Skip to content

Minimizing the Risk of Employee Theft, Tampering or Destruction of Corporate Data

In 2008, an ex-network administrator for the City of San Francisco refused to give up passwords to the city’s wide area network, effectively locking the city out of its own system and leaving the network without administrative control for 12 days.  The incident cost the city approximately $900,000, spent on trying to regain control of its network.  The ex-network administrator was recently convicted and sentenced to four years in state prison.

This may seem like an extreme case, but similar situations can happen in any business setting and can cost thousands of dollars to remedy, or more in lost revenue.  There are a number of ways employees can effectively “lock” their employer out of their company issued computer.

  • Hard Drive Encryption: Employees can load free software to encrypt the hard drive and make accessing information and recovery difficult or impossible.
  • Hard Drive Wipe: Employees can use commercial and free wiping tools to wipe their hard drive of information.
  • Vanish Software:  A type of software that can destroy all copies of data after a period of time specified by the user – making the data unrecoverable.
  • Password Protection of File: Employees can password protect files on the company computer and refuse to reveal the password, as evidenced in the case above.
  • Destroy Computer: Employees can remove a computer hard drive and physically destroy it.

When employees use the above techniques to “lock” or destroy their hard drive, often, investigators can no longer access the drive’s contents, or the drive’s contents may be erased, leaving no information for the investigator to find.  Although the files and the information held within the files are unrecoverable, evidence of the above mentioned wiping tools can usually still be found.

As the City of San Francisco found out in 2008, it can cost employers thousands of dollars to regain control of their information, and can even result in lost court cases due to missing evidence, lost physical and intellectual property, and can also result in lost business and/or clients.

If employers are interested in protecting themselves from employee theft, information tampering or data destruction, the following list of considerations should be addressed to ensure information protection.

  • Do you limit employees’ ability to wipe or encrypt company issued computer hard drives? It is possible to limit employees’ ability to download software like Drive Scrubber or TrueCrypt, making it difficult for employees to load harmful software on their computers.
  • Do you disable user’s ability to write to external media (USB, CD, DVD, etc)? Disabling user’s ability to write to external media discourages the saving of files to media and taking off-site, and maybe to a competitor.
  • Do you require employees to store all information on the network, not on desktops or laptops? Requiring employees to store all information on the network prevents information from being lost or stolen if a laptop is taken off-site.  Networks are also backed up.  If an employee was to delete or corrupt information, a backup would exist.  Additionally, many networks will provide an audit trail of user activity, which could help to link file activities to employee user accounts.
  • Are strong policies written and in place for storage and use of information? Well written policies for storage and use of information are critical because they allow employees to understand their roles and responsibilities within predefined limits.  Employees understand how data is to be used, stored and accessed and a well written and instituted policy will hold employees accountable, and may spell out any legal liability.
  • Are backup and data retention policies and procedures in place and followed to preserve documents and activity on the network? Backup and data retention policies are important for the preservation of information.  If data is deleted or corrupted, intentional or unintentional, a backup copy would exist and the data would be recoverable.
  • Have you considered the risk of new technologies used by your employees? As technology advances, so does the opportunity for misuse.  PDAs and cell phones now allow a user to transport large amounts of information.  Users taking information off-site significantly increases the company’s risk of lost or stolen information.

Posted in Computer Forensics.

By Perry-Smith LLP

Computer Forensics in the Court Room

Computer Forensic evidence may play a critical role in helping ascertain the facts in your case if the appropriate steps are taken in a timely manner and you fully understand what evidence may be available to you.

Three recent court cases have illustrated how Computer Forensic investigations can assist in trade secrets, probate and estate investigations and employment law.

Deceuninck North America v. Michael Hutfless and Sensibuilt Building Solutions, Inc.
Computer forensic evidence assisted Deceuninck North American (DNA) in winning a $1.158 Million verdict in a trade secrets case against a former employee and the company he went to work for, Sensibuilt. DNA sued the former vice president and the deck manufacturing company he went to work for, for misappropriation of trade secrets. When DNA learned that the former employee had gone to work for Sensibuilt, a computer forensic investigation of his DNA work computer led to the discovery that he had downloaded more than 2,000 of DNA’s confidential documents onto a USB flash drive just prior to departing the company. The forensic investigation also uncovered that the employee “wiped” clean his home computer’s hard drive, further impairing discovery. For more information on wiping, please visit our previous article: Is it possible to permanently delete data off of a computer, making it unrecoverable?

