| In This Issue:
 FROM
THE BENCH: COURTS ADDRESS EXPERT QUALIFICATIONS AND
DOCUMENT DESTRUCTION ISSUES
Computer Forensic Expert Qualified to Testify
Based on Knowledge and Experience
Galaxy Computer Servs., Inc. v. Baker, 2005
WL 1278956 (E.D. Va. May 27, 2005). A Chapter 11 debtor
brought an action against two of its former officers,
who purchased a portion of the debtor’s assets,
and the parent company that purchased the assets. Interalia,
the plaintiff, sought to introduce testimony from a
computer forensic expert to establish that the defendants
deleted files from the plaintiff’s computer. The
expert analyzed nine of the plaintiff’s hard drives
and prepared an expert report detailing the deletion
of the foreclosing bank’s directory, all files
containing the word "Baker,” from the plaintiff's
mail server and several other deletions. Seeking to
have the testimony excluded, the defendants argued that
the testimony was irrelevant, the expert did not follow
proper procedures, and the expert was unqualified to
offer opinions about altered or deleted data. The defendants
further argued the expert and its employer failed to
follow their own internal chain of custody procedures,
making them unable to ensure the recovered data was
accurate. Rejecting the defendants’ arguments,
the court declared the expert could testify based on
his knowledge, skill, experience, training and education.
The court also declared the defendants could cross-examine
on any chain of custody issues.
Magistrate Recommends Default Judgment for
‘Evidence Eliminator’ Document Destruction
Communications Ctr., Inc. v. Hewitt, No. S-03-1968
WBS KJM (E.D. Cal. Apr. 5, 2005). In a case arising
from misappropriation of trade secrets, unfair competition
and other allegations, the plaintiff brought a motion
for terminating sanctions against the defendant for
violating a magistrate’s discovery order. The
order required the defendant to produce a compact disc
containing mirror images of any responsive hard drives
in the defendant’s possession. The production
was to be designated for “Attorney’s Eyes
Only” and no documents were to be withheld from
production. Although the defendant produced three CDs,
they were not mirror images of the defendant’s
hard drives. The defendant supplemented the production
with ten discs, which also failed to contain mirror
images. Days after the production, the defendant ran
a software wiping program called Evidence Eliminator
on three of the hard drives. The defendant claimed he
purchased the program only after learning the true meaning
of the “mirror image” as set forth in the
magistrate order. He further stated he used the program
to cover up evidence of an affair and to prevent disclosure
of embarrassing Web sites. The defendant further admitted
that he re-installed an operating system on one of the
drives, despite knowing that this would destroy data
on the drive. The magistrate found this conduct “a
stark affront to the judicial process.” Noting
the destroyed data was “gone forever,” the
magistrate awarded the plaintiff over $145,000 in costs
and fees. The magistrate further recommended that a
default judgment be entered for six out of the eight
causes of action.
THE BRILL FILES: INFORMATION TECHNOLOGY v. COMPUTER
FORENSICS
*** Written by Alan Brill, Senior Managing Director for Kroll
Ontrack, The Brill Files reflects his work in the field
with clients who have encountered some not-so-pleasant
events and what was done to remedy the situation. With
more than 25 years of consulting experience, Mr. Brill
has assisted organizations with a wide range of technology
security issues and is an internationally recognized
speaker and instructor. ***
In most companies, no one possesses more knowledge
about company policies, procedures, capabilities and
vulnerabilities in an IT system than the IT department.
They have helped shape technology within an organization
and understand its capabilities inside and out. However,
despite having intricate knowledge about various operating
systems and other media, IT experts are just that: experts
in IT.
IT personnel may not always understand how to handle
data subject to a computer forensic investigation. The
complexity, equipment requirements and expertise associated
with digital forensics may present enormous challenges
for IT departments with limited resources, training
or experience.
One of our clients recently came to us with a hard
drive from a former employee who left the company and
joined a competitor. The company believed the employee
copied confidential data from his company laptop to
a new laptop, purchased shortly before he left. Using
a commercially available forensic tool, an IT professional
attempted to make a sector-by-sector copy of the original
drive. During the cloning process, he inadvertently
overwrote the original hard drive by copying the target
to the hard drive instead of copying the user’s
hard drive to the target. Unfortunately, we were unable
to recover any of the data. Had the client brought the
hard drive to us from the start, we would have been
able to easily perform a complete analysis of the hard
drive and provide the client with computer forensically
sound results.
