| In This Issue:
FROM THE BENCH: COMPUTER FORENSIC EXAMINATIONS PLAY CRUCIAL ROLE IN RECENT CASES
Court Sanctions Defendant for Deleting Computer
Files in Attempt to Hide Document Theft
Advantacare Health Partners, LP v. Access IV,
2004 WL 1837997 (N.D.Cal. Aug. 17, 2004). The plaintiffs
filed suit against the defendants, former employees
of the plaintiffs, alleging the defendants' newly created
company competed directly with the plaintiffs' business.
In support of their claims, the plaintiffs hired a computer
forensic expert to examine the defendants' former work
computers. The forensic expert discovered that, prior
to leaving the company, one of the defendants accessed
the plaintiffs' computer network, copied company confidential
files, and deleted the copied files from his hard drive,
in an attempt to conceal the file copying. Based on
this evidence, the court granted the plaintiffs' request
to make forensic copies of the defendants' current home
and business computers and server. The forensic expert
found that after the court issued the order, numerous
computer searches for data deletion software were performed
and a program called "BC Wipe" was used to delete more
than 13,000 files from the defendant's home and office
computers and server. The forensic expert also found
an additional 100 files deleted just hours before the
defendants submitted the hard drives to the plaintiffs
for analysis. Based on these facts, the court ordered
the defendants to permanently delete the files and authorized
the plaintiffs to re-image the defendants' hard drives
to verify compliance. Upon re-imaging the hard drives,
the plaintiffs' expert discovered thousands of confidential
files still existed on the drives. The defendants argued
they could not be sure whether they had deleted all of
the files because the plaintiffs failed to identify
the files by name, directory, and computer. Declining
to accept the defendants' argument, the court stated,
"[d]efendants' behavior, from the very inception of
this case, has demonstrated willfulness, fault, and
bad faith." The court awarded $20,000 in sanctions and
indicated that it would instruct the jury to make a
negative inference concerning the deleted files.
Court Dismisses Charges Where State Fails to
Produce Forensic Image of Hard Drive
State v. Kandel, 2004 WL 1774781 (Minn. App.
Aug. 10, 2004). In a criminal prosecution for possession
of child pornography, the state appealed a trial court's
order dismissing the case against the defendant as a
sanction for the state's discovery violations. Pursuant
to a court order, the defendant had requested a "forensically
sound" image copy of his computer hard drive, which
had been turned over to the state by someone other than
the defendant. When the state failed to comply with
this and other discovery requests, the defendant moved
to suppress any evidence derived from the computer and
to have the charges dismissed. Refusing to award sanctions
at that time, the district court granted the state more
time to produce the disclosures. However, the state
still had not produced the requested materials or allowed the defendant
to access the computer even after several months had
passed. As a result, the trial court granted the defendant's
motions for suppression and dismissal. On appeal, the
state argued that it did not want to lose the forensic
value of the computer by giving access to the defendant
since that would violate laws prohibiting dissemination
of child pornography. Affirming the trial court's decision,
the appellate court noted, "[a]lthough dismissal is
an extreme sanction, '[t]he values sought to be achieved
through reciprocal discovery will be attained only if
the rules are properly observed, and to this end the
trial courts must have the ability to make those obligations
meaningful'."

THE BRILL FILES: RECOVERING FILES OTHERS FOUND IMPOSSIBLE
TO CRACK
*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***
Kroll Ontrack was recently involved in a case with one of the largest
district attorney (DA) offices in the United States.
The DA's office asked us, under highly confidential
circumstances, if we could recover any of the more than
30,000 files stored on certain CD-ROMs. The DA's office
believed these files were likely written in a foreign
language. The files contained potentially valuable evidence
and were completely inaccessible to the average computer
user.
The DA's office came to us after another computer forensic
company unsuccessfully attempted to open the files,
surmising that the files were encrypted or compressed
with some unknown piece of software or, alternatively,
so corrupt they were unreadable and unrecognizable.
Our computer forensic engineers went to work, attempting
to access the seemingly inaccessible files. After completing
an extensive analysis, our engineers determined the
files were "GIF" (Graphics Interchange Format) files
containing non-standard headers that prevented them
from opening. The documents likely were scanned and
saved as GIF files by a custom software application
which replaced the standard headers to allow for better
categorizing, coding and restoring of the files. The
software application replaced the standard GIF headers
with non-standard headers, making the documents readable
only by the customized software application that created
them - an application our forensic engineers did not
have access to. Our engineers replaced the non-standard
headers with standard ones, enabling the district attorney's
office to open, read and analyze all 30,000-plus files.
The key to our successful recovery was not the result
of an automated analysis, but was the result of critical
thinking and a thorough investigation by knowledgeable,
trained, and experienced computer forensic engineers.
This is a great example of how diligent and meticulous
work by skilled computer forensic engineers can result
in recovering computer data - even when others find
the code impossible to crack.
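
As an added illustration (not Kroll Ontrack's code or tooling): the column does not say what the custom headers looked like, so this Python example assumes only the 6-byte GIF signature was overwritten with a same-length tag. It confirms that the rest of the file parses as a GIF block stream before restoring a standard signature; the `DOC001` tag and the sample bytes are constructed.

```python
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

def walks_as_gif(data: bytes) -> bool:
    """True if everything after the 6-byte signature parses as a GIF block stream."""
    if len(data) < 14:
        return False
    width, height, flags = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        return False
    pos = 13                                   # end of logical screen descriptor
    if flags & 0x80:                           # global colour table present
        pos += 3 * (2 << (flags & 0x07))
    try:
        while True:
            block = data[pos]
            if block == 0x3B:                  # trailer: stream is complete
                return True
            if block == 0x21:                  # extension introducer + label
                pos += 2
            elif block == 0x2C:                # image descriptor (10 bytes)
                local_flags = data[pos + 9]
                pos += 10
                if local_flags & 0x80:         # local colour table present
                    pos += 3 * (2 << (local_flags & 0x07))
                pos += 1                       # LZW minimum code size
            else:
                return False
            while data[pos] != 0:              # skip length-prefixed sub-blocks
                pos += data[pos] + 1
            pos += 1                           # sub-block terminator
    except IndexError:                         # truncated or not GIF-shaped
        return False

def repair_header(data: bytes, version: bytes = b"GIF89a"):
    """Return a copy with a standard signature, or None if the body is not a GIF."""
    if data[:6] in GIF_SIGNATURES:
        return data                            # already standard, leave untouched
    if not walks_as_gif(data):
        return None                            # do not stamp a header on unknown data
    return version + data[6:]                  # assumption: tag is exactly 6 bytes

# Constructed sample: a minimal 1x1 GIF, then the same bytes with a made-up tag.
GOOD = bytes.fromhex("474946383961" "01000100800000" "000000ffffff"
                     "2c000000000100010000" "02" "024401" "00" "3b")
CUSTOM = b"DOC001" + GOOD[6:]

if __name__ == "__main__":
    print(repair_header(CUSTOM) == GOOD)
```

Run a repair like this against working copies of the evidence, never the original media.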
*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Tommy Sangchompuphen at (952)906-4846 or at tsangchompuphen@krollontrack.com. ***
TECHNOLOGY YOU SHOULD KNOW: WHAT TO LOOK FOR WHEN HIRING A COMPUTER FORENSIC EXPERT - PART I
*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. ***
Enron, Arthur Andersen, Martha Stewart, and Kobe Bryant.
All of these headline stories have at least one thing
in common - attorneys searching for potential smoking
gun evidence buried on computer hard drives, laptops,
backup tapes, and other electronic media. In cases like
these, attorneys will request the assistance of computer
forensic experts to access, examine, and evaluate the
electronic data. In some cases, experts may also need
to present their findings in court.
Regardless of the work performed, computer forensic
experts must demonstrate they possess the requisite
technical expertise to help a jury or judge understand
and evaluate the digital data. What should you look
for in hiring a computer forensic expert? What types
of questions should a computer forensic expert be prepared
to handle at a deposition or at trial? This article
is the first in a two-part series focusing on qualifications
and skills of computer forensic experts.
Hiring a computer forensic expert is no different than
hiring other subject matter experts for litigation.
If you are involved in an arson case, you look for a
skilled arson examiner. If you are involved in a medical
malpractice suit, you look for a doctor who is experienced
in the particular area of medicine at issue. Similarly,
in computer forensics matters, you must seek an individual
having direct, provable experience with the type of
technical situation at issue in your case. For example,
different skill sets are required for the forensic examination
of a single hard drive, as opposed to the examination
of a large, corporate computer network. In addition,
specialized skills are required if data recovery efforts
are needed on the computer media.
When evaluating an expert's technical and professional
skills, seek an expert with a solid curriculum vitae
or resume. Inquire into the number and types of cases
on which the expert has worked and request to speak
with some of the expert's past clients. Look for published
articles or books and ask if the expert has presented
at conferences, meetings, or training sessions. Request
information about the expert's certifications, ongoing
training, and professional memberships. Since a computer
forensic expert may become a witness in the case, you
should also ask about the expert's testimony training
and experience.
Last, and perhaps most importantly, look for an individual
who will fit on your litigation team. The person you
hire is another team member working toward your client's
ultimate goals. Seek an individual who is available
to answer your questions and who will seamlessly work
with you in achieving the best possible outcome for
your client.
Look for Part II of this article in next month’s
Technology You Should Know column. Part II will outline
some common questions you should prepare your computer
forensic experts to address in front of a judge or jury.
KROLL ONTRACK NEWS & EVENTS
Kroll Ontrack Named Top Electronic Discovery Vendor for
Third Consecutive Year
Kroll Ontrack Inc. has taken top honors in the "electronic
evidence discovery vendor" category for the third
consecutive year in the Ninth Annual AmLaw Tech Survey.
This marks the third time that an "electronic evidence
discovery vendor" question has been included in
the survey, which appears in the September 2004 issue
of AmLaw Tech, a quarterly supplement to American Lawyer.
Each time the question has been asked, Kroll Ontrack
has been selected as the top choice by respondents.
More than 130 law firms responded to the question, "What
electronic evidence discovery vendors has the firm used
in the past year?" Multiple answers were allowed.
One-half of all respondents indicated they used Kroll
Ontrack’s services in the past year, marking an
increase of 19 percent from the previous year’s
survey.
Meet Kroll Ontrack Representatives at the Following
Events:
Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology
experts strive to stay on top of e-discovery law.
If you are aware of any additional local court rules
or new cases in this area of the law, please do not
hesitate to contact us by writing to mlange@krollontrack.com.
Portions of this newsletter are written by Michele C.S. Lange, staff attorney with Kroll Ontrack. Charity Delich, a Kroll Ontrack law clerk, helped prepare the case summaries. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery
and computer forensic services, contact Kroll Ontrack
at 1-800-347-6105 or www.krollontrack.com.
|