The computer case that got lost The stories are true, names and places have been changed to protect the guilty in power.
A few years ago, Debby Johnson, an advocate of a large company based in Kansas City, contacted me about a relatively simple matter. I had to travel to offices in Sacramento from my laboratory near San Francisco, a copy of a computer disk, and locate emails sent by the plaintiff to his brothers and sisters, he was nine. The case was a product liability lawsuit for an amount of several tens of millions of dollars. The plaintiff argued that his health had been damaged by a defective product a global company, although he was symptom free for the moment. What was the outcome? Let's say it was coffee.
From the cool Bay Area in summer, I traveled to downtown Sacramento, where she was balmy 106 degrees. I knew I was sweating, but inside I was cool. I was wondering if anyone else would be in hot water soon.
It is not uncommon for me to never meet my client, for computers can be shipped to me in my lab, but Debby was there in the office of counsel for the plaintiff. In a conference room with oak panels, we met with the lawyer of the "other side" and the complainant himself. He sat complacently with his shiny computer on the conference table, friendly enough in spite of his assertion that I would never find the e-mails offenses allegedly sent years before. My client believes that he had sent emails to his brothers and sisters who refute his thesis - which show him to make a cool case to get a few tens of millions.
I removed the hard drive of our system who can make a legal copy to work with and analyze. I was surprised that the drive was 100 GB in size. A disk of this capacity is relatively new and rare to see in this case shortly after he came on the market. I was ready for a much smaller disk, as I said I would see a 20% size. Fortunately, there was a big box store near the electronics, so I took off my suit jacket, elbow to the air conditioning on my minivan family lab (that beauty comes from having over 200,000 miles the day I write this), and headed over a few new weapons. Forty-five minutes and a bit of melted rubber later I arrived at the scene to clean up the judicial the new disk by writing zeros to each sector ..
Once authorized, to my great satisfaction, I set up the copy process. In those days, while I was gone on the record Diskology Jockey, the version I then do not seem to be able to handle what was such a high capacity drive yet. I probably used Byte Back on a forensic Intel box I had brought just in case. I started the copy process and it went smoothly. But while the copy was proceeding, I began to wonder - was it not a big enough player to have been around both of the alleged emails? And besides, was not this computer pretty fast for his age. And Windows XP has really come on the market before these emails were to have been written? I began to suspect that the game was rigged, and that I would never find messages deleted from the plaintiff on this computer.
I talked with Debby. I guessed that the plaintiff was right on the futile task - because I guess the e-mails have never been delinquent on this computer. I said I'd be willing to seek them, but I do not want to waste my client's cash. Debby asked me to consider the question of the age of the components when I got back to HQ. Some issues with the manufacturer and a couple of Google searches later, I was pretty well convinced that the boy had never written those emails on this computer. Windows XP was almost too new, the disc was a couple of weeks too modern, and the computer was a month or two younger than those emails.
Debby called opposing counsel - who had no idea why this is not the original systemuntil he checked with his man. It turns out that he had "put on the curb for garbage collection" because it "did not work." Lawyers are not happy. The court was not happy. The only solution is for me to go to the nine brothers and sisters in four states to copy their personal computers and sift through e-mails and delinquency.
Do you think they were happy to hear from me? Would you if you put your brother on the spot like that? Each of them had to accept that a perfect stranger - one who worked against their beloved brother - could come to their house and look through everything on their personal computers. The most telling example of their discontent was a brother, a former Viet Name era Green Beret, who - in response to my phone call asking what would be a good time to introduce himself - said: " I did not spend two years running up and down the God m Ho Chi Minh Trail for this s t! "I understand.
It turns out that opposing counsel had never had to tell around this group a type of computer evidence is to call them and they needed to cooperate. I found that when I said Debby resistance just that I had come to face. She sat up with a lawyer and the next round of phone calls I made to the siblings have been much more enjoyable.
The next day, traveling from state to state, town to town, brother to sister to brother and so on to copy the private data of nine innocent family members had its challenges. But it is a story itselfI'll to save you the most details. Upon my return, the protocol came to fetch me all the data for any correspondence from - let's call him "Brother" that referenced his struggles with us call coffee. I then print out the references I found, and send a copy to both the judge and opposing counsel for privilege and relevance review. Debby and her firm were not seeing the data until anything either private or irrelevant has been selected, and the remaining product.
What did I find? At the time of the alleged emails, behold, I found actual emails. The whole family spoke struggle Brother's Coffee, individual investigations into Coffee, and the upcoming trial on coffee. At one point, an e-mail said that this type Burgess would be looking at e-mail everyone and would not it make sense not to talk about coffee? They agreed. They now spoke only of "C-Word."
What I find when I performed my electronic discovery and digital forensics? Well, for the most part, I can not talk. There are some things on your computer you do not want to talk to me, I'm sure. There are things on my computer I would not want to talk about either! E-discovery often be a fairly private.
But there was a particularly interesting result. When I called the Green Beret Brother (GBB) from his sister's place across town, and asked permission to head on over to the copy of his computer, he obligingly told me it was ok . When I arrived, he first asked me to read and sign a statement that I would not hold him responsible for any damage to me or my equipment - intended or unintended. Well that's a little scary coming from a guy trained in the arts of stealth, war, and probably the withers. But the paper does not seem like a legal document I signed, if that's what I take to my work. It was quite nice, the music he had on the property, and the copy went without a hitch. And I left alive and undamaged - a plus, indeed!
Once in my lab, I discovered the last thing that had happened on his computer. Approximately one minute after my call for permission to go over, GBB had sent himself an e-mail and immediately deleted. The subject, all caps, was "coffee!" No. C-Word "nonsense for him. The message in the body was simple and concise: "If you see this message, F YOU !!!!!" It's nice when someone knows how it feels and is able to express it freely. It also removed a picture attached to e-mail deleted. Returning Similarly, it proved to be a very recent photo of a Middle finger extended - presumably GBB's finger. Visual aids are always helpful in understanding the topic, do not you think?
Ultimately, I produced about 75 pages of documentation I thought. Of course, I had to include GBB's missive. As the opposing counsel should just called irrelevant or privileged. Also as expected, the judge allowed all the documents I had produced - with a number of lines redacted - to be delivered to my client. Everyone preferred the low literacy produced by GBB.
As for the brother - the Court decided that not only was he not very honest, because of the destruction of important data in the case - his original computer - but the evidence and relevant e-mail him appeared to be in apparent good condition by the coffee. The case was defeated, Debby and her firm were happy, and GBB became a legend.
This is just one of many "CSI - Computer Forensics Files: Real Cases from Burgess Forensics". Stay tuned for more stories of deceit uncovered by computer forensics.
The Free Dictionary lists more than 160 definitions of CSI acronyms.thefreedictionary.com. We choose Computer Scene Investigation.
Steve Burgess is a freelance writer technology, a computer forensic practice as the main expert of Burgess Forensics, Expert Witness highly regarded and a contributor to the scientific evidence which has just appeared in civil and criminal, 5th Edition by Moenssens, et al. Mr. Burgess may be reached at http:www.burgessforensics.com - email: steveburgessforensics.com