Newsbits 2010

• December 2010 (Topic 44): eMail and eDocuments = eEvidence

  Your client's ask "Why should I bother to keep all this stuff?" Inevitably, even with a routine destruction policy, the documents they deleted will have been the ones which would have sustained their position. eStorage is much cheaper than court imposed monetary sanctions or the negative impact to your case. A 2TB storage device is under $100 and will keep millions of documents.

• November 2010 (Topic 43): What is Forensically Sound?

  It is not just the computer forensic tools (software and hardware) that make your evidence "forensically sound." It takes software, hardware, extensive training, and constant continuing education to develop a technically competent computer forensic investigator. However, all of the foregoing is useless without intuition, the ability to sort the wheat from the chaff, and the written and verbal skills to present the results in court.

  MOST IMPORTANT is a solid set of directions from the attorney as to what we are looking for and what are the goals. Keep your investigators informed.

• October 2010 (Topic 42): Using "Court Approved Forensic Tools" = a Myth

  Courts have no jurisdiction to endorse or sanction any particular computer forensic software or hardware tools or methods. It is ability of the investigator to articulate, in layman terms, the methodologies they use. Computer Forensics is not rote-it is a combination of reproducible art and science.

  It is the attorney's responsibility to craft questions which give their expert the most credence in the mind of the jury.

• September 2010 (Topic 41): FBI given a "pass" on forensic procedure?

  US v. Smith: The FBI was unable to use forensically sound procedures to recover data from the suspect's "thumb drive." Instead, the examiner pulled the data directly from the media, which altered it: Similar to surgeon doing open heart surgery without sterile conditions or even gloves. The surgery was successful but the patient died from infection-or in this case Smith went to jail. Does this mean "the end justifies the means" for the government-without regard to the 4th Amendment? The FBI did not have the technical skill to examine it forensically-and yet the Court admitted the fruit of the poisoned tree. Sources below.

  Source: 2010 WL 1949364 paraphrased from Quinlan Computer Crime and Technology in Law Enforcement July 2010
  Source: http://cyb3rcrim3.blogspot.com/2010/05/thumb-drives-4th-amendment-and.html

• August 2010 (Topic 40): Should I pull the plug or not?

  Your client calls in a panic because their key employee just absconded with all of company trade secrets and accounting records. Nobody is sure if the employee is erasing their computer hard drive or not. "You're my lawyer, what should I do?" the company president beseeches. NEVER tell them to use the normal shut down procedures. Tell them NOT to touch anything DO NOT touch any keys on the keyboard or the mouse. Tell them to pull the power cable at the wall-this will kill the computer. Any evidence in RAM memory will be lost. However, it is better to lose the RAM evidence than the hard drive. Then call ACTForensic.com, Inc for 24/7 emergency response.

• July 2010 (Topic 39): Digital Investigation Management

  Digital evidence is crucial to today's lawsuits. Whether your case is large or small there will be computer based evidence. Not only must evidence be found, but you must have competent help to assist you interpreting and managing this aspect of your case. As a full service firm, we can handle all of your eDiscovery data needs from pre-meet and confer planning through expert trial testimony.

• June 2010 (Topic 38): 5 errors in eDiscovery Investigations

  You hire Private Investigators without an Engagement Letter which includes: Scope, Methods, Confidentially, Fees, and Arbitration.
  You hire Private Investigators without verifying references, valid BSIS PI License number, degrees, and credentials.
  You hire Private Investigators who do not provide W-9 and proof of current Workmen's Compensation and E&O Insurance.
  You hire Private Investigators who subcontract with unlicensed persons - this is a violation of law.
  You hire Private Investigators say they can do a job without knowing what the job entails.

• May 2010 (Topic 37): Digital Forensics-the foundation of evidence

  With a limit on discovery motions, a well crafted eDiscovery request will reduce the need to go back to court for more items. Knowing, in advance, what can be obtained from the other party, and what you have to provide to them, will make the Digital Forensic Evidence gathering much more efficient and effective. Involve your investigators in Meet and Confer to help you identify the data needed.

• April 2010 (Topic 36): Hardware Leaping Forward

  What used to take a room full of vacuum tubes, miles of magnetic tape, and many operators is 1/10,000th of what is in today's computer. Then came Solid State Devices (SSD). Currently 64Gb "thumb drives" are available for around $150. Within a couple of years mechanical hard drives will disappear. This newest technology is the NOT AND (NAND). What we need to know is a 1Tb (1,000Gb) chip will be the size of a medium sized postage stamp and maybe a nickel thick. It will have no wires and be very fast. What does this mean to us? No moving parts = no failures. Your laptop will carry the all world's information on it and still have room for your pictures!

• March 2010 (Topic 35): Courts Split on Computer Forensics

  What computer based data can be admitted under the "plain view doctrine" from a Search Warrant (SW)? The 9th DCA says not admissible if not specified in the SW: an objective test. The 10th DCA says admissible if it was within the scope of the SW but outside of where the examiner should have been looking: a subjective test-inadvertent discovery. The 4th DCA agrees with the 9th DCA: the scope of the SW is what is written, not in the mind of the examiner. Now comes the 7th DCA agreeing with the "inadvertent" discovery theory of the 10th DCA. Computer Forensic Discovery Law is trailing the technology. Look for the USSC to take on this issue. BTW, if you are not up to speed on the FRCP you need to be. Also, Calif. passed its own version of the rules late last year.

• February 2010 (Topic 34): Near-Duplication v. De-Duplication

  When assigning tasks to reviewers, all documents of the same "ilk" should go to the one reviewer or a team. Why? In a large case, De-Duplication spread across a group of reviewers may let an important document slip by because it might not seem important by itself. The next technology in this process is Near-Duplication. N-D is a process which looks at the "similarity" of text within a document. It bundles these together for human review.

• January 2010 (Topic 33): New Year's Resolution 2010

  I will:
  1. Set my virus protection and Microsoft updates to Daily and Automatic.
  2. NOT download cool stuff from the Internet because it is probably loaded with bad things that may "crash" my computer, or worse, open my employer's computer network to hackers and thieves who WILL steal our trade secrets. Then I will be out of work!!
  3. NOT send or forward non-business email while@ work, no matter how interesting the pictures are.
  4. BACK UP MY DATA EVERY DAY!!! Otherwise it will cost a lot of money and time to have ACTForenisc.com recover it.