| In This Issue:
 FROM
THE BENCH: COURTS EVALUATE DIGITAL EVIDENCE
Lawsuit Dismissal Upheld Based on Evidence
Uncovered by Computer Expert
Breezevale Ltd. v. Dickinson, 879 A.2d 957
(D.C. Cir. 2005). A tire distributing company brought
an action against its attorneys for legal malpractice.
The company alleged the attorneys should have delayed
the deposition of one of the company’s employees
until the company could further investigate the employee’s
conduct. The employee being deposed claimed she forged
documents relating to a lawsuit against a tire manufacturing
company at the direction of and in collaboration with
company executives. At trial, the court dismissed the
legal malpractice lawsuit and imposed fees upon the
company for knowingly bringing a suit based on forged
documents. A computer evidence expert testified two
documents were created on the employee's computer with
a last access date that corroborated the employee's
testimony. In addition, the expert determined one of
the documents was computer-generated, even though the
defendant did not own a computer at that time. Other
evidence of forgery included two documents that were
typed on a letterhead that did not exist at the time
of the alleged document create dates. Based on this
evidence, the trial court came to the “inescapable
conclusion” the documents at issue were forged.
The appellate court affirmed the lawsuit dismissal and
award of $4 million in fees based on its finding that
sufficient evidence demonstrated the company’s
executives knew and participated in the forgeries. However,
the court vacated the $1 million punitive sanctions,
noting, “[t]he other sanctions imposed by the
trial court themselves bore ‘punitive’ elements.”
Court Considers Web Site Cookies in Motion
to Exclude Evidence
Inventory Locator Serv., LLC v. Partsbase, Inc.,
2005 WL 2179185 (W.D.Tenn. Sept. 6, 2005). The plaintiff
alleged the defendant unlawfully accessed the plaintiff’s
computerized database, and the defendant counterclaimed
arguing similar conduct on the part of the plaintiff.
In support of its counterclaims, the defendant offered
"Web server logs," purporting to record various
unlawful entries into the defendant's computer system
from an internet protocol ("IP") address assigned
to the plaintiff. The plaintiff sought, inter alia,
to exclude the evidence, arguing the logs were "incredible
on their face," appeared to have been altered,
had been moved and deleted, and were inadmissible hearsay.
As evidence that the logs were altered or fabricated,
the plaintiff noted a "cookie anomaly." When
a user from a specific IP address logs onto the defendant’s
Web site, a “cookie” containing information
such as the IP address from which the user was logging
in, would be created and recorded alongside the entry
in the server logs. According to the plaintiff, none
of the cookies corresponded with the entries allegedly
coming from its IP address. In response, the defendant
submitted the affidavit from a technology services company
president who explained the “cookie anomaly”
as a technical glitch not confined to entries from the
plaintiff’s IP address. Weighing this evidence,
the court determined evidence exclusion was not warranted
as “[a]bsent more detailed evidence or expert
testimony” it could not determine if the “cookie
anomaly” undermined the authenticity of the defendant’s
log records.
THE BRILL FILES: INSTANT MESSAGING – AN UNTAPPED
SOURCE FOR TELLTALE EVIDENCE
*** Written by Alan Brill, Senior Managing Director
for Kroll Ontrack, The Brill Files reflects his work
in the field with clients who have encountered some
not-so-pleasant events and what was done to remedy the
situation. With more than 25 years of consulting experience,
Mr. Brill has assisted organizations with a wide range
of technology security issues and is an internationally
recognized speaker and instructor. ***
Instant messaging (“IM”) allows an Internet
user to instantly communicate a written message to friends
or colleagues who are logged into the same instant messaging
software in real-time. The speed and ease with which
users can express themselves has made IM the modern
equivalent to water cooler conversations in the workplace.
Unfortunately for some individuals who type and send
messages they previously may have flippantly spoken
to a co-worker, these conversations have the potential
to be etched in stone on a computer hard drive or IM
archive.