This case illustrates how IT experts are not experts
in computer forensics. Because of the fragile nature
of electronic evidence, a company should engage expert
assistance if the IT staff lacks the requisite equipment,
time, training and experience to perform the imaging,
recovery and analysis of data. Failure to adhere to
strict forensic industry standards will not only result
in the loss of critical data but may also impinge the
credibility of any data counsel attempts to offer into
evidence. Ultimately, a court may refuse to admit a
key piece of evidence if it finds the data unreliable
due to improper handling or chain of custody issues.
An expert may also be necessary if calling an IT person
as a witness at trial is undesirable or if a conflict
of interest might hurt the case. The bottom line: a
properly trained computer forensic expert will put your
company in the best position to uncover digital clues.
*** If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Michele Lange at (952)
906-4927 or at mlange@krollontrack.com.
***
TECHNOLOGY YOU SHOULD KNOW: STEERING CLEAR OF COMPUTER
FORENSIC LANDMINES
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators are expected to understand the inner
workings of computers and how they relate to computer
conduct issues. ***
As the cases indicate, no longer can parties or their
counsel claim to be unaware of digital data. Instead,
judges are expecting electronic evidence savvy litigators
in their halls of justice. Listed below are five tenets
that counsel and their clients need to understand when
facing a computer forensic issue in a case.
1) Understand that delete does not mean delete.
The case law, both at the State and Federal level, is
full of civil and criminal decisions where individuals
failed to understand that the “delete” key
on the keyboard is not equivalent to the paper shredder.
Each and every electronic document leaves an electronic
fingerprint. This fingerprint is then stored or captured
on the hard drive, even if the user merely opens a document
from a floppy drive and sends it to the printer. The
fingerprint remains magnetically embedded on the drive
(and ripe for the picking by computer forensic experts)
regardless of the fact that the user directs the computer
to “delete” the data. Unless and until one
resaves over the digital fingerprint, which typically
occurs only when the all hard drive space has been utilized,
might the fingerprint disappear for good.
2) Create a mirror image of the media to preserve
evidence. When litigation ensues or it is foreseeable
that a user’s computer might be a good source
of salient evidence, a mirror image is crucial. There
is nothing more frustrating to a litigator than to be
in the midst of discovery and be told “that information
is on John’s laptop and we let him take that out-of-date
machine with him when he left the company” or
“Sue is now using John’s old computer.”
The costs associated with imaging a hard drive are minuscule
compared to the costs involved in attempting to locate
and, if possible, retrieve the data later on down the
road.
3) Avoid tainting the computer evidence.
While electronic files are easy and convenient to create
and duplicate, they are also easy to alter or damage.
For example, simply booting a computer or opening a
file can change potentially valuable dates, times and
other behind the scenes information about the data.
Sanctions for spoliation of electronic evidence include
adverse inferences or presumptions (at either the case
level or the issue level), preclusion of evidence, monetary
sanctions, and even dismissal or default.
4) Know the difference between formatting,
defragmenting and wiping and their effects on a hard
drive. Often, people assume that data is unrecoverable
after one of these techniques is employed. This is largely
untrue. In most cases, formatting does not harm the
data on the hard drive. Defragmenting a computer will
not harm the active data (the data that a user can access
on their own from the desktop) but may render normally
recoverable deleted data (the data that only a forensic
engineer can recover) virtually unrecoverable. If run
properly, a wiping utility will make the data completely
unrecoverable by commercial computer forensic experts.
5) Be able to identify reputable forensic experts.
Use only qualified forensic experts who use
proper protocols to not only collect and recover the
data important to your case, but who can articulate
their results and conclusions to a finder of fact clearly
and accurately.
KROLL ONTRACK NEWS & EVENTS
Meet Kroll Ontrack Representatives at the Following
Events:
| 7/25/05 |
Association
of Trial Lawyers of America - 2005 Annual Convention |
Toronto,
Canada |
| 8/22/05
- 8/23/05 |
CPA
Associates International |
Chicago,
IL |
| 8/22/05
- 8/25/05 |
ILTA
2005 |
Phoenix,
AZ |
| 8/29/05
- 8/31/05 |
HTCIA
2005 International Conference, Training & Expo |
Monterey,
CA |
| 9/12/05
- 9/13/05 |
E-Discovery
Certification Course - DETAILS COMING SOON! |
Eden
Prairie, MN |
| 9/22/05
- 9/23/05 |
Glasser
LegalWorks - E-Discovery: An A-to-Z Workshop |
Los
Angeles, CA |
| 10/19/05
- 10/23/05 |
DRI
2005 Annual Meeting |
Chicago,
IL |
| 11/2/05
- 11/5/05 |
National
Conference of Bankruptcy Judges 79th Annual Meeting |
San
Antonio, TX |
| 12/1/05
- 12/2/05 |
E-Discovery
Certification Course - DETAILS COMING SOON! |
Eden
Prairie, MN |
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.
|
