Windows – How to prove two files are the same legally


We had someone steal some files before quitting and it has eventually come down to a lawsuit. I've now been provided with a CD of files and I have to "prove" that they are our files by matching them to our files from our own file server.

I don't know if this is just for our lawyer or evidence for court or both. I also realize that I am not an impartial 3rd party.

In thinking how to "prove" these files came from our servers we realized I also have to prove we had the files before receiving the CD. My boss took screenshots of our Explorer windows of the files in question with creation dates and file names showing and emailed them to our lawyer the day before we received the CD. I would have liked to have provided md5sums but I wasn't involved in that part of the process.

My first thoughts were to use the Unix diff program and give console shell output. I also thought I could couple it with the MD5 sums of both our files and their files. Both of these can easily be faked.

I'm at a loss of what I actually should provide and then again at a loss on how to provide an auditable trail to reproduce my findings, so if it does need to be proved by a 3rd party it can be.

Does anyone have any experience with this?

Facts about the case:

  1. The files came from a Windows 2003 file server
  2. The incident happened over a year ago and the files haven't been modified since before the incident.

Best Answer

The technical issues are pretty straightforward. Using a combination of SHA and MD5 hashes is pretty typical in the forensics industry.

If you're talking about text files that might've been modified, say source code files, etc., then performing some type of structured "diff" would be pretty common. I can't cite cases, but there's definitely precedent out there re: the "stolen" file being a derivative work of the "original".

Chain-of-custody issues are a LOT more of a worry to you than proving that the files match. I'd talk to your attorney about what they're looking for, and would strongly consider getting in touch with an attorney experienced with this type of litigation or a computer forensics professional and get their advice on the best way to proceed so that you don't blow your case.

If you actually received a copy of the files I hope you did a good job of maintaining a chain-of-custody. If I were the opposing counsel I'd argue that you received the CD and used it as the source material to produce the "original" files that were "stolen". I'd have kept that CD of "copied" files far, far away from the "originals" and had an independent party perform "diffs" of the files.
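The SHA-plus-MD5 comparison mentioned in the answer, as an added example that is not part of the original question or answer: it builds a manifest of size, MD5 and SHA-256 for each tree and matches the CD's files to the server's by content, so a renamed copy still matches and a same-named but altered file does not. The function names and the sample trees in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for one file, opened read-only, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def build_manifest(root):
    """Map relative path -> (size, md5, sha256) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full),) + hash_file(full)
    return manifest

def compare_manifests(server, cd):
    """Match CD files to server files by content (size and both digests), not by name."""
    by_content = {}
    for rel, entry in server.items():
        by_content.setdefault(entry, []).append(rel)
    matched = {rel: sorted(by_content[e]) for rel, e in cd.items() if e in by_content}
    unmatched = sorted(rel for rel in cd if rel not in matched)
    return matched, unmatched

def demo():
    """Run the comparison on two constructed trees (stand-ins for server copy and CD)."""
    with tempfile.TemporaryDirectory() as tmp:
        trees = {  # constructed sample data, not from the case
            "server/designs/widget.txt": b"rev A\n",
            "server/notes.txt": b"internal\n",
            "cd/copy_of_widget.txt": b"rev A\n",       # renamed, same bytes
            "cd/notes.txt": b"internal, edited\n",     # same name, different bytes
        }
        for rel, data in trees.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return compare_manifests(build_manifest(os.path.join(tmp, "server")),
                                 build_manifest(os.path.join(tmp, "cd")))
```

Matching digests show only that the bytes are identical; they do not show who held the files first, which is the chain-of-custody question the answer raises.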