Pool v. Diana, Court of Appeals of Texas, Third District, Austin. No. 03-08-00363-CV
In the case Pool v. Diana, a computer forensics investigation proved that allegations of will forgery were false and unfounded. A computer forensic examiner’s analysis of a will’s creation software showed that the software had been used a few weeks prior to the will’s execution, along with duplicate drafts of the will being stored on the machine. A comparison of the will residing on the machine, with the will that was executed for probate showed that the will was not a forgery.

Stengart v. Loving Care Agency Inc., Superior Court of New Jersey, No. A-3506-08T1
In a unanimous decision, the New Jersey Supreme Court ruled that attorney-client privilege applied to e-mails sent by an employee using a company-issued laptop to her lawyer through a personal Web-based email account, eliminating Loving Care’s contention that its electronic communications policy eliminated her expectation of privacy. A computer forensic expert hired by Loving Care recovered e-mails that were saved to the computer’s hard drive by Stengart’s web browser. Loving Care’s lawyers reviewed the emails and used the information during discovery, and Stengart’s attorney sought to have them returned under attorney-client privilege. The policy allowed for incidental personal use, but specified that the company reserved the right to “review, audit, intercept, access, and disclose all matters…with or without notice.”

The court disagreed, and found that Stengart had a reasonable expectation of privacy because she used a personal e-mail account; and the company’s policy didn’t specifically address use of private web-based email. This ruling highlights the importance of maintaining a precisely drafted electronic communications policy. Most companies don’t have this issue covered, and may need to add more specificity to existing e-communications policies to make it clear that, even where incidental personal use is allowed, there’s no expectation of privacy.

The cases noted above illustrate how computer forensics can assist in establishing where documents are saved, copied or even deleted. Computer forensic investigation can also establish timelines of document and program use, including but not limited to, creation, modification, copy, and/or deletion. They also illustrate how important electronic communication policies have become to business.

If you think that a computer in your organization may contain important evidence, there are a few important steps that should be taken in order to preserve that evidence. First being, immediately cease any and all use of the computer in question, and be sure to secure the computer to prevent anyone from unknowingly using it. For advice on further steps, please visit our previous article: I think that a computer in my organization may contain important evidence. What are the first steps I should take?

Posted in Computer Forensics.

By Perry-Smith LLP

Reducing Computer Forensic and eDiscovery Costs

Whether we like it or not, computers are playing an even greater part of our every day lives. On a daily basis we interact with computers or devices that hold data, such as our home computer used for checking email or web browsing, our iPod for listening to music, or our BlackBerry’s for checking in with the office email. Computers are everywhere and a lot of people even have these computer devices with them at all times.

“Just about every phase of our life has computers involved, well that carries over in the crime aspect as well,” said Mel Joiner, Supervisor with Computer Crimes Division at the National White Collar Crime Center, or NW3C.

The implications of an Always-Connected society are that so many things we do are based on an interaction with a computer device. For a forensic examiner this means that there are numerous sources that could contain the evidence you are searching for in your investigation. In the past, if a computer device was suspected of containing pertinent evidence, a computer forensics examiner would seize the computer device in order to perform a full forensic search.

While the full seizure and subsequent search may still be required in certain circumstances, it is no longer the only option. There are new computer forensic tools and techniques available that can significantly reduce the costs associated with performing a computer forensic investigation.

These forensic techniques called preview searches still maintain the integrity of the potential evidence and offer insight into the relevance of evidence that may be contained on that computer or device.

An example where preview searches can be deployed is in an internal human resources investigation regarding an employee’s internet conduct. In a recent investigation, we were asked to determine if an employee was spending time on internet auction sites during normal work hours. To aid in an efficient investigation, yet maintain evidentiary integrity, we performed a live preview search of the individuals work computer internet history. Upon determining that the employee had accessed the internet auction site eBay on a daily basis for 12 consecutive business days, it was determined that a full computer search was warranted. If we had not performed the preview search, time could have been wasted obtaining a full forensic image of the hard drive where no misconduct had occurred.

Preview search is also useful in determining if a computer contains documents or emails that reference certain individuals. If the preview search reveals that emails to and from a certain individual are present, a full forensic copy of the hard drive can be obtained for further investigation. If the preview search does not yield any relevant search hits, the computer could potentially be disregarded for the investigation or eDiscovery compliance.

Posted in Computer Forensics. Tagged with .

