July 2006 - Volume 4, Issue 7
In This Issue:
FROM THE BENCH: COURTS ADDRESS ISSUES RELATING TO COMPUTER FORENSIC PROTOCOLS
THE BRILL FILES: COMPUTER FORENSIC EXPERTS INVESTIGATE DETAINED DATA
TECHNOLOGY YOU SHOULD KNOW: TIPS FOR PREPPING A COMPUTER FORENSIC EXPERT FOR TRIAL
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: COURTS ADDRESS ISSUES RELATING TO COMPUTER FORENSIC PROTOCOLS

Court’s Chambers Used to Make Forensic Image of Defendant’s Hard Drive
Warner Bros. Records, Inc. v. Souther, 2006 WL 1549689 (W.D.N.C. June 1, 2006). In a copyright infringement case, the plaintiffs accused the defendant of unlawfully downloading and distributing copyrighted materials through a peer-to-peer, online media distribution system. After the defendant failed to provide electronic copies of her computer’s desktop and registry files in response to a production request, the court ordered the defendant to bring the computer to an evidentiary hearing. At the hearing, the court permitted the plaintiff’s forensic technician to make a mirror image of the defendant’s computer in the court’s chambers. Issuing a protective order, the court restricted the plaintiffs from using or disclosing any electronic information obtained from the computer that was unrelated to the case. The court also reserved the right to issue Rule 37 sanctions against the defendant for failing to provide the electronic files, after having the opportunity to consider the defendant’s computer skills and the reasonableness of her efforts to comply with the discovery request.

Citing Sedona Principles, Court Allows Forensic Imaging of Former Employee’s Home Computer
Quotient, Inc. v. Toon, 2005 WL 4006493 (Md. Cir. Ct. Dec. 23, 2005). In a breach of contract suit, the plaintiff alleged that the defendant, while employed by the plaintiff, provided a former employee access to the plaintiff’s computer system so that the former employee could obtain trade secrets and confidential information. In order to preserve potentially relevant e-mail evidence on the defendant’s personal computer, the plaintiff filed an emergency motion for expedited discovery. The plaintiff offered to pay for a computer expert to make a mirror image of the defendant’s computer and stipulated the contents could be sealed until further court order. In granting the emergency motion, the court found a “substantial probability” that relevant electronic evidence, including e-mails and instant messages, “could be made less accessible to the parties merely by the defendant’s normal course of computer use, regardless of his intentions and motive.” The court observed, “the unintentional destruction of relevant evidence should be halted when it can be done so in a fashion that is minimally intrusive and where [the other party] is willing to bear the full cost of the process.” Citing the Sedona Principles, the court granted the emergency order, finding in certain circumstances, preservation orders may aid the discovery process by promoting efficiency and by specifying the parties’ preservation obligations. The court requested the defendant’s lawyers screen the computer data for privacy, privilege, and relevancy issues before disclosing the contents to the plaintiffs.


THE BRILL FILES: COMPUTER FORENSIC EXPERTS INVESTIGATE DETAINED DATA

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

I recently read a news story featuring one of the latest “ransomware” viruses to infect cyberspace. “Cryzip,” a Trojan virus, captures documents on an infected computer by using a commercial zip library that stores the documents inside of an encrypted zip file. The virus then leaves instructions on the victim’s computer detailing how to retrieve the encrypted documents. In order to unzip the file and access documents, a victim of the virus must pay $300 ransom in exchange for a decryption password (see http://www.foxnews.com/story/0,2933,187845,00.html).

Cases involving data encryption issues certainly can be among the most difficult for a computer forensic expert to resolve. In one of the latest cases Kroll Ontrack worked on, for example, we were asked to identify and break hundreds of encrypted files contained on backup tapes. Unless the encryption could be broken, our client would not be able to access critical data needed for an internal corporate investigation.

Initially, our computer forensic experts extracted all of the data contained on the backup tapes. We then proceeded to identify the target data – the data requiring decryption – and segregated it from the rest of the data. Using specialized computer forensic tools, we de-duplicated the target files and eliminated more than 150 duplicative files.

After the de-duping process, our forensic experts were left with approximately 400 original files that needed password decrypting. We separated the remaining files into sets of 50 files and ran each set through a password cracking utility.

Our experts discovered some of the passwords were not truly encrypted but were instead protected cells. We broke these passwords instantly and were able to break all of the other passwords, except one, on the remaining encrypted files within minutes. The remaining password required a more extensive analysis and, after trillions of attempts, we cracked the password – in less than 12 hours.

This case study presents just one example of how a computer forensic expert can use innovative techniques and tools to assist in retrieving password-protected and encrypted data. If faced with a case in which crucial data is held hostage by an encryption-napper, you should engage a computer forensic expert who can assist in cracking the case.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***


TECHNOLOGY YOU SHOULD KNOW: TIPS FOR PREPPING A COMPUTER FORENSIC EXPERT FOR TRIAL

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***

After a lengthy discovery process filled with client interviews, discovery requests, depositions, interrogatories, and case scheduling hurdles, you have finally made it to trial. As the trial date looms near, you must plan one of the most important pieces of your case – preparing a computer forensic expert to testify at trial.

