Slide1 l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 68

Computer Forensics Challenges of 2008; The major issues effecting the use of digital forensics in family law cases in South Carolina. PowerPoint PPT Presentation


  • 172 Views
  • Uploaded on
  • Presentation posted in: General

Computer Forensics Challenges of 2008; The major issues effecting the use of digital forensics in family law cases in South Carolina. Presented by Steven M. Abrams, J.D., M.S. Abrams Millonzi Law Firm, P.C.

Download Presentation

Computer Forensics Challenges of 2008; The major issues effecting the use of digital forensics in family law cases in South Carolina.

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Slide1 l.jpg

Computer Forensics Challenges of 2008;Themajor issues effecting the use of digital forensics in family law cases in South Carolina.

Presented by

Steven M. Abrams, J.D., M.S.

Abrams Millonzi Law Firm, P.C.


Steven m abrams esq computer forensics examiner attorney at law sc private investigator ny l.jpg

Steven M. Abrams, Esq. Computer Forensics ExaminerAttorney at Law (SC), Private Investigator (NY)

Computer Forensics Bio

  • 1983 – 2008 (25yr)

  • Trained under Military and Law Enforcement Supervision – NCJA, NW3C, NYPD, FBI, SLED

  • 350 CF Cases

  • 75% Domestic Relations

  • Law enforcement work: USSS, FBI, Mt. Pleasant PD, ...

  • Member: HTCIA, SCALI, ALDONYS, IEEE

  • Permanent Member: SLED PI Business Advisory Committee

  • Instructor: Numerous CLEs, Seminars, US and Foreign Governments


What we will cover today issues confronting the use of computer forensics in family court l.jpg

What we will cover today:Issues confronting the use of Computer Forensics in Family Court

  • Common Abuses of the Discovery Process.

  • Need to Check Licenses and Credentials of Computer Forensics examiners.

  • Need to critically evaluate CF evidence.

  • Lack of Uniform rules for E-Discovery in State Courts.


Computer forensics l.jpg

Computer Forensics?

Computer forensics, also called cyberforensics and digital forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.


Why do computer forensics l.jpg

Why do Computer Forensics?

Forget dumpster diving. Computers harbor more personal information and secrets than anyone can discard into a 20-gallon trash container.A typical computer holds information people once stored in wallets, cameras, contact lists, calendars, and filing cabinets. Computers are the treasure trove of personal contacts, personal finance, and correspondence. 

Practically every investigation - can benefit from the proper analysis of the suspect's computer systems."

- Incident Response, Investigating Computer Crime, Pg.88


Family law matters are particularly suited to digital forensics l.jpg

Family Law Matters are particularly suited to digital forensics.

  • Home Computers, Cell Phones are usually jointly owned and used marital property.

  • Household financial records often on home computer. Hidden assets traceable on PC.

  • Increasingly paramours contacted by computer – email & websites / cell phone .

  • Arrangements for liaisons made using computer; flight and hotel reservations.

  • Pornography, Pornography, Pornography…


A typical digital forensics investigation l.jpg

A Typical Digital Forensics Investigation

An actual domestic relations case example

The names of the parties have been changed to protect their identities.


Scenario l.jpg

Scenario

  • Domestic Relations Matter

  • Lisa - Wife of client having an affair.

  • Paramour: “Michael”

  • Email Address: [email protected]

  • Lisa has installed new web cam

  • Explicit emails recovered referring to web cam

  • Michael claims to be 41 years old

  • Lisa has taken a trip to ??

  • Goal: Locate Paramour (and Lisa)


Procedure search for web cam related content l.jpg

Procedure – Search for web cam related content

  • MPG’s are a popular movie format, along with MOV and WMV.

  • Search for MPGs turn up many fragments and some link (lnk) files containing information about movies accessed on this computer.

  • One “lisa” movie link file found, but lisa movie itself is not found on hard drive

  • It may contain important evidence


Evidence lisamov00396 lnk l.jpg

Evidence - LisaMOV00396.LNK

Shortcut File

  • LisaMOV00396[87073].lnk.html


Procedure l.jpg

Procedure

  • Do a keyword search for “LisaMOV00396.MPG”

  • There were no files by that name on the hard drive

  • Search Recycler for LisaMOV00396.MPG


Evidence info2 dat l.jpg

Evidence – INFO2.DAT

  • Recycle Bin Index …

(Movie has been renamed Dc73.MPG by Recycler, and is still intact!)


