In This Issue:
FROM THE BENCH: COURTS ADDRESS ISSUES RELATING TO COMPUTER FORENSIC PROTOCOLS
Court’s Chambers Used to Make Forensic Image of Defendant’s Hard Drive
Warner Bros. Records, Inc. v. Souther,
2006 WL 1549689 (W.D.N.C. June 1, 2006). In a copyright
infringement case, the plaintiffs accused the defendant
of unlawfully downloading and distributing copyrighted
materials through a peer-to-peer, online media distribution
system. After the defendant failed to provide electronic
copies of her computer’s desktop and registry
files in response to a production request, the court
ordered the defendant to bring the computer to an evidentiary
hearing. At the hearing, the court permitted the plaintiff’s
forensic technician to make a mirror image of the defendant’s
computer in the court’s chambers. Issuing a protective
order, the court restricted the plaintiffs from using
or disclosing any electronic information obtained from
the computer that was unrelated to the case. The court
also reserved the right to issue Rule 37 sanctions against
the defendant for failing to provide the electronic
files, after having the opportunity to consider the
defendant’s computer skills and the reasonableness
of her efforts to comply with the discovery request.
Citing Sedona Principles, Court Allows Forensic Imaging of Former Employee’s Home Computer
Quotient, Inc. v. Toon, 2005 WL 4006493 (Md.
Cir. Ct. Dec. 23, 2005). In a breach of contract suit,
the plaintiff alleged that the defendant, while employed
by the plaintiff, provided a former employee access
to the plaintiff’s computer system so that the
former employee could obtain trade secrets and confidential
information. In order to preserve potentially relevant
e-mail evidence on the defendant’s personal computer,
the plaintiff filed an emergency motion for expedited
discovery. The plaintiff offered to pay for a computer
expert to make a mirror image of the defendant’s
computer and stipulated the contents could be sealed
until further court order. In granting the emergency
motion, the court found a “substantial probability”
that relevant electronic evidence, including e-mails
and instant messages, “could be made less accessible
to the parties merely by the defendant’s normal
course of computer use, regardless of his intentions
and motive.” The court observed, “the unintentional
destruction of relevant evidence should be halted when
it can be done so in a fashion that is minimally intrusive
and where [the other party] is willing to bear the full
cost of the process.” Citing the Sedona Principles,
the court granted the emergency order, finding in certain
circumstances, preservation orders may aid the discovery
process by promoting efficiency and by specifying the
parties’ preservation obligations. The court requested
the defendant’s lawyers screen the computer data
for privacy, privilege, and relevancy issues before
disclosing the contents to the plaintiffs.
THE BRILL FILES: COMPUTER FORENSIC EXPERTS INVESTIGATE DETAINED DATA
*** Written by Alan Brill, Senior Managing Director
for Kroll Ontrack, The Brill Files reflects his work
in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation. With more than 25 years of consulting experience,
Mr. Brill has assisted organizations with a wide range
of technology security issues and is an internationally
recognized speaker and instructor. ***
I recently read a news story featuring one of the latest
“ransomware” viruses to infect cyberspace.
“Cryzip,” a Trojan virus, captures documents
on an infected computer by using a commercial zip library
that stores the documents inside of an encrypted zip
file. The virus then leaves instructions on the victim’s
computer detailing how to retrieve the encrypted documents.
In order to unzip the file and access documents, a victim
of the virus must pay $300 ransom in exchange for a
decryption password (see http://www.foxnews.com/story/0,2933,187845,00.html).
Cases involving data encryption issues certainly can
be among the most difficult for a computer forensic
expert to resolve. In one of the latest cases Kroll
Ontrack worked on, for example, we were asked to identify
and break hundreds of encrypted files contained on backup
tapes. Unless the encryption could be broken, our client
would not be able to access critical data needed for
an internal corporate investigation.
Initially, our computer forensic experts extracted
all of the data contained on the backup tapes. We then
proceeded to identify the target data – the data
requiring decryption – and segregated it from
the rest of the data. Using specialized computer forensic
tools, we de-duplicated the target files and eliminated
more than 150 duplicative files.
After the de-duping process, our forensic experts were
left with approximately 400 original files that needed
password decrypting. We separated the remaining files
into sets of 50 files and ran each set through a password
cracking utility.
Our experts discovered some of the passwords were not
truly encrypted but were instead protected cells. We
broke these passwords instantly and were able to break
all of the other passwords, except one, on the remaining
encrypted files within minutes. The remaining password
required a more extensive analysis and, after trillions
of attempts, we cracked the password – in less
than 12 hours.
This case study presents just one example of how a
computer forensic expert can use innovative techniques
and tools to assist in retrieving password-protected
and encrypted data. If faced with a case in which crucial
data is held hostage by an encryption-napper, you should
engage a computer forensic expert who can assist in
cracking the case.
*** If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Amanda Karls at (952)
516-3637 or at akarls@krollontrack.com.
***

TECHNOLOGY YOU SHOULD KNOW: TIPS FOR PREPPING A COMPUTER FORENSIC EXPERT FOR TRIAL
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators are expected to understand the inner
workings of computers and how they relate to computer
conduct issues. ***
After a lengthy discovery process filled with client
interviews, discovery requests, depositions, interrogatories,
and case scheduling hurdles, you have finally made it
to trial. As the trial date looms near, you must plan
one of the most important pieces of your case –
preparing a computer forensic expert to testify at trial.
