In This Issue:
FROM THE BENCH: DEFENDANT HAS NO EXPECTATION OF PRIVACY ON WORK COMPUTER
In The Carlton Group v. Tobin, 2003 WL 21782650 (S.D.N.Y. July 31, 2003), a financial services company brought suit against several Defendants, claiming that the Defendants deleted files from the Plaintiff’s computers, conspired to steal confidential and proprietary information from its computer network, and used that information to compete unlawfully with the Plaintiff.
One group of Defendants, Mission Capital, is a company that competes directly with the Plaintiff’s company, and the individual Mission Capital Defendants were formerly employed by the Plaintiff. The other group of Defendants, PDP Capital, is an investment advisor and fund management company and does not compete with the Plaintiff or Mission Capital. All parties in the suit maintain offices in the same business suite, and all tenants of this office suite share a communication switch and data transmission line that connect the tenants' computers to the Internet. As such, all the computers in the suite constitute a network, although the tenants do not have access to each other's computers.
The PDP Defendants, maintaining that they had no involvement in the theft of the Plaintiff’s computer information, sought sanctions against the Plaintiff and Plaintiff’s counsel for filing suit against them without evidentiary support. The Plaintiff maintains that its allegations against PDP were objectively reasonable, based upon information from its computer forensic experts that PDP had deliberately established a link between computer systems to move data back and forth between the Plaintiff’s computer network and the PDP computer. Denying the PDP Defendants’ motion for sanctions, the court held that the Plaintiff made a substantial pre-filing inquiry that gave it a reasonable basis for believing that the PDP Defendants conspired with the Mission Defendants.
TECHNOLOGY YOU SHOULD KNOW: EXPLAINING FILE SYSTEMS
***As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. To better understand the computer forensic process, it is necessary to understand some basic computer terminology: file systems, deleted file retrieval, slack and unallocated space, just to name a few.
This inaugural “Technology You Should Know” column discusses file allocation tables and the role they play in a computer forensic investigation. The following months’ columns will discuss deleted file retrieval, slack and unallocated space, and more advanced technology topics such as encryption and disk configuration.
***
File systems determine how and where files are placed on a hard drive, with the goal of optimizing data retrieval; the placement is generally directed by the computer’s central processing unit (CPU). In a FAT-based file system, when looking for a file the file system uses the file allocation table (FAT) to determine where on the hard drive the file has been placed. The file system can be likened to a library card catalogue that organizes the location of books within the library in the most efficient manner: to find a book, one looks up the name in the card catalogue, which then points to the book's location. Microsoft’s FAT and NTFS file systems are two of the most common file systems used in computer operating systems.
The FAT is used to place files in free clusters of space on the hard drive (unlike a video cassette tape or phonograph record, where data is placed in a logical order from beginning to end). Each entry in the FAT corresponds directly to one cluster, and each cluster is initially labeled as free or as allocated to a file. These entries can be 12, 16, or 32 bits long (FAT12, FAT16, or FAT32). Only one file is allocated to a cluster, even if that file does not fill up the entire cluster. A large file will be allocated to several clusters.
FAT entries are expressed in hexadecimal numbers, not words. Unallocated clusters are indicated by a set of zeros. The “FFFF” or “FFF8” entries (known as “terminators”) indicate the end of a file. Any other value is the number of the next cluster belonging to the same file, so a file is read by following the entries from its first cluster until a terminator is reached. A sample FAT is seen below; the first column gives the number of the first entry in each row, and the column headings give the offset within the row.
| Entry | 00   | 01   | 02   | 03   | 04   | 05   | 06   | 07   |
|-------|------|------|------|------|------|------|------|------|
| 0000  | FFFF | FFF8 | FFFF | 0004 | 0005 | 0006 | FFFF | 0008 |
| 0008  | 0009 | 000A | 000B | 000C | 000D | 000E | 000F | 0010 |
| 0010  | 0011 | FFFF | 0000 | 0000 | 0000 | 0016 | FFFF | 0018 |
| 0018  | 0019 | 001A | 001B | 001C | 001D | 001E | 001F | 0020 |
| 0020  | 0021 | 0022 | 0023 | 0024 | 0025 | 0026 | 0027 | FFFF |
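The following script, added here as an illustration and not code from the newsletter or from Kroll Ontrack, transcribes the sample FAT above as 16-bit entries and does what a forensic tool does with such a table: it follows each cluster chain from its first cluster to its terminator, lists the free clusters, and flags the two anomalies an examiner looks for, a chain that runs into a free cluster (part of the file has been released) and a cluster claimed by two chains (cross-linking, which the one-file-per-cluster rule forbids). The function names, the treatment of entries 0 and 1 as reserved bookkeeping rather than file data, and the anomaly checks are assumptions of this example.

```python
"""Walking cluster chains in a FAT16-style file allocation table.

Added example; not code from the newsletter or from Kroll Ontrack.
SAMPLE_FAT transcribes the sample table in the column as 16-bit entries.
Function names, treating entries 0 and 1 as reserved, and the anomaly
checks are assumptions made here.
"""
from collections import Counter

FREE = 0x0000          # a zero entry marks an unallocated cluster
EOC_MIN = 0xFFF8       # FAT16 end-of-chain values 0xFFF8..0xFFFF ("terminators")
RESERVED_ENTRIES = 2   # entries 0 and 1 hold media/descriptor data, not chains

# Sample FAT from the column, one table row per line. Entry N holds
# 0000 (free), a terminator, or the number of the next cluster of the file.
SAMPLE_FAT = [
    0xFFFF, 0xFFF8, 0xFFFF, 0x0004, 0x0005, 0x0006, 0xFFFF, 0x0008,  # 00..07
    0x0009, 0x000A, 0x000B, 0x000C, 0x000D, 0x000E, 0x000F, 0x0010,  # 08..0F
    0x0011, 0xFFFF, 0x0000, 0x0000, 0x0000, 0x0016, 0xFFFF, 0x0018,  # 10..17
    0x0019, 0x001A, 0x001B, 0x001C, 0x001D, 0x001E, 0x001F, 0x0020,  # 18..1F
    0x0021, 0x0022, 0x0023, 0x0024, 0x0025, 0x0026, 0x0027, 0xFFFF,  # 20..27
]


def is_eoc(entry):
    """True if the entry is a terminator (end of a file's chain)."""
    return entry >= EOC_MIN


def follow_chain(fat, start):
    """Return the list of clusters a file occupies, starting at `start`.

    Walks from entry to entry until a terminator. Raises ValueError if the
    chain is broken: it leaves the table, loops, or runs into a free
    cluster (what an examiner sees when part of a file has been released
    or the table is corrupt).
    """
    chain = []
    cluster = start
    while True:
        if cluster < RESERVED_ENTRIES or cluster >= len(fat):
            raise ValueError(f"chain from {start:#06x} leaves the table at {cluster:#06x}")
        if cluster in chain:
            raise ValueError(f"chain from {start:#06x} loops at {cluster:#06x}")
        entry = fat[cluster]
        if entry == FREE:
            raise ValueError(f"chain from {start:#06x} runs into free cluster {cluster:#06x}")
        chain.append(cluster)
        if is_eoc(entry):
            return chain
        cluster = entry


def free_clusters(fat):
    """Clusters marked 0000. Their contents may still be on disk."""
    return [i for i in range(RESERVED_ENTRIES, len(fat)) if fat[i] == FREE]


def _next_pointers(fat):
    """All entries that point at another cluster (not free, not terminators)."""
    return [e for e in fat[RESERVED_ENTRIES:] if e != FREE and not is_eoc(e)]


def chain_heads(fat):
    """First cluster of every chain: an allocated cluster no entry points to.

    A directory entry normally records a file's first cluster; inferring it
    from the table alone is what a tool must do when that entry is gone.
    """
    pointed_to = set(_next_pointers(fat))
    return [i for i in range(RESERVED_ENTRIES, len(fat))
            if fat[i] != FREE and i not in pointed_to]


def all_chains(fat):
    """Map each chain head to the full list of clusters in its file."""
    return {head: follow_chain(fat, head) for head in chain_heads(fat)}


def cross_linked(fat):
    """Clusters referenced by more than one entry: two files claiming the
    same space, which violates the one-file-per-cluster rule."""
    refs = Counter(_next_pointers(fat))
    return sorted(c for c, n in refs.items() if n > 1)


if __name__ == "__main__":
    for head, clusters in all_chains(SAMPLE_FAT).items():
        path = " -> ".join(f"{c:04X}" for c in clusters)
        print(f"file starting at {head:04X}: {len(clusters)} cluster(s): {path}")
    print("free clusters:", [f"{c:04X}" for c in free_clusters(SAMPLE_FAT)])
    print("cross-linked clusters:", cross_linked(SAMPLE_FAT))
```

Run as a script it reports five chains in the sample table (a one-cluster file at 0002, four clusters from 0003, eleven from 0007, two from 0015, seventeen from 0017), three free clusters (0012 to 0014) and no cross-linking. Zeroing an entry in the middle of a chain makes `follow_chain` raise, which is the condition a deleted-file recovery tool has to work around rather than trust.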
Another common file system is NTFS. NTFS has an
advanced structure that is designed to overcome the
limitations of other file systems such as FAT. The
allocated files in an NTFS system are stored in the
Master File Table (MFT), with each file descriptor
containing the name, attributes, and location of the
file. A separate file describes the free or unallocated
clusters on the drive. Computer forensic engineers need
specialized tools to decipher or examine the data
contained in an MFT.
The file allocation table is one of the places computer forensic engineers examine when conducting a computer forensic investigation. Look for next month’s “Technology You Should Know” column, which will discuss the role file systems play in recovering deleted files.
THE BRILL FILE: UNCOVERING EMAIL SECRETS
*** Written by Alan Brill, Senior Managing
Director for Kroll Ontrack, The Brill Files reflect his
work in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation. With more than 25 years of consulting
experience, Alan has assisted organizations with a wide
range of technology security issues and is an
internationally recognized speaker and
instructor.***
Given the candor and ease with which emails are drafted and sent, computer forensic engineers are frequently called upon to investigate email communication. Whether the email was archived, deleted, or never sent, computer forensic engineers, using a combination of commercial and proprietary tools, can collect and analyze email activity. Some of the most common email situations in which this technology is utilized include online harassment, trade secret misappropriation, divorce scandals, office affairs, and corporate fraud.
For example, Kroll Ontrack recently was asked to examine the email evidence in a sexual harassment case. In the case, the Plaintiff was the assistant to one of the company executives. The assistant claimed that she suffered quid pro quo sexual harassment from the company chairman and was fired from her job after putting an end to the affair. Kroll Ontrack examined an email message allegedly sent from the assistant’s supervisor to the company chairman stating that he had “fired her like you told me to do.” Kroll Ontrack’s investigation proved that the supervisor had not sent the message, but rather that the assistant had generated it using her administrative access to her supervisor’s email account.
The harassment case was settled, but the judge, having examined Kroll Ontrack’s findings, referred the matter to the district attorney. The Plaintiff was subsequently tried for a number of charges relating to the forged evidence and was found guilty. A state appellate court upheld the verdict and the prison sentence.
Cases such as this reveal that sometimes
things are not as they seem when it comes to email
activity. Lawyers and internal investigators should
closely scrutinize all suspect email and consider
consulting with a computer forensic examiner, who can
often shed some light on the true source and
authenticity of the email communication in
question.
Kroll Ontrack News and Events:
To learn more about electronic discovery and computer forensics, attend one of these events:
Visit our Upcoming Events section at http://www.krollontrack.com/upcomingevents/
to learn about these presentations and more.
Kroll Ontrack Requests Your Input
Our legal consultants, project managers, and technology experts strive to stay on top of e-evidence law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to electronicdiscovery@krollontrack.com.
For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.