When Electronically Stored Information Reveals You’re a Horrible Human Being or a Halfwit
When my son was eight- and nine-years-old, our Friday nights were spent eating pizza and watching WWE SmackDown. By the grace of God, it was a relatively short-lived period for him and not a life’s calling.
Yet, for all the exaggerated theatrics and “Hero v. Villain” grudge matches, professional wrestling pales in comparison to the astounding performances that play out in some court cases – the one’s where you ask, “What were they thinking?!”
The following three examples are cases where electronically stored information (ESI) was used as evidence. These are simplified recounts and I’ve focused on the details of each case that describe the baffling conduct of the party that fell victim to the “ESI SmackDown.”
Now entering the ring…
Breach of Contract case: ComLab Corp. v. Kal Tire
In this case, ComLab claimed to have entered into an intranet service contract with Kal Tire.
As evidence, ComLab produced 20 printed invoices. However, Kal Tire denied ever entering into an agreement with ComLab or receiving any services from them. Kal Tire did acknowledge receipt of four invoices from ComLab, leaving 16 “Contested Invoices.”
Doubting the authenticity of the Contested Invoices, Kal Tire requested to receive the invoices in their digital native format. In response, ComLab produced 13 paper hard copies of the emails it used to send the invoices (essentially printouts, not the digital originals).
Why hard copies? Well, the original emails were destroyed when the computer they were stored on was wiped after allegedly becoming infected with a virus. Luckily, ComLab’s president had the good judgement to save the emails as PDFs before they were gone for good.
Kal Tire’s expert witness testified that the metadata from several of the invoices attached to the e-mails contained “Last modified” dates and times that followed their “Date last saved,” suggesting something shady was going on.
The Court determined ComLab “fabricated and spoliated evidence” and “that these acts were egregious, intentiona, and outrageous.” Ouch!
ComLab’s case was dismissed with prejudice and the company was ordered to pay all of Kal Tire’s fees and costs, which came to $313,138.67.
Breach of Contract, Trade Secret Misappropriation and Unfair Competition: OmniGen Research v. Wang
In February 2016, OmniGen sued its former employee Dr. Yongqiang Wang, as well as his wife Ms. Yan Zheng and their company, Bioshen. OmniGen alleged that while still in its employ, Wang stole trade secrets and used them to secretly create two rival businesses.
Earlier in July 2015, OmniGen sent a cease-and-desist letter to Wang claiming breach of contract and misappropriation of trade secrets. OmniGen also demanded that Wang make available to them all electronically stored information contained on his devices and the Court agreed.
Instead, he travelled to China without producing his laptop, as required, to present at a scientific conference sponsored by Bioshen, Mirigen (Wang’s other company) and others.
At the conference, Wang presented from an existing (and copyrighted) OmniGen slide deck on feed additive research, though he altered the slides to replace OmniGen’s logo with Mirigen’s. It would have been a clever deception, except Wang got sloppy and gave an electronic version of the slides to the conference organizers and attendees, which revealed OmniGen’s confidential notes that were not visible in the projected slides.
While Wang was in China, another hearing was held and the Court ordered him to make a copy of the contents of his computer and mail it to his counsel. He was also ordered to make available any computer and portable storage data within seven days.
When OmniGen finally received Wang’s laptop data and had it inspected, the expert discovered more than 4,000 files had been deleted. Likewise, emails were deleted on the iPad used by Wang’s wife.
Zheng’s iPad was carelessly left in airplane mode when delivered to OmniGen, with her downloaded Yahoo emails still visible. Attachments in download emails can only be opened with an internet connection, which then removes the emails. In one email from Zheng to Wang, the attachment was inconspicuously named “feed additive.docx.”
In his defense, Wang claimed that the deleted files were not relevant to the case. What’s more, he shamelessly asserted he was tricked by OmniGen into signing a much more restrictive employee agreement than what he initially reviewed. Wang’s proof was a version of the original agreement he saved to a thumb drive before deleting this significant document from his laptop.