My colleagues and I were recently involved in a case
where a company executive found himself in this exact
situation. A large corporation approached us requesting
that one of our computer forensic experts investigate
a claim relating to inappropriate IM activity. One of
the company’s entry-level employees had accused
the executive of sexually harassing her during several
IM “chats.” Denying the conversations took
place, the executive claimed the employee was simply
seeking revenge because she was denied a promotion.
Our experts were brought in to search for potential
evidence on the employee’s computer to see if
her claims held any merit. Using keyword searching and
other techniques, the expert uncovered IM records evidencing
a romantic affair between the executive and the employee.
After the affair soured, the employee threatened to
expose the executive if she did not receive a promotion.
Armed with this hard evidence, the corporation was better
able to reach a resolution in the situation.
As IM programs such as Google Talk, AOL instant messenger,
MSN Messenger, and Yahoo! Messenger increase in popularity,
today’s organizations must weight the pitfalls
and advantages associated with this software. Below
are some tools to assist organizations in tackling this
issue.
- Capitalize on IM technology. Many
IM archive systems allow organizations to conform
to regulatory requirements, manage IM on a long-term
basis, reduce database backup processes, and leverage
the corporate knowledge contained within their IM
archive.
- Initiate an IM policy. If organizations
choose to use IM as a means of communicating, they
should have an effective IM management policy in place
for monitoring and regulating IM use. The policy should
be in writing, and the company should ensure employees
have read and understand the policy. As IM technology
is constantly improving, companies should also update
written IM policies on a regular basis.
- Evaluate security risks. Organizations
should discuss the dangers of unarchived or unsecured
data in order to determine their acceptable level
of risk. An organization should also install software
at both the server and firewall level either to prevent
IM use or to monitor and archive it. Once this software
is installed, an organization will be able to obtain
the text files of the IM correspondence.
- Consider implementing a private IM system.
The market offers enterprise-wide, private IM systems
that operate on the company’s own servers. A
private system has its own archive, ensuring instant
messaging content is permanently stored. Some private
systems work on a local subnet instead of an Internet
connection, making messages inaccessible from the
outside world.
By implementing an effective management plan, organizations
can provide the convenience and efficiency of IM communication
while minimizing the risks associated with inappropriate
use. If an organization using IM discovers such conversations
may contain a key piece of evidence, it should enlist
the services of a computer forensic expert. The expert
will be in the best position to explore the limits of
the IM technology used, helping uncover potentially
telltale evidence in your next case.
*** If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Amanda Karls at (952)
516-3637or at akarls@krollontrack.com.
***
TECHNOLOGY YOU SHOULD KNOW: DIGGING IN ON DATA DESTRUCTION
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators are expected to understand the inner
workings of computers and how they relate to computer
conduct issues. ***
In the last few months, emerging cases across the country
have featured data destruction tools like “Evidence
Eliminator,” “History Kill,” and “Window
Washer” among others. Using these programs, individuals
have tried to cover up evidence of criminal activity,
corporate fraud, and other potentially damaging digital
evidence. For example, a recent headline featured the
CEO of Bowne, who was indicted for possessing at least
two child pornography movies and deleting 12,000 other
files when he learned about a government investigation
into a child-porn Web site. Computer records obtained
during the investigation and an IP address that traced
back to Bowne tipped off the government to the CEO’s
alleged activity. See, John Foley, “CEO Porn Charge
Provides A PC-Use Lesson,” InformationWeek,
Jul. 11, 2005. Available at: http://www.securitypipeline.com/165701168.
When a hard drive or portion of a hard drive is “wiped,”
an individual runs a commercially available software
“shredder” program to intentionally overwrite
data with a specific or randomly generated pattern of
“1s” and “0s”. If run properly,
a wiping utility will make the data unrecoverable by
commercial computer forensic experts. Despite this,
some tools still may be able to drill deeper into a
wiped hard drive to recover pieces of data. However,
this process is time-consuming, risky and extremely
expensive. Depending on the wiping program used, computer
forensic experts may also be able to determine the date,
time and the specific program that was used to conduct
the wiping.
