~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proving Spoliation with Computer Forensics
With electronic discovery and computer forensics, there are varying methods in which spoliation occurs. In one instance, there could be failure to properly implement a litigation hold. This can occur when there is a "disconnect" between counsel and technical personnel. The opinion and order from Zubulake v. UBS Warburg summarizes this situation best, "What we've got here is a failure to communicate." On the other hand, there are blatant acts to destroy, hide, or withhold information stored on a computer. In either scenario, computer forensics will help you determine and likely prove the spoliation that has occurred.
For those of you that have worked directly with your client's IT department in a discovery request, I am sure that you can understand how difficult it can be to determine whether or not they completely understand what a litigation hold means to their department. Trust me, if they agree to implement the litigation hold without complaining, they do not understand. They often state that the custodians will be told not to delete anything. What they often fail to tell you are the little things of importance such as:
· They have an email retention policy that automatically deletes email older than 365 days.· The email program used by the custodian automatically deletes all email sent and deleted when they close it.· All of the data for that custodian is on their PC and is not backed up.· The backup tapes will start overwriting in 2 weeks.
These are the simple miscommunications that you can almost guarantee will cause issues in your discovery process if not addressed at the appropriate time. My September and October newsletters go into detail of how to avoid this situation by working with your clients to gather the information prior to litigation ever occurring. For those clients that do not take the prospect of ediscovery affecting them, my November newsletter was written to assist you.
While miscommunications are often the source for spoliation that does occur in ediscovery, attempts of deliberate spoliation are a different story. Not only can computer forensic professionals oftentimes recovery the deleted information, we can also prove the act of spoliation. Let's walk through some examples from cases that Forensic Discoveries has handled and an example from a colleague:
· In theft of intellectual property case, the defendant was given order not to alter any information on their computer. On the night that the defendant was given the order, numerous files that contained relevant information were deleted and recovered from the windows recycle bin.
· In a routine discovery effort in a divorce case to determine hidden assets, it was found that the computer hard drive had been formatted and the Microsoft Windows operating system had been reinstalled two days prior to being provided to opposing counsel for analysis.
· In a product liability case, emails discussing the dangers of the product between product development and senior management had been deleted less than one week after the preservation order had been issued.
· In an investigation involving insurance fraud, it was found that the accused had deleted the Internet browser history on the computer prior to the investigation. Recovering the Internet history found the computer owner had been researching topics on google such as "how to burn a house" and "how long to collect insurance money".
· In a contract dispute, it was found that various documents that contained meeting minutes, that had digital copies of board member signatures, had been altered prior to being produced.
In some instances, it may not be possible to recover the information. As the typical computer user is becoming aware, the "delete" key isn't labeled properly. The "delete" key should be relabeled to "hide" because it simply hides the information from the operating system waiting to be found by a computer forensics professional. To be a bit more thorough, destructive computer programs are being used to destroy the information. There are many applications that serve this function such as "file shredder", "windows washer", "eraser", and my personal favorite "evidence eliminator". "Evidence eliminator" is not my favorite based on its functionality but because the name alone welcomes suspicion and its behavior is the most obvious to detect in a computer forensics examination. While some people know that the delete key does little more than entertain you, the majority does not know that most operating systems keep track of the name of the program that was executed, when it was executed, and how many times it has been executed. There is currently a case in California in which this capability is getting some press. These "wiping" programs will make it difficult to recover the data that was destroyed in its entirety. However, being able to prove that these programs were executed could easily lead one to conclude that the information deleted was unfavorable to the spoliator.
Spoliation during electronic discovery can be attributed to different factors. Although it doesn't help the situation or improve the situation in the eyes of the courts, miscommunications can be a major contributor. On the other end of the spectrum are deliberate efforts to withhold, hide, or destroy information. The use of computer forensics will assist in possibly recovering the information and proving the act of spoliation.
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Finding a Computer Forensics Expert
Below is a very good article on finding the right computer forensics expert for you and your firm. If you do not already have a law.com login, you will need to create one to log in.
"In some areas of modern litigation, the entire case is driven by the findings of computer forensic experts. Even in garden variety e-discovery cases, the aid of a computer forensic expert can be essential to assess document authenticity, production compliance and the existence of spoliation. Gregory L. Fordham of K&F Consulting, Inc., discusses how to find and select a computer forensic expert."
Read the complete article here
If you would like a copy of my curriculum vitae or resume, please send me an email with "CV" in the subject line and I will reply with a copy.
|
Justice Breyer Is Among Victims in Data Breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sometime late last year, an employee of a McLean investment firm
decided to trade some music, or maybe a movie, with like-minded users
of the online file-sharing network LimeWire while using a company
computer. In doing so, he inadvertently opened the private files of his
firm, Wagner Resource Group, to the public.
