In This Issue:
FROM THE BENCH: COURTS WEIGH COMPUTER FORENSIC MIRROR IMAGE AND INSTANT MESSAGING EVIDENCE
Court Finds Computer Mirror Image Properly Admitted
State v. Morris, 2005 WL 356801 (Ohio Ct.
App. Feb. 16, 2005). The defendant appealed convictions
relating to pandering sexually-oriented matter involving
minors. The defendant’s son testified he called
the police after finding pornographic images of minors
in the recycle bin of his computer, which the defendant
had previously used. During a forensic analysis of the
computer, a computer forensic expert mirror imaged the
hard drive. Before returning the computer, the expert
overwrote the hard drive, erasing all data on the drive.
At trial, the state presented the mirror image copy
as evidence. The expert testified it was standard protocol
not to run tests on the original hard drive in order
to prevent corrupting the evidence and stated the mirror
image was an exact copy of the original hard drive.
The expert further noted he wiped the hard drive because
it was corrupt and repeatedly accessing and testing
the drive would have rendered it useless. On appeal,
the defendant argued he was denied an opportunity to
examine the original hard drive to see if it contained
exculpatory evidence. The court declared state evidentiary
rules permit admission of duplicates and noted the expert
had testified that the copy was an exact copy of the
original hard drive. The court upheld the convictions,
finding the defendant failed to specifically argue what
type of exculpatory evidence may have been lost during
the copying procedure and the original was not destroyed
in bad faith.
Court Admits Instant Message Transcript
United States v. Brand, 2005 WL 77055 (S.D.N.Y.
Jan. 12, 2005). In prosecuting charges against the defendant
for transporting minors for illegal sexual activity,
the government claimed the defendant used America Online
instant messaging software in an attempt to engage in
sexual conduct with “Julie,” an undercover
government agent posing as a minor. The government sought
to admit two transcripts of AOL internet communications
between the defendant and two other undercover agents,
who had sent and received instant messages from the
defendant. The defendant argued the transcripts should
not be admitted as they were irrelevant, unfairly prejudicial
and potentially confusing to the jury. The court determined
one of the chat transcripts was admissible since it
was sufficiently similar to the charged conduct, permitting
a reasonable jury to infer the defendant was motivated
by a sexual intent in his interactions with “Julie.”
The court found the other chat was not admissible as
it was not sufficiently relevant due to its non-sexual
subject matter.
THE BRILL FILES: FORMING AN ONSITE DATA COLLECTION PLAN OF ATTACK
*** Written by Alan Brill, Senior Managing Director
for Kroll Ontrack, The Brill Files reflects his work
in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation. With more than 25 years of consulting experience,
Mr. Brill has assisted organizations with a wide range
of technology security issues and is an internationally
recognized speaker and instructor. ***
Collecting electronic data can be a staggering task
in any computer forensic investigation due to the wide
variety of electronic storage locations and the vast
amount of data available in today’s electronic
workplace. Initial data collection steps can be the
most critical part of the investigation – one
misstep can be costly for you and your client.
In the days immediately following the first Gulf War,
I accompanied a team of Kroll computer forensic engineers
to Kuwait. We were asked to perform an onsite data collection,
which included imaging, searching and analyzing computers
left behind by retreating Iraqi forces for information
pertaining to looted assets, missing Kuwaiti citizens,
and individuals who had collaborated with the occupation
government.
Although not every onsite data collection is as potentially
hazardous as the one in Kuwait, there are many situations
where an onsite collection may be the only feasible
course of action. Onsite data collections are increasingly
used in cases involving large organizations with multiple
office locations and many targeted custodians and as
a precautionary measure in cases where an opposing party
is likely to contest data authenticity or integrity.
In my career, I have had the opportunity to work with
hundreds of clients, collecting their data onsite before
beginning a forensic investigation.
The following guidelines will assist you in formulating
a forensically sound onsite data collection plan:
- Employ a qualified computer forensic engineer.
The individual collecting the data should be specially
trained to understand various topologies of information
technology systems to ensure the data gathering process
is efficient and conforms to forensic standards. Ask
questions about the individual’s background
and about how many similar data collections they have
performed.
- Plan ahead. Under normal circumstances
– and given no read errors or other issues with
the drive being imaged – an expert should be
able to image an 80 gigabyte hard drive in one to
two hours. Whether the drive is filled with data or
entirely empty makes little difference when conducting
forensic data imaging – it is the total capacity
of the drive that matters. Multiplying this time by
the number of hard drives being imaged will give you
an estimate of the total time you should allot for
an onsite data capture. For larger jobs, an expert
may use multiple imaging devices to simultaneously
image drives, reducing the total amount of imaging
time.
- Consider performing the collection during non-business
hours. An expert can often complete data collection
during non-business hours, leaving business operations
affected only for a limited time (if affected at all).
This can also prevent the target of an investigation
from being aware of the collection.
- Obtain a mirror image. In cases involving
a computer forensic data collection, when feasible,
best practices require a complete bit-by-bit copy
of the media rather than a file-level copy, so that
deleted files, unallocated space and slack space are
preserved along with the live file system and all activity
occurring on the media is available to the investigation.
- Employ proper imaging technology. When
data is collected onsite, the expert should use hard
drive imaging technology that transfers the target
data to a portable device. In addition, the target
computer should not be booted. Instead, the drive is
powered separately and read through a write blocker
to copy the data, preserving valuable metadata and other
trails of data that would be altered if the computer
were booted.
- Make two copies of the original media.
When a forensic analysis is anticipated, two copies
of the original media are usually made: one for archival
purposes and a second for the investigator to use in
his or her recovery and analysis. Each copy should be
verified against the original with a cryptographic hash
so that its integrity can be demonstrated later.
- Follow a strict chain of custody. Keep
a continuous record of custody for the item –
from the time the item is acquired until it is transferred
out of the investigator’s control.
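The steps above, worked through as an added example rather than Kroll Ontrack's or Mr. Brill's own procedure. The drive, its unreadable sector, the item number and the examiner name are constructed for the example. The code models what a forensic imager does: one sequential pass over the full capacity of the media (so an empty drive takes as long as a full one), hashing the data as it is read so the original need not be read a second time, zero-filling and logging any block that returns a read error (the situation the time estimate above sets aside), verifying both the working and the archival copy against that hash, and writing a chain-of-custody entry for each step.

```python
"""Added example (not Kroll Ontrack's tooling): the onsite imaging plan
from the guidelines above, modelled in Python so it runs offline."""
import hashlib
import math
import time

SECTOR = 512  # sector-sized reads keep one bad sector from spoiling a large block


class FakeDrive:
    """Constructed stand-in for a write-blocked physical drive: a fixed
    capacity, raw reads by byte offset, and offsets that fail like bad sectors."""

    def __init__(self, data: bytes, bad_offsets=()):
        self.data = data
        self.capacity = len(data)
        self.bad = set(bad_offsets)

    def read(self, offset: int, size: int) -> bytes:
        if any(offset <= b < offset + size for b in self.bad):
            raise OSError(f"I/O error reading offset {offset}")
        return self.data[offset:offset + size]


def image_drive(drive, block=SECTOR):
    """One pass over the full capacity. Returns (image, sha256, bad_offsets).
    Unreadable blocks are zero-filled in the image and their offsets kept,
    so the report can state exactly which data could not be acquired."""
    image = bytearray()
    digest = hashlib.sha256()
    bad = []
    for offset in range(0, drive.capacity, block):
        size = min(block, drive.capacity - offset)
        try:
            chunk = drive.read(offset, size)
        except OSError:
            chunk = b"\x00" * size
            bad.append(offset)
        digest.update(chunk)  # hash exactly what is written, in the same pass
        image += chunk
    return bytes(image), digest.hexdigest(), bad


def verify(copy: bytes, expected_sha256: str) -> bool:
    """Re-hash a copy and compare it with the acquisition hash."""
    return hashlib.sha256(copy).hexdigest() == expected_sha256


def estimate_hours(capacity_gb, drives, imagers=1, gb_per_hour=60.0):
    """Time budget for the visit: per-drive time depends on capacity, not on
    how full the drive is. 60 GB/hour is an assumed rate, roughly the
    80 GB in one to two hours quoted above; parallel imagers divide the work."""
    per_drive = capacity_gb / gb_per_hour
    return per_drive * math.ceil(drives / imagers)


def custody_entry(log, item, action, examiner, sha256=None, note=""):
    """Append one chain-of-custody record; the list is the continuous record."""
    log.append({
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "item": item, "action": action, "by": examiner,
        "sha256": sha256, "note": note,
    })
    return log


def acquire(drive, item_id, examiner):
    """Full procedure: image, verify working and archival copies, log each step."""
    log = custody_entry([], item_id, "received", examiner,
                        note="drive removed, write-blocked")
    image, sha256, bad = image_drive(drive)
    custody_entry(log, item_id, "imaged", examiner, sha256,
                  note=f"{len(bad)} unreadable block(s) zero-filled at {bad}")
    working, archival = bytes(image), bytes(image)  # one to analyse, one to archive
    for name, copy in (("working", working), ("archival", archival)):
        ok = verify(copy, sha256)
        custody_entry(log, f"{item_id}-{name}",
                      "verified" if ok else "VERIFY FAILED", examiner, sha256)
    custody_entry(log, item_id, "released", examiner,
                  note="original returned to custodian")
    return {"image": image, "sha256": sha256, "bad_offsets": bad, "log": log}


if __name__ == "__main__":
    # Constructed 4 KB "drive": eight sectors, the third of which is unreadable.
    data = b"".join(bytes([i]) * SECTOR for i in range(8))
    result = acquire(FakeDrive(data, bad_offsets=[2 * SECTOR]), "HDD-001", "examiner A")
    print(result["sha256"], result["bad_offsets"])
    for entry in result["log"]:
        print(entry["time"], entry["item"], entry["action"], entry["note"])
```

Run as a script it acquires the constructed drive and prints the hash, the unreadable offsets and the custody log. The bad-block list belongs in the examiner's report: it states exactly which data could not be acquired, which bears directly on the kind of argument raised in Morris about what the original might have held.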
Keep in mind electronic evidence, like other types
of evidence, is fragile. Entering data, loading software,
performing routine system maintenance or simply booting
a computer can destroy certain data or metadata that
is stored on the hard drive. Failure to adhere to strict
industry standards regarding data collection may not
only result in the loss of critical data, but may also
undermine the reliability of any data that is recovered,
potentially rendering it inadmissible in a court of
law.
*** If you would like to explore the opportunity of
Alan Brill speaking at a conference you are supporting
or organizing, please contact Amanda Karls at
(952) 516-3637 or at akarls@krollontrack.com.
***

TECHNOLOGY YOU SHOULD KNOW: ARE INSTANT MESSAGES RECOVERABLE?
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators must understand the inner workings
of computers and how they relate to any computer conduct
at issue. ***
Instant messaging (IM) is one of the most popular and
fastest growing media of high-tech communication in
today’s digital age. In fact, according to a recent
survey, 53 million adults trade instant messages, and
24% of them swap instant messages more frequently than
email.
IM allows for “real-time” communication
between users over the Internet and is a cross between
email (it is a typed message) and a telephone call (it
is instant and not usually recorded). Most users choose
to download free IM software from the Internet. Once
the software is in place, users can set up a list of
correspondents (one software manufacturer refers to
this as a “buddy list”) and can send an
instant message to any of their contacts who happen
to be online. In an IM conversation, both users see
the messages as text that appears in windows on their
computer screens. Some programs also feature video and
voice conferencing.
Depending on the instant messaging software used, forensic
analysis of a computer on which IM programs were run may
or may not recover user conversations. Typically, IM sessions
are held only in volatile memory, which loses its contents
when the computer or hardware device loses power. Recovering
an IM session that existed only in this form is not likely
once the machine has been shut down.
However, it is possible to recover the contents of
an IM session if it was cached to the hard drive or
to a swap file. A swap file is a portion of the hard
drive set aside for the exclusive use of the operating
system, which uses the space as virtual memory. Data
that is in memory but unused at the moment can be
“swapped” from actual memory to the hard
drive swap file and later moved back into actual memory
when needed for processing. Data the operating system
has written to its swap file can be read with computer
forensic tools even after the IM program has exited and
the data is no longer in memory. If this occurs, keyword
searches for the user names or contents of the messages
may locate remnants of the conversation. In addition,
third-party software, such as private IM software available
for company-wide use, may log the chat sessions,
making the chances of recovery good.
Even though free services like MSN Messenger and AOL
Instant Messenger by default will not log conversations,
users still have the option to store the conversations
in a location of their choice on the computer. If a user
deliberately saved the IM session to a text file, the
content of the IM session may be identified and retrieved.
Even if the user later deletes the file, it may still
be recoverable, in whole as a deleted file or in part
as text fragments in unallocated or slack space.
If an IM session is recoverable, the validity of the
session must be scrutinized. Since the session is often
stored as a text file, a user can edit or manufacture
the content. Date and time stamps, which may help validate
the session, may only be recovered if the session was
saved to a file and the user set his or her preferences
to save date and time stamps, and even then they reflect
only what the software wrote to the file. Where a copy
of the same conversation exists on the other party's
computer, it should be obtained for comparison.
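A keyword search of the kind the paragraphs above describe, added here as an example and not as Kroll Ontrack's tooling. The image bytes, screen names and message text are constructed to stand in for a few kilobytes of swap or unallocated space: a remnant of a log the user once saved as a text file, and a line of chat-window text that was paged out of memory. It adds one point the text does not spell out: Windows applications often hold text in memory as UTF-16, so a paged-out fragment may not match a plain ASCII search, and the search has to be run in both encodings.

```python
"""Added example (not from the newsletter): searching raw swap or
unallocated space for instant-message remnants in more than one encoding."""
import re

ENCODINGS = ("ascii", "utf-16-le")  # saved text files and Windows in-memory strings

# Constructed stand-in for a stretch of swap/unallocated space: filler bytes
# (chosen to decode as non-printable in both encodings), a remnant of a log
# the user saved as text, more filler, then a line of chat-window text that
# was paged out of memory as UTF-16LE, then more filler.
FILLER = bytes(range(0x80, 0xD8)) * 8
SAVED_LOG = b"[21:04:20] coolguy77: hey julie u there?\r\n"
PAGED_OUT = "coolguy77: r u alone?".encode("utf-16-le")
SAMPLE_IMAGE = FILLER + SAVED_LOG + FILLER + PAGED_OUT + FILLER


def printable_only(text: str) -> str:
    """Collapse anything outside printable ASCII into a single space."""
    return re.sub(r"[^\x20-\x7e]+", " ", text).strip()


def find_keyword(image: bytes, keyword: str, context: int = 32, encodings=ENCODINGS):
    """Search raw bytes for keyword in each encoding. Returns a list of hits,
    each with the byte offset, the encoding that matched and a cleaned
    snippet of the surrounding text. Matching is case-insensitive."""
    hits = []
    for enc in encodings:
        width = len("a".encode(enc))  # bytes per character: 1 or 2
        needle = re.escape(keyword.encode(enc))
        for m in re.finditer(needle, image, re.IGNORECASE):
            # keep the slice aligned to character boundaries for UTF-16
            start = max(m.start() - context * width, m.start() % width)
            end = min(len(image), m.end() + context * width)
            end -= (end - start) % width
            text = image[start:end].decode(enc, errors="replace")
            hits.append({"offset": m.start(), "encoding": enc,
                         "snippet": printable_only(text)})
    return hits


if __name__ == "__main__":
    for screen_name in ("coolguy77", "julie"):
        for hit in find_keyword(SAMPLE_IMAGE, screen_name):
            print(f"{hit['offset']:6d} {hit['encoding']:9s} {hit['snippet']}")
```

An ASCII-only search of the same image finds the saved-log remnant but misses the paged-out line entirely. Note also that the "[21:04:20]" in the first hit is simply text the user's software wrote to the file; the search recovers it but does not authenticate it, which is the point of the validation caveat above.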
IM presents new challenges for computer forensic engineers,
corporations and attorneys. When mining for potentially
valuable electronic data, IM may be a necessary and
valuable evidentiary source. If IM could be at issue
in one of your cases, contact a qualified computer forensic
expert to assist you in determining what can be uncovered.

KROLL ONTRACK NEWS & EVENTS
Meet Kroll Ontrack representatives at upcoming events.
For a complete listing of sponsored and speaking events,
and more information on each, visit http://www.krollontrack.com/upcomingevents/.
KROLL ONTRACK REQUESTS YOUR INPUT
This newsletter is written by Michele C.S. Lange, staff
attorney with Kroll Ontrack, with assistance from Charity
J. Delich, a Kroll Ontrack law clerk. Ms. Lange has
published numerous articles and speaks regularly on
the topics of electronic discovery, computer forensics,
and technology’s role in the law. She can be contacted
by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.