Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
The Use of Computer Forensics in Arbitration
Posted: May 21 2004
With the pervasive use of computers and information technology in the business world today, approximately 80% of all corporate data is stored electronically, 93% of all new data is created electronically, and more than 70% of the data stored electronically is never reproduced on paper. Thus, in any complex commercial dispute, it is highly probable that the evidence required to prevail in a matter will need to be obtained from electronic storage. Computer forensics is the methodology to collect, authenticate, preserve, examine, and recover that evidence from electronic media.
Litigation has traditionally been the preferred manner for resolving complex commercial disputes, but over the past fifteen years, arbitration has become a common alternative to litigation. The arbitration process is less complex and less formal than litigation: witnesses are not deposed, discovery is relatively restricted, and the rules of evidence are not as strict. For these reasons, computer forensics is generally used less frequently in arbitration than in litigation. Nevertheless, there are many instances where it is both procedurally correct and cost effective to use computer forensics in arbitration.
Although the rules of evidence are neither as strict nor as formal for arbitration proceedings, as compared to litigation, it would be a gross simplification to state that they do not apply. Typically, the more important the evidence, the stricter the application of the rules of evidence is in the arbitration. For evidence that is central to an arbitration matter, evidentiary standards can be functionally equivalent to the rules of evidence in litigation. Furthermore, while arbitration decisions are rarely vacated, they may be vacated based on improper handling of evidence by the arbitrator.
Thus, as computer forensics is focused on obtaining admissible evidence from electronic media, computer forensic protocols are a necessary component to ensure a successful arbitration. Of course, the IT department or someone who "knows something about computers," "could" collect the data; however, in all but the simplest of matters, there can be some significant risks to collecting data in this manner. Electronic evidence is fragile by nature; the simple act of turning on a computer can destroy or taint the evidence on a computer.
Many matters, especially complex commercial disputes, depend on the exact sequence of events, e.g. was relevant information shared prior to a negotiation, were all parties aware of the situation prior to the meeting, etc. Therefore, the meta-data, i.e. creation date, last access date, etc., for a file can be as important as, or even more important than, the contents of the file itself. Having an individual collect data by simply copying or printing files for review will permanently and irreversibly alter the file meta-data. This can make it very difficult or impossible to successfully and/or admissibly reconstruct a series of events. Given the flexible application of the rules of evidence in arbitration, this may or may not be detrimental to the client's case. If the series of events that need to be reconstructed simply frame the situation, an arbitrator might allow an attorney to stipulate as to what had occurred without corroborating evidence. On the other hand, if the sequence of events is central to the attorney's position, it is significantly less likely that the arbitrator will allow the attorney to simply stipulate as to the events that transpired without supporting evidence, such as authenticated meta-data, substantiating physical evidence, or triangulated circumstantial evidence.
Computer forensics, therefore, can be used to collect and preserve evidence from electronic media that is central and essential to an arbitration. Nevertheless, the client, due to the fact they are arbitrating as opposed to litigating, certainly wishes to contain legal costs. Thus, the use of computer forensics must be focused, judicious, and cost effective. The cost of computer forensics is a function of two things: the number of computers and the complexity of the forensics. The first factor is relatively easy to manage; the forensics effort should focus only on those individuals and systems that are known to be central to the matter.
Managing the second factor, forensics complexity, is not necessarily more difficult than managing the number of computers, but rather more subtle and nuanced. Forensic complexity is driven by how deep the forensics investigator must probe to recover evidence. Two aspects control the depth of examination required: the amount of time that has elapsed since the events and the extent of malicious and/or intentional data destruction. Time is critical as the quality of evidence from a computer system is naturally degraded by computer usage. It is therefore ideal to bring computer forensics experts into a matter as early as is reasonably feasible.
Bringing computer forensics experts into a matter early may seem to create a cost minimization Catch-22 between managing the number of computers and the complexity of the forensics. At the early stages, it is difficult to know which computers will have critical evidence and which will not. Thus, to minimize legal cost, the temptation is either to severely limit the number of systems or to defer computer forensics to later stages. Either approach creates the risk of increased forensic examination costs due to a system that was initially overlooked or degraded evidence from system usage.
The nature of forensic collection provides an elegant solution to this quandary. Forensic collection is based on the principle of mirroring, which creates an exact bit-by-bit copy from electronic media that is locked from further alteration. Thus, collecting evidence from a system preserves a snapshot of that system at that particular moment in time which can be examined later. Compared to forensic examination, the process is relatively simple and inexpensive. Typically, forensic examination costs 3 to 4 times more than forensic collection; complex/deep forensic examination can be as much as 9 to 10 times more expensive than forensic collection. A good rule of thumb (see chart below) is that if there is a 20% chance that an individual system may have critical evidence, the system should be forensically collected.
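The difference between the informal copy described earlier and the mirrored, locked image described above, as an added example that is not part of the original article: a regular file stands in for the medium, SHA-256 is an assumed choice of hash, and all names and sample data are constructed. On a real collection the whole medium is imaged, so the file system's date stamps travel inside the image.

```python
import hashlib, os, shutil, stat, tempfile
from datetime import datetime
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB blocks

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Copy source to image bit for bit, hash the bytes read, lock the image read-only."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image, stat.S_IRUSR)
    return h.hexdigest()  # recorded at collection time

def verify_image(image, recorded_hash):
    """True only if the image still matches the hash recorded at collection."""
    return sha256_of(image) == recorded_hash

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the evidence, backdated to 1 March 2004.
        source = Path(tmp, "source.bin")
        source.write_bytes(b"constructed sample record\n" * 4096)
        event_time = datetime(2004, 3, 1, 9, 0).timestamp()
        os.utime(source, (event_time, event_time))
        # Informal collection: an ordinary copy is stamped with the time of copying.
        casual = Path(tmp, "casual_copy.bin")
        shutil.copy(source, casual)
        kept_date = casual.stat().st_mtime == event_time
        # Forensic collection: image, record the hash, verify before examination.
        image = Path(tmp, "evidence.img")
        recorded = acquire_image(source, image)
        # A copy of the image with a single bit changed no longer verifies.
        altered = Path(tmp, "altered.img")
        data = bytearray(image.read_bytes())
        data[100] ^= 0x01
        altered.write_bytes(bytes(data))
        return kept_date, verify_image(image, recorded), verify_image(altered, recorded)

if __name__ == "__main__":
    print(demo())
```

The hash recorded at collection is what lets an examiner show, months later, that the image being examined is the one that was taken.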
Along with managing cost, there is a second important reason to start computer forensics early. Clients are not always aware of the specific actions of employees who are central to the matter. This is frequently true in securities and trading matters. For example, a customer will accuse a broker at a brokerage firm of unauthorized trading activity, and one of the key questions for the brokerage firm is what did that broker do or not do? If the broker did behave inappropriately, the brokerage firm wants to know immediately so they can settle the matter with the customer and take action against the broker. An early application of computer forensics allows the client to assess their situation quickly and preserves evidence for any subsequent proceedings, such as dismissing a broker.
Thus, even though the rules of evidence are relaxed for arbitration, there are still compelling reasons to use computer forensics in an arbitrated matter. Forensics can preserve the critical evidence, thereby enabling counsel to stipulate to the source and authenticity of that evidence. The use of computer forensics also provides a measure of insurance against a vacated ruling, as it follows the generally accepted procedures for litigation. Forensics can also enable the client to be aware of the actions of the employees centrally involved in a matter. To conclude, here are four easy steps to using computer forensics in arbitration proceedings:
- Retain a computer forensics firm early. A good firm can help your client manage costs and assess their situation.
- As early as possible, collect evidence from those systems that are reasonably believed (greater than 20% chance) to contain evidence essential to the matter. Systems that are known to only have tangential or supporting data should not be collected at this point.
- One of the goals of the investigation or discovery process should be to identify those systems which should be forensically examined.
- Forensic examination should be conducted on those systems that are known, through the facts or through discovery, to have critical/central evidence to the matter.