In This Issue:

	From the Bench: Computer Forensics in the Criminal Realm
	The Brill Files: Data Breach Misfortune
	Technology You Should Know: The Role of Computer Forensics in Employment Issues
	News & Events

From the Bench: Computer Forensics in the Criminal Realm

Court Reverses Conviction Where Defendant was Unaware of Computer Cache Files
Barton v. State, 2007 WL 1775565 (Ga.App. June 21, 2007). In a suit charging the defendant of knowingly possessing child pornography, the Georgia Court of Appeals reversed the jury trial conviction based in large part on computer forensic evidence. A computer forensic analyst testified that computers automatically store Internet viewed information on their hard drives in temporary Internet cache files. The computer forensic expert further explained that there is no way to determine if the stored files were affirmatively sought after by the user or were pop-ups. Additionally, a user is not able to retrieve these files without special forensic software, which was not present on the defendant’s computer. As knowing possession of child pornography requires proof of an affirmative step to save or download images to the computer and knowledge of their existence, the defendant did not have the required culpability to be held guilty of the crime.

Court Refuses to Sanction Government Where Computer Hard Drive was Altered After Seizure
United States v. Flyer, 2007 WL 2051373 (D.Ariz. July 13, 2007). In this case, the defendant was charged with attempted transportation and shipping of, as well as possession of, child pornography. After initially pleading guilty to the charges, the defendant retained substitute counsel and withdrew his plea. The defendant then hired a computer forensic expert to review the electronic evidence gathered through the search warrant. The expert testified via affidavit that numerous files were accessed and created months after the laptop had been seized by the government, making the data completely unreliable and unusable. The government’s expert responded that battery malfunction caused the erroneous files and access dates. The court held that while the government may have been negligent, the defendant was not prejudiced, and therefore denied the defendant’s motions to dismiss, suppress the evidence and to hold a hearing to debate the evidentiary foundation of the affidavit relied on in issuing the search warrant.

The Brill Files: Data Breach Misfortune

The story is unfortunately all too familiar. A friend of mine received a letter in the mail from his bank. The letter informed him that a data breach of the bank’s central computing system had occurred and that customer information may have been compromised. The letter ensured the customers had nothing to worry about and the bank was doing everything possible to remedy the situation. This notification made me wonder how often things like this happen and if there was anything the bank could do to prevent or correct my friend’s and the bank’s own data breach misfortune.

A study conducted recently determined that companies spend an average of nearly five million dollars to recover corporate data when lost or stolen. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html. The survey also indicated that the common methods of data loss include lost or stolen laptops, desktops, PDAs, and thumb drives, hacked electronic systems, malicious insiders, malicious code, and misplaced network storage devices.

Some companies respond to a data security breach by deploying their internal IT staff to investigate the matter and then report their findings to senior management. While this may seem reasonable to the untrained eye, IT staff are generally not equipped with the training and technology to effectively handle these types of incidents. Instead, a better practice is to deploy a computer forensic expert, network intrusion specialist or data breach investigator. With specialized tools that can sift through mountains of system metadata, these trained professionals can determine the depth of a security breach, recover data that has been corrupted or intentionally deleted, determine how a hacker evaded security checks, and perhaps identify the individual who caused the damage. Additionally, these professionals can provide expert witness testimony and reports for the court should the incident proceed to litigation and they can help identify methods for plugging the holes in the computing landscape to prevent any future incidents.

Data breaches are an unfortunate reality of today’s digital world. Partnering with professionals skilled in this area will ensure an organization is best positioned to handle any data breach misfortune that may come its way.

If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Kristin Husom at 952 516 3781 or at khusom@krollontrack.com.

Technology You Should Know: The Role of Computer Forensics in Employment Issues

• Sixty one percent of employees use their work-issued e-mail accounts for personal reasons. http://findarticles.com/p/articles/mi_qa3937/is_200603/ai_n17177191
• In a recent survey, 39% of respondents admitted to forwarding customer data and records to others outside their company. http://www.securitypark.co.uk/article.asp?articleid=26423&CategoryID=1
• One in five companies have either received subpoenas for employee e-mail or have used e-mail to defend the company against allegations of sexual, racial or other discrimination claims. http://www.enquirer.com/editions/2004/07/27/biz_biz2a.html

These statistics reveal one common notion. Traditional employment law issues, such as employee discipline or termination, sexual harassment and hostile workplace claims, violation of non-compete agreements and misappropriation of trade secrets are increasingly involving a digital component. To fully investigate an employment issue, human resources professionals and employment law lawyers need a complete picture of the bits and bytes on the targeted employees’ hard drives. This is where a computer forensic expert can help. Using specialized tools to capture and investigate an organization’s hard drives, a computer forensic expert is quickly becoming a critical member of the team in charge of handling the employment issue.

