What Every Attorney Needs to Know About Computer Forensics: Changes to the System Clock, Windows Event Logs, and Proving Spoliation

March 27, 2017 - from DisputeSoft's Nick Ferrara

From time to time, a party to a lawsuit may attempt to delete or overwrite relevant files from a computer system in its custody before producing that system to an opposing party. Such an attempt can lead a court to infer spoliation of evidence if a producing party’s destructive intentions can be reasonably established.

Forensic computer examiners often address this issue in the course of their investigations and can typically identify techniques commonly used to compromise digital evidence. While there are a variety of ways that a user can compromise digital evidence, one technique on Windows computer systems that is within the reach of even unsophisticated users is to manually change the computer’s time and date settings.

Most Windows computers allow users to change the system's time and date settings by hand. By setting the clock back before deleting or overwriting key files, a user might hope to make it appear that those files were deleted or modified in the normal course of use, before a court's preservation order took effect.

Fortunately, a number of Windows artifacts make this technique relatively easy to detect. The Windows Event Log, for example, records every change to the system clock: Security event 4616 ("The system time was changed") captures the account that made the change, the process that made it, and the previous and new times. The same event is also written when the Windows Time service quietly corrects clock drift, so the examiner's task is to separate those routine, small corrections (made by the time service rather than by a logged-on user) from large, user-initiated jumps made through the date and time settings. Expert examination can readily make that distinction and can yield the evidence necessary to support (or, as applicable, refute) an inference of spoliation. These types of analyses are typical of the work that DisputeSoft's forensic investigators perform for clients.
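As an added illustration of that examination (this is example code, not DisputeSoft's tooling), the script below reads Security event 4616 records in the XML form Event Viewer exports, separates time-service corrections from user-driven changes, sizes each jump, and uses the fact that event record numbers only ever increase to spot a record whose logged time is earlier than the record before it, which is what a clock rollback leaves behind. The three records are constructed sample data, the account name and workstation are invented, and treating svchost.exe (the host process of the Windows Time service) as the only automatic source is an assumption to adjust for the system under examination. Note that 4616 is only written when the "Audit Security State Change" policy is enabled, which it is by default.

```python
"""Triage Windows Security event 4616 ("The system time was changed") records."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: the Windows Time service (w32time) applies its drift corrections
# from inside a svchost.exe host process; any other process is treated as
# user-driven (Settings app, control panel, w32tm.exe, a console, ...).
AUTOMATIC_PROCESSES = {"svchost.exe"}
# Jumps larger than this (seconds) are reported as significant rather than drift.
SIGNIFICANT_SECONDS = 60


def parse_win_time(value):
    """Parse an Event Log timestamp such as 2017-03-20T14:02:11.1234567Z."""
    value = re.sub(r"(\.\d{6})\d+Z$", r"\1Z", value)  # Windows uses 100 ns; keep 6 digits
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_4616(xml_text):
    """Extract the fields of one 4616 record from its XML rendering."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "record_id": int(system.find("e:EventRecordID", NS).text),
        "logged": parse_win_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "user": data["SubjectUserName"],
        "process": data["ProcessName"],
        "previous": parse_win_time(data["PreviousTime"]),
        "new": parse_win_time(data["NewTime"]),
    }


def classify(event):
    """Label a record automatic or manual and compute the size of the clock jump."""
    delta = (event["new"] - event["previous"]).total_seconds()
    exe = event["process"].rsplit("\\", 1)[-1].lower()
    return {
        "record_id": event["record_id"],
        "user": event["user"],
        "kind": "automatic" if exe in AUTOMATIC_PROCESSES else "manual",
        "delta_seconds": delta,
        "significant": abs(delta) > SIGNIFICANT_SECONDS,
    }


def rollback_anomalies(events):
    """EventRecordID only increases, so a later record whose TimeCreated is
    earlier than its predecessor's shows the clock was moved backwards."""
    ordered = sorted(events, key=lambda e: e["record_id"])
    return [(a["record_id"], b["record_id"])
            for a, b in zip(ordered, ordered[1:]) if b["logged"] < a["logged"]]


def analyze(xml_records):
    """Return (classification per record, list of rollback anomalies)."""
    events = [parse_4616(x) for x in xml_records]
    return [classify(e) for e in events], rollback_anomalies(events)


def sample_record(record_id, logged, user, process, previous, new):
    """Constructed 4616 record in the shape Event Viewer exports (sample data, not a real log)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4616</EventID>
    <TimeCreated SystemTime="{logged}"/>
    <EventRecordID>{record_id}</EventRecordID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">WORKSTATION</Data>
    <Data Name="PreviousTime">{previous}</Data>
    <Data Name="NewTime">{new}</Data>
    <Data Name="ProcessName">{process}</Data>
  </EventData>
</Event>"""


SVCHOST = r"C:\Windows\System32\svchost.exe"
SETTINGS = r"C:\Windows\System32\SystemSettingsAdminFlows.exe"  # assumed UI process name

# Constructed scenario: a routine 2 s sync, then user jdoe sets the clock back
# about 139 days, works for half an hour, and sets it forward again.
SAMPLE_RECORDS = [
    sample_record(1001, "2017-03-20T14:02:11.0000000Z", "LOCAL SERVICE", SVCHOST,
                  "2017-03-20T14:02:09.0000000Z", "2017-03-20T14:02:11.0000000Z"),
    sample_record(1002, "2016-11-01T09:00:00.0100000Z", "jdoe", SETTINGS,
                  "2017-03-20T14:05:00.0000000Z", "2016-11-01T09:00:00.0000000Z"),
    sample_record(1003, "2017-03-20T14:40:00.0200000Z", "jdoe", SETTINGS,
                  "2016-11-01T09:30:00.0000000Z", "2017-03-20T14:40:00.0000000Z"),
]

if __name__ == "__main__":
    results, anomalies = analyze(SAMPLE_RECORDS)
    for r in results:
        print(r)
    print("rollbacks between records:", anomalies)
```

In a real engagement the records come from an exported Security.evtx (Event Viewer's "Save All Events As" XML, or a parser such as python-evtx), and the flagged window between the rollback and the restore is where file deletion and modification timestamps deserve a second look; timestamps inside that window are stated in the false time, so they should be compared with record order and with artifacts that carry their own clock, rather than taken at face value.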

If you are involved in a matter where you suspect that the date and time that files were deleted or last modified have been manipulated, or if you are defending against such an assertion, give us a call to see if we can assist you in establishing or refuting an inference of spoliation.