In This Issue:
From the Courts: Evidence obtained from hard
drive in computer forensic investigation does not
violate search and seizure

In a recent criminal case, the government sought and obtained
a search warrant to search and seize a laptop computer
in order to prevent the destruction of evidence. The
warrant did not limit the search to any particular area
of the hard drive. However, it did limit the government
to search for and seize only certain evidence relating
specifically to the charges and to follow detailed
protocols to avoid revealing any privileged information.

So the data would not be altered, the government made
bit-by-bit mirror images of the hard drive and proceeded
with the computer forensic investigation. The Defendants
argued that this mirroring amounted to an unlawful
search and seizure of the entire hard drive and moved to
suppress all evidence from the laptop.

The court determined that although the search warrant
limited the scope of the information that investigators
could search for, technical realities required the
government to make complete mirror images of the hard
drive. Furthermore, the court ruled that copying
computer files does not necessarily constitute seizure
of that data and that examining a computer file more
than once does not constitute multiple searches under
the Fourth Amendment. United States v. Triumph
Capital Group, 211 F.R.D. 31 (D. Conn. 2002).

The People That Make It Happen: Alan Brill
Note: This month's "People That Make It
Happen" column highlights one of our regular
contributors to the Cyber Crime & Computer Forensics
News.

Alan Brill, Senior Managing Director for Kroll's Technology
Services Group (Kroll Ontrack), is a regular speaker
behind the microphone and in front of the camera,
addressing topics like cyber-terrorism and computer
forensics to audiences around the world.

He divides his time between hourly-based consulting work
(usually for projects focused on complex investigations
involving technology issues and proactive engagements
involving information security, planning and strategy),
writing, conducting media interviews, and speaking at
conferences and seminars. His more well-known projects
(at least the ones he can talk about) include the
investigation of the finances of Saddam Hussein prior to
the first Gulf War, the search for the assets of the
former Soviet Union, the investigation into the death of
Vatican Banker Roberto Calvi, and the investigation
leading to the impeachment of Brazilian President
Collor. He has also conducted high-tech related
investigations for many of the most well known computer
and electronics companies in the world. Aside from these
high-visibility cases, Alan regularly consults with
companies on routine projects like document retention
policy development and audit assessments, which require
detailed understanding of computer networks and
technical documentation to ensure proper
compliance.
Based in Kroll Ontrack's lab facility in New
Jersey, he routinely travels more than 100,000 miles a
year on client assignments and speaking at conferences.
Asked to comment on his work, Alan said, "Kroll is in
the unique position of being able to help people and
companies that are facing serious challenges, often
through no fault of their own. Whether it's our data
recovery engineers restoring vital corporate data that
was believed irretrievable, or using our technology
skills in support of multinational Kroll investigations,
what we do makes a big difference to our clients."
Certified both as an Information Systems Security
Professional (CISSP) and Fraud Examiner (CFE), Alan is
the author of five books and dozens of articles
published in magazines ranging from
Computerworld to the FBI Law Enforcement
Bulletin. He is a frequent TV guest commentator on
matters involving technology security and computer
fraud. He has appeared on programs including 60
Minutes, Dateline NBC, network evening news
programs, Good Morning America, CNN, Fox
News, CNBC and MSNBC. His work was featured in
articles in Newsweek, Time, The Wall Street Journal
and USA Today. His work is also featured
in a TV special on cyberwarfare and cyberterrorism to be
shown on The History Channel this spring. His prior TV
special, "Hackers: Outlaws and Angels," appeared on The
Learning Channel in December of 2002.

If you would like to explore the opportunity of Alan Brill
speaking at a conference you are supporting or
organizing, please contact Nicolle Martin at
952-949-4137 or at nmartin@krollontrack.com.

From the Brill File: They Can't Steal What You Don't Store
The Brill File contains reports that are the
equivalent of real-life 21st century fables. Written by
Alan Brill, these accounts reflect his work in the field
with clients who have encountered some not-so-pleasant
events and what was done to remedy the situation.

On a number of occasions, we have worked with clients who
have been the victim of unauthorized computer
intrusions. We help them understand how the incident
happened, who was involved, what data was compromised,
and how to prevent similar incidents from recurring.

In some of those cases, highly sensitive information was
compromised. In carefully examining the logs, records
and files regarding the incident, we often discover that
a lot of the information probably should not have been
retained by the victimized company in the first place.
Today, many businesses are finding "vampire data"
(information that is believed to be gone but really has
been unintentionally retained), which comes back from
the grave to cause problems.

I recall one investigation where we were looking into an
unauthorized computer intrusion. To do so, we began to
review the company under attack and, while searching for
the possible point of intrusion, learned that the
attacked company was retaining credit card numbers
indefinitely, without notification to the customer.
Certainly the company needed the card numbers from the
time of the customers' orders until the transaction was
complete; however, retaining the records indefinitely
could pose a number of problems. We also noted that the
sensitive information was stored in plain text form and
not encrypted for protection. Anyone with access to the
file, or to the backup files, could read the data.

In order to address these problems, a list of measures the
company needed to undertake immediately to ensure better
data retention, filtration and security policies was
developed for the client. After all, when a lawsuit
ensues, you want to be sure there isn't any dirty
laundry in your backyard to distract from the unlawful
act in the matter at hand.

To avoid problems such as these, it is good practice to
review your data retention plan regularly and to
challenge every piece of information you
retain.
- Ask yourself whether you actually need to
retain each piece of data you collect, and how long
you need to retain it for business purposes.
- Working with counsel, identify and understand
any legal or regulatory requirements relating to
records that must be retained.
- Ask whether you disclose to customers (or
others whose information you retain) information about
your retention policies, and whether you can and
should give them the ability to view, modify or change
the information you store about them.
- Determine whether, as a matter of policy,
sensitive information should be stored in an encrypted
form, and only decrypted when necessary.
- When you determine that records can be
periodically purged (for example, you might decide
that newly received e-mails will be retained for 60
days), you need to make sure you have a mechanism to
interrupt the automatic destruction process if counsel
receives a notice to preserve data and
documents.
Records retention and records management policies
are the documents that drive and control the Business
Continuity Management planning process. Building a
backup and recovery plan without understanding records
management requirements can lead to haunting problems
years later.
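
The purge mechanism with a legal-hold interrupt from the last checklist item, sketched as an added example (not part of the original newsletter or any Kroll Ontrack tool). The 60-day e-mail period is the column's; the record fields, category names, hold structure and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period in days per category. 60 days for e-mail is the column's example.
RETENTION_DAYS = {"email": 60}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    custodian: str
    received: date
    transaction_open: bool = False  # only meaningful for card_number records

@dataclass(frozen=True)
class LegalHold:  # hypothetical structure: a preservation notice scoped by counsel
    matter: str
    custodians: frozenset
    categories: frozenset

def held_by(record, holds):
    """Return the matter names of every hold that covers this record."""
    return [h.matter for h in holds
            if record.custodian in h.custodians and record.category in h.categories]

def plan_purge(records, holds, today):
    """Split records into purge / keep / held, checking holds before any deletion."""
    plan = {"purge": [], "keep": [], "held": []}
    for r in records:
        if r.category == "card_number":
            expired = not r.transaction_open   # needed only until the order completes
        elif r.category in RETENTION_DAYS:
            expired = today - r.received > timedelta(days=RETENTION_DAYS[r.category])
        else:
            expired = False                    # assumption: no policy, no auto-destroy
        if not expired:
            plan["keep"].append(r.record_id)
        elif held_by(r, holds):
            plan["held"].append(r.record_id)   # expired, but destruction is suspended
        else:
            plan["purge"].append(r.record_id)
    return plan

# Constructed sample data, not taken from any real case.
TODAY = date(2003, 3, 1)
RECORDS = [
    Record("m1", "email", "alice", date(2002, 12, 1)),
    Record("m2", "email", "bob", date(2002, 12, 1)),
    Record("m3", "email", "alice", date(2003, 2, 20)),
    Record("c1", "card_number", "orders", date(2002, 6, 1), transaction_open=False),
    Record("c2", "card_number", "orders", date(2003, 2, 28), transaction_open=True),
    Record("x1", "hr_file", "alice", date(1999, 1, 1)),
]
HOLDS = [LegalHold("matter-001", frozenset({"alice"}), frozenset({"email"}))]
PLAN = plan_purge(RECORDS, HOLDS, TODAY)
```

Records in the "held" list are past their retention period and would be destroyed as soon as the hold is lifted, so the hold list has to be consulted on every run rather than cached.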

Kroll Ontrack News and Events:
Learn more about electronic discovery and
computer forensics at the following
presentations:
Visit our Upcoming Events section at http://www.krollontrack.com/upcomingevents/
to learn about these presentations and more.

Kroll Ontrack Requests Your Input

Our legal consultants, project managers, and technology
experts strive to stay on top of e-discovery law. If you
are aware of any additional local court rules or new
cases in this area of the law, please do not hesitate to
contact us by writing to abrill@krollontrack.com.

For more information about electronic discovery and computer
forensics services, contact Kroll Ontrack at
1-800-347-6105 or www.krollontrack.com.