FROM THE BENCH: COMPUTER FORENSIC EXPERT HELPS PROVE INTERNET TRADEMARK INFRINGEMENT ALLEGATIONS
	THE BRILL FILES: DON’T BECOME A VICTIM OF INFORMATION SECURITY TUNNEL VISION
	TECHNOLOGY YOU SHOULD KNOW: FIVE KEY PRINCIPLES FOR EXAMINING ELECTRONIC EVIDENCE
	KROLL ONTRACK NEWS & EVENTS

FROM THE BENCH: COMPUTER FORENSIC EXPERT HELPS PROVE INTERNET TRADEMARK INFRINGEMENT ALLEGATIONS

Computer forensic experts assist lawyers by investigating civil matters in a variety of manners. From uncovering fabricated evidence to detecting and explaining sources of relevant information, computer forensic experts can help put together critical pieces of the electronic evidence puzzle. In Philip Morris USA, Inc. v. Otamedia Ltd., 2004 WL 1878751 (S.D.N.Y. Aug. 20, 2004), a case involving allegations of trademark infringement and unfair competition, a computer forensic expert helped clarify complex technical matters relating to the defendant’s deceptive sales practices.

In Philip Morris, the plaintiff accused the defendant of illegally using the Internet to sell the plaintiff’s brand of cigarettes, which was intended only for sale abroad, to customers in the United States. The court entered a judgment prohibiting the defendant from supplying, shipping, or importing the plaintiff’s cigarettes to Web sites, customers, or affiliates in the U.S. Contending the defendant violated this order by continuing to sell the cigarettes through certain Internet domain names, the plaintiff sought to modify the judgment to include transferring ownership of the defendant’s Internet domain names to the plaintiff.

The plaintiff offered testimony from a computer forensic expert to demonstrate that the defendant continued to sell gray market cigarettes. The computer forensic expert explained that when an Internet user typed search terms such as “online cigarettes” into a search engine, the defendant’s Web site would pop up because of the domain names the defendant used. A truncated link to the Web site also prominently indicated the sale of the plaintiff’s cigarettes.

Arguing the plaintiff’s cigarettes comprised “merely a fraction” of the products sold, the defendant presented two batches of sales data. The plaintiff’s computer forensic expert examined the sales data and found inconsistencies in computer programming formulas, individual sales records, and customer email confirmations. After being confronted with the expert’s analysis, the defendant admitted its sales data was unreliable, and likely fraudulent.

Finding the defendant’s “supporting testimony and data … so riddled with fabrication and deception as to warrant the inference that the truth is the exact opposite of what [the defendant] contends,” the court ordered the transfer of the defendant’s domain names to the plaintiff.

THE BRILL FILES: DON’T BECOME A VICTIM OF INFORMATION SECURITY TUNNEL VISION

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

Shortsighted security planning is a common mistake among information technology (IT) personnel in today’s high-tech corporations. While IT departments must focus on proper computer and network security protocol for issues such as firewalls, intrusion detection/prevention systems, secure network architectures, and authentication strategies, they also need to consider other security gaps to ensure they are completely protecting all the company’s information assets.

Security, including information protection, works on a weak-link principle. Somewhere in the security chain a weak link likely exists as a result of complex computer systems, widely interconnected networks, technological dependence, or multifaceted software. For example, a database may be extremely well protected from hackers by at least a half-dozen software and architectural strategies. If, however, you back the database up to an unsecured backup tape, particularly in an un-encrypted form, your overall security plan may be compromised.

A couple of cases I was recently involved in help to illustrate this point. One case involved a client who lost valuable research and development information when someone broke into their office and stole the company’s servers and backup tapes. The client’s office was not secured by a simple burglar alarm system, and the backup tapes were left sitting unsecured in the server room. In another case we worked on, the client suffered damages when an unqualified employee, who was not subjected to a human resources background check, became overwhelmed with the work he was asked to perform and destroyed parts of the client’s network. In this particular case, even the best laid plans for external information security would not have prevented this security breach.

