The Spokesman-Review Newspaper
The Spokesman-Review Newspaper The Spokesman-Review
Spokane, Washington  Est. May 19, 1883
Current Temperature
52°F
Current Conditions
Overcast clouds
View complete weather report
Subscribe now

Software helps lawyers mine data users thought they’d deleted

Josiah Roloff, a vice president and investigator for Spokane computer forensics company Global CompuSearch, explains how deleted files and chats can be retrieved from computers and phones. (Dan Pelle)
By Tom Sowa toms@spokesman.com(509) 459-5492

In 2009, Peter Moesslang, a 68-year-old Spokane-area businessman, was sued by a woman who said she had been his companion for nearly 20 years.

The former companion, Bette Lyn Kelly, filed suit in Spokane County Superior Court, saying she and Moesslang had a steady relationship from the mid-1980s. She said their relationship was meretricious – legally viewed in Washington as similar to a marriage.

Kelly, who’s 64, sued for a portion of Moesslang’s assets, even though she acknowledged they no longer lived together and had broken off the relationship well before 2009.

Moesslang’s attorney, Jane Brown, of Spokane law firm Paine Hamblen LLP, obtained a copy of email files on a computer Kelly used while working for Moesslang. Brown wasn’t sure what they might contain, but like many lawyers Brown now makes that request as standard practice.

Last year a Spokane judge dismissed Kelly’s suit. Some of the emails recovered from her computer – even those thought to be deleted – played a key role in that decision.

That tactic – asking for digital copies of messages, photos, voicemail or chat transcripts found on computers or cellphones – is now widely accepted by attorneys.

Where it used to be found only in corporate law or commercial disputes, it’s now seen across the board, especially in employment- and family-law matters, said Greg Johnson, another Paine Hamblen lawyer and the firm’s technology specialist.

Lawyers routinely make court-approved searches of smartphones, computers and iPads, and, in the past two years, have broadened their investigations to social media sites like Facebook and Twitter.

In a society saturated with electronic communications, all those digital traces and records have made being a lawyer much easier, said Michael Church, a Spokane employment-law attorney.

“People don’t realize this stuff lives forever,” Church said. Even when people delete information, those messages, photos and browsing records on computers or phones can be easily retrieved, he said.

In fact, Paine Hamblen’s Brown and Johnson suspected some of the key messages needed to defend Moesslang would be found in deleted email form.

When she made the claim on Moesslang’s property and assets, Kelly tried to establish she was in an exclusive, committed relationship with him during the period within the law’s statute of limitations.

Instead of making her case, many of Kelly’s emails showed she had formed another romantic relationship while still living in one of Moesslang’s homes.

Brown was able to cite those messages in convincing the court that Kelly and Moesslang had both ended their romantic relationship during the time Kelly said they were together.

After Kelly’s claim in Superior Court was dismissed, her lawyer, Spokane attorney Al Gauper, appealed the decision. The appeals court has not yet set an oral argument on that case.

Gauper, a veteran Spokane family-law attorney, understands the value of electronic evidence. He has used it himself in other cases, such as a divorce and support-payment dispute he handled two years ago.

His client, a Spokane woman, said her ex-spouse insisted he no longer had the income to pay alimony.

Gauper visited Facebook and started copying down the ex-husband’s messages and updates. Many were about locations he visited or events he attended in different cities.

“The messages there, saying ‘I’ve been to Las Vegas’ or other glamorous places, didn’t seem to bear out his statement that times were hard and he needed to adjust his lifestyle,” Gauper said.

The judge agreed on that matter.

Publicly available Facebook messages are almost too simple a source of information. It’s harder – but possible – for attorneys to find ways to get copies of chats and instant messages Facebook users engage in, and which typically are not kept in permanent form.

But computer forensic experts have found Facebook instant chats are saved in deleted form on a person’s computer.

“People who use instant messaging in Facebook assume those conversations are gone,” said Josiah Roloff, a vice president and investigator with Spokane computer forensics company Global CompuSearch.

“Those conversations are there on the hard drive in what’s called unallocated file space,” Roloff said. To find them, investigators use software tools, such as EnCase, a product that finds and restores deleted computer data. As long as the deleted files sit on parts of the hard drive that are not overwritten with new data, EnCase can retrieve messages and chats.

EnCase is also used, among other tools, to dig through deleted messages on smartphones, including the popular Apple iPhone.

Not long ago Global CompuSearch was asked by a Spokane man to look through his wife’s iPhone to determine if she was having an affair.

Using EnCase, Global CompuSearch investigators sifted through the wife’s iPhone data. Even though many of the recorded voice messages were deleted, EnCase was able to recover roughly 1,000 of them, and the husband learned she was seeing another man, Roloff said.

As a result, his attorney was able to negotiate a divorce settlement in the man’s favor, Roloff said.

“The iPhone is one of the most insecure phones you can have” if you’re trying to hide or protect personal information, Roloff said.

That opinion has nothing to do with the recently divulged feature of many iPhones, which can keep a location history going back many months. Apple has modified that feature and told users how to disable that option.

“What makes an iPhone so insecure is that it can hold so much information, including photos that may be deleted but can also be recovered,” he said. Older or plain-feature phones don’t hold that volume of personal information, he added.

At other times attorneys try to determine not what’s on a computer, but how it got there.

Roloff’s boss, Global CompuSearch CEO Marcus Lawson, was involved in a major child-custody case in Connecticut that involved allegations that a husband was downloading child pornography.

The wife said she found the porn on one of the couple’s home computers. She cited that as the reason she deserved sole custody of their three children.

The husband’s attorneys asked Lawson to examine a number of computers the couple used. The husband insisted he had nothing to do with them.

Lawson discovered he couldn’t establish who downloaded the porn, but he made a strong case it wasn’t the husband.

Using time-stamp information associated with browser files on the computer, Lawson showed that whoever visited the porn sites did so when the husband was far from home on business trips.

The wife’s attorneys tried to argue the husband might have downloaded the porn while taking one of the home computers on a trip.

Lawson used a website feature to show that the porn had to have been downloaded by someone living in Connecticut. “Porn sites do something that’s very specific to their geographic location. They load ads for adult friend-finder sites,” Lawson said.

Those “find-a-friend” ads are delivered with a reference to a specific geographic location to better appeal to the person visiting the website. The ads in this case offered to “find a date” with someone located in the city where the couple lived.

Lawson retrieved and reproduced as evidence the porn pages with the accompanying “friend” ads to show the computer wasn’t with the husband in another city.

Lawson testified for more than two days, dealing with challenges to that evidence from the wife’s attorneys. In the end, the judge ruled in favor of the husband.

Digital evidence does more than incriminate, of course. It also helps people, said Hector Quiroga, a Spokane Valley attorney.

“Social media evidence can show innocence. An email, a Tweet or a Facebook update can show that you were not present at the place you are accused to be, and save the day for you,” Quiroga said.

But he also foresees negative consequences of the spread of digital records through the legal system.

Because people post messages quickly, sometimes less than thoughtfully, comments can be taken as attacks, defamation or even cyberstalking, he said.

“Those will become more common and this will create another burden in our courts,” Quiroga said.