Evidence dc73 mpg l.jpg

Evidence –DC73.MPG

Listen to the accent in the speaker’s voice


Procedure search hard drive for metro6969 l.jpg

Procedure – Search hard drive for “metro6969”

  • A keyword search for “metro6969” turns up many explicit emails between Lisa and Michael.

  • One email contains Michael’s business email signature, probably by accident.


Evidence email l.jpg

Evidence - Email

(Signature from paramour’s deleted email recovered with FTK)

Michael E. Smith

Metropolitan Plumbing Co., Inc.


Procedure look up company l.jpg

Procedure – Look up Company

  • Using accent as a guide (New England)

  • Search for Business Filings on D&B for “Metropolitan Plumbing Co.”


Business report from d b l.jpg

Business Report from D&B

Comprehensive Business Report

Company Name: METROPOLITAN PLUMBING CO INC

Address: HICKSVILLE, MA 02799

Phone: (508) 632−6969

FEIN:00-000000

Associated People:

Business Contacts:

MICHAEL SMITH, SSN: 025−55−0000,

Date LastSeen: Apr, 2005

HICKSVILLE, MA 02799

MICHAEL SMITH, SSN: 025−55−0000, PRESIDENT,

Date Last Seen: Apr, 2006


Procedure use ssn to locate paramour l.jpg

Procedure – Use SSN to Locate Paramour

  • Using IRBSearch.com person search lookup SSN… to produce background report on paramour.


Evidence background report l.jpg

Evidence – Background Report

Subject Information:

Name: MICHAEL E SMITH

Date of Birth: 04/1965

Age: 41

SSN: 025−55−0000 issued in

Massachusettsbetween 01/01/1971 and 12/31/1973

Active Address(es):

MICHAEL E SMITH − 591 MARKET ST, FRANCIS MA 02099−1513,

NORFOLK COUNTY (May 1993 − Sep 2006)

SMITH MARY ANNE (508) 540−1234


Eureka l.jpg

Eureka!

It’s now a simple matter to place Michael under surveillance and have him lead us to Lisa, who is waiting for him at a local roadside motel.


Issues confronting the use of cf in family court l.jpg

Issues confronting the use of CF in Family Court

Issue #1: Willful Spoliation –

An increasingly common occurrence


Issues effecting cf in family law matters 1 issue spoliation l.jpg

Issues effecting CF in Family law Matters: #1 Issue: Spoliation

Willful deliberate spoliation is becoming an increasingly common occurrence in domestic relations matters.


Typical example of willful spoliation l.jpg

Typical example of willful spoliation

You are called in to examine a computer produced in response to a court order. Upon opening the case of the eight year old computer, which you note was missing the screws that hold the cover closed, you observe the following…


Actual evidence photo 1 l.jpg

Actual Evidence Photo 1

Dust Bunnies !


Actual evidence photo 2 l.jpg

Actual Evidence Photo 2

Cob Webs!


Actual evidence photo 3 l.jpg

Actual Evidence Photo 3


Actual evidence photo 4 l.jpg

Actual Evidence Photo 4

The Hard Drive was

Pristine,

almost sterile.


Rule 1 parties cheat in e discovery especially in domestic relations cases l.jpg

Rule # 1: Parties cheat in e-discovery, especially in domestic relations cases.

  • Never assume that material produced during the course of electronic discovery is complete or authentic; Use forensic evidence to establish authenticity.

  • Electronic data is fragile and easily lost or manipulated.


Rule 1 parties cheat in e discovery especially in domestic relations cases29 l.jpg

Rule # 1: Parties cheat in e-discovery, especially in domestic relations cases.

  • Opposing counsels are usually well-meaning, but clients are often beyond their control.

  • Clients often have an unreasonable belief that they will not get caught.

  • Hire a knowledgeable computer forensics expert to review materials produced during electronic discovery.


Most common method of spoliation wiping programs anti forensics l.jpg

Most common method of spoliation:Wiping Programs (Anti-forensics)

  • Wiping software makes data recovery difficult or impossible by deleting and overwriting data on the hard drive.

    Wiping can be detected in two ways:

  • Detect disk wiping by examining the data in disk sectors for regular patterns indicative of wiping.

  • Detect wiping software with Gargoyle Investigator™ Forensic Pro software.