The following tips will help an organization avoid becoming a victim of information security shortsightedness:

• Look for holes in your computer and network security plans. Watch for gaps in your current security policies and fix them as soon as they surface. Consider employing a computer security expert to conduct a proactive security audit of your systems.
  
• Evaluate issues relating to physical and personnel security. Manage risk by mitigation. From protecting sensitive information with alarm and video surveillance systems to performing background checks on potential employees, an organization must take steps to avoid vulnerability.
  
• Integrate all aspects of security. When multiple departments are responsible for various security aspects at a company, all departments must work together to ensure weaknesses in security does not exist.
  
• Mitigate damages with risk management. Not all risk can be eliminated, but you can work with an insurer to help mitigate risks that cannot be avoided. Make sure you are aware of the available coverage (so you know what risks you will continue to carry), costs involved, and discounts you may receive due to your current security program.

In order to achieve a reasonable level of information security, you must take into account computer and network security issues as well as physical security, personnel security, and risk management issues. Effective use of security measures can help an organization reduce the chance of becoming a victim of information security tunnel vision.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***

TECHNOLOGY YOU SHOULD KNOW: FIVE KEY PRINCIPLES FOR EXAMINING ELECTRONIC EVIDENCE

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue. ***

Recently, the Technical Working Group for the Examination of Digital Evidence, sponsored by the National Institute of Justice, released a special report entitled “Forensic Examination of Digital Evidence: A Guide for Law Enforcement” (see http://www.ncjrs.org/pdffiles1/nij/199408.pdf).

While the report is intended for law enforcement officers, its principles and procedures offer guidance for computer forensic experts dealing with private civil investigations as well. In particular, the guidelines contain the following five key principles computer forensic experts should follow when examining electronic evidence:

• Implement Computer Forensics Policies and Procedures. Computer forensic examinations are often detailed and complex. For instance, multiple pieces and types of media may be at issue – from computers containing large quantities of data to backup tapes or email systems. Moreover, computer forensic experts will often find many different software programs, email systems, and servers that require an examination. In each case, a computer forensic expert may perform different handling methods when retrieving, copying, or searching the data. Since all of this information can become extremely complex and technical in nature, computer forensic experts must develop uniform forensic protocols.
• Evaluate Electronic Evidence Thoroughly. Digital evidence should be thoroughly assessed with respect to the scope of the case to determine the most appropriate course of action. This includes examining the circumstances surrounding the acquisition of the evidence, and identifying any special factors when on-site at the scene of the computer activities in question.
• Protect and Preserve Evidence. A reliable computer forensic investigation always requires proper preservation procedures. Experts must use techniques that are generally understood within the industry and are considered reliable when handling data. This includes maintaining chain-of-custody control, protecting data from magnetic fields and other dangers that can damage data, mirror imaging, and using validated analysis tools that accurately convey the information being reviewed.
• Examine Electronic Evidence Thoroughly. General forensic principles apply when extracting and analyzing digital evidence. Whenever possible, the examination should not be conducted on original evidence. Extraction, both physical and logical, refers to the recovery of data from the media. Analysis is the process of interpreting the extracted data to determine its significance to the case. Some examples of analysis that may be performed include timeframe, data hiding, application and file use/access, and ownership and possession of information.
• Document and Report Findings Accurately. The examiner is responsible for completely and accurately reporting the process used to examine the digital evidence as well as his or her findings and results of the examination. Documentation is an ongoing process throughout the examination and often includes:
  • Taking notes when consulting with those involved in the case.
  • Taking notes to allow complete duplication of actions (this includes documenting dates, times, descriptions, and results of actions taken).
  • Documenting any irregularities encountered.

In addition, sample reports, worksheets, training resources, and a glossary are included in the working group guide.

KROLL ONTRACK NEWS & EVENTS

Meet Kroll Ontrack Representatives at the Following Events:

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.

KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to mlange@krollontrack.com.

Portions of this newsletter are written by Michele C.S. Lange, staff attorney with Kroll Ontrack. Charity Delich, a Kroll Ontrack law clerk, helped prepare the case summaries. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensic services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.