Lessons in Computer Forensics

My colleague Josh Gilliland analyzed the legal issues in Emergency Response Specialists, Inc., v CSA Ocean Scis., Inc., in our prior blog post. This case also had several fascinating issues that may have been overlooked, as well as a few questions that could have been addressed. ERS claimed the produced emails were corrupted during a computer that crashed. CSA then requested the emails be produced in native file format. What format was requested and produced in the initial production? What type of computer did Ms. Moore use at work? How could the emails stored on the server have been corrupt? What would cause the attachments to become separated and inaccessible from the emails? What backup system was in place? Did Ms. Moore use the recovery software herself to attempt recovery from the server? What was the name of the recovery software? Did ERS maintain their own email server or was their email hosted by a third party? It may have been helpful to have a technical expert that would have verified that Entourage is not in fact a company, but a Microsoft email application that leveraged Microsoft’s Exchange Server.

CSA also uncovered evidence or an admission during the ERS deposition that certain photographs produced were in fact videos. Were files types listed in the Discovery Requests or Deposition Notice? Was the accuracy of the production certified? Could it have been an attempt to conceal or otherwise obfuscate the evidence in the matter? To conform with best practices, it is always helpful to identify who collected the ESI, how they collected it and what methods were used for processing, review and production.

During another deposition, Carl Haywood admitted that responsive text messages may have been stored on his work cell phone, though ERS did not have his phone’s passcode. Was a custodian interview conducted? What efforts were undertaken to extract this information for review?

Certain technical aspects of the matter may also be addressed. Entourage was a Microsoft email platform that was replaced by Microsoft Outlook for Macintosh computers. It was an older application that would not have been used in 2014, as Microsoft Outlook version 2011 was already in use at that time. Entourage offered the ability to use a Microsoft Exchange Email Server or a Web-based setup that is common when a third party hosts a company’s email. Occasionally, a custodian may store a local copy of their email on their computer to work with the data “offline” or to preserve an archive of their communications. Regardless, the data is synchronized with a server, whether managed by the company of their hosting provider. Because of this, a crashed computer may not have been a relevant issue, as the data would be stored on a server.

Ms. Moore claimed Entourage gave her recovery software to use. Although Entourage can create a database, Entourage is not a company, Microsoft was the maker of Entourage. The opposing party could have questioned Ms. Moore’s background and experience in attempting recovery of corrupt email databases. Lacking the requisite credentials to perform that type of work, it may have been prudent for CSA to assert that spoliation had occurred, even if inadvertent.

Cell phones, especially modern ones, contain security features that necessitate the use of pass codes to extract data. In rare instances, some may be bypassed, though this process may increase costs exponentially and is avoidable in most cases. The parties may obtain this information from custodians, especially upon departure from an organization. Also, when conducting custodian interviews and assessing potential sources of responsive information, computers and Cloud-based repositories should be identified, as they may be used to synchronize data stored on mobile devices, including smartphone and tablets. When the actual devices are inaccessible, a backup file may be the only alternative for obtaining the data.

To address the chronology aspect of the events, CSA could have requested that ERS submit a Declaration that identified, in detail, when a preservation notice was received, what steps ERS took to preserve and collect the potentially relevant ESI, when they performed those tasks, and when they became aware of the corrupted database. Further, during the 30(b)(6) deposition, CSA could have questioned the deponent on the email architecture that ERS employed within their Enterprise or whether they used a hosting service. Additional questions could have addressed technologies and intervals of backups, as well as retention periods for email and storage locations.

These issues may be brought to the surface and memorialized in documentary form or elicited through oral testimony. Parties have certain obligations to satisfy during the Discovery process to ensure they maintain the integrity of digital evidence and produce responsive material to the opposing party. Engaging an expert’s services, especially when the fact pattern resembles the issues listed above, may help counsel and the court to achieve clarity.

ESI is More Than Email

The case of Emergency Response Specialists, Inc., v CSA Ocean Scis., Inc., is an excellent example of the challenges in civil litigation. The case is from Alabama that highlights the many types of ESI that can be relevant in a case. It also highlights the importance of collection experts and phone passwords.

The first relevant opinion is by Magistrate Judge Harwell Davis, III. See, Emergency Response Specialists, Inc. v. CSA Ocean Scis., Inc. (N.D.Ala. Aug. 4, 2016, No. 2:14-cv-02214-WMA) 2016 U.S. Dist. LEXIS 113221 (Hereafter ERS 1). The second is by District Court Judge R. David Proctor, who adopted and accepted Judge Davis’ recommendations. See, (Emergency Response Specialists, Inc. v. CSA Ocean Scis., Inc. (N.D.Ala. Aug. 23, 2016, No. 2:14-cv-02214-RDP) 2016 U.S. Dist. LEXIS 112639 (Hereafter ERS 2).