2 nd most common method of spoliation evidence tampering l.jpg

2nd Most common method of spoliation:Evidence Tampering

Includes any attempt to alter the data on the hard drive

  • Most commonly done by reformatting hard drive and reloading the O/S (Windows).

  • The original data is usually at least partially recoverable from a reformat / reload.

  • Other tampering includes changing time and date stamps on files to pre or post date them.

  • Rarely, we have seen one spouse fabricate evidence to appear as if other spouse was responsible for data remaining on hard drive.


How can evidence tampering be detected l.jpg

How can evidence tampering be detected?

Analysis of artifacts within several key areas of the hard drive can lead to conclusive evidence of willful spoliation and evidence tampering. (For example: reformatting HD)

The key areas include;

  • Windows Registry

  • Link files– shows files that were on system and when

  • Event Logs– shows when/if system clock reset

  • Disk Partition and System DirectoryMeta Data – shows when hard drive reformatted and Windows install date.

  • Keyword searches for deleted data in unallocated Drive Freespace.

  • Deletion dates obtained from Recycler INFO2 structure


The windows registry l.jpg

The Windows Registry

  • The Windows Registry conceptually can be thought of as a special directory where Windows and other software programs store system data needed for proper operations of the operating systems and installed software. User activity within Windows is tracked and stored in the Registry.


The files that constitute the windows xp registry l.jpg

The Files that constitute the Windows XP Registry

  • Windows/System32/config/ directory

    • System

    • Software

    • SAM

    • Security

  • documents and settings/User/

    • Ntuser.dat


Metadata l.jpg

Metadata

What is metadata?

  • Metadata gives any kind of data context. Any item of data is a description of something. Metadata is a type of data where the something being described is data. Or, as it is often put, metadata is data about data.


Microsoft office metadata l.jpg

Microsoft Office Metadata

Microsoft Office files include metadata beyond their printable content, such as the original author's name, the creation, modification, and access date and time of the document, and the amount of time spent editing it. Unintentional disclosure can be awkward or even raise malpractice concerns.


Slide37 l.jpg

Metadata is essential as a means of determining the install date for Windows and date of hard drive formatting.

  • Folders (subdirectories) are just a special type of file. As such they have file creation date and time meta data associated with them.

  • The Windows folder and the system32 subfolder (among others) are created when Windows is installed. The creation date metadata on the Windows folder can tell you when Windows was installed. This can indicate that the hard drive has been tampered with.

  • The metadata on the root folder, and on the bad cluster and partition files can tell you when the partition was created, usually when the drive was formatted.


Metadata is discoverable l.jpg

Metadata is discoverable!

Williams v. Sprint/United Mgmt. Co., 2005 U.S. Dist. LEXIS 21966(D. Kan. Sept. 29, 2005).

  • The Williams court established the following standard:

  • [W]hen a party is ordered to produce electronic documents as they are maintained in the ordinary course of business, the producing party should produce the electronic documents with their meta data intact, unless that party timely objects to production of meta data, the parties agree that the meta data should not be produced, or the producing party requests a protective order. Id.


Typical case example w v h l.jpg

Typical Case Example : W v. H

  • Custody matter between W and her former husband H.

  • W has joint custody with H over 4 yr old daughter. (W increasingly erratic behavior. Possibly dangerous.)

  • H and his new wife seek sole custody

  • W allegedly tells a friend via email that “she will sooner kill the child and H, then turn her over to his custody.”


W v h l.jpg

W v. H

  • Attorney for H issues subpoena for W’s computer so he could have the emails examined.

  • W’s attorney files motion to quash subpoena

  • On July 20, Judge issues order from bench for W to turn computer over to her attorney so it can be examined by H’s expert.


W v h41 l.jpg

W v. H

  • On July 25th signed order arrives at W’s attorney’s office.

  • On July 27th W brings computer to her attorney’s office for examination.

  • I examine and copy computer in W’s attorney's office on August 1st.

  • During my exam, I take the following photos of the computer:


Evidence photos from aug 1st l.jpg

Evidence Photos from Aug 1st

Hard drive pristine! 


