All posts tagged computer forensics

How the Internet of Things has Changed Computer Forensics

Internet of Things (IoT) devices have been entering the market in growing numbers, the most prominent being Amazon’s Echo and its smaller counterpart, the Echo Dot, along with Google Home.

What do these devices do?

The Echo and Echo Dot are pretty straightforward. Users can play music, set an alarm and manage calendars. The user can also activate “skills,” which act as extensions, to add more functions to the Alexa app.

In contrast to other IoT devices, the Amazon Echo does not save data on the device. Instead, it transfers all voice recordings to Amazon’s data center.

Although the recorded data is not saved on the device itself, users are still concerned as to what rights to privacy they have. Trigger words are used to prompt the attention of the device. For the Echo, it is “Alexa,” and for Google Home, it is “O.K. Google.” Every word spoken after that trigger word is recorded and transferred to the provider’s data center. The recorded data is then stored by Amazon or Google, and it is somewhat of a mystery as to what happens to the data from there.

Computer Forensics: Can recorded data solve crimes?

In some cases, the data is used for much more serious situations than one might think. Earlier this year, data from an Echo device was used in a murder investigation. An individual was found dead after a house party in Bentonville, Arkansas, and criminal charges were brought against the owner of the home. Investigators demanded the Echo recordings, and data from the Echo inside the home was used as evidence in the case.

This case demonstrates the impact that IoT devices will have on computer forensic investigations. Investigators are now able to utilize data stored on devices, the cloud and external data centers. When data becomes available to computer forensics specialists, the work becomes the same as any other ordinary case. After forensic investigators create a 1:1 image of the original storage media – a hard disk drive, an SSD, a removable FLASH card, a data tape or any other storage media – they begin to analyze the data. When this assessment is completed, investigators use specialized software tools to search through the data, looking for evidence that can be used in a trial.

Can I stop sharing my data?

While this is a beneficial tool for some criminal investigations, users have the power to turn this feature off. If a user does not want their recordings to be stored, there is a way to delete them. Inside the Alexa app on your smartphone, you can delete your voice requests one by one. If you want to bulk delete, you can do that by signing into your Amazon account and checking your devices under this link

At KrolLDiscovery, computer forensics is in our DNA. Our analysts have years of experience investigating real cases and obtaining real results in both civil and criminal contexts, and our analysts are recognized experts in the field. If you have an IoT device, or any media type, that needs investigating, we are here to work with your team.

What’s the Deal with WhatsApp? Investigating and Discovering Mobile Device Data

Julian Sheppard and Michele C.S. Lange, KrolLDiscovery, Legaltech News

Editor’s note: this article appeared in Legaltech News.

Analyzing data from mobile devices is still uncharted territory for many in Legal and IT. Accordingly, today’s modern legal and technology professionals need to brush up on all things mobile. This includes understanding where applicable data resides in a mobile device and what common challenges are associated with accessing, preserving and extracting this data.

To make things complicated, mobile devices contain more than just email, text messages and photos — all fully discoverable in litigation and ripe for investigation. Legal teams cannot forget that inter-application (“app”) chat communications may also contain relevant information. Each of these apps stores content on the mobile device and functions in a slightly different manner, creating myriad data preservation, collection and privacy issues.

One such app taking the mobile device world by storm is WhatsApp. This article explores what legal teams need to know about accessing, preserving and extracting mobile data from WhatsApp, in light of recent news and privacy concerns.

The History of WhatsApp

WhatsApp is a stand-alone, cross-platform messaging service for mobile phones. It is marketed as being an inexpensive alternative to carrier-billed text messaging. WhatsApp functions by utilizing a mobile phone’s Internet or Wi-Fi connection. Through this connection, the WhatsApp user can send and receive text, pictures, audio or video.

WhatsApp was created in 2009 and since then has made international headlines by becoming one of the most popular standalone messaging platforms. In June 2013, WhatsApp had 250 million users and its user base keeps growing. WhatsApp’s popularity attracted the social media giant Facebook, which acquired WhatsApp in February 2014, to play a bigger role in the rapidly growing messaging market. At the time that this deal was announced, WhatsApp had 450 million users worldwide.

