In This Issue:
FROM THE BENCH: COMPUTER FORENSIC INVESTIGATIONS UNCOVER ATTEMPTS TO DESTROY ELECTRONIC EVIDENCE
Court Upholds Repayment of Fees Incurred in a Computer Forensic Investigation
United States v. Gordon, 393 F.3d 1044 (9th
Cir. 2004). After discovering missing stock shares,
an employer suspected embezzlement and requested the
defendant’s laptop computer for examination. The
employer specifically told the defendant not to delete
anything from the hard drive. A computer forensic analysis
revealed the defendant attempted to overwrite files
on the computer by running “Evidence Eliminator,”
a software wiping program, at least five times the night
before he turned over the computer. The defendant was
convicted of embezzlement and ordered to pay restitution,
including reimbursing the employer for $1,038,477 of
the total $1,268,022 costs spent on the forensic analysis.
On appeal, the defendant argued the trial court should
not have awarded the employer investigation costs, including
the costs of the forensic examination. The appellate
court rejected this argument and affirmed the district
court’s award, noting the defendant “purposefully
covered his tracks as he concealed his numerous acts
of wrongdoing from [his employer] over a period of years.
As the victim, [the employer] cannot be faulted for
making a concerted effort to pick up his trail and identify
all the assets he took amid everything he worked on.”
Use of “Evidence Eliminator” to Destroy Electronic Documents Leads to Summary Judgment
DirecTV, Inc. v. Borow, 2005 WL 43261 (N.D.Ill.
Jan. 6, 2005). The plaintiff brought a motion for summary
judgment, claiming the defendant used the plaintiff’s
satellite television signal without authorization and
then spoliated evidence of the unauthorized use. The
court had previously awarded sanctions against the defendant
for deliberately destroying evidence by using “Evidence
Eliminator,” a software wiping utility program,
to erase electronic evidence requested by the plaintiff.
The plaintiff’s computer forensic expert examined
the computer and recovered some of the deleted files,
including programs used by satellite pirates to intercept
the plaintiff’s encrypted signal and files listing
the names of piracy websites the defendant visited. Other
files were permanently deleted. The defendant argued
“somebody else” was responsible for these
actions, even though he declared the computer remained
in his exclusive possession. Granting the plaintiff’s
summary judgment motion, the court noted, “[t]he
fact that [the defendant] deleted certain files on his
computer only five weeks after the start of this litigation
creates an inference that he destroyed evidence that
would have been harmful to his defense.”
Defendant Ordered to Preserve Information Based on Evidence of Attempted Document Destruction
Hypro, LLC v. Reser, 2004 WL 2905321 (D.Minn.
Dec. 10, 2004). Alleging breach of various employment
and confidentiality agreements and conspiracy to misappropriate
trade secrets, the plaintiff filed a motion to preserve
and protect evidence. The plaintiff claimed the defendant
installed “Incinerate,” a software wiping
utility, on his company laptop that deleted 94 megabytes
of information, and returned the laptop without mentioning
the deleted files. The plaintiff informed the court
that it had made a backup copy of all of the documents
on the laptop prior to the defendant’s actions,
and a comparison of the backup copy with the returned
laptop revealed the defendant had deleted documents
relating to his involvement in the activities at issue.
Based on the plaintiff’s allegations, the court
ordered all parties to preserve and “not erase,
alter, modify, or destroy” any evidence, including
email and electronic documents.
THE BRILL FILES: SECURITY IS A MOVING TARGET
*** Written by Alan Brill, Senior Managing Director
for Kroll Ontrack, The Brill Files reflects his work
in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation. With more than 25 years of consulting experience,
Mr. Brill has assisted organizations with a wide range
of technology security issues and is an internationally
recognized speaker and instructor.
If you would like to explore the opportunity of Alan
Brill speaking at a conference you are supporting or
organizing, please contact Amanda Karls at
(952) 516-3637 or at akarls@krollontrack.com.
***
When my team is called on to conduct security assessments
for an organization, we inform clients that corporate
security is a constantly changing target. A company
that was secure yesterday may not necessarily be secure
tomorrow - or even today for that matter.
Nearly all systems and environments are in a constant
state of change. Sometimes system changes are the result
of external requirements like Sarbanes-Oxley, HIPAA
or industry-specific standards, such as those set for
financial institutions. In other situations, changing
operating system platforms and applications are necessary
to meet shifting customer and market demands. This combination
provides for a constant level of turbulence that can
make security an ever-changing challenge.
Last year, we ran into an executive who fought hard
to prevent us from conducting a brief security assessment.
Financially, the executive felt the assessment was a
waste of money since auditors had recently evaluated
the company’s security protocols and given the
company a “clean bill of health.”
During the week we spent at the company, we discovered
the auditors’ report was not a glowing testimonial
to the level of security. On the contrary, while nothing
egregious existed, the auditors had a number of recommendations
that they (and we) believed to be important. The executive
had not approved or budgeted to comply with these recommendations.
Instead, he relied on direct reports that told him specific
areas of the company were “problem-free”
and did not need a review.
Since the prior audit, we noticed a number of significant
changes in the environment, including new versions of
several key applications, a change of vendor for one
important application, and a change in platforms for
several systems, which had evolved from Unix to Linux-based
systems. We also noted a lack of internal assessments
documenting the effect of these changes on the security
of the systems. In one case, we learned the company
had failed to make necessary changes to ensure the complete
backup and recoverability of an application.
The point is simple. Security is a shifting objective
and must be re-evaluated on a regular basis. All changes
– from major changes like replacing applications
to minor changes like system patches – affect
security. While the needed security measures differ
from organization to organization, one thing is clear
– you must have a process in place for formally
assessing the security impact as a result of changes
in hardware, software or business process.

TECHNOLOGY YOU SHOULD KNOW: 10 STEPS TO PREPARE FOR A COMPUTER FORENSIC INVESTIGATION
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators must understand the inner workings
of computers and how they relate to any computer conduct
at issue. ***
When an investigation involves cyber issues, computers
– from a single hard drive to a network of servers
and personal computers – are often the best place
to begin collecting potential evidence. A firm grasp
of basic data handling concepts and computer forensic
best practices is the first step to ensure a successful
investigation. Below are 10 basic guidelines law firms
and corporations should follow when handling digital
data in a computer forensic investigation.
1) Do not turn the computer off or on, run any programs,
or attempt to access data on a computer. An expert
will have the appropriate tools and experience to
prevent data overwriting, damage from static electricity,
or other spoliation concerns.
2) Secure any relevant media – including hard
drives, laptops, BlackBerries, PDAs, cell phones,
CD-ROMs, DVDs, USB drives, and MP3 players –
the subject may have used.
3) Suspend automated document destruction and recycling
policies that may pertain to any relevant media or
users at issue.
4) Identify the type of data you are seeking, the
information you are looking for, and the urgency level
of the examination.
5) Once the machine is secured, obtain information
about the machine, peripherals, and the network to
which it is connected, including:
- the make/model/serial number of all relevant
media;
- a description of the e-mail, instant messaging,
or other communications systems used, including
details about the network configuration for email
and file storage on servers and workstations;
- a list of applications used; and
- a description of the user’s job function
to determine the user’s technical capabilities.
6) Obtain passwords to access encrypted or password-protected
files, if possible.
7) Compile a list of names, e-mail addresses and
other identifying information about those with whom
the subject might have communicated.
8) If the computer is accessed before the forensic
expert is able to secure a mirror image, note the
user(s) that accessed it, what files they accessed
and when this occurred. If possible, find out why
the computer was accessed.
9) Maintain a "chain of custody" for each
piece of original media, indicating where the media
has been, whose possession it has been in, and the
reason for that possession.
10) Develop a list of key words or phrases to use
when searching for relevant data.
In addition to following these tips, consulting a skilled
computer forensic investigator early on in the process
will increase the likelihood of a successful digital
recovery, analysis and investigation.
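A chain-of-custody record like the one in step 9 (where the media has been, whose possession it was in, and why) can be checked mechanically for breaks before it is relied on. The following Python example is added here and is not part of the original newsletter; the record fields, serial numbers, names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Transfer:
    serial: str          # media identifier recorded in step 5
    received: datetime   # when this custodian took possession
    custodian: str       # whose possession (step 9)
    received_from: str   # who handed the media over
    location: str        # where the media was kept (step 9)
    reason: str          # reason for that possession (step 9)

def custody_problems(log):
    """Return (serial, problem) findings for a chain-of-custody log."""
    chains = {}
    for t in sorted(log, key=lambda t: t.received):
        chains.setdefault(t.serial, []).append(t)
    problems = []
    for serial, chain in chains.items():
        for prev, cur in zip([None] + chain, chain):
            # Every entry must say where the media was and why it was held.
            for field in ("location", "reason"):
                if not getattr(cur, field).strip():
                    problems.append((serial, f"{cur.custodian}: {field} missing"))
            # Each hand-over must come from the previously recorded holder.
            if prev and cur.received_from != prev.custodian:
                problems.append((serial,
                    f"break: {cur.custodian} received from {cur.received_from}, "
                    f"but last recorded holder was {prev.custodian}"))
    return problems

# Constructed sample log; serials, names and times are invented for illustration.
SAMPLE_LOG = [
    Transfer("LAPTOP-EXAMPLE-001", datetime(2005, 1, 10, 9, 0), "IT manager",
             "subject", "locked cabinet, IT office", "secured at counsel's request"),
    Transfer("LAPTOP-EXAMPLE-001", datetime(2005, 1, 11, 14, 0), "forensic examiner",
             "IT manager", "forensic lab", "mirror imaging"),
    Transfer("USB-EXAMPLE-002", datetime(2005, 1, 10, 9, 30), "IT manager",
             "subject", "locked cabinet, IT office", ""),
    Transfer("USB-EXAMPLE-002", datetime(2005, 1, 12, 10, 0), "forensic examiner",
             "records clerk", "forensic lab", "mirror imaging"),
]

if __name__ == "__main__":
    for serial, problem in custody_problems(SAMPLE_LOG):
        print(serial, "-", problem)
```

In the sample, the laptop's chain is complete, while the USB drive's log is flagged twice: one entry has no reason recorded, and one hand-over comes from a person who never appears as a holder.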

KROLL ONTRACK NEWS & EVENTS
Kroll Ontrack Wins Top Electronic Discovery Award from Law Technology News®
Kroll Ontrack has won the 2004 Law Technology News®
Award for the top “Electronic Data Discovery System.”
In 2004, the editors of Law Technology News®
asked the publication’s 40,000+ subscribers to
select products and vendors that represented outstanding
achievement in legal technology in 13 award categories.
Online ballots were solicited from LTN’s
subscriber audience of law firm partners and managing
partners, legal administrators, MIS/IT directors and
specialists, corporate counsel, litigation support specialists,
librarians and other legal professionals. Only subscribers’
ballots were accepted. Winners were determined based
on the most-mentioned product/company in each category.
In addition to being recognized by Law Technology
News® as the top electronic discovery expert,
Kroll Ontrack has taken top honors in the “electronic
evidence discovery vendor” category for the third
consecutive year in the Ninth Annual AmLaw Tech Survey,
which was released in September 2004. Law Office
Computing magazine has also named Kroll Ontrack
as the winner of the “Electronic Discovery”
category in the 10th Annual Readers’ Choice Awards
in its August/September 2004 issue.
Meet Kroll Ontrack Representatives at the Following
Events: (For a complete listing of sponsored
and speaking events, please visit http://www.krollontrack.com/upcomingevents/.)
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology
experts strive to stay on top of e-discovery law. If
you are aware of any additional local court rules or
new cases in this area of the law, please contact us
by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff
attorney with Kroll Ontrack, with assistance from Charity
J. Delich, a Kroll Ontrack law clerk. Ms. Lange has
published numerous articles and speaks regularly on
the topics of electronic discovery, computer forensics,
and technology’s role in the law. She can be contacted
by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.