FROM THE BENCH: COMPUTER FORENSIC EXPERTS AID IN INVESTIGATIONS
Appellate Court Finds Preliminary Injunction
Warranted Based on Computer Forensic Expert’s
Findings
Liebert Corp. v. Mazur, 2005 WL 762954 (Ill.
Ct. App. Apr. 5, 2005). The plaintiffs sought to enjoin
several of their former employees from allegedly using
electronic “e-commerce” Web sites –
containing confidential customer lists, quotations and
price books – in a new, competing business. One
of the defendants admitted that he downloaded price
books from the company’s server to his laptop
on the day he resigned. The plaintiffs hired a computer
forensic expert to examine the laptop, and the expert
discovered confidential files were accessed, downloaded
and placed in a Zip file. The expert also determined
a new Zip folder – containing quote histories
and budgets – was created and subsequently copied
from the hard drive to a CD-Rom on the same day the
defendant was served with the plaintiffs’ complaint
and preliminary injunction motion. During the copy,
the computer automatically placed the files in a “CD
burning folder”, a folder most computer users
are not aware exists. During the next few days, in a
“mass wave of deletion,” over 12,000 files
were deleted from the defendant’s computer. The
laptop’s application log, which tracks programs
like the CD-Rom burning program, was also deleted four
days after the complaint was served. Despite this evidence,
the trial court denied the plaintiffs’ motion
for a preliminary injunction, finding insufficient evidence
existed to prove any of the defendants used the price
books before they were destroyed. On appeal, the court
reversed the decision, determining the trial court abused
its discretion, and ordered the trial court to grant
a reasonable preliminary injunction. The appellate court
noted, “[b]ecause [the defendant] destroyed this
crucial piece of evidence [the application log], we
presume it would have showed he successfully copied
the price books on a CD.”
Court Issues Protocol for Imaging Hard Drives
with Assistance of Court-Appointed Referee
Etzion v. Etzion, 2005 WL 689468 (N.Y.Sup.
Feb. 17, 2005). Claiming the defendant had a history
of “past fraudulent conduct,” the plaintiff,
in a divorce proceeding, sought permission for her computer
forensic experts to “impound, clone and inspect
the computer servers, hard drives, individual workstation
P.C., laptop and other items containing digital data”
from the defendant. The plaintiff also requested the
defendant pay attorney fees and computer forensic expert
costs. In response, the defendant stated the request
was overbroad, intrusive and burdensome. He also declared
he had no confidence in the plaintiff’s ability
to safeguard his data based on the plaintiff’s
history of reckless and careless data handling. The
court ordered both parties’ forensic experts,
as well as a court-appointed referee, to meet at the
data collection locations. The plaintiff’s expert
would then copy the hard drives and immediately turn
them over to the referee. After all of the drives were
copied, the experts and referee would examine the hard
drives and both parties would receive hard copies of
relevant business records. The referee would maintain
control over the hard drive images until the case closed.
The court also ordered the plaintiff to bear production
costs and each party to bear the costs of their own
experts.
THE BRILL FILES: SHOULD YOU SEEK A SECOND OPINION?
*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***
I have a good friend who is a physician. Unfortunately,
a couple of years ago, she was hurt in an accident and
needed orthopedic surgery. She had a great surgeon that
she had known for a long time, but she decided she was
going to get a second opinion. When I asked her why,
she told me that, while the first surgeon is a terrific
doctor and a good friend, her experience taught her
that medicine is both an art and a science. Having a
second competent specialist look at the x-rays and tests
and provide an opinion was important. “Even the
best surgeon,” she told me, “can make a
diagnostic mistake, or suggest a form of surgery that
isn’t the best choice.” Having a second
opinion helps reduce the risk to the patient and avoids
potentially serious problems. It is good, old-fashioned
common sense.
Similarly, when I buy a car, computer, or any important
product or service, I shop around examining the various
options. When electronic evidence is at issue in an
investigation or litigation, the situation is no different.
Sometimes, it is important to confirm the computer forensic
expert’s findings, particularly if you suspect
the expert’s opinion was based on incorrect assumptions
or supported by unfounded allegations. When your case
involves computer forensic experts and investigations,
when should you seek a second opinion?
If your opponent has hired someone as a computer forensic
expert, that person is likely searching for information
the other side has requested. They may overlook things
or operate from an incorrect series of assumptions.
They are often basing their understanding of the case
on facts they have been told by the other side. If an
expert is told that someone has committed “X”
crime and that their job is to provide verification
through computer forensics, the expert may be convinced
there is a smoking gun somewhere in the data. But that
may not always be the case. By having your own expert
investigate the other side’s conclusions, you
will be in the best position to confirm or negate the
accuracy of the findings.
For example, my colleagues and I recently worked on
a case in which a company, claiming a former employee
misappropriated confidential company information, hired
a computer forensic expert to examine the employee’s
computer. Based on their expert’s examination,
the company argued the employee stole private company
files and then attempted to cover up the theft by performing
a selective restoration of the hard drive. The expert
was prepared to testify regarding the dates of the theft
and the details of the cover-up. Knowing this was incorrect,
the employee came to us and requested we take a second
look at the expert’s findings.
