FROM THE BENCH: COMPUTER FORENSIC ANALYSIS
ASSISTS COURT IN UPHOLDING BURGLARY
CONVICTION
The Defendant in a recent Tennessee case, State v. Bikrev,
2003 WL 21458683 (Tenn.Crim.App. June 24, 2003), was
charged with and convicted of burglarizing several
computers and other equipment. Appealing his conviction,
the Defendant made the following two arguments: (1) that
the trial court erred in denying his motion for judgment
of acquittal and (2) that the State did not
establish a proper chain of custody concerning the
stolen computer property. After reviewing the facts in
the case and the testimony of several witnesses —
including a computer forensic detective — the appellate
court upheld the trial court’s denial of the acquittal
motion and the admission of evidence.
The victims in the case owned a home-based computer business
that they operated through a rented storage unit. The
Defendant was one of the victims’ customers, having
purchased a computer, monitor, keyboard, and mouse from
the victims’ business. Two days after the computer sale
to the Defendant, the victims discovered that their
storage unit had been broken into and over $7,000 of
equipment was missing.
Several months later, the police located the
victims’ computer equipment. After the items were
identified, the waterlogged computers were released to the
victims so they could dry them out at home. The police instructed
the victims to return the computers if they noticed
anything significant once the computers were operable.
Twenty-four hours later, the victims returned the
computer equipment to the police because, once they were
able to dry out the equipment, the victims noticed
approximately twenty-eight new files placed on the
computer.
A police detective conducted a computer forensic
investigation and was able to locate a file containing
the Defendant’s personal contact information. In
addition, the detective determined that the new files
placed on the stolen computer were created a few days
after the victims’ storage unit was burglarized. Based
upon the computer’s registry files, the detective was
able to show that the victims had not created or changed
any of the evidence used against the Defendant when the
victims booted the computer at home after drying out the
wet equipment.
The appellate court concluded that the State established a
sufficient chain of custody of the recovered stolen
property to justify its admission into evidence.
Although the victims possessed the recovered property
for approximately twenty-four hours, computer forensic
analysis revealed there was no evidence of tampering,
loss, substitution, or mistake regarding the recovered
property. The appellate court upheld the Defendant’s
burglary conviction.
THE BRILL FILE:
JUMPING TO CONCLUSIONS IS NOT AN OLYMPIC SPORT – PART
II
*** The Brill Files, written by Alan Brill,
Senior Managing Director for Kroll Ontrack, reflect his
work in the field with clients who have encountered some
unique and interesting situations.
Jumping to conclusions can undermine any
investigator’s case, including a computer forensic
expert digging for digital fingerprints. In last month’s
edition, I addressed how sometimes it is easy to jump to
plausible computer forensic conclusions without having
the necessary evidence for support. This month I will
address another area where it is easy to make
unsupported computer forensic assumptions – computer
ownership and possession.
Whose computer is it, anyway?
One issue I have seen over the years is so simple that it is
often overlooked, but can result in an immediate
undermining of a computer professional’s work. It
involves how you identify a computer that you have been
asked to investigate.
Years ago, I worked on computer systems that
supported a large bank’s “bank safekeeping” program.
People with trust accounts would sometimes bring in
objects to be stored in the bank’s vault. The first
lesson that I learned in working on this project was
that these folks were very fond of the statement “said
to contain.” For example, if a client brought in a small
velvet bag and told his or her account officer that it
contained 500 blue-white two-carat flawless diamonds,
the bank did not make any assumptions. Rather, they put
the bag in a secure container and entered the
description qualified by the term “said to contain.” The
bank did not independently verify what was in the velvet
bag, just reported what the customer stated was in the
velvet bag. There is obviously a big
difference.
In computer forensics, we analyze data that we may have
obtained out in the field, or which may have been
shipped to us. We may have been told that a given
computer was the one used by “Sally Smith.” But does
that make it Sally’s PC? It is vital for forensic
specialists to document where they got the evidence they
are examining. Were we told by someone that it was her
machine? Did we find it in an office with her name on
the door and pictures of her family all around the
desktop?
In our personal knowledge, is it more appropriate to refer
to the machine as “Sally’s computer” or “the computer
said by XYZ Corporation to be the one Sally used”? Are
we careful to make a distinction between “we found the
file on the machine identified to us as Sally’s” and
“Sally put it on the machine”? They are different, but
it is easy to make the leap of assumption from one to
another.
In looking at computer forensic evidence, be sure that you
are saying what you actually mean, and that you are not
making assumptions or jumping to conclusions that you
cannot support with investigative
findings.
Kroll Ontrack News and Events:
To learn more about electronic discovery and computer
forensics, attend one of these events:
Visit our Upcoming Events section at http://www.krollontrack.com/upcomingevents/
to learn about these presentations and more.
Kroll Ontrack Requests Your Input
Our legal consultants, project managers, and technology
experts strive to stay on top of e-evidence law. If you
are aware of any additional local court rules or new
cases in this area of the law, please do not hesitate to
contact us by writing to electronicdiscovery@krollontrack.com.
For more information about electronic discovery and computer
forensics services, contact Kroll Ontrack at
1-800-347-6105 or www.krollontrack.com.