As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, 
e-discovery, and cybersecurity service provider. The Vestige team that you know and trust will
continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow
us to serve you and your clients even better.


What Happens if You’re Late to the Game? Part 1

Articles

What Happens if You’re Late to the Game? Part 1

Author photo
by Nick Ventura
AAS, CCE, GCFA, SECURITY+, A+

In the last blog, Vestige’s Manager of Digital Forensics and Electronic Evidence wrote about Image and Holds and how they can help with cases in the future. Outside of the various devices he mentioned, he also spoke about the potential for data loss, which is the topic of this week’s blog.  Image and Holds, when done at the first site of a potential suit, can save you from potential spoliation issues in the future, and can even save your case as well.  

I’ll briefly talk about 3 different scenarios that performing an Image and Hold can save you:

1) Deletion of documents
2) New devices replacing the old
3) Employees leaving the company

An important aspect to mention is that it is the affirmative duty of all parties in a suit to preserve any data potentially relevant to the case at the first sign of litigation—even if it is just the anticipation that litigation may ensue.

Daily Routine

Everyday people go on about their business and use their computers, cell phones, and other electronic devices Just like they have the day before.  During the course of a normal business day, people will create and delete files and emails without any malicious intent. Now you may be thinking, well so what?  Depending on what people are working on daily, the files and emails they’re deleting could be very relevant in the future, and you have no way of knowing whether or not the data that could be important to your case has been deleted or even altered in a relevant manner.  When files are deleted, they are generally still accessible via Forensic means, however an issue can arise the longer the device is used.  While data ought to be recoverable when it’s initially deleted (and even for a period of time afterwards), there’s no way of telling when that deleted data will be overwritten and irrecoverable from a person just going about their normal work day. A quick Image and Hold of potentially relevant devices could not only save you the headache of dealing with possible spoliation claims in the future, but could also recover the deleted data on the computers. This data recovery could be just the thing that ends up saving your case.

Replacement of Devices

Outside of data deletion, there is another aspect that could potentially destroy data relevant to the case that Image and Holds can save you from–getting new devices!  It’s not an out of the ordinary occurrence, especially from my experience, for companies to get new computers and cell phones for employees.  When this happens, data is copied over to the new devices, and then the old devices are either repurposed, destroyed, sold, or disposed of in some other fashion..  Now you may be saying, “well they copied all the data over, right?” Well no, because you’re still missing all the files that had been deleted on the replaced device as well as countless artifacts that may be relevant but are not picked up during the migration process.  A quick Image and Hold would have alleviated this issue before getting rid of the old equipment.

When Employees Leave

The last point I’m going to talk about ties in with getting new equipment, but in a different way.  When an employee leaves, whether the individual quit, retired, or is fired, their computer and cell phone is usually repurposed for a new employee or another employee in the company.  When this happens, data might be copied off so the organization doesn’t lose any important data the employee may have had saved locally; then the computer and phone are repurposed.  Depending on the protocol put in place by IT, they may either reinstall the operating system (effectively removing artifacts from the computer as deleted user documents), or simply add another user account.  Most cases we’ll see the operating system reinstalled and all data removed from a computer before it’s provided to another employee to use–cell phones are very similar.  With a cell phone, you have to reset the device so it can be used by another employee, so you’re generally losing data from the device when it’s reset.  Again, a simple fix to any situations that could arise from an employee leaving in the middle of a suit, is doing an Image and Hold.

Image & Hold to the Rescue

As you can see, there are various situations that doing a quick Image and Hold of relevant devices can save you from down the road in relations to deleted data.  With organizations always concerned about budgets and availability of equipment, the Image & Hold is an economical, quick and very effective means of meeting your duties surrounding data preservation.  Contact Vestige today to learn how Image & Hold can play a strategic role within your organization.

by Nick Ventura, CCE, CFCA, Security+, A+