By Perry-Smith LLP

What is Metadata?

Metadata is defined as “data about data”, or more simply, electronic data not necessarily seen on a printed document.

There are two types of metadata, internal and external.  Internal metadata is metadata about a specific file and is saved by the program that created the file (i.e. Microsoft Word).  Computer operating systems also keep metadata of their own; this can be considered external metadata. 
 
The Windows operating system requires a filing system to know where each file is located to allow files to be accessed when called upon.  This filing system is called the Master File Table (MFT).  The MFT contains external metadata about each file and can include, but is not limited to:

  • Date file was created, modified, accessed
  • Location of file on the hard drive
  • Physical and logical size of the file

An example of internal metadata can be found in every Microsoft document.  This information may include, but is not limited to:

  • Name and/or initials of person who created the file
  • Name of the computer on which the file was created
  • Name of previous document owners
  • Document versions

Microsoft Office (including Word, Excel, Access and PowerPoint) is not the only application that embeds internal metadata.  In fact, most applications do, including PDF files which have embedded author, title or other information.  JPEG image files also contain internal metadata that may include the following:

  • Make and model of the digital camera
  • Time and date the picture was taken
  • Distance the camera was focused at
  • GPS location information where the picture was taken
  • Small preview image (thumbnail) of the picture

Metadata can be an important part of a computer forensics investigation when the author or timeline of a file related to the creation, opening or saving of that file is imperative to determine.  Metadata can be extracted using computer forensic software.  Recent examples of metadata usage in litigation include:

  • Determining the date when a USB device was inserted into a computer
  • Determining what user last saved and printed a Microsoft Word file
  • Determining when a PDF file was first placed in a directory on a company’s main file server

Posted in Computer Forensics. Tagged with .

By Perry-Smith LLP

The Plain View Doctrine and Electronic Searches

The Ninth Circuit Court of Appeals ruled in the case United States of America v. Comprehensive Drug Testing, Inc., and set guidelines for investigators who are looking for electronic evidence. 
 
Case background:  
         
Federal investigators obtained a warrant to search the computer records of a laboratory that in 2003 had tested hundreds of Major League Baseball players for steroid use.  The warrant authorized obtaining the records of 10 players. In the course of searching computer records for the 10 players, government investigators came across evidence of illegal drug use by others and argued they had a right to seize those records as well.
 
Generally, the plain view doctrine applies, for example, when police officers execute a search warrant for a certain type of weapon and walk in to find drug paraphernalia on the table.  In that case, the drug paraphernalia may be used to support additional charges.  Though drug paraphernalia wasn’t included in the search warrant, the officers didn’t have to do anything to find it. It was in plain view.
 
However, the Ninth Circuit determined the plain view doctrine should not apply in this case involving Major League Baseball and the Laboratory. Unlike the example above, the investigators didn’t just come across evidence against other players.  The directories and files had to be opened. Quoting the court:
 
To allow investigators to search through every file, and act on any evidence of illegality they find there, “creates a serious risk that every warrant for electronic information will become, in effect, a general warrant, rendering the Fourth Amendment irrelevant.”
 
The court then set out the following requirements for executing search warrants on digital evidence.

  • Officers applying to search digital devices have to waive the plain view doctrine
  • The search must be conducted by a third party (i.e. Computer Forensics experts)
  • The third party will then turn over only the evidence included in the warrant to the investigators
  • If illegal material not covered in the search warrant (like child pornography) is recovered, it is to be destroyed
  • Any other evidence not covered in the warrant would then be returned to the device owner.

To date, there have been no real implications of this decision in civil cases, although it may alter criminal matters.  Implications for criminal cases include third parties being required to conduct the search, requirements for specific search criteria within search warrants, and any recovered evidence not covered in the original warrant would be then required to be returned to the device owner.

The potential impact and lesson to be learned for civil cases is two-fold.  First, unlike criminal cases where illegal material not covered in the search warrant must be destroyed, in civil matters, forensic experts would be obligated to report to the appropriate authorities any recovered content that may be illegal.  Second, we can learn from the last requirement regarding evidence not covered in the warrant having to be returned to the device owner. The lesson to be learned and applied to civil matters is to ensure that the scope of any search performed by a computer forensic expert is clearly spelled out in advance.  This may be done via a protective order, including keywords to be searched in a writ of possession, or in an expert retention letter.

Posted in Computer Forensics. Tagged with .