W v h forensic evidence encase image from w s hard drive l.jpg

W v. H – Forensic EvidenceEnCase Image from W’s Hard Drive

  • Case Information:

  • Case Number: 2005-29

  • Evidence Number: 1

  • Unique Description: Maxtor 4GB

  • Examiner: SM Abrams

  • Notes: Maxtor 4GB from Dell Tower

  • --------------------------------------------------------------

  • Information for E:\image\maxtor4gb:

  • Physical Evidentiary Item (Source) Information:

  • Drive Interface Type: USB

  • Drive Model: Maxtor 8 4320D5 USB Device

  • [Drive Geometry]

  • Bytes per Sector: 512

  • Cylinders: 525

  • Sectors per Track: 63

  • Sector Count: 8,437,500

  • Tracks per Cylinder: 255

  • Source data size: 4119 MB

  • Sector count: 8437500

  • MD5 checksum: bf7c9baa773530bb3300fbf3aa5c5f60

  • SHA1 checksum: 6a3965440b9df1a4b61a2e12ff555ec60238f42d

  • Image Information:

  • Segment list:

  • E:\image\maxtor4gb.E01

  • Image Verification Results:

  • MD5 checksum: bf7c9baa773530bb3300fbf3aa5c5f60 : verified

  • SHA1 checksum: 6a3965440b9df1a4b61a2e12ff555ec60238f42d : verified


W v h forensic evidence encase image from c s hard drive l.jpg

W v. H – Forensic EvidenceEnCase Image from C’s Hard Drive

Data on hard drive largely consisted of 0x35, or ASCII 5’s

“555555555555555…”

In binary this is “00110101” which is a common wiping pattern.


W v h forensic evidence windows first run log dated 7 25 l.jpg

W v. H – Forensic EvidenceWindows First Run Log dated 7/25

File: Frunlog.lnkFull Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\Recent\Frunlog.lnkAlias: Extension: lnkFile Type: Shortcut FileCategory: OtherSubject: Created: 7/25/2005 5:48:42 PMModified: 7/25/2005 5:48:44 PMAccessed: 7/26/2005


W v h forensic evidence registry files created 7 25 05 l.jpg

W v. H – Forensic EvidenceRegistry files created 7/25/05

File: SYSTEM.DATFull Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\SYSTEM.DATAlias: Extension: DATFile Type: Windows 9x/Me Registry FileCategory: OtherSubject: Created: 7/25/2005 10:37:22 PMModified: 7/26/2005 6:17:06 PMAccessed: 7/26/2005


W v h forensic evidence registry files created 7 25 0547 l.jpg

W v. H – Forensic EvidenceRegistry files created 7/25/05

File: USER.DATFull Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\USER.DATAlias: Extension: DATFile Type: Windows 9x/Me Registry FileCategory: OtherSubject: Created: 7/26/2005 6:13:06 PMModified: 7/26/2005 6:17:06 PMAccessed: 7/26/2005


W v h forensic evidence w s password file created on 7 25 l.jpg

W v. H – Forensic EvidenceW’s password file created on 7/25

File: MARY.PWLFull Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\MARY.PWLAlias: Extension: PWLFile Type: Windows PWL file (new)Category: OtherSubject: Created: 7/25/2005 5:37:22 PMModified: 7/25/2005 5:37:24 PMAccessed: 7/26/2005


W v h forensic evidence scandisk runs as part of windows9x install on 7 25 l.jpg

W v. H – Forensic EvidenceScandisk runs as part of Windows9x install on 7/25

File: SCANDISK.LOGFull Path: maxtor4gb\Part_1\NO NAME-FAT32\SCANDISK.LOGAlias: Extension: LOGFile Type: Unknown File TypeCategory: UnknownSubject: Created: 7/25/2005 8:22:54 PMModified: 7/25/2005 8:22:56 PMAccessed: 7/25/2005


W v h forensic evidence l.jpg

W v. H – Forensic Evidence

W deleted files in attempt to cover up 7/25 Windows install

Recycle Bin Index

Filename: Dc0.TXT 

Original Name:C:\SETUPXLG.TXT 

Date Recycled:7/25/2005 5:48:41 PM

Removed from Bin:Yes


W v h forensic evidence w swapped hd in dell dimension xps l.jpg

W v. H – Forensic EvidenceW swapped HD in Dell Dimension XPS

  • The computer was manufactured by Dell.

  • Dell maintains online inventory of all systems shipped. Dell reported that W’s computer was shipped on 10/15/1997 with an IBM 6.4GB hard drive.

  • I found a Maxtor 4.0GB hard drive installed in W’s machine. It was not the original hard drive!

  • Who upgrades by putting in a smaller / older hard drive than the original?


