Post Process

Everything to do with E-discovery & ESI

Archive for December 16th, 2009

A Tug of War over Forensics Applications and Formats

Posted by rjbiii on December 16, 2009

From two different blogs, we read of a fascinating criminal case involving a tug of war over evidence. Ultimately, the main points made by both the prosecution and defense missed the mark. A little knowledge could have gone a long way.

We begin by browsing over to Law Professor Susan Brenner's CYB3RCRIM3 blog, to a post entitled Encase v. Ghost. Here she describes the case of State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), in which a construction contractor specializing in building sunrooms was given a large deposit and money for materials, but allegedly never finished the job. At trial, Mr. Dingman was convicted of 16 counts of theft and 11 counts of money laundering. He appeals. Why?

Because of the tug of war over evidence residing on his computers. Prior to trial, Dingman requested access to the files on his computers, which had been seized by the State and were still locked up. The State evidently made EnCase images available to the defendant, but that wasn’t good enough. Why?

According to testimony, neither the Dingman legal team nor their forensics expert possessed a copy of the EnCase application (they thought) necessary to read the images. And EnCase cost over $3,000 and required another $1,500 for training, according to Defendant’s expert. In the Defense's view, the State should, as it had in the past, provide a copy of the hard drives in a non-EnCase format. Even better, it should allow the Defense to image the drives itself with its own tools. Ghost was specifically mentioned as the Defense’s tool of choice. The State objected. Why?

Evidently, the State believed that the hard drives could be damaged should they be released from custody, and that Ghost might produce an inaccurate copy. The State's expert noted that he had a copy of Ghost, but did not use the tool for forensics. The State also argued that it didn’t need to “conform” its investigation to the “whims” of the defense, and that the EnCase images had been happily accepted by all other defendants prior to this case. The trial court denied Defendant’s motion, and ordered the Prosecution to provide EnCase images to the Defense.

After granting one continuance to allow the Defense time to examine the drives, the trial court refused to grant a second, despite the Defense’s assertion that it had only been partially successful in reviewing the evidence. The Defense and their expert had only been able to access two of the nine drives, and on those two encountered files that they could not open. The trial continued, leading to the conviction of Mr. Dingman on several charges. Of course, we are not done. Why?

On appeal, the higher court cited a Federal district court decision stating that a defense expert should be able to “‘utilize his or her hardware or software.’” The prosecution had not established the need for appropriate restrictions limiting discovery in the manner that occurred in the instant case. The Court of Appeals continued by holding that the lower court had “erred by requiring that the State provide only an EnCase mirror image of Dingman’s hard drives to the defense.” The State Supreme Court declined to review the opinion, and Mr. Dingman gets a new trial, should the State decide to take a mulligan.

There is plenty wrong here. A lack of knowledge, and of collaboration, has cost the State a bit of money and time, and has perhaps secured the liberty of someone who may not deserve it. Rather than lay it out here, however, I’ll direct you to Craig Ball’s commentary, where he does a fine job of discussing all of the issues. His post is called Stubborn v. Stupid.

Posted in Computer Forensics, EnCase, State Courts, Washington

DECAF for your COFFEE? New tool fights forensics application’s attempt to get your data

Posted by rjbiii on December 16, 2009

Ars Technica posts an article describing the battle that might occur inside your PC:

In response to Microsoft’s Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources, two developers have created “Detect and Eliminate Computer Assisted Forensics” (DECAF), a counter intelligence tool designed to thwart the Microsoft forensic toolkit. DECAF monitors the computer it’s running on for any signs that COFEE is operating on the machine and does everything it can to stop it.

More specifically, the program deletes COFEE’s temporary files, kills its processes, erases all COFEE logs, disables USB drives, and even contaminates or spoofs a variety of MAC addresses to muddy forensic tracks. It can be told to disable almost every piece of hardware on a machine and delete pre-defined files in the background. The 181KB DECAF program even has a ‘Spill the cofee’ mode in which it simulates COFEE’s presence to give the user an opportunity to test his or her configuration before actually using it. Source code for DECAF has not been made available, since the authors fear it will be reverse engineered, making it unclear what else the tool might be doing and whether or not it is completely safe to use.

Posted in Articles, Computer Forensics, Computer Security

Case Blurb: Scalera; Inherent Authority of a Federal Court to Impose Sanctions

Posted by rjbiii on December 16, 2009

The court has the inherent power to impose sanctions for the spoliation of evidence, even where there has been no explicit order requiring the production of the missing evidence.

Scalera v. Electrograph Sys., 2009 U.S. Dist. LEXIS 91572 (E.D.N.Y. Sept. 29, 2009)(citing Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99, 107 (2d Cir. 2002))

See Case Summary here.

Posted in 2nd Circuit, Case Blurbs, E.D.N.Y., Magistrate Judge A. Kathleen Tomlinson, Sanctions, Spoliation

Case Blurb: Scalera; Definition of Spoliation

Posted by rjbiii on December 16, 2009

“Spoliation is ‘the destruction or significant alteration of evidence, or the failure to preserve property for another’s use as evidence in pending or reasonably foreseeable litigation.’”

Scalera v. Electrograph Sys., 2009 U.S. Dist. LEXIS 91572 (E.D.N.Y. Sept. 29, 2009)

See the Case Summary here.

Posted in 2nd Circuit, Case Blurbs, E.D.N.Y., Magistrate Judge A. Kathleen Tomlinson, Spoliation

Case Blurb: Scalera; Court states test for Imposition of Adverse Inference for Spoliation (2nd Cir.)

Posted by rjbiii on December 16, 2009

A party seeking an adverse inference instruction as a sanction for the spoliation of evidence must establish that:
(1) “the party having control over the evidence had an obligation to preserve it at the time it was destroyed,”
(2) “the records were destroyed with a ‘culpable state of mind,’” and
(3) “the destroyed evidence was ‘relevant’ to the party’s claim or defense such that a reasonable trier of fact could find that it would support that claim or defense.”

“A party seeking sanctions for spoliation has the burden of proving that the alleged spoliator had an obligation to preserve evidence, acted culpably in destroying it, and that the evidence would have been relevant to the aggrieved party’s case.”

Scalera v. Electrograph Sys., 2009 U.S. Dist. LEXIS 91572 at *6-7, 23 (E.D.N.Y. Sept. 29, 2009)(citing Toussie v. County of Suffolk, 2007 U.S. Dist. LEXIS 93988, 2007 WL 4565160, at *6 (E.D.N.Y. Dec. 21, 2007) and Ramirez v. Pride Dev. & Constr. Corp., 244 F.R.D. 162, 164 (E.D.N.Y. 2007)).

See Case Summary here.

Posted in 2nd Circuit, Adverse Inference, Case Blurbs, E.D.N.Y., Magistrate Judge A. Kathleen Tomlinson, Spoliation