In This Issue:
FROM THE BENCH: GOVERNMENT ORDERED TO PROVIDE DEFENDANT WITH
MIRROR IMAGE OF SEIZED HARD DRIVE
In United States v. Alexander, 2004 WL 2095701
(E.D.Mich. Sept. 14, 2004), the government seized the
defendant’s computer to search for evidence that
the defendant unlawfully transferred obscene pictures
over the Internet. After the seizure, the defendant
requested that the government provide him with a mirror
image of his computer hard drive to allow his computer
forensic expert to examine the drive for potential evidence.
In an affidavit, the computer forensic expert declared
he planned to form an opinion, based upon his examination
of the hard drive, as to whether the defendant knowingly
received the obscene images. The expert stated that
a mirror image was necessary so he could perform his
analysis in his own laboratory, using his own computer
forensic software and hardware, which might be difficult
to transport to another location. The government objected,
declaring the defense forensic expert could review the
mirror image only under its supervision.
Determining the hard drive could contain relevant dates,
times and circumstances surrounding the receipt of the
pictures, the court directed the government to produce
the mirror image. The court ordered the computer forensic
expert to maintain a mirror image copy log, containing
the date, time, description, and purpose of developing/copying
images from the mirror image of the hard drive. The
court also required the expert to sign a statement,
agreeing to the terms of the order and acknowledging
that he could be held in criminal contempt of court
for failing to comply with the order.
THE BRILL FILES: PERSONAL DIGITAL ASSISTANTS: BIG
EVIDENCE CAN COME IN SMALL PACKAGES
*** Written by Alan Brill, Senior Managing Director
for Kroll Ontrack, The Brill Files reflect his work
in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation. With more than 25 years of consulting experience,
Mr. Brill has assisted organizations with a wide range
of technology security issues and is an internationally
recognized speaker and instructor. ***
When digging for relevant electronic data, my colleagues
and I search every available source of evidence, including
information gathered from backup tapes, laptops, hard
drives, DVDs, and CD-ROMs. In addition to these standard
locations for electronic evidence, my team also searches
for data from a whole host of unconventional electronic
gadgets including Personal Digital Assistants (PDAs).
PDAs, such as Palm Pilots, BlackBerries and PocketPCs,
combine a range of basic functions including computing
tasks, cell phone and fax capabilities, and personal
organizational capabilities. If litigation arises, these
handheld computers can contain valuable evidentiary
information. For instance, a search performed on a PDA
can reveal appointment and contact information, email
exchanges, and evidence relating to electronic documents.
PDA users also have the option of creating and saving
information, including confidential data, on a PDA and
then synchronizing the data with their computer at a
later time. Since this option is available, relevant
evidence may exist on a PDA that was never saved to
a laptop or operating system, making it available only
through a thorough forensic examination of the PDA.
Recently, a client approached us with a request to
uncover information from several Palm Pilots, including
several models containing both system and file passwords.
A system password locks the Palm Pilot until the correct
password is entered, while a file password locks individual
files. We were able to bypass both the system and file
passwords and recover all of the data from the Palm
Pilots. We produced the recovered data to the client,
who was able to perform keyword searching on the recovered
documents.
If you decide a PDA is important in your case, enlist
the services of a competent computer forensic expert.
This will improve your chances of obtaining crucial
evidence. An expert will be able to perform a forensic
examination on most PDAs, including those using the
Palm, Windows CE, and BlackBerry operating systems.
Although PDAs do not record the exact file information
found on a standard computer system, an expert can extract
and keyword search files, emails, address books, memos,
and other information contained on a PDA.
Keep in mind that some PDA models contain password
protection devices that are unbreakable. On other models,
password breaking techniques can override these devices,
allowing access to pertinent information. When examining
a PDA, you should also look at any of its accompanying
accessories, such as software, cradles, cables, chargers,
flash memory cards, and manuals.
Should litigation arise, make sure you do not overlook
evidence hiding in today’s newest high tech gadgets
– including PDAs. After all, big evidence can come
in small packages.
*** If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Tommy Sangchompuphen at
(952)906-4846 or at tsangchompuphen@krollontrack.com.
***
TECHNOLOGY YOU SHOULD KNOW: WHAT TO LOOK FOR WHEN
HIRING A COMPUTER FORENSIC EXPERT - PART II
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators are expected to comprehend the inner
workings of computers and how they relate to any computer
conduct at issue. ***
This article is the second part in a series focusing
on computer forensic experts. Last month’s column
featured qualifications you should look for when hiring
a computer forensic expert. To read last month’s
column, please visit http://www.krollontrack.com/newsletters/cybercrime.asp
and click on “October 2004”. This month’s
column continues with general questions your expert
might encounter if he or she needs to testify about
the case.
When a “smoking gun” piece of electronic
evidence is at issue during a trial, a computer forensic
expert can help simplify complicated and confusing technical
issues. For example, a computer forensic expert should
be prepared to answer the following general questions
during a direct examination:
- What are your qualifications?
Forensic Expert: Although this answer will vary depending
on a particular expert’s training, experience
and knowledge, all computer forensic experts should
focus on testifying about their most significant credentials.
A judge will typically qualify a computer forensic
witness as an “expert” based upon the
extent of the individual’s formal training,
education, study of current professional standards
in the computer forensic field, and any other specialized
experience the expert has with computer forensics.
- What is computer forensics?
Forensic Expert: Computer forensics is the “who,
what, when, where, and how” of electronic evidence.
Using specialized techniques and tools, a computer
forensic engineer attempts to recover and analyze
electronic data.
- How would you describe a typical computer forensic
investigation?
Forensic Expert: An investigation involving computer
forensics typically begins by making a bit-by-bit
image or copy of the hard drive or electronic media
in question, thereby preserving the integrity of the
original media. This image of the data includes all
of the unused and partially overwritten spaces on
the electronic media where important evidence may
reside. When properly done, a forensically sound image
does not alter the information on the original hard
drive or electronic media.
- Once the media has been preserved, what did
you do next?
Forensic Expert: Computer forensic experts use computer
forensic recovery tools and techniques to recover
deleted data from the hard drive and to investigate
the data contained on the hard drive.
- Are these recovery tools and techniques generally
accepted among computer forensic engineers?
Forensic Expert: Techniques accepted as generally
reliable in the forensics field include having computer
forensics policies and protocols in place, thoroughly
preserving, protecting, and evaluating the evidence,
and documenting and reporting the results vigilantly.
Computer forensic experts should have employed all
of these strategies throughout the investigation of
the media.
- Is there any chance that the evidence was changed,
altered or modified between the time you imaged the
drive and today?
Forensic Expert: Computer forensic experts maintain
a complete chain of custody on each piece of media
in their possession. This documentation indicates
where the media has been, whose possession it has
been in, and the reason for that possession. There
should be no opportunity for any of the evidence to
be changed, altered or modified from the form in which
it existed on the drive when it was imaged.
When hiring a qualified computer forensic expert, make
sure he or she can skillfully answer the above generic
computer forensics questions, as well as case-specific
questions about the investigation, when giving a deposition
or testifying in court.
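An added example (not from the newsletter or from Kroll Ontrack): one way to make the "forensically sound image" and chain-of-custody answers above checkable, with a log carrying the date, time, description and purpose fields named in the Alexander order. The use of SHA-256, the JSON log layout, the file names and "Examiner A" are assumptions constructed for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks so large media never sit in memory

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_media(source, image):
    """Copy every byte (unused space included); return source-before, image, source-after hashes."""
    before = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return before, sha256_of(image), sha256_of(source)

def log_entry(log_path, description, purpose, holder, digest):
    """Append date/time, description and purpose, plus who holds the copy and its hash."""
    entry = {"utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "description": description, "purpose": purpose,
             "holder": holder, "sha256": digest}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_image(image, log_path):
    """True while the image still matches the hash logged at acquisition."""
    with open(log_path) as f:
        return sha256_of(image) == json.loads(f.readline())["sha256"]

def demo():
    with tempfile.TemporaryDirectory() as d:
        src, img, log = (os.path.join(d, n) for n in ("source.bin", "image.dd", "custody.jsonl"))
        with open(src, "wb") as f:  # constructed stand-in for seized media
            f.write(b"FILE:report.doc" + b"\x00" * 4096 + b"deleted memo remnant")
        before, image_hash, after = image_media(src, img)
        log_entry(log, "Bit-for-bit image of source.bin", "preservation", "Examiner A", image_hash)
        intact = verify_image(img, log)
        with open(img, "r+b") as f:  # simulate one byte changing after acquisition
            f.seek(10)
            f.write(b"X")
        return before == image_hash == after, intact, not verify_image(img, log)

if __name__ == "__main__":
    print(demo())  # (sound image, verified, alteration detected)
```

The three results correspond to the testimony points: the image matches the source and the source was not altered by imaging, the copy verifies against the log, and a later single-byte change is detected.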
KROLL ONTRACK NEWS & EVENTS
Kroll Ontrack Releases New Version of its Industry-Leading
Online Review Tool, ElectronicDataViewer™
On October 11, 2004, Kroll Ontrack released ElectronicDataViewer™
4.0, the powerful new version of its industry-leading
online repository and review tool.
ElectronicDataViewer gives litigation teams all the
advantages of native file and tiff image review, combined
in one powerful tool. With ElectronicDataViewer, reviewers
have the option to redact or produce a document in a
tiff image. In doing so, they may promote single native
documents or entire contents of folders to tiff images
immediately within the tool. Another new feature includes
the ability to review electronic and paper documents
together in the same tool. ElectronicDataViewer effectively
integrates paper-sourced documents that have been scanned
and coded, with their electronic document counterparts
in a single online repository. These new features, combined
with time-tested functionalities – such as sophisticated
concept and keyword searching, unparalleled assistance
in the search for potentially privileged documents,
and the creation of an automated privilege log –
continue to make ElectronicDataViewer one of the most
powerful resources an attorney can have when reviewing
and producing documents.
To learn how ElectronicDataViewer’s newest capabilities
will change the discovery process or to request an in-house
or online demonstration, please contact Kroll Ontrack
at 1-800-347-6105.
Meet Kroll Ontrack Representatives at the Following
Events:
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology
experts strive to stay on top of e-discovery law. If
you are aware of any additional local court rules or
new cases in this area of the law, please do not hesitate
to contact us by writing to mlange@krollontrack.com.
Portions of this newsletter are written by Michele
C.S. Lange, staff attorney with Kroll Ontrack. Charity
Delich, a Kroll Ontrack law clerk, helped prepare the
case summaries. Ms. Lange has published numerous articles
and speaks regularly on the topics of electronic discovery,
computer forensics, and technology’s role in the
law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensic services, contact Kroll Ontrack at
1-800-347-6105 or www.krollontrack.com.