In 2014, WhatsApp implemented end-to-end 256-bit encryption on Android mobile phones, making it possible for secure communications. When a message is sent through WhatsApp, the messages are automatically “locked” once the user sends the message to the receiver. The message will not be “unlocked” until the receiver opens the message. This type of encryption — where the communication from sender to receiver cannot be decrypted during transit, making interception by a “middle man” virtually impossible — makes it unique from other messaging apps.

WhatsApp stressed in a 2014 statement that not even the best hacker or the WhatsApp company itself can access and read users’ messages. In 2016, WhatsApp expanded its end-to-end encryption to other types of mobile phones beyond Android. That same year, WhatsApp decided to make a bold change to its privacy policy by modifying its terms and conditions. Unless users decline the terms and conditions, they will immediately start sharing their data with Facebook and its affiliated companies, such as Instagram. Shared data will consist of users’ phone numbers and the last time they logged onto WhatsApp. The interplay between WhatsApp’s end-to-end encryption and these new privacy terms is leaving many users wondering if WhatsApp communications are truly secure and private.

Despite the change in policy, WhatsApp remains very popular. It is particularly popular in Europe, where unlimited texting mobile plans are less common. Further, WhatsApp is seeking to shift from personal to professional use. Initially designed for personal communications, WhatsApp is trying to acquire a new user base, by having companies adopt the platform, especially if the company has BYOD (bring your own device) or COPE (corporate-owned personally-enabled) policies. Particularly, in some Eastern European countries, WhatsApp has become especially popular for secure business communications because users know it is difficult to access.

WhatsApp Data in Mobile Discovery and Investigations

Drilling into a phone’s memory to attain information, such as WhatsApp communications, requires an advanced level of expertise. This is especially true given the intricacy of the phone and the growing ecosystem of device types. Further, mobile device extraction attempts, including attempts to recover data from WhatsApp, typically require phone passwords, PINs (Personal Identification Numbers) or swipe patterns to gain access to the device. Yet, even with this information, and depending on the mobile device itself, if the message data from WhatsApp is encrypted, it may not be possible to extract the data. Thus, even though mobile phone forensics is a fairly new discipline, an investigator needs a firm grasp on both the diversity of devices available on the market and the security measures used specifically on phones if any data is to be forensically retrieved.

While WhatsApp data may be retrievable from a user’s laptop or a cloud account, these possibilities are rare. As such, it is important to understand how the data may be extracted from the mobile device itself. In any forensic investigation of a mobile device, there are factors that influence what and how much data is retrievable. These factors include: the type of mobile device; the operating system version; the version of the specific app being used; and the type of encryption.

When it comes to retrieving WhatsApp communications on mobile devices, all these factors are intertwined. For instance, extracting WhatsApp data is not the same across all devices, as there are a variety of operating systems and versions of WhatsApp. To further complicate matters, WhatsApp’s messaging options store content in different locations on different mobile devices and each device functions in a different manner.

This lack of standardization is confounding for forensic investigators and case teams involved in the matter. As such, documenting the time and date of the extraction, as well as the operating system and app versions, is critical. Finally, investigators will need the key associated with the local database, which is often inaccessible without special software, in order to decrypt WhatsApp data.

The Debate of the Backdoor and WhatsApp

Currently, there is a major debate among legal and technology professionals about whether or not WhatsApp should have a “backdoor,” likely weakening WhatsApp’s encryption. When a message is transmitted, a backdoor could be used to circumvent the need for a specific encryption key and convert the message into plain text for it to be read by a third party. Discussed below are the viewpoints of both sides on whether there should be a backdoor within WhatsApp.

Some security and intelligence agencies prefer WhatsApp to be modified by implementing a backdoor. They argue that this would benefit not only them, but also the public. They claim that by monitoring WhatsApp messages through the backdoor they can detect criminal and terrorist activity.

