November 2005 - Volume 3, Issue 11
In This Issue:
FROM THE BENCH: APPELLATE COURT AFFIRMS “TIME BOMB” COMPUTER CONVICTION
THE BRILL FILES: COMPUTER TIME BOMB PLOT EXPLODES
TECHNOLOGY YOU SHOULD KNOW: WHAT IMPACT WILL THE PROPOSED CHANGES TO THE FEDERAL RULES OF CIVIL PROCEDURE HAVE ON COMPUTER FORENSICS?
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: APPELLATE COURT AFFIRMS “TIME BOMB” COMPUTER CONVICTION

Lloyd v. United States, 2005 WL 2009890 (D.N.J. Aug. 16, 2005). The defendant appealed from a conviction under a federal computer fraud statute, arguing, inter alia, the prosecution had tampered with the evidence leading to his conviction. An investigation of the defendant’s former employer’s network revealed that a string of computer commands, designated as a “Time Bomb,” had been programmed to automatically delete massive amounts of the company’s data at a predetermined time. Kroll Ontrack investigated hard drives damaged by the Time Bomb program. On appeal, the defendant argued the government tampered with copies of the hard drives it received back from Kroll Ontrack because the drives were not the same as those provided by the Secret Service. Specifically, the defendant claimed different amounts of "zeroes" were inserted onto the drives. The defendant also alleged his expert fully recovered the lost data once the zeroes were removed. The defendant further argued four files were added onto copies of the drives from Kroll Ontrack, one of which was deleted and no longer contained data and three that consisted of resumes and correspondence documents. Rejecting the defendant’s arguments, the court upheld the defendant’s conviction and found the defendant failed to show the discrepancy among the copied drives was sufficient evidence to overcome the trial court’s determination. See also United States v. Lloyd, 269 F.3d 228 (3rd Cir. 2001).


THE BRILL FILES: COMPUTER TIME BOMB PLOT EXPLODES

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

Timothy Lloyd’s recent appeal in the “Time Bomb” computer virus case mentioned above caught my eye as two of my fellow engineers had originally worked on the case and provided testimony relating to their findings (See United States v. Lloyd, 269 F.3d 228 (3rd Cir. 2001) and Lloyd v. United States, 2005 WL 2009890 (D.N.J. Aug. 16, 2005)). The case was particularly interesting because it was one of the first cases to go to trial under a fairly new federal computer fraud statute – 18 U.S.C. § 1030 Fraud and Related Activities In Connection With Computers.

Lloyd was a former chief network administrator who became disgruntled and was later terminated from Omega Engineering Corp. He left behind a computer "Time Bomb" that was unleashed and resulted in over $10 million in damages to Omega. The Time Bomb deleted design and production programs, prohibiting Omega from keeping manufacturing contracts it had established with the Navy, NASA and various private companies.

Days after the Time Bomb went off and destroyed the company’s file server, Omega contacted Kroll Ontrack to assist with the investigation. In the following months, Kroll Ontrack engineers worked in conjunction with the Secret Service on cracking the case. Working from forensic copies of Omega's damaged hard drives, the engineers located a string of “Time Bomb” computer commands programmed on the file server. The engineers concluded the commands were based on a Microsoft Windows deletion program and were set to automatically delete massive waves of data when the server was booted after a “trigger” date. During their investigation, the engineers compared the strings of commands found on the damaged Omega hard drives to a master hard drive from the Omega file server that was recovered from Lloyd’s house. The result was an identical match in several strings of commands found on the drives.

At trial, one of our engineers testified that the specificity of the commands, coupled with the match of the strings of commands, confirmed the data was deleted as a result of the program. Based on his extensive investigation, the engineer’s testimony suggested that “only an individual with system administrative skills, programming skills, Microsoft Windows experience, and independent knowledge of how to change the deleting program's message could have committed the act of computer sabotage.”

The jury ultimately convicted Lloyd, and he was sentenced to 41 months in prison. In setting off the Time Bomb, Lloyd thought he could get away with sabotaging Omega’s company file server. However, Lloyd’s plan exploded when a lengthy and thorough investigation by seasoned computer forensic engineers linked him to the crime.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***


TECHNOLOGY YOU SHOULD KNOW: WHAT IMPACT WILL THE PROPOSED CHANGES TO THE FEDERAL RULES OF CIVIL PROCEDURE HAVE ON COMPUTER FORENSICS?

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***

In September 2005, the U.S. Judicial Conference approved the proposed amendments to the Federal Rules of Civil Procedure – the “playbook” for civil litigation in the U.S. federal court system. The proposals are aimed at addressing the impact of electronically stored information on civil litigation and include amendments to Rules 16, 26, 33, 34, 37, and 45, along with a related amendment to Form 35. The Rules are projected to take effect on December 1, 2006, once promulgated and approved by the U.S. Supreme Court and Congress.