Preparing a computer forensic expert to testify can raise numerous questions and concerns. How can a computer forensic expert’s testimony assist in solidifying your case? What information should you know before beginning expert witness preparation? How does prepping a computer forensic expert differ from prepping any other expert? How can you help the expert connect with and convince the jury? The following five tips can help you sharpen your computer forensic expert witness’ ability to persuade the jury, thwart attacks from opposing counsel and shine at trial.

  1. Emphasize the Expert’s Credentials. An expert with impeccable credentials and solid computer investigative experience can be one of the most important weapons in your case arsenal. Indeed, opposing counsel will use every opportunity available to attack your expert’s reliability and expertise. Establishing expert credibility during trial will involve highlighting the expert’s direct, provable experience handling the type of technical situation at issue in the case. Additionally, counsel should point out the expert’s technical and professional skills, such as his or her case experience (including both volume and types of cases handled), formal education, certifications and ongoing field training, publication and presentation experience, and testifying background.
  2. Understand Technical Terminology. For most lawyers, terms like “encryption,” “slack space,” “file allocation table,” and “date/time stamps” are virtually meaningless. However, proper witness preparation requires counsel to develop a working familiarity with any computer technology terms likely to come up in the case at hand. In addition to comprehending terms contained in your own expert’s report, you should also understand terminology mentioned by your opponents. Possessing this knowledge will allow you to pick apart the opposing expert’s report and to prepare for addressing shortfalls in your own case.
  3. Familiarize Yourself with the Computer Forensic Investigation Process. A typical computer forensic investigation involves the following steps: (1) consultation with clients and computer forensic experts; (2) data collection; (3) data preservation; (4) data recovery and analysis; and (5) expert testimony and reporting. Lawyers should acquire general knowledge about the processes that take place during each of these steps and how these procedures work into their overall theory of the case. This will also help a litigator pinpoint process gaps in the opposing expert’s computer investigation.
  4. Ask the Expert to Educate You About Issues Raised in Your Specific Case. In addition to understanding the general scope of a computer forensic investigation, you should develop intimate knowledge about the specific technical issues that will need to be addressed in your case. An expert can help explain shortcomings in your case and assist with uncovering weaknesses in the opposing side’s case – an indispensable tool during cross-examination of the opposing party’s expert. The expert can also help pinpoint weaknesses and potential areas for impeachment in an opposing expert’s computer forensic report.
  5. Coach the Expert on Communication Skills. Regardless of how much education, experience and skill they possess, testifying computer forensic experts will be virtually valueless if they cannot clearly explain case technicalities to the judge or jury. Attorneys should realize most computer forensic experts have backgrounds in information technology or high-tech investigative police work, making highly complex technical terms second nature to them. It’s imperative you work with an expert on phrasing case explanations in layman’s terms and work to avoid the use of technical acronyms. In addition, you should prepare the expert for which questions they will be asked at trial on direct examination, why those questions are likely to be asked, and what tactics the opposing side may employ on cross-examination.


KROLL ONTRACK NEWS & EVENTS

Meet Kroll Ontrack Representatives at the Following Events:

7/27/06 - 7/28/06 | Paralegal Super Conferences | Washington D.C.
8/21/06 - 8/24/06 | ILTA 06': Evolving Together | Orlando, FL
8/31/06 - 9/1/06 | E-Discovery Advisor Summit | Phoenix, AZ
9/14/06 - 9/15/06 | Electronic Discovery Certification Course | Eden Prairie, MN
9/18/06 - 9/20/06 | 2nd E Discovery | New York, NY
9/19/06 - 9/20/06 | E-Discovery "A-to-Z" Workshop | Seattle, WA
10/3/06 | Orange County Association of Legal Support Specialists | Orlando, FL
10/4/06 - 10/5/06 | Paralegal Super Conferences | Philadelphia, PA
10/4/06 - 10/5/06 | E-Discovery "A-to-Z" Workshop | Atlanta, GA
10/19/06 - 10/20/06 | Paralegal Super Conferences | San Francisco, CA
10/24/06 | Document Retention And Destruction In The Age Of Electronic Documents | Boston, MA
10/30/06 - 11/1/06 | HTCIA International Training Conference & Expo | Cleveland, OH
11/13/06 - 11/14/06 | Advanced Electronic Discovery Certification Course | Eden Prairie, MN
11/29/06 | Maine State Bar Association Employment & Labor Section Meeting | TBD
12/4/06 - 12/5/06 | Electronic Discovery Certification Course | Eden Prairie, MN

Visit http://www.krollontrack.com/upcoming-events/ for more information on these events and others.


KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Melanie Bradshaw, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or http://www.krollontrack.com/.

© 2006 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105

This document is not intended to provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.

© 2006 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.