E-sleuthing and the Art of Electronic Data Retrieval Uncovering Hidden Assets in the Digital Age Part I

Electronic data—everything from books and records to e-mails, computer programs and digital storage systems—is everywhere in business today.3 Attorneys who represent creditors, trustees, committees, examiners, employees, shareholders, co-defendants, U.S. Trustees and most other parties in interest in a bankruptcy case must be familiar with the process and potential benefits of digital forensic accounting.

E-sleuthing uses sophisticated e-data retrieval technology to unlock the electronic records of a debtor. This technique is practically mandatory for finding evidence related to accounting and debtor fraud. In addition, recovered e-data may assist creditors in the discovery of claims against the debtor's auditors, underwriters, board members, preferred shareholders, employees and insiders. While forensic accounting has been practiced for generations, e-sleuthing in the bankruptcy context is a child of the digital age because it deals with the financial books and records and related information created and stored on computer hard disk drives, PDAs4 and other digital devices. It exists because some 93 percent of all information is generated in digital form.5 The demand for skilled forensic accountants already outstrips the supply, and this trend is likely to increase as creditors, trustees and other parties in interest seek to probe more deeply into the finances of recalcitrant debtors.6

What Is E-sleuthing, and Why Must You Know About It?

The term "e-sleuthing" refers to the technology and techniques used to find and reconstruct a debtor's digital books and records, accounting work-papers, financial reports, e-mail and other stored data and communications in order to locate assets that have been hidden, dissipated or transferred out of the reach of creditors. The skills of the e-sleuth are essential if the debtor has intentionally tried to hide, encrypt or delete digital information. A digital forensic technologist is able to uncover the storehouse of information on the debtor's computers and digital devices. While the removal of computer files and the deletion of e-mails and other electronic data can often be detected long after the fact, every day of ordinary use overwrites more of what was deleted, so the sooner an e-sleuth is engaged, the more likely it is that vital information can be recovered.

Why Should You Care About E-data?

Many people think that getting rid of cyberwaste and unwanted digital data is as simple as point and click. We assume that the same motherboard magic that brought data and e-mail into existence will just as graciously whisk it away without a trace, while keeping secret data safe. Taking out the trash should be this easy! But as so many former WorldCom, Andersen and Enron employees have learned to their acute chagrin, "delete" doesn't really mean delete, and "recycle" doesn't really mean recycle, at least not as soon or as completely as most of us would like to think.7

Once created, e-data on a debtor's computer HDD, PDA and other digital devices has a life of its own, and very often, it stays around long after its welcome has worn off. Such data can include names, addresses, passwords, bank accounts, financial records, taxpayer identification numbers, memos or text of any length, backdated documents, information identifying related parties, insider transactions, financial statements, accounting working papers, stock options, business valuations, asset appraisals, beneficial owners, insurance coverage, contracts, spreadsheets and a second set of books and records. Knowing how to find and reconstruct this information, particularly in the face of debtor stonewalling, is essential for counsel representing creditors and any other party in interest when it appears that the debtor or insiders have something to hide.

Digital financial information comes in the form of accounting programs and other forms of financial information, spreadsheets, e-mails and address books, just to name a few examples. Documents, electronic memos, databases, archives, presentations and graphics are recorded, revised, encrypted, backed-up, copied, saved, pasted, printed and forwarded. E-data is stored on conventional computer HDD, as well as an ever-expanding array of electronic, digital and optical devices and media including network servers, workstations, laptops, mini-towers, desktops, floppy disks, EIDE HDD, SCSI HDD, USB devices, FireWire devices, Network Attached Storage, RAID sets, CDs, DVDs, Microdrives, CompactFlash cards, Memory Sticks, PCMCIA HDD, MultiMediaCards, Zip disks, Jaz disks, external HDD and tape backup systems. In addition, digital information is also created and stored on a wide assortment of PDAs such as Palm, Handspring Treo, iPaq, Jornada, Cassiopeia, Clie, Visor, and Windows CE and Pocket PC devices.

A vast array of digital information is created and stored on media commonly used in all types of business and commercial applications. E-data can be a veritable gold mine of information on how the debtor did business, when and what insiders, employees and others did with its assets, and other information. In cases where the debtor has intentionally hidden or transferred assets, recovered data can be the digital equivalent of a smoking gun.

How Is E-data Hidden, and How Is It Recovered?

E-data first exists as information entered and stored on any electronic, digital or optical device. This includes "active files," which are used and modified on a daily basis, and any type of stored or archival files. Documents may be saved or backed up on more than one computer, computer server, external HDD, tape drives or other media. Insiders might also keep copies on their personal computers or PDAs.

Lost and Found: Locating Hidden E-data

E-data can be concealed in a variety of ways. Often it is attached to legitimate files on the HDD in a way that ordinary directory listings do not show. For example, the Microsoft NTFS file system allows a file to carry more than one data stream; any stream other than the default one is an Alternate Data Stream (ADS), also described in Microsoft's documentation as a "multiple data stream," and Windows Explorer and a plain "dir" listing show neither its presence nor its size. Information is also left behind in file slack space. The file system allocates disk space in fixed-size "clusters" made up of 512-byte "sectors," and a file rarely ends exactly on a cluster boundary; file slack is the space between the end of the file's data and the end of its last cluster, and it has two parts. RAM slack is the remainder of the last sector actually written. On older versions of Windows it was padded with whatever happened to be in memory at the time, which could include passwords, account numbers and other confidential information (Windows NT-based systems pad it with zeros instead). Drive slack is the remaining unused sectors of that last cluster; they are not rewritten at all when the file is saved, so they retain whatever was previously stored there and may contain valuable scraps of deleted files.

Software programs create a type of e-data called "metadata": information about the e-data rather than its visible content. The file system records when a file was created, last modified and last accessed; document formats such as Microsoft Office files additionally embed the application name and version, the document title, subject, keywords, template, comments, revision number, total editing time, counts of pages, lines, words, paragraphs, characters, notes and slides, security flags, and the user names recorded as author and last editor. The metadata can show, for example, whether files were accessed, modified or backdated at any time after the user received notice of a lawsuit, and an internal "last saved" date that disagrees with the file system's modification date is itself a lead. Most word-processing documents, spreadsheets, database files, presentation files and many other types of files contain this embedded information. None of it appears on a hard-copy printout, so production of hard copy alone will leave out this potentially critical data. Two cautions apply: timestamps are easy to alter, so they are corroborated against other sources (server logs, backups, the document's own revision history) rather than taken at face value, and the examiner's own handling must not update them, which is one reason the original media is never examined directly (see the discussion of forensic imaging below).
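
The timestamp check described above, as an added example that is not code from the original article: it scans files for two warning signs, any change after a hypothetical litigation-hold date and a modification time that predates the file's last metadata change. The second sign rests on a fact of POSIX file systems: `touch -d` or `os.utime()` can rewrite the modification time to any date, but the kernel sets the change time (`st_ctime`) to the current clock, so a backdated file shows an old mtime next to a fresh ctime. The file, its contents and the hold date are all constructed for the demonstration.

```python
"""Flag file timestamps that suggest backdating or edits after a litigation hold.

Added example, not code from the original article. Assumes a POSIX file
system, where utime() rewrites atime/mtime but the kernel stamps ctime with
the current time (on Windows st_ctime is the creation time, which still
lands in the present for the demo file and yields the same flags).
"""
import os
import tempfile
from datetime import datetime, timezone


def scan_timestamps(paths, notice_date):
    """Return {path: [flags]} for files whose timestamps look suspicious.

    notice_date: aware datetime when the custodian received notice of the
    litigation (the hold date; hypothetical in demo()).
    """
    findings = {}
    for path in paths:
        st = os.stat(path)
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        ctime = datetime.fromtimestamp(st.st_ctime, timezone.utc)
        flags = []
        # Content or metadata touched after the hold went into effect.
        if mtime > notice_date or ctime > notice_date:
            flags.append("changed-after-notice")
        # A normal write sets mtime and ctime together.  mtime more than a day
        # older than ctime means mtime was set explicitly afterwards: either
        # deliberate backdating or a copy/restore that preserved the old mtime.
        # Either way the file's history needs explaining.
        if (ctime - mtime).total_seconds() > 86400:
            flags.append("mtime-predates-ctime")
        if flags:
            findings[path] = flags
    return findings


def demo():
    """Create a sample file, backdate its mtime to 2002, and scan it."""
    notice = datetime(2003, 6, 1, tzinfo=timezone.utc)   # hypothetical hold date
    with tempfile.TemporaryDirectory() as d:
        ledger = os.path.join(d, "ledger_q4.xls")        # constructed sample file
        with open(ledger, "wb") as f:
            f.write(b"fake spreadsheet bytes")
        # What `touch -d 2002-12-31 ledger_q4.xls` does: atime/mtime go back,
        # ctime stays at "now" because the kernel, not the caller, sets it.
        old = datetime(2002, 12, 31, tzinfo=timezone.utc).timestamp()
        os.utime(ledger, (old, old))
        return scan_timestamps([ledger], notice)


if __name__ == "__main__":
    for path, flags in demo().items():
        print(path, flags)
```

The demo file comes back with both flags: its ctime is the moment the scan ran (after the hold), and that ctime is years newer than the backdated mtime. On NTFS the corresponding check compares the $STANDARD_INFORMATION timestamps, which tools can rewrite, against the $FILE_NAME timestamps, which they generally cannot.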

Many programs create numerous temporary files, and several versions of a document may exist under different names (Microsoft Word's ~WRL*.tmp backup files are a familiar example). Computer network and server logs provide a history of files and documents accessed, and will often show what has been printed, backed up, downloaded and/or shared between users. In addition, data sent to a printer is first written to a spool file on the sending computer (on Windows, the .SPL and .SHD files in the spool directory); although the spooler normally deletes these files after printing, they can frequently be recovered from unallocated space and may reproduce the printed document in full.

A rich source of e-data is the various back-up or archival systems used in most business computer networks. These include automatic back-ups by software applications to prevent loss of information due to power loss or improper shutdown. Back-up copies often create a record of a document that includes prior revisions. In addition, many businesses use a daily back-up system in which all new documents and modifications are copied daily and kept on magnetic tape to be retained for a period of time (weeks or perhaps months). Some companies archive e-data at an off-site location for even longer periods.

Important financial information can also be found in deleted e-data. When e-data is "deleted," the operating system merely marks the file's directory entry and the clusters it occupied as available; the contents themselves remain on the HDD in "unallocated space," concealed from the user but intact. This space can contain the debtor's books and records, financial statements, audit workpapers, spreadsheets, financial databases, e-mail and related attachments, electronic payments and transfers, documents and other e-data. The information is only actually destroyed when the sectors where it was stored are overwritten with new data, so a file deleted last week is far more likely to be recoverable than one deleted a year ago on a busy system. A debtor's insiders may try to eliminate this e-data with software that "wipes clean" hard drive space by overwriting it. Data that has genuinely been overwritten cannot be recovered by software, but a wipe is rarely complete: copies survive in slack space, backups, the e-mail server and other users' machines, and the wiping itself leaves evidence, such as large areas filled with a fixed byte pattern, the wiping tool's own installation and usage records, and the timing of the wipe relative to notice of the litigation, all of which will be evident upon inspection by the digital forensic accounting technologist.

Of special interest to e-sleuths is e-mail and instant messaging. The debtor's HDDs and PDAs may contain millions of e-mails and attached files relating to the financial activities of the debtor and insiders.8 It is common knowledge that people are consistently more open and frank in e-mail and instant messaging than they would otherwise be in person or in formal hard-copy correspondence and memos. There may be many reasons for this, including the rapid and informal nature of e-mail, seeming privacy, the ability to selectively communicate by and among a particular group of people, and the fact that most people still believe that e-mail is readily deleted. Cases in which e-mails have been important or dispositive are increasing. For example, in In re Kevco Inc., 2003 Bankr. LEXIS 519, *25 (N.D. Texas 2003), e-mails found on the defendants' hard drives supported allegations by the chapter 11 liquidating agent that defendant former officers of the debtor wrongfully appropriated trade secrets and breached their fiduciary duties in setting up a competing company. E-mail must not be overlooked as a source of information regarding alleged corporate and individual wrongdoing.9 In a typical large business with multiple locations, e-mail is kept on an e-mail server. After an e-mail is "deleted" by an individual user, it is retained on the server for a set period of time before it is purged. This period can be as little as a few days or as long as several months, depending on the policies of the company and its storage capacity. Some businesses routinely back up e-mail to tape or other media, while others do not. Even if the e-mail is not routinely backed up, a skilled e-sleuth still has a chance to find relevant financial information in deleted e-mail, since a purged message lingers in unallocated space on the server and in local mailbox files on each recipient's workstation. E-mail frequently includes attachments, and because the message headers describe each attachment, an e-sleuth can usually tell whether attachments have been stripped from a produced message and go looking for them elsewhere.

E-data is also found on removable media such as CDs, DVDs, PCMCIA HDD, Microdrives, USB drives, CompactFlash cards and many types of hand-held devices. What happens to a file "deleted" from a CD-RW, DVD-RW, DVD+RW or other rewritable disc depends on the software that wrote it. Packet-writing software that lets a disc be used like a floppy usually just marks the file's space as free, and the content stays on the disc until that space is reused. On write-once media (CD-R, DVD-R) nothing can be overwritten at all: "deleting" a file simply writes a new session whose directory omits it, and the earlier sessions remain readable with the right tools. An e-sleuth will therefore read the entire disc, including every session and any space marked free, for deleted files and slack. The task is complicated by the fact that rewritable media often stores files as scattered fragments rather than contiguously.

A final source for potentially significant information is encrypted e-data and "steganography."10 Steganography is the art of hiding information in an innocent-looking carrier; steganalysis is the inspection of digital data to detect such hidden content. Information that someone took the trouble to hide this way can often be the most incriminating evidence. There are numerous encryption and steganography products available, as well as many everyday applications that can password-protect or encrypt their own files.11 Encrypted data may include the debtor's books and records, financial statements, audit workpapers, spreadsheets, e-mail and related attached files, documents, computer folders, directories and whole hard disk drives. Modern steganography uses digital "carriers" to hide data. For example, using currently available steganography software, insiders can hide corporate financial records, accounting workpapers and other data in something as innocuous as a digital photo of the company headquarters or a recent office party. The same software allows an employee or insider to load the debtor's books and records or intellectual property, hidden in this way, onto an MP3 player's HDD, a CD, a DVD, a USB device, etc., and walk out the front door without the dozens of boxes of hard copy that the e-data represents. Because of the almost unlimited potential for hiding important financial data through encryption and steganography, the e-sleuth will need current decryption and investigative software, including tools of the kind used by agencies such as the U.S. Secret Service and U.S. Air Force. Two practical points follow. First, the password protection in many older office and accounting applications is weak and can be removed or recovered by commercial tools, whereas properly implemented strong encryption cannot be broken by any tool; the practical routes to that data are recovering the password (from the user, from other files or memory on the same machine, or by guessing) or finding unencrypted copies, drafts and backups. Second, steganography leaves clues of its own: the hiding software itself, and very often the original, unaltered carrier file still sitting elsewhere on the HDD, so a photo that differs slightly from the same photo in an e-mail attachment is itself a lead.
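
The photo-carrier technique described above, as an added example that is not the article's code or any product's: it hides a payload in the least-significant bits of a constructed grayscale "photo" (a smooth gradient standing in for the office-party picture), XORing the payload with a SHA-256 keystream first as steganography tools do, then extracts it again, and runs a simple steganalysis check. The check exploits the fact that the LSB plane of smooth image regions is highly structured and compresses well, while embedded ciphertext does not. The cover, passphrase and ledger text are all assumptions for the demonstration.

```python
"""LSB steganography in a constructed 8-bit image, with a crude steganalysis check.

Added example, not from the original article. cover_image() builds a synthetic
smooth gradient in place of a real photo; the payload is XORed with a
SHA-256 counter-mode keystream (a stand-in for the encryption real tools
apply) so its bits look random once embedded.
"""
import hashlib
import zlib

W, H = 128, 64                      # constructed grayscale cover, 8,192 pixels
KEY = b"hypothetical passphrase"    # assumption: shared secret for the keystream
MESSAGE = b"Ledger row 17: 2,100,000 USD wired to account 883-20-1199 on 2003-02-14\n" * 12


def cover_image():
    """Smooth horizontal gradient: its LSB plane is a short repeating pattern."""
    return bytearray((x // 4) & 0xFF for y in range(H) for x in range(W))


def keystream(key, n):
    """n pseudo-random bytes: SHA-256(key || counter), counter-mode style."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def embed(pixels, message, key):
    """Write a 4-byte length prefix and the XORed payload into pixel LSBs."""
    ct = bytes(a ^ b for a, b in zip(message, keystream(key, len(message))))
    data = len(message).to_bytes(4, "big") + ct
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    out = bytearray(pixels)                  # never modify the caller's cover
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit       # change each pixel by at most 1
    return out


def extract(pixels, key):
    """Reverse embed(): read the length, then the payload, then undo the XOR."""
    def read_bytes(start, n):
        return bytes(int("".join(str(pixels[start + 8 * k + i] & 1)
                                 for i in range(8)), 2) for k in range(n))
    n = int.from_bytes(read_bytes(0, 4), "big")
    ct = read_bytes(32, n)
    return bytes(a ^ b for a, b in zip(ct, keystream(key, n)))


def lsb_plane(pixels):
    """Pack the LSB of each pixel into bytes, eight pixels per byte."""
    bits = [p & 1 for p in pixels]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def lsb_compressibility(pixels):
    """Compressed size / raw size of the LSB plane; near 1.0 means random-looking."""
    plane = lsb_plane(pixels)
    return len(zlib.compress(plane, 9)) / len(plane)


def looks_embedded(pixels, threshold=0.5):
    """Crude steganalysis: a random-looking LSB plane in a smooth image is suspect."""
    return lsb_compressibility(pixels) > threshold


def demo():
    cover = cover_image()
    stego = embed(cover, MESSAGE, KEY)
    return {"cover_score": lsb_compressibility(cover),
            "stego_score": lsb_compressibility(stego),
            "recovered": extract(stego, KEY) == MESSAGE}


if __name__ == "__main__":
    print(demo())
```

The cover's LSB plane compresses to a few percent of its size; after embedding a payload that fills most of the image it barely compresses at all. The test only works for substantial payloads in smooth carriers, which is why real steganalysis uses statistical attacks (chi-square and RS analysis) and, when the original carrier can be found, a direct comparison of the two files.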

Retrieving E-data and Creating a Forensic Image

Obviously, even the most incriminating e-data is of no value to creditors if it cannot be viewed by counsel and professionals. Like a forensic medical examination, analysis of the debtor's digital remains can yield valuable financial information.

The first rule for the retrieval of e-data is that time is of the essence. Counsel for creditors and trustees must move as quickly as possible to secure important e-data before it is lost or compromised. When possible, this should be done before the §341 meeting of creditors.

In order to collect and secure the important e-data, the first task of the digital forensic accounting technologist is to create a forensic image12 using established forensic practices. A forensic image is a bit-for-bit copy of every sector of the debtor's computers, PDAs and other digital storage devices as of the date of the image, including the unallocated and slack space that a normal file copy never touches. The purpose of a forensic image is to obtain a clean, uncompromised body of e-data evidence directly from the debtor that will be admissible in court. It is therefore imperative that the image be produced correctly, without any chance of tainting or compromising the integrity of the data, and that every step (who did what, when, with which tool, and the resulting hash values) be documented as it is done. A party seeking e-data has a duty to use the method that yields the most complete and accurate results. Where correct procedures are not used, disaster will follow.13

In creating the forensic image, the e-sleuth does not turn on or use the debtor's computers in the normal way, because merely booting the operating system alters files and timestamps on the drive. Typically the HDD is removed from the computer or workstation and connected to a forensic examination computer through a write-blocking device, which physically prevents any command that would write to the drive. If necessary, an examination can take place without removing the hard drive, by booting the machine from forensic boot media that mounts the drive read-only. Since a PDA of this era keeps its data in battery-backed memory rather than on a hard drive, it must be kept powered (and isolated from any network or synchronization cradle) while it is acquired, or the data can be lost. Other types of media, such as Zip drives, tape drives, CDs and DVDs, require their own forensic tools. Using a sanitized, verified-blank destination HDD and forensically sound hardware and software, the digital forensic accounting technologist acquires bit by bit the e-data on the debtor's original source HDD, PDA and other digital devices.

To complete the process, digital forensic software verifies that the image matches the source. The match is established with a cryptographic "hash value," a fixed-length digest computed over every byte of the source and again over every byte of the image (MD5 and SHA-1 were the digests in common forensic use at this writing; SHA-256 is now preferred, and recording two different digests costs nothing). A change to even a single bit produces a different digest, so matching digests confirm that the image is an exact copy. The digest acts like a digital fingerprint of the data. It is not a signature, since anyone can compute it, which is why the examiner records the value in the acquisition notes at the moment it is taken.

It is advisable to make multiple forensic images at the time of original acquisition of the debtor's e-data. The ideal number will depend on the specific facts of the case, but the minimum is two. One forensic image is kept completely pristine and unused, in case anyone challenges the accuracy of the forensic image. A second forensic image is used by the trustee, creditors or other parties in interest to recreate the debtor's computer environment. The cost of HDD and other suitable storage media is low enough that it makes sense to make several forensic images in case anything goes wrong during the examination. Remember, the hash value will always establish whether a document, folder, partition or HDD is an exact match of the original.
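
The acquisition-and-verification procedure described in this section, as an added example that is not the article's or any vendor's code: it reads the source in sector-aligned chunks, writes two images (a pristine copy and a working copy) in a single pass, hashes the source and each image with MD5 and SHA-256, and then shows that flipping one bit in the working copy breaks its verification while the pristine copy still matches. The "device" is a file of deterministic bytes in a temporary directory; pointing `acquire()` at a raw block device path instead is an assumption that requires root and a hardware write blocker in front of the drive.

```python
"""Acquire a bit-for-bit image of a source and verify it by cryptographic hash.

Added example, not code from the original article. The source "drive" is a
constructed file in a temporary directory, opened read-only to stand in for
a write-blocked device; the same functions accept a raw device path.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20                 # 1 MiB reads, a multiple of the 512-byte sector
ALGOS = ("md5", "sha256")       # record two digests; MD5 alone is no longer enough


def hash_stream(path, algos=ALGOS):
    """Hash a file or device in chunks; returns {algo: hexdigest}."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def acquire(source, dest_paths):
    """Copy every byte of source to each destination, hashing the source as it streams,
    then re-read each image from disk and compare its digests with the source's."""
    src_h = {a: hashlib.new(a) for a in ALGOS}
    outs = [open(p, "wb") for p in dest_paths]
    try:
        with open(source, "rb") as f:        # read-only: the source is never opened for writing
            for chunk in iter(lambda: f.read(CHUNK), b""):
                for h in src_h.values():
                    h.update(chunk)
                for o in outs:
                    o.write(chunk)
    finally:
        for o in outs:
            o.close()
    acquisition = {a: h.hexdigest() for a, h in src_h.items()}
    verified = {p: hash_stream(p) == acquisition for p in dest_paths}
    return {"source": acquisition, "verified": verified}


def demo():
    """Image a constructed 3 MiB 'drive' twice, then tamper with the working copy."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "debtor_hdd.raw")
        with open(dev, "wb") as f:           # constructed: deterministic, non-trivial content
            for i in range(3):
                f.write(hashlib.sha256(i.to_bytes(4, "big")).digest() * (CHUNK // 32))
        pristine = os.path.join(d, "image_A.dd")
        working = os.path.join(d, "image_B.dd")
        result = acquire(dev, [pristine, working])
        # Flip one bit in the working copy: the digests must now diverge.
        with open(working, "r+b") as f:
            f.seek(12345)
            b = f.read(1)
            f.seek(12345)
            f.write(bytes([b[0] ^ 1]))
        return {"both_verified": all(result["verified"].values()),
                "working_still_matches": hash_stream(working) == result["source"],
                "pristine_still_matches": hash_stream(pristine) == result["source"],
                "sha256": result["source"]["sha256"]}


if __name__ == "__main__":
    print(demo())
```

Hashing the source while it streams, then hashing each finished image from disk, is what turns a copy into a verified image: the second read catches write errors and media faults that a digest computed only in memory would miss.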

Reconstructing the Debtor's E-data: Mining the Retrieved Files for Gold

All available files, reconstructed from the clean forensic images, are combined into a Digital DataSource: a digital index of every word, phrase, term, number, symbol, password, transaction record and special-purpose term that relates to the debtor's or insider's business, together with every date and time that pertains to any document created or action taken on the computers and other devices from which the forensic images were obtained.

After the debtor's Digital DataSource has been created, trustees, creditors and other parties in interest have available a fully digitized, exact replication of all the debtor's e-data, including the books, records and related financial information. At this point searching is limited mainly by the questions counsel thinks to ask. Powerful search tools allow specific and relevant simultaneous text searches across accounting records, audit workpapers, financial spreadsheets, financial statements, e-mail and files from virtually any word-processing, accounting database, financial reporting, presentation or multimedia program, including Mac software, and across an almost unlimited list of file extensions.
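
The kind of index the Digital DataSource is built on, as an added example that is not the article's or any product's code: an inverted index over text already extracted from the image, keeping amounts, dates and reference numbers whole as tokens, with an all-terms search, a proximity search and a regex sweep for identifier shapes (here a taxpayer-identification-number pattern) that a word index alone would miss. The three documents and their paths are constructed for the demonstration.

```python
"""Inverted index and simultaneous search over text extracted from an image.

Added example, not the article's product. DOCS stands in for text already
pulled out of the forensic image; paths and contents are constructed.
"""
import re
from collections import defaultdict

# Keep amounts ("2,100,000"), dates ("2002-12-31") and reference numbers whole.
TOKEN = re.compile(r"[A-Za-z0-9$][\w$,.-]*")

DOCS = {
    "users/cfo/memo_2002-12-30.doc":
        "Move the remaining 2,100,000 to the offshore account before the auditors arrive.",
    "finance/ledger_q4.xls":
        "Account 4410 offshore services 2,100,000 2002-12-31 wire ref 883-20-1199",
    "hr/party_photos.txt":
        "Holiday party photos attached; auditors from the firm joined us.",
}


def tokenize(text):
    return [t.strip(".,").lower() for t in TOKEN.findall(text)]


def build_index(docs):
    """docs: {path: text}.  Returns term -> {path: [token positions]}."""
    index = defaultdict(lambda: defaultdict(list))
    for path, text in docs.items():
        for pos, term in enumerate(tokenize(text)):
            index[term][path].append(pos)
    return index


def search_all(index, terms):
    """Paths containing every one of the terms (case-insensitive), sorted."""
    sets = [set(index.get(t.lower(), {})) for t in terms]
    return sorted(set.intersection(*sets)) if sets else []


def search_near(index, a, b, window=5):
    """Paths where term a occurs within `window` tokens of term b."""
    hits = []
    for path in search_all(index, [a, b]):
        pa, pb = index[a.lower()][path], index[b.lower()][path]
        if any(abs(i - j) <= window for i in pa for j in pb):
            hits.append(path)
    return hits


def grep_pattern(docs, pattern):
    """Regex sweep over raw text for shapes the word index does not capture."""
    rx = re.compile(pattern)
    return {p: rx.findall(t) for p, t in docs.items() if rx.search(t)}


if __name__ == "__main__":
    idx = build_index(DOCS)
    print(search_all(idx, ["offshore", "auditors"]))
    print(search_near(idx, "offshore", "account", window=1))
    print(grep_pattern(DOCS, r"\b\d{3}-\d{2}-\d{4}\b"))
```

Tokenizing numbers and dates as single terms is the choice that makes "find every document mentioning 2,100,000" a one-step query; the regex sweep covers what no tokenizer anticipates, such as account or identification numbers of a particular shape.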


Footnotes

1 Jack Seward is a consultant and has an association with a forensic accounting firm in New York City. He is a veteran of many years of forensic accounting and electronic data sleuthing. Mr. Seward may be reached at [email protected].

2 Daniel Austin is a lawyer in the Pittsburgh office of the international law firm McGuireWoods LLP, where he specializes in bankruptcy law. Mr. Austin may be reached at [email protected]. The authors gratefully acknowledge the assistance of Cynthia Smith, a research librarian in the Washington, D.C., office of McGuireWoods LLP.

3 Electronic commerce is taking on a life of its own. In a visionary decision, the U.S. Bankruptcy Court for the Southern District of Florida found that a bank's computer, not the bank, was in civil contempt for sending the debtors a dunning letter on a debt that had been discharged. In re John Coffey Vivian and Margaret Vivian, 150 B.R. 832 (Bankr. S.D. Fla. 1992). The computer was fined 50 megabytes of hard drive memory and 10 megabytes of random access memory, and provided the opportunity to purge itself of contempt by ceasing the production and mailing of documents to the debtors. Id. at 833.

4 Digital devices include, but are not limited to, CD, DVD, Microdrive, CompactFlash, SmartMedia, SecureDigital, Memory Stick and MultiMediaCard.

5 According to a study at the University of California, 93 percent of all information created in 1999 was generated on computers, while only 7 percent was generated in other media, such as paper. In re Bristol-Myers Squibb Securities Litigation, 205 F.R.D. 437, 440, n.2 (D. N.J. 2002) (citing Withers, Kenneth J., Electronic Discovery: The Challenges and Opportunities of Electronic Evidence, Address at the National Workshop for Magistrate Judges (July 2001)). Some studies indicate that 20-30 percent of all computer data never reaches paper form. Sokol, Monte E. and Andriola, Philip P., "Becomes Ground Zero in Discovery Process and at Trial," N.Y.L.J. Dec. 1, 1997 at S5.

6 See, e.g., Zea, Andrea, "Massive Rise in Demand for Forensic Accountants," http://www.AccountancyAge.com/News/1135199 (Oct. 16, 2003).

7 See, e.g., Berman, Dennis K., "Online Laundry: Government Posts Enron's E-mail," Wall Street Journal, Oct. 6, 2003. The Enron case is especially instructive. The Federal Energy Regulatory Commission gathered a massive trove of data from Enron in its investigation of energy-market manipulation. In March 2003, the agency released more than 1.6 million pieces of e-mail and other documents, and posted them on the web in a searchable database, http://www.ferc.gov/industries/electronic/indus-act/03/26/03-release.asp. The e-mails cover three years of business and personal communication, and contain numerous highly personal and revealing private messages.

8 Ken Withers, a research associate at the Federal Judicial Center in Washington, D.C., estimates that a company of 100 employees will generate up to 7.5 million e-mails per year. Withers, Ken, "Digital Discovery Starts to Work," National Law Journal, Nov. 4, 2002.

9 There are numerous recent examples. E-mails written by a senior staff member of J.P. Morgan Chase & Co. referring to "disguised loans" were pertinent evidence to support allegations that J.P. Morgan helped Enron conceal its growing debt problems. See Swartz, Nikki, "E-mails Can and Will Be Held Against You," Information Management Journal, Mar./Apr. 2003, p. 12. Another recent example is the ongoing case against Frank Quattrone, a former investment banker for Credit Suisse First Boston. Quattrone was prosecuted for obstructing investigations of alleged kickback schemes for initial public offerings. A major item of evidence against Quattrone was an e-mail he sent to colleagues in December 2000, urging them to "clean up" their files just two days after an in-house lawyer alerted him to a grand-jury probe. Smith, Randall and Scannell, Kara, "Inside Quattrone Jury Room, Discord Culminates in Mistrial," Wall Street Journal, Oct. 27, 2003, p. A-1. A thoughtful review of the use of deleted e-mail in litigation was written by Michael Marron in Comment, "Discovery of 'Deleted' E-mail: Time for a Closer Examination," 25 Seattle Univ. L. Review 895 (2002).

10 From the Greek steganos ("covered" or "concealed") and graphein ("to write"): literally, covered writing.

11 Popular applications that encrypt data and/or require passwords include Encrypt Magic Folders, Source Safe, BestCrypt, PC-Encrypt, Microsoft Office, Word, Access, Pocket Excel, dBase, FoxBASE, Windows XP, Windows 2000, Windows NT, Outlook, Outlook Express, Microsoft Exchange Server, Disappearing Mail, SafeMessage, WinZip, PKZip, ZIP, General Zippers, VBA Visual Basic, Internet Explorer, Adobe Acrobat, Quicken, QuickBooks, Lotus 1-2-3, Lotus Organizer, Lotus WordPro, Microsoft Project, MYOB, Paradox, ACT!, Microsoft Mail, Schedule+, Microsoft Money, WordPerfect, Filemaker, Peachtree Accounting, Quattro Pro, Ami Pro, Backup, Bullet Proof FTP, Cute FTP, Data Perfect, File Maker Pro, My Personal Check Writer, Norton Secret Stuff, Palm, Q&A, WinRAR, Symphony, Versa Check, Adobe PDF, Windows 95 and Windows 98, PWL Files and Netscape Mail.

12 More technically referred to as a "low-level bit stream image."

13 The seminal case regarding the importance of utilizing "best practices" to recover e-data is Gates Rubber v. Bando Chem. Indus. Ltd., 167 F.R.D. 90 (D. Colo. 1996). In Gates, the plaintiff sought sanctions for alleged destruction of evidence in an underlying case for theft of trade secrets. In conducting discovery of the defendant's computers, the plaintiff's expert used a file-retrieval program that had to be copied onto the defendant's hard drive. This overwrote 7-8 percent of the data on the drive. In addition, the plaintiff's expert failed to preserve the creation dates of certain files that allegedly overwrote relevant files. These dates would have indicated the dates of the alleged deletions. Finally, the expert copied the defendant's hard drive using a "file-by-file" method, which only extracted non-deleted files, rather than an "image backup" (forensic image), which would have captured all the data on the hard drive. These mistakes seriously undermined the plaintiff's case, leading to only minimal sanctions in favor of plaintiff, with offsetting damages awarded to the defendants on those claims that lacked justification.

Journal Date: 
Sunday, February 1, 2004