The adoption of the proposed Rule changes could mean corporations and law firms will need the services of a computer forensic expert in a more significant capacity than ever before. In some cases, courts may order the appointment of an outside expert to assist with complex electronic evidence concerns. From assisting with data preservation to retrieving non-accessible information, a computer forensic expert may provide invaluable assistance in ensuring an electronic data investigation complies with the Rule requirements.

Inspecting, Copying and Sampling Electronic Information: Fed. R. Civ. P. 34(a)
Proposed Rule 34(a) explicitly authorizes a requesting party to “inspect, copy, test, or sample” electronic information. If a party chooses to exercise this authority under proposed Rule 34, a computer forensic expert may play an important role in extracting relevant data and ensuring such access complies with court orders and party stipulations. For example, during the inspection or copying process, an expert can help ensure evidence from the computer system is not damaged, computer viruses are not introduced, extracted data is protected from mechanical or electromagnetic damage, and a proper chain of custody is maintained.

In some cases, a forensic expert may be needed to assist with copying electronic data from a hard drive. Although a forensic “mirror image” (bit-by-bit copy of the hard drive) may not be necessary in every case, it may be important where evidence spoliation is a concern or where maintaining data authenticity and integrity is a key part of the case. After mirror imaging the drive, the expert can then conduct an inspection or investigation on the copy of the drive, certifying the original data is not altered in any way. Once trial is underway, the expert can support the reliability of the evidence by testifying the inspection adhered to strict industry standards and protocols. The inspecting party cannot afford to risk the loss of critical data or to impinge upon the credibility of any data that is recovered by failing to ensure proper safeguards are in place.

Reasonably Accessible Information: Fed. R. Civ. P. 26(b)(2)(B)
Draft Rule 26(b)(2)(B) provides that a party need not produce electronic information that is “not reasonably accessible.” After much public commentary, this amendment was modified to include a test for reasonable accessibility based on the “undue burden or cost” of producing the information.

According to the Advisory Committee Notes on the Proposed Rule, information in this category includes “backup tapes intended for disaster recovery purposes that are often not indexed, organized, or susceptible to electronic searching; legacy data that remains from obsolete systems and is unintelligible on the successor systems; data that was ‘deleted’ but remains in fragmented form, requiring a modern version of forensics to restore and retrieve; and databases that were designed to create certain information in certain ways and that cannot readily create very different kinds or forms of information.”

The Rule change may mean an increase in the need for computer forensic services if difficult-to-access sources of information are deemed relevant and meet the Rule 26 undue burden and cost test. For instance, a computer forensic expert may be able to retrieve deleted data and reconstruct a relevant document. An expert may also assist in recovering physically or logically damaged data that may be crucial to a case, including data that becomes inaccessible as a result of hardware or system malfunction, human error or destruction, software corruption or program malfunction, computer viruses and natural disasters.

Sanctions for Lost Data: Rule 37(f)
Proposed Rule 37(f) gives parties reprieve from judicial sanctions for failing to produce electronically stored information in cases where the information was lost as a result of the “routine, good-faith operation of an electronic information system.” However, under the most recent revision, even if parties act in good faith, sanctions are permitted in “exceptional circumstances.”

In cases where a requesting party suspects a responding party has lost data in bad faith but is attempting to hide behind the Rule 37(f) safe harbor from sanction, a computer forensic expert may be helpful in assessing the responding party’s intentions. In the course of examining a system, the expert may determine whether or not the company willfully destroyed information in an attempt to avoid producing it during legal discovery. On the other hand, an expert can also bolster a responding party’s argument that sanctions are not warranted because the party acted in good faith. For example, after examining a company’s system, the expert may determine the company’s failure to preserve data was a result of automatic overwriting of information.

The adoption of the proposed Federal Rules of Civil Procedure will require companies, law firms and computer forensic or other technical experts to acknowledge the changing procedural landscape when it comes to electronically stored data. Staying on top of the latest developments will put you in the best position to determine when a computer forensic expert is vital in your case. A copy of the draft Rules is available at: http://www.krollontrack.com/rules-statutes/.


KROLL ONTRACK NEWS & EVENTS

Meet Kroll Ontrack Representatives at the Following Events:

12/1/05 - 12/2/05
Eden Prairie, MN
12/6/05 - 12/7/05
New York, NY
12/8/05 - 12/9/05
9th Annual Electronic Discovery & Records Retention Conference, San Francisco, CA

Visit http://www.krollontrack.com/upcoming-events/ for more information on these events and others.


KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or http://www.krollontrack.com/.

© 2005 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105

This document is not intended to provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.

© 2005 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.