Judge Davis explained that the Defendant’s president and majority shareholder had a computer crash that corrupted her email production. ERS 1, at *3. The Defendant used the recovery software from the server company to attempt to recover her messages. Id. The Plaintiffs sought the email in native format. The Defendant claimed the recovered email was all that was available. This was very problematic, as the parent-child relationship between the email and attachments was broken. Moreover, the Defendant explained that if the Plaintiff looked at the email threads, they could determine who was the sender of the emails and the dates each message was sent. Id.

The Plaintiff was allowed to review the email production to determine if the messages could be put in chronological order with senders and recipients.

The Defendant was ordered to produce any other unique emails with attachments if they existed on her Defendant’s laptop. ERS 1, at *3-4. The Court ordered the Defendant to also produce text messages and video files. The text messages introduced a common wrinkle with smartphones: what is the phone password?

The context of the case made it appear that a former employee needed to provide his password to his former work phone in the possession of his former employer. ERS 1, at *4-5. Judge Proctor ordered the former employee to cooperate in providing password. ERS 2, at *2. The Court informed counsel that if the former employee refused to cooperate, to report that to the Court, so the Court could further order the former employee’s cooperation. Id.

There are many lessons from this case. The first is the collection of data in a defensible manner. It is wise to avoid having a party turn themselves into a collection expert. While it is entirely possible the Defendant properly used the recovery software, it would likely be less stressful on the party and counsel to have a computer forensic expert attempt to restore the data. It is likely forensic software would have greater options to recover data than server software. This is highly dependent on what caused the crashed, however, if email and attachments could be recovered, that could reduce the need for motion practice.

The other lesson is there are many forms of potentially relevant ESI. Video files can easily be overlooked in a case. Asking a client effective interview questions, and a meaningful meet and confer between attorneys, can help identify the possible types of relevant ESI in a case. The final lesson is passwords on work issued phones. A service provider might have software that can crack a password. Alternatively, requiring this information when an employee leaves a company could also reduce this pain point.

My colleague Ben Rose will analyze the computer forensic issues from this case in our next blog post.

Recognizing Anti-Forensic Tools in Litigation

Many cases involve the review of computers to search for documents, email, chat, or other records. This data can tell the story of what the parties were doing, when, and often why. In the age of smartphones, it is no surprise that digital records have become so important in proving our cases. This is why it is such a surprise when you examine any device that was used over a long period of time that has no records of interest: empty or missing email, no chat or text messages, no internet history, no pictures or videos.

In some cases, the original device does not have any useful data; it is the second phone or laptop with the relevant data. It is very common to have personal or business emails, pictures, videos, chat or documents or other data on our phones and computers. There are times when a user realizes that the phone or computer contains information that could be damaging to them. This could be after they realize there will be a lawsuit, or in many cases it is after a preservation order has been served. The next thought is often, “Is there anything left that could be helpful?” and “Is there any way to prove that data was intentionally deleted?”

Defining Anti-Forensics

Applications used to delete and remove data from computers are often referred to as “anti-forensics” tools. These tools are inexpensive or even free. These applications deploy different methods to remove data. As you would expect, you get what you pay for in this area and some tools are not as successful as others in their mission to remove data. Many tools do very simple processes that don’t affect many system files or logs that keep track of user activity. Some anti-forensics tools create logs of the files they delete – often giving clear evidence of when the tool was used and what was done.

There are ways to determine if certain anti-forensics tools were used. Highly trained forensic examiners know where to look for data that is not deleted or wiped by these anti-forensics tools. Properly trained and experienced forensic examiners can often recover deleted documents, find log files of anti-forensics processes, locate and interpret system files to show what files were deleted and when. Advanced techniques can be used to find and recover deleted copies of data and files. In many cases, hundreds of deleted files and thousands of Internet history records, or email going back many years, have been recovered and used as evidence in court.

Forensically Triage the Data

Skilled forensic examiners know how to perform a triage on evidence items – knowing how to look for signs that data has not been permanently deleted and overwritten. It is often possible to do a focused analysis of digital devices to find any obvious relevant data and to determine if there is a possibility to find more relevant data using more advanced techniques. This triage process is helpful to reduce exam costs, while giving clients the information they need to know if more advanced analysis could be beneficial to finding data that helps prove their case.

