May 2004 - Volume 2, Issue 5
In This Issue:
FROM THE BENCH: COMPUTER FORENSIC ANALYSIS HELPS APPELLATE COURTS ISSUE SEVERE SANCTIONS
THE BRILL FILES: THINK TWICE BEFORE USING HOTEL INTERNET CONNECTIONS
TECHNOLOGY YOU SHOULD KNOW: DATE AND TIME STAMPS
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: COMPUTER FORENSIC ANALYSIS HELPS APPELLATE COURTS ISSUE SEVERE SANCTIONS

In several recent cases, computer forensic experts helped expose concealed and falsified electronic evidence. The experts’ analysis of, and testimony about, the computer conduct at issue played a vital role in each of the appellate decisions.

In QZO, Inc. v. Moyer, 2004 WL 502288 (S.C. Ct. App. Mar. 15, 2004), a corporation alleged that the defendant, a former officer and shareholder of the corporation, violated state trade secret laws by planning to compete with the corporation. Since the corporation believed the defendant had evidence of its allegations on a computer, it requested the computer be turned over.

The trial court granted a temporary restraining order (TRO), directing the defendant to hand over the computer to the corporation or to a neutral third party. The defendant waited seven days after the TRO was issued to deliver the computer to the corporation. The corporation then hired a computer forensic expert to inspect and retrieve any potential evidence from the computer’s hard drive. The expert discovered that the hard drive had been reformatted a day before the defendant delivered the computer to the corporation, which had effectively erased any evidence that may have been on the computer.

The corporation requested sanctions in the form of a default judgment against the defendant for intentionally violating the TRO. The trial court granted the corporation’s motion for sanctions and entered a default judgment in favor of the corporation. The defendant appealed, claiming the evidence was insufficient to support such severe sanctions. On appeal, the appellate court affirmed the trial court’s judgment, determining the sanctions were not too severe.

A computer forensic expert played a crucial role in another case, Munshani v. Signal Lake Venture Fund II, 2004 WL 584588 (Mass. App. Mar. 26, 2004). In the breach of contract action, the plaintiff appealed a superior court judgment that dismissed his complaint on the grounds that he had intentionally fabricated an email message and then attempted to hide the fabrication.

In the original action, the plaintiff presented an email as evidence that precluded the trial court from dismissing his claim. The defendant, however, alleged the plaintiff had fabricated the email and moved for a preservation and production order. The court issued the order and appointed a neutral computer forensics expert to investigate the allegations. The expert determined the plaintiff had fabricated the email and prepared a 147-page report outlining the facts. The judge adopted the expert’s report as his findings on the issue and dismissed the plaintiff’s suit, ordering him to pay the expert’s costs and the defendant’s attorney fees. See Munshani v. Signal Lake Venture Fund II, 13 Mass.L.Rptr. 732 (Mass.Super. 2001).

On appeal, the plaintiff admitted he fabricated the email and submitted a false affidavit. The plaintiff argued that the judge erred in finding the email was material to the case and that dismissal sanctions were too severe under the circumstances. The appellate court rejected the plaintiff’s argument and declared that the judge was justified in “imposing the ultimate sanction of dismissal.”


THE BRILL FILES: THINK TWICE BEFORE USING HOTEL INTERNET CONNECTIONS

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

My work involves a lot of travel. To help me keep in touch with my office, family, and friends when on the road, I find Internet access crucial. For that reason, I always make sure the hotel I am going to is able to accommodate this. But there is more that you need to know when accessing the Internet when away from home or the office.

Even though many hotels provide Internet service, they do not always make the service widely available, nor do they consistently price the service. For example, some hotels charge for the use of the Internet connection, while others include it in the room price even if you do not use it. Although most hotels use hard-wired connections, some use wireless technology. Some hotels have fast connections, while at others, data transfers at a snail’s pace. Despite all of this, however, you should remember not to ignore information security when traveling.

For hotels that provide Internet access through wireless technology, remember some of the wireless connectivity security issues I have written about in past newsletters (to read past newsletters, visit http://www.krollontrack.com/LawLibrary/ComputerForensicsNewsletter). Some hotels (and other “hot spots”) aim to make it easy to attach to the network, which places a real limit on the security they provide. Without encryption, someone can easily intercept your transmissions. Unless your transmission is protected by end-to-end security (through SSL, SHTML, VPN or a similar technology), whatever you see and send can be intercepted. Moral of the story: think before you hook up to the hotel (or coffee shop) wireless network.

Even at the hotel where I write this month’s column, the only way to connect to the Internet (other than an international dial-up to my ISP) is to use the computers at the hotel’s business center. Remember that using someone else’s computer puts much of the security into their hands. Consider these hotel computer use tips (which are based on true experiences):

  • A computer stores a lot of information that could be recoverable by a corrupt hotel employee or subsequent user of that computer. If you use a hotel or other public computer, you should take a minute to erase the computer’s history files, cache files, and cookie files before you finish using the machine.
  • Someone with unscrupulous intentions could attach a keystroke interceptor to the machine in an attempt to obtain your user IDs and passwords. Take caution when using a hotel business center computer to access password-protected Internet sites.
  • If you use the hotel’s printer, request that the printer be turned off and restarted after you finish printing. If this precaution is not taken, a simple press of a button on many printers will allow subsequent users to reprint the last document sent through the printer.

Certainly, there are times when it is appropriate to use these facilities, but do not let the potential for connecting to your email, office, financial dealings, and any other online aspects of your life make you forget the need to connect securely. On the road, you are your own information security officer.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Nicolle Martin at (952)949-4137 or at nmartin@krollontrack.com. ***


TECHNOLOGY YOU SHOULD KNOW: DATE AND TIME STAMPS

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. ***

As the QZO and Munshani cases illustrate, electronic evidence uncovered by computer forensic experts can provide powerful proof to the court in substantiating a party’s claims. Such evidence sometimes includes determining the time and date computer files were created, modified, or last accessed. In some situations, dates and times of file deletion also may be available. The following questions are commonly asked about computer file date and time stamps:

1. What is a date and time stamp?
Date and time stamps are records that mathematically link a document to the time and date it was created, modified, or last accessed. They are stored as part of a file’s metadata (data about data) in the same "index" area as the name of the file itself. Even if the relevant data no longer exists, date and time information about the files might still be available. However, users must beware. Date and time stamps can be altered if a computer is booted up or if a novice user opens a file to analyze the associated dates. As such, in order to properly capture date and time stamps on computer files, computer forensic best practices must always be employed.

2. How are date and time stamps created?
In Microsoft-based operating systems, date and time stamps are automatically recorded. This includes the dates and times a file was created, modified, and last accessed. Deleted file stamps are located in a special hidden file within the recycle bin, which can show when the file was deleted. Once the recycle bin is emptied, this special file is cleared as well and any information about when the file was deleted will probably be lost. However, in some cases, all or part of the file may be recoverable.

3. How are date and time stamps changed?
Each date and time stamp records the “last” time a file was created, modified, or accessed. The first time a new file is saved, all of the times will match. After that, the last accessed date will change as a result of any viewing, copying, or manipulating of the file. The last modified date and time will change anytime changes to a file are made, even if it is merely re-saved without changes. Although dates and times generally function this way, a detailed analysis may be required in many cases to show what really happened when.

4. How do computer forensic experts detect changes to a computer system’s date and time stamp?
When a computer system’s date and time setting is altered or unavailable, an expert can use a dynamic date and time stamp analysis to determine the actual date and time associated with the system. This method compares the dates and times contained in a file to the modified, accessed, and created times of the file. From this comparison, an expert can derive the approximate actual system time. There are also many other sources of date and time information that are external to the system and can be compared if needed. Examples include email headers, Web pages, various server logs (if available), and logs that may be on the drive itself.

5. How is dynamic date and time stamp analysis helpful in computer forensics?
Date and time stamps can help to reconstruct a timeline for when a computer file was last created, modified, deleted, or accessed. However, if the computer system clock is wrong, a file’s date and time stamp might also be wrong. By using dynamic date and time analysis, the computer forensic expert can attempt to uncover the actual dates and times associated with the computer files.

Thoroughly documenting date and time stamps is essential in verifying the accuracy of a computer forensics investigation and lends credibility to an expert’s report and testimony.
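The comparison described in questions 4 and 5 can be sketched as follows. This is an added example, not Kroll Ontrack's tooling or method: the file names, timestamps and function names are constructed, and it assumes each file carries a trustworthy time set by an external system and was saved locally shortly afterwards.

```python
from datetime import datetime, timedelta
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not from any real case). Each row: file name,
# a time embedded in the content by an external system (e.g. a mail server
# header), and the "created" stamp written by the local system clock.
SAMPLES = [
    ("msg001.eml", "2004-03-01 09:15:10", "2004-02-28 09:15:40"),
    ("msg002.eml", "2004-03-01 11:02:00", "2004-02-28 11:02:25"),
    ("msg003.eml", "2004-03-02 14:30:05", "2004-02-29 14:30:50"),
    ("msg004.eml", "2004-03-03 08:00:00", "2004-03-03 08:00:30"),  # disagrees
    ("msg005.eml", "2004-03-03 16:45:00", "2004-03-01 16:45:20"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def file_offsets(samples):
    """Seconds by which each local stamp differs from its embedded reference."""
    return {name: (parse(local) - parse(ref)).total_seconds()
            for name, ref, local in samples}

def estimate_clock_offset(samples):
    """Median offset: robust to a few files that were copied or back-dated."""
    return timedelta(seconds=median(file_offsets(samples).values()))

def inconsistent_files(samples, tolerance=timedelta(minutes=5)):
    """Files whose offset departs from the estimate and need a closer look."""
    est = estimate_clock_offset(samples).total_seconds()
    return [name for name, off in file_offsets(samples).items()
            if abs(off - est) > tolerance.total_seconds()]

def corrected_time(local_stamp, offset):
    """Approximate actual time for a stamp written by the skewed clock."""
    return parse(local_stamp) - offset

if __name__ == "__main__":
    offset = estimate_clock_offset(SAMPLES)
    print("estimated clock offset:", offset)
    print("inconsistent files:", inconsistent_files(SAMPLES))
    print("corrected stamp:", corrected_time("2004-02-28 12:00:00", offset))
```

A file flagged as inconsistent is not proof of tampering; it marks a stamp written while the clock was set differently, or a file that arrived by another route, and is where external sources such as server logs are brought in.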

 


KROLL ONTRACK NEWS & EVENTS

Meet Kroll Ontrack Representatives at the Following Events:

6/8/04-6/9/04 LegalTech West Coast Los Angeles, CA
6/22/04-6/23/04 Corporate LegalTimes SuperConference Chicago, IL
6/24/04-6/25/04 E-Discovery Certification Course Eden Prairie, MN
6/25/04-6/26/04 Paralegal SuperTechnology Conference Dallas, TX
6/29/04 The Impact of Recent E-Discovery Think Tank Reports CLE Washington, D.C.
6/30/04 The Impact of Recent E-Discovery Think Tank Reports CLE New York, NY

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.


KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to mlange@krollontrack.com.

Portions of this newsletter are written by Michele C.S. Lange, staff attorney with Kroll Ontrack. She has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology’s role in the law. Charity Delich, a Kroll Ontrack law clerk, helped prepare the case summaries. If you are aware of any additional local court rules or new cases in this area of the law, please contact Ms. Lange by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensic services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.

© 2004 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105