That exposed the
names, dates of birth and Social Security numbers of about 2,000 of the
firm's clients, including a number of high-powered lawyers and Supreme
Court Justice Stephen G. Breyer.
Read more here
|
Lawyer Gets Two Year Suspension for Breaking Into eMail Accounts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Charleston, West Virginia attorney Michael P. Markins has been suspended
of nine attorneys at another law firm. Markins, whose wife worked at
the other firm, suspected she was having an affair with one of her
clients. He accessed other attorneys' accounts out of curiosity. When
he resumes his practice, Markins must be supervised for one year. He
must also complete 12 hours of legal ethics education, and pay court
costs of more than US $1,500.
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDiscovery Case Law
Sixth Circuit Finds Demonstrable Abuse of Discretion in Trial Court's Order Requiring Forensic Imaging of State-Owned and Privately-Owned Computers by Plaintiffs' Computer Expert with Assistance from U.S. Marshal
John B. v. Goetz, 2008 WL 2520487 (6th Cir. June 26, 2008).
In this case, state defendants sought mandamus relief from two discovery orders issued by the district court during the course of the class-action litigation. The district court had issued the orders after a discovery dispute arose regarding defendants' duty to preserve and produce ESI relevant to the litigation. In the first order, the district court directed plaintiffs' computer expert and a court-appointed monitor to inspect the state's computer system and the computers of 50 key custodians to ascertain whether any relevant information has been impaired, compromised, or removed. The second order denied reconsideration of the first order and directed that the first order be executed forthwith. Both orders allowed plaintiffs' computer expert to make forensic copies of the hard drives of identified computers, including not only those at the work stations of the state's key custodians, but also any privately owned computers on which the custodians may have performed or received work. The orders also directed the U.S. Marshal, or his designated deputies, to accompany plaintiffs' computer expert to ensure full execution of the orders. The Sixth Circuit entered an emergency stay of implementation of the orders on December 7, 2007, which was previously summarized here. In this decision, the Sixth Circuit concluded that certain aspects of the district court's November 15 and 19 orders constituted a "demonstrable abuse of discretion." Accordingly, it granted, in part, defendants' petition for mandamus and set aside those provisions of the district court's orders that required the forensic imaging of state-owned and privately owned computers, including the provisions that required the U.S. Marshal or his designee to assist plaintiffs' computer expert in the execution of the orders.
Court Issues Forensics Protocol for Hard Drive Examination
Ferron v. Search Cactus, L.L.C., 2008 WL 1902499 (S.D.Ohio April 28, 2008).
In this case involving an alleged violation under the Ohio Consumer Sales Practices Act, the court ordered a protocol for viewing the information contained on the plaintiff's home and office computers. In considering the protocol, the court identified three categories of information contained on the plaintiff's hard drives: confidential personal information, attorney-client privileged information, and information relating to e-mail and website advertisements. The court ordered the plaintiff's computer forensic expert to mirror image the hard drives, removing information deemed personal and confidential that could not lead to the discovery of relevant information. Additionally, the court ordered the defendant's computer forensic expert to meet with the plaintiff to identify for deletion information that is irrelevant and create a privilege log of any relevant information which is privileged. Finally, the court ordered both parties to share the costs associated with their chosen computer forensic expert.After Plaintiff Deleted Hard Drive, Court Orders Adverse Jury Instruction Rather than Case Dismissal
Johnson v. Wells Fargo Home Mortg., Inc., 2008 WL 2142219 (D. Nev. May 16, 2008).
In this mortgage loans and credit dispute, the defendants filed a motion to dismiss, alleging evidence spoliation. Through forensic analysis, the defendants' computer forensic expert established that the plaintiff reformatted both laptops shortly after a production request for the hard drives, and also found two documents containing metadata suggesting the plaintiff created the documents one year later than claimed. Opposing the motion, the plaintiff claimed the hard drives were wiped and reformatted for maintenance purposes due to virus infections. The court ordered an adverse jury instruction creating a presumption in favor of the defendants finding the plaintiff acted willfully; was on notice that information contained on the hard drives was potentially relevant to litigation; and did not produce backup files despite numerous requests. The court reasoned that the harsh sanction of dismissal was not appropriate because the evidence secured by the defendants' computer forensic expert, combined with the adverse jury instruction, did not render it "helpless to rebut any material that [the] plaintiff might use to overcome the presumption" at trial.
INTERNATIONAL AIRPORT CENTERS, L.L.C., et al., Plaintiffs-Appellants,
v.
JACOB CITRIN, Defendant-Appellee.
Read the information here
| |
