In This Issue:
FROM THE BENCH: JURY WEIGHS CONFLICTING COMPUTER EXPERT TESTIMONY IN CHILD MOLESTATION CASE
State v. Speers, 98 P.3d 560 (Ariz. Ct. App. 2004). In a recent case, the state brought charges and prosecuted the defendant on several counts of sexual exploitation of a minor. At trial, the state argued the defendant was a child molester, putting forth evidence from children who claimed to be molested and sexually abused by the defendant. The state also presented evidence seized from the defendant’s computer, including results of a computer forensic examination, which revealed 18 thumbnail child pornography image files stored in the temporary Internet files on the hard drive. The computer’s access logs showed a computer user accessed the images just days before the state filed molestation charges. Thumbnail pictures, which appeared on the monitor in grids of five pictures wide and four pictures high, comprised 16 of the images. The other two thumbnail images had been enlarged before being automatically stored in the temporary Internet files.
The state presented expert testimony concerning the use of the computer and how the 18 images could only be present on the computer's hard drive if the user consciously accessed the Web sites on which they appeared. The state also claimed the enlarged images could only have been saved on the computer by the defendant affirmatively placing the cursor on the thumbnail images and clicking to engage the links.
In response, the defendant argued he could not have knowingly possessed the images because the computer automatically saved the images in its temporary Internet files. The defendant's expert questioned the state's assertion that the enlarged images would only exist on the computer as a result of a deliberate clicking of the mouse on the thumbnail images.
The jury weighed the conflicting computer expert opinions, in addition to the other evidence presented, and acquitted the defendant on the 16 counts related to the thumbnail pictures. However, the jury convicted him for the two enlarged images. The defendant appealed the conviction arguing evidentiary and jury instruction errors. Vacating the defendant's convictions and remanding for a new trial, the appellate court held that the evidentiary and jury instruction errors could have affected the verdicts against the defendant.
THE BRILL FILES: DECIPHERING DELIBERATE DIGITAL DATA DESTRUCTION
*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***
You unavoidably overwrite data every time you operate a computer - often without realizing it. While most overwriting is the unintentional result of daily computer use, sometimes computer files are deliberately destroyed or “scrubbed” in attempts to remove all traces of the data.
I remember one such case we worked on. A group of physicians, employed in the AIDS outpatient area of a metropolitan hospital, left the hospital to open a clinic for a competing hospital. The first hospital suspected the physicians were using the hospital’s confidential information to set up the new facility. When the chief physician returned her laptop computer, she claimed she had accidentally reformatted the hard drive. We went to work on the laptop and discovered the physicians had indeed stolen the hospital’s proprietary historical data in an attempt to develop a grant application for the new clinic. We also determined the physicians had made unauthorized copies of patient medical records to identify patients who had good insurance and who had long lifespan expectancies. We turned this information over to the hospital, which eventually co-owned the new clinic and terminated the physicians involved in the information theft.
Cases like this one are not novel by any means. From simply deleting documents to actually scrubbing hard drives, parties have tried a variety of techniques to cover up traces of illegal or unethical conduct. Formatting, defragmenting and wiping are three of the most common processes used by people attempting to intentionally destroy computer records.
Formatting. Instead of deleting data, formatting eliminates the document indexes and file/folder pointers on a computer hard drive and, in most cases, does not harm the data on the hard drive. The contents of the documents, files and folders still physically exist on the drive and are likely recoverable by computer forensic experts using best practice industry standards. Shutting off the computer immediately and consulting a computer forensic expert to assist with recovery will ensure the best chance of data recovery.
Defragmenting. Defragmentation is designed to make the computer run more efficiently by putting the pieces of files as close to each other as possible. Depending on the size of the drive, data volume and order of operations, active files and some deleted files may be recoverable. A complete computer forensic investigation will help identify data that is recoverable after defragmentation.
Wiping. When wiping a hard drive or portion of a hard drive, an individual runs a commercially available software “shredder” program to intentionally overwrite data with a specific or randomly generated pattern of “1s” and “0s.” If properly used, a wiping utility will make the data unrecoverable by commercial computer forensic experts. Depending on the wiping program that was used, computer forensic experts may still be able to determine the date, time and specific program used to conduct the wiping.
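As an added illustration (not from the newsletter or from Kroll Ontrack), the sketch below shows how an examiner might flag the overwrite patterns described above in a raw drive image: it labels each sector as single-value fill, short repeating pattern, random-like or ordinary data, and reports long runs of anything other than ordinary data. The 512-byte sector size, the entropy threshold and the sample image are assumptions constructed for the example.

```python
import math
import random
from collections import Counter

SECTOR = 512  # assumed sector size

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_sector(block: bytes) -> str:
    """Label one sector by the kind of content it appears to hold."""
    if len(set(block)) == 1:                      # one value repeated, e.g. zero fill
        return "fill:0x%02x" % block[0]
    for period in (2, 3, 4):                      # short fixed pattern, e.g. 55 AA
        unit = block[:period]
        if block == (unit * (len(block) // period + 1))[:len(block)]:
            return "pattern:" + unit.hex()
    # Threshold is an assumption; compressed or encrypted files also score high.
    return "random-like" if entropy(block) > 7.0 else "data"

def find_runs(image: bytes, min_sectors: int = 8):
    """Return (start_sector, sector_count, label) for long runs of non-data sectors."""
    runs, start, label = [], 0, None
    total = len(image) // SECTOR
    for i in range(total + 1):                    # extra pass flushes the last run
        cur = classify_sector(image[i * SECTOR:(i + 1) * SECTOR]) if i < total else None
        if cur != label:
            if label not in (None, "data") and i - start >= min_sectors:
                runs.append((start, i - start, label))
            start, label = i, cur
    return runs

def build_sample_image() -> bytes:
    """Constructed image: file data, a zero-filled gap, a random-filled gap, more data."""
    rng = random.Random(1)                        # fixed seed keeps the sample reproducible
    text = b"".join(b"record %06d;" % i for i in range(2000))
    noise = bytes(rng.randrange(256) for _ in range(24 * SECTOR))
    return text[:16 * SECTOR] + bytes(32 * SECTOR) + noise + text[:8 * SECTOR]

if __name__ == "__main__":
    for start, count, label in find_runs(build_sample_image()):
        print(f"sectors {start}-{start + count - 1}: {label}")
```

A flagged run is a lead for the examiner, not proof of wiping: factory-fresh space is often zero-filled, and encrypted or compressed files look random-like.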
Other forms of deliberate computer evidence spoliation are also common, including:
Deliberate Overwriting. When data is deliberately overwritten, the selected files are erased, and the computer trash bin is emptied. A large quantity of data is then loaded onto the operating system so that each unassigned bit and byte of storage is filled up with meaningless data.
Hard Drive Destruction. Methods of hard drive destruction include hitting or scratching the drive’s inner workings with a hard object, submersing the drive in water, or putting the drive into a fire. Drives damaged this way are unreadable and may be unrecognized by the system; however, a reliable data recovery lab may be able to recover the data.
Drive Replacement. Completely replacing a hard drive is accomplished by installing a new drive in the computer, loading it with software, and throwing away the original drive.
The lesson here is simple - if you suspect that someone has been deliberately destroying digital data, bring in the experts as soon as possible. In many cases, an expert can locate and recover the data, and the results of the forensic analysis can often yield a potential treasure trove of information.
*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***
TECHNOLOGY YOU SHOULD KNOW: WHERE CAN LAW ENFORCEMENT OFFICIALS OBTAIN TRAINING?
*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. ***
Computer forensic investigators must have advanced computer knowledge and specialized data recovery and computer investigation analysis skills. Most companies or police departments seeking to hire a computer forensic expert look for a blend of technological training and expert testimony experience.
In the computer forensic field, technical training is a continuous process. In addition to having either a background in law enforcement or computer sciences, an expert in this field should have some formal computer forensic training. Training is accomplished through law enforcement courses offered by large departments and agencies, as well as certification courses offered by recognized private sector companies. In fact, the number of academic institutions offering Computer Forensics degrees continues to increase. Some of the common computer forensic and related certifications are described below.
International Association of Computer Investigation Specialists (IACIS) – This association offers training programs that certify only public sector (law enforcement) professionals.
National White Collar Crime Center (NWCCC or NW3C) – This federally funded non-profit corporation offers training only to public sector (law enforcement) professionals.
The National Consortium for Justice Information and Statistics (SEARCH) – This non-profit organization offers training only to public sector (law enforcement) professionals.
Federal Law Enforcement Training Center (FLETC) – This center trains most federal agents other than the FBI, which has its own training academy.
EnCase Certified Examiner (EnCE) – This program certifies both public and private sector professionals in the use of Guidance Software’s EnCase computer forensic software.
Certified Information System Security Professional (CISSP) – This certification reflects the qualifications of information systems security practitioners.
For a complete list of educational institutions offering courses and degree programs in computer forensics, visit http://www.e-evidence.info/education.html. Gaining experience through recognized computer forensic training, combined with on-the-job experience, will give computer forensic experts the skills they need to find the e-smoking gun.
KROLL ONTRACK NEWS & EVENTS
Kroll Ontrack Unveils Multi-Million Dollar Data Center to Ensure Fastest, Most Reliable, and Most Secure E-Discovery Services
Kroll Ontrack unveiled its new $10-million-plus, state-of-the-art data center – an enterprise-class electronic business environment designed to provide clients with the most extensive, resilient, controllable, secure, and comprehensive legal technology solutions available in the marketplace. Kroll Ontrack’s data center is wholly dedicated to discovery services and designed and maintained to meet the growing demands facing the industry. With more than half a petabyte (one petabyte equals a thousand terabytes) in capacity, its data center relies on proven computing technology, including routers and switches from Cisco Systems and Extreme Networks; diverse and redundant Internet connections through Sprint, Time Warner and Onvoy; and, environmental monitoring by ADT Security Services to provide unparalleled data protection and disaster tolerant features. To provide the highest quality service to its customers, Kroll Ontrack’s data center is scalable to support an unexpected volume of information that could vary based on each customer’s requirements.
Meet Kroll Ontrack Representatives at the Following Events:
Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to mlange@krollontrack.com.
Portions of this newsletter are written by Michele C.S. Lange, staff attorney with Kroll Ontrack. Charity Delich, a Kroll Ontrack law clerk, helped prepare the case summaries. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and computer forensic services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.