One major concern of these agencies is the fear that terrorist organizations will use WhatsApp to communicate with each other, because of the security with end-to-end encryption. As a result of WhatsApp’s encryption, there has been a recent trend of terrorist organizations using WhatsApp to communicate. In March 2017, a terrorist used WhatsApp moments before carrying out an attack in Westminster, London. This recent attack, and other uses of WhatsApp, has continued to worry these agencies.

Agencies advocate that a backdoor within WhatsApp can have many benefits toward making the public feel more secure. If agencies had access to the messages within WhatsApp, it would give them an advantage to combat criminal activity and terrorist attacks. For example, British Intelligence claimed if they had the ability to read messages communicated by the terrorist back in March 2017, the attack might have been less severe. Thus, if agencies are allowed to monitor messages through WhatsApp, it may help prevent WhatsApp from becoming a safe harbor for terrorist communication.

Weakening End-to-End Encryption

Some security and intelligence agencies believe that modifying WhatsApp by creating a backdoor would be a mistake. Specifically, organizations and individuals will not know in advance whom the government will spy on when they have access to all users’ decrypted WhatsApp messages. This could impact how organizations and individuals communicate with each other.

It has been argued that implementing a backdoor will not help, but only weaken WhatsApp’s end-to-end encryption. There are other ways that agencies may be able to gain intelligence without the expense of sacrificing security, such as bugging rooms, infiltrating surveillance software, etc. Although having a backdoor is easier, it will sacrifice the security of the end-to-end encryption in WhatsApp and could become a slippery slope to backdoors in other apps.

Lastly, some analysts claim that security and intelligence agencies may have trouble monitoring WhatsApp through the backdoor. Malicious conduct may be hard to detect because of WhatsApp’s large user base and the chance of detecting criminal and terrorist activity is minimal. Further, once the public becomes suspicious that backdoors are in place, they are more likely to abandon WhatsApp for a different messaging app that does not have backdoors in place. Thus, by security and intelligence agencies diverting their attention to monitoring WhatsApp, they could lose the public’s confidence in the safety net that end-to-end encryption provides.

WhatsApp’s controversial end-to-end encryption has affected the ways legal and technology professionals access, preserve and extract this data from mobile devices. Although end-to-end encryption is complex, with help from a seasoned forensics investigator, valuable information on WhatsApp may be just a click, swipe or post beneath your fingertips.

Julian Sheppard is the Director of Computer Forensics for the EMEA region of KrolLDiscovery, based in London, United Kingdom. Michele C.S. Lange, Esq. is the Director of Thought Leadership for KrolLDiscovery, based in Minneapolis, Minn. The authors acknowledge the assistance of Christine Barry, KrolLDiscovery law clerk, in researching and writing this article.

Using Cellebrite in Mobile Phone Investigations

What happens when your company is facing probable litigation and key evidence is located on a smart phone? Demand for mobile device data is increasing in litigation and investigations and it presents a complex, new playing field for legal professionals and computer forensics experts.

New Tools Specifically for Cell Phone Forensics

Drilling into a phone’s memory requires a certain level of process and technology expertise, and if the technology product Cellebrite is not currently on your radar, it will likely surface soon. Cellebrite is a widely used mobile device forensics tool for data extraction and analysis. The combination of Cellebrite software and hardware helps the investigator delve into the messages, phone calls, voicemails, images, browsing history and more contained on a smart phone chip.

KrolLDiscovery on the ILTA Blog

KrolLDiscovery computer forensic expert Jason Bergerson recently explained how Cellebrite assists in mobile device examinations. Appearing on the International Legal Technology Association (ILTA) blog, Mobile Phone Forensics: Understanding Cellebrite Extraction Reports answers these questions:

  • What processes and tools are used to investigate mobile devices?
  • What limitations exist when extracting data from a mobile device?
  • What are the common reports generated by Cellebrite?
  • How are these reports leveraged by a forensic investigator?