There is More to ESI Besides Email Messages

The case of Emergency Response Specialists, Inc., v CSA Ocean Scis., Inc., is an excellent example of the challenges in civil litigation. The case is from Alabama that highlights the different types of ESI that can be relevant in a case. The case also highlights the importance of retaining collection experts and knowing phone passwords.

The first relevant opinion is by Magistrate Judge Harwell Davis, III. See, Emergency Response Specialists, Inc. v. CSA Ocean Scis., Inc. (N.D.Ala. Aug. 4, 2016, No. 2:14-cv-02214-WMA) 2016 U.S. Dist. LEXIS 113221 (Hereafter ERS 1). The second is by District Court Judge R. David Proctor, who adopted and accepted Judge Davis’ recommendations. See, (Emergency Response Specialists, Inc. v. CSA Ocean Scis., Inc. (N.D.Ala. Aug. 23, 2016, No. 2:14-cv-02214-RDP) 2016 U.S. Dist. LEXIS 112639 (Hereafter ERS 2).

Judge Davis explained that the Defendant’s president and majority shareholder had a computer crash that corrupted her email production. ERS 1, at *3. The Defendant used the recovery software from the server company in an attempt to recover her messages. Id. The Plaintiffs sought the email in native format. The Defendant claimed the recovered email was all that was available. This was very problematic, as the parent-child relationship between the email and attachments were broken. Moreover, the Defendant explained that if the Plaintiff looked at the email threads, they could determine who was the sender of the emails and the dates each message was sent. Id. As such, the Court gave the Plaintiff the opportunity to review the email production to determine if the messages could be put in chronological order with senders and recipients. Id.

The Court ordered the Defendant to produce any other unique emails with attachments if they existed on her Defendant’s laptop.ERS 1, at *3-4. The Defendant was also ordered to produce text messages and video files that were responsive to discovery requests. The text messages introduced a common wrinkle with smartphones: what is the phone password?

The context of the case made it appear that a former employee needed to provide his password for his former work phone, which was in the possession of his former employer, in order to recover the text messages on the device. ERS 1, at *4-5. Judge Proctor ordered the former employee to cooperate in providing password to the Defendant. ERS 2, at *2. The Court informed counsel that if the former employee refused to provide his password, to report that to the Court, so the Court could further order the former employee’s cooperation in recovering the text messages. Id.

There are many lessons from this case. The first is the collection of data in a defensible manner. It is wise to avoid having a party turn themselves into a collection expert. While it is entirely possible the Defendant properly used the recovery software, it would likely be less stressful on the party and counsel to have a computer forensic expert attempt to restore the data. It is likely forensic software would have greater options to recover data than server software. This is highly dependent on what caused the crashed, however, if email and attachments could be recovered, that could reduce the need for motion practice.

The other lesson is there are many forms of potentially relevant ESI. Video files can easily be overlooked in a case. Asking a client effective interview questions, and a meaningful meet and confer between attorneys can help identify the possible types of relevant ESI in a case. The final lesson is passwords on work issued phones. A service provider might have software that can crack a password. Alternatively, requiring this information when an employee leaves a company could also reduce this pain point.

Best Practices for the Collection of ESI

McGibney v. Retzlaff is a Federal case in the Northern District of California. Judge Beth Labson Freeman heard the Defendant’s Motion to Dismiss for Lack of Personal Jurisdiction. Her initial comment was “this case sees the Internet at is worst.” See, McGibney v. Retzlaff, No. 14-cv-01059-BLF, 2015 U.S. Dist. LEXIS 79434 (N.D. Cal. June 18, 2015).

I see a much different issue in this case. The identification of potentially relevant ESI is sorely lacking. The Court was informed about harassment via Internet postings on Twitter, Facebook, and a blog. The Plaintiff asserted that the Defendant used many aliases on these social media platforms, as well as with email.

Preservation and collection of data should occur once potentially relevant ESI is identified. There was no reference in the opinion that listed the Plaintiff’s efforts to preserve the relevant electronically stored information. We see these issues time and again. Here are our recommendations to acquire relevant ESI:

1. Propound Discovery upon the social media providers. The Stored Communication Act generally prohibits the production of stored content without a search warrant or government subpoena. However, those who receive a Discovery Request can identify subscriber information and account login information. Subscriber information may be anonymous, though at times will provide a lead to develop further, such as the IP Address that may be resolved to a specific Internet Service Provider. People are creatures of habit and may use the same username with their ISP, as they do with their social media account(s).