By Perry-Smith LLP

I think that a computer in my organization may contain important evidence. What are the first steps I should take?

The first step one should take in this situation is to immediately cease any and all use of the computer in question. Further use of this computer may damage any relevant evidence. If the suspected computer is turned off, it should remain off. Be sure to secure the computer at this point to prevent anyone from unknowingly using it.

If the computer is on, it is important that you do not go through a normal shutdown process. Instead, call a computer forensic expert for immediate instructions on what to do next. It is also imperative that you do not allow the internal IT staff to conduct a preliminary investigation. At this point all you have is information and data; there is no evidence. Unless the internal IT staff is certified in computer forensics and trained on evidentiary procedures, they may not have maintained the chain of custody or followed other accepted evidence techniques. Secondly, even if proper evidence handling techniques have been used, the collection process itself has been altered and likely tainted the data collected. By opening, printing and saving files the meta-data has been permanently changed. Lastly, the act of turning on the computer changes caches, temporary files and slack file space which along with the alteration of the meta-data may have seriously damaged or destroyed any evidence that was on the computer.

Even if extensive damage is done by the internal IT staff, a computer forensics expert may be able to salvage the damaged evidence. However, this can be a time-consuming process which often costs several times more than the original analysis would have cost. Nevertheless, it is not always possible to restore evidence from computers that have been mishandled. You will want to keep a detailed log of who had access to the machine in question, what was done to it and where the computer has been stored since the dates in question. If the hard drive is removed for a forensic examination, be sure to document the date and time in the system and note whether it differs from the current time.

It is relatively easy to avoid the most common procedural mistakes when it comes to computer forensics. Do not solely rely on the internal IT staff for computer forensics investigations. If there is even a small chance that evidence from a suspected computer system will be needed, consult a Computer Forensic expert to assist or perform an analysis to forensically collect and report on any potential evidence.

Posted in Computer Forensics. Tagged with .

By Perry-Smith LLP

The Art of Keyword Searching

In our July issue of Computer Forensics for Attorneys, we discussed California Assembly Bill No. 5 – The E-Discovery Act.  As a follow up, we want to call attention to the need for careful consideration of keyword search terms in e-discovery.
 
Keyword searching is a very popular and important part of the e-discovery process and computer forensic investigations.  Keyword searches are most commonly used to search for specific terms appearing in repositories of electronic data.  Keyword searches can be an effective tool for finding documents needed in litigation.  However, keyword searches are far from perfect and will identify only those electronic documents containing the precise terms specified.  The keyword search will not catch documents using words that are close, but not identical to the search terms such as: abbreviations, synonyms, nicknames, initials or misspelled words.  On the other hand, using more search terms may reduce the risk that an electronic search will miss a relevant document, however, only at the price of increasing, often dramatically, the number of irrelevant documents found in the search.  This a serious problem because counsel must manually review whatever documents the searches yield in order to sift out unrelated documents, make privilege determinations and designate confidential documents.
 
In the case of William A. Gross. Constr. Assocs., Inc. v. Am. Mfrs. Mut. Ins. Co., 2009, the defendant agreed to produce the relevant documents of a non-party construction manager.  Disagreement arose amongst the parties regarding appropriate search terms to segregate project related emails from the construction manager’s unrelated emails.  The construction manager offered no potential search terms and the court was forced into the “uncomfortable position” of crafting a search without adequate information.  The court took this opportunity to write a brief opinion addressing the need for care and collaboration in crafting search terms.  The court presented an excerpt from an opinion of Magistrate Judge Paul Grimm regarding the proper selection of keyword terms:
 
“While keyword searches have long been recognized as appropriate and helpful for ESI search and retrieval, there are well-known limitations and risks associated with them, and proper selection and implementation obviously involves technical, if not scientific knowledge. – Selection of the appropriate search and information retrieval technique requires careful advance planning by persons qualified to design effective search methodology.  The implementation of the methodology selected should be tested for quality assurance, and the party selecting the methodology must be prepared to explain the rationale for the method chose to the court, demonstrate that it is appropriate for the task and show that it was properly implemented.”
 
The court’s opinion gave a clear warning that it is imperative that the topic of keyword searches goes beyond that of a layman and requires cooperation of opposing counsel and computer forensics and e-discovery experts.

Posted in Computer Forensics. Tagged with .

