August 2004 - Volume 2, Issue 8
In This Issue:
FROM THE BENCH: COMPUTER FORENSICS EXPERT UNCOVERS FALSIFIED ELECTRONIC DOCUMENTS
THE BRILL FILES: PLANNING PRESERVATION OF POTENTIAL E-EVIDENCE
TECHNOLOGY YOU SHOULD KNOW: DETECTING AND PROVING INTERNAL DATA THEFT
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: COMPUTER FORENSICS EXPERT UNCOVERS FALSIFIED ELECTRONIC DOCUMENTS

Using various tools and techniques, a computer forensics expert can uncover key aspects about electronic evidence including when documents were created, last accessed, and last modified. In People v. Superior Court, 2004 WL 1468698 (Cal. Ct. App. June 29, 2004), a case arising from a fraud and grand theft investigation, an expert identified critical information about the electronically created documents at issue in the suit.

In People, the plaintiff accused the defendant of creating false, backdated electronic documents after his company was served with a federal subpoena requiring him to produce certain documents. The false documents included an inaccurate billing statement and five letters pertaining to “future” meetings. A computer forensics investigation of the defendant’s computer revealed that the letters were created after the “future” meetings were set to occur. In addition, the billing statement was created within an hour of the letters.

The trial court decided this evidence was insufficient to show the defendant created the documents after he found out about the audit. On appeal, the government argued that the defendant’s fellow director knew about the audit the day before the defendant created the documents. Determining this evidence supported the government’s argument, the appellate court reversed the trial court’s decision and declared a reasonable person could conclude the defendant was aware of the audit when he created the backdated documents.
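The timeline reasoning described in this case, sketched as an added example (not the examiner's method and not taken from the court record). The file names, timestamps and field names are constructed; real file-system timestamps follow the system clock and are corroborated against other artifacts before conclusions are drawn.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records: file-system creation time of each document and,
# where the text refers to an upcoming meeting, the date of that meeting.
DOCS = [
    {"name": "letter_a.doc", "fs_created": "2003-05-14 09:02", "event_date": "2003-02-10"},
    {"name": "letter_b.doc", "fs_created": "2003-05-14 09:20", "event_date": "2003-03-03"},
    {"name": "letter_c.doc", "fs_created": "2003-01-05 14:00", "event_date": "2003-01-20"},
    {"name": "billing_statement.xls", "fs_created": "2003-05-14 09:55", "event_date": None},
    {"name": "memo.doc", "fs_created": "2003-04-01 11:00", "event_date": None},
]

def created(doc):
    """Parse the recorded file-system creation time."""
    return datetime.strptime(doc["fs_created"], FMT)

def backdated(docs):
    """Names of documents that describe an event as upcoming but were created after it."""
    flagged = []
    for doc in docs:
        event = doc.get("event_date")
        if event is None:
            continue
        # The event counts as "future" only if the file predates the end of that day.
        event_end = datetime.strptime(event, "%Y-%m-%d") + timedelta(days=1)
        if created(doc) >= event_end:
            flagged.append(doc["name"])
    return flagged

def created_near(docs, anchor_names, window=timedelta(hours=1)):
    """Names of other documents created within `window` of any anchor document."""
    anchors = [created(d) for d in docs if d["name"] in anchor_names]
    return [d["name"] for d in docs
            if d["name"] not in anchor_names
            and any(abs(created(d) - a) <= window for a in anchors)]

if __name__ == "__main__":
    suspects = backdated(DOCS)
    print("Created after the 'future' event:", suspects)
    print("Created within an hour of those:", created_near(DOCS, suspects))
```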

THE BRILL FILES: PLANNING PRESERVATION OF POTENTIAL E-EVIDENCE

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

In one of my first jobs, I worked as a software developer for the Apollo moon landing program at the NASA Manned Spacecraft Center (now called the Johnson Space Center) in Houston. From day one, I learned that failing to carefully program every line of software code could have life-or-death consequences for the astronauts. As NASA Flight Director Gene Kranz pointed out during Apollo 13, “Failure is not an option.” With this in mind, we carefully tested our programs as exhaustively as we could. As a result of our efforts and in spite of our primitive 1960s technology (large slide rules and huge mainframe computers with very limited processing power), astronauts safely launched and departed from the moon.

Careful preparation has continued to be necessary in my work as a computer forensics investigator. All too often, when circumstances arise in a corporation where computer forensics may be needed, it seems like planning is ignored. Some IT departments carelessly reassign machines containing potentially valuable information to other users, wiping their hard drives prior to loading fresh software for the next user. We also find cases in which well-intentioned technical staff decided to take “just a quick look” at the data on a drive and, in the process, unintentionally change significant metadata information within a document. In other cases, backup files are recycled and overwritten, eliminating useful electronic data.

Preventing the loss of potentially valuable information is easy with a few simple precautions. To ensure you avoid destroying potential electronic evidence, follow this checklist:

  • Brainstorm about where possible evidence may be located.
  • Take a few minutes to save any potential evidence; this can pay big dividends later on.
  • Programs like Symantec Ghost, when configured correctly, documented properly, and accurately executed, can help save the day in many situations.
  • Stop automatic destruction protocols if email might become relevant evidence.
  • Do not overwrite backup tapes for re-use if they might contain potential evidence.
  • If you think a computer hard drive may be of value, consider taking the machine out of service or, at the very least, replacing the hard drive. Document where the old hard drive came from and store it in a secure location.
  • Do not hesitate to seek expert help – getting some up-front advice can prevent the kind of errors that are easily avoided, but difficult to recover from.

Most importantly, counsel, technicians and experts should work together to proactively develop a strategy that will help prevent the loss of potentially indispensable evidence. In working together, the best solutions for particular environments can emerge.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***

TECHNOLOGY YOU SHOULD KNOW: DETECTING AND PROVING INTERNAL DATA THEFT

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. ***

In most organizations, proprietary data is a critical asset and can cost companies millions of dollars if stolen. In fact, according to the 2004 CSI/FBI Computer Crime and Security Survey, theft of proprietary information is the second most expensive computer crime, costing organizations approximately $11.46 million. While many companies take precautions to defend against outside threats to their intellectual property, organizations in the 21st century also need to consider potential internal threats, namely the disgruntled employee.

Theft of proprietary information is more likely to occur among employees than external hackers because employees have nearly unfettered access to much of a company’s sensitive data. In addition, employees are typically able to avoid firewalls, traditional outward-looking intrusion detection systems, and other forms of computer security.

Corporations should consider the following sources when they suspect a disgruntled employee has stolen proprietary information:

  • Email - One in 10 employees has received confidential company information via e-mail, and 79% of employees admit to sharing confidential information with other companies via e-mail.
    (http://www.internetmanager.com/pdf/emailpolicy.pdf)
  • Instant Messaging - Unless preventative controls are in place, employees can use IM tools to send small amounts of text and to transfer files. Some of the IM packages are sophisticated enough to search for an unused Internet Protocol port (there are 64,000 of them for each Internet connection) and run themselves through that port to avoid detection.
  • CD-ROMs or DVDs - Floppy disks are quickly becoming an outdated medium for copying information. Instead, gigabytes of data can be burnt to DVDs or CDs in just a few minutes.
  • PDAs - Personal Digital Assistants, such as Palm Pilots, BlackBerries, and PocketPCs, can be used to covertly carry data out of an organization.
  • USB drives - USB drives (a.k.a. pen drives, thumb drives, lipstick drives) are typically the size of a tube of lipstick or a human thumb and make it possible for employees to take data out of a company quickly, quietly and discreetly. In addition, devices such as watches, Swiss Army Knives and key rings have all been fitted with USB drive attachments.
  • Digital Cameras - Devices of all sizes are being fitted with digital camera capabilities, allowing an employee to take a picture of highly sensitive areas or documents. When connected to a computer through a USB port, a digital camera appears to the computer as a local hard drive, which can contain up to four gigabytes of storage capacity.
  • Other high-tech gadgets - Wireless networks, Bluetooth dongles (which allow you to connect a mobile phone or PDA to a computer), and Firewire hard drives also multiply the threat.

An experienced computer forensic expert can assist during or after an incident where data theft is believed to have occurred. The expert can help prove what data has been or is being stolen as well as ascertain the source of theft. In addition, computer forensic experts are also very useful resources when trying to secure your system. They can help to focus your security expenditures toward preventing issues that are most likely to represent a realistic risk.

KROLL ONTRACK NEWS & EVENTS

Meet Kroll Ontrack Representatives at the Following Events:

8/23/04 - 8/26/04 LawNet 2004: A New Tradition Phoenix, AZ
9/9/04 Paralegal SuperConference Chicago, IL
9/16/04 - 9/17/04 E-Discovery Certification Course Eden Prairie, MN
9/20/04 - 9/21/04 Glasser E-Discovery "A-to-Z" Workshop Chicago, IL
9/27/04 - 9/28/04 Glasser E-Discovery "A-to-Z" Workshop San Francisco, CA
9/29/04 Hennepin County Bar Association CLE Minneapolis, MN
10/5/04 American Lawyer Media: e-Discovery Conference New York, NY
10/7/04 - 10/8/04 Paralegal SuperConference Atlanta, GA
12/2/04 - 12/3/04 E-Discovery Certification Course Eden Prairie, MN

Visit http://www.krollontrack.com/eEvidence/UpcomingEvents/ for more information on these events and others.

KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to mlange@krollontrack.com.

Michele C.S. Lange, staff attorney with Kroll Ontrack, wrote portions of this newsletter. Charity Delich, a Kroll Ontrack law clerk, helped prepare the case summaries. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensic services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.

© 2004 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105