FROM THE BENCH: COURTS ADDRESS DATA WIPING UTILITIES AND EVIDENCE OF COMPUTER HACKING
	THE BRILL FILES: BATTLE OF THE EXPERTS – KROLL ONTRACK REFUTES OPPOSING COMPUTER FORENSIC EXPERT'S ERRONEOUS REPORT
	TECHNOLOGY YOU SHOULD KNOW: TEN WAYS COMPUTER FORENSICS CAN BOLSTER A CASE
	KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: COURTS ADDRESS DATA WIPING UTILITIES AND EVIDENCE OF COMPUTER HACKING

Terminating Sanction Upheld for "Brazen" Electronic Data Destruction
Electronic Funds Solutions v. Murphy, 36 Cal.Rptr.3d 663 (Cal. Ct. App. 2005). In a lawsuit involving various business tort claims, the defendants appealed a default judgment and argued the trial court abused its discretion. During discovery, the plaintiffs' computer forensic expert discovered four of the defendants' hard drives had been "wiped" after the date the court ordered their production. The expert further concluded data had been copied from the hard drives before the wiping and selected data was reinstalled after the wiping. On one of the computers, the defendants appeared to have aborted the data wiping program minutes before they were required to turn it over to the plaintiffs' expert. Based on the defendants' intentional data destruction, the court entered a terminating sanction and awarded a default judgment of $24 million in punitive and compensatory damages in favor of the plaintiffs. On appeal, the court upheld the terminating sanctions in light of the "defendants' brazen violation of a discovery order in the face of an express warning." The court stated, the "Plaintiffs recovered e-mails from the computer only because defendants had not run the program properly... defendants' actions have made it virtually impossible to determine what items defendants destroyed." The court remanded the case, finding the damage award inconsistent with the amount sought in the complaint.

Computer Forensic Testimony Supports Sufficiency of Evidence
United States v. Ray, 428 F.3d 1172 (8th Cir. 2005). The defendant appealed an extortion conviction relating to an attempt to extort $2.5 million from a company by sending emails threatening to exploit a breach in the company's computer security. Arguing insufficiency of the evidence, the defendant contended the government had not established who actually sent the emails. During the government's investigation, a computer forensic expert had examined the defendant's hard drive and found three threatening emails and other incriminating evidence. The expert testified the emails and documents were created by someone typing on the computer. The expert also stated that someone had logged onto the Internet from the computer using the screen name and password used to send the emails. Further, the expert found no evidence of remote access or hacking into the computer. Based on this evidence, as well as the defendant's admission he logged onto his computer and the Internet several times a day, the appellate court upheld the conviction.

THE BRILL FILES: BATTLE OF THE EXPERTS – KROLL ONTRACK REFUTES OPPOSING COMPUTER FORENSIC EXPERT'S ERRONEOUS REPORT

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

One of my Kroll Ontrack colleagues recently worked on a case involving a battle of the experts, which resulted in an interesting twist of circumstances. (See MMI Prods., Inc. v. Long, 2005 WL 757073 (D.Md. Apr. 1, 2005), rev’d, 2005 WL 2334158 (D.Md. Aug. 15, 2005)). In this case, a manufacturing and distribution company alleged a former employee misappropriated a company-issued Dell laptop before he left the company. In support of its claim, the company hired a computer forensic expert to analyze the employee’s hard drive. The company’s expert concluded “there was an attempt to overwrite data through a selective restoration from a previous backup session or a reinstallation of Microsoft Windows 2000.” The expert further declared the selective restoration happened at a backup session possibly occurring on December 10, 2002.

In defending the action, the employee hired a Kroll Ontrack computer forensic expert to examine the opposing expert’s analysis and conclusions. After completing his investigation, the Kroll Ontrack expert determined the other expert’s findings were erroneous. Based on information from the Dell support Web site, our expert discovered the laptop at issue had been shipped to the company on December 21, 2002. The shipment clearly occurred after December 10, 2002, the date the opposing expert opined the restoration activity might have taken place. Thus, as the employee could not even have had the laptop before it was shipped from Dell, he could not have performed a selective restoration of it on December 10. Notably, the opposing expert's report failed to reflect any effort to determine the laptop’s manufacturing or shipping date.

The opposing expert also wrote in his report that email and data fragments located in unallocated space showed intentional deletion by the laptop user. However, our expert concluded that any deletions, overwrites, email fragments, and data found in unallocated space were the result of normal processes, not efforts by a user to delete information. The only files intentionally deleted were documents that were personal to the employee, which the employee testified he had deleted. Further, a number of email fragments referenced by the opposing expert were actually located in active file space or the active Outlook Express program mail boxes. Finally, although opposing counsel initially maintained the laptop had not been accessed or even turned on since they received it from their client, our expert noted the laptop had been imaged by the opposing expert after at least two sessions of non-forensic access while the company's lawyers had control of the laptop.

Based on these findings, a magistrate judge proposed the company and its counsel pay Kroll Ontrack’s costs as a sanction for failing to make reasonable inquiries into the reliability of their own expert's report. Although the trial court found no error with the magistrate’s factual findings, it declined to award costs based on its determination that the party and its attorneys should not be sanctioned for deficiencies or errors in the expert's report. The court also noted the company “had since in effect surrendered. It decided its expert's conclusion was useless and determined not to call him at trial.”

