Taking a Byte Out of Cyber Secrecy
Forensic technologists can help verify or unwind intricate claims whose details are bound up in cyber nooks and crannies.
By Karl Epps
Bit by bit, information gets stored in various locations. That information could be critical to the proper evaluation of a claim, but a standard inquiry into computer files might not reveal all that's out there. The information stored in computers often represents the largest accumulation of data for an organization, but it likely does not include all relevant data. External devices such as backup drives, USB keys/flash drives/memory sticks, CD/DVDs, cell phones, PDAs, copiers, fax machines and iPads contain a wealth of data that may duplicate or expand on the stored data.
In addition to these physical storage locations, there are social media sites that can house large amounts of information. These include Facebook, Twitter and LinkedIn as well as "cloud" backup locations, such as Carbonite, DropBox and Microsoft's Live Mesh. In the case of an investigation, it is a mistake to limit your search to what is thought of as the traditional computer when there are so many potentially rich data stores available. Think of it this way: A 16-gigabyte memory chip, the size included in the current Droid cell phone, is about the size of your thumbnail and can hold approximately 320 500-page college text books or about 3,200 MP3 files.
Investigating a Claim
Today, over 90% of the world's information is being generated and stored in digital form, and more than half of all business documents created never become paper records. In fact, when it comes to receipts, invoices, and other record-keeping, it's very difficult to find paper copies at all in some industries. On the other side of the coin is the vast, new, digitized record of communications. The simple "word of mouth" and telephone conversation have been transformed, often to the benefit of the claims examiner, into a plethora of data. The key is finding all that you need and not much more than you need. That's where a claims unit can benefit from coordinating with a forensic technologist.
A forensic technology investigation usually arises in one of two ways—in criminal cases, following the seizure of computers and other external data sources; or in a civil litigation, when there is a basis for believing that relevant data has been withheld, misrepresented, forged, falsified, modified or otherwise manipulated. In civil litigation cases, a demand is made for an image of the computer system and identifiable external data sources. It is important that the investigator capture all data sources in the initial acquisition and that plans are made for a full investigation. Regardless of whether or not the plan is only to do a quick search, the imaging process is the same. In most cases, there is only one opportunity for this data acquisition step.
It is imperative that all cases are treated as if they will be litigated in a court of law; to do otherwise can endanger the evidence and outcome. In some cases, additional data sources will be identified in the course of the investigation. It will be necessary to obtain specific authority to access those sources, but it is generally frowned upon and can undermine expert testimony if repeated requests are made for the same data sources.
Once the data sources have been imaged, the forensic technologist will begin the investigation. This is where the claims management process can have a major impact on the ultimate success and cost of the forensic investigation. Prior to the analysis of the electronic data, there should be a meeting between the claims professional, attorney and forensic investigator. During this meeting, the technologist should be given sufficient information to provide a focus for the investigation. While each case is different and other information may be pertinent, the claims professional should generally be prepared to provide the following information at a minimum:
- Nature of the Case – The key issues that drive the case and the amount of damages.
- Key Parties – The relevant people who may have received or created correspondence or other types of documentation. This should include known nicknames and aliases.
- Key Dates – The earliest and latest dates on which data relevant to the key issues could have been created or received.
- Keyword Lists – Words that are tied to the issues involved in the case.
- Business Contacts – Businesses or other entities which may be involved in the issues being addressed.
- Dollar Amounts – Key dollar amounts, such as specific payments believed to have been issued or monies that are in contention or missing. This should also include relevant account numbers and bank names.
- Known E-mail Accounts and Websites – E-mail accounts and websites relevant to the case that were used or believed to have been accessed by the parties.
- Known or Suspected Areas of Inconsistency, Exclusion or Alteration of Data – Those issues which gave rise to the request for the forensic technology imaging process to be initiated.
- Date of Subpoena – Where applicable, an investigator should always ensure that subpoenaed data repositories were sequestered and that no additional manipulation was done on them. It may be found that, after the subpoena, data was deleted or modified in an effort to hide evidence. On a computer, it may even be possible to recover deleted data or to find evidence of programs used to securely delete data. An Internet history may reveal research performed to that end. Intentional destruction following a court order would result in "spoliation," intentional or negligent withholding, hiding, alteration or destruction of evidence relevant to a legal proceeding. The logical conclusion is that the party destroyed the evidence to protect himself. The court's penalties for spoliation can be very severe.
Claims personnel should provide as much specific information as possible in order to control the scope and hone the focus of the computer forensic investigation. These investigations become very expensive when they include general searches as opposed to focused ones.
Managing the forensic technology process to improve cost effectiveness does not mean limiting a proper and necessary follow-up when relevant information is found. An experienced investigator will recognize when a thread of information or data should be pursued. From a cost standpoint, following a thread found within an identified scope is far less time consuming than a search to determine where a thread might exist.
As an additional cost-saving measure, the investigation should include a plan for periodic updates. The claims professional can request that a follow-up be held after the initial investigation to review any evidence found and to discuss the direction of the case. There are several reasons why this is important.
First, information uncovered by the investigator may be relevant to other parts of the investigation, such as development of interrogatories and document requests. Second, periodic updates will provide a sense of whether or not substantive progress is being made and, if so, in what areas. Third, the sharing of information assists the entire team in determining if data sources are exhausted or if additional review is necessary.
After the initial search, the investigator will have developed a plan as to where additional investigation should be performed. During these consultations, the insurer can make the decision about strategy and further exploration. When legal counsel, claims professionals and forensic technology investigators work as a team on cyber data collection, what was once impossible to document becomes a rich source of evidence.