E-sleuthing and the Art of Electronic Data Retrieval Uncovering Hidden Assets in the Digital Age Part I
Electronic data—everything from books and records to e-mails, computer programs and digital storage systems—is
everywhere in business today.<small><sup><a href="#3" name="3a">3</a></sup></small> Attorneys who represent creditors, trustees, committees, examiners, employees,
shareholders, co-defendants, U.S. Trustees and most other parties in interest in a bankruptcy case must be familiar
with the process and potential benefits of digital forensic accounting.
</p><p>E-sleuthing uses sophisticated e-data retrieval technology to unlock the electronic records of a debtor. This
technique is practically mandatory for finding evidence related to accounting and debtor fraud. In addition, recovered
e-data may assist creditors in the discovery of claims against the debtor's auditors, underwriters, board members,
preferred shareholders, employees and insiders. While forensic accounting has been practiced for generations,
e-sleuthing in the bankruptcy context is a child of the digital age because it deals with the financial books and
records and related information created and stored on computer hard disk drives, PDAs<small><sup><a href="#4" name="4a">4</a></sup></small> and other digital devices. It
exists because some 93 percent of all information is generated in digital form.<small><sup><a href="#5" name="5a">5</a></sup></small> The demand for skilled forensic
accountants already outstrips the supply, and this trend is likely to increase as creditors, trustees and other parties in
interest seek to probe more deeply into the finances of recalcitrant debtors.<small><sup><a href="#6" name="6a">6</a></sup></small>
</p><h3>What Is E-sleuthing, and Why Must You Know About It?</h3>
<p>The term "e-sleuthing" refers to the technology and techniques used to find and reconstruct the digital books and
records, accounting work-papers, financial reports, e-mail and other forms of data storage and communication of a
debtor in order to locate assets that have been hidden, dissipated or transferred out of the reach of creditors. The
skills of the e-Sleuth are essential if the debtor has intentionally tried to hide, encode or delete digital information.
A digital forensic technologist is able to discover and uncover the storehouse of information located on the debtor's
computers and digital devices. <i>While the removal of computer files and the deletion of e-mails and other forms of
electronic data can often be detected even long after it has occurred, the sooner an e-Sleuth is engaged, the more
likely it will be that vital information can be recovered.</i>
</p><h3>Why Should You Care About E-data?</h3>
<p>Many people think that getting rid of cyberwaste and unwanted digital data is as simple as point and click. We
assume that the same motherboard magic that brought data and e-mail into existence will just as graciously whisk it
away without a trace, while keeping secret data safe. Taking out the trash should be this easy! But just as so many
former WorldCom, Andersen and Enron employees have learned to their acute chagrin, "delete" doesn't really mean
delete, and "recycle" doesn't really mean recycle—at least not as soon or as completely as most of us would like to
think.<small><sup><a href="#7" name="7a">7</a></sup></small>
</p><p>Once created, e-data on a debtor's computer HDD, PDA and other digital devices has a life of its own, and very
often, it stays around long after its welcome has worn off. Such data can include names, addresses, passwords, bank
accounts, financial records, taxpayer identification numbers, memos or text of any length, backdated documents,
information identifying related parties, insider transactions, financial statements, accounting working papers, stock
options, business valuations, asset appraisals, beneficial owners, insurance coverage, contracts, spreadsheets and a
second set of books and records. Knowing how to find and reconstruct this information, particularly in the face of
debtor stonewalling, is essential for counsel representing creditors and any other party in interest when it appears
that the debtor or insiders have something to hide.
</p><p>Digital financial information comes in the form of accounting programs and other forms of financial information,
spreadsheets, e-mails and address books, just to name a few examples. Documents, electronic memos, databases,
archives, presentations and graphics are recorded, revised, encrypted, backed-up, copied, saved, pasted, printed and
forwarded. E-data is stored on conventional computer HDD, as well as an ever-expanding array of electronic, digital
and optical devices and media including network servers, workstations, laptops, mini-towers, desktops, floppy
disks, EIDE HDD, SCSI HDD, USB devices, FireWire devices, Network Attached Storage, RAID sets, CDs,
DVDs, Microdrives, CompactFlash cards, Memory Sticks, PCMCIA HDD, Multi-media Cards, Zip disks, Jazz
Disks, external HDD and tape backup systems. In addition, digital information is also created and stored on a wide
assortment of PDAs such as Palm, Handspring Treo, iPaq, Jornada, Cassiopeia, Clie, Visor, and Windows CE and
Pocket PC devices.
</p><p>A vast array of digital information is created and stored on media commonly used in all types of business and
commercial applications. E-data can be a veritable gold mine of information on how the debtor did business, when
and what insiders, employees and others did with its assets, and other information. In cases where the debtor has
intentionally hidden or transferred assets, recovered data can be the digital equivalent of a smoking gun.
</p><h3>How Is E-data Hidden, and How Is It Recovered?</h3>
<p>E-data first exists as information entered and stored on any electronic, digital or optical device. This includes "active
files," which are used and modified on a daily basis, and any type of stored or archival files. Documents may be
saved or backed up on more than one computer, computer server, external HDD, tape drives or other media. Insiders
might also keep copies on their personal computers or PDAs.
</p><h3>Lost and Found: Locating Hidden E-data</h3>
<p>E-data can be concealed in a variety of ways. Often, it is secreted behind legitimate files on the HDD as invisible
attachments. For example, the Microsoft NTFS file system provides for Alternate Data Streams (ADS), also
called Multiple Data Streams (MDS). ADS and MDS can hide e-data. Information is also hidden in file slack space.
File slack space exists at the end of the last "cluster" in a computer file. Randomly dumped information from
computer memory often finds its way into the file slack space, including passwords, account numbers and other
confidential information. Similarly, random access memory (RAM) slack or drive slack space, also on the HDD, is
a repository of e-data. RAM slack is the last "sector" of a file and comes from the dump of computer memory.
Drive slack space retains information that was previously stored, and may contain valuable scraps of deleted files.
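</p><p>The slack regions described above can be located arithmetically from a file's logical size and the volume's sector and cluster sizes. The following Python example is added here as an illustration and is not code from the article or its authors; it assumes 512-byte sectors, 4096-byte clusters and a single in-memory cluster whose residue (an old ledger fragment and a memory-dump fragment) is constructed for the demo.</p>

```python
"""Added example (not from the article): locating and extracting file slack.

Assumptions, all constructed for the demo: 512-byte sectors, 4096-byte
clusters, an in-memory 'volume' of one cluster, and the residue planted in it.
"""
import re

SECTOR = 512
CLUSTER = 4096

# Constructed content of the current (active) file occupying the cluster.
NEW_FILE = b"Quarterly memo. Nothing to see here. " * 35
FILE_SIZE = len(NEW_FILE)  # 1295 bytes: ends part-way through the third sector


def slack_regions(logical_size, sector=SECTOR, cluster=CLUSTER):
    """Offsets (relative to the cluster start) of the two slack regions.

    RAM slack: from the logical end of file to the end of its last sector.
    Drive slack: from that sector boundary to the end of the last cluster.
    Returns (ram_start, ram_end, drive_start, drive_end).
    """
    last_sector_end = -(-logical_size // sector) * sector     # round up to sector
    last_cluster_end = -(-logical_size // cluster) * cluster  # round up to cluster
    return logical_size, last_sector_end, last_sector_end, last_cluster_end


def build_volume():
    """Construct one cluster as an examiner might find it on a used volume."""
    # Residue of a previously deleted file that once occupied this cluster.
    old_contents = b"OLD LEDGER: wire to acct 0099-1234 ... " * 200
    cluster = bytearray(old_contents[:CLUSTER])
    # The new file overwrites only the bytes it actually needs.
    cluster[:FILE_SIZE] = NEW_FILE
    # Older systems padded the final sector with whatever happened to be in
    # memory; this fragment is constructed to stand in for such a dump.
    ram_start, ram_end, _, _ = slack_regions(FILE_SIZE)
    memory_dump = (b"\x00" * 8 + b"login=cfo pw=Sp1nach" + b"\x00" * 400)[: ram_end - ram_start]
    cluster[ram_start:ram_end] = memory_dump
    return bytes(cluster)


def extract_slack(volume, cluster_offset, logical_size):
    """Return (ram_slack, drive_slack) for a file whose cluster starts at cluster_offset."""
    r0, r1, d0, d1 = slack_regions(logical_size)
    base = cluster_offset
    return volume[base + r0: base + r1], volume[base + d0: base + d1]


def printable_strings(data, min_len=6):
    """ASCII strings in a byte region, like a classic 'strings' pass over slack."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    vol = build_volume()
    ram, drive = extract_slack(vol, 0, FILE_SIZE)
    print("RAM slack strings:", printable_strings(ram))
    print("Drive slack strings:", [s[:60] for s in printable_strings(drive)])
```

<p>The point of the arithmetic is that nothing in the active file's own bytes reveals the residue: only the region between the logical end of file and the cluster boundary does, and a file-by-file copy of the kind criticised in <i>Gates Rubber</i> never captures it.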
</p><p>Software programs create a type of e-data called "metadata." Metadata is information about the e-data. This includes
when a file was modified, accessed or created, and it has the user name associated with those tasks. Metadata
provides information about the software application name and version, title of the document, subject, keywords,
template, comments, revision number, number of pages, lines, words and paragraphs, number of characters and
notes, slides, security flags, dates last accessed and modified, etc. The metadata can show, for example, if any
electronic files were accessed, modified or backdated at any time after the user received notice of a lawsuit. Most
word-processing documents, spreadsheets, database files, presentation files and many other types of files contain
this embedded information. This digital information is not shown on any hard-copy documents, so production of
hard copy alone will leave out this potentially critical data.
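</p><p>A first pass over collected metadata is usually a simple comparison of the recorded timestamps against each other and against the date on which the debtor received notice. The Python example below is added here to illustrate that triage and is not code from the article or its authors; the metadata records, the notice date and the rules applied are all constructed for the demo.</p>

```python
"""Added example (not from the article): triaging file metadata for
timestamp anomalies. Records, notice date and rules are demo assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileMeta:
    path: str
    author: str        # user name recorded in the metadata
    created: datetime
    modified: datetime
    accessed: datetime


NOTICE = datetime(2003, 9, 1)  # constructed date on which notice of the lawsuit was received

SAMPLE = [  # constructed metadata records
    FileMeta("ledger_q3.xls", "cfo", datetime(2003, 2, 10), datetime(2003, 3, 15), datetime(2003, 3, 15)),
    FileMeta("board_minutes.doc", "ceo", datetime(2003, 11, 2, 9), datetime(2002, 12, 20), datetime(2003, 11, 2, 9)),
    FileMeta("asset_transfer.doc", "cfo", datetime(2003, 5, 1), datetime(2003, 9, 5), datetime(2003, 9, 6)),
    FileMeta("memo.doc", "controller", datetime(2003, 1, 1), datetime(2003, 1, 2), datetime(2003, 9, 10)),
]


def flag_anomalies(records, notice=NOTICE):
    """Map path -> list of reasons a record deserves closer examination."""
    findings = {}
    for r in records:
        reasons = []
        # A modification date earlier than the creation date is an indicator,
        # not proof: copying a file to a new volume also sets a fresh creation
        # date while preserving the old modification date.
        if r.modified < r.created:
            reasons.append("modified before created: possible backdating or clock tampering")
        if r.created >= notice:
            reasons.append("created after notice")
        if r.modified >= notice:
            reasons.append("modified after notice")
        if r.accessed >= notice:
            reasons.append("accessed after notice")
        if reasons:
            findings[r.path] = reasons
    return findings


def activity_after(records, notice=NOTICE):
    """Count, per user, files with any timestamp on or after the notice date."""
    counts = {}
    for r in records:
        touched = max(r.created, r.modified, r.accessed) >= notice
        counts[r.author] = counts.get(r.author, 0) + (1 if touched else 0)
    return counts


if __name__ == "__main__":
    for path, reasons in flag_anomalies(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
    print(activity_after(SAMPLE))
```

<p>Because last-access updates can be disabled or unreliable on some systems, the "accessed after notice" rule is the weakest of the four and is best treated as a prompt to pull the file rather than as a finding in itself.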
</p><p>Many programs create numerous temporary files, and several versions may exist under different names. Computer
network logs also provide a history of files and documents accessed, and will often show what has been printed,
backed up, downloaded and/or shared between users. In addition, data sent to a printer is stored in a computer buffer
and may sometimes be recoverable.
</p><p>A rich source of e-data is the various back-up or archival systems used in most business computer networks. These
include automatic back-ups by software applications to prevent loss of information due to power loss or improper
shutdown. Back-up copies often create a record of a document that includes prior revisions. In addition, many
businesses use a daily back-up system in which all new documents and modifications are copied daily and kept on
magnetic tape to be retained for a period of time (weeks or perhaps months). Some companies archive e-data at an
off-site location for even longer periods.
</p><p>Important financial information can also be found in deleted e-data. When e-data is "deleted," the computer marks
the information as deleted in the file system. The deleted e-data, although concealed, remains in the "unallocated file
space" on the HDD. This file space can contain the debtor's books and records, financial statements, audit
workpapers, spreadsheets, financial databases, e-mail and related attachments, electronic payments and transfers,
documents and other e-data. The information will usually only be completely erased when the section of HDD
where the information is stored is overwritten with new data. A debtor's insiders may try to eliminate this e-data by
using software that "wipes clean" hard drive space, but the e-sleuth can often recover this deleted data, and the
debtor's attempt to "wipe clean" the data will be evident upon inspection by the digital forensic accounting
technologist.
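</p><p>Two things an examiner looks for in unallocated space are recoverable files, found by their known header and footer bytes, and regions that have been wiped, which show up as long runs of a single byte value. The Python example below is added here as an illustration and is not code from the article or its authors; the "unallocated space" is constructed in memory, the PDF and OLE2 signatures are the standard magic bytes, and the 512-byte run threshold and carve cap are demo assumptions.</p>

```python
"""Added example (not from the article): carving recoverable files out of
unallocated space and spotting regions that look wiped. The unallocated
bytes are constructed; thresholds are demo assumptions.
"""
import re

# kind -> (header, footer or None, cap in bytes used when no footer is known)
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", None),
    "ole2": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", None, 512),  # legacy Office container
}


def build_unallocated():
    """Constructed unallocated space: noise, a deleted PDF, a wiped region,
    a deleted Office file, and a second wiped region."""
    noise = b"slack noise " * 21
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Title (Audit workpaper Q2) >>\nendobj\n%%EOF"
    wiped_zero = b"\x00" * 2048
    ole = SIGNATURES["ole2"][0] + b"Confidential transfer schedule" + b"x" * 100
    wiped_ff = b"\xff" * 1024
    return noise + pdf + wiped_zero + ole + wiped_ff


def carve(data):
    """Return [(kind, offset, bytes)] for every signature hit, in offset order."""
    hits = []
    for kind, (header, footer, cap) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            if footer is not None:
                end = data.find(footer, pos + len(header))
                # No footer found: the file was truncated, keep the remainder.
                end = len(data) if end == -1 else end + len(footer)
            else:
                end = min(len(data), pos + cap)
            hits.append((kind, pos, data[pos:end]))
            pos = data.find(header, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def wiped_runs(data, min_run=512):
    """Runs of one repeated byte value at least min_run long, as
    (offset, length, byte value). Wiping tools typically leave such runs."""
    pattern = re.compile(rb"(.)\1{%d,}" % (min_run - 1), re.DOTALL)
    return [(m.start(), m.end() - m.start(), m.group(1)[0]) for m in pattern.finditer(data)]


if __name__ == "__main__":
    space = build_unallocated()
    for kind, offset, blob in carve(space):
        print(f"{kind} at {offset}: {len(blob)} bytes")
    for offset, length, value in wiped_runs(space):
        print(f"wiped run at {offset}: {length} bytes of 0x{value:02x}")
```

<p>A wiped region yields nothing to recover, but its presence and extent are themselves evidence of the attempt, which is the point made above about "wipe clean" tools being evident on inspection.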
</p><p>Of special interest to e-sleuths is e-mail and instant messaging. The debtor's HDDs and PDAs may contain millions
of e-mails and attached files relating to the financial activities of the debtor and insiders.<small><sup><a href="#8" name="8a">8</a></sup></small> It is common knowledge
that people are consistently more open and frank in e-mail and instant messaging than they would otherwise be in
person or in formal hard-copy correspondence and memos. There may be many reasons for this, including the rapid
and informal nature of e-mail, seeming privacy, the ability to selectively communicate by and among a particular
group of people, and the fact that most people still believe that e-mail is readily deleted. Cases in which e-mails
have been important or dispositive are increasing. For example, in <i>In re Kevco Inc.,</i> 2003 Bankr. LEXIS 519,*25
(N.D. Texas 2003), e-mails found on the defendants' hard drives supported allegations by the chapter 11
liquidating agent that defendant former officers of the debtor wrongfully appropriated trade secrets and breached their
fiduciary duties in setting up a competing company. E-mail must not be overlooked as a source of information
regarding alleged corporate and individual wrongdoing.<small><sup><a href="#9" name="9a">9</a></sup></small> In a typical large business with multiple locations, e-mail
is kept on an e-mail server. After an e-mail is "deleted" by an individual user, it is retained on the server for a set
period of time before it is deleted. This period can be as little as a few days or as long as several months or more,
depending on the policies of the company and its e-data storage capacities. Some businesses routinely back-up
e-mails on tape or other media, while others do not. Even if the e-mail is not routinely backed-up, a skilled e-sleuth
still has a chance to find relevant financial information in deleted e-mail. E-mail frequently includes attachments.
An e-sleuth will be able to determine whether any attachments are missing.
</p><p>E-data is also found on digital devices such as CDs, DVDs, PCMCIA HDD, Microdrives, USB drives,
CompactFlash cards and many types of hand-held devices. When e-data that has been written to a CD, DVD-RW or
DVD+RW or other rewritable media is deleted, the fate of the data depends on the type of software application that
was used to create the data. Many software programs will move the deleted data to available free space. That space
will not be used until the entire disk has been written over once, and only then will the free space be reused. An
e-sleuth will search the entire media source for slack space and deleted files. The task is made more complicated by
the fact that most rewritable media writes files in disparate parts, rather than contiguously on the disk.
</p><p>A final source for potentially significant information is encrypted e-data and "steganography."<small><sup><a href="#10" name="10a">10</a></sup></small> Steganography is
the art of hiding information in an innocent-looking carrier. Steganalysis is the inspection of digital data to detect
steganography and embedded hidden information. <i>This hidden information can often contain the most
incriminating evidence.</i> There are numerous encryption and steganography software products available, as well as
many applications that require usernames and passwords in order to access this stealth e-data.<small><sup><a href="#11" name="11a">11</a></sup></small> Encrypted data may
include the debtor's books and records, financial statements, audit workpapers, spreadsheets, e-mail and related
attached files, documents, computer folders, directories and hard disk drives. Modern steganography uses highly
sophisticated digital "carriers" to hide data. For example, using currently available steganography software, insiders
can hide corporate financial records, accounting workpapers and other hidden data in something as innocuous as a
digital photo of the company headquarters or a recent office party. The same steganography software allows an
employee or insider to load the debtor's books and records or intellectual property hidden on an audio MP3 player
HDD, CD, DVD, USB device, etc., and walk out the front door without the dozens of boxes of hard copy that the
e-data represents. Because of the almost unlimited potential for hiding important financial data through encryption
and steganography, the e-sleuth will need the latest decryption and investigative software available. This includes
regulated technology that is also used by agencies such as the U.S. Secret Service and U.S. Air Force.
</p><h3>Retrieving E-data and Creating a Forensic Image</h3>
<p>Obviously, even the most incriminating e-data is of no value to creditors if it cannot be viewed by counsel and
professionals. Like a forensic medical examination, analysis of the debtor's digital remains can yield valuable
financial information.
</p><p><i>The first rule for the retrieval of e-data is that time is of the essence.</i> Counsel for creditors and trustees must move
as quickly as possible to secure important e-data before it is lost or compromised. When possible, this should be
done before the §341 meeting of creditors.
</p><p>In order to collect and secure the important e-data, the first task of the digital forensic accounting technologist is to
create a forensic image<small><sup><a href="#12" name="12a">12</a></sup></small> using established forensic practices. A forensic image is an exact copy of the data that
exists on the debtor's computers, PDAs and other digital storage devices as of the date of the image. The purpose of
a forensic image is to obtain a clean, uncompromised body of e-data evidence directly from the debtor that will be
admissible in court. Therefore, it is imperative that the forensic image be produced correctly without any chance of
tainting or compromising the integrity of the data. A party seeking e-data has a duty to use the method that yields
the most complete and accurate results. Where correct procedures are not used, disaster will follow.<small><sup><a href="#13" name="13a">13</a></sup></small>
</p><p>In creating the forensic image, the e-sleuth does not generally turn on or use the debtor's stand-alone computers. For
example, sometimes the HDD is removed from the computer or work station, and plugged into a write-blocking
device which is connected to a forensic examination device or computer. If necessary, an examination can take place
without removing the hard drive. Since a PDA does not have a hard drive, the PDA must be on. Other types of
media storage systems, such as Zip drives, tape drives, CDs and DVDs, require specific forensic tools. Using an
absolutely sanitized or sterile HDD and forensically sound hardware and software, the digital forensic accounting
technologist will acquire bit by bit the e-data on the debtor's original source HDD, PDA and other digital devices.
</p><p>To complete the process, digital forensic software will verify that the source and destination drives match. This
match is verified by using a cryptographic "hash value." The cryptographic hash is a digest value computed from the
data itself, and it confirms that the e-data on both drives is an exact match. The digest value acts like a digital
fingerprint or signature—it is unique to the specific data, so an exact copy produces the same value and an altered
copy does not.
</p><p>It is advisable to make multiple forensic images at the time of original acquisition of the debtor's e-data. The ideal
number will depend on the specific facts of the case, but the minimum number is at least two. One forensic image
will be kept completely pristine and unused, in case anyone challenges the accuracy of the forensic image. A second
forensic image will be used for the trustee, creditors or other parties in interest to recreate the debtor's computer
environment. The cost of HDD and other suitable storage media is low enough that it makes sense to make several
forensic images in case anything goes wrong during the examination. Remember, the hash value will always verify
that the document, folder, partition or HDD is an authentic match of the original, just like a fingerprint.
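</p><p>The acquisition and verification steps described in this section reduce to a small amount of code: read the write-blocked source once, fan every chunk out to each destination image, hash the bytes as they are read, and later recompute each image's hash against that acquisition value. The Python example below is added here to illustrate those steps and is not code from the article or its authors; the "device" is a constructed byte string, the write-blocker is a class that simply refuses writes, and SHA-256 stands in for whatever digest the examiner's tooling produces.</p>

```python
"""Added example (not from the article): streaming acquisition of a source
device into several images with hash verification. The device, the
write-blocker stand-in and the digest choice are demo assumptions.
"""
import hashlib
import io

CHUNK = 64 * 1024

# Constructed source device contents: enough bytes to span several chunks.
SAMPLE_DEVICE = (b"LEDGER " * 1000 + b"\x00" * 4096) * 40


class ReadOnlySource:
    """Stand-in for a drive attached through a hardware write-blocker."""

    def __init__(self, data):
        self._buf = io.BytesIO(data)

    def read(self, n=-1):
        return self._buf.read(n)

    def seek(self, pos):
        return self._buf.seek(pos)

    def write(self, *_):
        raise PermissionError("source is write-blocked")


def is_write_blocked(source):
    """True when an attempted write to the source is refused."""
    try:
        source.write(b"\x00")
    except PermissionError:
        return True
    return False


def new_image():
    """An empty destination image (an output file in practice)."""
    return io.BytesIO()


def acquire(source, destinations, algo="sha256"):
    """Read the source once, bit for bit, copying every chunk to all
    destination images, and return the digest of exactly what was read."""
    digest = hashlib.new(algo)
    source.seek(0)
    while True:
        chunk = source.read(CHUNK)
        if not chunk:
            break
        digest.update(chunk)
        for dest in destinations:
            dest.write(chunk)
    return digest.hexdigest()


def hash_image(image, algo="sha256"):
    """Recompute the digest of a stored image (or of the source itself)."""
    digest = hashlib.new(algo)
    image.seek(0)
    for chunk in iter(lambda: image.read(CHUNK), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify(acquisition_hash, images):
    """Map image name -> True when its digest matches the acquisition digest."""
    return {name: hash_image(img) == acquisition_hash for name, img in images.items()}


def tamper(image, offset, data):
    """Simulate an accidental write to a working copy during examination."""
    image.seek(offset)
    image.write(data)


def run_demo():
    """Acquire two images, verify both, damage the working copy, verify again."""
    source = ReadOnlySource(SAMPLE_DEVICE)
    pristine, working = new_image(), new_image()
    acq = acquire(source, [pristine, working])
    before = verify(acq, {"pristine": pristine, "working": working})
    tamper(working, 100, b"X")
    after = verify(acq, {"pristine": pristine, "working": working})
    return acq, before, after


if __name__ == "__main__":
    acq, before, after = run_demo()
    print("acquisition digest:", acq)
    print("before tampering:", before)
    print("after tampering:", after)
```

<p>The acquisition digest is recorded once, at the time of imaging; the pristine image is what makes a later challenge answerable, because its digest can be recomputed against that record at any time while the working copy drifts.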
</p><h3>Reconstructing the Debtor's E-data: Mining the Retrieved Files for Gold</h3>
<p>All available files (reconstructed as clean forensic images) result in a combined Digital DataSource. This is a digital
alpha/numeric index of all text, phrases, terms, numbers, symbols, passwords, electronic commerce, special-purpose
words that relate to the debtor's or insider's business, and all dates and times that pertain to any document or
actions created or implemented on the computer and other devices from which the forensic images were obtained.
</p><p>After the debtor's Digital DataSource has been created, trustees, creditors and other parties in interest will have
available a fully digitized, exact replication of all the debtor's e-data, including the books, records and related
financial information. At this point, the search capabilities are endless. Powerful search capabilities allow for the
specific and relevant simultaneous text searches of accounting records, audit workpapers, financial spreadsheets,
financial statements, e-mail and files in virtually any word processing documents, accounting databases, financial
reports, presentation or multimedia software programs, including Mac software, as well as for an almost unlimited
list of file extensions.
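</p><p>At its core, the index described above is an inverted index over every token (word, number, account identifier, date) in every recovered file, which is what makes simultaneous searches across accounting records, e-mail and documents possible. The Python example below is added here as an illustration and is not code from the article or from any product; the three "recovered documents" are constructed, and the tokeniser and date handling are demo assumptions.</p>

```python
"""Added example (not from the article): a small keyword/number/date index
over recovered documents with simultaneous (AND) search. Documents and the
tokeniser are demo assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Dates first so they are not split into separate numbers; then words; then
# numbers such as account identifiers and amounts.
TOKEN_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}"             # ISO date
    r"|\d{1,2}/\d{1,2}/\d{2,4}"      # m/d/y date
    r"|[A-Za-z][A-Za-z'\-]+"         # words
    r"|\d[\d,.\-]*\d|\d"             # numbers, account ids, amounts
)

DOCS = {  # constructed recovered documents
    "ledger_q3.xls": "Acct 0099-1234 balance 1,250,000.00 as of 2003-06-30; transfer to Holdco on 2003-09-05",
    "memo_board.doc": "Board memo: sale of warehouse to insider Holdco approved 2003-09-05. Filed 09/12/2003.",
    "mail-0412.eml": "Move the rest of acct 0099-1234 to the Cayman entity by wire before the 341 meeting.",
}


def tokenize(text):
    return [t.lower() for t in TOKEN_RE.findall(text)]


def build_index(docs):
    """Inverted index: token -> set of document names containing it."""
    index = defaultdict(set)
    for name, text in docs.items():
        for tok in tokenize(text):
            index[tok].add(name)
    return index


def search_all(index, *terms):
    """Documents containing every term (the simultaneous search)."""
    sets = [index.get(t.lower(), set()) for t in terms]
    return sorted(set.intersection(*sets)) if sets else []


def search_any(index, *terms):
    """Documents containing at least one of the terms."""
    return sorted(set().union(*(index.get(t.lower(), set()) for t in terms)))


def _as_date(token):
    for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%m/%d/%y"):
        try:
            return datetime.strptime(token, fmt).date()
        except ValueError:
            pass
    return None


def dates_between(docs, start, end):
    """doc -> sorted ISO dates appearing in it within [start, end]."""
    lo, hi = _as_date(start), _as_date(end)
    hits = {}
    for name, text in docs.items():
        found = set()
        for tok in tokenize(text):
            d = _as_date(tok)
            if d is not None and lo <= d <= hi:
                found.add(d.isoformat())
        if found:
            hits[name] = sorted(found)
    return hits


if __name__ == "__main__":
    idx = build_index(DOCS)
    print("wire AND cayman:", search_all(idx, "wire", "cayman"))
    print("account 0099-1234 anywhere:", search_any(idx, "0099-1234"))
    print("dated September 2003:", dates_between(DOCS, "2003-09-01", "2003-09-30"))
```

<p>Indexing account numbers and dates as single tokens is what lets a search for one identifier pull together a spreadsheet cell and an e-mail sentence at once; a plain word index would split "0099-1234" into two numbers and lose the link.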
</p><hr>
<h3>Footnotes</h3>
<p><small><sup><a name="1">1</a></sup></small> Jack Seward is a consultant and has an association with a forensic accounting firm in New York City. He is a veteran of many years of forensic accounting and electronic data
sleuthing. Mr. Seward may be reached at jackseward@msn.com. <a href="#1a">Return to article</a>
</p><p><small><sup><a name="2">2</a></sup></small> Daniel Austin is a lawyer in the Pittsburgh office of the international law firm McGuireWoods LLP, where he specializes in bankruptcy law. Mr. Austin may be reached at
daustin@mcguirewoods.com. The authors gratefully acknowledge the assistance of Cynthia Smith, a research librarian in the Washington, D.C., office of McGuireWoods LLP. <a href="#2a">Return to article</a>
</p><p><small><sup><a name="3">3</a></sup></small> Electronic commerce is taking on a life of its own. In a visionary decision, the U.S. Bankruptcy Court for the Southern District of Florida found that a bank's computer, not the
bank, was in civil contempt for sending the debtors a dunning letter on a debt that had been discharged. <i>In re John Coffey Vivian and Margaret Vivian,</i> 150 B.R. 832 (Bankr.
S.D. Fla. 1992). The computer was fined 50 megabytes of hard drive memory and 10 megabytes of random access memory, and provided the opportunity to purge itself of
contempt by ceasing the production and mailing of documents to the debtors. <i>Id.</i> at 833. <a href="#3a">Return to article</a>
</p><p><small><sup><a name="4">4</a></sup></small> Digital devices include, but are not limited to, CD, DVD, Microdrive, CompactFlash, SmartMedia, SecureDigital, Memory Stick and MultiMediaCard. <a href="#4a">Return to article</a>
</p><p><small><sup><a name="5">5</a></sup></small> According to a study at the University of California, 93 percent of all information created in 1999 was generated on computers, while only 7 percent was generated in other
media, such as paper. <i>In re Bristol-Myers Squibb Securities Litigation,</i> 205 F.R.D. 437, 440, n.2 (D. N.J. 2002) (<i>citing</i> Withers, Kenneth J., <i>Electronic Discovery: The Challenges
and Opportunities of Electronic Evidence, Address at the National Workshop for Magistrate Judges</i> (July 2001)). Some studies indicate that 20-30 percent of all computer data
never reaches paper form. Sokol, Monte E. and Andriola, Philip P., "Becomes Ground Zero in Discovery Process and at Trial," N.Y.L.J. Dec. 1, 1997 at S5. <a href="#5a">Return to article</a>
</p><p><small><sup><a name="6">6</a></sup></small> <i>See, e.g.,</i> Zea, Andrea, "Massive Rise in Demand for Forensic Accountants," <a href="http://www.AccountancyAge.com/News/1135199">http://www.AccountancyAge.c…; (Oct. 16, 2003). <a href="#6a">Return to article</a>
</p><p><small><sup><a name="7">7</a></sup></small> <i>See, e.g.,</i> Berman, Dennis K., "Online Laundry: Government Posts Enron's E-mail," <i>Wall Street Journal,</i> Oct. 6, 2003. The Enron case is especially instructive. The Federal
Energy Regulatory Commission gathered a massive trove of data from Enron in its investigation of energy-market manipulation. In March 2003, the agency released more than
1.6 million pieces of e-mail and other documents, and posted them on the web in a searchable database, <a href="http://www.ferc.gov/industries/electronic/indus-act/03/26/03-release.as…;. The
e-mails cover three years of business and personal communication, and contain numerous highly personal and revealing private messages. <a href="#7a">Return to article</a>
</p><p><small><sup><a name="8">8</a></sup></small> Ken Withers, a research associate at the Federal Judicial Center in Washington, D.C., estimates that a company of 100 employees will generate up to 7.5 million e-mails per
year. Withers, Ken, "Digital Discovery Starts to Work," <i>National Law Journal,</i> Nov. 4, 2002. <a href="#8a">Return to article</a>
</p><p><small><sup><a name="9">9</a></sup></small> There are numerous recent examples. E-mails written by a senior staff member of J.P. Morgan Chase & Co. referring to "disguised loans" were pertinent evidence to support
allegations that J.P. Morgan helped Enron conceal its growing debt problems. <i>See</i> Swartz, Nikki, "E-mails Can and Will Be Held Against You," <i>Information Management
Journal,</i> Mar/Apr. 2003, p. 12. Another recent example is the ongoing case against Frank Quattrone, a former investment banker for Credit Suisse First Boston. Quattrone was
prosecuted for obstructing investigations of alleged kickbacks schemes for initial public offerings. A major item of evidence against Quattrone was an e-mail he sent to
colleagues in December 2000, urging them to "clean up" their files just two days after an in-house lawyer alerted him to a grand-jury probe. Smith, Randall and Scannel, Kara,
"Inside Quattrone Jury Room, Discord Culminates in Mistrial," <i>Wall Street Journal,</i> Oct. 27, 2003, p. A-1. A thoughtful review of the use of deleted e-mail in litigation was
written by Michael Marron in Comment, "Discovery of 'Deleted' E-mail: Time for a Closer Examination," 25 Seattle Univ. L. Review 895 (2002). <a href="#9a">Return to article</a>
</p><p><small><sup><a name="10">10</a></sup></small> From the Greek word for writing or hiding secret messages. <a href="#10a">Return to article</a>
</p><p><small><sup><a name="11">11</a></sup></small> Popular applications that encrypt data and/or require passwords include Encrypt Magic Folders, Source Safe, BestCrypt, PC-Encrypt, Microsoft Office, Word, Access, Pocket
Excel, dBase, FoxBASE, Windows XP, Windows 2000, Windows NT, Outlook, Outlook Express, Microsoft Exchange Server, Disappearing Mail, SafeMessage, WinZip, PKZip,
ZIP, General Zippers, VBA Visual Basic, Internet Explorer, Adobe Acrobat, Quicken, QuickBooks, Lotus 1-2-3, Lotus Organizer, Lotus WordPro, Microsoft Project, MYOB,
Paradox, ACT!, Microsoft Mail, Schedule+, Microsoft Money, WordPerfect, Filemaker, Peachtree Accounting, Quattro Pro, Ami Pro, Backup, Bullet Proof FTP, Cute FTP, Data
Perfect, File Maker Pro, My Personal Check Writer, Norton Secret Stuff, Palm, Q&A, WinRAR, Symphony, Versa Check, Adobe PDF, Windows 95 and Windows 98, PWL Files
and Netscape Mail. <a href="#11a">Return to article</a>
</p><p><small><sup><a name="12">12</a></sup></small> More technically referred to as a "low-level bit stream image." <a href="#12a">Return to article</a>
</p><p><small><sup><a name="13">13</a></sup></small> The seminal case regarding the importance of utilizing "best practices" to recover e-data is <i>Gates Rubber v. Bando Chem. Indus. Ltd.,</i> 167 F.R.D. 90 (D. Colo. 1996). In <i>Gates,</i>
the plaintiff sought sanctions for alleged destruction of evidence in an underlying case for theft of trade secrets. In conducting discovery of the defendant's computers, the
plaintiff's expert used a file-retrieval program that had to be copied onto the defendant's hard drive. This overwrote 7-8 percent of the data on the drive. In addition, the
plaintiff's expert failed to preserve the creation dates of certain files that allegedly overwrote relevant files. These dates would have indicated the dates of the alleged deletions.
Finally, the expert copied the defendant's hard drive using a "file-by-file" method, which only extracted non-deleted files, rather than an "image backup" (forensic image),
which would have captured all the data on the hard drive. These mistakes seriously undermined the plaintiff's case, leading to only minimal sanctions in favor of plaintiff, with
offsetting damages awarded to the defendants on those claims that lacked justification. <a href="#13a">Return to article</a>