In This Issue:
FROM THE BENCH: COURTS EXAMINE EXPERT TESTIMONY ON COMPUTER FORENSIC ISSUES
Oved & Assocs. Constr. Servs., Inc. v. Los Angeles County Metro. Transp. Auth., 2006 WL 1703824 (Cal. Ct. App. June 22, 2006).
In a construction dispute, the appellate court affirmed the trial court’s award of terminating sanctions against the defendant for years of discovery abuses and the intentional spoliation of evidence. After the defendant repeatedly failed to produce financial documents responsive to the plaintiffs’ discovery requests, the plaintiffs sought an order to conduct a forensic examination of the defendant’s computer hard drive. When the trial court granted the plaintiffs’ request, the defendant filed an interlocutory appeal. The retained computer forensic examiner determined that a number of individual files had been selected and manually deleted. In addition, the expert testified that the recycle bin had been emptied on the same day the Court of Appeals denied the defendant’s appeal and issued an order to preserve and produce the computer hard drive. Finding that the financial records were integral to the case, the court observed, “[the defendant’s] conduct effectively destroys the ability of [the plaintiffs] to litigate the trial.” In affirming the default judgment against the defendant, the appellate court noted, “any lesser sanction for this willful failure to comply would have condoned [the defendant’s] behavior and by definition would have been insufficient.” The court also awarded the plaintiffs attorney fees and the costs of appeal.
Griggs v. Harrah’s Casino, 929 So. 2d 204 (La. Ct. App. 2006).
In a casino gaming dispute, the defendants appealed the trial court’s decision as erroneous for relying on witness testimony rather than forensic tests in ruling that the plaintiffs had won a slot machine jackpot. The defendants offered the testimony of several experts who, after conducting a forensic examination of the slot machine’s computer microprocessor, concluded that no jackpot had been won. However, one of the defendants’ experts had made a pre-trial statement suggesting that data had been lost, casting his conclusions into doubt. The plaintiffs’ expert did not examine the slot machine, but opined that the record of the win had been stored in temporary memory that was lost or corrupted when the casino technician powered the slot machine off and on before a forensic examination could be conducted. The appellate court affirmed, holding that the eyewitness testimony provided an adequate basis for the verdict and that the admissions of the defendants’ forensic experts gave the jury reason to doubt their testimony.
MGE UPS Systems v. Fakouri Electrical Engineering, Inc., 2006 WL 680513 (N.D. Tex. March 14, 2006).
The defendants filed a motion to strike the plaintiff’s expert testimony, claiming the expert had contaminated and destroyed electronic evidence by using improper forensic methodology. The defendants’ expert contended that the plaintiff’s expert had made a number of errors in examining six impounded laptop computers, specifically that he: (1) used a methodology that deleted 71 files on the computers; (2) used a methodology that contaminated and altered the date and time stamps on 8,803 files on the computers; (3) did not use sanitized floppy disks to boot the computers or to copy data from them; (4) performed multiple forced shutdowns on the computers that may have created a number of cross-linked files found on them; (5) used improper ghosting procedures to image the computers’ hard drives and obtained only part of the data on the computers; and (6) used computers without wiped hard drives during the ghosting procedure. Although the court found evidence that some files were deleted or altered, it accepted the plaintiff’s expert’s explanation that he had excluded the compromised electronic data in reaching his conclusions. The court denied the defendants’ motion, finding the expert’s qualifications and explanations of his methodology “were sufficiently reliable and that he applied the principles and methods reliably.” The court also refused the defendants’ motion to limit the subject area of the plaintiff’s expert, holding that FRE Rule 702 and Daubert principles would be inconsistent with attempting “to parse these computer issues and the experts allowed to discuss them into very narrow specialties.”
THE BRILL FILES: HASHING & HARDWARE – IMPROPER IMAGING CAN LEAD TO FAULTY FORENSIC FINDINGS
*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. This month’s column was co-authored by Jason Paroff, Esq., the director of Computer Forensics Operations for Kroll Ontrack. ***
In an investigation concerning possible involvement in a corporate money laundering scheme, a pharmaceutical company hired a computer forensic expert to image and analyze the contents of an executive’s home computer hard drive. Upon completing the investigation, the expert concluded a user wiped files on the drive using data wiping software and then reformatted the drive. The expert also surmised that the user copied data off of the drive prior to using the wiping software.
The executive opted to hire her own computer forensic expert and called upon Kroll Ontrack to analyze the same drive. Working from a mirror image of the original drive, we conducted our own independent forensic investigation. The results showed no evidence of data wiping or reformatting. Upon reviewing the other expert’s procedures, Kroll Ontrack discovered that he had worked from a faulty mirror image, which led him to a series of flawed conclusions about the executive’s computer activities. During imaging, a hardware defect had corrupted the image, and the corrupted regions looked like the traces of a drive format. While data corruption of this nature during imaging is rare, it can occur when defective cabling, a defective write blocker (a hardware device used during the imaging process to prevent changes to the data on the original hard drive) or other defective hardware is used.
When a hard drive is imaged, data passes via cable from the source hard drive to the target hard drive. Often the data passes through a write blocker, a sort of one-way gate, to ensure that writes occur only on the target drive and that nothing can be written back to the original source drive. From the write blocker, the data is transferred to the target hard drive. Each cable and junction presents the possibility of a poor connection or damaged wires, and often these anomalies cannot be seen with the naked eye or easily detected by the attached equipment. In addition, these cables have maximum recommended lengths. Exceeding these lengths, and sometimes even approaching them, can result in unreliable data transmission. If cables are damaged or poorly attached, the data may not be read or transmitted correctly, and problems such as bit corruption or sector rotation may be difficult to detect.
Comparing hash values is the generally accepted method of ensuring the integrity of a forensic image. A hash value, generated by an industry standard hashing tool, is computed over the data stream read from the source hard drive, and that stream reaches the computer or other device performing the imaging through the same series of cables and connectors used to make the image. Generally, if the hash value of the source drive matches the hash value of the image, the image is said to be an exact copy and “forensically sound.” If the cables or other hardware used during imaging are damaged, however, the data can be corrupted in transit, and the hash values will not necessarily reveal it. In other words, if the cable used during imaging is consistently bad and produces the same errors on every read, a hash of the source drive taken over that cable will match the hash of the image taken over that same cable even though the image is corrupt. The match proves only that two reads through the same path agreed, not that the image matches what is on the platters. Thus, even though the hash values appear correct, the data may not have been accurately transmitted to the image. A second read of the source through different cabling, or on a different imaging station, is a stronger check than re-hashing over the same hardware, because an error introduced by the faulty path then shows up as a mismatch.
Although faulty imaging is rare, it can lead to erroneous conclusions if an expert fails to recognize it before conducting a forensic analysis. Many experts appear qualified because they have attended industry-recognized training and achieved industry-recognized certifications, yet they often lack the experience of imaging thousands of drives, which is what tends to reveal these issues. In addition, many experts may not have proper image validation processes in place to recognize and avoid problems when imaging drives.
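The following is an added example, not code from the column or from Kroll Ontrack, that reproduces the failure mode described above on a constructed "drive": a deterministic cable fault (one data line stuck high) passes a same-path hash comparison, while an intermittent fault and an independent-path re-read are caught. The drive contents, the cable models, the sector size and all function names are assumptions made for the demonstration.

```python
# Added example for the column above; it is not Kroll Ontrack's code.  The "drive",
# the cables and every value here are constructed stand-ins for the demonstration.
import hashlib
import random

SECTOR = 512


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_drive(n_sectors: int, seed: int = 7) -> bytes:
    """Constructed source drive: deterministic pseudo-random sector contents."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_sectors * SECTOR))


def good_cable(data: bytes) -> bytes:
    """A sound read path delivers the bytes unchanged."""
    return data


def stuck_bit_cable(data: bytes) -> bytes:
    """Constructed fault: one data line is stuck high, so bit 5 of every byte
    arrives set.  The fault is deterministic: every read over this path is
    identical, which is the case the column describes."""
    return bytes(b | 0x20 for b in data)


class FlakyCable:
    """Constructed intermittent fault: each read corrupts a different byte.
    Repeated reads differ, so even a re-hash over the same path catches it."""

    def __init__(self) -> None:
        self.reads = 0

    def __call__(self, data: bytes) -> bytes:
        self.reads += 1
        out = bytearray(data)
        out[(self.reads * 997) % len(out)] ^= 0x01
        return bytes(out)


def acquire(drive: bytes, cable):
    """Image the drive through `cable`.  The acquisition hash is computed on the
    workstation, i.e. over the stream as received, not over the platters."""
    image = cable(drive)
    return image, sha256(image)


def verify_same_path(drive: bytes, cable, image: bytes) -> bool:
    """Common practice: re-hash the source over the same hardware and compare."""
    return sha256(cable(drive)) == sha256(image)


def verify_independent_path(drive: bytes, other_cable, image: bytes) -> bool:
    """Stronger check: re-read the source through different cabling or a
    different imaging station and compare with the image hash."""
    return sha256(other_cable(drive)) == sha256(image)


def first_differing_sector(a: bytes, b: bytes) -> int:
    """Sector-level localisation of a mismatch (-1 when a and b are identical)."""
    for n in range(0, max(len(a), len(b)), SECTOR):
        if a[n:n + SECTOR] != b[n:n + SECTOR]:
            return n // SECTOR
    return -1


if __name__ == "__main__":
    drive = make_drive(64)
    image, h = acquire(drive, stuck_bit_cable)
    print("image == drive:", image == drive)                                          # False
    print("same-path verify:", verify_same_path(drive, stuck_bit_cable, image))      # True
    print("independent verify:", verify_independent_path(drive, good_cable, image))  # False
    print("first differing sector:", first_differing_sector(drive, image))
```

The point of the model is that hashing is a property of the byte stream the workstation sees. Whatever sits between the platters and the hashing tool (cable, bridge, write blocker) is inside the trust boundary of a same-path comparison, so a validation process needs at least one read that does not share that hardware.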
Despite all these factors, the most challenging part of computer forensics is not making a valid image of a drive. Rather, it is in making correct conclusions from the data that can be seen on the drive, or based on the condition the drive is in when it is first submitted for analysis. If forensic findings fail to support a case, a second analysis may uncover the true “who,” “what,” “when,” “where,” and “how” of a user’s activities.
*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***

TECHNOLOGY YOU SHOULD KNOW: IF IT’S OFF, LEAVE IT OFF! HOW TO GUARD AGAINST COMPROMISING A COMPUTER FORENSIC INVESTIGATION
*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***
The cases in this month’s newsletter illustrate how improper interference with a computer or electronic data prior to forensic review can compromise an investigation and leave a party vulnerable to charges of data mishandling. In Griggs v. Harrah’s Casino, 929 So. 2d 204 (La. Ct. App. 2006), the plaintiffs successfully argued temporary data was lost when the casino technician deviated from normal protocol and turned off the slot machine. In another case, featured in last month’s newsletter, Quotient, Inc. v. Toon, 2005 WL 4006493 (Md. Cir. Ct. Dec. 23, 2005), the court noted, “by the mere fact that a computer is turned on or off, the Operating System (OS) writes data to the hard disk, which could be overwriting data of possible evidentiary value.”
As these cases indicate, when investigating electronic data, care must be taken to prevent even the smallest change to the evidence, or an investigator may face charges of evidence tampering. Simply booting a computer or opening a file can change potentially valuable metadata: dates, times and other behind-the-scenes information about the data. Turning on a computer changes caches, temporary files and file slack space, which, along with the altered metadata, may seriously damage or destroy any evidence that was on the computer. It is best to leave a computer under investigation “on” if it is “on” and “off” if it is “off” until someone trained in computer forensic best practices is able to access the media.
Listed below are steps a forensic expert should take to prevent data from being altered or damaged through improper handling:
• Secure the computer system to prevent it from being tampered with by investigators, third parties or automated processes.
• Avoid analyzing data on the machine from which it was collected.
• Do not run programs on a computer under investigation.
• Exercise minimal interaction with original evidence.
• Make exact, forensically sound copies of data storage devices.
• Protect extracted data from mechanical or electromagnetic damage.
• Do not change date and time stamps or alter data itself.
• Do not overwrite unallocated space, which may happen when rebooting.
• Establish and maintain a proper chain of custody.
Failure to adhere to strict industry standards regarding data preservation can result not only in the loss of critical data, but also can impinge upon the credibility of any data that is recovered, potentially rendering it unreliable or inadmissible in a court of law.
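The following is an added example, not code from the newsletter or from Kroll Ontrack, showing the acquisition and chain-of-custody steps of the checklist above in working form: the source is only ever opened read-only, every sector is copied, an unreadable sector is zero-filled and logged rather than aborting the copy (the behaviour of `dd conv=noerror,sync`), and the hashes recorded at acquisition are re-checked before analysis. The in-memory source device, the simulated bad sectors, the evidence identifiers and the custody-record fields are assumptions made for the demonstration.

```python
# Added example for the checklist above; it is not Kroll Ontrack's code.  The
# in-memory source, the bad sectors and the custody-record fields are constructed
# for the demonstration.
import hashlib
import json
import os
import time

SECTOR = 512


class MemorySource:
    """Constructed stand-in for a write-blocked source drive.  `bad` holds the
    sector numbers that fail to read, as they would on a damaged drive."""

    def __init__(self, data: bytes, bad=()):
        self.data, self.bad = data, set(bad)

    def sector_count(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


class FileSource:
    """Read-only access to a regular file or a block device (for example one
    presented through a hardware write blocker); nothing is opened for writing."""

    def __init__(self, path: str):
        self.fd = os.open(path, os.O_RDONLY)
        self.size = os.lseek(self.fd, 0, os.SEEK_END)   # works for devices too

    def sector_count(self) -> int:
        return self.size // SECTOR

    def read_sector(self, n: int) -> bytes:
        return os.pread(self.fd, SECTOR, n * SECTOR)


def acquire(source, evidence_id: str, examiner: str):
    """Sector-by-sector acquisition in the spirit of `dd conv=noerror,sync`: an
    unreadable sector is zero-filled and logged, so the image keeps the source's
    geometry and every gap is documented.  Hashes cover the bytes actually
    written to the image."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    chunks, bad = [], []
    for n in range(source.sector_count()):
        try:
            block = source.read_sector(n)
        except OSError:
            block = bytes(SECTOR)
            bad.append(n)
        sha.update(block)
        md5.update(block)
        chunks.append(block)
    image = b"".join(chunks)
    record = {                      # chain-of-custody entry for this image
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sector_size": SECTOR,
        "sectors": source.sector_count(),
        "unreadable_sectors": bad,
        "sha256": sha.hexdigest(),
        "md5": md5.hexdigest(),
    }
    return image, record


def verify(image: bytes, record: dict) -> bool:
    """Re-hash a stored image against its custody record before analysis and
    whenever the image changes hands; any edit or truncation fails the check."""
    return (len(image) == record["sectors"] * record["sector_size"]
            and hashlib.sha256(image).hexdigest() == record["sha256"]
            and hashlib.md5(image).hexdigest() == record["md5"])


if __name__ == "__main__":
    # Constructed 32-sector source with sector 5 unreadable.
    src = MemorySource(bytes(range(256)) * 64, bad=[5])
    image, record = acquire(src, "EX-001", "J. Examiner")
    print(json.dumps(record, indent=2))
    print("verifies:", verify(image, record))   # True
```

Analysis then proceeds against `image` (or a copy of it), never against the source device, which matches the checklist's "avoid analyzing data on the machine from which it was collected" and "exercise minimal interaction with original evidence". The custody record travels with the image; re-running `verify` at each hand-off is what turns the hash from a number in a report into a chain of custody.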

KROLL ONTRACK NEWS & EVENTS
Meet Kroll Ontrack Representatives at the Following Events:
Dates | Event | Location
8/21/06 - 8/24/06 | ILTA '06: Evolving Together | Orlando, FL
8/31/06 - 9/1/06 | E-Discovery Advisor Summit | Phoenix, AZ
9/14/06 - 9/15/06 | Electronic Discovery Certification Course | Eden Prairie, MN
9/18/06 - 9/20/06 | 2nd E Discovery | New York, NY
9/19/06 - 9/20/06 | E-Discovery "A-to-Z" Workshop | Seattle, WA
10/3/06 | Orange County Association of Legal Support Specialists | Orlando, FL
10/4/06 - 10/5/06 | Paralegal Super Conferences | Philadelphia, PA
10/4/06 - 10/5/06 | E-Discovery "A-to-Z" Workshop | Atlanta, GA
10/11/06 - 10/15/06 | DRI Annual Meeting | San Francisco, CA
10/19/06 - 10/20/06 | Paralegal Super Conferences | San Francisco, CA
10/23/06 - 10/25/06 | Association of Corporate Counsel 2006 Annual Meeting | San Diego, CA
10/24/06 | Document Retention And Destruction In The Age Of Electronic Documents | Boston, MA
10/30/06 - 11/1/06 | HTCIA International Training Conference & Expo | Cleveland, OH
11/13/06 - 11/14/06 | Advanced Electronic Discovery Certification Course | Eden Prairie, MN
11/29/06 | Maine State Bar Association Employment & Labor Section Meeting | TBD
12/4/06 - 12/5/06 | Electronic Discovery Certification Course | Eden Prairie, MN
Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Melanie Bradshaw, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or http://www.krollontrack.com/.