In This Issue:
FROM THE BENCH: APPELLATE COURT UPHOLDS ADMISSION OF COMPUTER EVIDENCE
State v. Levie, 695 N.W.2d 619 (Minn. Ct.
App. 2005). In a case involving allegations of attempting
to use a minor in a sexual performance, the trial court
admitted evidence of the defendant’s Internet
use and of the existence of an encryption program on
his computer. Specifically, the trial court admitted
parts of a computer forensic report, which revealed
the defendant used search terms such as “Lolita”
relating to sex with minors. The computer forensic expert
who authored the report testified the computer also
contained the text of a statute relating to sex with
minors as well as an encryption program. The expert
stated the encryption program could "basically
encrypt any file" and that "other than the
National Security Agency" he was not aware of anyone
who could break such an encryption. On appeal, the defendant
argued that his case was prejudiced because the court
specifically used evidence of his Internet use and the
encryption program in finding him guilty. The defendant
further contended these factors were unrelated to the
charges in the case. The appellate court rejected the
defendant’s argument and found the evidence was
appropriately admitted, noting “the district court
did exclude other and more inflammatory search terms
and phrases because it found them more prejudicial than
probative…Evidence of appellant's computer usage
and the presence of an encryption program on his computer
was relevant to the state's case.”
THE BRILL FILES: HASH VALUES - THE DIGITAL FINGERPRINT
*** Written by Alan Brill, Senior Managing Director for Kroll
Ontrack, The Brill Files reflects his work in the field
with clients who have encountered some not-so-pleasant
events and what was done to remedy the situation. With
more than 25 years of consulting experience, Mr. Brill
has assisted organizations with a wide range of technology
security issues and is an internationally recognized
speaker and instructor. ***
In my years as a computer forensic expert, I have seen
data thieves attempt to heist company confidential information
using virtually every method possible, including fax,
email – both corporate and non-corporate (Hotmail
and Yahoo!) – email attachments, file transfer
protocol (FTP), copying to a laptop, removable media
devices, and flash media. When trying to decipher if
the thief copied the data from one piece of media to
another, a “hash value” can help determine
whether the exact same file exists on both pieces of
media.
Hashing is a nearly 100 percent accurate way to determine
if two files are exactly the same. A hash value is a
unique identification number generated from the data
contained in a file and is equivalent to a digital fingerprint.
This unique number is produced through the use of a
mathematical algorithm commonly accepted by computer
scientists and cryptographers. If even one bit of the
file is altered, an entirely different hash value will
be generated if the algorithm is again applied to the
file after the alteration. If two files produce the
same hash value, no differences exist between the data
inside each file, offering support for an argument that
the data was copied from one medium to another.
Several months ago, we worked on a case in which hashing
proved valuable. A large hospitality service company
suspected one of its employees was forwarding confidential
data to an individual at a competitor’s office.
The company asked us to attempt to determine if data
that existed on one of their computers was copied to
the computer of a competitor’s employee and used
after a specific date.
A file listing of both hard drives was initially created.
One of Kroll Ontrack’s engineers then hashed the
drives and conducted a comparison between the reported
results. The result report provided the file name, file
extension, file path, creation date, hash value, and
the number of times the file appeared on each of the
hard drives, along with other information.
These hash value comparisons revealed that numerous
Microsoft Word and Excel files, originally located on
our client’s computer, were also located on the
competitor’s machine. The hash values for each
of the files on the company’s hard drive matched
the hash values for the corresponding files on the competitor’s
hard drive, indicating the data in the two files was
exactly the same. Our forensic analysis demonstrated
that more than 100 files from the company’s computer
contained the same hash value as those on the competitor’s
computer. Using the hashing evidence, our client was
able to present a solid argument that the files were
copied from the company’s computer to the competitor’s
computer.
While a hash value does not conclusively prove a file
was copied, it provides a solid basis for arguing that
copying likely occurred. The file’s “digital
fingerprint” can assist experts in uncovering
and piecing together whether a particular file may have
been copied.
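
The drive-to-drive comparison described in this column can be sketched as follows. This is an added example, not Kroll Ontrack's tooling: the function names are hypothetical, SHA-256 is an assumed choice of algorithm, and the two directory roots stand in for the two drive images mounted read-only.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files never load fully into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def list_and_hash(root):
    """File listing for one mounted image: hash -> list of file records."""
    index = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            index[sha256_of(full)].append({
                "name": name,
                "ext": os.path.splitext(name)[1].lower(),
                "path": os.path.relpath(full, root),
                # st_ctime is creation time on Windows, inode-change time on Unix
                "timestamp": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
            })
    return index

def compare_drives(root_a, root_b):
    """Report every hash present on both drives, with per-drive occurrence counts."""
    a, b = list_and_hash(root_a), list_and_hash(root_b)
    return [{"hash": h, "count_a": len(a[h]), "count_b": len(b[h]),
             "files_a": a[h], "files_b": b[h]} for h in sorted(a.keys() & b.keys())]

def demo():
    """Constructed sample data: two tiny directory trees standing in for the drives."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, name, data in [
            (a, "pricing.xls", b"rates 2005"), (a, "memo.doc", b"draft v1"),
            (b, "renamed.xls", b"rates 2005"), (b, "copy2.xls", b"rates 2005"),
            (b, "memo.doc", b"draft v2"),       # one byte differs: no match
        ]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return compare_drives(a, b)

if __name__ == "__main__":
    for row in demo():
        print(row["hash"][:16], row["count_a"], row["count_b"],
              [f["path"] for f in row["files_b"]])
```

Matching is by content only, so a renamed copy still pairs with its original. Zero-length files all share one hash and should be filtered out before matches are counted.
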
*** If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Michele Lange at (952)
906-4927 or at mlange@krollontrack.com.
***

TECHNOLOGY YOU SHOULD KNOW: MIRROR IMAGING BEST PRACTICES
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators are expected to understand the inner
workings of computers and how they relate to computer
conduct issues. This month’s column was authored
by Jason Paroff, Esq., the director of Computer Forensics
Operations for Kroll Ontrack. ***
Within the computer forensics arena, it is well established
that an expert using industry best practices will first
make a mirror image of the media at issue if it is practicable
to do so. When creating a mirror image, an expert uses
special hardware or software tools to capture an exact
bit-by-bit copy of all the data on a hard drive or set
of hard drives. This image includes the data located
in “slack” (the unused space in a computer
cluster) and “unallocated” space (space
on a drive that may contain data, but that is not allocated
to an active file). Mirror imaging retrieves as much
data as possible, is an exact copy of the original drive,
and allows the investigator to “freeze time”
by having a complete snapshot of the drive.
An investigator can image a drive using various proprietary
and/or commercially available hardware and software
tools. Hardware tools will capture a bit-by-bit copy
of the hard drive and generate an MD5 hash value for
authentication purposes. Most products have a portable
design, a necessity if on-site imaging is anticipated.
Hardware tools can be expensive, costing between $2,000-3,000
for each device. One disadvantage of hardware cloners
or imagers is that they are usually designed for one
purpose and one type of media only (mostly IDE drives).
Although these devices are generally very reliable,
many still have difficulty recognizing and imaging all
the various brands of drives on the market today, and
most do not effectively handle read or write errors
on the surface of the drive. Today’s investigator
needs more than one way to image a drive for those times
when hardware cloners encounter problems.
Computer forensic investigators also can use software
tools to image a drive. These products are usually slower
at imaging data than some of their hardware counterparts.
They also can be expensive to purchase and usually require
more configuration than hardware tools.
Whether using hardware imagers/cloners or a software
tool, be sure the product is specifically designed for
computer forensic work. It is also important to validate
the product, and each new version of it, independently
and to use a write-blocking device – a tool that
ensures the data on the hard drive is not altered in
any way – for added protection. In addition, make
sure a proper chain of custody is kept during the imaging
process. Creating a hash value is an important step
in the imaging and chain of custody process because
it allows parties in litigation to verify that what
they have in court is the same evidence that an investigator
took at an earlier time. This is especially critical
in litigation because courts usually will only admit
a mirror image if the offering party can demonstrate
it is an exact copy of the original media. Bear in mind
that – along with the personnel handling the media
– physical considerations such as dust, temperature
extremes and magnetic fields can damage or destroy data
if not controlled.
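
The role of the hash value in the chain of custody, as an added example (not code from Kroll Ontrack or any imaging product): an image is hashed once at acquisition and re-hashed before it is relied on. The record field names, file name, examiner label and timestamp are constructed for illustration, and SHA-256 is computed alongside the MD5 value the column mentions.

```python
import hashlib
import json
import os
import tempfile

def digest_image(path, chunk=4 << 20):
    """One streaming pass over the image: MD5 plus SHA-256, and the byte count."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def acquisition_record(path, examiner, acquired_utc):
    """Custody-log entry written at imaging time (field names are illustrative)."""
    return json.dumps({"image": os.path.basename(path), "examiner": examiner,
                       "acquired_utc": acquired_utc, **digest_image(path)},
                      sort_keys=True)

def verify_image(path, record_json):
    """Re-hash the image later; return the fields that no longer match the record."""
    rec, now = json.loads(record_json), digest_image(path)
    return [k for k in ("size", "md5", "sha256") if rec[k] != now[k]]

def demo():
    """Constructed 1 MiB stand-in for a drive image, then a single flipped bit."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence01.dd")
        with open(img, "wb") as f:
            f.write(os.urandom(1 << 20))
        rec = acquisition_record(img, "examiner-placeholder", "2005-06-01T00:00:00Z")
        intact = verify_image(img, rec)
        with open(img, "r+b") as f:          # simulate alteration after acquisition
            f.seek(4096)
            byte = f.read(1)[0]
            f.seek(4096)
            f.write(bytes([byte ^ 0x01]))
        altered = verify_image(img, rec)
        return intact, altered

if __name__ == "__main__":
    print(demo())
```

An empty list from `verify_image` means the image still matches what was recorded at acquisition; any listed field means the copy can no longer be shown to be exact.
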
When should you call in an expert to mirror image a
drive? An expert should be used any time the training
and experience of IT staff would seem insufficient if
they were to be called as witnesses. In addition, if
an IT department lacks the tools and equipment to handle
the job or if their current workload prevents them from
focusing properly on the case, an expert is necessary.
While a properly trained individual can easily image
a drive, many other reasons exist for contacting an
external computer forensic expert. First, maintaining
a secure and proper chain of custody is a crucial and
difficult step in the process. Testifying under oath
and being subjected to cross-examination on the chain
of custody can be even tougher – particularly
for an IT person with little experience. It is also
important to use an expert if a conflict of interest
exists with the IT staff that may eventually hurt
your case.
Remember, when approaching any computer investigation,
the mirror image of the hard drive at issue may become
a key piece of evidence in the case. If not imaged properly,
valuable electronic evidence could be lost, corrupted
and – more importantly – rendered inadmissible
in court.

KROLL ONTRACK NEWS & EVENTS
Kroll Ontrack Ranks as Most Used Electronic Discovery Solution
Kroll Ontrack was identified as the most used electronic
discovery solution among all other providers in Legal
Assistant Today’s 4th Annual Technology Survey,
available in its May/June 2005 issue. The survey detailed
technology use among readers of Legal Assistant Today
from across the country and was conducted by mailing
a questionnaire to a random, computer-generated sample
of 2,000 of the magazine’s current subscribers.
“We are very pleased to have been recognized by
the readers of Legal Assistant Today as the most used
electronic discovery solution,” said Kristin Nimsger,
vice president of Legal Technologies at Kroll Ontrack.
“We are very proud of the products and services
we bring to the electronic discovery marketplace and
we are constantly enhancing our offerings to accommodate
changing market needs. We believe that this recognition
from our customers will demonstrate the credibility
of our organization, and will bring focus to the full
range of legal technology solutions that we offer.”
Meet Kroll Ontrack Representatives at the Following Events:
| 6/21/05 | Law Bulletin: Electronic Discovery Conference | Chicago, IL |
| 6/22/05 - 6/23/05 | LegalTech West Coast 2005 | Los Angeles, CA |
| 6/26/05 - 6/29/05 | TECH 2005: The AICPA Information Technology Conference | Las Vegas, NV |
| 7/25/05 | Association of Trial Lawyers of America - 2005 Annual Convention | Toronto, Canada |
| 8/22/05 - 8/23/05 | CPA Associates International | Chicago, IL |
| 8/22/05 - 8/25/05 | ILTA 2005 | Phoenix, AZ |
| 8/29/05 - 8/31/05 | HTCIA 2005 International Conference, Training & Expo | Monterey, CA |
| 9/22/05 - 9/23/05 | Glasser LegalWorks - E-Discovery: An A-to-Z Workshop | Los Angeles, CA |
| 10/19/05 - 10/23/05 | DRI 2005 Annual Meeting | Chicago, IL |
| 11/2/05 - 11/5/05 | National Conference of Bankruptcy Judges 79th Annual Meeting | San Antonio, TX |
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.