|
 
|
Visit www.krollontrack.com where you can now navigate better, faster and more efficiently to get the information you need. Our new resource library www.krollontrack.com/resources/ is one click away and includes case law summaries, publications, state e-discovery rules and statutes, additional newsletters and podcasts. Upcoming events and event materials are also available at: www.krollontrack.com/events/ In This Issue:
Michigan v. Raar, 2008 WL 4228349 (Mich.App. Sept. 16, 2008). In this criminal prosecution, the defendant appealed his jury trial convictions, including a conviction for using the Internet or computer system to engage in criminally prohibited communications. The defendant argued the trial court improperly permitted the government's expert witness to offer opinions on computer activity. At trial, the defendant objected to the expert witness' computer forensics qualifications, but did not specifically identify a basis for objection. Overruling the objection, the trial court noted the expert witness had: over 800 hours of training in computer forensics; three years of experience working in state police computer forensics lab; was a certified member of the International Association of Computer Specialists; and had performed over 100 computer forensic examinations. This court held that the trial court did not abuse its discretion in relying on the forensic expert's testimony and its determination that the witness had "sufficient 'knowledge, skill, experience, training, or education' in the field of computer forensics." To view additional case summaries visit: www.krollontrack.com/case-summaries/.
Internal investigations are not new to the business world, and the focus of the investigation often dictates the person or department driving the investigation. After the much publicized scandals of Enron and WorldCom and the introduction of Sarbanes-Oxley, financial accountability and documentation are under increasingly tight scrutiny. In the situation where an internal investigation involves complex financial matters, it often makes sense to utilize the skills and expertise of a forensic accountant. Forensic accounting is a rapidly growing profession that combines investigative and legal support to companies, law firms, banks and other financial departments or organizations. Forensic accountants provide analysis that can be used in court and other methods of dispute resolution on issues involving finances. Forensic accountants may be involved in a broad range of issues including fraud investigations that involve misrepresentations of a company's financial data, bankruptcy and accountability with applicable regulations. In addition to the investigative support, a forensic accountant may participate in the interviewing process of key players and may also be called as an expert witness to provide testimony on his/her findings. In their work, forensic accountants utilize an understanding of business information and financial reporting systems, accounting and auditing standards and procedures, and evidence gathering and investigative techniques. Many forensic accountants are also playing more proactive risk-reduction roles by designing and performing procedures as part of an audit process, acting as advisers to audit committees and assisting in investment analyst research. A strong accounting background is absolutely essential to a forensic accountant. As such, the recommended path for most forensic accountants begins with obtaining a Certified Public Accounting (CPA) designation. Responding to the increasing demand for a career in financial accounting, colleges and universities are beginning to offer masters programs in this topic, along with scholarships and other opportunities. To enhance one's value as a forensic accountant, I recommend seeking a Certified Forensic Accountant (Cr.FA) accreditation as well as the Certified Fraud Examiner (CFE) accreditation from the Association of Fraud Examiners. Despite the current state of the economy, forensic accounting is a rapidly growing and developing market that provides great opportunities for those seeking a career dashed with accounting principles and detective work. If you would like to explore the opportunity of world-renowned forensics expert, Alan Brill, speaking at a conference you are supporting or organizing, please contact Kristin Husom at 952 516 3781 or at khusom@krollontrack.com.
Computer forensic engineers employ various methodologies and techniques when examining hard drives. One common engineering technique used to determine whether two or more electronic files are mirror images of one another is the creation of a hash value. A hash value is a unique alphanumeric representation of data, a sort of "digital DNA." A hash value, generated by industry standard hashing tools, is created from a data stream input from the source hard drive and is sent via a series of cables and connectors to the computer or other device performing the imaging. Comparing hash values is a generally accepted method of insuring the integrity of a forensic image. Generally, if a hash value of the source drive matches the hash value of the image, the image is said to be an exact copy and "forensically sound." Creation of a hash is commonly practiced as a means to detect illegal video and images, for example, in instances of suspected child pornography. The computer at issue is first "hashed," then imaged, and then the individual imaged file hashes are compared to those of known pornographic files. A recent criminal case highlights this process and considers whether the creation and comparison of hash values constitutes an illegal search in violation of the Fourth Amendment. In United States v. Crist, the defendant filed a motion to suppress evidence recovered from his computer, claiming the search of his computer was warrantless, in violation of his Fourth Amendment Right to be free from unreasonable search or seizure. [United States v. Crist, 2008 WL 4682806 (M.D.Pa. Oct. 22, 2008)]. The facts of Crist are summarized as follows: the defendant was behind on rental payments, so his landlord hired a third party to remove and dispose of his belongings from the apartment. Rather than simply throwing away the defendant's computer, this third party gave it to a friend in need. Upon learning of the disposal, the defendant called the police and reported the theft of his computer, during which time the friend found the child pornography and called the police. Despite the defendant's theft report, the police sent the computer to the Attorney General's office for forensic examination. The forensic examiner followed standard protocol for examining the computer for evidence of child pornography: he hashed and imaged the drive, then hashed the individual files on the image and compared them to known pornographic files. The examiner found evidence of child pornography and the defendant was indicted on charges of knowingly receiving and possessing digital images and video files containing child pornography. The defendant claimed the search of the computer violated his Forth Amendment rights to be free from warrantless searches and argued that the creation of the hash was a warrantless search. The court determined that subjecting the computer to a hash value analysis constituted a search and reasoned that instead of a hard drive being analogous to an individual item; it is comprised of many platters with multiple data storage units. The court went on to hold that since the government was given access to each of these units following the hash, the examination constituted a search and therefore required a warrant. Therefore, the court granted the defendant's motion to suppress the evidence obtained from the forensic search of his computer. Lesson learned: this outcome was very fact-specific, but professionals may be wary of conducting hash analysis on computers without the consent of the owner or first obtaining a valid search warrant. #1 E-Discovery Provider 7th Year in a Row Corporate ESI Policies Are On the Rise, But So Are E-Discovery Risks Last Chance to Attend Redesigned Certification Course in 2008 Meet our representatives at the following events:
Visit http://www.krollontrack.com/upcoming-events/ for more information on these events and others.
Our legal consultants, project managers and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please contact us by writing to jshogren@krollontrack.com. This newsletter was written by Gina Jytyla and Joni Shogren, Kroll Ontrack Staff Attorneys, with assistance from Kelly Kubacki and Meridith Socha, Kroll Ontrack Law Clerks. Ms. Shogren can be contacted by writing to jshogren@krollontrack.com.
|
| |||||||||||||||||||||||||||||||||
From the Bench: Courts Rely on Computer Forensic Experts
9023 Columbine Road | Eden Prairie, MN 55347 | 800 347 6105
Subscription Information
Recently you provided us with permission to send you updates via e-mail. Your information is exclusive to Kroll Ontrack Inc. and is used only to provide information that may benefit you. Kroll Ontrack Inc. does not supply customer information to other third party marketers.
If you would like to change your subscription options, including choosing not to receive any newsletters or sign up for additional newsletters, please visit the link below to access our newsletter service center and follow the easy, on-screen instructions.
http://www.krollontrack.com/newsletter-center/login.aspx
This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.
© 2008 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.