By Perry-Smith LLP

Data Recovery Myths and Misconceptions

Attorneys are often provided hard disks or other media with potential evidence or other important data.  What if that hard drive won’t start up (boot)?  When a hard drive won’t work, it is usually because of one of two reasons: 1) corrupted data that is not allowing the drive to boot, and/or 2) a physical problem with the disk.  There are quite a few myths about what to do when a hard drive won’t work.  It’s likely you’ve heard at least one of the following myths:

  • Hit, Slap, Drop or Tap It – Though tapping the hard drive may end up loosening the drive arm; it most likely that this will cause damage to the hard drive.
  • Freeze or Heat It – Heating a hard drive can lead to melted parts, and freezing a hard drive can result in condensation inside the drive, in other words, water in the hard drive.  Do not freeze or heat a hard drive in attempts to get it to work.
  • Open and Spin It – Hard drives are manufactured in areas that have virtually no air contaminants.  Opening a hard drive in a normal home or office, no matter how clean it may be, will expose the hard drive to dust and humidity, hard drives worst enemies. 
  • Use Norton – Some data recovery software does work when there is a pure logical problem.  The difficulty comes when the disk is showing some kind of physical problem.  In this case, the software ends up doing more physical harm than good.  In order to use data recovery software, it is important that you know the drive is having a software problem, not a physical one.
  • It’ll Fix Itself – Often times, hard drives will start up again if left alone.  But the most important thing to remember is, if it starts up, make sure you are prepared and are able to backup your data immediately!

While most of these myths may carry some truth, the fact of the matter is, using any of these methods to jump-start a hard drive will usually cause irreparable damage to the hard drive and data contained in it.  Data recovery is a specialty because many people and companies can suffer great losses if they lose their data in an accident with no backup.  If a hard drive is experiencing a software problem, problems in the programming, it is likely that data can be recovered from the drive, but only if the drive is in physically good condition.  In most cases, a data recovery expert can assist in this process.

Posted in Computer Forensics. Tagged with .

By Perry-Smith LLP

Are there certain steps I should advise my client to protect their organization when employees exit?

In a recent study conducted by a national IT security firm, nearly half of all financial services and Wall Street workers in New York admitted to being worried about layoffs and in preparing for the worst, more than half of them said they had already downloaded competitive corporate data that they planned to use to get their next jobs.  In good times and bad, the following steps should be taken to ensure that systems and data will be protected when employees exit.
  • Know your employees access and enable role-based security: Actively document and review all users’ access to critical applications and data as well as the physical building, and additionally employees’ access should always be role-based.
  • Get IT involved early: In order to ensure proper new user access and timely terminated employee access removal, it is important for IT to be tightly synchronized with HR.
  • Enact security programs & policies: Make sure the organization is using systems to secure content, prevent data loss and manage threats.  Such systems include firewalls, content and spam filtering tools and antivirus software.  Additionally, having the ability to monitor and evaluate how access rights are being used is critical to identifying system misuse.
  • Part on good terms, but plan for bad times: Even if a layoff goes smoothly, a company should still collect evidence of its own due diligence in case there’s some sort of investigation in the future.  For example, taking and retaining an image of existing employees’ computers may prove to be an inexpensive tool that can be used in the future if litigation were to arise.

Posted in Computer Forensics. Tagged with .

By Perry-Smith LLP

Is it possible to permanently delete data off of a computer, making it unrecoverable? What kind of tools do this?

In the last article of Computer Forensics for Attorneys, we discussed deleted files on hard drives and how the data is recoverable in most cases.  We explained that deleted files are just like any other file on the hard drive; however, the file has been marked as available to be overwritten.  Until that file has been overwritten, the file is still recoverable.

It is possible to permanently delete files off a computer, effectively making them unrecoverable.  However, software tools must be used to facilitate this process.  There are a number of commercial and free wiping tools available including Drive Scrubber, Active@ Kill Disk, Eraser, Summit Hard Disk Scrubber, and Darik’s Boot & Nuke also known as “DBAN”.  These utilities work by writing either random data or strings of zeroes and/or ones to every sector of the hard drive that is marked as available to be overwritten.  In addition, a number of whole disk encryption utilities will also include this capability and allow for wiping of individual files.

If files have been wiped from a hard drive, they become unrecoverable during a computer forensic investigation.  Though the files and the information held within the files are unrecoverable, evidence of the above mentioned wiping tools can usually still be found.

Posted in Computer Forensics. Tagged with .

By Perry-Smith LLP