To shine light on mobile device discovery and view a sample Cellebrite report, read Jason Bergerson’s ILTA blog post: Mobile Phone Forensics: Understanding Cellebrite Extraction Reports.

#WaybackWednesday: Mobile Device Investigations Webinar

A smartphone from a key employee lands on your desk. What next? From employment matters and IP theft cases to Foreign Corrupt Practices Act violations and corporate fraud, mobile devices are the modern reservoir for key data in litigation and investigations. However, this new data source is still uncharted territory for many legal and technology professionals working in law departments and law firms.

Last month, Kroll Ontrack’s own Jason Bergerson presented a useful webinar, Mobile Device Investigations: From Android to iPhone and Back, that provided an introduction to the world of mobile device investigations.

The Complex World of Mobile Data

The webinar began with an introduction to the world of mobile data and it was highlighted that there are many different types of data on mobile phones, each one needing a certain process to identify and extract data properly. While smart phones have been equated to computers, it is important to remember that they are not computers and to treat them the same can be a sanctions-worthy mistake.

The webinar walked through the computer forensic investigative process and provided helpful tips to keep in mind regarding the content in various apps and which data might be the most useful in litigation. The webinar highlighted the complexity of the varieties of data and things to consider when pursuing a forensics investigation.

Not All Phones Are the Same

This webinar also discussed at length the fact that cell phones themselves are a diverse category. Modern smart phones, burner phones, older flip phones and international models each have their own systems and methods of storing data. Furthermore, it needs to be considered where the data is physically located. Is it in the cloud? Or in the device in-hand? Each of these impacts the forensic method and the likelihood of success. The webinar provided various considerations for practitioners, depending on the sort of device at issue in their case.

It Was Deleted; Is It Gone?

In this webinar, various scenarios were explained in which mobile device data might be seemingly lost, but could still be recovered. Also, it was shown how some deleted data can be recovered, but there is a very short time frame in which to do so. The webinar provided guidance for practitioners on how to proceed, so that the investigative team can have the best odds of successfully obtaining the needed data.

We at Kroll Ontrack know that time demands and schedules make it difficult to attend webinars. Therefore, we have all our webinars online to view on demand, so that you won’t miss out on information that matters.

Embracing New Computer Forensics Paradigms

Computer forensics is a fast-changing industry. New mobile devices, increased use of the cloud to store data and social media all present new challenges to collecting data. It’s not enough to limit a data collection to files and emails anymore. Smartphones, tablets, email, instant messaging platforms, traditional file shares and more all need to be included in a collection. And computer forensics experts must keep up-to-date on industry-accepted practices for collecting each type of data.

  • How does each technology work?
  • How do users interact with said technology?
  • Where is the data stored?
  • And how is the data stored?

Those are all questions a computer forensics expert needs to be prepared to answer when investigating a cyber security event or preparing for litigation.

Check out ‘Data Collection: Embracing New Technology and Abandoning Old Paradigms‘ in this issue of Peer to Peer Magazine to understand more about changing trends in computer forensics and collections.

The Deep Web: Into the Deep End of the Dark Side of the Web

Deep Web. Hidden Web. Invisible Web.

These are names for the underbelly of the Internet that most of us know nothing about. If you’re in that camp, below you will find a few deep Web facts that every legal professional should consider as the lines between security, privacy, data breach, fraud, computer forensics and ediscovery blur.

9 Deep Web Facts

  1. Underneath the World Wide Web lies a whole other Internet where sites are hidden unless you know how to use them and exactly what to look for.
  2. This underside of the web is known as the deep Web, and it contains many, many layers of content. (See an infographic explaining the layers of the deep Web.)
  3. Ninety-nine percent of all the data on the Internet is stored in the deep Web.
  4. The deep Web is a place on the Internet where search engines have not indexed the information.
  5. The deep Web is “invisible” to the mainstream public – especially sites behind private networks, archived sites or standalone pages that connect to nothing at all.
  6. The vast majority of the deep Web holds pages with valuable information – databases, internal corporate websites, government documents, academic journals, etc.
  7. Some parts of the deep Web are associated with illegal or black market transactions – drugs, fake identifications, stolen credit card numbers, counterfeit cash and weapons.
  8. The anonymous nature of the deep Web makes it a breeding ground for unconventional conduct, such as: geeky or esoteric forums, information sharing in censored or turbulent political environments and leakages of confidential documents by whistleblowers or intellectual property (IP) thieves.
  9. The deep Web holds future potential as a place to securely communicate, especially for individuals deeply concerned about privacy or security.

