Hands on a laptop screen displaying graphs

A Lawyer’s Guide to Data Preservation

A Lawyer’s Guide to Data Preservation

Synopsis
2 Minute Read

Newer hard drives in laptops and computers make it harder to recover deleted data, emphasizing urgency when seeking digital evidence.

Lawyers are typically the first people who get called when things go sideways. Therefore, it’s important you advise your clients wisely when it comes to data preservation and digital forensics.

The importance of timeliness

As mentioned in our previous article, A lawyers guide to digital forensics, when it comes to preserving evidence, the sooner the better. The quality of the evidence is directly related to how soon it is seized.

All too often, a digital forensics team member will receive a laptop that previously belonged to the employee of interest, but it has already been re-deployed to another employee for several months. Or a data breach was suspected but the server in question wasn’t taken offline and imaged until weeks or months later. By that time, all the interesting information (deleted data, log files, operating system artifacts) has either been overwritten by new data or purged by the operating system itself. This renders the device much less valuable as evidence, and often results in nothing useful getting extracted.

Solid state drives (SSDs) don’t retain a lot of deleted data

More and more, SSDs are being used in laptops and desktops, and with reason. They’re ten times faster than regular hard drives (magnetic spinning platter) and immune to magnetic fields, and shocks from being dropped. However, they become slower when the drive starts to fill up. To mitigate this, the industry has come up with a pair of complementary techniques called “trim” and “garbage collection” that erases so-called deleted data in the background while the device is being used. 

This results in faster overall performance because the operating system of the device doesn’t have to wait for an erase to occur before it writes new data – the erase has already happened in the background. The downside of this behaviour is that recovery of deleted data becomes difficult, if possible at all. See here and this article for more information on how it works and what can be done. The latter paper talks about some testing done where in some cases, absolutely no deleted data could be recovered.

To seize or not to seize

An average-sized SSD in a business laptop is about 256GB. When you factor in the size of Windows 10, Microsoft Office, and Adobe Acrobat, there’s not a lot of drive space left. This means that background garbage collection will start occurring relatively soon after a computer is deployed. If you suspect something is amiss, act quickly and decisively. If in doubt, consult with a forensic professional for advice and recommendations.

For more information, contact Ken Lew, Forensics and Litigation Support, at 778.309.4750 or [email protected].

Insights

  • December 06, 2023

    Planning for long-term success in your craft brewery

    Whether you’re hoping to grow your brewery or position the business for sale down the road, setting yourself up for success means looking ahead.

  • Canada Dental Benefit: What employers need to know about changes to T4/T4A reporting

    Employers will face new T4/T4A reporting requirements to help confirm employees’ eligibility for the Canada Dental Benefit. Find out what that means for you.

  • Performance

    December 05, 2023

    Highlights from the Federal Fall Economic Statement

    The Honourable Chrystia Freeland, Deputy Prime Minister and Minister of Finance delivered the federal government’s 2023 Fall Economic Statement (FES) on November 21, 2023.