In This Issue:
FROM
THE BENCH: COURTS ADDRESS EMPLOYMENT CASES INVOLVING
COMPUTER FORENSIC ISSUES
Default Judgment Granted for Deleting, Altering
and Accessing Electronic Data Despite Litigation Hold
Krumwiede v. Brighton Assocs., L.L.C., 2006
WL 1308629 (N.D. Ill. May 8, 2006). In an employment
lawsuit, the defendants sought a default judgment against
the plaintiff for destroying relevant computer data.
The plaintiff insisted that the data had not been intentionally
destroyed, arguing that the files “probably”
still existed on the defendants’ laptop with only
minimal alterations in the files' metadata fields. However,
a neutral computer forensic expert analyzed the laptop
and concluded that the combination of a “court
order violation, deliberate movement of file data, admitted
deletion activities, multiple use of defrag, use of
ZIP file to conceal or transport [the defendants’]
data, [and use of] multiple USB devices ... [establishes
that] [the plaintiff] did intend to destroy evidence
and did intend to conceal the existence and/or movement
of data.” Issuing a default judgment against the
plaintiff, the court found the plaintiff had continued
to delete, modify and access thousands of files despite
knowing the laptop was subject to a litigation hold.
The court declared, “[this] will send a strong
message to other litigants, who scheme to abuse the
discovery process and lie to the Court, that this behavior
will not be tolerated and will be severely sanctioned.”
Attorney-Client and Work Product Protection
Claims Upheld for “Deleted” E-mails and
Electronic Documents
Curto v. Medical World Communications, Inc.,
2006 WL 1318387 (E.D.N.Y. May 15, 2006). In an employment
action, the defendants objected to a finding that the
plaintiff had not waived her right to assert attorney-client
and work product protection claims concerning e-mails
and data contained on two laptops owned by the plaintiff’s
former employer. Specifically, the defendants claimed
a magistrate judge erred in considering whether the
employer properly enforced its computer usage policy.
Before returning the laptops to her employer, the plaintiff
deleted all personal files, including protected communications.
Two years later, the employer’s computer forensic
expert restored some deleted files and e-mails. The
employer produced the recovered data to the plaintiff’s
counsel, who claimed many of these documents were privileged.
Agreeing with the magistrate that the plaintiff reasonably
believed the documents and e-mails were confidential,
the court noted, “Plaintiff's laptops were not
connected to [the employer's] computer server and were
not located in [the employer's] offices; thus, [the
employer] was not able to monitor Plaintiff's activity
on her home-based laptops or intercept her e-mails at
any time.”
THE BRILL FILES: AN INVESTIGATIVE REPORT ON DATA
WIPING UTILITIES – PART TWO
*** Written by Alan Brill, Senior Managing Director
for Kroll Ontrack, The Brill Files reflects his work
in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation. With more than 25 years of consulting experience,
Mr. Brill has assisted organizations with a wide range
of technology security issues and is an internationally
recognized speaker and instructor. ***
Part I of this article, published in the May 2006
CyberCrime & Computer Forensics News, available
at http://www.krollontrack.com/newsletters/cybercrime.aspx,
revealed the results of Kroll Ontrack’s research
into four common data wiping products. Part II of this
article provides an inside look into the evidence that
may or may not be recovered as a result of using a data
wiping utility on a computer hard drive.
Through the use of data wiping tools such as “Evidence
Eliminator,” “History Kill” and “Window
Washer,” individuals have tried to cover up, obscure
or destroy evidence of criminal activities, corporate
fraud and other illegal or unauthorized conduct. While
data wiping utilities may destroy telltale evidence
in some cases, the mere use of a wiping tool does not
always mean the data is permanently destroyed. In many
situations, as revealed in Kroll Ontrack’s research
of four data wiping products, a skilled expert may uncover
data fragments or evidence indicating the tool was used,
lending support and credibility to a case.
If you suspect a wiping utility has been used in a
case, have a computer forensic expert investigate the
media at issue. The findings may provide support for
your case – from uncovering important file traces
to revealing evidence the wiping utility was used.
Crucial File Traces. In some cases,
data wiping utilities can leave crucial file traces
on a hard drive. Files stored on a hard drive are saved
with a precise pattern of characters generated by the
computer’s operating system. When a hard drive
or portion of a hard drive is “wiped” using
a wiping utility, the program attempts to overwrite
data with a benign or randomly generated pattern of
characters. If run properly, a wiping utility will make
the data unrecoverable by most computer forensic experts.
But in some instances, even when the product is run
according to the instructions, traces of data may be
left behind. In our research, several products left
full files or file names intact, ripe for detection
and recovery by a trained computer forensic investigator.
These file traces could be enough for a judge or jury
to surmise what evidence existed on the drive before
the wiping software was used and why the user was attempting
to permanently delete this information.
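As an added illustration (not part of Kroll Ontrack's research or tooling), the Python sketch below triages a raw image sector by sector, separating sectors that look overwritten with a fill or random pattern from sectors where readable content survives. The 512-byte sector size, the entropy threshold and the sample image are assumptions constructed for the example.

```python
import math
import random
import re
from collections import Counter

SECTOR = 512  # bytes per sector (assumed)

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    """Label a sector by what an overwrite pass would leave behind."""
    if len(set(block)) == 1:
        return "fill"      # one repeated byte: benign overwrite pattern
    if entropy(block) > 7.0:
        # Random overwrite; compressed or encrypted data also lands here,
        # so this is a triage signal, not proof of wiping.
        return "random"
    return "residual"      # structured content that survived

def triage(image: bytes) -> dict:
    """Map each label to the sector numbers that carry it."""
    report = {"fill": [], "random": [], "residual": []}
    for off in range(0, len(image), SECTOR):
        report[classify(image[off:off + SECTOR])].append(off // SECTOR)
    return report

def surviving_strings(image: bytes, report: dict, min_len: int = 6) -> list:
    """Printable ASCII runs found in sectors labelled residual."""
    found = []
    for s in report["residual"]:
        sector = image[s * SECTOR:(s + 1) * SECTOR]
        found += re.findall(rb"[\x20-\x7e]{%d,}" % min_len, sector)
    return found

def sample_image() -> bytes:
    """Constructed image: zero-filled, randomly overwritten, one leftover."""
    rng = random.Random(2006)
    zeroed = b"\x00" * (2 * SECTOR)
    randomized = bytes(rng.getrandbits(8) for _ in range(2 * SECTOR))
    leftover = b"budget_2006_final.xls".ljust(SECTOR, b"\x00")
    return zeroed + randomized + leftover

if __name__ == "__main__":
    img = sample_image()
    rep = triage(img)
    print(rep, surviving_strings(img, rep))
```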
Wiping Tool References. When a wiping
utility is run, a reference to the wiping tool is usually
recorded on the drive, revealing the use of the utility.
In our study, for example, the computer forensic investigators
found – even after products were uninstalled –
remnants of the programs remained on the hard drives
in the form of folders, deleted files and link files.
Evidence of the existence of a piece of wiping software,
its installation date, and when it was used may be relevant
and useful to a fact finder attempting to discern events
in a case. It also may form the basis for a negative
inference instruction, tipping the scales in favor of
your client.
Permanent Data Destruction. Some wiping
utilities may effectively and permanently eliminate
data. However, even if crucial evidence has been destroyed
by a wiping tool, courts may impose sanctions for intentional
or even unintentional/negligent electronic data destruction.
When presented with such evidence, a court may decide
to issue sanctions in the form of an adverse inference
instruction, preclusion of evidence, monetary fines,
or even a case dismissal or default judgment.
*** If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Amanda Karls at (952)
516-3637 or at akarls@krollontrack.com.
***

TECHNOLOGY YOU SHOULD KNOW: FOCUSING IN ON FIVE FUNDAMENTAL
FILE TYPES FOR FORENSICS
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators are expected to understand the inner
workings of computers and how they relate to computer
conduct issues. ***
During a computer forensic investigation, many different
file types can be rich sources of evidence. Five important
file types that can be uncovered during a forensic investigation
include:
- Active Files. Active files are
readily visible to the operating system and/or application
software with which they were created and are immediately
accessible to users without requiring “un-deletion”,
modification or reconstruction (e.g., word processing
documents, spreadsheet files and programs and files
used by the computer’s operating system). In
addition to locating active files in standard locations,
a computer forensic investigator will also search
for active files hidden in obscure directories or
designated to be hidden from the operating system.
- Archive Files. Archival files are
not directly accessible to a computer user. They are
files typically maintained by an organization for
long-term storage and record keeping purposes (e.g.,
data stored on backup tapes or disks, usually for
disaster recovery purposes). Archived files can be
recovered from backup tapes and disks, but sometimes
retrieval will take effort. Any expert using industry-standard
technology and “best practices” should
be able to address data originating on virtually any
operating system or hardware by using their library
of archival hardware and software tools.
- Deleted Files. Deleted files once
existed on the computer as live data, but have since
been deleted by the computer system or by the end-user.
Deleted files remain on storage media in whole or
in part until they are overwritten by ongoing usage
or “wiped” with a software program specifically
designed to remove deleted data. A computer forensic
investigator may be able to recover deleted data depending
on how the files were deleted, the amount of time
elapsed or computer usage since deletion, and the
use of file deletion/destruction programs.
- Slack Files. File slack is wasted
media space created as a result of the computer’s
method of allocating storage to files in whole clusters. File
slack can exist on floppy disks, hard drives, Zip
disks, and other computer storage media. Forensic
investigators can use file slack to help uncover lost
or hidden data or help identify network login names,
passwords or other sensitive information, and e-mail
and word processing document fragments.
- Temporary Files. Operating systems
and programs automatically create temporary files
in order to free memory space or to act as a safety
net in preventing data loss when a program performs
certain functions. Typically, these files are found
in the same location as the original file or in a
folder designated for temporary files. Likewise, Temporary
Internet Files are created by an Internet browser
each time a Web page is opened. Computer forensic
experts can often uncover temporary file information,
which may provide insight into a user’s activities.
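To make the deleted-file and file-slack entries above concrete, here is an added Python example (not from Kroll Ontrack) that models cluster allocation on a toy volume. The 4096-byte cluster size, the ToyVolume class and the file contents are assumptions constructed for the illustration, and the model simplifies real file systems by leaving every unwritten byte of a cluster untouched.

```python
CLUSTER = 4096  # bytes per allocation unit (assumed value)

class ToyVolume:
    """Constructed model of cluster allocation, not a real file system."""

    def __init__(self, clusters: int):
        self.data = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.files = {}  # name -> (list of cluster numbers, logical size)

    def write(self, name: str, content: bytes) -> None:
        need = max(1, -(-len(content) // CLUSTER))  # round up to whole clusters
        if need > len(self.free):
            raise OSError("volume full")
        chain, self.free = self.free[:need], self.free[need:]
        for i, c in enumerate(chain):
            part = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the bytes written are replaced; the rest of the cluster
            # keeps whatever a previous file left there.
            self.data[c * CLUSTER:c * CLUSTER + len(part)] = part
        self.files[name] = (chain, len(content))

    def delete(self, name: str) -> None:
        chain, _ = self.files.pop(name)
        self.free = sorted(self.free + chain)  # clusters freed, bytes untouched

    def slack(self, name: str) -> bytes:
        """Bytes between the file's logical end and the end of its last cluster."""
        chain, size = self.files[name]
        last = chain[-1] * CLUSTER
        used = size - (len(chain) - 1) * CLUSTER
        return bytes(self.data[last + used:last + CLUSTER])

    def unallocated(self) -> bytes:
        """Raw contents of every cluster not owned by an active file."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in self.free)

def demo():
    vol = ToyVolume(clusters=4)
    old = b"".join(b"ACCT-%04d wire transfer approved\n" % i for i in range(200))
    vol.write("ledger.txt", old)   # 6600 bytes, occupies clusters 0 and 1
    vol.delete("ledger.txt")       # deleted, but nothing is overwritten
    new = b"grocery list: milk, eggs\n"
    vol.write("notes.txt", new)    # 25 bytes, reuses cluster 0
    return old, new, vol

if __name__ == "__main__":
    old, new, vol = demo()
    print(vol.slack("notes.txt")[:80])
```

After the short file reuses the first cluster, the deleted ledger's text is still readable both in that file's slack and in the unallocated second cluster.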

KROLL ONTRACK NEWS & EVENTS
Kroll Ontrack Names 2006 Electronic Evidence
Thought Leader Award Recipients
On June 20, Kroll Ontrack will present its
fourth annual Electronic Evidence Thought Leadership
Awards at the Willard Hotel in Washington, D.C. The
winners will be recognized at the Electronic Evidence
Thought Leadership Series titled “Transatlantic
E-Discovery: Options, Obstacles, and Opportunities.”
The event will feature a panel of seasoned legal experts
discussing the challenges attorneys and corporations
face when involved in cross-border electronic discovery.
For additional details about the awards, recipients,
or to register to attend the panel luncheon, visit http://krollontrack.com/thoughtleader/.
The 2006 Electronic Evidence Thought Leadership Award
Winners include:
- Thought Leading Law Firm: Crowell
& Moring
- Thought Leading Corporation:
Bristol-Myers Squibb
- Thought Leading Litigator: Dennis
C. Brown, Esq., Munger, Tolles & Olson LLP
- Thought Leading Antitrust Practitioner:
John J. Rosenthal, Esq., Howrey LLP
- Thought Leading Litigation Support:
Pam Roberts, Novartis
- Thought Leading Scholar: Ret.
Judge John Carroll
- Thought Leading Electronic Discovery Case
of the Year: Williams v. Sprint/United
Mgmt Co.
- Thought Leading Computer Forensic Case of
the Year: Paramount Pictures Corp. v.
Davis
Meet Kroll Ontrack Representatives at the Following
Events:
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology
experts strive to stay on top of electronic discovery
law. If you are aware of any additional local court
rulings or new cases in this area of the law, please
contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff
attorney with Kroll Ontrack, with assistance from Charity
J. Delich, a Kroll Ontrack law clerk. Ms. Lange has
published numerous articles and speaks regularly on
the topics of electronic discovery, computer forensics,
and technology's role in the law. She can be contacted
by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.