Computer Forensic - Computer Forensic Case Studies – ACE Data Group

Computer Forensic Case Studies

ACE Data Group, Inc. Cited as Expert in Residential Funding Corp. v. DeGeorge

This litigation involved cross-claims for breach of contract, with the parties' dispute centered principally on events in the latter part of 1998. RFC was asked to retrieve and produce relevant emails from their backup tapes for the period covering October, 1998 through December, 1998. RFC's in-house legal counsel determined that RFC did not have the internal resources necessary to retrieve the emails from the backup tapes in the permitted time frame. So, RFC retained the services of Electronic Evidence Discovery, Inc., to assist RFC in the email retrieval project.

After several weeks using standard recovery techniques, RFC produced 126 emails dating from January, 1998 through early August, 1998, and 2 emails from September, 1998. There were no emails produced from October to December, 1998-the critical factual time period. RFC claimed that the lack of responsive emails from the relevant time period was either because there were no responsive emails from that date or because they did not exist on the accessible backup tapes.

DeGeorge then asked RFC for a copy of the backup tapes so they could have their own vendor attempt to retrieve the emails. That vendor was the ACE Data Group. Within four days of obtaining the tapes, ACE Data Group had located 950,000 emails on the November and December, 1998 tapes. They began forwarding printed emails to RFC's counsel for review and production. Because of time pressure, the parties agreed that RFC would produce all of the 4,000 emails that De-George had been able to print out, which they did so later in court.

Due to RFC’s significant delay in producing emails and the conspicuous lack of emails from the critical time period, DeGeorge moved for sanctions against RFC. The district court denied DeGeorge’s motion, concluding that it had not established that RFC had acted with bad faith or gross negligence. On appeal, the higher court vacated the order denying DeGeorge’s motion for sanctions. It remanded with instructions for a renewed hearing on the matter.

Despite the fact that none of the emails produced by ACE Data Group appeared to be relevant to the case, it strengthens the claim that off the shelf recovery and e-discovery tools are not the best way to retrieve data for litigation. Furthermore, even though RFC did not maliciously withhold or delay releasing emails, by not using advanced recovery techniques such as the ones employed by the ACE Data Group, they opened themselves up to sanctions by the court.

Computer Forensics Int. in Action

With help from ACE Data Group, Inkjet International, a high quality large format imaging firm, recently won its case against a former Inkjet general manager and an investment banker. Prior to leaving Inkjet to form his own digital imaging company with his co-defendant, the defendant emailed Inkjet's customer database to his home computer in an attempt to steal intellectual property from Inkjet. They firmly denied the allegations put forth by Inkjet believing that no one would find out since they had deleted the email and the attachment containing the customer database from their home computer. Larry Thomasson COO of ACE Data Group explained, "Our forensic specialists were able to recover the email and the database for Inkjet and subsequently testified to the findings of our forensic analysis." The defendants lost their credibility and the case.

After a three-week trial, a Dallas jury rendered a $1.87 million verdict in favor of Inkjet International. The jury of seven women and five men heard the evidence in two phases. In the first phase, among other things, the jury found that Inkjet's former general manager breached his fiduciary duties, misappropriated trade secrets, and engaged in fraud. In the second phase, the jury found that the defendants acted with malice.

Mr. Thomasson explained that many lawyers, judges and even would-be criminals incorrectly assume that deleted or corrupted files are irretrievable. However, with the forensic technology we have available to us no computer crime can go unsolved.

Found Innocent

In the preliminary stages of an employment dispute case, ACE Data Group was brought in by a large computer services corporation to perform a forensic recovery on an employee's desktop computer. Our client suspected the employee, who was also a foreign national, of hacking into other classified computer systems due to information generated by the client's external auditing software program. After performing forensic analysis, ACE Data Group could find no evidence of hacking on the employee's computer. Thus the employee was exonerated of any wrong-doing and other costly proceedings were averted.

Couldn't cover his tracks

After finding pornography downloaded on its network server and a number of individual office computers, our client began to build a case for employee dismissal. ACE Data Group was hired to locate any deleted files and verify certain illicit and non-work related contents of the hard drives in question. Forensic technicians were able to locate spy software, illegal file-sharing software, pornography, and information pertaining to a personal side business. Both the CEO and the network administrator were dismissed as a result of the investigation.

Blind Software Scam

After being sued for negligence, our client was about to settle a multi-million dollar suit and re-write their entire software package because the plaintiff was charging: installation of the software in question had permanently damaged/erased existing files, the irreplaceable data not recoverable by any means, and could not access files in a specific software application critical to running his business.

ACE Data Group was able to restructure and reformat all the files needed for the claimant's specific software application and reprogram data. Using electronic data discovery, forensic and analysis applications ACE Data Group discovered that the software installation had not caused the data loss and determined the plaintiff had manually erased the alleged lost data! When shown the evidence the plaintiff dropped the suit and was promptly counter sued.

