March 2006 - Volume 4, Issue 3
In This Issue:
FROM THE BENCH: COURTS TACKLE ISSUES RELATING TO COMPUTER FORENSIC PROTOCOLS AND FRIVOLOUS LAWSUITS
THE BRILL FILES: PURSUING DATA PIRACY – KROLL ONTRACK EXPERTS UNCOVER ATTEMPTED DIGITAL HEIST
TECHNOLOGY YOU SHOULD KNOW: MAXIMIZING METADATA IN A COMPUTER FORENSICS INVESTIGATION
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: COURTS TACKLE ISSUES RELATING TO COMPUTER FORENSIC PROTOCOLS AND FRIVOLOUS LAWSUITS

Court Sets Forth Protocols for Computer Forensic Examination
AutoNation, Inc. v. Hatfield, 2006 WL 60547 (Fla.Cir.Ct. Jan. 4, 2006). In a case involving a trade secret theft action, the plaintiff sought, and the court issued, an injunction against the defendant. The injunction required the defendant to return hard copy files, electronic files, computer disks and other computer storage media relating to the plaintiff’s business. In addition, the court ordered a third party to make her personal computer available to the plaintiff for forensic examination by an expert. The expert was to determine whether the plaintiff’s material existed on the computer and if e-mails the defendant had sent to the third party’s address were forwarded, altered or used. The court permitted the expert to copy any of the plaintiff’s material on the computer and then delete all such material from the computer. Finally, the court authorized the defendant and the third party to have an independent forensic expert in attendance at the inspection.

Court Dismisses Suit Against Computer Forensic Expert
Kathrein v. McGrath, 2006 WL 287433 (7th Cir. Feb. 7, 2006). In a case involving a defamation action, the plaintiff was ordered to stop posting pornographic material on a Web site and to stop creating redirections from that site to other pornographic Web sites. Suspecting the plaintiff violated the order, the allegedly defamed individual sought to hold the plaintiff in contempt. The plaintiff admitted he inserted a command that would redirect users of the Web site, but stated the programmed redirection would occur only after a three hundred billion second delay. Doubting the delay feature existed, the individual sought and received an order permitting immediate inspection of the plaintiff’s computer. A computer forensic expert inspected the computer and concluded the computer he was given was not the one used as the server for the Web site. Admitting he switched computers, the plaintiff claimed he left the old computer outside his office and did not know who took it. The court awarded the individual the costs of the expert’s wasted investigation. The plaintiff then filed a lawsuit against the expert (cited above) claiming the expert drafted a fraudulent bill and violated federal statutes by performing an inspection beyond the scope of his authority. The expert sought dismissal of the suit. The trial court dismissed, ordering the plaintiff to pay more than $20,000 to the expert for his attorneys' fees in defending a frivolous lawsuit. On appeal, the court concluded dismissal was warranted because the plaintiff lacked standing to challenge the fraudulent bill. Because the appellate court’s reason for dismissal differed from the trial court’s reason for dismissal, the appellate court vacated the sanctions award and remanded the case for re-evaluation.


THE BRILL FILES: PURSUING DATA PIRACY – KROLL ONTRACK EXPERTS UNCOVER ATTEMPTED DIGITAL HEIST

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

More than ever, organizations must consciously safeguard sensitive electronic data from unscrupulous individuals seeking to pirate and exploit this information. In some cases, even painstakingly detailed security protocols cannot prevent an organization from experiencing electronic data security breaches. Recently, Kroll Ontrack was asked to work on a case involving a data theft situation.

In this case, a large, multi-national company engaged the services of a well-known courier to transport a confidential database stored on a USB drive. Unfortunately, an individual heisted the drive while it was in transit. After discovering he was being investigated in the matter, the suspected thief smashed the USB drive and threw it away. The suspect later retrieved the drive and turned it over to the company for examination. He claimed he had not stolen or sold the database information but had merely used the hard drive to store videos of his favorite television show. Unless the company could find evidence verifying this story, the company faced the possibility of having to rescind several major contracts.

At the company’s request, Kroll Ontrack immediately went to work on the case. Pursuant to a court order, Kroll Ontrack’s Paris, France office made mirror images of the USB drive and a hard drive from the suspect’s personal computer. While our French forensic experts conducted an investigation on the suspect’s personal hard drive, our U.K. experts began to recover the data on the damaged USB drive. The investigation of the suspect’s personal drive corroborated the suspect’s story – there was no evidence of data copying or selling.

However, further confirmation was needed from the smashed drive. After repairing extensive damage on the USB drive, our experts restored the media to a working condition and conducted a targeted recovery of the smashed drive.

Armed with information attained from the recovery, we were able to demonstrate to the company the suspect’s exact steps – when he had accessed the stolen USB drive and how he had deleted the database, renamed the hard drive, and moved episodes of the television show onto the stolen hard drive. The experts even deduced how the suspect was able to move the data between hard drives without copying it. When the investigation was complete, the team had solid evidence showing a strong correlation with the suspect’s version of events. Based on this, the company was able to rest assured their information was safe.

As demonstrated by this case, responding to data theft can require a multi-dimensional and multi-jurisdictional approach in order to mitigate damage. The availability of a variety of skill sets – from knowledge about recovering damaged information to expertise in conducting a detailed investigation of that information – can be necessary to uncover the digital fingerprints left behind by a data pirate.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***


TECHNOLOGY YOU SHOULD KNOW: MAXIMIZING METADATA IN A COMPUTER FORENSICS INVESTIGATION

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***

Metadata, “data about the data,” can provide key pieces of relevant evidence and information about a particular e-mail, spreadsheet or other electronic document in a computer forensic investigation. For example, metadata provided a case-cracking clue in a 30-year-old case involving the Wichita, Kansas BTK killer.

In the BTK case, police investigators examined an electronic letter detailing the killer’s exploits. The letter was sent via e-mail from the BTK killer to a local television station. The letter’s metadata properties revealed the first name of the author and an organization’s name. Using that information, investigators were able to track down the killer. For more information on the case, see http://www.crimelibrary.com/serial_killers/unsolved/btk/25.html. As illustrated by the BTK case, metadata can be used to uncover essential traces about a document's past life.

What is Metadata?
Metadata is information about a document such as who created a file, the date it was created and when it was last modified. The availability of metadata depends on the properties of the file type (e.g., Microsoft Office documents, WordPerfect documents, some graphics files, etc.). Depending on the type of application, a single document has the potential of having hundreds of metadata fields. Two primary types of file metadata can prove useful during a forensic investigation:

  • System Metadata – Data stored externally from the file and used to track file locations; it is usually operating system dependent and contains information about the file (e.g., file names, dates, path locations, sizes, etc.).
  • Application Metadata – Information embedded within the file itself (e.g., tracked changes, document author, document version, macros, e-mail “to,” “from,” “subject,” etc.); it moves with the file when copied and varies depending on the type of file in question.

Like other forms of electronic evidence, metadata can be easily altered if proper preservation precautions are not taken. To avoid altering metadata during a forensic investigation, an expert should work off of a mirror image (exact, bit-by-bit) copy of the media at issue.
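The difference between the two metadata types, and why a careless copy alters one but not the other, is illustrated by the following added example, which is not part of the original newsletter. It assumes an Office Open XML (.docx) package whose `docProps/core.xml` part holds the application metadata; the file names and property values are constructed for the illustration.

```python
import os
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by docProps/core.xml in an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Constructed sample properties; not taken from any real case.
SAMPLE_CORE = (
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
    "<dc:creator>Sample Author</dc:creator>"
    "<cp:lastModifiedBy>Sample Editor</cp:lastModifiedBy>"
    "<dcterms:modified>2006-02-07T17:30:00Z</dcterms:modified>"
    "</cp:coreProperties>"
).format(**NS)
FIELDS = ("dc:creator", "cp:lastModifiedBy", "dcterms:modified")


def system_metadata(path):
    """Metadata the file system keeps about the file, outside its content."""
    st = os.stat(path)
    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    return {"name": os.path.basename(path), "size": st.st_size, "modified": mtime}


def application_metadata(path):
    """Metadata embedded in the document itself (opened read-only)."""
    with zipfile.ZipFile(path, "r") as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {f: root.findtext(f, namespaces=NS) for f in FIELDS}


def demo():
    """Build a sample package, copy it, and read both metadata types from each."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "report.docx")
    copy = os.path.join(workdir, "copy_of_report.docx")
    with zipfile.ZipFile(original, "w") as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
    os.utime(original, (1139333400, 1139333400))  # mtime = 2006-02-07 17:30 UTC
    shutil.copyfile(original, copy)  # plain copy: same bytes, new timestamps
    result = {p: (system_metadata(p), application_metadata(p)) for p in (original, copy)}
    shutil.rmtree(workdir)
    return result[original], result[copy]
```

The copy carries identical application metadata but a fresh file-system timestamp, which is the alteration that working from a mirror image is meant to avoid.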

What Clues Can Metadata Provide?
Due to its backstage quality, metadata can provide a number of telltale clues. In most cases, for example, computer users are not aware of the computer's metadata "log," which documents the date and time a file is created, accessed and modified. This trail of evidence can help tell the story about a computer user's conduct or the history of a particular file. Even after the data itself has been wiped, directory entries, pointers or other metadata relating to the deleted data may remain on the computer.

Where timelines are at issue, metadata time and date stamps can offer clues into a computer user’s actions. For instance, in State v. Guthrie, 627 N.W.2d 401 (S.D. 2001), a case involving a criminal prosecution for murder, forensic analysis of metadata revealed that a computer-printed suicide note, offered to exculpate the defendant, was created several months after the victim’s death.

Metadata also can help establish or discount elements of a legal claim or defense. In Munshani v. Signal Lake Venture Fund II, 805 N.E.2d 998 (Mass. App. 2004), the plaintiff presented an e-mail as evidence precluding the trial court from dismissing his claim. The defendant, however, alleged the plaintiff had fabricated the e-mail and moved for a preservation and production order. The court issued the order and appointed a neutral computer forensic expert to investigate the allegations. The document’s metadata assisted the expert in determining the plaintiff had fabricated the e-mail. The judge adopted the expert’s report as his findings on the issue and dismissed the plaintiff’s suit, ordering him to pay the expert’s costs and the defendant’s attorney fees.

Aside from uncovering information about a particular case, metadata can help authenticate and interpret evidence by providing date and time stamps, network access logs, evidence of simultaneous user activity, version control information and more. Without this documentation, an electronic document is incomplete, and a court may refuse to admit a key piece of evidence if it finds the data unreliable. Once a forensic investigation is completed, an expert can testify about how metadata verifies the credibility of an electronic document. The expert also can help the judge or jury understand, interpret and evaluate the relationship between a piece of evidence and its associated metadata.


KROLL ONTRACK NEWS & EVENTS

Kroll Ontrack is now accepting nominations for the 4th Annual Electronic Evidence Thought Leadership Awards. The annual awards aim to recognize legal professionals and law firms whose work has shaped the future of electronic discovery and computer forensics. Nominations are being accepted for the following award categories:

  • Thought leading law firm
  • Thought leading litigator
  • Thought leading antitrust practitioner
  • Thought leading litigation support
  • Thought leading scholar
  • Thought leading electronic discovery case of the year
  • Thought leading computer forensic case of the year

Deadline for nominations is set for March 24, 2006. To nominate one or more thought leaders, go to http://www.krollontrack.com/thoughtleader/. Winners will be announced in early April.

Meet Kroll Ontrack Representatives at the Following Events:

  • 3/23/06 - 3/24/06: Advanced Electronic Discovery Certification Course, Eden Prairie, MN
  • 3/30/06 - 3/31/06: Paralegal Super Conferences, Los Angeles, CA
  • 4/6/06 - 4/7/06: Paralegal Super Conferences, Orlando, FL
  • 4/20/06 - 4/22/06: ABA Tech Show, Chicago, IL
  • 5/9/06 - 5/10/06: LegalWorks – E-Discovery A-Z, New York, NY
  • 5/11/06 - 5/12/06: Paralegal Super Conferences, Minneapolis, MN
  • 5/16/06: ARMA San Antonio E-Discovery Event, San Antonio, TX
  • 5/17/06 - 5/18/06: IQPC Document Retention & Electronic Discovery, Toronto, ON Canada
  • 5/18/06 - 5/19/06: LegalWorks – E-Discovery A-Z, Miami, FL
  • 6/5/06 - 6/6/06: Legal Tech West Coast, Los Angeles, CA
  • 6/6/06 - 6/7/06: LegalWorks – E-Discovery A-Z, Chicago, IL
  • 6/4/06 - 6/7/06: Techno Security Conference, Myrtle Beach, SC
  • 6/12/06 - 6/13/06: Electronic Discovery Certification Course, Eden Prairie, MN
  • 6/15/06 - 6/16/06: Paralegal Super Conferences, Houston, TX
  • 6/22/06 - 6/23/06: Paralegal Super Conferences, Phoenix, AZ
  • 7/27/06 - 7/28/06: Paralegal Super Conferences, Washington D.C.
  • 9/14/06 - 9/15/06: Electronic Discovery Certification Course, Eden Prairie, MN
  • 10/4/06 - 10/5/06: Paralegal Super Conferences, Philadelphia, PA
  • 10/19/06 - 10/20/06: Paralegal Super Conferences, San Francisco, CA
  • 12/4/06 - 12/5/06: Electronic Discovery Certification Course, Eden Prairie, MN

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.


KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or http://www.krollontrack.com/.

© 2006 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105