July 2004 - Volume 2, Issue 7
In This Issue:
FROM THE BENCH: CHILD PORNOGRAPHY CHARGES UPHELD - COURT RELIES ON DELETED COMPUTER FILES
THE BRILL FILES: GETTING THE FAX FACTS
TECHNOLOGY YOU SHOULD KNOW: LIMITATIONS OF CONDUCTING COMPUTER FORENSIC INVESTIGATIONS IN-HOUSE
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: CHILD PORNOGRAPHY CHARGES UPHELD - COURT RELIES ON DELETED COMPUTER FILES

A computer expert is frequently needed to retrieve and interpret computer evidence, which may be essential in helping a fact finder understand, unravel, and accept relevant electronic information. For example, in People v. Dominguez, 2004 WL 1068809 (Cal. Ct. App. May 13, 2004), a case involving a child pornography prosecution, a computer expert’s testimony helped to clarify complex and relevant electronic information.

The prosecution’s computer forensic expert recovered 45 child pornography images deleted from the computer’s active memory, and 20 deleted “favorites folders,” which marked prior visits to child pornography Web sites. The expert also testified that he uncovered a series of manual searches for child pornography on the defendant’s computer. In addition, the expert uncovered child pornography “cookie files,” which are designed to make return visits to a Web site faster.

Since the files in the favorites folders were held in the computer’s active memory, the trial court admitted them, asserting they were clearly created by the computer user. Although the court refused to admit the evidence about the “cookie files,” it allowed evidence of the manual Internet searches for child pornography Web sites. The jury entered a verdict convicting the defendant of possession of child pornography.

On appeal, the defendant argued, inter alia, that the evidence was insufficient to support the conviction because it was located in his computer’s inactive memory and could not be recovered without the use of specialized computer programs. In rejecting the defendant’s argument, the court declared that “[t]he fact that the evidence of that possession was the result of a forensic examination of the inactive memory of his computer is meaningless.” As such, the court determined the evidence supported the defendant’s conviction for possession of child pornography.


THE BRILL FILES: GETTING THE FAX FACTS

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

Recently, we received a phone call from a client who believed someone within its organization had printed an electronic mail message and faxed it to a competitor. The competitor told our client it had received the document by fax, but it only produced a redacted copy of the document that eliminated the fax’s printed data at the top of the page which may have revealed the source. We were brought in to help the client determine which fax machine transmitted the confidential information. The redacted copy made our investigation more difficult, but certainly not impossible.

Since the 1980s, fax machines have been familiar, widely used forms of technology. Nonetheless, many users do not really know what evidentiary value fax machines have when it comes to determining when documents were sent or received. For instance, most fax machines keep a record of phone numbers to which documents were transmitted, the date and time of the transmission, and the number of pages sent. For received faxes, the machine will record the transmitting fax machine’s identity (if it is transmitted) as well as the date, time, and number of pages transmitted.

However, it is crucial to remember that most fax machines only store a limited number of send/receive records. On average, a machine stores the amount of information that can be printed on a page, which is about 50 records. However, some machines keep fewer logs. When the log fills up, it prints out and clears the machine’s memory.

As such, time was of the essence in this case because we had to retrieve the data before the machine cleared it. We sent one of our forensic engineers to work with the client’s I.T. personnel. They had a variety of brands and models of fax machines. Each had a specific set of push-button commands to retrieve the reports. Upon retrieving all reports from each fax machine in the corporation, we were able to help our client target the machine that sent the confidential information to the competitor.

In addition to checking a fax machine’s data log, one should also check for data from the phone system. If fax lines are run through a company telephone system, one may be able to get detailed data on the numbers called as well as how long each call lasted. Even if fax machine lines do not run through a company system, you may still be able to get long-distance call information.

Remember that a computer forensic investigation can include data locations outside the computer box. When looking for information relevant to your next investigation, do not forget to get the facts on your fax.
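The cross-check described above, fax journals against phone-system call records, as an added example that is not part of the original article. The machine names, extensions, 555 numbers, record layouts and function names are all constructed for illustration; real journals and call detail records vary by vendor.

```python
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data: hypothetical machines, extensions and 555 numbers.
# Journal rows, oldest first: (time, direction, remote number, pages)
JOURNALS = {
    "fax-legal": [("2004-05-30 09:10", "TX", "5550111", 3),
                  ("2004-06-03 14:02", "TX", "5550199", 2)],
    "fax-sales": [("2004-06-04 08:30", "RX", "5550123", 1),  # older rows already cleared
                  ("2004-06-04 11:45", "TX", "5550150", 4)],
    "fax-exec":  [("2004-05-28 16:20", "TX", "5550177", 1)],
}
LINE_OF = {"fax-legal": "x4101", "fax-sales": "x4102", "fax-exec": "x4103"}
# PBX call detail rows: (line, call start, dialed number, duration in seconds)
PBX = [("x4101", "2004-06-03 14:01", "5550199", 95),
       ("x4102", "2004-06-02 17:40", "5550199", 60),
       ("x4103", "2004-05-28 16:19", "5550177", 40)]

def journal_hits(journals, target, start, end):
    """Sends to the target number inside the window, per machine journal."""
    return [(m, when, pages) for m, rows in journals.items()
            for when, direction, number, pages in rows
            if direction == "TX" and number == target and ts(start) <= ts(when) <= ts(end)]

def rolled_over(journals, start):
    """Machines whose oldest surviving record postdates the window start:
    the journal cannot be shown to cover the window, so a missing hit proves nothing."""
    return sorted(m for m, rows in journals.items()
                  if not rows or ts(rows[0][0]) > ts(start))

def pbx_only(journals, pbx, line_of, target, start, end, slack_min=5):
    """PBX calls from fax lines to the target with no journal record within slack_min minutes."""
    machine_of = {line: m for m, line in line_of.items()}
    hits = journal_hits(journals, target, start, end)
    calls = [(machine_of[line], when, secs) for line, when, dialed, secs in pbx
             if line in machine_of and dialed == target and ts(start) <= ts(when) <= ts(end)]
    return [(m, when, secs) for m, when, secs in calls
            if not any(hm == m and abs((ts(hw) - ts(when)).total_seconds()) <= slack_min * 60
                       for hm, hw, _ in hits)]

if __name__ == "__main__":
    window = ("2004-06-01 00:00", "2004-06-05 00:00")
    print(journal_hits(JOURNALS, "5550199", *window))
    print(rolled_over(JOURNALS, window[0]))
    print(pbx_only(JOURNALS, PBX, LINE_OF, "5550199", *window))
```

In the sample data the journals point to one machine, while the call records show a second call to the same number from a machine whose journal no longer reaches back that far.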

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***


TECHNOLOGY YOU SHOULD KNOW: LIMITATIONS OF CONDUCTING COMPUTER FORENSIC INVESTIGATIONS IN-HOUSE

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. ***

In today’s digital world, corporate America is increasingly seeing the need to forensically examine its employees’ computer conduct. When an incident occurs, corporations tend to have the corporate security or information technology staff attempt to confirm or deny suspicions by “taking a quick look” at the suspect’s computer. Unfortunately, the act of “taking a quick look,” if not carried out using proper computer forensic protocols, most often results in unintended and unnoticed changes to the digital files.

When conducting computer forensic investigations, a corporation must determine whether the work should be performed by an in-house I.T. staff member or outsourced to a computer forensic expert. When making this crucial decision, corporations should carefully weigh the following factors and considerations:

  • Experience. Merely booting up a computer can change information, such as times or dates on files contained within an operating system. As such, failing to create a sound mirror image (a bit-by-bit copy of a hard drive) before beginning an investigation could destroy valuable trails of electronic information. In order to avoid altering or missing potentially valuable data, an investigation should be performed by an individual with experience in creating mirror images and maintaining media integrity. After the image is obtained, the investigator needs to understand the goal of the investigation and how to best proceed in locating the desired evidence. In deciding whether to seek expert assistance, corporations should evaluate the computer forensic experience of the internal I.T. team members.
  • Technology Access. Conducting a computer forensic investigation requires access to appropriate technology and tools to image the media, look at the active data, restore deleted data, or search for data contained in slack or unallocated space. Corporations without such tools, and corresponding training on these tools, should avoid conducting computer forensic investigations in-house.
  • Chain of Custody. A crucial part of a computer forensic investigation is documenting chain of custody procedures. This indicates where the media has been, whose possession it has been in, and the reason for that possession. This is crucial should the investigation proceed to litigation and the evidence be offered for admission in court. An I.T. employee who is unfamiliar with standard chain of custody procedures may have difficulty documenting the requisite protocol for ensuring that the evidence was not changed, altered, or modified from the form in which it existed on the drive before it was imaged.
  • Impartiality. Computer forensic investigations usually involve acts of wrongdoing that can sometimes be unpleasant or extremely delicate. Asking an in-house I.T. department to investigate company computers may place its members in the awkward position of investigating their colleagues or superiors. Such investigations might also expose them to potentially hostile information contained on the subject computer. The impartiality of a third-party expert should be a factor in determining whether to perform computer forensics within the company.
  • Courtroom Testimony. Whoever conducts a computer forensic investigation is exposed to the possibility of becoming a witness in the case. They are at risk for intense cross examination of their credentials and the processes used in the investigation. Whether you want your employees exposed to this is something to take into consideration when deciding how to conduct your investigation.
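The Experience and Chain of Custody points above, sketched as an added example that is not part of the original newsletter or any Kroll Ontrack tool: a bit-for-bit copy verified by hash, plus a custody log in which each record is chained to the one before it. All function names are hypothetical, and the source is an ordinary file standing in for a drive attached through a write blocker.

```python
import hashlib, json, os, tempfile, time
from pathlib import Path
CHUNK = 1 << 20  # read in 1 MiB blocks

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Copy source to image bit for bit, then re-read the image and compare digests."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "xb" refuses to overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    if sha256_file(image) != h.hexdigest():
        raise OSError("image does not match source")
    return h.hexdigest()

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def custody_entry(log, item, sha256, holder, reason):
    """Record who holds the item and why, chained to the previous record's hash."""
    entry = {"item": item, "sha256": sha256, "holder": holder, "reason": reason,
             "time": int(time.time()), "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def verify_custody(log, image):
    """True only if no record was edited or dropped and the image still hashes the same."""
    prev, current = "0" * 64, sha256_file(image)
    for e in log:
        if e["prev"] != prev or e["sha256"] != current or _digest(e) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def demo():
    with tempfile.TemporaryDirectory() as d:
        log, src, img = [], Path(d, "source.bin"), Path(d, "image.dd")
        src.write_bytes(os.urandom(2 * CHUNK + 17))  # constructed stand-in for a drive
        custody_entry(log, img.name, acquire_image(src, img), "Examiner A", "acquisition")
        intact = verify_custody(log, img)
        log[0]["holder"] = "someone else"  # an edited record breaks the chain
        return intact, verify_custody(log, img)
```

Calling `demo()` returns the verification result before and after a custody record is edited.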

KROLL ONTRACK NEWS & EVENTS

KROLL ONTRACK ACQUIRES QUORUM LITIGATION SERVICES
On May 14, 2004, Kroll Ontrack Inc. announced that it acquired Quorum Litigation Services LLC, a leading provider of paper scanning, coding, and optical character recognition (OCR) services based in Eagan, MN. The acquisition positions Kroll Ontrack to become the global provider of comprehensive documentary evidence management solutions. Kroll Ontrack’s president, Ben Allen, noted, “This is a perfect marriage of complementary capabilities for our collective clientele. Kroll Ontrack is a market leader in electronic discovery and Quorum is a market leader in litigation paper document support. Together we become the only single-source provider of large-scale electronic and paper-based discovery solutions, creating a true one-stop-shop for companies and law firms around the world that need to efficiently manage large volumes of data for review and production in support of litigation or regulatory compliance matters.”

Meet Kroll Ontrack Representatives at the Following Events:

7/20/04-7/21/04 Glasser E-Discovery "A-to-Z" Workshop, New York, NY
7/24/04-7/26/04 Paralegal SuperConference, Washington, DC
8/23/04-9/26/04 LawNet 2004: A New Tradition, Phoenix, AZ
9/9/04 Paralegal SuperConference, Chicago, IL
9/16/04-9/17/04 E-Discovery Certification Course, Eden Prairie, MN
9/20/04-9/21/04 Glasser E-Discovery "A-to-Z" Workshop, Chicago, IL
9/27/04-9/28/04 Glasser E-Discovery "A-to-Z" Workshop, San Francisco, CA

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.


KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to mlange@krollontrack.com.

Michele C.S. Lange, staff attorney with Kroll Ontrack, wrote portions of this newsletter. Charity Delich, a Kroll Ontrack law clerk, helped prepare the case summaries. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensic services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.

© 2004 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105