In This Issue:
FROM THE COURTS: PLAINTIFF SANCTIONED FOR DESTROYING EVIDENCE IN “WEE HOURS” PRIOR TO COMPUTER FORENSIC EXAMINATION
One area where e-evidence caselaw is developing rapidly is
sanctions. Courts have not hesitated to
admonish or sanction parties for bad faith maneuvering,
rule violations, and negligent or intentional
spoliation. Sanctions for such conduct have included:
adverse inferences or presumptions (at either the case
level or the issue level), preclusion of evidence,
monetary sanctions, and dismissal or default.
A recent Northern District of Illinois case directly on
point is Kucala Enters., Ltd. v. Auto Wax Co.,
2003 WL 21230605 (N.D.Ill. May 27, 2003). In this patent
suit, the district court ordered the inspection of the
Plaintiff’s computer. The Defendant hired a computer
forensic investigator to create a forensic image of the
computer hard drive and analyze the results. The
computer forensic expert was able to identify that the
night before the computer image was created, “Evidence
Eliminator” was used to delete and overwrite over 12,000
files. The expert further determined that 3,000
additional files had been deleted and overwritten three
days earlier.
Even though there was no clear indication that relevant
evidence was among the destroyed files, the court
described the Plaintiff’s actions as “egregious conduct”
and emphasized the Plaintiff’s apparent intent to
destroy evidence that it had a duty to maintain. The
magistrate judge recommended to the district court that
the Plaintiff's case be dismissed with prejudice and
that the Plaintiff be ordered to pay the Defendant's
attorney fees and costs incurred in defending the
motion.
FROM THE BRILL FILE: JUMPING TO CONCLUSIONS IS NOT AN OLYMPIC SPORT – PART I
Written by Alan Brill, Senior Managing
Director for Kroll Ontrack, The Brill Files reflect his
work in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation.
Jumping to conclusions can undermine any investigator’s case,
including a computer forensic expert digging for digital
fingerprints. This month I will address how it is
sometimes easy to jump to plausible computer forensic
conclusions without having the necessary evidence for
support. In next month’s newsletter, I will address
another area where it is easy to make unsupported
computer forensic assumptions – computer ownership and
possession.
“Who Done It?”
On many of today’s “cop and lawyer” TV
shows, the burning question is almost always “Who Done
It?” In the TV world, the answer to this question has to
be reached in a 30 or 60-minute timeframe due to
constraints and entertainment value. They get the
confession, break the alibi, match the DNA, or simply
catch the perpetrator in the act.
In real life, computer forensics is not always as neatly
packaged as Hollywood makes it appear. In performing
computer forensic work, you have to be constantly on
guard against jumping to conclusions that may be
plausible, but are still conclusions. For example, we
had a case in which an email clearly originated in the
account of a specific employee. The employee denied
sending it, but there was clear and irrefutable computer
forensic evidence to show that the message did not
originate elsewhere. The company wanted to know if we
could provide them with a sworn statement indicating
that the employee had sent the email message in
question. The company was shocked when we said we could
not do so without further investigation.
In bridging the gap with the client, we explained that we
could show with great certainty, and based on strong
forensic evidence, that the message originated from the
employee’s email account. However, to answer the
question of “who done it” – whether the employee
originated the message – we had to expand our
investigation beyond the simple forensic examination of
the employee’s computer.
From the viewpoint of the computer, your identity is based on
the authentication system that is in place. It may be
something as simple as a user-ID and password. Whoever
enters the combination of ID and password correctly is,
from the computer’s viewpoint, you. It became necessary
to understand the company’s authentication system,
including, but not limited to, asking some of the
following questions:
- Details of the system configuration. (In many
cases, the user does not enter a separate password for
their email client program. Their system-level logon
is sufficient.)
- The level of password security, including
password lengths, alphanumeric requirements, and
frequency of password changes.
- Whether there was a policy and awareness
program reminding employees not to share their
passwords with others.
- The history of related incidents to determine
whether practices like password sharing are
commonplace.
- Access to the computer. Can the system be
accessed from outside the company’s premises? Can a
message only be entered into the system from the
particular computer? Who had physical access to it?
After asking detailed questions and examining
deeper issues, we were able to provide a reasoned
opinion that we could back up with specific
investigative findings. To do otherwise is jumping to
conclusions that we cannot support, which undermines
any investigator’s case.
Kroll Ontrack Requests Your Input
Our legal consultants, project managers, and technology
experts strive to stay on top of e-discovery law. If you
are aware of any additional local court rules or new
cases in this area of the law, please do not hesitate to
contact us by writing to abrill@krollontrack.com.
For more information about electronic discovery and computer
forensics services, contact Kroll Ontrack at
1-800-347-6105 or www.krollontrack.com.