TRADE SECRET THEFT LITIGATION

In a large trade secret matter, ACE Data Group captured data from 310 workstations, 100 laptops and 15 servers in 45 days – all during non-business hours. We also retrieved, copied and searched more than one million paper pages from 270 offices located in two states. After reducing and organizing the data, ACE Data Group loaded the information into an Internet deployed document management system for review by counsel. At the peak of the case, 60 attorneys in five states were simultaneously searching the repository, which contained eight million documents. We did all this work off-site, during nonworking hours, to avoid disrupting the regular business activities of the company.

Merge & Acquisition

In one merger, ACE Data Group reduced a mass of electronic data for the attorneys’ review. We cut the e-mail collection from an estimated four million pages to approximately two million pages, and we reduced the number of document files by more than half. ACE Data Group also provided and configured over 30 workstations on the client’s premises to facilitate online review through an ASP.

Merge & Acquisition

In another merger, ACE Data Group received a variety of tape media containing data from more than 100 users, located on various servers in multiple locations. We restored the tapes and reduced the data from an estimated eight million pages to three and one-half million. To assist counsel in identifying the source of the documents, we provided all directory structure and metadata for the files. Our experts then assisted our client in designing a system to review the data over their own network. All of the work was completed in fewer than 30 days.

SECOND REQUEST

For an Federal Trade Commission Second Request, we obtained data on DLT tapes, CDs, and hard drives. We applied our reduction processes, converted the data to Portable Document Format (PDF) and transmitted the information to a high-speed print shop. We produced more than 425,000 pages for the attorneys’ review in fewer than 14 days.

DOJ INVESTIGATION

The Department of Justice (DOJ) issued Grand Jury subpoenas seeking data stored on 4,000 backup tapes. ACE Data Group created a protocol designed to satisfy the government without restoring or searching any of the tapes. We started by surprising 25 top sales executives at a conference and imaging their laptops. We captured all of the contents, including the residual data. Within a 24-hour period, we also collected all of the e-mail sent to or from these 25 individuals from the company’s various servers. In performing these tasks, we identified the relevant servers and data; we captured the HDs and the PSTs, and we brought all of it back to our lab for processing. Our experts then tested our protocol using data gathered from the top five employees. As a result of test, our client successfully negotiated a massive reduction in the scope of the subpoena request and avoided having to provide data from the 4,000 backup tapes originally requested.

SEC INVESTIGATION

A United States corporation suspected that key executives in its Asia office were deleting e-mails relevant to an ongoing Securities and Exchange Commission (SEC) investigation. Just four hours after ACE Data Group was engaged, our experts were on airplanes to the client site in Beijing. To avoid an international incident, we left our specialized equipment in Hong Kong and tackled the job with cables and disk-based software. Eighteen hours later, we shipped forensic images of 26 laptops to the United States. Investigation of those images led to the recovery of critical e-mail demanded by the SEC that would otherwise have been lost forever.

FRAUD

A vendor claimed to have a binding contract with our client, a national retail company, based on an e-mail from our client. When the alleged e-mail contract became the focus of a bitter litigation between the parties, ACE Data Group was engaged to consult with outside counsel and provide evidence that the e-mail had been altered or fabricated. After obtaining an order to inspect the opponent’s relevant computer media, including two laptop computers, ACE Data Group provided evidence to the court showing that the opponent’s Chief Executive Officer had altered the document repeatedly and that he had testified falsely to cover-up his misdeeds. The court referred the Chief Executive Officer for prosecution by the local District Attorney’s office. Faced with the evidence, the Chief Executive Officer entered a guilty plea and was sentenced to a fine and five months in prison.

IP THEFT

After a group of consultants left a sports agency with a variety of proprietary documents, ACE Data Group found evidence that formed the basis of a successful preliminary injunction action and a RICO case against the renegades. A document, titled Game Plan, contained step-by-step directions to betray the company, steal its clients and trade secrets, and to blackmail the principals if the perpetrators were caught. The targets did not use their office computers to create the documents. However, Game Plan had been printed on an office computer and our experts were able to locate it in the swap file. The ringleader and several other participants in the conspiracy were later forced into bankruptcy.

CORPORATE ESPIONAGE

In a well-publicized case involving corporate espionage, ACE Data Group experts proved that the litigation opponent, a Venezuelan company, hacked into our client’s servers, stole confidential client information and then attempted to delete the evidence. ACE Data Group used a proprietary protocol to recover 92 double deleted e-mails with 38 attached encrypted spreadsheets. We then cracked the encryption and proved that these files contained our client's valuable and proprietary information. The opponent defended its possession, claiming that our client provided it on floppy disks in February 2002. However, ACE Data Group proved that the disks produced as originals from February 2002 were not manufactured until four months later. Our evidence was the basis of the court’s finding for our client on the merits and in its contempt ruling against our opponent.