You already know what comes next. The metadata for the “old” agreement on the thumb drive reveals it was modified after litigation started. What’s more, the alleged original agreement on the thumb drive was generated in the newer .docx Word format, where the agreement Wang signed in July 2009 was in the older .doc format.
The judge granted OmniGen’s Motion for Terminating Spoliation Sanctions and a default judgement was entered in favor of OmniGen. OmniGen was awarded $3.85 million.
And, last up…
Title VII Gender Discrimination and State Law Claims: Lee v. Trees, Inc.
In this last case, Lee sued her employer, Trees, as well as her supervisor and former suitor, Sims, after she was terminated from her job as a flagger.
Lee claimed she wanted to end her romance with Sims in June 2013, but was forced to continue in the relationship, on threats of losing her job (as a flagger, mind you). After four months of this alleged harassment, Lee ended the relationship for good and was terminated ten days later.
Lee filed two administrative complaints with the Bureau of Labor and Industries (BOLI) and the U.S. Equal Employment Opportunity Commission in December 2013 and March 2014 alleging sexual harassment by Sims and several other co-workers, a hostile work environment, and retaliation. She also claimed to have text messages to and from Sims as evidence that she “asked [Sims] to stop the relationship” and was fired for doing so.
Lee sent printouts of her text messages to her attorney, who forwarded them to BOLI, who issued Notices of Substantial Evidence Determinations and right to sue letters.
When Trees requested the text messages in their digital native format, Lee gave them the same printouts that were forwarded to BOLI. On a second request, Lee produced only one cell phone of the “three or four” or “maybe five” she had while employed by Trees. (Seriously, FIVE?! Who does that?).
When Trees’ forensic examiner inspected Lee’s phone, he found that many of texts from the printouts were fabricated, but at least 44 of the messages on the printouts really did exist. Trouble is, they were in the phone’s “unsent” folder and were time-stamped a year after the alleged harassing.
While Lee denied fabricating the texts, the judge was unconvinced, stating, “Lee carefully and intentionally manipulated and interspersed Sims’s actual text messages with strategically crafted false text messages to lend support for her claims. She also failed to preserve her phones and withheld the native, electronic versions of the text messages, in all likelihood to conceal her wrongdoing.”
Trees’ motion for terminating sanctions was granted and Lee’s claims were dismissed with prejudice.
Electronically stored information can serve to exonerate or demonstrate guilt. These were just three of many cases where the introduction of ESI as evidence exposed wrongdoing. But, ESI can also uncover character.
Circling back to the subtitle of this post, what do you think motivated the bad behavior in these cases? Are the ESI SmackDown victims morally bankrupt or just lacking common sense? Perhaps its some combination of both, with some arrogance and delusion thrown in mix.
By: Dave Proulx, Director Digital Forensics & Training, Traversed LLC
Technology today has made it unbelievably easy to create what appear to be real text messages between two parties through the use of fake text messaging applications and spoofing services. And if you are relying on printed screenshots to “authenticate” those text conversations, you are doing a disservice to your client and your case because those screenshots can be faked just as easily. You don’t have to be a computer whiz to find these applications, they are available to anyone capable of conducting a basic internet search or cruising smart phone marketplaces.
In my experience I’ve seen three common ways a person can produce fake text messages and conversations ranging from the most basic approaches and progressing to more advanced methods. The first and easiest to detect is when the actual text message conversation is photoshopped from a screen capture. This is a rudimentary way to fake messages and is not difficult to detect.
With advances in technology and the plethora of applications available to consumers, in recent years I’ve seen cases where a fake text screenshot application is used. While these applications were initially created and marketed for novelty purposes, there are dozens of applications out there today that allow a user to create fake screen captures of fake messages. They even take it one step further and come equipped with advanced formatting options to ensure the messages match the formatting of popular applications such as Facebook Messenger, Instagram, and What’s App. The applications I’ve come across allow customization of the provider tags for ATT, Verizon, T-Mobile, battery and signal strength bars, and contact names to match real messages as they display on the phone.
