What Is a Forensic Examination?
A forensic examination is essentially an investigation—or “interrogation”—of electronic records to identify indications of activity that may be noteworthy or otherwise suspicious, undertaken in a manner that can ultimately be presented in court.
Forensic examinations can be used to analyze many types of devices and accounts, including computers, tablets, mobile devices, email accounts, and USB devices. More recently, enterprise chat collaboration apps and/or cloud-based accounts (such as Google Workplace, Office 365, Slack, or Dropbox) have become more prominent, which in turn facilitates potential data flight. A forensic examination of these devices and accounts could uncover useful data such as the following:
- Transfer of documents from a laptop to a USB drive, including the serial number of the drive, the date it was plugged into the laptop, and what files were accessed on the drive at the time it was plugged in
- Forwarding of documents to a personal email account
- Copying of documents to personal cloud-based storage sites, like Google Drive or Dropbox
- Access dates for certain documents at certain times and from certain devices
- Internet searches that might be relevant (for example, “non-compete enforceable” or “scrubbing software”)
- Use of a mobile device to take photos of documents
- Call logs or text messages to customers or former coworkers in violation of restrictive covenants
- Use of cloud-based “chat” messaging to transfer documents or information
When Are Forensic Examinations Used?
Forensic examinations are used in a variety of circumstances, both pre-litigation and during litigation. An employer might conduct a forensic examination of a departed employee’s company-issued devices to determine whether the employee retained any confidential information or breached contractual non-solicitation obligations. This examination can provide a former employer with information necessary to evaluate potential claims and may be useful in pre-litigation settlement discussions.
Forensic examinations may also be used during litigation as part of discovery. With respect to devices and accounts in a party’s custody and control, parties will often conduct their own examinations. Where devices and accounts are not in a party’s custody and control, the party may demand, and seek a court order if necessary, for review by a third-party neutral.
Thinking Proactively: What Are Strategies to Best Position Your Company or Client before the Need for Forensic Examination Arises?
While it may seem that thinking about forensic examinations is only necessary when a company is preparing to litigate, familiarity with forensics can help position your client before the need for a forensic examination arises.
First, counsel should regularly review in-house protocols, including but not limited to policies regarding recovery of company-owned assets (including not just electronic devices but data thereon) when employees depart. In addition, counsel should ensure that relevant stakeholders within the client (such as HR, IT, and legal personnel) are familiar with best practices as to non-use of returned assets. For example, those likely to receive and/or handle returned devices from departed employees should be aware that access to those devices—including something seemingly as innocuous as booting up a computer—could permanently alter metadata that may later be critical in litigation. Accordingly, those individuals should understand the company’s protocols regarding what steps may be taken (such as forensic imaging where necessary) before returned devices are accessed or redeployed to other employees. Counsel should consider potential adjustments to company policies or procedures to minimize potential for data flight.
Finally, companies should consider partnering with a forensic expert so that during the early stages of an investigation, the expert can provide your client with prompt guidance, such as identifying remedial actions to take in lieu of more extensive discovery and/or analysis.
Stay tuned for a follow-up Practice Point discussing key considerations as to the examination itself.