AAR Investigation Of Electronic Evidence


AAR presentation - 2007

Published in: Technology

  1. 1. Investigation of Electronically Stored Information John J. Jablonski www.goldbergsegalla.com
  2. 2. ESI is EVERYWHERE!
     • Laptop hard drives
     • Desktop hard drives
     • Floppy discs
     • CDs/DVDs
     • PDAs
     • Backup tapes
     • Pagers
     • Cell phones and smart phones
     • Network servers
  3. 5. Data On Computer Hard Drives
     • Data on a computer hard drive looks the same whether part of an active file or “deleted” file – it’s all just ones and zeros.
     • Deleted files are no longer accessible by Windows, but the data for the file will remain on the computer hard drive until overwritten by new data.
     (Figure labels: Active, Deleted)
  4. 6.
     • Data is NOT deleted when you hit the delete key
     • Data is NOT deleted when you empty the recycle bin
     • Data is ONLY deleted when the “area” on the media that contained that file/data is overwritten or purposely “wiped”
     Recoverable (If Not Overwritten!)
  5. 7. Real Life Ghost Busters!
  6. 8. Recoverable (If Not Overwritten!)
     • Forensics uses specialized software to recover deleted data
     • Internet history and “cache” files
     • ICQ “conversations”
     • Temporary and backup versions of documents
     • E-mail
     • Instant messages
     • Images
     • Installed applications and data
     • Computer activity timeline
     • Files where extensions are intentionally modified
     • PDA data
     • Digital media cards
  7. 10. Check List - IT Interview / Custodian Interview (Some Sample Questions)
     • Where do you normally store your electronic work documents? (My Documents folder, network, floppy disk, thumb drive, other devices).
     • Do you store files on home or internet storage site? Where are those files located? Provide IP address, link, path.
     • Do you have any electronic documents that you believe are relevant to this matter? (Word, Excel, PowerPoint, Digital Images, Scanned Images). Where are those files stored?
     • Are your e-mails subject to any retention/deletion period? If so, how do you preserve e-mails that must be maintained for longer than the retention period?
     • Do you use any “work around” or trick to preserve e-mail or data?
     • Do you send work e-mail to your home or internet based e-mail accounts?
     • Do you have any e-mails that you believe are relevant to this matter? Where are those stored? Separate folders within Outlook? Printed?
     • What do you do with e-mail attachments that you want to keep? Any relevant attachments?
  8. 11. Vehicle Data Recorder (aka “black box”)
  9. 12. Truck Computers / Electronic Control Modules
     • Trip recorders: These low-end devices serve as a truck's black box, and allow dispatchers to monitor how drivers operate trucks, providing information such as when trucks were turned on and off, and whether drivers were speeding.
     • Electronic vehicle management systems: These high-end devices contain all the capabilities of trip recorders, but also provide dispatchers real-time information about a truck's location via satellite tracking.
  10. 13. Digital Switch Inspection Easy setup memory module with basic device. The measuring device can communicate with a PDA or a PC.
  11. 14. Railroad Electronic Devices Carborne: Digitrac Train Location System EOT That Transmits to the Locomotive Cab Wabtec TRAIN TRAX® Event Recorder
  12. 15. Electronically Controlled Pneumatic (ECP) braking systems ECP uses microprocessor and networking technologies to apply the brakes to each car in the train simultaneously.
  13. 16. Locomotive and Rail Car Tracking Devices
  14. 17. Locomotive Computers
     • The computer – with the aid of an onboard geographic database and global positioning system – continuously calculates warning and braking curves based on all relevant train and track information, including speed, location, movement authority, speed restrictions, work zones and consist restrictions. The onboard computer also queries wayside devices for broken rails, proper switch alignment and signal aspects. All of this information is combined and analyzed in real time to provide a “safety net” for improved train operation.
  15. 18. Digital Video Monitoring Systems (Crossings/Switches/Yards)
  16. 20. Track Control Systems
  17. 21. Track Control Systems
  18. 22. The Future: Positive Train Control
  19. 23. Hump Yard Control Systems
  20. 24. Train Scheduling Systems
  21. 25. Duty To Preserve
     • When a company reasonably anticipates litigation, it has a common law duty to preserve relevant information. Zubulake v. UBS Warburg LLC, 229 F.R.D. 422, 433-35 (S.D.N.Y., July 20, 2004).
     • The obligation to avoid spoliation of evidence applies to electronically stored information and electronic records as well. Id.
     • A company’s duty to preserve relevant documents arises when the company knows, or should know, through notice that the documents will become material to litigation or an investigation at some point in the future.
     • Under the Supreme Court’s formulation in Arthur Andersen LLP v. U.S., 125 S.Ct 2129, 2131 (2005) “[c]ircumstances constituting such notice may include, but are not limited to:
         • an inquiry from the government,
         • service of a complaint or petition commencing litigation, or
         • a third-party request for documents.”
     • Courts consider the “totality of the circumstances” when determining if a reasonable person or company would have anticipated the litigation based on the information available. Dillon v. Nissan Mot. Co., 986 F.2d 263, 267 (8th Cir. 1993).
  22. 26.
     • There are dire consequences for failing to reasonably discharge your duty:
         • Monetary sanctions
         • Issue preclusion
         • Adverse inference charge
         • Costs:
             • Motion costs
             • Forensic analysis
             • Retrieval and review
             • Re-depose witnesses
             • Depose additional witnesses
         • Intangible costs
         • Lawyer Malpractice?
  23. 27. Spoliation / Preservation Letter
  24. 28. Stevenson v. Union Pac. R.R., 354 F.3d 739 (8th Cir. 2004)
     The court held that:
     • Union Pacific destroyed evidence in bad faith before the lawsuit was filed.
     • Union Pacific knew that fatal accidents were likely to lead to lawsuits and that audio tapes were the only source of certain “highly” relevant information. Further, Union Pacific preserved voice tapes in other cases.
     • It was bad faith for Union Pacific to destroy audio tapes after learning that this type of accident had occurred, even though no lawsuit had been filed.
     • Bad faith can be implied by a party’s behavior.
     Key: In Stevenson, the court inferred bad faith by Union Pacific’s prompt decision to selectively preserve some evidence while advantageously failing to retain other evidence. The court explained that this fact created a “sufficiently strong inference of an intent to destroy [the tape] for the purpose of suppressing evidence of the facts surrounding the operation of the train at the time of the accident.”
  25. 29. Holding Plaintiff To The Same Standard
     • During investigation of a personal injury incident ask plaintiff about electronic devices:
         • Use of home computer for work (visit company website, download safety materials or rule books, e-mail to supervision or co-workers),
         • Use of cell phones, smart phones or PDAs (generally while at work or during the incident),
         • Internet storage of work related data or files,
         • Did claimant complete any online incident reports,
         • Did claimant e-mail anyone about the incident, and
         • What electronically stored information does the claimant use each day?
  26. 30. Holding Plaintiff To The Same Standard
     • During discovery of a personal injury incident ask plaintiff about electronic devices:
         • Use of home computers to look for work,
         • Exchange of e-mail with plaintiff’s union,
         • Exchange of e-mail with the railroad (human resources, medical, vocational rehabilitation, supervisors or other employees),
         • Use of cell phones, smart phones or PDAs, and
         • Internet storage of work related data or files.
  27. 31. Holding Plaintiff To The Same Standard
     • Work to establish relevancy of home computer, internet accounts or other electronic devices.
     • Once relevant, push for forensic analysis of plaintiff’s home computer or electronic devices.
     • Cry foul should forensic analysis turn up any evidence of evidence tampering (such as use of evidence wiping programs, excessive defragging of the hard drive, reformatting of the hard drive, replacement of the hard drive, loss or destruction of the hard drive or computer, and specific files being deleted).
     • Plaintiff has the same duty to preserve evidence post incident.
     • Move for dismissal/sanctions.
     • Must be prepared to look in the mirror (aka, people who live in glass houses should not throw stones).
  28. 33. Holding Plaintiff To The Same Standard
     • Teague v. Target Corp., 2007 WL 1041191 (W.D.N.C. Apr. 4, 2007) (granted adverse inference instruction against plaintiff in this employment discrimination case for discarding her personal computer one year after litigation commenced – despite testimony that she used her computer to conduct post termination job search in mitigation of her damages.)
     • Covucci v. Keane Consulting Group, 2006 WL 20004215 (Sup. Ct. Ma. May 31, 2006) (dismissed plaintiff’s age discrimination complaint for use of electronic evidence “wiping” programs called “BC Wipe” and “Incinerator” on unallocated drive space and to target specific programs – among other conduct.)
     • Foust v. McFarland, 698 N.W.2d 24 (Minn. 2005) (affirmed trial court’s adverse inference charge against plaintiffs in auto accident personal injury action for use of “WipeInfo” program to permanently delete data from plaintiffs’ computer hard drive.)
     • Anderson v. Crossroads Capital Partners, 2004 WL 256512 (D. Minn. Feb. 10, 2004) (granted adverse inference charge in this sexual harassment case, where two days after motion to compel production of plaintiff’s computer she used “Cyberscrub” program to permanently delete data from her hard drive.)
     • Leon v. IDX Systems, 464 F.3d 951 (9th Cir. 2006) (court affirmed dismissal of complaint and $65,000.00 sanction for plaintiff’s use of “wiping” program to delete over 2,200 files from company laptop following initiation of employment discrimination lawsuit.)
  29. 34. “ We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. Don’t let yourself be lulled into inaction.” — Bill Gates, The Road Ahead
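
Slides 5 to 8 above state that deleting a file leaves its data on the media until it is overwritten or wiped, and that files with modified extensions are still recoverable. The Python sketch below is an added illustration, not part of the presentation: `ToyVolume`, `carve` and the sample byte strings are constructed for the example and do not model a real filesystem or forensic tool.

```python
CLUSTER = 32  # bytes per cluster on the constructed toy volume

class ToyVolume:
    def __init__(self, clusters=16):
        self.raw = bytearray(CLUSTER * clusters)  # the media itself
        self.table = {}                           # name -> (first cluster, length)
        self.free = set(range(clusters))          # allocation map

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)           # clusters required (ceiling)
        start = next(c for c in sorted(self.free)
                     if all(c + i in self.free for i in range(need)))
        self.raw[start * CLUSTER:start * CLUSTER + len(data)] = data
        self.free -= set(range(start, start + need))
        self.table[name] = (start, len(data))

    def delete(self, name):
        """Delete key / emptied recycle bin: drop the entry, free the clusters."""
        start, length = self.table.pop(name)
        self.free |= set(range(start, start + -(-length // CLUSTER)))

    def wipe_free_space(self):
        """Wiping tool: overwrite every unallocated cluster with zeros."""
        for c in self.free:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

SIGNATURES = {"jpeg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}

def carve(raw):
    """Scan raw media for header/footer signatures, ignoring file table and names."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = raw.find(head)
        while pos != -1:
            end = raw.find(foot, pos + len(head))
            if end == -1:
                break
            found.append((kind, pos, bytes(raw[pos:end + len(foot)])))
            pos = raw.find(head, end + len(foot))
    return found

def demo():
    vol = ToyVolume()
    # Constructed JPEG-like content stored under a misleading extension.
    vol.write("notes.txt", b"\xff\xd8\xff\xe0" + b"constructed image bytes" + b"\xff\xd9")
    vol.write("memo.pdf", b"%PDF-1.4 constructed memo %%EOF")
    vol.delete("notes.txt")                       # gone from the table, not the media
    after_delete = [kind for kind, _, _ in carve(vol.raw)]
    vol.wipe_free_space()                         # only now is the data destroyed
    after_wipe = [kind for kind, _, _ in carve(vol.raw)]
    return sorted(vol.table), after_delete, after_wipe
```

After `delete`, the file table lists only `memo.pdf`, yet carving the raw bytes still returns the image and identifies it as JPEG despite its `.txt` name; after `wipe_free_space`, only the still-allocated PDF remains.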