Computer Forensics and Legal Technology Blog

Between law school and the CISSP, CSOXP and CHFI exams, I guess I must not be doing a good job keeping up with current events.  If I had, I would’ve known about this November decision from the the U.S. Court for the Middle District of Pennsylvania, where a judge is characterized in an article by Dan Goodin as saying, “a hard drive is comprised of many platters, or magnetic data storage units, mounted together,” and, therefore each platter constitutes its own separate container and the lawful acquisition of one didn’t breach the others.” What?!

Indeed, that genius bit of reasoning was the basis of a suppression order, finding that a landlord’s eviction of a tenant and subsequent discovery of child pornography would have given way to a valid gov’t seizure under the private search doctrine if prosecutors had limited their activities to the same file search employed by the landlord rather than a file-signature inventory.

I’m all for the Exclusionary Rule –which is on the brink of abolishment– as a deterrent for police misconduct, but the problem with this reasoning is that the separate internal platters of a hard-drive are certainly not separate containers.  Individual files are stored in sectors and often span across several platters.  A Windows file search would access the same sectors that an EnCase hashing routine (discussed in the opinion) would access.  The judge’s reasoning would have been valid if there was more than one hard-drive in the computer and the landlord’s search was confined to one, but the Government had accessed the others [without a warrant].

Whereas Goodin didn’t pick up on this, I was relieved to discover that another blogger, Rich Cannata did. In his December 11, 2008 post, Rich wrote:

Wow.  While the Judge deserves some recognition for an attempt at technical savvy, this analogy falls quite short.  Under the guise of this analogy, the geometry of the hard drives platter’s determined what is searchable and what is not.  If the target is a 500GB Seagate drive with four platters and eight read/write heads, is less data is to be considered within the scope of the search than if the exact same information were stored on a 500GB Samsung drive with one platter and two read write heads? If the data is stored on a RAID array, how do you determine which platters in which drives are within the scope of the search?  The judge also skips over the fact that even in the Runyan case, there were two recording surfaces for each floppy disk.  Since the introduction of MS-DOS 1.1, the Microsoft operating system has used both sides of a diskette, these are distinctly two separate recording surfaces of a floppy disk, yet it appears to the computer user as a single “container”.  Using the single platter logic, in the Runyan case, they would have only been within bounds to search the side of the floppy disk that contained the file that the third party found/viewed.  In this context, it appears that a logical volume should be the boundary for a container, but, with the advances in drive density, considering this as a boundary is disconcerting.

Tomorrow afternoon, I am taking the CHFI exam.  While studying through the official 2,721 page exam courseware, I encountered a “case study” that was laughable.  Let me share it with you

TargetMac and OneMac are two magazines that cater to the growing Ipod users. The CEO of TargetMac is Bryan Smith and the CEO of OneMac is John Beetlesman.  Bryan  calls John one day and convinces him to purchase TargetMac.  The lawyers of both companies were called in to finalize the deal.  The lawyers draft the sale contract, which restricts removal of sensitive and confidential information and non solicitation of TargetMac customers and working staff. A non compete clause was also added in the agreement.

It has been two years and John Beetlesman is suspicious about Bryan’s activities.  John suspects Bryan has breached the contract.  John knows that you are a CHFI professional and provide computer forensics services to his clients.  John’s company lawyer, Smith Franklyn, contacts you to investigate and provide evidence to support the breach of contract so that John can file a lawsuit against Bryan at local civil court in San Francisco, California.

How do you investigate this incident?

Answer:

1. You want to examine hard disk and laptop computers of Bryan’s home and office for evidence.
2. You ask the lawyer Smith Franklyn to obtain a search and seizure warrant at Bryan’s home located at 37 Albert Avenue, San Jose and his office located at 46, Mathew Street, Santa Monica.
3. Smith Franklyn works with the local District Attorney to obtain the required search warrant.
4. Smith Franklyn and you visit Bryan’s home and seize his computer which is a HP Pavilion Model 1172.
5. You later visit Bryan’s office and seize his laptop, floppy disks and CD-ROMS.
6. You place the devices carefully in anti-static bags and transport it to the forensics laboratory.
7. Create a bit-stream image of the hard disk using tools such as R-Drive and Linux dd commands.
8. Generate MD5 or SHA-l hashes of the bit stream images.
9. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit stream image copy.
10. You are ready for investigation.
11. You are asked to retrieve: a. Any document in the computer which shows proof for breach of contract.
12. You load the bit stream image in AccessData Forensic Tool Kit (FI’K) and browse every single file in the file system.
13. You also read every single email displayed in FTK.
14. After many days/nights of investigation you retrieve the following crucial evidence:

15. You run a password cracking utility to crack the encrypted file “Business Plan AppleMac Magazine.doc” and the password was “planapple”.
16. These above documents clearly indicate that his new business would compete with TargetOnes’s business.
17. You copy these files to a CD-ROM.
18. You use FTK report facility feature and produce a professional report.
19. You deliver the report to the company along with the fee for the forensics service you rendered.

