Computer Forensics Challenges of 2008: The major issues affecting the use of digital forensics in family law cases in South Carolina.

Presented by Steven M. Abrams, J.D., M.S., Abrams Millonzi Law Firm, P.C.


TRANSCRIPT

Page 1: Computer Forensics Challenges of 2008; The major issues affecting the use of digital forensics in family law cases

Computer Forensics Challenges of 2008;

The major issues affecting the use of digital forensics in family law cases in South Carolina.

Presented by

Steven M. Abrams, J.D., M.S.

Abrams Millonzi Law Firm, P.C.

Page 2: Steven M. Abrams, Esq.

Computer Forensics Examiner; Attorney at Law (SC); Private Investigator (NY)

Computer Forensics Bio

1983 – 2008 (25 yr)

Trained under Military and Law Enforcement Supervision – NCJA, NW3C, NYPD, FBI, SLED

350 CF cases, 75% Domestic Relations

Law enforcement work: USSS, FBI, Mt. Pleasant PD, ...

Member: HTCIA, SCALI, ALDONYS, IEEE

Permanent Member: SLED PI Business Advisory Committee

Instructor: Numerous CLEs, Seminars, US and Foreign Governments

Page 3: What we will cover today

Issues confronting the use of Computer Forensics in Family Court

Common abuses of the Discovery Process

Need to check licenses and credentials of Computer Forensics examiners

Need to critically evaluate CF evidence

Lack of uniform rules for E-Discovery in State Courts

Page 4: Computer Forensics?

Computer forensics, also called cyberforensics and digital forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Page 5: Why do Computer Forensics?

"Forget dumpster diving. Computers harbor more personal information and secrets than anyone can discard into a 20-gallon trash container. A typical computer holds information people once stored in wallets, cameras, contact lists, calendars, and filing cabinets. Computers are the treasure trove of personal contacts, personal finance, and correspondence. Practically every investigation can benefit from the proper analysis of the suspect's computer systems." – Incident Response: Investigating Computer Crime, p. 88

Page 6: Family Law Matters are particularly suited to digital forensics.

Home computers and cell phones are usually jointly owned and used marital property.

Household financial records are often on the home computer. Hidden assets are traceable on the PC.

Increasingly, paramours are contacted by computer – email & websites / cell phone.

Arrangements for liaisons are made using the computer: flight and hotel reservations.

Pornography, Pornography, Pornography…

Page 7: A Typical Digital Forensics Investigation

An actual domestic relations case example. The names of the parties have been changed to protect their identities.

Page 8: Scenario

Domestic Relations Matter

Lisa – Wife of client having an affair.

Paramour: "Michael"

Email Address: "[email protected]"

Lisa has installed a new web cam.

Explicit emails recovered referring to the web cam.

Michael claims to be 41 years old.

Lisa has taken a trip to ??

Goal: Locate Paramour (and Lisa)

Page 9: Procedure – Search for web cam related content

MPGs are a popular movie format, along with MOV and WMV.

A search for MPGs turns up many fragments and some link (.lnk) files containing information about movies accessed on this computer.

One "lisa" movie link file is found, but the lisa movie itself is not found on the hard drive.

It may contain important evidence.

Page 10: Evidence – LisaMOV00396.LNK

LisaMOV00396[87073].lnk.html

Shortcut File

Link target information

Local Path: C:\Documents and Settings\lisa\My Documents\My eBooks\LisaMOV00396.MPG
Volume Type: Fixed Disk
Volume Serial Number: 3C16-A175
File size: 0
Creation time (UTC): N/A
Last write time (UTC): N/A
Last access time (UTC): N/A

Optional fields

Relative Path: ..\My Documents\My eBooks\LisaMOV00396.MPG
Working directory: C:\Documents and Settings\lisa\My Documents\My eBooks
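The fields on this slide are read straight out of the Shell Link (.lnk) file: the MAC times and file size sit in the 76-byte header, the local path and volume serial number in the LinkInfo structure, and the relative path and working directory in the StringData section (all per Microsoft's MS-SHLLINK specification). The Python below is an added example written for this page, not code from the presentation or from any forensic tool. It builds a constructed .lnk fixture carrying the values shown above (the fixture builder, its Unicode-string layout and the empty volume label are assumptions made for illustration) and then parses it the way a link-file parser does, so the reader can see where a "file size 0, timestamps N/A" record comes from.

```python
import struct
from datetime import datetime, timedelta, timezone

# LinkFlags bits (MS-SHLLINK 2.1.1); only the ones needed here
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
DRIVE_TYPES = {2: "Removable", 3: "Fixed Disk", 4: "Remote", 5: "CD-ROM", 6: "RAM Disk"}
HEADER = "<I16sIIQQQIIIHHII"  # size, CLSID, flags, attrs, ctime, atime, wtime, size, icon, show, hotkey, 3 reserved


def filetime_to_dt(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means the field was never set (shown as N/A)."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Extract target path, volume, size and MAC times from a .lnk file (the IDList is skipped, not decoded)."""
    hdr = struct.unpack_from(HEADER, data, 0)
    if hdr[0] != 0x4C or hdr[1] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, ctime, atime, wtime, fsize = hdr[2], hdr[4], hdr[5], hdr[6], hdr[7]
    out = {"file_size": fsize, "creation": filetime_to_dt(ctime),
           "last_access": filetime_to_dt(atime), "last_write": filetime_to_dt(wtime)}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # skip the shell item ID list
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, vol_off, base_off, _net_off, _suffix_off = \
            struct.unpack_from("<IIIIIII", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath present
            _vol_size, drive_type, serial, _label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            out["volume_type"] = DRIVE_TYPES.get(drive_type, "Unknown (%d)" % drive_type)
            out["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            out["local_path"] = _cstr(data, pos + base_off)
        pos += li_size
    for bit, key in STRING_FIELDS:  # StringData: 2-byte char count, then the text, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[key], pos = data[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
            else:
                out[key], pos = data[pos:pos + n].decode("cp1252"), pos + n
    return out


def build_lnk(local_path, relative_path, working_dir, serial, file_size=0, ctime=0, atime=0, wtime=0):
    """Constructed fixture: a minimal but spec-conformant .lnk (no IDList, fixed-disk VolumeID, Unicode strings)."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack(HEADER, 0x4C, LINK_CLSID, flags, 0x20, ctime, atime, wtime,
                         file_size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, serial, 0x10) + b"\x00"  # 16-byte header + empty label
    base = local_path.encode("cp1252") + b"\x00"
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x01, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, working_dir))
    return header + link_info + strings + b"\x00\x00\x00\x00"  # TerminalBlock ends the ExtraData section


# The values from the slide, rebuilt into a fixture (assumed, for illustration only)
SAMPLE_LNK = build_lnk(r"C:\Documents and Settings\lisa\My Documents\My eBooks\LisaMOV00396.MPG",
                       r"..\My Documents\My eBooks\LisaMOV00396.MPG",
                       r"C:\Documents and Settings\lisa\My Documents\My eBooks", 0x3C16A175)

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print("%-14s %s" % (k, "N/A" if v is None else v))
```

The point for the examiner is that the link file keeps its own copy of the target's path, volume serial and size: that copy survives after the target is deleted, and a volume serial that does not match the imaged drive tells you the movie lived on another disk.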

Page 11: Procedure

Do a keyword search for "LisaMOV00396.MPG".

There were no files by that name on the hard drive.

Search the Recycler for LisaMOV00396.MPG.

Page 12: Evidence – INFO2.DAT

Recycle Bin Index …

Filename: Dc73.MPG
Original Name: C:\Documents and Settings\lisa\My Documents\My eBooks\LisaMOV00396.MPG
Date Recycled: 7/22/2006 2:34:03 PM
Removed from Bin: No

(The movie has been renamed Dc73.MPG by the Recycler, and is still intact!)
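The four fields on this slide map onto one fixed-size record in the Recycler's INFO2 index: the Recycler renames a deleted file to D<drive letter><record index>.<original extension> and stores the original path, drive number, deletion FILETIME and size in INFO2 (Windows 2000/XP use 800-byte records with an ANSI and a UTF-16 copy of the path; Windows 9x used 280-byte ANSI-only records). When the user later restores or purges an entry, the first byte of the ANSI path is zeroed but the rest of the record stays, which is how a tool reports "Removed from Bin". The following Python is an added example written for this page, not code from the presentation or from FTK/EnCase; the INFO2 fixture it parses is constructed from the slide's values, and the 2:34:03 PM stamp is treated as UTC for simplicity.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20    # version, two reserved DWORDs, record size, total size
RECORD_NT = 800     # Windows 2000/XP: ANSI path + index/drive/time/size + UTF-16 path
RECORD_9X = 280     # Windows 9x: ANSI path + index/drive/time/size only


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_info2(data):
    """Walk the INFO2 index and rebuild, for each record, the name the Recycler gave the file,
    its original path, deletion time, size and whether it has since been restored or purged."""
    version, _, _, rec_size, _ = struct.unpack_from("<IIIII", data, 0)
    if rec_size not in (RECORD_NT, RECORD_9X):
        raise ValueError("unexpected INFO2 record size %d (version %d)" % (rec_size, version))
    records = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        removed = rec[0] == 0  # first byte of the ANSI path is zeroed on restore/purge
        if rec_size == RECORD_NT:
            original = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        else:  # 9x: only the ANSI copy exists, and its first character is lost once removed
            original = rec[:260].split(b"\x00", 1)[0].decode("cp1252")
        name = original.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        records.append({
            "recycled_name": "D%s%d%s" % (chr(ord("a") + drive), index, ext),
            "original": original,
            "deleted": filetime_to_dt(ft),
            "size": size,
            "removed_from_bin": removed,
        })
    return records


def build_info2(entries):
    """Constructed fixture in the 2000/XP layout; entries are (path, index, drive, deleted_at, size, removed)."""
    body = b""
    for path, index, drive, deleted_at, size, removed in entries:
        ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
        if removed:
            ansi = b"\x00" + ansi[1:]
        uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
        body += ansi + struct.pack("<IIQI", index, drive, dt_to_filetime(deleted_at), size) + uni
    return struct.pack("<IIIII", 5, 0, 0, RECORD_NT, HEADER_SIZE + len(body)) + body


# Fixture mirroring the slide (drive 2 = C:), plus a second, already-purged entry for contrast
SAMPLE_INFO2 = build_info2([
    (r"C:\Documents and Settings\lisa\My Documents\My eBooks\LisaMOV00396.MPG", 73, 2,
     datetime(2006, 7, 22, 14, 34, 3, tzinfo=timezone.utc), 12_582_912, False),
    (r"C:\Documents and Settings\lisa\My Documents\notes.txt", 74, 2,
     datetime(2006, 7, 22, 14, 35, 10, tzinfo=timezone.utc), 4_096, True),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r)
```

Because the Dc73.MPG name is derived rather than stored, the parser is what lets you go from "no file called LisaMOV00396.MPG" to the intact movie sitting in the RECYCLER directory; the deletion timestamp is the same one used on page 32 to date the spoliation.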

Page 13: Evidence – DC73.MPG

Listen to the accent in the speaker's voice.

Page 14: Procedure – Search hard drive for "metro6969"

A keyword search for "metro6969" turns up many explicit emails between Lisa and Michael.

One email contains Michael's business email signature, probably by accident.

Page 15: Evidence – Email

(Signature from paramour's deleted email recovered with FTK)

……

Michael E. Smith

Metropolitan Plumbing Co., Inc.

Page 16: Procedure – Look up Company

Using the accent as a guide (New England), search for business filings on D&B for "Metropolitan Plumbing Co."

Page 17: Business Report from D&B

Comprehensive Business Report

Company Name: METROPOLITAN PLUMBING CO INC
Address: HICKSVILLE, MA 02799
Phone: (508) 632-6969
FEIN: 00-000000

Associated People / Business Contacts:
MICHAEL SMITH, SSN: 025-55-0000, Date Last Seen: Apr, 2005, HICKSVILLE, MA 02799
MICHAEL SMITH, SSN: 025-55-0000, PRESIDENT, Date Last Seen: Apr, 2006

Page 18: Procedure – Use SSN to Locate Paramour

Using the IRBSearch.com person search, look up the SSN to produce a background report on the paramour.

Page 19: Evidence – Background Report

Subject Information:

Name: MICHAEL E SMITH
Date of Birth: 04/1965
Age: 41
SSN: 025-55-0000, issued in Massachusetts between 01/01/1971 and 12/31/1973

Active Address(es):

MICHAEL E SMITH – 591 MARKET ST, FRANCIS MA 02099-1513, NORFOLK COUNTY (May 1993 – Sep 2006)
SMITH MARY ANNE (508) 540-1234

Page 20: Eureka!

It's now a simple matter to place Michael under surveillance and have him lead us to Lisa, who is waiting for him at a local roadside motel.

Page 21: Issues confronting the use of CF in Family Court

Issue #1: Willful Spoliation – An increasingly common occurrence

Page 22: Issues affecting CF in Family Law Matters

#1 Issue: Spoliation

Willful, deliberate spoliation is becoming an increasingly common occurrence in domestic relations matters.

Page 23: Typical example of willful spoliation

You are called in to examine a computer produced in response to a court order. Upon opening the case of the eight-year-old computer, which you note was missing the screws that hold the cover closed, you observe the following…

Page 24: Actual Evidence Photo 1

Dust Bunnies!

Page 25: Actual Evidence Photo 2

Cob Webs!

Page 26: Actual Evidence Photo 3

Page 27: Actual Evidence Photo 4

The Hard Drive was pristine, almost sterile.

Page 28: Rule #1: Parties cheat in e-discovery, especially in domestic relations cases.

Never assume that material produced during the course of electronic discovery is complete or authentic; use forensic evidence to establish authenticity.

Electronic data is fragile and easily lost or manipulated.

Page 29: Rule #1: Parties cheat in e-discovery, especially in domestic relations cases.

Opposing counsel are usually well-meaning, but clients are often beyond their control.

Clients often have an unreasonable belief that they will not get caught.

Hire a knowledgeable computer forensics expert to review materials produced during electronic discovery.

Page 30: Most common method of spoliation: Wiping Programs (Anti-forensics)

Wiping software makes data recovery difficult or impossible by deleting and overwriting data on the hard drive.

Wiping can be detected in two ways:

Detect disk wiping by examining the data in disk sectors for regular patterns indicative of wiping.

Detect the wiping software itself (the installed program or its remnants) by searching the drive for known wiping tools, e.g. with Gargoyle Investigator™ Forensic Pro software.

Page 31: 2nd most common method of spoliation: Evidence Tampering

Includes any attempt to alter the data on the hard drive.

Most commonly done by reformatting the hard drive and reloading the O/S (Windows).

The original data is usually at least partially recoverable after a reformat / reload.

Other tampering includes changing time and date stamps on files to pre- or post-date them.

Rarely, we have seen one spouse fabricate evidence to appear as if the other spouse was responsible for data remaining on the hard drive.

Page 32: How can evidence tampering be detected?

Analysis of artifacts within several key areas of the hard drive can lead to conclusive evidence of willful spoliation and evidence tampering (for example, reformatting the HD).

The key areas include:

Windows Registry

Link files – show files that were on the system and when

Event Logs – show when/if the system clock was reset

Disk Partition and System Directory Metadata – show when the hard drive was reformatted and the Windows install date

Keyword searches for deleted data in unallocated drive free space

Deletion dates obtained from the Recycler INFO2 structure

Page 33: The Windows Registry

The Windows Registry can conceptually be thought of as a special directory where Windows and other software programs store system data needed for proper operation of the operating system and installed software. User activity within Windows is tracked and stored in the Registry.

Page 34: The files that constitute the Windows XP Registry

Windows\System32\config\ directory: SYSTEM, SOFTWARE, SAM, SECURITY

Documents and Settings\<User>\NTUSER.DAT

(On Windows 9x/Me the registry is instead held in \WINDOWS\SYSTEM.DAT and USER.DAT, which is what the W v. H evidence below shows.)

Page 35: Metadata

What is metadata? Metadata gives any kind of data context. Any item of data is a description of something. Metadata is a type of data where the something being described is data. Or, as it is often put, metadata is data about data.

Page 36: Microsoft Office Metadata

Microsoft Office files include metadata beyond their printable content, such as the original author's name, the creation, modification, and access date and time of the document, and the amount of time spent editing it. Unintentional disclosure can be awkward or even raise malpractice concerns.

Page 37: Metadata is essential as a means of determining the install date for Windows and the date of hard drive formatting.

Folders (subdirectories) are just a special type of file. As such they have file creation date and time metadata associated with them.

The Windows folder and the system32 subfolder (among others) are created when Windows is installed. The creation date metadata on the Windows folder can tell you when Windows was installed. This can indicate that the hard drive has been tampered with.

The metadata on the root folder, and on the bad cluster and partition files (on NTFS, the $BadClus and $Boot system files, which are written when the volume is formatted), can tell you when the partition was created, usually when the drive was formatted.

Page 38: Metadata is discoverable!

Williams v. Sprint/United Mgmt. Co., 2005 U.S. Dist. LEXIS 21966 (D. Kan. Sept. 29, 2005).

The Williams court established the following standard:

[W]hen a party is ordered to produce electronic documents as they are maintained in the ordinary course of business, the producing party should produce the electronic documents with their meta data intact, unless that party timely objects to production of meta data, the parties agree that the meta data should not be produced, or the producing party requests a protective order. Id.

Page 39: Typical Case Example: W v. H

Custody matter between W and her former husband H.

W has joint custody with H over their 4-year-old daughter. (W's behavior increasingly erratic. Possibly dangerous.)

H and his new wife seek sole custody.

W allegedly tells a friend via email that "she will sooner kill the child and H, than turn her over to his custody."

Page 40: W v. H

Attorney for H issues a subpoena for W's computer so he can have the emails examined.

W's attorney files a motion to quash the subpoena.

On July 20, the Judge issues an order from the bench for W to turn the computer over to her attorney so it can be examined by H's expert.

Page 41: W v. H

On July 25th the signed order arrives at W's attorney's office.

On July 27th W brings the computer to her attorney's office for examination.

I examine and copy the computer in W's attorney's office on August 1st.

During my exam, I take the following photos of the computer:

Page 42: Evidence Photos from Aug 1st

Hard drive pristine!

Page 43: W v. H – Forensic Evidence: EnCase Image from W's Hard Drive

Case Information:
Case Number: 2005-29
Evidence Number: 1
Unique Description: Maxtor 4GB
Examiner: SM Abrams
Notes: Maxtor 4GB from Dell Tower

--------------------------------------------------------------

Information for E:\image\maxtor4gb:

Physical Evidentiary Item (Source) Information:
Drive Interface Type: USB
Drive Model: Maxtor 8 4320D5 USB Device
[Drive Geometry]
Bytes per Sector: 512
Cylinders: 525
Sectors per Track: 63
Sector Count: 8,437,500
Tracks per Cylinder: 255
Source data size: 4119 MB
Sector count: 8437500
MD5 checksum: bf7c9baa773530bb3300fbf3aa5c5f60
SHA1 checksum: 6a3965440b9df1a4b61a2e12ff555ec60238f42d

Image Information:
Segment list: E:\image\maxtor4gb.E01

Image Verification Results:
MD5 checksum: bf7c9baa773530bb3300fbf3aa5c5f60 : verified
SHA1 checksum: 6a3965440b9df1a4b61a2e12ff555ec60238f42d : verified

Page 44: W v. H – Forensic Evidence: EnCase Image from W's Hard Drive

"555555555555555…"

Data on the hard drive largely consisted of 0x35, or ASCII '5's.

In binary this is "00110101", which is a common wiping pattern.
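The check page 30 describes, "examining the data in disk sectors for regular patterns indicative of wiping", can be reduced to classifying each 512-byte sector and looking at how the classes cluster across the volume. A single non-zero byte repeated over most of the drive (the 0x35 above) is the signature of a constant-fill pass; a random-byte pass shows up as uniformly high entropy everywhere, which also describes full-disk encryption and must be corroborated; a plain zero fill on its own proves little, because a new or freshly formatted drive is mostly zeros anyway. The Python below is an added example written for this page, not code from the presentation or from EnCase, FTK or Gargoyle. The image it scans is constructed in build_image() (a 0x35 fill like the W v. H drive plus some zero, text and random sectors); the 7.0-bit entropy threshold and the 50% "most of the volume" cut-off are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

SECTOR = 512


def entropy(buf):
    """Shannon entropy in bits per byte: 0 for a constant fill, about 7.6 for 512 random bytes, 4-5 for English text."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_sector(sec):
    """'zero', 'fill:0xNN' (one repeated byte), 'random' (entropy above 7.0) or 'data'."""
    if sec.count(sec[0]) == len(sec):
        return "zero" if sec[0] == 0 else "fill:0x%02X" % sec[0]
    return "random" if entropy(sec) > 7.0 else "data"


def scan_image(image, sector=SECTOR):
    """Classify every sector and record the longest contiguous run of each class as (length, first sector)."""
    labels = [classify_sector(image[i:i + sector]) for i in range(0, len(image), sector)]
    longest, start = {}, 0
    for i in range(1, len(labels) + 1):
        if i == len(labels) or labels[i] != labels[start]:
            lab = labels[start]
            if i - start > longest.get(lab, (0, 0))[0]:
                longest[lab] = (i - start, start)
            start = i
    return {"sectors": len(labels), "counts": Counter(labels), "longest_run": longest}


def wipe_indicators(report, min_fraction=0.5):
    """Classes consistent with a wiping pass: a non-zero constant byte or random bytes covering at least
    min_fraction of the volume.  Zero fill is deliberately not flagged on its own, and 'data' never is."""
    total = report["sectors"]
    return sorted(lab for lab, n in report["counts"].items()
                  if lab not in ("zero", "data") and n / total >= min_fraction)


def build_image():
    """Constructed 1,600-sector image: 1,500 sectors of 0x35, 50 of zeros, 20 of text, 30 of random bytes."""
    rng = random.Random(2008)
    text = (b"Lisa, see you at the motel on Friday. -M\r\n" * 20)[:SECTOR]
    return (b"\x35" * SECTOR * 1500 + b"\x00" * SECTOR * 50 + text * 20
            + b"".join(bytes(rng.getrandbits(8) for _ in range(SECTOR)) for _ in range(30)))


if __name__ == "__main__":
    rep = scan_image(build_image())
    for lab, n in rep["counts"].most_common():
        print("%-10s %5d sectors, longest run %d from sector %d" % ((lab, n) + rep["longest_run"][lab]))
    print("wipe indicators:", wipe_indicators(rep))
```

On a real image you would feed scan_image() the raw device or the exported .E01 contents in sector-aligned chunks and pay most attention to where the fill runs sit: a constant byte in slack, in unallocated space and inside the partition table area, where no normal use ever writes that value, is what makes the pattern evidence of a deliberate pass rather than an artifact of one application.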

Page 45: W v. H – Forensic Evidence: Windows First Run Log dated 7/25

File: Frunlog.lnk
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\Recent\Frunlog.lnk
Alias:
Extension: lnk
File Type: Shortcut File
Category: Other
Subject:
Created: 7/25/2005 5:48:42 PM
Modified: 7/25/2005 5:48:44 PM
Accessed: 7/26/2005

Page 46: W v. H – Forensic Evidence: Registry files created 7/25/05

File: SYSTEM.DAT
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\SYSTEM.DAT
Alias:
Extension: DAT
File Type: Windows 9x/Me Registry File
Category: Other
Subject:
Created: 7/25/2005 10:37:22 PM
Modified: 7/26/2005 6:17:06 PM
Accessed: 7/26/2005

Page 47

W v. H – Forensic Evidence: Registry files created 7/25/05

File: USER.DAT
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\USER.DAT
Alias:
Extension: DAT
File Type: Windows 9x/Me Registry File
Category: Other
Subject:
Created: 7/26/2005 6:13:06 PM
Modified: 7/26/2005 6:17:06 PM
Accessed: 7/26/2005

Page 48

W v. H – Forensic Evidence: W’s password file created on 7/25

File: MARY.PWL
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\MARY.PWL
Alias:
Extension: PWL
File Type: Windows PWL file (new)
Category: Other
Subject:
Created: 7/25/2005 5:37:22 PM
Modified: 7/25/2005 5:37:24 PM
Accessed: 7/26/2005

Page 49

W v. H – Forensic Evidence: ScanDisk runs as part of the Windows 9x install on 7/25

File: SCANDISK.LOG
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\SCANDISK.LOG
Alias:
Extension: LOG
File Type: Unknown File Type
Category: Unknown
Subject:
Created: 7/25/2005 8:22:54 PM
Modified: 7/25/2005 8:22:56 PM
Accessed: 7/25/2005

Page 50

W v. H – Forensic Evidence

W deleted files in an attempt to cover up the 7/25 Windows install.

Recycle Bin Index
Filename: Dc0.TXT
Original Name: C:\SETUPXLG.TXT
Date Recycled: 7/25/2005 5:48:41 PM
Removed from Bin: Yes
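The file entries on pages 45 through 50 read as a single timeline once their timestamps are put in order. The following Python is an added example, not code from the presentation or from EnCase: it retypes those entries as constructed text, splits each `Key: value` line at the first colon (paths and clock times contain colons of their own), and sorts every Created, Modified and Date Recycled stamp into one list. The field names and the date format are taken from the slides; treating the FAT timestamps as already in local time is an assumption.

```python
"""Added example (not from the presentation): parse EnCase-style file
entries like the ones on the slides above into one MAC-style timeline, so
the order of the install artefacts (password file, recycled setup log,
first-run log, ScanDisk log, registry hives) can be read at a glance."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed input: the six entries from the slides, retyped as text.
# A raw string keeps the backslashes in the paths intact.
RECORDS = r"""
File: Frunlog.lnk
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\Recent\Frunlog.lnk
File Type: Shortcut File
Created: 7/25/2005 5:48:42 PM
Modified: 7/25/2005 5:48:44 PM
Accessed: 7/26/2005

File: SYSTEM.DAT
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\SYSTEM.DAT
File Type: Windows 9x/Me Registry File
Created: 7/25/2005 10:37:22 PM
Modified: 7/26/2005 6:17:06 PM
Accessed: 7/26/2005

File: USER.DAT
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\USER.DAT
File Type: Windows 9x/Me Registry File
Created: 7/26/2005 6:13:06 PM
Modified: 7/26/2005 6:17:06 PM
Accessed: 7/26/2005

File: MARY.PWL
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\MARY.PWL
File Type: Windows PWL file (new)
Created: 7/25/2005 5:37:22 PM
Modified: 7/25/2005 5:37:24 PM
Accessed: 7/26/2005

File: SCANDISK.LOG
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\SCANDISK.LOG
File Type: Unknown File Type
Created: 7/25/2005 8:22:54 PM
Modified: 7/25/2005 8:22:56 PM
Accessed: 7/25/2005

Filename: Dc0.TXT
Original Name: C:\SETUPXLG.TXT
Date Recycled: 7/25/2005 5:48:41 PM
Removed from Bin: Yes
"""

TS_FMT = "%m/%d/%Y %I:%M:%S %p"           # e.g. 7/25/2005 5:48:42 PM
EVENT_FIELDS = ("Created", "Modified", "Date Recycled")
Event = Tuple[datetime, str, str]         # (timestamp, event kind, file name)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split on blank lines, then split each 'Key: value' line at the first
    colon only, so 'C:\\...' paths and 'hh:mm:ss' times survive intact."""
    records: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def build_timeline(records: List[Dict[str, str]]) -> List[Event]:
    """One event per timestamped field, sorted oldest first. The date-only
    'Accessed' field has no clock time and is deliberately left out."""
    events: List[Event] = []
    for rec in records:
        name = rec.get("File") or rec.get("Original Name") or rec.get("Filename", "?")
        for field in EVENT_FIELDS:
            if field in rec:
                events.append((datetime.strptime(rec[field], TS_FMT), field.lower(), name))
    return sorted(events)


def events_after(timeline: List[Event], cutoff: str) -> List[Event]:
    """Everything from a date of interest (m/d/yyyy) onward, e.g. the day
    the party learned that a court order was on its way."""
    cut = datetime.strptime(cutoff, "%m/%d/%Y")
    return [ev for ev in timeline if ev[0] >= cut]


def format_timeline(timeline: List[Event]) -> List[str]:
    """Plain-text rows suitable for an exhibit or a report appendix."""
    return [f"{ts:%Y-%m-%d %H:%M:%S} {kind} {name}" for ts, kind, name in timeline]


if __name__ == "__main__":
    tl = build_timeline(parse_records(RECORDS))
    print("\n".join(format_timeline(tl)))
    print(len(events_after(tl, "7/26/2005")), "events on or after 7/26/2005")
```

The output puts MARY.PWL first (5:37 PM on 7/25), the recycled SETUPXLG.TXT one second before the first-run shortcut, and the registry hives last; the same loop runs over a full EnCase export rather than the six hand-typed entries.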

Page 51

W v. H – Forensic Evidence: W swapped the HD in a Dell Dimension XPS

• The computer was manufactured by Dell.

• Dell maintains an online inventory of all systems shipped. Dell reported that W’s computer was shipped on 10/15/1997 with an IBM 6.4GB hard drive.

• I found a Maxtor 4.0GB hard drive installed in W’s machine. It was not the original hard drive!

Who upgrades by putting in a smaller / older hard drive than the original?

Page 52

W v. H – Conclusion and Consequences

I determined:

• The drive was swapped.

• The replacement hard drive had been wiped with “5’s”.

• Windows was installed on the evening that W found out about the court order arriving at her attorney’s office.

• Possibility: W may still have the original hard drive.

W faced contempt of court for not producing the HD. H opted for civil contempt because we felt W still had the original hard drive and failed to produce it. The case settled before the RSC hearing.

Page 53

Possible Remedies for Spoliation

Least Serious: Monetary Sanctions

Less Serious: Negative Inference

Most Serious: If P, Dismiss Case; If D, Strike Answer, Default Judgment

Page 54

Consequences of cheating on e-discovery: Dismissal of Plaintiff’s case

QZO, Inc. v. Moyer, 594 S.E.2d 541 (S.C. Ct. App. 2004).

Summary: The appellate court affirmed dismissal in this trade secret case where a former corporate officer had “reformatted” his hard drive a day before delivering the computer to the plaintiff’s expert pursuant to a court order.

Page 55

Consequences of cheating on e-discovery: Strike Δ’s Answer, Default Judgment

Commissioner v. Ward, 2003 N.C. App. LEXIS 1099 (N.C. Ct. App. 2003). Docket #: 02-838

Summary: The defendants refused to cooperate in discovery matters, which required plaintiff's counsel to file three different motions to compel. At one of the storage locations the plaintiff found DAT tapes, discs, cassettes, videos, CD ROMs and other electronic data. The DAT tapes were obsolete and the data could not be accessed without knowledge of the underlying software. The defendant admitted accessing the tapes at an earlier time, but refused to answer questions about the software during deposition proceedings. The Court found that the defendants had willfully and intentionally refused to comply with the discovery order, and the lower court struck the defendant's answer, prevented defendants from defending and granted default judgment against certain claims. The appellate court affirmed the ruling.

Page 56

Consequences of cheating on e-discovery: Negative Inference

Arndt v. First Union Nat'l Bank, 613 S.E.2d 274 (N.C. Ct. App. 2005). Docket #: COA04-807

Summary: An employer appealed the decision of the jury awarding a former employee wages lost as a result of a unilateral change to his bonus plan. On appeal, the Court affirmed the rulings of the lower court, including an adverse inference imposed for failure of the employer to issue a litigation hold after litigation was apparent. The employer failed to preserve certain e-mail and profit and loss electronic documents.

The adverse inference instruction read as follows: "Evidence has been received that tends to show that certain profit and loss statements and E-mails were in the exclusive possession of the defendant, First Union; and, [sic] have not been produced for inspection, by the plaintiff or his counsel, even though defendant, First Union, was aware of the plaintiff's claim. From this, you may infer, though you are not compelled to do so, that the profit and loss statements and the E-mails would be damaging to the defendant. You may give this inference such force and effect as you think it should have, under all the facts and circumstances. You are permitted this inference, even if there is no evidence that the defendant acted intentionally, negligently or in bad faith. However, you should not make this inference, if you find that there a [sic] fair frank and satisfactory explanation for the defendant's failure to produce the documents."


Page 59

Issues confronting the use of CF in Family Court

Issue #2: Unqualified and Unlicensed Computer Forensics Practitioners

Page 60

July 27, 2007 http://www.usdoj.gov/usao/cae

BOGUS EXPERT IN COMPUTER FORENSICS SENTENCED TO 21-MONTH PRISON TERM FOR PERJURY

FRESNO – United States Attorney McGregor W. Scott announced today JAMES EARL EDMISTON, 36, of Long Beach, California, was sentenced by United States District Judge Lawrence J. O’Neill in Fresno to a prison term of 21 months for his convictions of two counts of perjury. He will also be required to serve a term of supervised release of 36 months upon his release from custody.


Page 61

EDMISTON had been retained by at least two Fresno criminal defense attorneys to provide computer forensic analysis in several child sexual exploitation prosecutions.

As part of his work on those cases, EDMISTON prepared and executed declarations under penalty of perjury in which he claimed that he had been a computer consultant for twelve (12) years, that he had a master’s degree in computer engineering from the California Institute of Technology, and that he had been qualified as an expert witness in computers and their online usage by numerous state and federal courts throughout California.

An investigation revealed that EDMISTON did not, in fact, have degrees from the California Institute of Technology, the University of California at Los Angeles, or the University of Nevada at Las Vegas, as he alleged.

Court documents show that EDMISTON also concealed his prior criminal record that includes a prison term that he served in the mid-1990s as a result of forgery convictions in the California Superior Court, Los Angeles County.

Page 62

Despite a lack of credentials to do so, EDMISTON did, in fact, testify under oath as an “expert” in cases in courts in California.

In sentencing EDMISTON to prison, Judge O’Neill specifically commented that,

“the defendant’s crimes went to the very heart of the judicial system which is designed to seek the truth in each case.”

Page 63

35 States Requiring PI Licenses for Computer Forensics and E-discovery Practitioners

Arizona, Arkansas, Connecticut, Florida, Georgia(?), Hawaii, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, West Virginia, Wisconsin (As of 7/2007)

Page 64

SC law requires Computer Forensic Practitioners to be licensed.

• PI License (SC Title 40, Chap. 18): “securing evidence” for a civil or criminal legal proceeding.

• Exempts licensed Attorney, CPA, or Engineer.

• Exempts employees doing internal investigation for employer, unless employer is a PI Agency.

• SC Attorney General Opinion (April 2007): SLED to promulgate specific regulations for computer forensics firms. SLED CF Committee working on stiffer regulations now.

• Out-of-state CF vendors must be licensed in SC if evidence is collected here, or destined for use in a legal proceeding here. (Accountability, long-arm access)

Page 65

Issues confronting the use of CF in Family Court

Issue #3: Lack of uniform rules for e-discovery in state court.

Page 66

• Need for certainty in e-discovery matters heard in State Court, as there is in Federal Court under the revised FRCP.

• The FRCP 2006 revisions have leveled the playing field in federal court in matters involving discovery of electronically stored information.

• Comparable revisions in the State rules of civil procedure are needed to promote certainty and fairness to all parties, and to simplify the job of the court.

• National Conference of Commissioners on Uniform State Laws – Model Rules

Page 67

Take Home Message

1. Check licenses and credentials of CF examiners. (Degrees vs. certification)

2. Question the validity of CF evidence.

3. Consider stiffer sanctions for willful spoliation to curb abuses of the discovery process.

4. Promote the adoption of uniform rules for e-discovery in State Courts.

Page 68

Questions?

Abrams Millonzi Law Firm, P.C.
Abrams Computer Forensics
1558 Ben Sawyer Blvd., Suite D
Mount Pleasant, SC 29464
(843) 216-1100
[email protected]