The last and most advanced method uses text message spoofing services. These have been gaining in popularity and through the course of my work I’ve encountered spoofing applications which are highly complex and may even fool an unseasoned forensic examiner. One of the more sophisticated applications I’ve come across and use as an example during classes I teach, actually ingests fake messages in line with real messages. These messages are ingested into the phone’s message database by temporarily using a spoofing service. The user enters the recipient phone number and the message they wish to send, and it will appear to have come from whatever number or contact they choose.
During my time as a digital forensic investigator I’ve seen all three methods used to fake text messages and while authenticating the text message communication is the ultimate goal, there are additional steps a forensic examiner will take first to ensure the data is preserved in a forensically sound manner and will help to further validate any findings. A digital image or copy of the phone will be made and all forensics will be conducted on the image; preserving the information and ensuring none of the data on the phone is disturbed or changed. A forensic examiner will be able to verify text messages sent and/or received and substantiate these findings through multiple datasets found within the phone. If and when one of these fake messages are discovered, it may provide the forensic examiner the additional evidence needed to support a case of spoliation.
Many cases can move slowly or involve years’ worth of communication where evidence production could prove problematic due to sheer volume and/or accidental or deliberate loss of data. In these situations, a forensic examiner’s expertise and tools will not only authenticate the data but facilitate the production of evidence that may not have been possible before.
With today’s technology, in order to truly authenticate a text message was sent from one phone to another you may need the actual device, a backup of the device, phone records but certainly an experienced digital forensic examiner. Don’t put your case at risk, consult with a digital forensic expert at Traversed today.
Here at Traversed, we are excited about our new partnership with BlackBag Technologies. This new collaboration will enable both companies to address the growing challenges faced by digital forensic examiners in our ever-changing, technology-focused world.We are confident that BlackBag Technologies’s innovative forensic acquisition and analysis tools, for Windows and Mac based computers, as well as iOS and Android mobile devices, will complement the work we do here at Traversed with digital forensics in the preservation, analysis and production of electronic data.
For over a decade, Traversed’s digital forensic experts have been utilizing BlackBag’s suite of tools and performing Apple Macintosh-based forensics. While Apple forensics poses a number of unique challenges, Traversed is well equipped and able to provide the same level of expertise BlackBag has historically provided commercial customers. Our experts have worked directly with BlackBag on cases involving encrypted devices, iCloud backups, as well as investigations that go beyond Apple forensics, working on both Windows and Android devices, to collect critical evidence in a forensically sound manner. Our eDiscovery and forensic investigations have aided in cases such as: intellectual property theft, corporate investigations, business disputes, family law matters, and spoliation of ESI. Our work has played a key role in not only uncovering digital truths, but directly impacting settlement agreements, loss valuations and monetary judgements.
Fostering this long relationship with BlackBag Technologies enables us to address hurdles in today’s technology including APFS, FileVault2 and the T2 chip encryption technologies. Our years of experience and expertise in digital forensics coupled with BlackBag’s suite of tools will allow us to provide clients the best possible solutions to often complex matters.
Contact Traversed today to learn more or speak with one of our forensic and eDiscovery experts!
Traversed LLC has announced a new services partnership with BlackBag Technologies effective immediately. The partnership will enable both BlackBag and Traversed to address growing challenges faced by examiners in the digital forensics field.
Under this new partnership, BlackBag and Traversed will work together to provide examiners and investigators access to forensic services that can assist with unique cases and circumstances that require additional expertise.
