expert can provide your client with prompt guidance, such as identifying remedial actions to take in lieu of more extensive discovery and/or analysis.

Stay tuned for a follow-up Practice Point discussing key considerations as to the examination itself.

Sarah Horstmann is a partner with Maslon in Minneapolis, Minnesota. Dawn Mertineit is a partner with Seyfarth Shaw in Boston, Massachusetts. Antonio Rega is a managing director with Ankura in New York City, New York.

The material in all ABA publications is copyrighted and may be reprinted by permission only.

Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).