Electronic Evidence and Computer Forensics

Information and communication systems are now breeding grounds for electronic evidence (e-evidence) in audits, investigations, or litigation. Increasingly, organizations are being ordered by law or lawsuit to preserve, retrieve, and hand over relevant electronic records (e-records) because "the courts are uniformly recognizing the discoverability of electronic communication and documents" [Nimsger and Lange, 2002]. This trend is an outgrowth of aggressive tactics by regulators to ensure corporate accountability and deter fraud. In cases ranging from Securities and Exchange Commission probes of corporate malfeasance and insider trading to employment lawsuits, e-records are subpoenaed. Investigations conducted by the National Association of Securities Dealers, Department of Justice, and Department of Homeland Security routinely require companies, their business partners, or third parties to preserve and disclose e-records, including internal e-mail and instant messages (IM). A high-profile example is the probe into alleged White House leaks of a covert CIA agent's identity, in which White House employees received e-mail stating: "You must preserve all materials that might in any way be related to the department's investigation." E-mail, telephone logs, and other electronic documents were mentioned specifically. Any communication or file storage device is subject to computer forensic searches to identify, examine, and preserve potential e-evidence, the electronic equivalent of a "smoking gun." Preserving e-records and then restoring them so that they can be searched can seriously disrupt IS and over-burden Information Systems staff. What's more, a preservation order might specify not only the type of e-records (data files or e-mail), but also stipulate that processes that over-write data be suspended, or that backup tapes be retained for an unspecified duration. These stipulations are very disruptive to IS operations.
That disruption depends largely on whether the company had an e-record management (ERM) system to systematically review, retain, and destroy e-records received or created in the course of business. This article presents an overview of e-evidence and computer forensics and their implications for Information Systems. It aims to encourage research into ERM and fully-indexed, searchable e-mail archives by providing compelling reasons for how these approaches mitigate e-evidence risks and cost. These research issues are important for several reasons. Rarely are IS departments prepared for the challenges that evidentiary rules impose on active and archival data operations. Retaining unessential e-records increases costs and risks. Companies may need to justify their e-record retention and destruction policies as proof of compliance with their accounting, regulatory, or legal obligations. Courts impose severe sanctions on employers who claim they are unable to comply with e-record requests because of Information Systems design flaws or sloppy e-records management if it obstructs an investigation.

458 Communications of the Association for Information Systems (Volume 12, 2003) 457-468 Electronic Evidence and Computer Forensics by L. Volonino