| In This Issue:
 FROM THE BENCH: VERMONT SUPREME COURT AFFIRMS CONVICTION BASED ON
INSTANT MESSAGING EVIDENCE
In a recent case, State v. Voorheis, 2004 WL 258178 (Vt. Feb. 13, 2004), the jury convicted the Defendant of incitement and attempt to use a child in a sexual performance. The Defendant appealed the conviction claiming that the trial court abused its discretion by not dismissing the charges for lack of sufficient evidence. The key piece of evidence was “instant messaging” text in which the Defendant and the child's mother engaged in graphic and sexually explicit dialog about the child.
At trial, the State introduced evidence retrieved from a computer forensic examination of the mother's computer system and floppy disks. A computer forensic expert testified that instant messaging is not usually saved on a computer and that saving it to floppy disks required “concentrated effort.” The retrieved text contained substantial evidence that the Defendant asked the child's mother to allow the Defendant to carry out a lewd photo session with the child.
On appeal, the Defendant argued that the instant messaging text was “meager evidence” of guilt because the child's mother allegedly altered and edited the text. The Vermont Supreme Court rejected this notion stating that, based upon the electronic instant messaging evidence, the jury could have reasonably concluded that the Defendant intended to use the child in a sexual performance. As such, the court found that there was sufficient evidence to support the incitement charge.
The Vermont Supreme Court also upheld the attempt conviction finding that the retrieved electronic conversations, together with witness testimony, offered ample evidence to support the jury's findings. The court further determined this was a question of credibility and not of sufficiency of the evidence. Accordingly, the jury could find the recovered instant messages reliable and choose to disbelieve that the mother had altered the text.
Based on the above reasons, the Vermont Supreme Court rejected the Defendant's argument and held that the trial court did not abuse its discretion in finding that the instant messaging text sufficiently and fairly supported the jury's finding that the Defendant was guilty beyond a reasonable doubt.
THE BRILL FILES: THE KEY TO SECURING YOUR DATA WHEN YOU TRAVEL MAY BE A FLASH KEY
*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor.
***
Over the years, I have heard more stories of woe concerning data security and travel than I care to remember. You've probably heard variations of them:
- Somebody stole my laptop from my hotel room.
- I think someone searched my computer while I was out.
- I dropped my PC and the screen broke.
- I dropped my PC and now it doesn't boot, and the hard drive is screeching.
One of the things I learned in the military is that anyone who goes into a situation where their plan is “everything works and nothing goes wrong” is an optimist who is setting themselves up for a fall. I am a strong believer in having some concept of an alternative “Plan B.” Frankly, the thought of data theft from my laptop worries me a lot. So do various hardware failures. Here's what I do…
First, I never travel without flash memory. The most common formats are the USB key and small card formats like CompactFlash and SecureDigital. The USB key, not surprisingly, plugs into the computer's USB port. The flash cards plug into a small adapter that fits into the PC card slot on a laptop. The USB key is somewhat more versatile, in the event you have to plug into a desktop machine. When needing to plug a flash card into a desktop machine, a small flash card reader is an alternative that plugs into the USB port and turns the media into the equivalent of a USB key.
Obviously, within the capacity limitations of these devices (up to 4GB is now available and larger ones are expected in the next year), you can store your important files, documents, presentations, spreadsheets, etc. Nevertheless, there are a few other tweaks you might want to consider. If you are seriously worried about data theft from your laptop, at the very least, you should store the data on a flash card. To prevent copies from being stored on the hard drive, you should set the backup settings of your word processor, spreadsheet, and presentation programs so a directory on the flash card is utilized for backups. Also, consider carrying two copies of your important files. Even if one is destroyed, the other probably will be readable.
Of course, the use of flash memory does not guarantee that a perpetrator attempting to steal your important data will not be able to recover any information from your computer, given enough time and skill. For example, data that the operating system stores in its swap files will still remain and can be accessible using computer forensic technology, even if it is no longer active on the hard drive. This is one good reason for keeping your laptop in the hotel's safety deposit box or other secure location when you travel. If you find yourself without a “Plan B” and your data seems inaccessible or some questionable person has had access to your computer, computer forensic experts stand ready to assist you quickly and efficiently.
If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Nicolle Martin at (952)949-4137 or at nmartin@krollontrack.com.
TECHNOLOGY YOU SHOULD KNOW: PRESERVING AN E-EVIDENCE CHAIN OF CUSTODY
***As technology continues to play a larger role in litigation and
internal company investigations, lawyers and investigators are expected
to comprehend the inner workings of computers and how they relate to
any computer conduct at issue. ***
Maintaining a chain of custody for all evidence gathered and analyzed in a computer forensic investigation is of utmost importance to prove the integrity of the evidence in court, if a trial should come to pass. This best practices procedure is true for any investigation, traditional or cyber-based.
A chain of custody documents how the evidence was gathered, analyzed, preserved, and stored and who had control of it at each moment after it was collected. This information is crucial in computer forensic investigations, as digital data can be easily altered or destroyed. Typically this means adhering to the following chain of custody procedures:
- Uniquely identify each item of property to be placed under chain-of-custody control. The investigator should be able to physically examine the item and be able to tell that it is the same one described on the chain of custody form. Some items will have a manufacturer’s name, model number, and serial number, but others (such as tapes or removable media) may have no intrinsic unique identifier.
- Document who the media was received from or who authorized its removal, the location where the media was received, and the date and time at which the investigator took control of the media. If an item is received by mail or other courier service, document this transaction as well.
- Keep a continuous record of custody of the item, from the time the item is acquired, until it is transferred out of the investigator’s control. Every instance of contact with the item and the action performed on the item must be documented throughout the entire investigation.
When called to testify, a computer forensic engineer must be prepared to answer all chain of custody questions about the electronic evidence, including:
- What is the evidence, or what does it purport to be?
- Where did it allegedly come from?
- Who created, discovered, or recovered it?
- How was it created, discovered, or recovered?
- Were there any material changes, alterations, or modifications during the recovery of the evidence such that it may no longer be what it once was?
- What has happened to it since the time it was created, discovered, or recovered?
Just as the computer is becoming a mainstay in today’s workplace, computer forensic evidence is becoming a vital part of most investigations and legal matters. If an investigation progresses to trial, diligent chain of custody procedures at the beginning of the case will help ensure that the electronic evidence can be authenticated in court.
KROLL ONTRACK NEWS & EVENTS
We hope to see you at some of the events listed below, where
representatives of Kroll Ontrack will be attending.
Visit http://www.krollontrack.com/eEvidence/UpcomingEvents/ for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology
experts strive to stay on top of e-discovery law.
If you are aware of any additional local court rules
or new cases in this area of the law, please do not
hesitate to contact us by writing to mlange@krollontrack.com.
For more information about electronic discovery
and computer forensic services, contact Kroll Ontrack
at 1-800-347-6105 or www.krollontrack.com.
|