Data wiping differs from other forms of spoliation
such as defragmentation or overwriting. Defragmentation
is the process of reorganizing a computer’s “filing
cabinet” and is designed to make the computer
run more efficiently by putting pieces of files as close
to each other as possible.
Defragmenting a computer will not harm the active data
(the data users can access on their own from the desktop)
but may render a great deal of the normally recoverable
deleted data (the data only a forensic engineer can
recover) virtually unrecoverable. Depending on the size
the drive, data volume and order of operations, deleted
files might be recoverable even after defragmentation.
A complete computer forensic investigation will help
identify data that is recoverable after defragmentation.
While similarities exist between data wiping and hard
drive overwriting, overwriting involves a more extensive
process. First, the selected files are erased and the
computer trash bin is emptied. Next, a large quantity
of data is loaded onto the operating system so each
unassigned byte of storage is filled up with meaningless
data. For example, an individual might download random
text from a Web site and copy it to the hard drive over
and over, until the unassigned space on the hard drive
is completely full.
If evidence of data wiping, defragmentation or overwriting
could be important in your case, consult a computer
forensic expert to examine the media at issue. Even
though many of these utilities and methods are highly
successful, most are not completely foolproof. Experienced
computer forensic investigators often are able to find
bits and pieces of files left on the computer. Even
more damaging, investigators frequently uncover evidence
of the program itself as well as the date and time the
program was used on the computer. When evidence of data
destruction is apparent, the results of a thorough forensic
examination will help attorneys and their clients best
assess the merits of the case.
KROLL ONTRACK NEWS & EVENTS
Growth of Legal Technology Industry Fuels
Job Opportunities
As a result of the growth in the legal technologies
industry, Kroll Ontrack is seeking qualified candidates
for several available Discovery Services Project Manager
positions. Among other duties, these individuals will
be responsible for managing multiple projects from lead
to close-out and assisting with project scoping, conference
calls, and customer presentations.
For more information about these opportunities and
other open positions at Kroll Ontrack, visit: http://www.krollontrack.com/careers/jobsearch.asp.
Meet Kroll Ontrack Representatives at the Following
Events:
| 10/21/05
- 10/22/05 |
Atlanta
Paralegal SuperConference |
Atlanta,
GA |
| 10/19/05
- 10/23/05 |
DRI
2005 Annual Meeting |
Chicago,
IL |
| 10/27/05
- 10/28/05 |
9th
Annual Electronic Discovery & Records Retention
Conference |
Chicago,
IL |
| 11/3/05
- 11/4/05 |
LawTech
Forum |
New
York, NY |
| 11/2/05
- 11/5/05 |
National
Conference of Bankruptcy Judges 79th Annual Meeting |
San
Antonio, TX |
| 11/15/05
- 11/16/05 |
The
Third Annual West Coast General Counsel Conference |
San
Francisco, CA |
| 11/17/05
- 11/18/05 |
9th
Annual Electronic Discovery & Records Retention
Conference |
New
York, NY |
| 12/1/05
- 12/2/05 |
|
Eden
Prairie, MN |
| 12/6/05
- 12/7/05 |
|
New
York, NY |
| 12/8/05
- 12/9/05 |
9th
Annual Electronic Discovery & Records Retention
Conference |
San
Francisco, CA |
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology
experts strive to stay on top of electronic discovery
law. If you are aware of any additional local court
rulings or new cases in this area of the law, please
contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff
attorney with Kroll Ontrack, with assistance from Charity
J. Delich, a Kroll Ontrack law clerk. Ms. Lange has
published numerous articles and speaks regularly on
the topics of electronic discovery, computer forensics,
and technology's role in the law. She can be contacted
by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.
|