2. Email tracing and serving Discovery upon hosting providers. Email is a transitory medium that contains valuable metadata within the email “header.” Email servers and IP addresses may be identified, as well as accurate (and sometimes obfuscated) email addresses. In the case of Google, the Gmail username refers to the whole account. Again, these are leads to be explored.

3. Preservation notices. These communications should include as much specific information as possible, including account names and date ranges. Time is also of the essence. The opposing party and the third-party who hosts the content should be put on notice, although third parties will be held to a somewhat lower standard in many cases. Nonetheless, a recipient’s obligations and the propounding party’s expectations should be clearly identified.

4. ESI Collection. Social media and email collections should conform to industry standards for the handling of digital evidence. Methods should be defensible and repeatable, and qualified individuals should perform these tasks. Certain software solutions should be used to eliminate the alteration of evidence and its metadata, thereby reducing the potential for spoliation. Also, declarations should be submitted, when necessary, to reduce the risk of inadmissibility for key evidence.

Authenticating Photos with Metadata

The admissibility of digital evidence bridges the rules of evidence and computer forensics. In the case of Riverkeeper, Inc. v. Brooklyn Ready Mix Concrete, photos were offered by a witness to show unlawful dumping by the Defendant. Riverkeeper, Inc. v. Brooklyn Ready Mix Concrete, No. 14-CV-1055 (NGG) (SMG), 2016 U.S. Dist. LEXIS 108357, at *10-11 (E.D.N.Y. Aug. 16, 2016).

The Court explained, “The standard for admissibility of photographs requires the witness to recognize and identify the object depicted and testify that the photograph is a fair representation of what it purports to portray.” Riverkeeper, at *10, citingZerega Ave. Realty Corp. v. Hornbeck Offshore Transp., LLC, 571 F.3d 206, 214 (2d Cir. 2009). The witness stated in his affidavit that he was both the photographer and the photos were accurate representations of what he observed on the date the photos were taken. The Court held the proffering party had offered an adequate foundation for the photos.

The Defendants challenged the authenticity of the photos, claiming that the photos were not taken on the day the photographer stated the photos were taken. Riverkeeper, at *10. The Court rejected the challenge, explaining that the defendants did not produce “any evidence calling into question the reliability of the metadata establishing the photographs’ creation dates.” Riverkeeper, at *10. The Court went on to say that the defendants “did not arrange for a forensic examination of the camera or the photographs, despite being given such an opportunity by the Court. The Court found that the defendants’ challenges to the authenticity of the photographs were not persuasive. Riverkeeper, at *10.

This case illustrates a number of interesting aspects of authenticating and admitting digital photos as evidence, as well as a number of potential pitfalls of circumventing the forensic examination process. Let’s break down the basic facts: The Plaintiff submitted a number of digital photos taken with an unknown camera, possibly a digital camera or from a smartphone, which is very common these days. If the evidence had only been produced in hard copy form, a number of arguments could have been made against admission, including the ability of the Defendant to acquire and examine the evidence in its native file format.

In this case, the Plaintiff provided the Court copies of the original electronic files, including metadata that was not specifically described. The court noted the filenames appeared to correspond to date and time stamps, due to the naming convention. Exhibit O was listed with the filename 20150914_110215.jpg. The question arose as to whether or not the filenames were created programmatically from the digital device or if they were renamed as they were copied to new media. If the latter is accurate, the file date and time stamps would also have been altered, giving rise to a potential spoliation claim.

Unfortunately, the Defendant claimed the photos may have been taken on other dates, asserting they were not authentic. Also, the Defendant did not take advantage of the opportunity to validate the Plaintiff’s claims by utilizing a digital forensic examination of the evidence, nor did he challenge any potential chain of custody issues. This weakened his position and resulted in his testimony that “he really didn’t know when the pictures were taken.”

Recognition and identification of evidence are necessary characteristics for admissibility. The photographer claimed in an affidavit that he took the photos and they were an accurate representation of what he witnessed. His testimony was consistent in this regard. Although the standard was met, recommended practices with digital evidence would include the following:

