April 2006 - Volume 4, Issue 4
In This Issue:
FROM THE BENCH: SUMMARY JUDGMENT MOTIONS DENIED GIVEN DISPUTE OVER LAPTOP DATA
THE BRILL FILES: COMPUTER FORENSIC EXPERTS ASSIST IN CRACKING ATM SKIMMING SCAM
TECHNOLOGY YOU SHOULD KNOW: “POD SLURPING” AND OTHER GADGETS PRESENT DATA THEFT SECURITY CONCERNS
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: SUMMARY JUDGMENT MOTIONS DENIED GIVEN DISPUTE OVER LAPTOP DATA

Olson v. International Bus. Machs., 2006 WL 503291 (D. Minn. Mar. 1, 2006). In a case involving allegations of wrongful termination from employment, the parties filed cross-motions for summary judgment. After terminating the plaintiff, the defendant requested the return of a company-issued laptop and instructed the plaintiff not to make any changes to the laptop. The laptop was returned and examined by a computer forensic expert, who found evidence of data deletion. The expert indicated the computer’s file content was unrecoverable, but file names – several of which related to sexually explicit material – were located. Following the investigation, the plaintiff admitted to deleting data from the laptop after his termination, but testified others, including family and friends, had used the machine. In seeking summary judgment, the defendants claimed they would have terminated the plaintiff if they knew he was visiting Internet sites featuring sexual content. The defendants also claimed the plaintiff’s spoliation of data was grounds for termination. In support of his summary judgment motion, the plaintiff declared the defendants could not prove facts to support their “after-acquired evidence defense.” The court declined to grant summary judgment for either side and found “a factual dispute exists regarding whether [the plaintiff] is responsible for the files found on the laptop and regarding whether [the defendants] would actually have terminated [the plaintiff] in this situation.”


THE BRILL FILES: COMPUTER FORENSIC EXPERTS ASSIST IN CRACKING ATM SKIMMING SCAM

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

As technology continues to evolve each year, so do the methods wrong-doers use to commit high-technology fraud. Some of my European colleagues recently worked with police investigators to crack a case involving “ATM card skimmers,” small devices capable of scanning an ATM card and storing the information contained in the magnetic strip.

In carrying out this ATM scam, a criminal gang opened the casing on an ATM and installed a card skimmer on the inside of the machine. The gang then installed a miniature video recording device (which contained a small laptop hard drive to store the heisted data) and positioned a tiny camera looking down onto the machine’s keypad. The result? The gang could record ATM users entering their PINs and then match the PINs to the skimmed card information. Thus, the gang was able to make and sell complete clones of the ATM cards.

Although the gang was apprehended by the police, investigators were unable to extract evidence from the video recording device because the device’s hard drive had been damaged. The investigators sought our expert assistance to recover the drive, retrieve the crucial data, and maintain a strict chain of custody on the evidence.

First, we used sophisticated data recovery techniques to access the damaged video on the hard drive. We then conducted a search of the recovered information and located damaged and incomplete AVI files (Audio Visual Interleave files, a common format for audio/video data on a computer) on the hard drive. The individual frames from the damaged and incomplete AVI files were then converted into JPEG files.

Although the pictures alone were good evidence, our team of experts did not stop there. We re-built a viewable video from the individual frames. The reconstructed video showed a complete picture of the crime – from the installation of the device to the raid by the police.

Further, by studying the video, our team was able to assist in identifying victims of the scam by providing investigators with a means for identifying the ATM customers’ PINs. In one instance, we used zoom and digital enhancement features to uncover a frame that revealed the reflection of a victim’s wallet in the ATM screen, allowing investigators to identify the make of one of the victim’s ATM cards.

As the ways to commit high-tech crimes and fraud become more complex, so must the methods employed by computer forensic experts called in to crack the case. Using a combination of cutting-edge technology, industry best practices, and old-fashioned creativity, we were able to repair and recover files that were considered impossible to retrieve. By working together, our team of experts was able to provide critical evidence to support the investigators’ case against the gang and assist in cracking this ATM skimming scam.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***


TECHNOLOGY YOU SHOULD KNOW: “POD SLURPING” AND OTHER GADGETS PRESENT DATA THEFT SECURITY CONCERNS

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. This month’s column was authored by Jason Paroff, Esq., the director of Computer Forensics Operations for Kroll Ontrack. ***

“Pod slurping.” The term refers to a computer user’s ability to copy information from a computer hard drive onto iPods or other USB devices capable of holding data (e.g., music players, "thumb" drives and data keys, digital cameras, personal digital assistants, smart phones, etc.). Consider a “pod slurping” program recently created by a security veteran to illustrate the ease with which an employee can heist company data. When the “slurp” software application is run from an iPod, a user can extract approximately 100MB of files in just minutes – by simply plugging an iPod into a USB port. For more information on this story, see http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html.

As illustrated by the “slurp” program, today’s companies face a heightened risk for losing intellectual property and other critical corporate data. From sending facsimiles and e-mails (corporate and non-corporate accounts) to copying data onto a laptop, removable media, or flash media, an employee or other data thief can use a number of methods to steal sensitive electronic information relating to current and former employees, customers, consumers, services, products and more.

When data is stolen, a computer forensic expert can search for evidence of the theft in a variety of locations. Typically, the act of copying data leaves evidence of the transaction mostly on the media receiving the copied data. For example, if data is copied from a laptop to a thumb drive, evidence of the copying generally would be found only on the thumb drive. If that thumb drive is available, a computer forensic expert may be able to uncover a trail of evidence. Even if the data was erased or the thumb drive was re-formatted, evidence of the copying and the dates/times of that copying still may be recoverable.

A forensic expert can detect whether removable media was attached to a computer by analyzing the Windows registry. The registry often reveals the make, model and serial number of all removable devices that were ever attached to the computer. An individual may represent they never attached removable media to a computer, only to have forensics reveal he or she had indeed attached such a device. Often these devices, when produced under subpoena, court order or by consent of the parties, reveal improperly copied company information. If a forensic investigation reveals the existence of removable media, counsel can demand production of these devices and can question a former user about such media through interrogatories and depositions.
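The registry analysis described above, as an added example that is not from the newsletter or from Kroll Ontrack's tooling: on Windows, USB mass-storage devices are recorded under the `Enum\USBSTOR` key, where the key name carries vendor, product and revision and the subkey name carries the serial number. The sketch below parses a text export of that key taken from a forensic image; the sample export is constructed and the function name `parse_usbstor` is hypothetical.

```python
import re

# Constructed sample in the style of a `reg export` of Enum\USBSTOR.
# A real export is UTF-16 text; decode it before passing it in.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Thumb_Drive&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Thumb_Drive&Rev_1.00\0A1B2C3D4E5F&0]
"FriendlyName"="ExampleCo Thumb Drive USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Music_Player&Rev_2.10\6&1a2b3c4d&0]
"FriendlyName"="Generic Music Player USB Device"
'''

# Matches only device-instance keys: ...\USBSTOR\<type>&Ven_..&Prod_..&Rev_..\<instance>
# The leading .* also accepts ControlSet001 etc. from an offline hive.
KEY_RE = re.compile(
    r'^\[.*\\Enum\\USBSTOR\\'
    r'(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)'
    r'&Rev_(?P<rev>[^\\\]]*)\\(?P<instance>[^\\\]]+)\]$'
)
NAME_RE = re.compile(r'^"FriendlyName"="(?P<name>.*)"$')

def parse_usbstor(export_text):
    """Return one dict per removable-storage device instance in the export."""
    devices, current = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            instance = m.group('instance')
            current = {
                'vendor': m.group('vendor').replace('_', ' '),
                'product': m.group('product').replace('_', ' '),
                'revision': m.group('rev'),
                'serial': instance.rsplit('&', 1)[0],
                # Forensic rule of thumb: '&' as the second character means
                # Windows generated the ID; the device reported no serial.
                'unique_serial': not (len(instance) > 1 and instance[1] == '&'),
                'friendly_name': None,
            }
            devices.append(current)
        elif line.startswith('['):
            current = None  # class key or deeper subkey, not a device instance
        elif current is not None:
            n = NAME_RE.match(line)
            if n:
                current['friendly_name'] = n.group('name')
    return devices
```

A device with `unique_serial` set to `False` cannot be tied to one physical unit by serial number alone, which matters when the list is used to demand production of specific media.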

A computer forensic expert also may be able to locate telltale e-mails and attachments by examining relevant time periods on the corporate e-mail server or backup tapes from that server. Depending upon configuration, servers or backup tapes may yield relevant information even if the user tried to cover his or her tracks by deleting e-mails and emptying trash folders. For instance, most e-mail servers are configured to save data even after the user has deleted it.

Examination of Internet browsing histories also may reveal improper usage of Internet mail services such as Hotmail, Google and Yahoo! mail. However, counsel should be aware that state and federal laws may preclude a computer forensic expert from performing an active login to a Webmail account without the account holder’s permission or a court order.

Nevertheless, an expert still may be able to locate and analyze active or previously deleted information on a forensic image of the target media if preserved by the employer. For example, Webmail services often leave behind Temporary Internet Files on a computer that can reveal this type of activity. This evidence can include a listing of the employee’s inbox or even the text of an e-mail message sent to an address owned by a third party. If keywords are provided for the search, fragments of this type of e-mail, which might not be found during a general search, may be found using specialized forensic tools.

With an influx of new gadgets available in today’s marketplace, organizations cannot be too careful in protecting sensitive data. However, even organizations with top physical security, solid corporate computer use policies and procedures, and IT security cannot guarantee complete protection. When data theft does occur, organizations will be in the best position to respond if they have a proactive response strategy in place that includes working with a computer forensic expert who can uncover and analyze the events surrounding the data at issue.


KROLL ONTRACK NEWS & EVENTS

Kroll Ontrack Announces Latest Enhancements to ElectronicDataViewer
On March 29, 2006, Kroll Ontrack announced the release of ElectronicDataViewer v4.2, the latest version of Kroll Ontrack’s state-of-the-art online review tool. The product upgrade includes many enhancements that give legal and document review teams more overall control and the ability to streamline complex searching and coding procedures. Some of the key details include advanced searching capabilities, a comprehensive data dictionary feature, and more than 150 customizable coding options. For more information about the release of ElectronicDataViewer v4.2, visit http://www.krollontrack.com/news/index.aspx?getPressRelease=13084.

Meet Kroll Ontrack Representatives at the Following Events:

4/20/06 - 4/22/06: ABA Tech Show, Chicago, IL
4/28/06: Electronic Evidence and Digital Discovery Institute, Houston, TX
5/9/06 - 5/10/06: LegalWorks – E-Discovery A-Z, New York, NY
5/11/06 - 5/12/06: Paralegal Super Conferences, Minneapolis, MN
5/16/06: ARMA San Antonio E-Discovery Event, San Antonio, TX
5/17/06 - 5/18/06: IQPC Document Retention & Electronic Discovery, Toronto, ON Canada
5/18/06 - 5/19/06: LegalWorks – E-Discovery A-Z, Miami, FL
6/1/06: Document Retention and Destruction in the Age of Electronic Documents, Springfield, MA
6/5/06 - 6/6/06: Legal Tech West Coast, Los Angeles, CA
6/6/06 - 6/7/06: LegalWorks – E-Discovery A-Z, Chicago, IL
6/4/06 - 6/7/06: Techno Security Conference, Myrtle Beach, SC
6/12/06: The 18th Annual General Counsel Forum, New York, NY
6/12/06 - 6/13/06: Electronic Discovery Certification Course, Eden Prairie, MN
6/15/06 - 6/16/06: Paralegal Super Conferences, Houston, TX
6/22/06 - 6/23/06: Paralegal Super Conferences, Phoenix, AZ
7/12/06 - 7/15/06: Utah State Bar Annual Convention, Newport Beach, CA
7/27/06 - 7/28/06: Paralegal Super Conferences, Washington D.C.
9/14/06 - 9/15/06: Electronic Discovery Certification Course, Eden Prairie, MN
10/4/06 - 10/5/06: Paralegal Super Conferences, Philadelphia, PA
10/19/06 - 10/20/06: Paralegal Super Conferences, San Francisco, CA
12/4/06 - 12/5/06: Electronic Discovery Certification Course, Eden Prairie, MN

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.


KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or http://www.krollontrack.com/.

© 2006 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105