In addition to the advantages of recovering deleted files, digital evidence contains a wealth of critical data and “embedded” information for both intact files as well as deleted files. For example, forensic software can view the contents of a Excel file to reveal, (depending on how it was configured by the user), information such as: the creation date and original author; dates the file was last accessed, modified and printed; when the file was last saved and by whom; the number of times the file was edited, for how long and by whom; the number of revisions; client name, ID and reference number; hidden key words and comments that identify who edited or collaborated on the file; and the original file location.

For example, WordPerfect allows the user to open a saved file and “undo” the last 20 or so modifications, charting the latest changes that have been made to the document. Word has a tracking device that can be secured with a password that can invisibly track ALL changes made on a document allowing a subsequent user with a password to review every keystroke and peruse every comment made to the document.

Searches also could reveal embedded information in email headers including routing details and a list of associated file attachments. Palms and other digital assistants leave a log of when they were last synched with the desktop, and what information was downloaded. WinFax keeps a log file of all electronic faxes sent, sometimes for years after the original document was lost or destroyed.



Proper seizure and recovery of computer evidence requires the use of non-invasive advanced computer software specifically designed for the task. Such software recovers, searches, authenticates and documents relevant electronic evidence during the course of internal investigations or for use in criminal or civil litigation without compromising the integrity of the original evidence. Electronic evidence is fragile by nature and can easily be altered or erased without proper handing. The following guidelines should be followed in order to properly preserve and protect critical computer evidence.

Do not operate any computer that may contain electronic evidence – Merely turning on a subject computer will alter critical date stamps and erase data contained in temporary files. It’s critical that a computer suspected of containing important evidence is not operated or booted, and is removed to a phyically secure location to await examination by a trained computer forensic expert utilizing proper software.

If the subject computer isn’t in your possession, immediately send a letter requesting preservation of the evidence – Often times, litigants or potential litigants lack access to critical computer evidence in possession of their adversaries or other third parties. In these cases, a preservation request letter should be sent requesting that all relevant computer data is immediately preserved until proper recovery and analysis can be conducted through permitted access or litigation discovery procedures.

Immediately consult an experienced computer forensic expert – Many make the mistake of involving untrained IT personnel or other resident “computer hackers” to search the computer of a current or former employee. This practice invariably results in the destruction or alteration of critical evidence unless trained professionals use proper computer forensic tools to acquire and process the evidence. It’s also contrary to State and Federally mandated electronic evidence handling procedures.

Ensure that proper computer forensic software is utilized – EnCase is the leading computer forensic software tool used by private industry and law enforcement and has proven to be the most capable integrated application for searching and recovering electronic data contained in Windows and Mac computers. EnCase ensures accurate search results and recovery of all existing “deleted” evidence. To receive complete and accurate results with a proper evidentiary foundation, ensure that your computer forensics expert is utilizing EnCase.




Preservation of electronic evidence is critical and the PC or other media should be treated similar to a crime scene. Depending on numerous factors, electronic evidence can be very perishable, or can last for years. The key to the success of electronic discovery and forensic examinations is to gain access to (or preserve the integrity of) the target media as quickly as possible. PCs should not be powered up or used until it’s data can be imaged by a forensic examiner. Relevant target media includes not only PC hard drives, but other types of storage media including tape backups and archives, floppy diskettes, PDAs (personal digital assistants such as Palms) and other removable electronic media.

Recently we have observed an increase in the types of actions that can impact the integrity and availability of electronic evidence including:

-the use of data compression, disk de-fragmentation and optimization programs
-the downloading or transfer of large files (such as .JPG pictures) which rapidly overwrite data in unused clusters
-the use of programs that overwrite sectors with a string of 0’s, such as Norton Utilities’ Wipe-Info
-the reuse of back-up tapes
-installing new software applications
-low level formats, operating system formats, partitioning formats, etc.
-deleting of temporary Internet files, browser history and cookies
-changing of the time clock on the computer.

All of the steps taken above will destroy potentially recoverable evidence, and a number of the steps above could wipe the drive clean. Any of the steps above could alter, delete or modify recoverable evidence.