When litigation looms or a data preservation notice is sent out, key individuals or parties might try to delete data to avoid discovery – despite well-publicized horror stories regarding data destruction, phone and email wiping, and the risks of spoliation and sanctions. In many cases, if we find an absence of evidence during an examination, we typically also find evidence of destruction. We refer to these individuals as “Wipers.”
Wipers are the folks who roll the dice and try to game the system. They have enough knowledge to know how to destroy data, feel like they can get away with it, and take a chance. “The document is gone, aha!” the Wiper might say. However, Wipers still run into problems they didn’t anticipate. Even if they manage to delete or destroy the incriminating document or email, they’ve usually taken the time to install and run data destruction software, leaving behind associated artifacts showing the download and usage of such software. Another thing Wipers usually don’t consider: they leave behind other artifacts and data that give us a clear picture of the document, such as data showing when the document was created or modified, the folder it was saved in, even who opened it, when, and how many times. In trying to cover up the original footprints, they invariably leave new footprints. And even when a Wiper believes they completely deleted the document itself, it sometimes resides in a snapshot or backup they did not see.
“Amateurs!” says the super-duper IT-savvy group of Wipers with IT backgrounds. This group of Wipers takes it to another level – they sometimes wipe their entire hard drive, install a fresh instance of their operating system, and rebuild their system from scratch. “The whole computer is gone, aha!” These Wipers have no choice but to own up to what they did. Hard drives do not yet wipe themselves. As a client once told me, nothing says “culpability” like a freshly-wiped hard drive that was wiped when it should have been preserved.
On a recent project, iDS took possession of a computer used by a long-time office administrator who worked for the defendant for several years. Examination of the computer’s hard drive showed that it appeared to be brand new – it was never used. The drive did not even have a user profile for the administrator, despite the computer being used daily. It turns out the administrator opted to have IT wipe their hard drive before providing it to counsel. Instead of handing over their documents and email for preservation, the administrator now had to explain to management and legal counsel why they instead chose to destroy all the data on their computer. A potential case destroyer, but at the very least, a move that usually leads to sanctions or adverse inference instructions.
At the end of the day, Wipers pretty much announce to everyone that they’re wiping. Facing the music is often the easiest route, and it certainly puts counsel in the best position to protect their client.