Computer Forensics Docket Sheet

Alleging that a former employee misappropriated confidential company information, the plaintiff hired a computer forensics expert to analyze the employee's hard drive. The plaintiff's expert concluded that: “[T[here was an attempt to overwrite data through a selective restoration from previous backup session or a reinstallation of Microsoft Windows 2000.” In defending the action, the employee hired a Kroll Ontrack computer forensics expert to examine the plaintiff expert's report. The Kroll Ontrack expert discovered a Dell computer support Web site listing the laptop as having been shipped to the plaintiff after the date the plaintiff's expert concluded that the restoration activity might have taken place. The Kroll Ontrack expert also concluded that any deletions or overwrites resulted from normal processes, not efforts by a user to delete information. Finally, the Kroll Ontrack expert noted that the laptop had been imaged by the plaintiff's expert after at least two sessions of non-forensic access while the plaintiff's lawyers had control of the laptop. A magistrate judge proposed that the plaintiff and its counsel pay Kroll Ontrack's costs as a sanction for failing to make reasonable inquiries into the reliability of their own expert's report. Although the court found no error with the magistrate's factual findings, it declined to award costs and concluded that attorneys should not be sanctioned for deficiencies or errors in an expert's report. MMI Prods., Inc. v. Long, 2005 WL 757073 (D.Md. Apr. 1, 2005), rev'd, 231 F.R.D. 215 (D.Md. 2005).

In a lawsuit involving various business-tort claims, the defendants appealed a default judgment and argued that the trial court abused its discretion. During discovery, the plaintiffs' computer forensics expert discovered that four of the defendants' hard drives had been “wiped” after the date the court ordered their production. The expert further concluded that data had been copied from the hard drives before the wiping and that selected data was reinstalled after the wiping. On one of the computers, the defendants appeared to have aborted the data-wiping program minutes before they were required to turn it over to the plaintiffs' expert. Based on the defendants' intentional data destruction, the court entered a terminating sanction and awarded a default judgment of $24 million in punitive and compensatory damages in favor of the plaintiffs. On appeal, the court upheld the terminating sanctions in light of the “defendants' brazen violation of a discovery order in the face of an express warning.” The court stated that the “Plaintiffs recovered e-mails from the computer only because defendants had not run the program properly … defendants' actions have made it virtually impossible to determine what items defendants destroyed.” The court remanded the case, finding the damage award inconsistent with the amount sought in the complaint. Electronic Funds Solutions v. Murphy, 36 Cal.Rptr.3d 663 (Cal. Ct. App. 2005).

The defendant appealed an extortion conviction related to an attempt to extort $2.5 million from a company by sending e-mails threatening to exploit a breach in the company's computer security. Arguing insufficiency of the evidence, the defendant contended that the government had not established who actually sent the e-mails. During the government's investigation, a computer forensics expert had examined the defendant's hard drive and found three threatening e-mails and other incriminating evidence. The expert testified that the e-mails and documents were created by someone typing on the computer. The expert also stated that someone had logged onto the Internet from the computer using the screen name and password used to send the e-mails. The expert also found no evidence of remote access or hacking into the computer. Based on this evidence, as well as the defendant's admission that he logged onto his computer and the Internet several times a day, the appellate court upheld the conviction. United States v. Ray, 428 F.3d 1172 (8th Cir. 2005).

No Sanction for Computer
Forensic Expert's Erroneous Report