By order of Judge Mr. Juan Pablo Molina Pérez, presiding over the Court of First Instance and Preliminary Investigation No. 1 of Ciutadella de Menorca, I was appointed as a computer expert in preliminary proceedings.

The scope of the expert report requested by the judge primarily consisted of analyzing the hard drive of a computer owned by a local company, in order to determine a series of issues related to data deletion, as well as matters concerning any deleted information that could have been recovered from said hard drive.

The plaintiff had contracted the services of an ANTPJI associated professional. Following my judicial appointment as an expert in the proceedings, I was contacted by both the plaintiff and their expert, who offered their availability for the case. In this manner, I requested technical information about the hard drive in question from said professional, to properly plan the acquisition using forensic computer engineering tools and techniques, ensuring the chain of custody and non-alteration of evidence at all times.

As the hard drive was deposited with a notary, I was authorized to take custody of it and transfer it to the referring court, to proceed with its cloning before the Clerk of the Court. Once the cloning was completed and the hard drive returned to the referring notary, work was carried out to prepare the forensic environment for a proper analysis of the acquired evidence.

Once in the forensic environment and with the different disk partitions identified, a meticulous study of them was carried out, to ascertain the existence of untimely alterations, as it was plausible that, potentially, the original hard drive could have been subjected to some type of alteration by the professional hired by the plaintiff. Given this condition, modifications could potentially have been introduced into the disk, with or without malicious intent, in order to confuse or hinder any subsequent investigation, eliminate traces of unfavorable activity, or alter records to show information favorable to their interests.

Upon completion of this preliminary phase of validating the integrity of the digital evidence, the study of different operating system artifacts installed on the disk was carried out. The deletion of information by different users linked to the operating system could be evidenced, but the most significant data deletion did not appear to be linked to the user associated with the defendant. The plaintiff’s expert provided evidence related to a data recovery procedure, which was also analyzed in the report submitted to the court.

Consequently, the court scheduled a hearing, with both experts being summoned to appear in court. Both of us ratified our respective reports, which caused His Honor some perplexity, as contradictory conclusions were defended after analyzing the same evidence.

Given the contradictory situation of two computer forensic reports, the court asked me to expand my expert report. For this purpose, I was provided with the plaintiff’s expert report and authorized to access the plaintiff company’s computer systems.

The counter-report presented revealed methodological and forensic analysis errors on the part of the ANTPJI associated expert, which consequently affected the robustness of the conclusions they sought to support. A National Police report and a notarial deed were also analyzed, which showed certain deficiencies or material errors.

According to what the court informed me, after the submission of my counter-expert report, the judicial proceedings were archived.