Preparing a computer forensic expert to testify can
raise numerous questions and concerns. How can a computer
forensic expert’s testimony assist in solidifying
your case? What information should you know before beginning
expert witness preparation? How does prepping a computer
forensic expert differ from prepping any other expert?
How can you help the expert connect with and convince
the jury? The following five tips can help you sharpen
your computer forensic expert witness’ ability
to persuade the jury, thwart attacks from opposing counsel
and shine at trial.
- Emphasize the Expert’s Credentials.
An expert with impeccable credentials and solid computer
investigative experience can be one of the most important
weapons in your case arsenal. Indeed, opposing counsel
will use every opportunity available to attack your
expert’s reliability and expertise. Establishing
expert credibility during trial will involve highlighting
the expert’s direct, provable experience handling
the type of technical situation at issue in the case.
Additionally, counsel should point out the expert’s
technical and professional skills, such as his or
her case experience (including both volume and types
of cases handled), formal education, certifications
and ongoing field training, publication and presentation
experience, and testifying background.
- Understand Technical Terminology.
For most lawyers, terms like “encryption,”
“slack space,” “file allocation
table,” and “date/time stamps” are
virtually meaningless. However, proper witness preparation
requires counsel to develop a working familiarity
with any computer technology terms likely to come
up in the case at hand. In addition to comprehending
terms contained in your own expert’s report,
you should also understand terminology mentioned by
your opponents. Possessing this knowledge will allow
you to pick apart the opposing expert’s report
and to prepare for addressing shortfalls in your own
case.
- Familiarize Yourself with the Computer Forensic
Investigation Process. A typical computer
forensic investigation involves the following steps:
(1) consultation with clients and computer forensic
experts; (2) data collection; (3) data preservation;
(4) data recovery and analysis; and (5) expert testimony
and reporting. Lawyers should acquire general knowledge
about the processes that take place during each of
these steps and how these procedures work into their
overall theory of the case. This will also help a
litigator pinpoint process gaps in the opposing expert’s
computer investigation.
- Ask the Expert to Educate You About Issues
Raised in Your Specific Case. In addition
to understanding the general scope of a computer forensic
investigation, you should develop intimate knowledge
about the specific technical issues that will need
to be addressed in your case. An expert can help explain
shortcomings in your case and assist with uncovering
weaknesses in the opposing side’s case –
an indispensable tool during cross-examination of
the opposing party’s expert. The expert can
also help pinpoint weaknesses and potential areas
for impeachment in an opposing expert’s computer
forensic report.
- Coach the Expert on Communication Skills.
Regardless of how much education, experience and skill
they possess, testifying computer forensic experts
will be virtually valueless if they cannot clearly
explain case technicalities to the judge or jury.
Attorneys should realize most computer forensic experts
have backgrounds in information technology or high-tech
investigative police work, making highly complex technical
terms second nature to them. It’s imperative
you work with an expert on phrasing case explanations
in layman’s terms and work to avoid the use
of technical acronyms. In addition, you should prepare
the expert for which questions they will be asked
at trial on direct examination, why those questions
are likely to be asked, and what tactics the opposing
side may employ on cross-examination.

KROLL ONTRACK NEWS & EVENTS
Meet Kroll Ontrack Representatives at the Following
Events:
7/27/06 - 7/28/06 | Paralegal Super Conferences | Washington D.C.
8/21/06 - 8/24/06 | ILTA 06': Evolving Together | Orlando, FL
8/31/06 - 9/1/06 | E-Discovery Advisor Summit | Phoenix, AZ
9/14/06 - 9/15/06 | Electronic Discovery Certification Course | Eden Prairie, MN
9/18/06 - 9/20/06 | 2nd E Discovery | New York, NY
9/19/06 - 9/20/06 | E-Discovery "A-to-Z" Workshop | Seattle, WA
10/3/06 | Orange County Association of Legal Support Specialists | Orlando, FL
10/4/06 - 10/5/06 | Paralegal Super Conferences | Philadelphia, PA
10/4/06 - 10/5/06 | E-Discovery "A-to-Z" Workshop | Atlanta, GA
10/19/06 - 10/20/06 | Paralegal Super Conferences | San Francisco, CA
10/24/06 | Document Retention And Destruction In The Age Of Electronic Documents | Boston, MA
10/30/06 - 11/1/06 | HTCIA International Training Conference & Expo | Cleveland, OH
11/13/06 - 11/14/06 | Advanced Electronic Discovery Certification Course | Eden Prairie, MN
11/29/06 | Maine State Bar Association Employment & Labor Section Meeting | TBD
12/4/06 - 12/5/06 | Electronic Discovery Certification Course | Eden Prairie, MN
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology
experts strive to stay on top of electronic discovery
law. If you are aware of any additional local court
rulings or new cases in this area of the law, please
contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff
attorney with Kroll Ontrack, with assistance from Melanie
Bradshaw, a Kroll Ontrack law clerk. Ms. Lange has published
numerous articles and speaks regularly on the topics
of electronic discovery, computer forensics, and technology's
role in the law. She can be contacted by writing to
mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.