W v h conclusion and consequences l.jpg

W v. HConclusion and Consequences

  • I determined:

    • Drive was swapped.

    • The replacement hard drive had been wiped with “5’s”.

    • Windows was installed on evening that W found out about court order arriving at her attorney’s office.

    • Possibility W may still have original hard drive.

  • W faced contempt of court for not producing HD.

  • H opted for civil contempt because we felt W still had original hard drive, and failed to produce it.

  • Case settled before RSC hearing.


Possible remedies for spoliation l.jpg

Possible Remedies for Spoliation

Least Serious

  • Monetary Sanctions

    Less Serious

  • Negative Inference

    Most Serious

  • If P, Dismiss Case

  • If D, Strike Answer, Default Judgment


Consequences of cheating on e discovery dismissal of plaintiff s case l.jpg

Consequences of cheating on e-discovery :Dismissal of Plaintiff’s case

QZO, Inc. v. Moyer, 594 S.E.2d 541 (S.C. Ct. App. 2004). 

Summary:  The Appellate Court affirmed

dismissal in this trade secret case where a former

corporate officer had “reformatted” his hard drive

a day before delivering the computer to the

plaintiff’s expert pursuant to a court order.


Consequences of cheating on e discovery strike s answer default judgment l.jpg

Consequences of cheating on e-discovery :Strike Δ’s Answer, Default Judgment

Commissioner v. Ward, 2003 N.C. App. LEXIS 1099 (N.C Ct. App. 2003).  Docket #:  02-838   

Summary:The defendants refused to cooperate in discovery matters which required plaintiff's counsel to file three different motions to compel. At one of the storage locations the plaintiff found DAT tapes, discs, cassettes, videos, CD ROMs and other electronic data. The DAT tapes were obsolete and the data could not be accessed without knowledge of the underlying software. The defendant admitted accessing the tapes at an earlier time, but refused to answer questions about the software during deposition proceedings. The Court found that the defendants had willfully and intentionally refused to comply with the discovery order and the lower court struck the defendant's answer and prevented defendants from defending and granted default judgment against certain claims. The Appellate Court affirmed the ruling.


Consequences of cheating on e discovery negative inference l.jpg

Consequences of cheating on e-discovery: Negative Inference

Arndt v. First Union Nat'l Bank, 613 S.E.2d 274 (N.C. Ct. App. 2005).

Docket #:  COA04-807 

Summary:  An employer appealed the decision of the jury awarding a former employee wages lost as a result of a unilateral change to his bonus plan. On appeal, the Court affirmed the rulings of the lower court including an adverse inference imposed for failure of the employer to issue a litigation hold after litigation was apparent. The employer failed to preserve certain e-mail and profit and loss electronic documents. The adverse inference instruction read as follows, "Evidence has been received that tends to show that certain profit and loss statements and E-mails were in the exclusive possession of the defendant, First Union; and, [sic] have not been produced for inspection, by the plaintiff or his counsel, even though defendant, First Union, was aware of the plaintiff's claim. From this, you may infer, though you are not compelled to do so, that the profit and loss statements and the E-mails would be damaging to the defendant. You may give this inference such force and effect as you think it should have, under all the facts and circumstances. You are permitted this inference, even if there is no evidence that the defendant acted intentionally, negligently or in bad faith. However, you should not make this inference, if you find that there a [sic] fair frank and satisfactory explanation for the defendant's failure to produce the documents." 


Consequences of cheating on e discovery negative inference arndt v first union nat l bank l.jpg

Consequences of cheating on e-discovery: Negative Inference Arndt v. First Union Nat'l Bank

Summary:  An employer appealed the decision of the jury awarding a former employee wages lost as a result of a unilateral change to his bonus plan. On appeal, the Court affirmed the rulings of the lower court including an adverse inference imposed for failure of the employer to issue a litigation hold after litigation was apparent. The employer failed to preserve certain e-mail and profit and loss electronic documents.


Negative inference language arndt v first union nat l bank l.jpg

Negative Inference LanguageArndt v. First Union Nat'l Bank

"Evidence has been received that tends to show that certain profit and loss statements and E-mails were in the exclusive possession of the defendant, First Union; and, [sic] have not been produced for inspection, by the plaintiff or his counsel, even though defendant, First Union, was aware of the plaintiff's claim. From this, you may infer, though you are not compelled to do so, that the profit and loss statements and the E-mails would be damaging to the defendant. You may give this inference such force and effect as you think it should have, under all the facts and circumstances. You are permitted this inference, even if there is no evidence that the defendant acted intentionally, negligently or in bad faith. However, you should not make this inference, if you find that there a [sic] fair frank and satisfactory explanation for the defendant's failure to produce the documents." 


