A Lawyer’s Guide to Data Preservation

Lawyers are typically the first people who get called when things go sideways. Therefore, it’s important you advise your clients wisely when it comes to data preservation and digital forensics.

The importance of timeliness

As mentioned in our previous article, A lawyers guide to digital forensics, when it comes to preserving evidence, the sooner the better. The quality of the evidence is directly related to how soon it is seized.

All too often, a digital forensics team member will receive a laptop that previously belonged to the employee of interest, but it has already been re-deployed to another employee for several months. Or a data breach was suspected but the server in question wasn’t taken offline and imaged until weeks or months later. By that time, all the interesting information (deleted data, log files, operating system artifacts) has either been overwritten by new data or purged by the operating system itself. This renders the device much less valuable as evidence, and often results in nothing useful getting extracted.

Solid state drives (SSDs) don’t retain a lot of deleted data

More and more, SSDs are being used in laptops and desktops, and with reason. They’re ten times faster than regular hard drives (magnetic spinning platter) and immune to magnetic fields, and shocks from being dropped. However, they become slower when the drive starts to fill up. To mitigate this, the industry has come up with a pair of complementary techniques called “trim” and “garbage collection” that erases so-called deleted data in the background while the device is being used. 

This results in faster overall performance because the operating system of the device doesn’t have to wait for an erase to occur before it writes new data – the erase has already happened in the background. The downside of this behaviour is that recovery of deleted data becomes difficult, if possible at all. See here and this article for more information on how it works and what can be done. The latter paper talks about some testing done where in some cases, absolutely no deleted data could be recovered.

To seize or not to seize

An average-sized SSD in a business laptop is about 256GB. When you factor in the size of Windows 10, Microsoft Office, and Adobe Acrobat, there’s not a lot of drive space left. This means that background garbage collection will start occurring relatively soon after a computer is deployed. If you suspect something is amiss, act quickly and decisively. If in doubt, consult with a forensic professional for advice and recommendations.

For more information, contact Ken Lew, Forensics and Litigation Support, at 778.309.4750 or [email protected].