Computer Forensics News
July 2008 | Vol. 6, Iss. 7
Cyber Crime & Computer Forensics News


In This Issue:

From the Bench: Courts Rely on Forensic Evidence
The Brill Files: Can a Social Network Site Leak Confidential Corporate Data?
Technology You Should Know: Authenticating Electronic Evidence – Understanding What It Is & How to Achieve It
News & Events

From the Bench: Courts Rely on Forensic Evidence

Court Allows Limited Hard Drive Imaging to Test Accuracy of Previously Produced ESI
Binary Semantics Ltd. v. Minitab, Inc., 2008 WL 2020362 (M.D. Pa. May 5, 2008). In this trade secrets litigation, the defendants filed an emergency motion for court intervention to allow the defendants’ forensic expert to image the plaintiffs’ FTP and file servers, in addition to certain employees’ computers and removed hard drives. The defendants claimed this imaging was necessary to determine the integrity of previously produced ESI that contained questionable metadata. The plaintiffs opposed the motion and argued the request was overly-broad and intrusive. Agreeing in part with the plaintiffs, the court found the defendants’ request was largely overly broad because an image of relevant folders would resolve the documents’ integrity issue. The court permitted the defendants to image the relevant folders contained on the plaintiffs’ FTP server. The court also granted the defendants’ unopposed request to image the removed hard drives.

After Plaintiff Deleted Hard Drive, Court Orders Adverse Jury Instruction Rather than Case Dismissal
Johnson v. Wells Fargo Home Mortg., Inc., 2008 WL 2142219 (D. Nev. May 16, 2008). In this mortgage loans and credit dispute, the defendants filed a motion to dismiss, alleging evidence spoliation. Through forensic analysis, the defendants’ computer forensic expert established that the plaintiff reformatted both laptops shortly after a production request for the hard drives, and also found two documents containing metadata suggesting the plaintiff created the documents one year later than claimed. Opposing the motion, the plaintiff claimed the hard drives were wiped and reformatted for maintenance purposes due to virus infections. The court ordered an adverse jury instruction creating a presumption in favor of the defendants finding the plaintiff acted willfully; was on notice that information contained on the hard drives was potentially relevant to litigation; and did not produce backup files despite numerous requests. The court reasoned that the harsh sanction of dismissal was not appropriate because the evidence secured by the defendants’ computer forensic expert, combined with the adverse jury instruction, did not render it “helpless to rebut any material that [the] plaintiff might use to overcome the presumption” at trial.

Court Denies Motion to Dismiss Because Government Did Not Act in Bad Faith
United States v. Kimoto, 2008 WL 2003187 (S.D. Ill. May 8, 2008). In this post-conspiracy conviction hearing, the defendant filed a motion to dismiss alleging that the government either failed to provide, or destroyed, digital forensic evidence and relevant e-mail. Specifically, the defendant claimed approximately 2500 e-mails were missing and further electronic evidence was intentionally withheld. The government argued that open file discovery was allowed from the beginning, making “every scrap” of electronic evidence available. Finding the defendant failed to prove the government acted in bad faith, failed to show the exculpatory value of the evidence was apparent, and failed to show the evidence could not have been obtained by other reasonably available means, the court denied the defendant’s motion.

The Brill Files: Can a Social Network Site Leak Confidential Corporate Data?

Social networking sites have experienced incredible growth rates in recent years. Sites like Facebook and MySpace have tens of millions of participants. They enable people to reunite with old friends and to find communities of people with shared interests. They are immensely popular and clearly have provided great benefit to millions of users. So what’s the problem when it comes to protecting trade secrets?

I believe the potential informational security risks posed by these sites are aptly demonstrated by a situation I was involved in some years ago. My colleagues and I were called to trace the loss of extremely sensitive electronics R&D information that was finding its way into the press. Ultimately, we discovered that the leak was from an employee sharing the information (completely without authorization) with a professor who had been the person’s Ph.D. advisor. The messages were read by a graduate student serving as the professor’s assistant who was turning around and selling the information. There was no doubt on the part of the corporation involved that the person did not intend for the information to reach the press. The individual was simply proud of the work they were doing and wanted to let the professor know about it. Nonetheless, the release was unauthorized and led to the publication of the highly confidential data.

Today’s equivalent of the water cooler is the social networking site. MySpace and Facebook pages have become a place to post almost anything you want, and that may be a problem for corporations. An employee can post information on what they are doing and inadvertently provide information – which the company has not made public – to anybody with internet access. Many companies, for example, are the subject of MySpace and Facebook groups. There are hundreds of groups related to major companies and some of those have thousands of members. Often anyone can join, but how careful are the members who are actually employees? If someone makes a negative remark, isn’t there a real danger that an employee will respond with unauthorized information?

If nonpublic information is divulged, it can have very serious results. But to some extent, it is a preventable problem. Companies should remind employees that they should not be revealing any nonpublic information on any forum, including not only social networking sites but discussion boards as well. A little prevention can go a long way!

If you would like to explore the opportunity of world-renowned forensics expert Alan Brill speaking at a conference you are supporting or organizing, please contact Kristin Husom at 952 516 3781 or at khusom@krollontrack.com.

Technology You Should Know: Authenticating Electronic Evidence – Understanding What It Is & How to Achieve It

“[I]t makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence... ,” lamented Chief Magistrate Judge Grimm in a decision issued last year, Lorraine v. Markel Insurance Company, 241 F.R.D. 534 (D.Md. 2007).

Unfortunately, that is exactly what can happen if a party submits electronically stored information (ESI) to a court without proper authentication. Before ESI may be offered into evidence, it must be properly authenticated. Authentication is satisfied with evidence sufficient to support a finding that the matter in question is what the litigant claims it is. If evidence is not authenticated, a jury never even gets to consider it.

In the context of ESI, authentication often requires establishing the evidence’s integrity in addition to its identity. Integrity refers to the soundness of evidence; for instance, that a document has not been altered or corrupted. Electronic document integrity is a huge concern given how easily ESI can be altered, both purposefully and inadvertently. The authentication concern – as it relates to forensics and e-discovery – is that the evidence presented at trial is the same as the evidence originally collected. Thankfully, these fears can largely be eliminated by taking reasonable precautions and following forensic and discovery best practices.

Here are a few guidelines that should be followed when working with electronic evidence to increase the likelihood of authentication should the reliability of ESI ever be challenged.

Work Off A Forensic Copy: The most important practice to ensure that no authentication issues arise from a forensic examination is to take a bit-by-bit image from a physical layer of the original media (which does not touch the data level), and then do all forensic work on the forensic copy. Either an untouched forensic copy or the original media should be placed in a secure, environmentally-controlled location to avoid alteration, damage or spoliation.

The importance of working on a forensic copy of the media and not the original is twofold. First, ESI contains metadata (data about data such as the file creation date, size, author, etc.). Metadata can be altered by retrieving or searching data, or even booting a computer system. While trustworthy metadata can be used to authenticate ESI, the reverse is also true. Questionable metadata can call a document’s integrity into question by being unable to vouch for the document and, in some cases, actually providing conflicting data. For example, altered metadata could show a creation date that post-dates the claimed creation date.

Second, the hash value of ESI (a unique number identifying a file or group of files based on a standard mathematical algorithm) will be altered if even the slightest change is made to the data. Following forensic best practices and working off a forensic copy will allow the hash value of the evidence ultimately produced to be compared to the original’s hash value. Matching hash values can be used to prove the integrity of ESI. 

Create a Chain of Custody Log: The importance of creating a chain of custody log cannot be stressed enough. A chain of custody log should document every time the custody of the original media or forensic copy is transferred from collection to presentation at trial. A good chain of custody log will include details (such as serial numbers and model types) of the devices from which data was copied; the processes used for collection, retrieval of information, filtering and processing; and any criteria used for making decisions relating to the evidence’s handling.    
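The hash comparison and chain of custody log described above can be combined so that every hand-off re-checks the media against the hash taken at collection. The following Python sketch is an added example, not Kroll Ontrack's tooling; the class, field names, the fixed "examiner" role on the acquisition entry and the sample device details are all assumptions made for illustration.

```python
import hashlib
import io
from datetime import datetime, timezone

def image_hash(stream, algo="sha256", chunk_size=1 << 20):
    """Hash an image stream in chunks so large images never sit in RAM."""
    digest = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()

class CustodyLog:
    """Chain of custody for one device, anchored to its acquisition hash."""
    def __init__(self, model, serial, process, original_stream):
        self.device = {"model": model, "serial": serial}
        self.acquisition_hash = image_hash(original_stream)
        self.entries = []
        self._record("acquisition", None, "examiner", process, self.acquisition_hash)

    def _record(self, event, released_by, received_by, process, digest):
        self.entries.append({
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "event": event, "released_by": released_by,
            "received_by": received_by, "process": process, "sha256": digest,
            "matches_original": digest == self.acquisition_hash,
        })

    def transfer(self, released_by, received_by, process, copy_stream):
        """Re-hash the copy at hand-off and log whether it still matches."""
        self._record("transfer", released_by, received_by, process,
                     image_hash(copy_stream))
        return self.entries[-1]["matches_original"]

    def breaks(self):
        """Entries where the media no longer matches what was collected."""
        return [e for e in self.entries if not e["matches_original"]]

if __name__ == "__main__":
    # Constructed stand-in for a bit-by-bit image; not real evidence.
    original = b"\x00" * 4096 + b"contract_v1.doc" + b"\x00" * 4096
    altered = original.replace(b"v1", b"v2")  # a single changed byte
    log = CustodyLog("ExampleDrive 500", "SN-CONSTRUCTED-01",
                     "bit-by-bit image of physical layer", io.BytesIO(original))
    log.transfer("examiner", "evidence room", "sealed storage", io.BytesIO(original))
    log.transfer("evidence room", "analyst", "keyword filtering", io.BytesIO(altered))
    for e in log.breaks():
        print("integrity break:", e["event"], e["received_by"], e["sha256"][:16])
```

Because each entry stores both the custodian and the hash, a mismatch points to the specific transfer after which the copy stopped matching the collected original.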

Consider Using an Experienced Third-Party Service Provider: There are several reasons to consider using an experienced third-party service provider whenever you decide to collect or analyze ESI for potential use at trial. First, they are likely to be able to recover data your IT department could not, based on their experience and specialized tools. Second, service providers are often able to handle every aspect of ESI from collection to presentation, thus decreasing the number of transfers (and potential weak links) your data must undergo. Third, having a neutral party conduct the work can increase the credibility of the evidence in the eyes of the jurors who will be determining the outcome of your case. Lastly, should the need arise, an experienced service provider can provide expert testimony to assist in authentication by testifying as to the reliability of the computer processing system and protocols used in the handling of the electronic evidence.

These simple, yet prudent, measures will go a long way to ensuring that your electronic evidence will be admissible at trial. It truly would be senseless to have gone through the “bother and expense” of gathering ESI only to have a smoking gun be excluded from trial because you failed to take proper precautions.

NEWS & EVENTS

Kroll Ontrack ESI Trends Report Reveals Valuable Insights
A report based on an independent survey conducted by Canvasse Opinion on behalf of Kroll Ontrack reveals valuable insights into ESI management and e-discovery corporate practices in the United States and the United Kingdom. Three key themes with regard to in-house counsel ESI practices emerged from the survey: preparedness, ownership and challenges. Notably, the survey revealed a severe lack of understanding, preparedness and enforcement by organizations regarding how to manage their ESI. The report exposed immense confusion over who within a company is responsible for creating an ESI policy and who is accountable should the policy fail, along with many other significant findings. To download a complimentary copy of the ESI Trends Report, please visit: http://www.krollontrack.com/esitrends/.

Kroll Ontrack Expands Electronic Discovery Support for Documents With Asian Languages
Kroll Ontrack announced on June 25, 2008 the addition of Unicode processing support and multilingual search features to its electronic discovery services. With expanded capabilities that include languages such as Simplified Chinese, Traditional Chinese, Japanese and Korean, Kroll Ontrack is helping global legal teams more quickly and efficiently identify, process, search, review and produce multilingual documents, resulting in time and cost savings.

Kroll Expands Legal Technologies Practice in Asia
Kroll announced on July 1, 2008 the expansion of its Hong Kong office to include Legal Technologies services provided by Kroll Ontrack, a wholly-owned subsidiary of Kroll. Kroll Ontrack has appointed Ben Pasco as managing director of the Legal Technologies practice in Asia. Pasco will be based in Hong Kong, which serves as the region's headquarters. As the recognized world leader in helping companies manage their electronically stored information (ESI), Kroll Ontrack will specifically aid businesses in the Asia Pacific region with their electronic discovery and computer forensics needs for litigation, regulatory matters and internal investigations. US, UK and European companies and law firms will also benefit from this expansion when their matters require data collection or in-country data handling in the Asia-Pacific region.

Meet our representatives at the following events:

7/16/2008 - 7/19/2008
Utah Bar Annual Convention
Sun Valley, ID

7/23/2008
Multilingual E-Discovery: Options, Obstacles & Opportunities
Online Seminar

7/25/2008
NFPA (National Federation of Paralegal Associates)
Aurora, CO

8/7/2008 - 8/8/2008
Kroll Ontrack Electronic Discovery Certification Course
Eden Prairie, MN

8/25/2008 - 8/28/2008
ILTA Annual Convention
Grapevine, TX

9/11/2008 - 9/12/2008
Kroll Ontrack Electronic Discovery Certification Course
Eden Prairie, MN

10/16/2008 - 10/17/2008
Masters Conference for Legal Professionals
Washington, D.C.

10/16/2008 - 10/17/2008
Kroll Ontrack Electronic Discovery Certification Course
Eden Prairie, MN

10/19/2008 - 10/22/2008
ACC Annual Meeting
Seattle, WA

10/23/2008
DRI Annual Meeting
New Orleans, LA

10/27/2008 - 10/29/2008
Techno Forensics
Gaithersburg, MD

10/27/2008 - 10/30/2008
GTEC Conference
Ottawa, Ontario

11/10/2008 - 11/13/2008
Fall Connections
Las Vegas, NV

11/21/2008
Utah Bar Fall Forum
Salt Lake City, UT

Visit www.krollontrack.com/upcomingevents/ for more information on these events and others.

We Request Your Input

Our legal consultants, project managers and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please contact us by writing to gjytyla@krollontrack.com.

This newsletter is written by Joni Shogren and Gina Jytyla, Kroll Ontrack staff attorneys, with assistance from Kelly Kubacki and Meridith Socha, law clerks. Ms. Jytyla can be contacted by writing to gjytyla@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or visit www.krollontrack.com.

 Kroll Ontrack

9023 Columbine Road | Eden Prairie, MN 55347 | 800 347 6105


This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.

© 2008 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.