What do the Impacts of the Deep Web mean for Lawyers?

One of my Kroll Ontrack colleagues, Michele Lange, recently sat down with Inside Counsel to explain the deep Web and when it can be a valuable source of evidence in litigation. To learn more about the deep Web, read Michele’s full Inside Counsel interview, “The source that ESI lawyers need to stop overlooking.”

Case Law: E.I. Du Pont De Nemours & Co. v. Kolon Indus., Inc.

Court Imposes Adverse Inference Sanction for Bad Faith Spoliation

E.I. Du Pont De Nemours & Co. v. Kolon Indus., Inc., 2011 WL 2966862 (E.D. Va. July 21, 2011).
In this ongoing trade secrets litigation, the plaintiff sought sanctions alleging the defendant spoliated evidence by deliberately destroying relevant ESI and engaged in prolonged efforts to conceal misconduct. Offering a “no harm, no foul” defense, the defendant claimed that because many of the deleted files were recovered, no spoliation occurred and the plaintiff suffered no prejudice. Finding the defendant did not engage in a widespread effort to delete relevant information, the court however determined the litigation hold notices were inadequate and, according to forensic analysis, several key employees intentionally and in bad faith destroyed approximately 12,836 e-mails and 4,975 electronic files. Declaring these deletions significant in substance and number, the court imposed an adverse inference instruction and ordered payment of attorney fees and costs incurred as a result of the spoliation.


This case highlights an issue that unfortunately is no longer an anomaly in the world of ediscovery. Parties continue deleting information and failing to adhere to a proper preservation and litigation hold protocol. In this case, the defendant attempted to avoid blame by noting that numerous documents were recovered – a hard sell to judges that continue to grow wearier of parties skirting their ediscovery obligations. Further, this case demonstrates the power of forensics. Professionals trained in the art of computer forensics are invaluable to investigations and uncovering the truth about data. However, unlike the portrayals in popular primetime dramas, forensics is a delicate art that requires diligence, proper chain of custody protocols and experience.

Curious to learn more?  Read our recent article: Computer Forensics – Not As Seen on TV.

Pioneering industry leader, Kroll Ontrack, partners with ACEDS to certify its staff as CEDS, serve as Premier Sponsor of ACEDS 2012 Conference and become ACEDS Affiliate Member

Legendary leader in legal technologies and services brings its quarter-century of experience in ediscovery and data recovery to growing ACEDS audience

Miami — The Association of Certified EDiscovery Specialists today announced that Kroll Ontrack, a pioneering service provider in ediscovery, document review and data recovery, is partnering with ACEDS to obtain Certified EDiscovery Specialist certifications for its staff and is serving as Premier Sponsor of the ACEDS 2012 Annual EDiscovery Conference at the Westin Diplomat in Hollywood, Florida. It will also join ACEDS as an Affiliate Member.

Kroll Ontrack provides technology-driven services and software to help legal, corporate and government entities manage, recover, search, analyze, produce and present data efficiently and cost-effectively. A recognized leader in legal technologies and services, Kroll Ontrack provides electronic discovery, document review, data recovery and data destruction, information management, computer forensics and discovery consulting. It employs approximately 1,600 employees in 30 offices worldwide.

Partnering to drive high-quality ediscovery education

ACEDS president Charles Intriago, an attorney and former federal prosecutor, said, “Driven by the outstanding services Kroll Ontrack provides to its ediscovery and data recovery clients, I have witnessed the birth and rise of Kroll Ontrack over the years and the expansion of its clientele to all corners of the globe.”