Based on your submitted report the lawyer, Smith Franklyn initiates a $20 million lawsuit against Bryan. After two weeks the court of law holds Smith Franklyn Bryan guilty and asks to pay the amount.

In my judgment, this portion of the courseware was not written with the aid of an attorney.  First, in a civil matter –contract breach– one doesn’t obtain a “search and seizure warrant” with the aid of the district attorney.  A plaintiff first files suit, then issues a narrowly tailored request for production (or subpoena, if it is third-party property) and then awaits opposing counsel’s Motion to Quash and for Protective Order.

Second, assuming the Court finds that the suit is not a fishing expedition (which this fact situation appears to be), an adverse would never be entitled to “visit Bryan’s home and seize his computer . . . and later visit Bryan’s office and seize his laptop, floppy disks and CD-ROMS.”  Instead, one would expect to retain a third-party vendor to search for potentially-responsive ESI or the court would appoint a special master for that same purpose.

This calls to mind a recent decision by the Colorado Supreme Court in November in the case of Cantrell v. Cameron, 195 P.3d 659 (Colo. 2008) (en banc).  The case arose from a traffic accident in which the allegedly negligent party (Cameron) was accused of using his laptop computer while driving.  Cantrell asked to inspect Cameron’s laptop for evidence that it was in use at the time of the accident.  Cameron agreed to a limited inspection, but wouldn’t produce the laptop without a written agreement limiting the scope of the inspection.  Whereas Cameron insisted the scope be limited “to the time of the accident,” Cantrell understandably wanted a broader search to confirm that there had been no subsequent manipulation of the hard drive.  Cantrell sought an order to compel, which the trial court granted.  Cameron then filed for a writ of prohibition with the state’s Supreme Court.

In its ruling, the Colorado Supreme Court noted:

personal computers may contain a great deal of confidential data.  Computers today touch on all aspects of daily life . . . they are postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries, and more. Very often, computers contain intimate, confidential information about a person. When the right to confidentiality is invoked, discovery of personal computer information thus requires serious consideration of a person’s privacy interests.

195 P.3d at 661. (quotations and citations omitted).As a result of these findings, the court concluded that the trial court abused its discretion in issuing an unqualified order directing Cameron to produce his laptop for inspection and without establishing parameters to balance the truth-seeking purpose of discovery with the privacy interests at stake.

In my opinion, Cantrell had a right to ascertain that the hard-drive had not been tampered with, which required inspection of the entire drive. In most cases, I would argue that the entire hard drive is certainly needed, although a very small fraction of ESI on the drive will be relevant.

By way of example, I was very recently involved in a case where I obtained the entire hard-drive for inspection.  All the data sought resided in slack-file space, deleted files and printer spool files (documents drafted in MS-Word and sent to the printer, but never saved, probably in an effort to leave no record).  Obviously, opposing counsel would not have been able to direct his client to extract that information (let alone produce it in a readily usable form).

The answer to this dilemma, which would not have conflicted with the Colorado Supreme Court’s ruling, is: (a) to craft a narrowly-tailored discover request that is limited in relevance to the case but specific enough to overcome efforts to conceal data; and (b) to retain an third-party vendor (or ask the court to appoint a special master); and (c) to provide the forensic analyst with as much specific guidance as possible to discover potentially responsive data.  When questions arise as to whether data discovered is relevant or privileged, they may be resolved by an in camera review or the special master, if applicable, will make that call.

•Require that plaintiffs notify anonymous parties that their identities are sought.•Give the posters time to reply with reasons why they should remain nameless.

•Require plaintiffs to identify the defamatory statements and who made them.

•Determine whether the complaint has set forth a prima facie defamation, where the words are obviously libelous, or a per quod action, meaning it requires outside evidence.

•Weigh the poster’s right to free speech against the strength of the case and the necessity of identity disclosure.