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637or at akarls@krollontrack.com. ***

TECHNOLOGY YOU SHOULD KNOW: TEN WAYS COMPUTER FORENSICS CAN BOLSTER A CASE

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***

The “Information Age” has resulted in virtually every business transaction taking place on a computer. PCs have replaced typewriters for even basic correspondence, and computers have become standard home appliances. Just as with television, it is unnecessary for people to understand how computers work, or the way data is physically stored on them, in order to effectively use one.

Similarly, when a case involves electronic evidence, parties and their attorneys may not always understand how evidence is retrieved and analyzed. However, they should be aware of the types of evidence that can be found with the help of a computer forensic expert. Below are ten ways computer forensics can assist in uncovering evidence that may bolster a case.

1. Password Breaking. After scanning the data to determine if any security features are present, a computer forensic expert can attempt to break passwords or encryption and access a file’s previously inaccessible content.
2. Deleted Files. Deleted files are files and directories recovered after being deleted from the active data. An expert may be able to recover deleted file fragments or deleted files in their entirety.
3. File Slack and Unallocated Space. When a file is deleted, it will stay on the drive as unallocated storage space until overwritten by a new file. When overwritten by a smaller file, the previous file’s data may become part of the file slack of the new file. Searching file slack and unallocated space can help uncover lost or hidden data and can help identify network logon names, passwords, and other sensitive information.
4. Embedded Data. Embedded data, hidden and unavailable to computer users who are not technically adept, can be a significant form of evidence. Such data may include embedded metadata that is generally not visually reproduced when a document is printed. This can describe the content, quality, condition, history, and other characteristics of the data.
5. Internet History Logs. Internet history logs track Web sites accessed by a user during a certain time period. Recently viewed Web pages, which may be accessible in a browser drop-down box for quick access to recently viewed pages, can provide insight into a user’s activities.
6. Cookies. Cookies are small files automatically created and stored on a user’s hard drive when the user visits an Internet Web site. The computer uses this information to remember the user when he or she returns to the particular Web site. Cookies can contain evidence in the form of designated user names, passwords, a prior visit log, customized settings and other data that tracks how the user customizes the site.
7. Temporary Internet Files (Cache). When a Web site is accessed, an Internet browser automatically creates temporary Internet files that contain the page's text, graphics and applications. When a user returns to a page, the browser checks the Web site’s server for changes to the page. These files can help an expert piece together a user’s Internet actions.
8. Instant Messaging Conversations. Instant messaging (IM) conversations are recoverable in some cases. Typically IM sessions are saved in volatile memory, memory that purges its contents when the computer or hardware device loses power. Recovering an IM session stored in this format is not likely. However, an expert may be able to recover the contents of an IM session cached to the hard drive or to a swap file. Private IM software used by some companies may log the chat sessions, making chances of recovery good.
9. Date and Time Stamps. Date and time stamps are records that mathematically link a document to the time and date it was created, modified or last accessed. They are stored as part of a file’s metadata in the same "index" area as the name of the file itself. Even if the relevant data no longer exists, a forensic expert may be able to recover date and time information about the files.
10. Recycle Bin Data. Recycle Bin data can be useful in determining what files were deleted and when they were deleted. When the Recycle Bin is emptied, this data is no longer accessible to the typical user. However, a forensic expert can scan the drive for “emptied” Recycle Bin data.

KROLL ONTRACK NEWS & EVENTS

Kroll Ontrack Expands Electronic Discovery Education Courses for 2006
Kroll Ontrack has announced an expanded schedule of electronic discovery continuing legal education programs for 2006. With the addition of new courses for advanced litigation support professionals and attorneys, Kroll Ontrack is offering a more comprehensive curriculum for legal professionals of varying skill levels.

The popular "Electronic Discovery Certification Course" which began in 2003, again will be offered quarterly throughout 2006. A new bi-annual "Advanced E-Discovery Certification Course" has been added for 2006 specifically for litigation support professionals seeking a more advanced curriculum of e-discovery techniques. And for attorneys seeking an intense immersion in e-discovery essentials, the "Attorney E-Discovery Training Course" will be offered two more times this year. Each course will be held on Kroll Ontrack’s campus in Eden Prairie, Minnesota, giving each attendee the ability to tour a state-of-the-art electronic discovery processing facility.

Kroll Ontrack’s new "Advanced E-Discovery Certification Course" course will be offered to litigation support professionals who have completed the basic certification course, or have demonstrated expertise in e-discovery processes and procedures. With new technologies, case law and practices available nearly every day, this course will work to further enhance their grasp of practical applications and make them more skilled e-discovery practitioners.

In response to requests from practicing attorneys, Kroll Ontrack also has begun offering the "Attorney E-Discovery Training Course". This intense, one-day course guides attorneys through the entire e-discovery process and explains the latest case law and technology developments. Upon completion of this course, attorneys will be able to better manage e-discovery issues in litigation as well as offer sound advice to their organizations or clients.

2006 Course Dates and Tuition:

"E-Discovery Certification Course"
February 9-10, June 12-13, September 14-15, December 4-5
Early-bird tuition - $995, regular tuition - $1500

"Advanced E-Discovery Certification Course"
March 23-24, November 13-14
Early-bird tuition - $995, regular tuition - $1500 (special discounts given to past attendees)

"Attorney E-Discovery Training Course"
April 7, October 12
Early-bird tuition - $345, regular tuition - $495

To find more details on all Kroll Ontrack’s educational offerings or to sign up for an upcoming course, visit the Kroll Ontrack events Web site at www.krollontrack.com/upcomingevents.

Meet Kroll Ontrack Representatives at the Following Events:

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.

KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or http://www.krollontrack.com/.