Tomorrow afternoon, I am taking the CHFI exam.  While studying through the official 2,721-page exam courseware, I encountered a “case study” that was laughable.  Let me share it with you.

TargetMac and OneMac are two magazines that cater to the growing number of iPod users. The CEO of TargetMac is Bryan Smith and the CEO of OneMac is John Beetlesman.  Bryan calls John one day and convinces him to purchase TargetMac.  The lawyers of both companies were called in to finalize the deal.  The lawyers draft the sale contract, which restricts removal of sensitive and confidential information and non-solicitation of TargetMac customers and working staff. A non-compete clause was also added in the agreement.

It has been two years and John Beetlesman is suspicious about Bryan’s activities.  John suspects Bryan has breached the contract.  John knows that you are a CHFI professional and provide computer forensics services to his clients.  John’s company lawyer, Smith Franklyn, contacts you to investigate and provide evidence to support the breach of contract so that John can file a lawsuit against Bryan at the local civil court in San Francisco, California.

How do you investigate this incident?

1. You want to examine the hard disk and laptop computers at Bryan’s home and office for evidence.
2. You ask the lawyer Smith Franklyn to obtain a search and seizure warrant for Bryan’s home located at 37 Albert Avenue, San Jose and his office located at 46 Mathew Street, Santa Monica.
3. Smith Franklyn works with the local District Attorney to obtain the required search warrant.
4. Smith Franklyn and you visit Bryan’s home and seize his computer, which is an HP Pavilion Model 1172.
5. You later visit Bryan’s office and seize his laptop, floppy disks and CD-ROMs.
6. You place the devices carefully in anti-static bags and transport them to the forensics laboratory.
7. Create a bit-stream image of the hard disk using tools such as R-Drive and the Linux dd command.
8. Generate MD5 or SHA-1 hashes of the bit-stream images.
9. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
10. You are ready for investigation.
11. You are asked to retrieve: a. Any document in the computer which shows proof for breach of contract.
12. You load the bit-stream image in AccessData Forensic Tool Kit (FTK) and browse every single file in the file system.
13. You also read every single email displayed in FTK.
14. After many days/nights of investigation you retrieve the following crucial evidence:

a. Encrypted file titled “Business Plan AppleMac Magazine”
b. Excel spreadsheet “revenuestreams.xls”
c. Numerous email messages back and forth with his investors.

15. You run a password-cracking utility to crack the encrypted file “Business Plan AppleMac Magazine.doc” and the password was “planapple”.
16. These above documents clearly indicate that his new business would compete with TargetOnes’s business.
17. You copy these files to a CD-ROM.
18. You use FTK report facility feature and produce a professional report.
19. You deliver the report to the company along with the fee for the forensics service you rendered.

Based on your submitted report the lawyer, Smith Franklyn, initiates a $20 million lawsuit against Bryan. After two weeks the court of law holds Smith Franklyn Bryan guilty and asks to pay the amount.
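Steps 7 through 9 of the case study (image the disk, hash the image, record the chain of custody) are the one part of it that reflects sound practice, so as an added illustration that is not from the courseware, here is how the hash record and the later verification of the working copy can be done in Python. The evidence id, custodian name and the sample image bytes are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "bit-stream image". In practice this is the file written by
# dd or R-Drive in step 7 and would be read from disk in chunks, not held in memory.
SAMPLE_IMAGE = b"MBR\x00" * 1024 + b"Business Plan AppleMac Magazine" + b"\x00" * 4096


def hash_image(data, chunk_size=1 << 20):
    """Return MD5 and SHA-1 hex digests of an image (step 8). Both digests are
    fed from the same chunks so a large image is walked only once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def custody_entry(evidence_id, data, custodian, action):
    """One chain-of-custody record (step 9): who did what to which item and when,
    plus the acquisition hashes that let anyone later prove the image is unchanged."""
    return {
        "evidence_id": evidence_id,
        "custodian": custodian,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(data),
        **hash_image(data),
    }


def verify_working_copy(entry, data):
    """Check the copy loaded into the analysis tool (step 12) against the custody
    record. Size is a cheap early failure; then both digests must match."""
    if len(data) != entry["size_bytes"]:
        return False
    current = hash_image(data)
    return current["md5"] == entry["md5"] and current["sha1"] == entry["sha1"]


def flip_byte(data, offset):
    """Constructed tampering scenario: return a copy with a single bit changed."""
    copy = bytearray(data)
    copy[offset] ^= 0x01
    return bytes(copy)


if __name__ == "__main__":
    entry = custody_entry("HP-Pavilion-1172-HDD", SAMPLE_IMAGE, "examiner", "acquired")
    print(entry)
    print("working copy intact:", verify_working_copy(entry, SAMPLE_IMAGE))
    print("tampered copy intact:", verify_working_copy(entry, flip_byte(SAMPLE_IMAGE, 5000)))
```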

In my judgment, this portion of the courseware was not written with the aid of an attorney.  First, in a civil matter (a breach of contract), one does not obtain a “search and seizure warrant” with the aid of the district attorney.  A plaintiff first files suit, then issues a narrowly tailored request for production (or a subpoena, if the property belongs to a third party), and then awaits opposing counsel’s Motion to Quash and for Protective Order.

Second, assuming the Court finds that the suit is not a fishing expedition (which this fact pattern appears to be), an adverse party would never be entitled to “visit Bryan’s home and seize his computer . . . and later visit Bryan’s office and seize his laptop, floppy disks and CD-ROMS.”  Instead, one would expect to retain a third-party vendor to search for potentially responsive ESI, or the court would appoint a special master for that same purpose.

This calls to mind a recent decision by the Colorado Supreme Court in November in the case of Cantrell v. Cameron, 195 P.3d 659 (Colo. 2008) (en banc).  The case arose from a traffic accident in which the allegedly negligent party (Cameron) was accused of using his laptop computer while driving.  Cantrell asked to inspect Cameron’s laptop for evidence that it was in use at the time of the accident.  Cameron agreed to a limited inspection, but wouldn’t produce the laptop without a written agreement limiting the scope of the inspection.  Whereas Cameron insisted the scope be limited “to the time of the accident,” Cantrell understandably wanted a broader search to confirm that there had been no subsequent manipulation of the hard drive.  Cantrell sought an order to compel, which the trial court granted.  Cameron then filed for a writ of prohibition with the state’s Supreme Court.

In its ruling, the Colorado Supreme Court noted:

personal computers may contain a great deal of confidential data.  Computers today touch on all aspects of daily life . . . they are postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries, and more. Very often, computers contain intimate, confidential information about a person. When the right to confidentiality is invoked, discovery of personal computer information thus requires serious consideration of a person’s privacy interests.

195 P.3d at 661 (quotations and citations omitted). As a result of these findings, the court concluded that the trial court abused its discretion by issuing an unqualified order directing Cameron to produce his laptop for inspection without establishing parameters to balance the truth-seeking purpose of discovery against the privacy interests at stake.

In my opinion, Cantrell had a right to ascertain that the hard drive had not been tampered with, which required inspection of the entire drive. In most cases, I would argue that the entire hard drive is certainly needed, although only a very small fraction of the ESI on the drive will be relevant.

By way of example, I was very recently involved in a case where I obtained the entire hard drive for inspection.  All the data sought resided in file slack space, deleted files and printer spool files (documents drafted in MS Word and sent to the printer, but never saved, probably in an effort to leave no record).  Obviously, opposing counsel would not have been able to direct his client to extract that information (let alone produce it in a readily usable form).

The answer to this dilemma, which would not have conflicted with the Colorado Supreme Court’s ruling, is: (a) to craft a narrowly tailored discovery request that is limited to what is relevant to the case but specific enough to overcome efforts to conceal data; (b) to retain a third-party vendor (or ask the court to appoint a special master); and (c) to provide the forensic analyst with as much specific guidance as possible for discovering potentially responsive data.  When questions arise as to whether discovered data is relevant or privileged, they may be resolved by an in camera review or, where one has been appointed, the special master will make that call.