By the time a computer forensic expert typically is engaged by an organization, however, it is too late. Hard drives of key employees may have been discarded, wiped or redeployed to other employees, possibly destroying crucial pieces of the puzzle and making the investigation more challenging. Listed below are key computer forensic concepts that human resources professionals and employment law practitioners should understand when faced with any employee issue involving a computer.

Avoid tainting the evidence. While electronic files are easy and convenient to create and duplicate, they are also easy to alter or destroy. For example, simply booting a computer or opening a file can change potentially valuable dates, times and other behind the scenes information about the data. Never boot a computer simply to “get a better picture of what is going on” as you will probably do more harm than good. Instead, if it’s off, leave it off; if it’s on, leave it on until a trained computer forensic professional can take custody of the machine.

Image and hold. When it is foreseeable that an employee’s computer might be a good source of salient evidence, a simple mirror image is crucial. Such an image captures every bit and byte on the hard drive, exactly as last used by the employee. The image should be taken as soon as a departing employee is terminated or leaves the organization or as soon as a current employee is suspected of an employment law issue. There is nothing more frustrating to a litigator than to be in the midst of discovery and be told “that information is on John’s laptop and we let him take that out-of-date machine with him when he left the company” or “Sue is now using John’s computer.” The costs associated with imaging a hard drive are minuscule compared to the costs involved in attempting to locate and, if possible, retrieve the data later on down the road. Computer forensic experts can quickly be deployed to the organization’s location to make a forensically sound image of the employee’s hard drive. Then the organization or the expert can securely hold this image until a full forensic investigation is needed down the road. If the employment law issue dissipates, the image can be destroyed.

Investigate if necessary. Should the employment law issue escalate, a full computer forensic investigation will be needed. The investigator will attempt to build a complete picture of the employee’s computer conduct; breaking passwords, accessing internet history files and cookies, recovering deleted files and e-mails, analyzing date and time stamps, finding files stored in the hidden sections of a hard drive, recovering instant messaging conversations if possible and looking for any removable media types (such as USB drives) that interacted with the computer.

Use qualified forensic experts. Partner with a computer forensic service provider that uses proper protocols to not only collect and recover the data important to your employment law issues, but who can articulate their results and conclusions clearly and accurately, should litigation ensue. Do not hesitate to bring your computer forensic expert to the table as soon as an employment law issue arises. Prepared organizations will work with a computer forensic expert in advance to establish standard procedures for imaging, holding, and if necessary, investigating departed employees’ hard drives.

NEWS & EVENTS

Kroll Ontrack Appoints New President
Effective July 19, 2007, Kristin M. Nimsger, Esq. was appointed to the position of president of Kroll Ontrack, as Ben Allen, Kroll Ontrack’s former leader recently assumed new duties as chief operating officer of Kroll Inc. Nimsger brings extensive strategic development and business management experience to her new role. As president, Nimsger is responsible for advancing the strategic vision of Kroll Ontrack and growing the Data Recovery, Legal Technologies and Search business lines through investments in organic growth and geographic expansion. Furthermore, she will work with the broader Kroll organization to continue to enhance the cooperation and collaboration between the Kroll businesses. Among one of the nation’s most knowledgeable legal technology experts, Nimsger most recently served as the vice president of Legal Technologies for Kroll Ontrack. With the company since 2001, Nimsger oversaw the evolution of products and service offerings for the Legal Technologies business group, which primarily serves law firms, corporate counsel, government agencies, and others with electronically stored information consulting services, electronic and paper discovery, and computer forensic solutions. Nimsger earned her J.D. cum laude from William Mitchell College of Law, St. Paul, Minn., and received her B.A. in English/Communications from the University of Minnesota, Duluth.

Meet our representatives at the following events:

Visit www.krollontrack.com/upcomingevents for more information on these events and others.

Back To Top

We Request Your Input

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, an Ontrack Forensics staff attorney with Kroll Ontrack, with assistance from Joni Heikes, a Kroll Ontrack staff attorney. Ms. Lange has published numerous articles and speaks regularly on the topics of e-discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.