May 2006 - Volume 4, Issue 5
In This Issue:
FROM THE BENCH: COURTS RESOLVE ISSUES RELATING TO MIRROR IMAGING EXAMINATIONS AND REQUESTS
THE BRILL FILES: AN INVESTIGATIVE REPORT ON DATA WIPING UTILITIES – PART ONE
TECHNOLOGY YOU SHOULD KNOW: THE EVIDENCE CAN LIE – FIVE WAYS TO BOTCH DATA INTEGRITY IN A COMPUTER FORENSIC INVESTIGATION
KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: COURTS RESOLVE ISSUES RELATING TO MIRROR IMAGING EXAMINATIONS AND REQUESTS

Hash Value Search Supports Summary Judgment Finding for Respondents
Liturgical Pubs., Inc. v. Karides, 2006 WL 931892 (Wis. Ct. App. Apr. 12, 2006). Appealing a dismissal of unfair competition and computer theft claims, the appellant claimed the trial court erred in granting summary judgment for the respondents. During discovery, the trial court ordered mirror images of the respondents’ computers be made; however, inspection of the images was limited to a hash value search and the trial court appointed a referee to assist in the process. When hash value matches were not found, the appellant requested a second inspection to search for specified words, evidence of reformatting, wiping or deleting of files, and other computer activity. As the first inspection yielded nothing, the trial court ruled further discovery would be unreasonable. Ultimately, the trial court found the appellant failed to present evidence establishing the respondents misappropriated computer data. In affirming the trial court’s decision, the appellate court concluded the trial court “acted within the scope of its discretion in denying [the appellant’s] additional request, which essentially amounted to a fishing expedition.”
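The kind of hash-value search the trial court limited the first inspection to, as an added example (not code from the case, the referee, or Kroll Ontrack): every file in the imaged tree is hashed and compared against the hashes of the files the appellant claimed were taken. The reference files, tree layout and names are constructed. The last function also shows the limit the appellant's follow-up request was pressing on: a renamed exact copy matches, but a copy that differs by a single byte does not, so an empty hash search rules out identical copies, not edited ones.

```python
"""Hash-value search over a directory tree.

Added example for this page; not the tool or protocol used in the case above.
Every path, file and name below is constructed for illustration.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def known_hashes(reference_paths):
    """Map content hash -> reference file, for the files alleged to have been taken."""
    return {sha256_of_file(p): p for p in reference_paths}


def hash_search(root, known):
    """Walk the imaged tree and report every file whose content hash is in the known set.

    Matching is on content only: a renamed or relocated exact copy still matches,
    while a copy that differs by even one byte never does.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha256_of_file(path)
            if digest in known:
                hits.append((path, known[digest]))
    return hits


def demo():
    """Constructed sample tree: one renamed exact copy and one lightly edited copy."""
    base = tempfile.mkdtemp(prefix="hashsearch_")
    ref = os.path.join(base, "plaintiff_reference")
    tgt = os.path.join(base, "respondent_image", "My Documents")
    os.makedirs(ref)
    os.makedirs(tgt)
    pattern_a = b"PATTERN-A " * 100
    pattern_b = b"PATTERN-B " * 100
    with open(os.path.join(ref, "pattern_A.dst"), "wb") as f:
        f.write(pattern_a)
    with open(os.path.join(ref, "pattern_B.dst"), "wb") as f:
        f.write(pattern_b)
    # Exact copy under a different name: the hash search finds it.
    with open(os.path.join(tgt, "untitled.bin"), "wb") as f:
        f.write(pattern_a)
    # Same name as the reference but one byte changed: the hash search misses it.
    with open(os.path.join(tgt, "pattern_B.dst"), "wb") as f:
        f.write(pattern_b[:-1] + b"!")
    known = known_hashes(os.path.join(ref, n) for n in sorted(os.listdir(ref)))
    hits = hash_search(os.path.join(base, "respondent_image"), known)
    # Report basenames only; the full paths live in the temporary directory.
    return [(os.path.basename(found), os.path.basename(reference)) for found, reference in hits]


if __name__ == "__main__":
    for found, reference in demo():
        print(f"{found} has the same content as {reference}")
```

In a real matter the reference hash set would be agreed in the discovery protocol and the search run by the neutral over the verified image, with the hash algorithm and the list of hits recorded; the search cannot speak to files that were modified, reformatted or wiped, which is the territory of the keyword and artifact searches the appellant asked for next.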

Plaintiff Permitted to Mirror Image Defendants’ Personal Computers at Plaintiff’s Expense
Balboa Threadworks, Inc. v. Stucky, 2006 WL 763668 (D. Kan. Mar. 24, 2006). Alleging copyright infringement, the plaintiffs sought to mirror image the hard drives of the defendants’ business and personal computers. The defendants objected to the mirror imaging of any computers not related to the business, claiming such data fell outside the scope of discovery. In response, the plaintiffs argued any of the defendants' computers could have been used to download the copyrighted patterns at issue, so all of the computers should be imaged to preserve any relevant information. The court found it reasonable to conclude that relevant evidence could be found on any of the defendants’ computers, noting a personal computer was used to draft a document related to the alleged infringement. Thus, the court ordered “all of Defendants' computers and peripheral equipment, such as ZIP Drives, shall be made available for mirror imaging, at Plaintiffs' expense, in accordance with the protocol previously agreed to by the parties.”


THE BRILL FILES: AN INVESTIGATIVE REPORT ON DATA WIPING UTILITIES – PART ONE

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

Numerous companies sell software products designed to permanently erase various types of data. The use of these products is becoming increasingly popular as computer users become savvier about the accessibility of sensitive information stored on a computer. Unfortunately for many of these users, not all of these products actually deliver on their promises.

To test whether these products perform as promised, several of my fellow forensic experts here at Kroll Ontrack conducted a study of four commercially available products, all claiming to perform various wiping functions. We determined how effective the tools really were and how much evidence (the data itself, or evidence that the tool had been used) remained recoverable after each was run. In each test the investigators wiped the target data with at least seven overwrite passes (matching U.S. Department of Defense standards).

The investigation was not designed to determine whether one tool was better than another or to disparage or support any of the products. For this reason, the product names will remain anonymous and are simply labeled as Products 1 – 4. The goal of the investigation was to raise awareness for attorneys and technologists seeking to uncover data in cases where a wiping utility is alleged to have been used. Below is a brief summary of how these products held up during testing.

Secure File Deletion
For each product, the computer forensic investigator created a Microsoft® Word document and wiped the file with seven passes. The results were as follows:

  • Product 1: “Wiped” file names were referenced on other locations of the drive. After the program was uninstalled, remnants of the program itself remained on the drive in the form of folders, deleted files and link files.
  • Product 2: While the file contents were successfully wiped using the tool’s default settings, link files referencing the file name still existed on the hard drive.
  • Product 3: After the program was run, a file entry remained in the “My Documents” folder with its name and dates (created, accessed, modified) scrambled beyond recovery. A keyword search for the original file name nevertheless produced four matches, and each of the four referenced the file back to its original location, the “My Documents” folder.
  • Product 4: Although the file no longer existed in the original folder, evidence proving a wiping utility was used existed (the “wiped” file had a scrambled name and unknown extension). The last accessed, file created, and last written times were also altered, and the modified time/date reflected the time the file was erased. The slack space of the scrambled file revealed the product’s installation information, version, user name, and license holder.

Internet History Wiping
For each product tested, the investigator navigated to various Web sites. The investigator then proceeded to clear Internet-related traces by selecting the features in each tool that claimed to delete typed URLs, cookies, temporary/cache files, and other Internet history. Below are the findings.

  • Product 1: Any “deleted” Internet usage data was easily recoverable with forensic software. Time stamps associated with the user’s surfing activities were also available.
  • Product 2: This feature was not available.
  • Product 3: Even though some files were deleted beyond recovery (many files contained in the Cookies folder), data about the user’s Internet Activity was still retained.
  • Product 4: Data relating to all of the Web sites visited and the time stamps associated with the user’s surfing activities still existed after wiping.

Recycle Bin Wiping
To test each product’s recycle bin wiping capabilities, the investigator placed various file types into the recycle bin and proceeded to wipe the recycle bin with the default seven-pass setting. The outcome of this test was as follows:

  • Product 1: Although this product deleted files from the recycle bin, it did not remove the file contents, making the files easily recoverable with forensic software.
  • Product 2: While evidence of the recycle bin files did not exist, references were identified on the hard drive indicating where the files resided on the system prior to deletion.
  • Product 3: File names and contents were unrecoverable. A keyword search revealed a file’s name in a link file within the “Recent” folder of the user’s profile. Keyword hits of the file name also existed in unallocated space and the Registry.
  • Product 4: Forensic software revealed the recycle bin did not contain any data. Further analysis did not recover any of the files nor were INFO2 records (records that allow Windows to undelete a file and a user to restore original information about the file) found.
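The pattern the products share across all three tests, contents destroyed but the file name still referenced in link files, directory entries, unallocated space or the Registry, is what a keyword search over the raw image exploits. What follows is an added example, not the study's own tooling; the toy image, the file name Q3-forecast.doc, the document body and the offsets are all constructed. It searches for the name in both ASCII and UTF-16LE (Windows stores most file-system names and link-file paths as UTF-16LE, so a plain ASCII search misses them), then searches for a word from the wiped document body to show the difference between the two.

```python
"""Keyword search of a raw image for references to a "wiped" file.

Added example for this page, not code used in the study; the image, the
file name and the offsets are constructed to mirror the pattern the study
reports (contents gone, name still referenced elsewhere).
"""
import re

SECTOR = 512
FILE_NAME = "Q3-forecast.doc"                               # constructed name
CONTENT = b"CONFIDENTIAL Q3 forecast: revenue down 12%"    # constructed document body


def build_image():
    """Toy 32 KiB image after a wiper has overwritten the document's own clusters.

    Three places a content wiper typically does not touch still carry the name:
    the file-system record (UTF-16LE), a shortcut/link file (ASCII path) and a
    stale copy of a directory entry in unallocated space (UTF-16LE).
    """
    img = bytearray(64 * SECTOR)
    # File-system record at sector 2: a FILE0-style header, then the name in UTF-16LE at +64.
    rec = b"FILE0" + bytes(59) + FILE_NAME.encode("utf-16-le")
    img[2 * SECTOR:2 * SECTOR + len(rec)] = rec
    # Link file at sector 16: four header bytes followed by an ASCII path to the document.
    path = "C:\\Documents and Settings\\jdoe\\My Documents\\" + FILE_NAME
    lnk = b"L\x00\x00\x00" + path.encode("ascii")
    img[16 * SECTOR:16 * SECTOR + len(lnk)] = lnk
    # Document body at sector 24, then overwritten with zeros by the wiper.
    img[24 * SECTOR:24 * SECTOR + len(CONTENT)] = CONTENT
    img[24 * SECTOR:24 * SECTOR + len(CONTENT)] = bytes(len(CONTENT))
    # Stale directory entry left behind in unallocated space at sector 40.
    stale = FILE_NAME.encode("utf-16-le")
    img[40 * SECTOR:40 * SECTOR + len(stale)] = stale
    return bytes(img)


def find_keyword(image, keyword):
    """Return (offset, encoding) for every case-insensitive hit of keyword.

    Both encodings are tried because an ASCII-only search misses the UTF-16LE
    names in file-system records and link files.
    """
    needles = {"ascii": keyword.encode("ascii"), "utf-16le": keyword.encode("utf-16-le")}
    hits = []
    for enc, needle in needles.items():
        for m in re.finditer(re.escape(needle), image, flags=re.IGNORECASE):
            hits.append((m.start(), enc))
    return sorted(hits)


def demo():
    """The name survives in three places; a word from the body is gone after the wipe."""
    img = build_image()
    return {
        "name_hits": find_keyword(img, FILE_NAME),
        "content_hits": find_keyword(img, "CONFIDENTIAL"),
    }


if __name__ == "__main__":
    result = demo()
    for off, enc in result["name_hits"]:
        print(f"{FILE_NAME!r} found at offset {off} (sector {off // SECTOR}, {enc})")
    print("content keyword hits:", result["content_hits"])
```

Run against a real image the same search would be pointed at the whole device, not just allocated files, and the hit list would be triaged by where each offset falls (MFT, a .lnk in the Recent folder, a Registry hive, unallocated space), since the location of a surviving reference is what turns "a name was found" into "this file existed here and was removed with a tool".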

Look for Part II of this article in next month’s Brill Files. Part II will offer lessons that can be learned from the results of this study.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***


TECHNOLOGY YOU SHOULD KNOW: THE EVIDENCE CAN LIE – FIVE WAYS TO BOTCH DATA INTEGRITY IN A COMPUTER FORENSIC INVESTIGATION

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***

"Concentrate on what cannot lie. The evidence...,” advises Gil Grissom of the popular television show “CSI: Crime Scene Investigation”. While this sound bite makes for good television drama, in reality this statement is not entirely accurate. The fact is evidence can be misleading – if it is not properly preserved and handled during a forensic investigation of any kind.

Just like fingerprints, DNA, or other types of evidence, digital evidence is fragile and can be altered if precautions are not taken to keep it as close as possible to the condition in which it was found. If data integrity is not maintained, you risk losing critical evidence, or worse, impugning the credibility of any recovered data, potentially rendering it unreliable or inadmissible in a court of law.

Below are five ways in which the integrity of evidence can be questioned, if adequate safeguards are not in place.

  1. Booting a Computer and Accessing Files. Turning a computer on, opening and viewing files, and installing analysis software on the suspect hard drive are all ways pivotal data can be changed. Booting into the installed operating system writes to the drive (page file, registry hives, event logs, file-system journal entries), and those writes can overwrite unallocated space where deleted data would otherwise have remained recoverable. Simply opening a file can change its last-accessed date, and saving it changes the modified date. The standard safeguard is to acquire the drive through a hardware write blocker, or to boot from trusted forensic media that mounts the drive read-only, before anything is examined.
  2. Opening a Hard Drive Outside of a Cleanroom Environment. Data reliability is a key consideration in every case involving electronic evidence. A “cleanroom” is a controlled environment that ensures reliability is maintained by regulating factors that can otherwise damage sensitive evidence. If there is physical damage to the drive, the drive should always be opened in a cleanroom setting to ensure extracted data is protected from elements such as airborne particles, temperature, humidity, air pressure, airflow patterns, vibration, noise, and lighting. Opening a drive outside of this environment can damage the drive and/or supporting hardware, destroy data and void the warranty on the drive.
  3. Failing to Conduct an Analysis on a Mirror Image Copy. A forensic mirror image of a hard drive is an exact, bit-by-bit copy of the drive. It provides a complete “snapshot” of the drive, capturing active data, deleted data, slack space and unallocated space, and it is what preserves the integrity of the evidence. Computer forensic investigators should always conduct their investigation on the image copy (or a copy of it), never on the original. Cryptographic hash values (such as MD5 and SHA-256) of the original media and of the image should be recorded at acquisition so that a later recomputation can demonstrate that neither has changed, and the original media should be write-protected and stored unchanged.
  4. Neglecting to Maintain a Proper Chain of Custody. In any computer forensic investigation, the media at issue must be properly secured and a proper chain of custody must be maintained. Failure to do so gives the opposing party an opportunity to point out holes in your case, and a court may find the evidence lacks the reliability required to be admitted. When documenting the chain of custody for a piece of media, record where the media has been, who has had possession of it, when, and for what reason.
  5. Ignoring Alternative Sources in the Event of Evidence Destruction. In some cases, the best piece of evidence may have been destroyed before an investigation begins. Fortunately, digital clues can materialize in multiple places, so identifying every source where critical information may be located can be vital to an investigation. For example, even if an ex-employee completely reformats a hard drive in an attempt to cover up incriminating e-mails, a computer forensic expert may still be able to recover those e-mails from other sources, such as the company’s mail server, back-up tapes, or the recipients’ machines.
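Items 3 and 4 above as a working procedure: an added example, not Kroll Ontrack's tooling or any court-approved protocol, that images a constructed "device" byte for byte, hashes the stream as it is read, re-reads the finished image to verify it, and appends each step to a chain-of-custody log. The examiner name, case number and paths are placeholders, and a real acquisition would read the source through a hardware write blocker, which a file on disk cannot demonstrate. The final step flips one byte of the working copy to show that verification catches an undocumented change.

```python
"""Forensic image acquisition with hash verification and a chain-of-custody log.

Added example for this page, not Kroll Ontrack's procedure or tooling. The
"device" is a constructed file standing in for a write-blocked drive; the
examiner name, case number and paths are placeholders.
"""
import hashlib
import json
import os
import tempfile
import time


def acquire(source, image_path, chunk=1 << 20):
    """Copy source to image_path byte for byte, hashing the stream as it is read.

    Hashing the same bytes that are written means the recorded digests describe
    the source exactly as it was read (through a write blocker, in practice).
    """
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(image_path, expected_sha256, chunk=1 << 20):
    """Re-read the image from disk and confirm it still matches the acquisition hash."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def custody_entry(examiner, action, path, digests, ok=None):
    """One append-only log record: who did what to which item, when, with which hashes."""
    entry = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "action": action,
        "item": os.path.basename(path),
        "sha256": digests["sha256"],
        "md5": digests["md5"],
        "bytes": digests["bytes"],
    }
    if ok is not None:
        entry["verified"] = ok
    return entry


def demo():
    """Acquire a constructed device, verify the image, then show a one-byte change is caught."""
    base = tempfile.mkdtemp(prefix="acq_")
    device = os.path.join(base, "evidence.raw")               # stand-in for a write-blocked /dev/sdX
    with open(device, "wb") as f:
        f.write(b"ACTIVE DATA " * 300 + bytes(4096) + b"deleted but still recoverable")
    image = os.path.join(base, "case-2006-001_evidence.dd")   # placeholder case number
    log = []
    digests = acquire(device, image)
    log.append(custody_entry("J. Examiner", "acquired", image, digests))
    ok = verify(image, digests["sha256"])
    log.append(custody_entry("J. Examiner", "verified", image, digests, ok=ok))
    # Simulate an undocumented modification of the working copy: flip the first byte.
    with open(image, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    tampered_ok = verify(image, digests["sha256"])
    log.append(custody_entry("J. Examiner", "re-verified", image, digests, ok=tampered_ok))
    with open(os.path.join(base, "custody.json"), "w") as f:
        json.dump(log, f, indent=2)
    return {"original_verified": ok, "after_tamper_verified": tampered_ok,
            "actions": [e["action"] for e in log], "bytes": digests["bytes"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recompute the hash of the original media and of every working copy at each hand-off and append the result to the same log; a gap or mismatch anywhere in that record is exactly the hole an opposing expert will look for.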


KROLL ONTRACK NEWS & EVENTS

Meet Kroll Ontrack Representatives at the Following Events:

5/16/06
ARMA San Antonio E-Discovery Event
San Antonio, TX
5/17/06 - 5/18/06
IQPC Document Retention & Electronic Discovery
Toronto, ON Canada
5/18/06 - 5/19/06
LegalWorks – E-Discovery A-Z
Miami, FL
6/1/06
Document Retention and Destruction in the Age of Electronic Documents
Springfield, MA
6/5/06 - 6/6/06
Legal Tech West Coast
Los Angeles, CA
6/6/06 - 6/7/06
LegalWorks – E-Discovery A-Z
Chicago, IL
6/4/06 - 6/7/06
Techno Security Conference
Myrtle Beach, SC
6/12/06
The 18th Annual General Counsel Forum
New York, NY
6/12/06 - 6/13/06
Electronic Discovery Certification Course
Eden Prairie, MN
6/15/06 - 6/16/06
Paralegal Super Conferences
Houston, TX
6/22/06 - 6/23/06
Paralegal Super Conferences
Phoenix, AZ
7/12/06 - 7/15/06
Utah State Bar Annual Convention
Newport Beach, CA
7/27/06 - 7/28/06
Paralegal Super Conferences
Washington D.C.
8/21/06 - 8/24/06
ILTA '06: Evolving Together
Orlando, FL
9/14/06 - 9/15/06
Electronic Discovery Certification Course
Eden Prairie, MN
10/4/06 - 10/5/06
Paralegal Super Conferences
Philadelphia, PA
10/19/06 - 10/20/06
Paralegal Super Conferences
San Francisco, CA
12/4/06 - 12/5/06
Electronic Discovery Certification Course
Eden Prairie, MN

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.


KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or http://www.krollontrack.com/.

© 2006 Kroll Ontrack Inc. 9023 Columbine Road
Eden Prairie, MN 55347
Toll Free: 1-800-347-6105