| In This Issue:
 FROM
THE BENCH: APPELLATE COURTS ADDRESS THE USE OF DATA
WIPING ULITILIES
Appellate Court Upholds Lower Court’s
Spoliation of Electronic Evidence Rulings
Foust v. McFarland, 698 N.W.2d 24 (Minn. Ct.
App. 2005). The defendants appealed an $11 million jury
verdict in a personal injury lawsuit involving an automobile
accident. Specifically, the defendants argued that the
trial court erred by barring evidence relating to the
plaintiff’s intentional spoliation of electronic
evidence. The defendants also contended the court should
have granted a mistrial or dismissed the case with prejudice,
instead of granting a spoliation adverse inference instruction.
Upon examining the plaintiff’s computer, the defendants’
computer forensic expert had discovered evidence of
child pornography, illegal downloads of intellectual
property, and evidence that a software wiping program
was used in an attempt to permanently delete data from
the computer hard drive. The trial court refused to
admit the evidence on the grounds that it was more prejudicial
than probative. The trial court further concluded an
adverse inference instruction was an appropriate spoliation
sanction in light of the circumstances. On appeal, the
appellate court determined the trial court properly
issued the adverse inference instruction and concluded
that intentional spoliation did not create “a
presumption that a dismissal with prejudice of the spoiling
party’s claims is the best and fairest sanction.”
The appellate court also found the spoliation evidence
was appropriately excluded as “some of the information
was character assassination and was more prejudicial
than probative.”
Appellate Court Upholds Admission of Evidence
Contained on Defendant’s Laptop
State v. Tripp, 2005 WL 1330695 (Mo. Ct. App.
June 7, 2005). The defendant appealed a murder, rape
and kidnapping conviction, arguing the trial court erred
in admitting evidence regarding the contents of his
laptop. The defendant alleged, inter alia,
the testimony was legally irrelevant and that its prejudicial
effect outweighed any probative value it might have
had. At trial, the State’s computer forensic expert
testified that a significant amount of unallocated space
remained on the hard drive and that the space was filled
with zeros. The expert also uncovered a reference to
“wipinfo.exe” in the computer’s swap
file on the hard drive. Based on these factors, the
expert concluded that a wiping utility was used on the
computer and that 160 files had been accessed, modified
or deleted the day the victim disappeared. The defendant’s
computer expert argued it was impossible to distinguish
between a hard drive on which a wiping utility had been
used and a hard drive on which the unallocated space
was in the same condition as it was when the manufacturer
delivered it. On appeal, the court noted the “State's
position would be stronger if there had been any testimony
or other evidence that suggested that the laptop ever
had anything on it that would connect [the defendant]
with the offenses for which he was being tried.”
Despite this, the court affirmed the trial court’s
judgment, stating that admission of the testimony and
evidence did not constitute plain error as the state
only made a passing reference to the free space on the
computer and the evidence of a wiping utility.
THE BRILL FILES: PURSUING A TRAIL OF ELECTRONIC CRUMBS
*** Written by Alan Brill, Senior Managing Director for Kroll
Ontrack, The Brill Files reflects his work in the field
with clients who have encountered some not-so-pleasant
events and what was done to remedy the situation. With
more than 25 years of consulting experience, Mr. Brill
has assisted organizations with a wide range of technology
security issues and is an internationally recognized
speaker and instructor. ***
Like Hansel and Gretel, individuals leave a trail of
crumbs as they wander cyberspace or work on their computer
desktops, laptops, Palm handhelds, or BlackBerries.
Following those crumbs, our computer forensic experts
are able to pin down the “who, what, when, where
and how” on a wide variety of cases, uncovering
data in places that others may have never known it could
exist.
A computer forensic analysis generally involves recreating
a specific chain of events or user activity, including
Internet activity, e-mail communication, and file deletion.
Part of the analysis may include searching for keywords
and dates and determining what resulting data is relevant.
Experts will also look for trails of copies of previous
document drafts and the existence of certain programs
such as file deletion and wiping programs. In addition,
an expert may be able to authenticate data files and
the date and time stamps of those files.
A recent case illustrates the path computer forensic
experts often uncover in order to discover what happened
in a particular situation. A large pharmaceutical corporation
approached us with a request for help on an internal
investigation relating to insider trading. They suspected
one of its employees, a manager at the corporation,
had obtained some inside information about an upcoming
merger. Before the information became public, the manager
purchased a large amount of stock, further raising the
corporation’s suspicions.
After investigating the manager’s laptop, our
engineers discovered a trail confirming the manager
had visited numerous financial Web sites, looking for
financial information relating to the corporation’s
stock. Using keyword searches, the engineers concluded
the manager performed numerous searches for the corporation’s
information. This was proven by trails left in the computer’s
search engine history, temporary Internet files, and
fragments from several deleted documents.
Cases like this one illustrate that while it may take
analysis of multiple devices in order to get to the
end of the trail, a computer forensic expert can help
seek the truth in a particular case by putting together
a timeline of what happened on a piece of media.
*** If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Michele Lange at (952)
906-4927 or at mlange@krollontrack.com.
***
TECHNOLOGY YOU SHOULD KNOW: BREAKING PASSWORDS –
UNCOVERING CASE-WINNING INFORMATION
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators are expected to understand the inner
workings of computers and how they relate to computer
conduct issues. ***
From preventing unauthorized access to a PC, laptop,
BlackBerry, or PDA to restricting access to Excel spreadsheets,
Word documents or other computer files, passwords are
an essential tool – although not the only tool
-- for today’s corporations seeking to protect
confidential data. In some cases, a user will password
protect and/or encrypt a digital device, such as a hard
drive or flash media.
