The electronic avenue

The storage capacity of modern electronic equipment provides investigators with the ideal starting place in their search for evidence. Sanjay Bhandari and Georgina Lewis report


Anyone investigating wrongdoing may be faced with a mass of potentially relevant information stored on electronic media. The trick for the lawyer is being able to navigate that maze quickly and focus on the key information. Technology creates problems, but it also creates the solutions. Technology is available to collect data from electronic media and process it down to a manageable amount for review. Concept-mapping technologies now available in the UK can reduce further the investigator’s burden and speed up the review.

The importance of electronic evidence
Electronic evidence is important for a number of reasons:
#there is a large amount of it;
#it is durable – ‘delete’ on a computer does not mean ‘delete’, so it is possible for experts to retrieve such data;
#it includes new types of objective documentary evidence – computers routinely store ‘invisible’ information without the knowledge of the user (metadata), for instance as to when a particular letter was created, modified or read, and by whom and when; and
#the casual nature of emails makes them a rich source for revealing evidence.

So what strategies exist to enable investigators to attack the mountain of electronic evidence in a methodical way? The first stage is to plan the collection and review of electronic evidence carefully, prioritising different sources or types of evidence. Will the electronic evidence be reviewed using an electronic document management system or another type? The review strategy may impact on the strategy for prioritising the collection of data.

The next step is usually to secure the data. The routine destruction or recycling of back-up and other electronic media may need to be halted. It may also be sensible to take an immediate back-up as a snapshot of the data at that time.

Investigators need to identify the individuals who may have created or received relevant electronic data and then locate it. There are typical forms of media/data to consider.

Laptop and desktop computer hard drives
Shared areas on network servers are a good place to look; email files are usually stored on a dedicated email server, while documents relating to a specific project may be stored in a folder on a dedicated drive.

Portable media
When collecting electronic media, take a walk around and ask questions. Individuals often have idiosyncratic ways of storing data and it is better to find 30 CDs in someone’s bottom drawer at the outset rather than four days before trial.

Back-up tapes
Live databases (eg stock, sales, accounting and client relationship management databases etc) tend to be ‘living’ documents that evolve each day.

In relation to each of these forms of media, you will need a strategy for collecting the data. It is possible to take a forensic image of many of these media. This involves taking a bit-by-bit replica to standards that are acceptable in a criminal court. This is often the best way to deal with hard drives on laptops and desktops. It may not be possible, proportionate or cost-effective to image other media. In some cases, it might be more sensible for the IT director to extract copies of relevant mailboxes and shared folders from servers. Similarly, you may decide to take a ‘snapshot’ of any live databases at a particular point in time.

Before the data collected can be provided to the investigators for review (whether on an electronic or other document management system), it will need to be processed to remove irrelevant and duplicate or near duplicate material (particularly in email chains). Computers routinely contain masses of data of no interest to investigators, such as operating system files. Typically, the process of relevance filtering is conducted by focusing on particular file types, particular date ranges or particular keywords relevant to the issues. The particular keywords will vary depending on the facts of the case and it is important to agree on these at the planning stage. But keyword searching can be less effective at reducing the data set to a manageable level in investigations than when used in disputes. In a dispute, the issues tend to have crystallised already. By contrast, investigators often want broad search parameters as the issues have not yet crystallised fully.

Once the data has been filtered for relevance, the remaining data set may still be too large for a cost-effective review of every document. Other tools may be required to focus on relevant material quickly. It is anticipated that there will be an increasing reliance on concept mapping applications, such as Attenex and Autonomy. Essentially, these work by searching the content of the documents automatically for the nouns or concepts used.

With a combination of understanding the language used and statistical connections, the application detects nouns or concepts that are connected. The application then represents the entire data set visually in a diagrammatic form, connecting clusters of documents on similar issues. Thus the data speaks for itself, enabling efficient review by issue. As the investigator gains leads in an inquiry, it is possible to recluster the documents around, and focus on, identified issues of specific interest. These applications are therefore flexible enough to meet the developing demands of an investigation. These applications can also be used to show social network maps to identify in diagrammatic form the individuals that have been corresponding with each other and on what issues.

Such applications can be particularly effective at identifying quickly hot spots of activity that might otherwise take a long time to expose by conventional investigative methods. For instance, in one case the use of the Attenex application exposed a large number of documents using baseball terminology, such as ‘reaching first base’ and ‘hitting a home run’. In fact, these were code words used to indicate the fact and extent of the payment of secret commissions. Concept maps are therefore a useful tool to expose the secret argot employed by wrongdoers.

As these applications have the power to process and categorise automatically thousands of documents very swiftly, they are powerful weapons in an investigator’s armoury. Indeed, it is possible to deal in a similar way with paper records, audio files or even audio-visual files. Some businesses are already routinely storing telephone conversations for several years on back-up tapes. It may not be long before this extends to recordings of voicemails and video conferences. To date, the only viable solution in such cases has been to employ an army of contractors to listen to the audio files. Concept-mapping engines, then, are likely to represent the future of investigations. n
Sanjay Bhandari is a legal consultant and Georgina Lewis is a director at KPMG