ShellbagsThis is the tenth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations.  As always, your comments are gratefully solicited.

Locard’s Principle

[Originally published in Law Technology News, February 2006]

Devoted viewers of the TV show “CSI” know about Locard’s Exchange Principle: the theory that anyone entering a crime scene leaves something behind or takes something away.  It’s called cross-transference, and though it brings to mind fingerprints, fibers and DNA, it applies to electronic evidence, too.  The personal computer is Grand Central Station for smart phones, thumb drives, MP3 players, CDs, floppies, printers, scanners and a bevy of other gadgets.  Few systems exist in isolation from networks and the Internet.  When these connections are used for monkey business like stealing proprietary data, the electronic evidence left behind or carried away can tell a compelling story.

Recently, a colleague owning a very successful business called about an employee who’d quit to start a competing firm.  My colleague worried that years of collected forms, research and other proprietary data might have gone out the door, too.  The departing employee swore he’d taken nothing, but the unconvinced boss needed reassurance that someone he trusted hadn’t betrayed him.  He asked me to examine Mr. Not Me’s laptop.

Turning to a forensic specialist was a smart move.  Had the boss yielded to temptation and poked around the laptop, Locard’s Principle dictates he would have irretrievably contaminated the digital crime scene.  Last access dates would change.  Log entries would be overwritten.  Some deleted data might disappear forever.  More to the point, an unskilled examiner would have overlooked the wealth of cross-transference evidence painting a vivid picture of theft and duplicity.

Stolen data has to be accessed, copied and then find its way out of the machine.  Whether it’s sent to a printer, e-mailed, burned to optical disk, written to a floppy or spirited away on a thumb drive, each conduit carries data away and leaves data behind as evidence of the transaction.

Forensic analysis of the employee’s laptop turned up many examples of Locard’s Principle at work.  Microsoft Windows employs a complex database called the Registry to track preferences and activities of the operating system and installed applications.  When a USB storage device like a thumb drive connects, however briefly, to a Windows computer, the operating system interrogates the attachment and dutifully records information about the device and the date in the Registry.  A moment-by-moment analysis of every file accessed shortly before the employee’s departure and of the Registry revealed attachment of a thumb drive—an event reinforced by the system accessing the sound file played when a device attaches to a USB port. “Bonk-bink.”  This immediately preceded access to many proprietary files on the network, concluding with the system accessing the sound file signaling removal of the USB device.  “Bink-bonk.”

Further examination showed access to other proprietary data in conjunction with use of the system driver that writes data to recordable CDs.  This evidence, along with an error log file created by a CD burning application detailing the date and time of difficulty encountered trying to burn particular proprietary files to CD-R, left no doubt as to what had transpired.

The coup de grace demonstrating the premeditated nature of the theft emerged from a review of files used to synchronize the laptop with a smart phone.  These held records of cell phone text messaging between the employee and a confederate in the firm discussing what files needed to be spirited away.  Though the messages weren’t created on or sent via the laptop, they transferred to the laptop’s hard drive unbeknownst to the employee when he synched his phone.  Armed with this evidence, the boss confronted the still-employed confederate, who tearfully confessed all to the sadder-but-wiser employer.  Case closed, but no happy ending.

Computers, like crime scenes, have stories to tell.  Data and metadata in their registries, logs, link files and abandoned storage serve as Greek chorus to the tragedy or comedy of the user’s electronic life.  Most cases don’t require the “CSI” treatment, but when the computer takes center stage, don’t overlook the potential for computer forensic analysis—and Dr. Locard’s Exchange Principle–to wring decisive evidence from the machine.

In 2015, we have still more digital footprints to follow, some permitting a step back in time.  Since this appeared early in 2006, Microsoft implemented Volume Shadow Services in its Windows operating system.  Volume “shadow copies” preserve a record of deleted or altered files and allow a rollback to restore past content in much the same way as Windows supports a restoration of prior system settings when you install a bad device driver.  Cloud storage and synchronization also serves as a cornucopia of digital treasure and dross.  Then there are the happy accidents so valuable to forensic examiners, like the oddly-named “shellbags,” viz., Windows Registry keys that reveal long-gone content and devices.

The art and science of computer forensics has seen gains and losses in the last decade. As noted, there are more sources, more devices and more artifacts to be explored.  But, the wealth of new evidence comes coupled with greater complexity and vastly increased volumes to be acquired, processed and puzzled over.  Too, the move to solid state drives and the growing use of encryption has diminished examiners’ ability to recover data from the unallocated clusters of storage devices, the region where deleted information lodged when hard drives employed spinning magnetic platters instead of memory chips.

Today’s greatest challenges are posed by handheld devices.  The Blackberry data that proved so important in the 2006 column above was simple to acquire and simple to analyze.  It was, at best, a mere adjunct to the information gleaned from the personal computer. Now,  phones and tablets are crucial, unique evidence repositories.  They teem with geolocation coordinates, texting, biometric data, social networking artifacts, call records, contact histories, sound bites, videos, snapshots and other revealing information as peculiar and varied as the apps in the App Store.  Oh, and e-mail, too. But all of it is harder to access, preserve and parse intelligibly than its desktop counterparts–and much of it has no counterpart on the desktop.

It’s a brave new world for digital forensics.  Locard’s Principle is alive and well.  Cross-transference is extensive and constant.  Forensic examiners have never been able to tell so vivid a tale of human behavior as we can today; but, neither have we had to work as hard to tell it and defend it.