1. Digital evidence is acquired in a forensically sound or defensible manner. Forensically sound ensures that no alteration to the evidence occurs. This is usually accomplished with various hardware or software solutions. With civil matters, a “defensible” collection may be required. Defensible may be defined as a repeatable process that is documented.
2. The evidence is authenticated with a hash algorithm. Common standards are known as “Message Digest 5 (or MD5)” or “SHA-1.” These are mathematical values that may be considered “digital fingerprints.”
3. Evidence is stored on a “forensically-prepared” piece of media. Removable “thumb drives” or external drives may be used. Forensically-prepared means the drive has undergone a data “wiping” process to prevent any potential cross-contamination or comingling of evidence.
4. A Chain of Custody form is completed to specifically identify the evidence, and to track who handled the evidence.
5. A digital forensic examination is conducted on the evidence. The file properties and hash values are recorded. The examination may reveal any alteration based on date and time stamps, and file sizes and/or hash values (if an exemplar is available for review). The file metadata may also include Exchangeable Image File Format (or EXIF) data. This information provides additional details, such as the specific make and model of the device the image was created with, photography settings such as f-stop and ISO speeds, software and version number, compression, and the distance from the source, to name a few.

To conclude, technology, processes and people trained in digital evidence exist to ensure that the evidence at issue is handled and authenticated properly before presenting to the Court. Additionally, these skills may be used when suspicions arise as to the reliability of the evidence that is proffered.

Proactive Approaches to Compliance Require Broad Optics

Highly-regulated industries such as healthcare, energy, financial and government are advised to stay on top of compliance needs which include legal and enterprise risk. This quest serves the health of the organization and keeps regulators happy. What best practices support this rather challenging goal? It begins with common-sense and continues with a centralized approach to research and investigation.

Common-Sense Approach

The goal of compliance efforts is to mitigate threats to the health of an enterprise and to stay within the legal requirements imposed by regulation and law. The primary focus in the compliance arena in most industries / sectors is on fraud and corruption. Nefarious actors are finding new ways to pillage and cheat and there are an almost infinite number of ways within which to carry out their schemes. But how does one herd these cats?

The most commonly used approach is to find anomalies – outliers that suggest activity is outside the “norm.” The idea is to find a baseline of “normal activity” and then identify any activity that falls sufficiently outside that baseline. If a salesperson’s average monthly sales at a company is $1 million a month, why is salesperson ‘A’ doing three times that amount? Does she simply have exceptional skills or is she taking bribes or kickbacks? Salesperson ‘A’ has sales that fall well outside the norm – this is an outlier or anomaly and a place to focus efforts. Using this approach, virtually any enterprise with changing needs can attempt to address risk. Merely redefine what is “normal” and the process starts anew.

How does one establish the norm? Of course, this is highly dependent on context but company records are a great place to start. Here are some ideas, to name only a few:

• What constitutes a typical transaction? Certain data analytics tools can take years of records and identify what constitutes a “typical” transaction. Are there transactions that deviate from this baseline? Do they suggest checks-and-balances are being bypassed? Are there unknown actors in the sequence of a transactional process?
• What are common communications patterns? An area of study called “graph theory” is helpful in this area; one implementation is what many know as “social network analysis.” Graph theory helps establish communication patterns that can then be used to find outliers. Among the many email domains, why do we find one small set of emails using a particular domain? Is someone communicating with a competitor? Are trade secrets being sent outside of the company?

Anomaly detection is one method. There are also technologies that find strong correlations between events or things. If there are thefts occurring, who was working at that time (i.e. is there a strong correlation)? Are dips in profit associated with transactions with certain entities (suggesting skimming or other misappropriation)? There are also ways to identify language used by those who are committing nefarious acts. The tool set is rich but the high-level attack must be a common-sense one.

A Centralized Approach to Investigation

A myopic approach to compliance only leaves cracks where risk can slip through. At times, compliance professionals focus on particular verticals within an organization without consideration of their entire eco-system.

An area of study called “Business Process Management” is used to identify all business units, their workflows and accompanying technical infrastructure. Compliance professionals are increasingly focusing in this area to wrap their solutions around the high-level needs and for a centralized approach. Some of the topics in the technical arena include:

• Review of Corporate Email – use of e-discovery tools to analyze employee communications.
• Log Analysis – collection of logs from all enterprise software applications to follow activity in a centralized way. Web servers, emails applications, ERP systems, network appliances and firewall software, among others, send their logs to one analytics’ implementation.
• Call center and Surveillance Monitoring Analytics – new solutions analyze call-center discussion in near real-time. Surveillance systems use facial recognition to help identify activity.
• Social Media and Online Sources – social media and other online sources can be monitored in real-time to track other enterprise-relevant activity.

The above approaches, while not an exhaustive list, are combined with more conventional approaches such as interviews, surveillance and database-records research to bring a holistic picture into focus.

Using common-sense approaches considered in a centralized way, compliance professionals will be able to find balanced and efficient ways to mitigate risk and to remain compliant with relevant regulation.