Computer Forensics News
March 2008 | Vol. 6, Iss. 3
Cyber Crime & Computer Forensics News


In This Issue:

From the Bench: Courts Rely on Computer Forensic Experts
The Brill Files: Considerations When Recycling Your Old GPS System
Technology You Should Know: Anti-Forensic Techniques and What to Watch For
News & Events

From the Bench: Courts Rely on Computer Forensic Experts

Illegal Images Inadvertently Stored in RAM Constitute Sufficient Evidence to Uphold Conviction
State v. Jensen, 173 P.3d 1046 (Ariz.App.Div. Jan. 15, 2008). In this criminal case, the defendant appealed his conviction for sexual exploitation of a minor, claiming the evidence was insufficient to support the jury verdict that he knowingly possessed or received child pornography. The government conducted a forensic examination of the defendant’s computer, which revealed three images that were automatically saved to the hard drive. Two of the images were found on the hard drive in temporary internet file folders and the third was recovered from an unallocated cluster. Disregarding the defendant’s claims he did not knowingly possess the images as they were saved automatically into the computer’s random access memory (RAM), the court determined the defendant’s active search for the images was sufficient to support the conviction.

Extensive Co-mingling of ESI Stored in Database Gives Rise to Lawful Seizure of Entire Database
United States v. Comprehensive Drug Testing, Inc., 2008 WL 191672 (Cal. Jan. 24, 2008). In this investigation into illegal steroid use by professional athletes, the government executed a search warrant seizing computer equipment and storage devices, claiming they could not be sorted on-site due to extensive co-mingling with other data. The defendants sought return of the evidence, arguing its seizure constituted a callous disregard for the privacy rights of individuals named in the seized databases. The court, recognizing the special complexities caused by electronically stored information (ESI) and the particular difficulty faced in instances where the data is incomprehensible and unusable outside its native format, found in favor of the government and determined the seizures were reasonable.

Defendant Ordered to Produce Mirror Images to Determine Compliance with Previous Discovery Order
Bro-Tech Corp. v. Thermax, Inc., 2008 WL 356928 (E.D.Pa. Feb. 7, 2008). In this discovery dispute, the plaintiffs moved to compel the defendants to produce forensically sound copies of numerous electronic data storage devices that allegedly contained the plaintiffs’ proprietary information. Per an earlier court order, the defendants had been directed to return and then purge the plaintiffs’ electronic files that were stored on their servers, hard drives and thumb drives. Agreeing with the plaintiffs that an examination of the defendants’ hard drives and servers was necessary to determine if a violation had occurred, the court ordered the defendants to produce the forensic copies to the plaintiffs’ attorneys on a “confidential-designated counsel” basis.

The Brill Files: Considerations When Recycling Your Old GPS System

For many people, the Global Positioning System (GPS) has made traveling from place to place extremely convenient. Whether hand-held or installed in a car, GPS technology uses satellites to transmit signals that are picked up by GPS receivers. Once you type in your destination address, the GPS unit determines your location, provides map information and plots your route.

For Christmas last year, I was thrilled to receive a GPS. I mounted it to my dashboard and away I went. I was amazed at the accuracy of the technology; how it was able to recalculate directions when I made a wrong turn or needed to stop mid-route for an errand. I found myself relying upon my GPS more and more when I was unsure of my route. It wasn’t until I purchased a new car equipped with a newer model GPS machine that I considered recycling my Christmas present.

One must keep in mind that the GPS system is a computer, much like any desktop or laptop. In other words, prior destinations are stored in the computer’s slack space, making them later recoverable with the use of computer forensic tools. This consideration may become important when deciding what to do with an older GPS machine. A second owner may be able to recover stored data, such as your home address or other places you have traveled. It is not enough to simply reset the machine back to the factory settings because the data may be recoverable. You should do an entire system wipe to prevent the future owner from being able to recover your home address.

If you would like to explore the opportunity of world-renowned forensics expert Alan Brill speaking at a conference you are supporting or organizing, please contact Kristin Husom at 952 516 3781 or at khusom@krollontrack.com.

Technology You Should Know: Anti-Forensics -- What to Watch For

Computer forensics is the systematic investigation of digital media and its contents. Anti-forensics refers to techniques that attempt to compromise computer forensic methods. While anti-forensic tools and techniques certainly serve legitimate purposes, such as protecting private information, when these tools fall into the wrong hands they can also be used for suspect purposes. As the use of anti-forensic tools continues to rise, it is critical for computer forensic experts to be aware of common methods and to be prepared to search for evidence of anti-forensics during each investigation.

Anti-forensics methods tend to be used for three purposes: to hide, falsify and destroy data. In the first scenario, a person might attempt to hide evidence by placing it in an unusual location or renaming it, making it less likely to be included in a forensic investigation. The evidence is not necessarily destroyed or altered, just less likely to be found. This method can be defeated by thorough analysis and by an investigator who is aware of the need to search in uncommon locations and through files regardless of their names or extensions.

The next common method of anti-forensics is to falsify data. This method seeks to alter real evidence without leaving the impression of modification, in an attempt to mislead the examiner into believing the viewed information is legitimate. Often this method is employed when the individual is attempting to pretend to be someone he is not, or is trying to change the timeframe in which something appears to have occurred. For example, manipulation of the system clock will result in out-of-sequence log files and metadata, making the last-accessed dates appear to fall before the date the data was created.

A third anti-forensics method is data destruction, which attempts to hide wrongdoing by wiping the evidence from the hard drive. An investigator should look for two indicators: evidence of data-wiping software in the file system, registry, or system event log, and evidence of actual data destruction, such as false MFT records and unusual hex patterns in unallocated space. In addition, evidence of missing data in the Internet history and evidence of CD-ROM burning artifacts should also give rise to a suspicion of evidence destruction.
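The three indicator classes above (a renamed file whose content disagrees with its extension, last-accessed or modified dates that fall before the creation date, and uniform fill patterns in unallocated space) can each be reduced to a simple mechanical check. The script below is an added illustration written for this page; it is not part of the newsletter and not Kroll Ontrack code. The file listing, the dates, the paths and the unallocated-space image are all constructed, and the 512-byte sector size is an assumption; the file signatures in the MAGIC table are the real ones for those formats.

```python
from dataclasses import dataclass
from datetime import datetime as dt

# Well-known file signatures (real magic numbers) used to spot renamed files.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
SECTOR = 512  # assumed sector size for the unallocated-space scan


@dataclass
class FileRecord:
    """One row as an examiner might export it from a file-system listing."""
    path: str
    created: dt
    modified: dt
    accessed: dt
    head: bytes  # first bytes of the file's content


def content_kind(head: bytes):
    """Identify the content by its signature, or None if unknown."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None


def check_hidden(rec: FileRecord):
    """Hiding: the extension disagrees with what the content signature says."""
    name = rec.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = content_kind(rec.head)
    if kind is not None and ext != kind:
        return [f"content signature {kind} does not match extension .{ext or '<none>'}"]
    return []


def check_falsified(rec: FileRecord):
    """Falsifying: timestamps that cannot arise from ordinary use on one system."""
    findings = []
    if rec.accessed < rec.created:
        findings.append("accessed before created")
    if rec.modified < rec.created:
        # Weak on its own: a file copied onto the disk keeps its old
        # modified time but receives a fresh creation time.
        findings.append("modified before created (weak: also true of copied files)")
    return findings


def audit_files(records):
    """Map each suspicious path to its findings; clean files are omitted."""
    report = {}
    for rec in records:
        findings = check_hidden(rec) + check_falsified(rec)
        if findings:
            report[rec.path] = findings
    return report


def fill_pattern(sector: bytes):
    """Return the shortest repeating unit (1, 2 or 4 bytes) if the sector is
    one pure fill pattern, else None."""
    for unit in (1, 2, 4):
        pat = sector[:unit]
        if pat * (len(sector) // unit) == sector:
            return pat
    return None


def find_fill_runs(blob: bytes, min_sectors=4, ignore_zero=True):
    """Destruction: report runs of at least min_sectors consecutive sectors that
    share one fill pattern, as (pattern, first_sector, sector_count). Runs of
    0x00 are skipped by default because never-written space is zero anyway."""
    runs, cur = [], None  # cur = [pattern, first_sector, count]
    for i in range(0, len(blob), SECTOR):
        pat = fill_pattern(blob[i:i + SECTOR])
        if ignore_zero and pat == b"\x00":
            pat = None
        if cur is not None and pat == cur[0]:
            cur[2] += 1
            continue
        if cur is not None and cur[2] >= min_sectors:
            runs.append(tuple(cur))
        cur = [pat, i // SECTOR, 1] if pat is not None else None
    if cur is not None and cur[2] >= min_sectors:
        runs.append(tuple(cur))
    return runs


# Constructed sample listing: hypothetical paths, dates and content heads.
SAMPLE_FILES = [
    FileRecord("reports/q3.pdf", dt(2008, 1, 10), dt(2008, 1, 12), dt(2008, 2, 1), b"%PDF-1.4\n"),
    FileRecord("misc/notes.txt", dt(2008, 1, 5), dt(2008, 1, 6), dt(2008, 1, 7), b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    FileRecord("docs/memo.doc", dt(2008, 2, 20), dt(2008, 2, 18), dt(2008, 1, 30), b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
]

# Constructed unallocated-space image: untouched space, a fragment of a deleted
# document, then two fill patterns of the kind a wiping pass leaves behind.
UNALLOCATED = (
    b"\x00" * (SECTOR * 6)
    + b"Invoice 4471 - please remit by Friday".ljust(SECTOR, b"\x00")
    + b"\xff" * (SECTOR * 8)
    + b"\x55\xaa" * (SECTOR // 2) * 5
    + b"\x00" * (SECTOR * 2)
)

if __name__ == "__main__":
    for path, findings in audit_files(SAMPLE_FILES).items():
        print(path, "->", "; ".join(findings))
    for pat, start, count in find_fill_runs(UNALLOCATED):
        print(f"fill pattern {pat.hex()} over {count} sectors starting at sector {start}")
```

Run as written, the script reports the JPEG disguised as notes.txt, the memo whose accessed and modified dates precede its creation date, and two fill runs in the unallocated image (8 sectors of 0xFF and 5 sectors of 0x55AA) while leaving the zero-filled sectors alone. All three checks are heuristics that raise questions rather than prove anything: a modified-before-created date is routine for a copied file, a wipe that overwrites with random data leaves no fill pattern (a long stretch of high-entropy, unparseable sectors is the corresponding clue), and any finding still has to be tied back to the wiping software, registry and event-log evidence the article describes.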

Awareness of these methods is the first step in beating anti-forensic techniques. If something does not seem right, inquire further into its authenticity. It is good practice to ask the client at the beginning of the investigation about the likelihood that anti-forensic methods have been deployed. Wrongdoers will forever attempt to beat the system, but do not let those attempts get in the way of finding the truth.


NEWS & EVENTS

Kroll Ontrack Launches Enhanced Version of Ontrack Firstview to Optimize E-mail Analysis in Litigation and Internal Investigations
To better aid legal and technology teams, on February 5, 2008, Kroll Ontrack announced the launch of a new version of its e-mail investigation and analytics software, Ontrack® Firstview™ 2.0. Now supporting the two largest e-mail platforms, Microsoft® Exchange™ and IBM® Lotus Notes™, Ontrack Firstview 2.0 also offers advanced search and in-depth reporting capabilities to expedite the identification of significant e-mail communications in internal investigations and litigation. Because IT is often called upon by legal teams to assist with internal investigations and litigation, Ontrack Firstview’s advanced search functionality and reporting capabilities permit faster identification of critical e-mail messages, allowing legal teams to demonstrate conclusions through conceptual searching, advanced visualization and advanced reporting. For more information, please visit: http://www.ontrackfirstview.com/.

Kroll Ontrack Launches Enhanced Version of Ontrack Inview to Further Streamline the E-Discovery Process
On February 5, 2008, Kroll Ontrack announced the launch of Ontrack® Inview™ 5.4, an enhanced version of its industry-leading online repository and document review tool. Providing legal document review teams with the most sophisticated and comprehensive review technology available today, Ontrack Inview 5.4 will further streamline the document review and production processes through new Document Delivery Wizard, User Group Security, and Multilingual Intelligence capabilities. For more information, please visit: http://www.ontrackinview.com/.

Meet our representatives at the following events:

4/17/2008 - 4/18/2008
Kroll Ontrack Electronic Discovery Certification Course, Eden Prairie, MN

5/20/2008 - 5/21/2008
Enterprise Search Summit, New York, NY

5/19/2008 - 5/22/2008
EMC World, Las Vegas, NV

6/12/2008 - 6/13/2008
Kroll Ontrack Electronic Discovery Certification Course, Eden Prairie, MN

6/26/2008 - 6/27/2008
LegalTech West, Los Angeles, CA

8/7/2008 - 8/8/2008
Kroll Ontrack Electronic Discovery Certification Course, Eden Prairie, MN

9/11/2008 - 9/12/2008
Kroll Ontrack Electronic Discovery Certification Course, Eden Prairie, MN

10/16/2008 - 10/17/2008
Kroll Ontrack Electronic Discovery Certification Course, Eden Prairie, MN

Visit www.krollontrack.com/upcomingevents for more information on these events and others.


We Request Your Input

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please contact us by writing to jshogren@krollontrack.com.

This newsletter is written by Joni Shogren, a Kroll Ontrack staff attorney with assistance from Gina Jytyla, also a Kroll Ontrack staff attorney. Ms. Shogren can be contacted by writing to jshogren@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.

Ontrack Forensics

9023 Columbine Road | Eden Prairie, MN 55347 | 800 347 6105


Subscription Information

Recently you provided us with permission to send you updates via e-mail. Your information is exclusive to Kroll Ontrack Inc. and is used only to provide information that may benefit you. Kroll Ontrack Inc. does not supply customer information to other third party marketers.

If you would like to change your subscription options, including choosing not to receive any newsletters or sign up for additional newsletters, please visit the link below to access our newsletter service center and follow the easy, on-screen instructions.

www.krollontrack.com/contactus/newslettercenter/login.aspx

This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.

© 2008 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.