Issues confronting the use of cf in family court59 l.jpg

Issues confronting the use of CF in Family Court

Issue #2: Unqualified and Unlicensed Computer Forensics Practitioners


Slide60 l.jpg

July 27, 2007 http://www.usdoj.gov/usao/cae

BOGUS EXPERT IN COMPUTER FORENSICS SENTENCED TO 21-MONTH PRISON TERM FOR PERJURY

FRESNO – United States Attorney McGregor W. Scott announced today JAMES EARL EDMISTON, 36, of Long Beach, California, was sentenced by United States District Judge Lawrence J. O’Neill in Fresno to a prison term of 21 months for his convictions of two counts of perjury. He will also be required to serve a term of supervised release of 36 months upon his release from custody.

.


Slide61 l.jpg

EDMISTON had been retained by at least two Fresno criminal defense attorneys to provide computer forensic analysis in several child sexual exploitation prosecutions.

As part of his work on those cases, EDMISTON prepared and executed declarations under penalty of perjury in which he claimed that he had been a computer consultant for twelve (12) years, that he had a master’s degree in computer engineering from the California Institute of Technology, and that he had been qualified as an expert witness in computers and their online usage by numerous state and federal courts throughout California.

An investigation revealed that EDMISTON did not, in fact, have degrees from the California Institute of Technology, the University of California at Los Angeles, or the University of Nevada at Las Vegas, as he alleged.

Court documents show that EDMISTON also concealed his prior criminal record that includes a prison term that he served in the mid-1990s as a result of forgery convictionsin the California Superior Court, Los Angeles County.


Slide62 l.jpg

Despite a lack of credentials to do so, EDMISTON did, in fact, testify under oath as an “expert” in cases in courts in California.

In sentencing EDMISTON to prison, Judge O’Neill specifically commented that,

“the defendant’s crimes went to the very heart of the judicial system which is designed to seek the truth in each case.”


35 states requiring pi licenses for computer forensics and e discovery practitioners l.jpg

35 States Requiring PI Licenses for Computer Forensics and E-discovery Practitioners

Arizona, Arkansas, Connecticut, Florida, Georgia(?), Hawaii, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, West Virginia, Wisconsin

(As of 7/2007)


Sc law requires computer forensic practitioners to be licensed l.jpg

SC law requires Computer Forensic Practitioners to be licensed.

  • PI License (SC Title 40, Chap. 18) “securing evidence” for a civil or criminal legal proceeding.

  • Exempts Licensed Attorney, CPA, or Engineer

  • Exempts employees doing internal investigation for employer, unless employer is a PI Agency.

  • SC Attorney General Opinion (April 2007) SLED to promulgate specific regulations for computer forensics firms. SLED CF Committee working on stiffer regulations now.

  • Out of state CF vendors must be licensed in SC if evidence collected here, or destined for use in a legal proceeding here. (Accountability, Long Arm access)


Issues confronting the use of cf in family court65 l.jpg

Issues confronting the use of CF in Family Court

Issue #3: lack of uniform rules for e-discovery in state court.


Slide66 l.jpg

Need for certainty in e-discovery matters heard in State Court as there is in Federal Court under the revised FRCP.

  • FRCP 2006 revisions have leveled the playing field in federal court in matters involving discovery of electronically stored information.

  • Comparable revisions in the State rules of civil procedure are needed to promote certainty and fairness to all parties, and to simplify the job of the court.

  • National Conference of Commissioners on Uniform State Laws – Model Rules


Take home message l.jpg

Take Home Message

  • Check Licenses and Credentials of CF examiners. (Degrees vs Certification)

  • Question validity of CF evidence.

  • Consider Stiffer Sanctions for willful spoliation to curb abuses of the discovery process.

  • Promote the adoption of Uniform rules for E-Discovery in State Courts.


Questions l.jpg

Questions?

Abrams Millonzi Law Firm, P.C.

Abrams Computer Forensics

1558 Ben Sawyer Blvd., Suite D

Mount Pleasant, SC 29464

(843) 216-1100

[email protected]


  • Login