Computer Forensics Challenges of 2008; The major issues affecting the use of digital forensics in family law cases in South Carolina. Presented by Steven M. Abrams, J.D., M.S. Abrams Millonzi Law Firm, P.C.
Steven M. Abrams, J.D., M.S.
Abrams Millonzi Law Firm, P.C.
Computer Forensics Bio
Computer forensics, also called cyberforensics and digital forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.
Forget dumpster diving. Computers harbor more personal information and secrets than anyone can discard into a 20-gallon trash container. A typical computer holds information people once stored in wallets, cameras, contact lists, calendars, and filing cabinets. Computers are the treasure trove of personal contacts, personal finance, and correspondence.
"Practically every investigation - can benefit from the proper analysis of the suspect's computer systems."
- Incident Response, Investigating Computer Crime, Pg.88
An actual domestic relations case example
The names of the parties have been changed to protect their identities.
(Movie has been renamed Dc73.MPG by Recycler, and is still intact!)
Listen to the accent in the speaker’s voice
(Signature from paramour’s deleted email recovered with FTK)
Michael E. Smith
Metropolitan Plumbing Co., Inc.
Comprehensive Business Report
Company Name: METROPOLITAN PLUMBING CO INC
Address: HICKSVILLE, MA 02799
Phone: (508) 632−6969
MICHAEL SMITH, SSN: 025−55−0000,
Date Last Seen: Apr, 2005
HICKSVILLE, MA 02799
MICHAEL SMITH, SSN: 025−55−0000, PRESIDENT,
Date Last Seen: Apr, 2006
Name: MICHAEL E SMITH
Date of Birth: 04/1965
SSN: 025−55−0000 issued in
Massachusetts between 01/01/1971 and 12/31/1973
MICHAEL E SMITH − 591 MARKET ST, FRANCIS MA 02099−1513,
NORFOLK COUNTY (May 1993 − Sep 2006)
SMITH MARY ANNE (508) 540−1234
It’s now a simple matter to place Michael under surveillance and have him lead us to Lisa, who is waiting for him at a local roadside motel.
Issue #1: Willful Spoliation – An increasingly common occurrence
Willful, deliberate spoliation is becoming an increasingly common occurrence in domestic relations matters.
You are called in to examine a computer produced in response to a court order. Upon opening the case of the eight-year-old computer, which you note was missing the screws that hold the cover closed, you observe the following…
Dust Bunnies!
The Hard Drive was
Wiping can be detected in two ways:
Includes any attempt to alter the data on the hard drive
Analysis of artifacts within several key areas of the hard drive can lead to conclusive evidence of willful spoliation and evidence tampering. (For example: reformatting HD)
The key areas include;
What is metadata?
Microsoft Office files include metadata beyond their printable content, such as the original author's name, the creation, modification, and access date and time of the document, and the amount of time spent editing it. Unintentional disclosure can be awkward or even raise malpractice concerns.
Williams v. Sprint/United Mgmt. Co., 2005 U.S. Dist. LEXIS 21966 (D. Kan. Sept. 29, 2005).
Hard drive pristine!
Data on hard drive largely consisted of 0x35, or ASCII 5’s
In binary this is “00110101” which is a common wiping pattern.
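One way to measure the single-byte fill described above on a raw image, as an added example that is not part of the original presentation. The 512-byte sector size, the 50% threshold and the function names are assumptions, and the sample image is constructed.

```python
import io
from collections import Counter

SECTOR = 512  # assumed sector size in bytes


def uniform_fill(sector: bytes):
    """Return the fill byte if every byte in the sector is identical, else None."""
    if sector and sector.count(sector[0]) == len(sector):
        return sector[0]
    return None


def wipe_report(stream, sector_size=SECTOR, threshold=0.5):
    """Read a raw image sector by sector and summarize single-byte fills.

    Zero-filled sectors are counted separately: they also occur on space
    that was never written, so on their own they are ambiguous. A non-zero
    byte such as 0x35 repeated across most of a drive is not.
    """
    fills, total = Counter(), 0
    while True:
        chunk = stream.read(sector_size)
        if not chunk:
            break
        total += 1
        fill = uniform_fill(chunk)
        if fill is not None:
            fills[fill] += 1
    nonzero = {b: n for b, n in fills.items() if b != 0x00}
    dominant = max(nonzero, key=nonzero.get) if nonzero else None
    ratio = nonzero[dominant] / total if dominant is not None else 0.0
    return {"sectors": total, "zero_filled": fills.get(0x00, 0),
            "dominant_fill": dominant, "dominant_ratio": ratio,
            "suspected_wipe": ratio >= threshold}


def sample_image() -> bytes:
    """Constructed sample: 4 sectors of varied data, 90 of 0x35, 6 of 0x00."""
    varied = bytes(range(256)) * 2 * 4
    return varied + b"\x35" * (SECTOR * 90) + b"\x00" * (SECTOR * 6)


if __name__ == "__main__":
    report = wipe_report(io.BytesIO(sample_image()))
    print(report, "fill char:", chr(report["dominant_fill"]))
```

For a real examination, pass a read-only file object opened on the forensic image rather than the in-memory sample.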
File: Frunlog.lnk
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\Recent\Frunlog.lnk
Alias:
Extension: lnk
File Type: Shortcut File
Category: Other
Subject:
Created: 7/25/2005 5:48:42 PM
Modified: 7/25/2005 5:48:44 PM
Accessed: 7/26/2005

File: SYSTEM.DAT
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\SYSTEM.DAT
Alias:
Extension: DAT
File Type: Windows 9x/Me Registry File
Category: Other
Subject:
Created: 7/25/2005 10:37:22 PM
Modified: 7/26/2005 6:17:06 PM
Accessed: 7/26/2005

File: USER.DAT
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\USER.DAT
Alias:
Extension: DAT
File Type: Windows 9x/Me Registry File
Category: Other
Subject:
Created: 7/26/2005 6:13:06 PM
Modified: 7/26/2005 6:17:06 PM
Accessed: 7/26/2005

File: MARY.PWL
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\MARY.PWL
Alias:
Extension: PWL
File Type: Windows PWL file (new)
Category: Other
Subject:
Created: 7/25/2005 5:37:22 PM
Modified: 7/25/2005 5:37:24 PM
Accessed: 7/26/2005

File: SCANDISK.LOG
Full Path: maxtor4gb\Part_1\NO NAME-FAT32\SCANDISK.LOG
Alias:
Extension: LOG
File Type: Unknown File Type
Category: Unknown
Subject:
Created: 7/25/2005 8:22:54 PM
Modified: 7/25/2005 8:22:56 PM
Accessed: 7/25/2005
W deleted files in attempt to cover up 7/25 Windows install
Recycle Bin Index
Date Recycled: 7/25/2005 5:48:41 PM
Removed from Bin: Yes
QZO, Inc. v. Moyer, 594 S.E.2d 541 (S.C. Ct. App. 2004).
Summary: The Appellate Court affirmed dismissal in this trade secret case where a former corporate officer had “reformatted” his hard drive a day before delivering the computer to the plaintiff’s expert pursuant to a court order.
Commissioner v. Ward, 2003 N.C. App. LEXIS 1099 (N.C. Ct. App. 2003). Docket #: 02-838
Summary: The defendants refused to cooperate in discovery matters which required plaintiff's counsel to file three different motions to compel. At one of the storage locations the plaintiff found DAT tapes, discs, cassettes, videos, CD ROMs and other electronic data. The DAT tapes were obsolete and the data could not be accessed without knowledge of the underlying software. The defendant admitted accessing the tapes at an earlier time, but refused to answer questions about the software during deposition proceedings. The Court found that the defendants had willfully and intentionally refused to comply with the discovery order and the lower court struck the defendant's answer and prevented defendants from defending and granted default judgment against certain claims. The Appellate Court affirmed the ruling.
Arndt v. First Union Nat'l Bank, 613 S.E.2d 274 (N.C. Ct. App. 2005).
Docket #: COA04-807
Summary: An employer appealed the decision of the jury awarding a former employee wages lost as a result of a unilateral change to his bonus plan. On appeal, the Court affirmed the rulings of the lower court including an adverse inference imposed for failure of the employer to issue a litigation hold after litigation was apparent. The employer failed to preserve certain e-mail and profit and loss electronic documents. The adverse inference instruction read as follows, "Evidence has been received that tends to show that certain profit and loss statements and E-mails were in the exclusive possession of the defendant, First Union; and, [sic] have not been produced for inspection, by the plaintiff or his counsel, even though defendant, First Union, was aware of the plaintiff's claim. From this, you may infer, though you are not compelled to do so, that the profit and loss statements and the E-mails would be damaging to the defendant. You may give this inference such force and effect as you think it should have, under all the facts and circumstances. You are permitted this inference, even if there is no evidence that the defendant acted intentionally, negligently or in bad faith. However, you should not make this inference, if you find that there a [sic] fair frank and satisfactory explanation for the defendant's failure to produce the documents."
Issue #2: Unqualified and Unlicensed Computer Forensics Practitioners
BOGUS EXPERT IN COMPUTER FORENSICS SENTENCED TO 21-MONTH PRISON TERM FOR PERJURY
FRESNO – United States Attorney McGregor W. Scott announced today JAMES EARL EDMISTON, 36, of Long Beach, California, was sentenced by United States District Judge Lawrence J. O’Neill in Fresno to a prison term of 21 months for his convictions of two counts of perjury. He will also be required to serve a term of supervised release of 36 months upon his release from custody.
As part of his work on those cases, EDMISTON prepared and executed declarations under penalty of perjury in which he claimed that he had been a computer consultant for twelve (12) years, that he had a master’s degree in computer engineering from the California Institute of Technology, and that he had been qualified as an expert witness in computers and their online usage by numerous state and federal courts throughout California.
An investigation revealed that EDMISTON did not, in fact, have degrees from the California Institute of Technology, the University of California at Los Angeles, or the University of Nevada at Las Vegas, as he alleged.
Court documents show that EDMISTON also concealed his prior criminal record that includes a prison term that he served in the mid-1990s as a result of forgery convictions in the California Superior Court, Los Angeles County.
In sentencing EDMISTON to prison, Judge O’Neill specifically commented that,
“the defendant’s crimes went to the very heart of the judicial system which is designed to seek the truth in each case.”
Arizona, Arkansas, Connecticut, Florida, Georgia(?), Hawaii, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, West Virginia, Wisconsin
(As of 7/2007)
Issue #3: Lack of uniform rules for e-discovery in state court