Despite the many security benefits they offer, passwords
may pose a problem in some cases. For instance, a corporation
that suspects a former employee stole proprietary or
confidential data may face the frustration of attempting
to access password-protected files on the employee’s
computer. Unless the password protection is circumvented,
the corporation may not be able to access the necessary
data, possibly preventing them from proving the employee
stole the information.
The art of password breaking involves deciphering and
recovering confidential passwords stored on a computer
system. In some cases, password breaking might help
an individual user recover a forgotten password or a
system administrator check for easily cracked passwords.
In other cases, a hacker may crack passwords in order
to gain unauthorized access to a system or files. For
the computer forensic expert, password breaking can
be an essential tool in a search for digital evidence
from protected files, protected systems (log in passwords)
or protected devices like USB memory or PDAs. An expert
with the right tools and technology can break passwords
set on documents such as Word, Excel, PowerPoint, Access,
Adobe Acrobat, and .ZIP files nearly 99% of the time.
Some common types of passwords include those listed
below.
Remote Access Passwords
Remote access allows a user to access a computer or
a network from a remote location, such as a hotel or
their home office. This service is particularly useful
for corporations who have employees that need access
to the company’s network but are located at branch
offices, home offices, or are traveling.
When accessing a network from remote locations, users
will dial in to the network using a log in name and
password. Determining these passwords, or bypassing
them, may require thinking outside the box. For instance,
it is common for people to use the same passwords for
multiple purposes. If an expert attempting to crack
the password can identify other passwords the person
uses – in Word files, for example – that
same password may well be the one that works. In other
cases, system administrators can provide access to the
network.
Password-Protected Files
Password-protected documents can pose challenges to
companies searching for clues from digital files. When
investigating a password-protected file, a computer
forensic expert can often crack the password using a
combination of password-breaking software and their
own experience and training.
The amount of time it will take to recover the password
varies depending upon the length or complexity of the
password, the strength of the software’s password
system, and the tools available to the expert. For example,
passwords are fairly easy to recover and can often be
broken in minutes from files such as Outlook, QuatroPro,
ACT, and Organizer. Paradox or WordPerfect files may
take several hours or a couple of days to crack. More
complex files – like those from Excel and Word
’97 and 2000 – can take as much as a couple
of weeks to break and there are no guarantees that such
files can be broken in the time available.
Encrypted Passwords
While password protection denies access to a user without
the password, it does not alter the data within the
document it is protecting. Encryption, on the other
hand, scrambles the data so that without the password,
a user cannot access or even view the data with low
level utilities like hex editors.
Encrypted passwords are typically the most difficult
type of password to crack because of the need to unscramble
the data. Data can be encrypted using a variety of techniques,
some of which are stronger than others. Some simple
crypto-systems can be broken easily with the right tools.
On the other hand, data encrypted using a stronger system
may be effectively unbreakable. In some cases, decrypting
passwords simply cannot be done. In such instances,
the expert will investigate other passwords used by
the person (as described above) or consider other ways
of getting the needed data.
In the end, if a company is seeking to obtain data
stored in password-protected or encrypted files, a computer
forensic expert may be able to crack the password and
retrieve the information. The crucial aspect of a successful
password recovery is often the result of a comprehensive
investigation by trained and experienced computer forensic
experts equipped with the right tools. If password-breaking
is the key to uncovering an essential piece of evidence
in an investigation or litigation, choose an expert
who is familiar with best practices techniques and has
a collection of industry standard and proprietary tools.
KROLL ONTRACK NEWS & EVENTS
Growth of Legal Technology Industry Fuels Job
Opportunities
As a result of the growth in the legal technologies
industry, Kroll Ontrack is seeking qualified candidates
for several available Discovery Services Project Manager
positions. Among other duties, these individuals will
be responsible for managing multiple projects from lead
to close-out and assisting with project scoping, conference
calls, and customer presentations.
For more information about these opportunities and
other open positions at Kroll Ontrack, visit: http://www.krollontrack.com/careers/jobsearch.asp.
Meet Kroll Ontrack Representatives at the Following
Events:
|
8/16/05 |
District
1 Meeting: Pitfalls to Avoid in the Age of Electronic
Communication |
Los
Angeles, CA |
|
8/22/05
- 8/23/05 |
CPA
Associates International |
Chicago,
IL |
|
8/22/05
- 8/25/05 |
ILTA
2005 |
Phoenix,
AZ |
|
8/29/05
- 8/31/05 |
HTCIA
2005 International Conference, Training & Expo |
Monterey,
CA |
|
9/12/05
- 9/13/05 |
|
Eden
Prairie, MN |
|
9/22/05
- 9/23/05 |
Glasser
LegalWorks - E-Discovery: An A-to-Z Workshop |
Los
Angeles, CA |
|
10/17/05
- 10/19/05 |
ACC’s
2005 Annual Meeting |
Washington,
D.C. |
|
10/19/05
- 10/23/05 |
DRI
2005 Annual Meeting |
Chicago,
IL |
|
11/2/05
- 11/5/05 |
National
Conference of Bankruptcy Judges 79th Annual Meeting |
San
Antonio, TX |
|
12/1/05
- 12/2/05 |
|
Eden
Prairie, MN |
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.
|
