fbpx

    What Every Attorney Needs to Know About Computer Forensics: Changes to the System Clock, Windows Event Logs, and Proving Spoliation

    Nick Ferrara

    From time to time, a party to a lawsuit may attempt to delete or overwrite relevant files from a computer system in its custody before producing that system to an opposing party.

    Such an attempt can lead a court to infer spoliation of evidence if a producing party’s destructive intentions can be reasonably established. Forensic computer examiners often address this issue in the course of their investigations and can typically identify techniques commonly used to compromise digital evidence. While there are a variety of ways that a user can compromise digital evidence, one technique on Windows computer systems that is within the reach of even unsophisticated users is to manually change the computer’s time and date settings.

    Most Windows computers allow users to manually change the system’s time and date settings. By changing these settings before compromising key files, a user might hope to create the appearance that these files were deleted or overwritten as part of normal computer usage prior to a court’s preservation order.

    Fortunately, a number of Windows artifacts make this technique relatively easy to detect. The Windows Event Log, for example, includes log entries that concretely identify any manual changes made to a computer’s date and time settings through the user interface.

    Expert examination can easily distinguish these log entries from other normal modifications made to a computer’s date and time settings and can yield the evidence necessary to support (or, as applicable, refute) an inference of spoliation.

    Expert examination can easily distinguish these log entries from other normal modifications made to a computer’s date and time settings and can yield the evidence necessary to support (or, as applicable, refute) an inference of spoliation. These types of analyses are typical of the work that DisputeSoft’s forensic investigators perform for clients.

    If you are involved in a matter where you suspect that the date and time that files were deleted or last modified have been manipulated, or if you are defending against such an assertion, give us a call to see if we can assist you in establishing or refuting an inference of spoliation.

    Other Insights from Nick Ferrara

    Post
    This installment of DisputeSoft's Computer Forensics series considers how experts can establish or refute inferences of spoliation by examining Windows Event Logs.
    Case
    DisputeSoft was engaged by Thermo Fisher Scientific in this trade secret misappropriation dispute involving a Clinical Trial Management System.

    Nick Ferrara

    Manager & Forensic Examiner

    Nick Ferrara has been an integral part of more than 35 cases, spanning numerous commercial industries and all of DisputeSoft’s core practice areas, including copyright infringement, trade secret misappropriation, and computer forensics. His code review work has covered everything from analyzing the architecture of large scale, multi-tier information systems to examinations of low-level smartphone firmware code.