“I was originally introduced to BlackBag Technologies during my time as a law enforcement officer,” explained Dave Proulx, Director of Digital Forensic Services at Traversed. “Our lab performed countless digital forensic examinations utilizing BlackBag’s suite of software tools that were instrumental during the course of an investigation. After making the decision to leave law enforcement, I knew I would maintain the partnership I cultivated with BlackBag and take it with me to wherever I landed next, and I couldn’t have found a better home with Traversed.”
“Specializing in cyber training, digital forensics, private investigations, and the preservation, analysis, and production of electronic data, Traversed is looking forward to this new level of collaboration with BlackBag Technologies and what we can bring to the private sector together,” said Proulx.
BlackBag will work with customers to identify when cases can benefit from Traversed’s team of experts. Specialists who are formally trained and certified in computer, cell phone, and mobile forensics and advanced specialties such as vehicle infotainment and telematics, cloud system and Drone UAV (unmanned aerial vehicle) forensics will be brought in to help investigate.
“We’re excited to have a partner with the technical investigative capabilities Dave Proulx and the Traversed, LLC team possess,” BlackBag’s Chief Customer Officer, Ben Charnota explained.
“Having worked with Dave previously, I know firsthand how he’s embraced BlackBag’s mission with his extensive Law Enforcement career and has brought that knowledge and experience to Traversed”, Charnota said. “The digital investigation abilities of Dave and his team will enable a level of expertise not often found in a private service offering. We’re looking forward to our partnership’s growth and revealing the truth in data to create a safer world.”
About BlackBag Technologies:
BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with both criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com.
About Traversed, LLC:
Traversed specializes in digital forensics, incident response, and the preservation, analysis, and production of electronic data in matters involving civil litigation, regulatory matters, and corporate investigations. Traversed provides objective and comprehensive answers based upon expert analysis of electronic data while addressing challenges with simple solutions using the latest acquisition, search and forensic technologies. Learn more at www.Traversed.com .
Over the past year, Traversed, LLC has been laying the groundwork for a Cyber Solutions company built on integrity and expertise, providing services in digital forensics, eDiscovery, and cyber training.
At the helm of Traversed are Jose A. Faura, our CTO, and Dave Proulx, our Director of Digital Forensics & Training. Together, they have over 40 years of experience training government, military, law enforcement, and providing legal and judicial services.
Jose has been performing computer forensics and network security for the Intelligence Community for over two decades. He has investigated high-profile cyber security incidents, including a $2 billion credit card fraud case involving TJ Maxx. Jose also developed a program designed to extract emails and text messages which was pivotal in the recovery of emails tied to the White House.
Dave served 20 years in law enforcement, his last nine in Digital Forensics. Beyond his work on the Internet Crimes Against Children Task Force, he served as a vetted instructor for the US State Department’s ATA (Anti-Terrorism Assistance) Cyber Task Force, teaching digital forensics and online investigation to law enforcement throughout the nation, as well as abroad, in Europe, South America, and the Caribbean. An Apple Forensics expert, Dave led the forensic investigation in the Mall in Columbia shooting, and several high-profile crimes against children cases.
As the demand for cyber and digital forensic services increases, Traversed believes in a professional obligation to share knowledge, experience, and expertise with the next generation of professionals. In addition to offering commercial services, we have built a state-of-the-art training facility, Traversed’s Cyber Learning Center at our Columbia, Maryland headquarters, to further this endeavor. The Cyber Learning Center will host a range of courses, from foundational classes for those getting started in their digital forensic career to advanced courses for those with previous experience in the field.
Furthermore, we are excited to announce our partnership with Spyder Forensics, a leader in digital forensic training. Courses offered in conjunction with Spyder Forensics will equip students with the skills not only to perform computer forensics, but also to identify and extract recoverable data from Unmanned Aircraft Systems (UAS), or Drones. Additionally, Traversed will host Security Onion, SCADA/ICS (Industrial Control Systems) and malware analysis training.
For additional information on commercial services or upcoming courses offered, call us at (443) 832-4133 or visit www.traversed.com