After examining a mirror image of the hard drive, we
determined nearly all of the file deletions and overwrites
occurred as a result of a routine operating system
installation and did not demonstrate an attempt to overwrite
or delete data through a selective restoration process.
We also discovered the computer was accessed –
before either expert reviewed it – in a non-forensic
manner while in the company’s custody. These findings
rendered the opposing expert’s report unreliable
and our client was able to rebut the company’s
false accusations.
Even if you are not rebutting opposing counsel’s
computer forensic expert, a second opinion may still
be important. If you initially used an expert that was
unable to find information about your case, a second
expert may be able to come up with a new solution for
uncovering potential evidence. If the expert you used
the first time around did not have the knowledge, equipment
or training to pinpoint and retrieve the information,
do not hesitate to seek out another expert with the
necessary resources to properly handle your request.
Never think twice about getting a second opinion when
it comes to digital evidence.
*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Michele Lange at (952) 906-4927 or at mlange@krollontrack.com. ***

TECHNOLOGY YOU SHOULD KNOW: CHARTING THE CELL PHONE
FORENSIC WATERS
*** As technology continues to play a larger role in litigation
and internal company investigations, lawyers and investigators
are expected to understand the inner workings of computers
and how they relate to computer conduct issues. ***
The twenty-first century technology boom is generating new technical
developments each and every day. Devices an expert may
not have even considered examining a year ago may now
be crucial in conducting a thorough investigation. For
example, iPods, MP3 players, USB drives, and digital
camera flash media can all store data files as well
as photos and/or music, making them a potentially key
source of evidence in a computer forensic investigation.
The cell phone is one such indispensable innovation
that is also adding to the complexity of a computer
forensics investigation. A wide variety of cell phones
exist in the marketplace and are used by nearly everyone
– from corporate executives conducting major business
transactions to teenagers chatting with their friends.
As technology advances, cell phones are offering users
more functionalities and capabilities. For instance,
consumers are increasingly buying “smartphones”
– cell phones offering limited computer capabilities
such as email and instant messaging. Nokia has announced
that it will release the first cell phone with a 4-gigabyte
hard drive capable of storing thousands of music files
at the end of this year. If a piece of media can store
music, it can store other forms of data too, such as
confidential company information.
As cell phones increase in technical functionality,
attorneys must be aware of the potential role they may
play in leading to valuable sources of evidence in litigation.
For instance, a cell phone may be able to help corroborate
a witness’ testimony, support other technical
evidence, or poke holes in opposing counsel’s
case. They can hold a wealth of data, including text
messages, pictures, contact information, and calendars.
For the computer forensic expert, cell phones can prove
especially useful, offering clues into a user’s
actions which may lead to making a valuable connection
between suspects and victims or to deciphering the cell
phone user’s last actions.
However, there are a few key points to be aware of
when considering an investigation on cell phone media.
Data stored on a cell phone can be fragile and conducting
an investigation on a cell phone can be a daunting task
– one best left to the experts. While some cell
phone data will survive a depletion of the cell phone’s
battery, some will not. If faced with a case involving
information stored on a cell phone, a qualified computer
forensic expert may be the only one able to retrieve
case-cracking information in a thorough and precise
manner. As cell phone investigations are relatively
uncharted waters, both the law and technology involved
with investigating cell phones are still developing.
As a result, many cell phone investigations will require
trial and error for both the computer forensic expert
and the attorney requesting the information.
Nevertheless, if cell phone evidence is important to
your case, it may be worth consulting an expert to see
what data may be recoverable. An expert working on a
cell phone may be able to recover data held on a SIM
card – a small smart card that fits inside phones
and stores personalized information about its user,
such as phone book entries – including SMS (short
message service, also referred to as text messages)
data, the phone’s IMSI (International Mobile Subscriber
Identity), a phone directory, and LAC (local area code).
An expert may also be able to recover data held in a
cell phone handset, which may reveal things like the
phone’s IMEI (International Mobile Equipment Identity),
time information, and missed, dialed, or received calls.
As technology continues to evolve and improve, an expert’s
ability to recover and restore data on new technical
devices will grow to meet those demands. The best course
of action is to consider working with a computer forensics
expert to determine if any evidence is retrievable from
these up-and-coming technology devices. Not only will
the expert have an opportunity to explore the limits
of the technology, but they might be able to help uncover
smoking gun evidence involved in your case.

KROLL ONTRACK NEWS & EVENTS
American Bar Association Begins Second Printing
of E-Discovery Resource
Due to the success of its first print run, the American
Bar Association recently announced a second printing
of Electronic Evidence and Discovery: What Every
Lawyer Should Know. The book, authored by Kroll
Ontrack’s Kristin Nimsger and Michele C.S. Lange,
is a comprehensive manual on electronic discovery and
assists lawyers in grasping legal issues associated
with electronic evidence and technology. A copy of the
book can be ordered by calling (800) 285-2221 or by
visiting http://www.abanet.org/abapubs/books/5450035.
Cost of the book is $89.95 ($79.95 for Science and Technology
Law members) with all proceeds benefiting the American
Bar Association.
Meet Kroll Ontrack Representatives at the Following
Events:
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.