In This Issue:
FROM THE CASE FILES: KROLL ONTRACK EXPERTS RECOVER COMPUTER "TIME BOMB"
In United States v. Lloyd, 269 F.3d 228 (3rd Cir.
2001), a unanimous three-judge panel of the 3rd U.S.
Circuit Court of Appeals found that a man convicted of
planting a computer "time bomb" in his former employer’s
computer system is not entitled to a new trial on the
basis of juror prejudice. The man was originally
convicted in large part due to the testimony of experts
retained from Kroll Ontrack, Inc. The ruling reinstated
the trial court's verdict in which the Defendant was
convicted on one count of computer sabotage.
The prosecution's theory of the case was that the Defendant
had planted a computer "time bomb" in the central file
server of Omega's computer network while he was still
employed there, and that the program "detonated"
after he was fired, causing significant damage and
business interruption to Omega's operations.
Kroll Ontrack experts testified at the original
trial that the "purge" of Omega's files was intentional,
and that only someone with supervisory-level access to
the network could have accomplished such a feat.
Uncovering evidence of a string of commands entitled
"FUSE.EXE," Kroll Ontrack experts characterized the
commands as a "time bomb" because anyone who attempted
to log on to the server after the commands were in place
detonated the program and caused a massive deletion of
data. The program was similar to a Microsoft program
called "DELTREE," but reconfigured for Novell. Kroll
Ontrack experts ruled out the possibility of accidental
deletion (one of the Defense's main contentions) because
of the specificity of the commands. They also testified
that examination of the hard drive recovered from the
Defendant's home turned up the exact same strings of
commands that comprised "FUSE.EXE."
United States v. Lloyd was one of the
first cases of its kind, but it definitely has not been
the last. With computer crimes increasing in both number
and destructive power, law enforcement officers,
investigators, lawyers, and judges are increasingly
bombarded with technical issues. Keeping up with the
state of the law in this area is crucial in issuing
accurate and thorough computer forensic opinions.
See Kroll Ontrack’s electronic evidence case list for
more cases in this area of the law.
http://www.krollontrack.com/LawLibrary/CaselawList/
FROM THE BRILL FILE: DON’T GET LOCKED OUT OF YOUR OWN COMPUTERS
Written by Alan Brill, Senior Managing
Director for Kroll Ontrack, The Brill Files reflect his
work in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation.
As computer security now plays a more central role in
corporate America, hardware and software manufacturers are
moving to provide more embedded security features that
provide particular users the ability to take computer
security into their own hands.
It is pretty clear that when
corporations buy a computer for an employee to use in
the daily course of business, it belongs to the company.
Thus, the company should have a right to review the
contents of the machine whenever it deems
appropriate. (Of course, we recommend that this policy
be fully communicated to the employees who use corporate
computer resources and that they acknowledge their
understanding of this.)
What we are seeing from a technology
viewpoint is an increasing capability being built into
new computers to safeguard hard drive data through
encryption. For example, on new IBM ThinkPad and
NetVista PCs, an administrator can use IBM’s
Embedded Security System to encrypt the contents of hard
drive files with a strong cryptographic algorithm. And
with new fingerprint readers being developed by
IBM’s business partners, decryption will require not
only a password, but biometric
authentication.
Moving into the future, the Microsoft
Next-Generation Secure Computing Base (NGSCB – formerly
code-named “Palladium”) promises authorized users the
ability not only to encrypt files on the hard drive,
but to implement encryption of signals inside the PC,
starting at the keyboard level. As the chipsets and
associated hardware and software become available, NGSCB
promises to provide powerful capability to protect
corporate information both within a machine and as the
data moves between systems. (My old friend Scott
Charney, formerly of the U.S. Justice Department, is now
Chief Security Architect for Microsoft and deserves more
of the credit for championing this work than he will
ever accept.)
The new embedded security features
represent a significant potential danger for computer
forensics experts and their clients. Simply put, whoever
is in charge of a PC with embedded security hardware and
software like that implemented by IBM or planned by
Microsoft has the capability of effectively locking the
machine and its contents against all intruders. If the
ultimate keys to these systems are not maintained by
corporate IT or IT Security management, the alternative
is worrisome, and probably should be viewed as
unacceptable – end-users who are permitted to set
themselves up as systems administrators will have
the capability to lock their own companies out of the
machines. They will be able to possess strongly
encrypted files that may well be effectively impossible
for the company to access, even with the assistance
of experienced computer forensic specialists.
The challenge, I think, is clear. If you
do not begin to take steps now to take positive control
of all corporate computing resources, understand that
your users may take control, and it may be difficult
to get it back. Begin planning now for the evolution
of this technology. You should have your IT department
serve as the Administrator of all machines, so that they
hold the ultimate “keys” to the security system.
Encryption may be fully appropriate, but only if you can
get to the data if needed. If the end-user plays the
role of administrator, you may find yourself locked out
of your own computer.
Kroll Ontrack News and Events:
To learn more about electronic discovery
and computer forensics, attend one of these
events:
Visit our Upcoming Events section at http://www.krollontrack.com/upcomingevents/
to learn about these presentations and more.
Kroll Ontrack Requests Your Input
Our legal consultants, project managers, and technology
experts strive to stay on top of e-discovery law. If you
are aware of any additional local court rules or new
cases in this area of the law, please do not hesitate to
contact us by writing to abrill@krollontrack.com.
For more information about electronic discovery and computer
forensics services, contact Kroll Ontrack at
1-800-347-6105 or www.krollontrack.com.