February 2004 - Volume 2, Issue 2
In This Issue:
FROM THE BENCH: APPELLATE COURT REVIEWS ADMISSIBILITY OF COMPUTER FORENSIC EVIDENCE
THE BRILL FILES: A WALK ON THE WIFI SIDE
TECHNOLOGY YOU SHOULD KNOW: TRACKING INTERNET HISTORY – COOKIES, CACHE, AND HISTORY LOGS
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: APPELLATE COURT REVIEWS ADMISSIBILITY OF COMPUTER FORENSIC EVIDENCE

In a recent case, Kupper v. State, 2004 WL 60768 (Tex. App. Jan. 14, 2004), a jury convicted the Defendant of four counts of aggravated sexual assault of a minor and sentenced him to 38 years confinement for each count. The Defendant appealed the conviction, challenging, among other things, the admissibility of email messages retrieved from the deleted files on his work computer and an email message and a photograph retrieved from the temporary Internet files on his work computer.

At trial, a police detective trained in computer forensics testified that she “imaged” (or made complete forensic copies of) the Defendant’s home and work computers and engaged in a computer forensic investigation to locate the evidence in question against the Defendant. The detective then made copies of suspect documents on the duplicate hard drives. The documents admitted as exhibits at trial were exact copies of the copies she made from the hard drives.

On appeal, the Defendant contended that the State did not show that the exhibits came from a computer the Defendant actually used. The appellate court noted trial testimony from the detective stating that she was directed to the Defendant’s computer when she went to his workplace and that no evidence existed that she imaged a computer other than the one assigned to the Defendant.

The Defendant also argued that one of the exhibits used at trial was obtained from the computer’s deleted files, and thus the hard drive had been altered or tampered with by the State in recovering the document. At trial, the detective testified the documents were downloaded or "recovered" as a deleted file from the hard drive. The appellate court noted the Defendant failed to explain how retrieving a document from a "deleted" file on a hard drive -- by downloading or recovering it -- altered the hard drive or the document itself and stated that the Defendant offered no evidence of any alteration or deletion in the documents.

The appellate court rejected all of the Defendant’s arguments and concluded that the police detective’s testimony established that the appearance, contents, substance, internal patterns, or other distinctive characteristics, taken in conjunction with the circumstances, authenticated the computer evidence. The appellate court further determined there was no evidence raising chain-of-custody issues. Accordingly, the appellate court concluded the trial court did not abuse its discretion in admitting the computer exhibits in the case against the Defendant.

THE BRILL FILES: A WALK ON THE WIFI SIDE

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

It was one of the largest financial services companies in the world and frankly, we were honored that they chose Kroll Ontrack to report to their top management on the state of their information security. My colleague and I were interviewing one of the senior technology officials when our laptop, which we were using to take interview notes, made a very odd sound. We both looked at it and saw that the machine had just found an unencrypted wireless network using the popular WiFi standard. Moreover, the machine had automatically associated itself with the network and had obtained an IP address from the wireless access point.

“Yes,” said the official when we asked, “we do have a wireless network, but it can only talk to authorized users and without a password, what harm could you possibly do?” We proceeded to ask if he was serious, and he assured us that he was.

Within a few minutes, we had reconfigured the laptop so it would capture all of the traffic being broadcast by the wireless access point. A few minutes later, we had captured about 25,000 packets, and a quick look at their content turned the executive’s complexion an unfortunate shade of green. His people had told him it was secure, but the reality was that it was neither encrypted nor had safeguards in place to limit its connectivity only to authorized machines. In fact, we found that the administrator’s password was the default password straight from the device’s set-up guide.

We asked for a map of their office campus, reconfigured our computer to show us the strength of the wireless signal, and headed out for a walk. The access point was broadcasting its signal widely enough that we were able to get good reception on the street adjacent to the office complex…strong enough that someone sitting in a car or van could easily intercept and capture all of the traffic on the network, which was completely unencrypted. As we continued on our walk, we found another unsecured access point, which was located above the ceiling tiles in another building. And we found an informal (and unprotected) peer-to-peer network of laptops, all of which had built-in WiFi connectivity.

What would you find if you checked your site? What is the possibility that someone – perhaps with no authorization – has plugged an access point into your network? With prices as low as $25 for WiFi technology, we find that companies sometimes use WiFi simply to rearrange their offices without having to run network cables. What they do not realize is that they may be placing their organization at risk.

There are a number of software packages you can use to find and measure WiFi signals, but it can sometimes be tricky to interpret the results. The company we were visiting asked us to provide the hardware, software, and training to enable them to have their I.T. security people make frequent sweeps of their campus to find unauthorized access points. When is the last time you had a test run of your offices? Is there a wireless surprise in store for you?
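One way to interpret the results of such a sweep is to compare every network seen against an inventory of approved access points. The following is an added example, not part of the original article or any Kroll Ontrack tool; the inventory, the sweep log, the CSV column names, the "Street" location prefix and the -75 dBm threshold are all constructed assumptions.

```python
import csv
import io

# Constructed inventory of approved access points, keyed by BSSID (radio MAC).
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan"},
    "00:11:22:33:44:02": {"ssid": "corp-wlan"},
}

# Constructed sweep log: one row per network seen at each survey point.
SWEEP_CSV = """bssid,ssid,mode,encrypted,signal_dbm,location
00:11:22:33:44:01,corp-wlan,infrastructure,yes,-48,Building A lobby
00:11:22:33:44:02,corp-wlan,infrastructure,no,-55,Building A floor 2
00:11:22:33:44:02,corp-wlan,infrastructure,no,-71,Street (north side)
66:77:88:99:AA:01,default,infrastructure,no,-60,Building B floor 3
02:AA:BB:CC:DD:01,laptop-share,ad-hoc,no,-66,Building B floor 1
00:11:22:33:44:01,corp-wlan,infrastructure,yes,-90,Street (north side)
"""

OFFSITE_PREFIX = "Street"  # assumed label for survey points outside the campus
USABLE_DBM = -75           # assumed threshold for a signal strong enough to use


def triage(sweep_text, authorized=AUTHORIZED):
    """Return {bssid: sorted findings} for every network that needs follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(sweep_text)):
        bssid = row["bssid"].upper()
        issues = findings.setdefault(bssid, set())
        if row["mode"] == "ad-hoc":
            issues.add("ad-hoc (peer-to-peer) network")
        elif bssid not in authorized:
            issues.add("access point not in inventory")
        if row["encrypted"].strip().lower() != "yes":
            issues.add("unencrypted")
        off_site = row["location"].startswith(OFFSITE_PREFIX)
        if off_site and int(row["signal_dbm"]) >= USABLE_DBM:
            issues.add("usable signal off premises")
    # Networks with no findings at any survey point are dropped from the report.
    return {b: sorted(i) for b, i in findings.items() if i}


if __name__ == "__main__":
    for bssid, issues in triage(SWEEP_CSV).items():
        print(bssid, "->", "; ".join(issues))
```
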

If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com.

TECHNOLOGY YOU SHOULD KNOW: TRACKING INTERNET HISTORY – COOKIES, CACHE, AND HISTORY LOGS

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. ***

In some computer forensic cases, a user’s Internet activity is helpful in figuring out the “who, what, when, and where” of the computer investigation. Sometimes this information is readily available on the individual’s computer in the form of Internet history logs, cookies, and cache or temporary files.

Internet history logs track the Web sites that a user accesses over a certain time period. Some links to these Web sites are viewable in a browser drop-down box for quick access to recently viewed pages.

A cookie is a small file automatically created and stored on a user’s hard drive when the user visits an Internet Web site. The computer uses this information to remember the user when he or she visits the particular Web site again in the future. Using cookies, Web sites can personalize the user’s Internet experience or facilitate faster authentication for the user. Cookies can contain a designated user name, a password created to access the site, a log of prior visits, customized settings and other data that tracks how the user customizes the site. Cookies also can record the address of the Web site a user visited just prior to arriving at the site depositing the cookie.

Each time you open a Web page, your browser typically creates a cache file (also known as temporary files) of the page's text, graphics, and applications. When you open the page again, your browser checks the Web site’s server for changes to the page. If the page has changed, your browser retrieves a new version over the network. If the page has not changed, your browser uses the cache files from your computer’s memory to display the page.

While some users take steps to erase their browser history logs, users with basic computer skills often fail to dispose of their cookies or clean out their cache. Internet history logs, cookies, and cache can be treasure troves in computer forensic investigations where an individual’s Internet activity is at issue.
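To show what an examiner can read out of a cookie store, the following added example (not part of the original article) parses the tab-separated cookies.txt layout used by Netscape and Mozilla browsers and groups the entries by site. The sample file, the site names and the keyword lists are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample in the Netscape/Mozilla cookies.txt layout. Fields:
# domain, subdomain flag, path, secure flag, expiry (Unix time), name, value
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".shop.example\tTRUE\t/\tFALSE\t1104537600\tusername\tjdoe\n"
    ".shop.example\tTRUE\t/\tFALSE\t1104537600\tvisits\t7\n"
    "news.example\tFALSE\t/\tFALSE\t1078099200\treferrer\t"
    "http://search.example/?q=widgets\n"
    "broken line without tabs\n"
)

# Assumed keywords for cookie names that identify a person or a prior site.
IDENTITY_HINTS = ("user", "login", "email", "pass")
REFERRER_HINTS = ("ref",)


def parse_cookies(text):
    """Parse cookies.txt content; skip comments and damaged rows."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed or only partially recovered line
        domain, _, _, _, expiry, name, value = fields
        records.append({
            "site": domain.lstrip("."),
            "name": name,
            "value": value,
            "expires": datetime.fromtimestamp(int(expiry), tz=timezone.utc),
        })
    return records


def summarize(records):
    """Per site: cookie count, values naming a user, and referring addresses."""
    summary = {}
    for r in records:
        site = summary.setdefault(
            r["site"], {"cookies": 0, "identity": [], "referrers": []})
        site["cookies"] += 1
        lowered = r["name"].lower()
        if any(h in lowered for h in IDENTITY_HINTS):
            site["identity"].append(r["value"])
        elif any(h in lowered for h in REFERRER_HINTS):
            site["referrers"].append(r["value"])
    return summary
```
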

KROLL ONTRACK NEWS AND EVENTS

Call for Nominations - 2004 Electronic Evidence Thought Leadership Awards

Submit your nominations for the 2004 Electronic Evidence Thought Leadership Awards! Each year, Kroll Ontrack acknowledges significant contributions to the development of the body of law, practice and procedure in the area of electronic evidence. Visit http://www.krollontrack.com/thoughtleader to submit your nominations online and receive a free gift. All nomination forms must be received by Monday, March 1, 2004.

We hope to see you at some of the events listed below, where representatives of Kroll Ontrack will be attending.

2/18/04 | ACC of Southern California Workshops | Six California Locations
2/24/04 | Discovery & E-Discovery Through Pretrial Seminar | San Diego, CA
2/24/04 | San Diego Paralegals Association | San Diego, CA
3/11/04-3/12/04 | PLI: 24th Annual Computer Law Institute | San Francisco, CA
3/11/04-3/12/04 | Alberta Law Conference | Calgary, Canada
3/16/04 | San Diego Paralegals Association | San Diego, CA
3/22/04-3/23/04 | Glasser CIO Forum | New York, NY
3/25/04-3/26/04 | PLI: 24th Annual Computer Law Institute | New York, NY
4/15/04-4/16/04 | Glasser LegalWorks | San Francisco, CA
4/23/04-4/24/04 | The Paralegal SuperConference | Los Angeles, CA
5/16/04-5/18/04 | Legal Technology Summit | Marina del Rey, CA

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.

KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensic services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.

 

© 2004 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105