In This Issue:
FROM THE BENCH: COURTS ADDRESS DESTRUCTION AND MISAPPROPRIATION OF ELECTRONIC DATA
Destruction of Electronic Data
Arista Records, Inc. v. Sakfield Holding Co. S.L., 2004 WL 881851 (D.D.C. Apr. 22, 2004). In a copyright infringement suit, the court issued an order compelling the defendant to produce computer servers, which hosted the defendant’s Web site and contained records of its users. When the plaintiffs’ computer expert inspected the servers, he discovered the vast majority of that information had been intentionally destroyed after the defendant learned that litigation was imminent. The expert found the defendant ran a program, designed to erase electronically stored information, more than 50 times from a remote location in an attempt to delete all electronic data from the servers. In spite of the defendant’s attempts, the expert recovered a small amount of data to support the plaintiffs’ claims. Although the defendant attempted to attack the plaintiffs’ methodologies for extrapolating the number of users and downloads, the court indicated that the defendant was “in a poor position to attack plaintiffs’ evidence,” noting that “[d]estruction of evidence raises the presumption that disclosure of the materials would be damaging.” The court decided not to issue sanctions but instead encouraged the plaintiffs to move for appropriate sanctions as the case progressed.
Electronic Document Theft
In a similar case, LeJeune v. Coin Acceptors, Inc., 2004 WL 1067795 (Md. May 13, 2004), a computer forensic expert helped expose an employee’s attempt to download company confidential documents. In this case, which involved the violation of a state trade secrets act, an employer alleged a former employee copied proprietary electronic documents from his work laptop to a compact disk (CD), shortly before he went to work for a competitor. The employee stated that, for the sake of simplicity and because he did not know how to save individual files onto a CD, he had transferred his entire “My Documents” folder, which contained personal files such as his wedding photographs, and inadvertently captured some of his former employer’s confidential business documents. The employer’s computer forensics expert refuted the employee’s claims, testifying that a file, which was not contained in the “My Documents” folder, was also copied to the CD. The expert also determined the employee had attempted to hide the document transfer by deleting information about the downloads from the laptop. Based on this evidence, the appellate court affirmed the lower court’s finding that the evidence supported a finding of trade secret misappropriation.

THE BRILL FILES: RECYCLING MADNESS
*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***
In a recent case, several key employees who had resigned from Company A turned up a couple of weeks later at a competitor, Company B. Suddenly, Company B seemed to have access to customer lists, price lists, employee home addresses and phone numbers, and other private information belonging to Company A.
Company A’s counsel came to Kroll Ontrack, seeking to obtain any evidence indicating the former employees violated their non-compete agreements and misappropriated company confidential information. The former employees’ computers were a crucial aspect in obtaining this information. Although this would normally be a routine investigation in the world of computer forensics, it was made more difficult because we were unable to access the actual desktop computers. Company A’s I.T. department had “recycled” the machines within 24 hours of the employees’ departures. We were able to investigate Company A’s I.T. infrastructure, but found no relevant evidence on the servers or in the company’s email system.
As a matter of company policy, the I.T. department informed us that they promptly reassign an ex-employee’s computer to another employee “even before the person’s seat cools off.” They further explained they completely overwrite the hard drive of the computer and use a “ghost” program to lay in a standard set of preconfigured and “ready-to-go” software. Company A told us they did not want to have “idle computer equipment,” and this recycling speed had become a metric the I.T. department used to measure its efficiency.
Fortunately for Company A, our investigators turned up enough evidence of wrongdoing to permit the company to take action, in spite of the rapid recycling policies.
When someone in your organization leaves, what happens to their company PC? Do you, like Company A, assume that the content of the hard drive is valueless? Or do you recognize that there may come a time when you wish you had that data?
Several alternatives to instant recycling are available for companies in the digital age. One approach is to “store-the-drive” by simply removing the hard drive, sealing it in a bag, and storing it in a safe. The drive is replaced by another drive, making the machine ready to use. If removing the actual drive is not an option, creating a bit-by-bit mirror image of the drive is another way to completely save all data contained therein. After a designated period of time, the hard drive is wiped and re-used or the image of the hard drive is destroyed. This approach provides the maximum flexibility for conducting full-scale forensic analysis (including analysis of deleted files) in the future because the actual hard drive or a complete copy is archived.
Where the “store-the-drive” approach is not practical, an alternative approach involves identifying the directories that contain only company-issued software and copying everything else to CDs or DVDs. When you subtract the software, most users have only a few hundred megabytes of actual data on their machines, and burning this onto external storage using high-speed processes is generally not burdensome. While it does not permit complete in-depth forensic analysis down the road, it may preserve the smoking gun evidence you may need.
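The selective-copy alternative described above can be sketched as follows. This is an added example, not code from the newsletter or from Kroll Ontrack; the function names and the hash manifest are assumptions introduced here so that each preserved copy can later be shown to match its source.

```python
import hashlib
import os
import shutil

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve_user_data(root, dest, software_dirs):
    """Copy everything under root except software_dirs into dest.

    dest must lie outside root. Returns manifest rows of
    (relative path, size, mtime, sha256) and raises if any copy
    does not hash identically to its source.
    """
    excluded = {os.path.normpath(os.path.join(root, d)) for d in software_dirs}
    manifest = []
    for current, dirs, files in os.walk(root):
        # Prune in place so os.walk never descends into software directories.
        dirs[:] = sorted(d for d in dirs
                         if os.path.normpath(os.path.join(current, d)) not in excluded)
        for name in sorted(files):
            src = os.path.join(current, name)
            rel = os.path.relpath(src, root)
            dst = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            digest = sha256_file(src)
            shutil.copy2(src, dst)  # copy2 keeps the modification time
            if sha256_file(dst) != digest:
                raise IOError(f"copy of {rel} does not match its source")
            st = os.stat(src)
            manifest.append((rel, st.st_size, int(st.st_mtime), digest))
    return manifest
```

A file-level copy of this kind captures only live files; deleted files and slack space are left behind, which is why it cannot support the full analysis that a stored drive or mirror image allows.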
We recommend that your corporate I.T. staff discuss this issue with the company’s legal department and the document retention management team to determine what plan will best serve your company’s interests should you be faced with a similar situation.
*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***
TECHNOLOGY YOU SHOULD KNOW: USING FILE SLACK TO TRACK DOWN ELECTRONIC DATA
*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. ***
A thorough computer forensic investigation involves analyzing all potentially relevant forms of data created and stored on a computer, whether or not they are easily accessible. This includes examining file slack, which is wasted media space due to the computer’s method of allocating clusters in storing files. The following questions are frequently asked about computer file slack:
1. What is file slack?
Depending on their contents, files are created in different lengths. On DOS, Windows, and Windows NT-based computers, files are stored in clusters, which are fixed blocks of data. Because the size of a cluster hardly ever exactly matches the size of a file, extra data storage space exists from the end of the file to the end of the last cluster assigned to the file. This space is known as “file slack.”
2. What media types contain file slack?
File slack can exist on floppy disks, hard disks, zip disks, and other computer storage media.
3. How is file slack classified?
Whenever slack space exists, the computer tries to fill up the space using RAM or drive data. RAM slack is randomly selected data from the memory of the computer. It may contain information that was created, viewed, modified, downloaded or copied since the computer was last booted. Drive slack contains information that is not currently in use by the computer - data that may have remnants of previously deleted files or data from the format pattern associated with the original disk configuration.
4. When is file slack created or deleted?
In DOS, Windows, Windows 95, Windows 98 and Windows NT/2000/XP systems, file slack is automatically created each time a file is saved to a disk. When a file is deleted, the drive slack remains in the last cluster at the end of the deleted file. Until the data is overwritten by a new file, the clusters will stay on the disk in the form of unallocated storage space (currently unused space). Depending on the cluster size on the drive, quite a bit of data may remain. Unlike other unallocated space, slack space will remain as long as the file that has allocated the particular cluster remains. It is quite possible to find file slack space from events taking place years earlier.
5. How does analyzing file slack benefit a computer forensics investigation?
File slack can help uncover lost or hidden data or help identify network logon names, passwords, and other sensitive information. File slack can also contain email and word processing document fragments. A thorough computer forensic investigation can help uncover file slack data and more, helping you determine the “who, what, when, where, and how” of computer-related activity in your case.
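To make the answers above concrete, the following added example (not part of the original newsletter) splits the last cluster of a file into RAM slack and drive slack and pulls readable fragments out of each. It assumes the conventional boundary, where RAM slack runs from the end of the file to the end of that sector and drive slack fills the remaining sectors of the cluster; the 4096-byte cluster, 512-byte sector, function names and sample bytes are all constructed for illustration.

```python
import re

def split_slack(last_cluster, file_size, cluster_size=4096, sector_size=512):
    """Return (ram_slack, drive_slack) for the final cluster of a file.

    last_cluster: raw bytes of the last cluster allocated to the file
    file_size:    logical size of the file in bytes
    """
    if len(last_cluster) != cluster_size:
        raise ValueError("expected exactly one cluster of data")
    used = file_size % cluster_size      # file bytes held in the last cluster
    if used == 0:
        return b"", b""                  # file ends on a cluster boundary
    # Round the end of the file up to the next sector boundary.
    sector_end = -(-used // sector_size) * sector_size
    return last_cluster[used:sector_end], last_cluster[sector_end:]

def printable_strings(data, min_len=6):
    """Carve runs of printable ASCII, as a strings-style triage pass."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def build_sample_cluster():
    """Constructed sample: 1300 bytes of file data followed by stale bytes."""
    file_data = b"\x01" * 1300
    ram = (b"\x00" * 20 + b"logon name: jsmith").ljust(236, b"\x00")
    drive = (b"\x00" * 100 + b"price list draft v2").ljust(2560, b"\x00")
    return file_data + ram + drive       # 1300 + 236 + 2560 = 4096 bytes

if __name__ == "__main__":
    ram, drive = split_slack(build_sample_cluster(), file_size=1300)
    print(len(ram), printable_strings(ram))
    print(len(drive), printable_strings(drive))
```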
KROLL ONTRACK NEWS & EVENTS
KROLL ONTRACK ACQUIRES QUORUM LITIGATION SERVICES
On May 14, 2004, Kroll Ontrack Inc. announced that it acquired Quorum Litigation Services LLC, a leading provider of paper scanning, coding, and optical character recognition (OCR) services based in Eagan, MN. The acquisition positions Kroll Ontrack to become the global provider of comprehensive documentary evidence management solutions. Kroll Ontrack’s president, Ben Allen, noted, “This is a perfect marriage of complementary capabilities for our collective clientele. Kroll Ontrack is a market leader in electronic discovery and Quorum is a market leader in litigation paper document support. Together we become the only single-source provider of large-scale electronic and paper-based discovery solutions, creating a true one-stop-shop for companies and law firms around the world that need to efficiently manage large volumes of data for review and production in support of litigation or regulatory compliance matters.”
Meet Kroll Ontrack Representatives at the Following Events:
Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to mlange@krollontrack.com.
Portions of this newsletter are written by Michele C.S. Lange, staff attorney with Kroll Ontrack. Charity Delich, a Kroll Ontrack law clerk, helped prepare the case summaries. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and computer forensic services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.