In This Issue:
FROM THE BENCH: COURTS ADDRESS ISSUES RELATING TO COMPUTER
FORENSIC EXPERTS AND DATA ADMISSIBILITY
Court Adopts mySimon Framework and
Orders Independent Expert to Mirror Image Hard Drives
Experian Info. Solutions, Inc. v. I-Centrix, L.L.C.,
No. 04 C 4437 (N.D. Ill. July 21, 2005). Claiming breach
of contract and misappropriation of trade secrets, the
plaintiffs filed suit against the defendant, a former
employee, and his new company, formed after he stopped
working for the plaintiffs. During discovery, the plaintiffs
sought to obtain mirror images of the defendant’s
computers. The defendant argued the request was overbroad,
would capture proprietary information, and would hinder
the defendant’s business operations. Alternatively,
in the event the court decided the mirror images were
discoverable, the defendant proposed that it use the
standards set forth in Simon Prop. Group L.P. v.
mySimon, Inc., 194 F.R.D. 639 (S.D. Ind. 2000).
In mySimon, an independent expert created and
examined a mirror image of the defendant’s hard
drive and then submitted potentially relevant documents
to the defendants. The plaintiffs argued the method
was too narrow as it would not allow them to evaluate
“relevant contextual data” and “metadata”
found in the mirror image. The court adopted a modified
version of the mySimon framework, adding a
provision to facilitate the recovery of metadata specified
in a list generated by the plaintiffs. The court ordered
“an independent expert [to] review the bitstream
copy for contextual information and metadata that falls
within the scope of this list, as well as for documents
relevant to Plaintiff’s discovery requests.”
Appellate Court Finds Computer Evidence Sufficient
to Support Child Pornography Conviction
United States v. Bass, 411 F.3d 1198 (10th
Cir. 2005). The defendant appealed a conviction of five
counts of knowing possession of child pornography on
the grounds the evidence was insufficient to support
the convictions. At trial, the defendant argued he did
not know the images were automatically saved to the
computer. However, he admitted he attempted to remove
child pornography from the computer using two software
programs, “History Kill” and “Window
Washer.” Based on this admission, the appellate
court found sufficient evidence existed to support the
convictions. The defendant also challenged the sufficiency
of his indictments, stating they were deficient because
they identified the images as “bmp” files
rather than “jpeg” files (which actually
existed on the computer). The court also rejected this
argument and declared “[t]he images identified
in [the defendant’s] indictment indisputably came
from his computer.” The court noted the file type
identification change resulted from the forensic examiner’s
software but was numerically identical to what existed
in the defendant’s computer.
THE BRILL FILES: COMPUTER FORENSIC BEST PRACTICES
– SETTING THE STAGE FOR A SUCCESSFUL DIGITAL INVESTIGATION
*** Written by Alan Brill, Senior Managing Director for Kroll
Ontrack, The Brill Files reflects his work in the field
with clients who have encountered some not-so-pleasant
events and what was done to remedy the situation. With
more than 25 years of consulting experience, Mr. Brill
has assisted organizations with a wide range of technology
security issues and is an internationally recognized
speaker and instructor. ***
Using computer forensic best practices – industry
standard protocols for conducting an electronic evidence
examination – is important in ensuring relevant
digital data is admitted if a case goes to trial. Recently,
one of our computer forensic experts worked on a case
that illustrates the importance of following best practice
techniques throughout a computer forensic examination.
An individual who recently resigned from a large global
company asked Kroll Ontrack to investigate a data spoliation
accusation brought by the company. The company accused
the employee of deliberately wiping nearly all of the
data contained on a company-issued laptop and snap server
before returning it to the company when his employment
ended. Using various computer forensic techniques, our
assignment was to analyze and describe the contents
of the laptop, including any remaining active files
and any files that were deleted or overwritten.
After arriving at the company, one of our experts examined
an exact, bit-by-bit mirror image of the laptop and
the snap server. He also gathered all pertinent supporting
data about the hardware at issue (i.e. the models and
serial numbers of the laptop, hard drives and the server).
Next, the expert made working copies of the acquired
image files that were collected, and each copy was verified
to ensure it matched its original. The expert made certain
that only working copies were used for subsequent examination
and analysis.
The expert then performed a deleted file recovery of the
imaged laptop hard drive. Using industry-standard software,
he viewed the images and generated file listings of
the active files and folders and of previously deleted
files and folders. He also performed a keyword search
of active files, previously deleted files, unallocated
space, and slack space. Using a subset of keywords identified
by the company, he conducted an additional keyword search
exclusively on the active files.
After conducting an analysis on the active files, the
expert searched the unallocated space to identify any
possibly recoverable files or segments. He reviewed
the active and deleted files in an effort to locate
and categorize those that could be identified as user-created
document or spreadsheet files; emails; text files (which
would include Web page “cookies”); HTML
files (Web page information cached to the computer);
and image and movie files (typically containing a .jpg,
.gif, .mpeg, or .avi extension).
After completing his review of the laptop, the expert
discovered that six gigabytes of active data –
including Microsoft Word documents, spreadsheets, and
email – still remained on the laptop. Based on
these findings, the employee was able to refute the
company’s allegation that the employee had wiped
nearly 100% of the data off of the hardware at issue.
By strictly adhering to solid computer forensic best
practices throughout the data collection, recovery and
analysis, the expert helped set the stage for success
in this forensic examination.
*** If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Amanda Karls at (952)
516-3637 or at akarls@krollontrack.com.
***

TECHNOLOGY YOU SHOULD KNOW: EXPERT ADVICE WHEN SELECTING
A COMPUTER FORENSIC EXPERT
*** As technology continues to play a larger role
in litigation and internal company investigations, lawyers
and investigators are expected to understand the inner
workings of computers and how they relate to computer
conduct issues. ***
Choosing a qualified computer forensic expert is a
critical element in a case calling for an investigative
and detailed analysis of electronic data. The expert
must have the proper experience and training to successfully
identify and attempt to retrieve possible evidence that
may exist on a computer system. As many “experts”
exist in the computer forensic arena, attorneys must
be very careful when selecting the right computer forensic
expert as this decision could make or break their case.
When selecting a computer forensic expert, consider
the following aspects:
Ensure the expert is qualified.
Determine if the expert has sufficient direct experience
with the relevant electronic media at issue. The expert
must be thoroughly familiar with both the technology
and the concepts surrounding the case and should have
extensive technical, legal and industry experience.
A seasoned expert will be better able to help determine
what information is technically feasible to collect,
how to best analyze that information, and how to interpret
the resulting findings.
Find an expert with the ability to think outside
the computer box.
Computers are not the only form of electronic evidence
that investigators should consider when evaluating cyber-evidence.
While computer records can be decisive or at least helpful
in many cases, they are not the whole story. Building
access systems, video monitoring programs, and phone
logs could be fundamental to an investigation in the
digital age. Also, an expert should look for physical
evidence associated with the computer media. For example,
notes containing computer passwords may be lying in
plain view.
Make certain the expert follows computer forensic
best practices.
A firm grasp of basic data handling concepts and computer
forensic best practices is the first step to ensure
a successful investigation. Check to see if the expert
adheres to strict industry standards regarding data
collection and preservation. Electronic evidence, just
like other types of evidence, is fragile. For example,
simply booting a computer or opening a file can change
potentially valuable metadata – dates, times and
other behind-the-scenes information about the data.
The credibility of any recovered data is based on proper
evidence handling. If a forensic analysis is done on
a piece of media, an expert must make a mirror image
– a bit-by-bit snapshot of the original drive
– of the media in order to preserve the integrity
of the original media.
Question the expert’s chain of custody
documentation.
Maintaining a written "chain of custody" on
pieces of relevant media is the best way to proactively
ensure admission of the data into evidence at trial.
A proper chain of custody ensures the reliability of
evidence and minimizes any risk that evidence was changed,
altered or modified from its original form on the hard
drive. Inquire about the expert’s chain of custody
documentation and ask to see a sample in order to ensure
such documentation will meet best practice requirements.
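The working-copy verification described in The Brill Files and the chain of custody record described above can be combined in one routine. The following is an added example, not code from Kroll Ontrack or this newsletter; the file names, the examiner label, the log fields, and the choice of SHA-256 are assumptions, and the "image" is constructed sample data.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, expected, examiner, log):
    """Compare a file against the acquisition hash and append a custody entry."""
    actual = sha256_file(path)
    entry = {
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,  # hypothetical label
        "file": Path(path).name,
        "sha256": actual,
        "status": "VERIFIED" if actual == expected else "MISMATCH",
    }
    log.append(entry)
    return entry

def make_working_copy(original, dest, expected, examiner, log):
    """Re-verify the original, copy it, then verify the copy before any analysis."""
    if verify(original, expected, examiner, log)["status"] != "VERIFIED":
        raise ValueError("original no longer matches its acquisition hash")
    shutil.copyfile(original, dest)
    return verify(dest, expected, examiner, log)

def demo():
    """Constructed data: a stand-in image, one good copy, one altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        image = tmp / "laptop.img"
        image.write_bytes(b"constructed sample sector " * 4096)
        acquired = sha256_file(image)  # hash recorded at acquisition time
        log = []
        good = make_working_copy(image, tmp / "work1.img", acquired, "examiner-A", log)
        altered = bytearray(image.read_bytes())
        altered[100] ^= 0x01  # a single flipped bit is enough to fail verification
        (tmp / "work2.img").write_bytes(altered)
        bad = verify(tmp / "work2.img", acquired, "examiner-A", log)
        return good["status"], bad["status"], [e["file"] for e in log]

if __name__ == "__main__":
    print(demo())
```

Each log entry records who checked which file, when, and with what result, so a mismatch is documented at the moment it is found rather than discovered later.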

KROLL ONTRACK NEWS & EVENTS
Kroll Ontrack Named Most Used Electronic Discovery
Service Provider In Two Major Industry Surveys
The American Lawyer's 10th Annual AmLaw Tech
Survey has identified Kroll Ontrack as the industry's
most used electronic discovery provider among leading
law firms. This year's survey marks the fourth year
in a row that Kroll Ontrack has been recognized as the
clear winner in the electronic discovery provider category.
The survey also identified Kroll Ontrack’s online
review software, ElectronicDataViewer™, as the
industry’s second most used online document repository
tool in discovery. The annual survey tracks technology
trends as well as which products and services the country’s
top 200 law firms are using. The AmLaw Tech Survey can
be found as a supplement to the September issue of The
American Lawyer.
Law Office Computing’s 11th Annual Reader’s
Choice Awards recently recognized Kroll Ontrack as one
of the most used service providers in the electronic
discovery category. Electronic discovery has been its
own category in the annual survey for two years and
this marks the second year in a row that Kroll Ontrack
has been chosen by the readers of Law Office Computing
as their electronic discovery provider of choice. Results
were taken from a nationwide survey of 2,000 randomly
selected Law Office Computing subscribers in
which readers were asked to select which technology
services they use the most. Look for the winners and
finalists in each category in a special feature in the
August/September 2005 issue.
Growth of Legal Technology Industry Fuels Job
Opportunities
As a result of the growth in the legal technologies
industry, Kroll Ontrack is seeking qualified candidates
for several available Discovery Services Project Manager
positions. Among other duties, these individuals will
be responsible for managing multiple projects from lead
to close-out and assisting with project scoping, conference
calls, and customer presentations.
For more information about these opportunities and
other open positions at Kroll Ontrack, visit: http://www.krollontrack.com/careers/jobsearch.asp.
Meet Kroll Ontrack Representatives at the Following
Events:
Visit http://www.krollontrack.com/upcomingevents/
for more information on these events and others.
KROLL ONTRACK REQUESTS YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about electronic discovery and
computer forensics services, contact Kroll Ontrack at
1-800-347-6105 or http://www.krollontrack.com/.