“We are very proud that this renowned ediscovery service provider, which offers multitudes of excellent thought leadership and educational events each year, has chosen to certify members of its staff as Certified EDiscovery Specialists and help ACEDS continue its charter of uniting professionals within the ediscovery community,” Intriago continued.

Joel Vogel, Kroll Ontrack vice president of discovery products and services, added, “As the demand for cost-effective, efficient legal discovery continues to rise, so does the need for knowledgeable ediscovery experts. Kroll Ontrack is enthusiastic to work with ACEDS to equip professionals, both legal and technical, with the essential education and training to effectively manage today’s multifaceted legal discovery challenges.”

Kroll Ontrack will host EDiscovery Knowledge Breakfast at ACEDS conference

Kroll Ontrack is a Premier Sponsor of the ACEDS Second Annual Conference, April 2-4, 2012, at the Westin Diplomat in Hollywood, Fla. The company is also sponsoring an Ediscovery Knowledge Breakfast for conference attendees on April 2 at 8:00 a.m., prior to the start of the regular program.

Kroll Ontrack will also join ACEDS committees that are planning to launch chapters in New York and London.

ACEDS Affiliate Members show commitment to excellence

As an ACEDS Affiliate Member, Kroll Ontrack will receive various special benefits, including access to ACEDS members, sustained presence on the ACEDS website, as well as references in external communications and ACEDS seminars, podcasts and live chats. ACEDS provides Affiliate Members with efficient access to ACEDS members and visitors to who are ultimately looking to acquire software, services and products of ediscovery and related providers.

“We are proud to add Kroll Ontrack as an Affiliate Member,” said Gregory Calpakis, ACEDS Executive Director.   “The Affiliate Membership of such distinguished companies like Kroll Ontrack is a sign that ACEDS is synonymous with competence, effectiveness, efficiency and risk control,” he added.

ACEDS offers the Certified EDiscovery Specialist certification to candidates who meet specified qualifications and pass a rigorous examination that is offered at some 600 ACEDS-Kryterion Testing Centers worldwide, including more than 300 testing centers in the U.S. and 30 in Canada.

ACEDS provides certification, training, news, information and networking

ACEDS, a membership organization devoted to the professional interests of the ediscovery community, seeks to enhance competence through certification, conferences, online and live training, community-building through forums and other live and electronic events that foster the exchange of ideas and solutions, and news, information and guidance.

For information about ACEDS Affiliate Membership, contact: Lanny Morris, ACEDS Senior Account Executive, at 305-490-2933 or e-mail

(Accredited members of the media may obtain access to the news portion of, and credentials to cover the ACEDS Annual Conference, on April 2-4, 2012, by contacting Robert Hilson, Editorial Director, at 786-517-2714 or

Association of Certified EDiscovery Specialists
444 Brickell Ave., Suite 250
Miami, FL 33131 USA

Preserve Electronic Evidence, Preserve Justice

For the last decade, electronically stored information (ESI) has been an increasingly dominant source of evidence in civil litigation as business communication has shifted to electronic media. But as the heart-wrenching investigation into the death of Caylee Anthony continues to unfold, it demonstrates that the value of ESI is no longer relegated to the world of civil litigation.

In any investigation, evidence is collected wherever human interaction occurs. As electronic communication has become increasingly personalized, intimately personal conversations now commonly take place over once highly impersonal media such as text messages and social media networks. For criminal investigators, this makes the preservation and collection of evidence from electronic media as critical as that of physical evidence from the crime scene itself.

In the ongoing, highly sensationalized trial of Casey Anthony, investigators and criminal prosecutors are using ESI to demonstrate everything from event timelines to intent and motive. Following the arrest of Casey Anthony in the investigation into her daughter’s disappearance, law enforcement in central Florida seized and forensically searched electronic devices ranging from cell phones to digital cameras. The investigation revealed a trove of electronic evidence that has proved vital to the prosecution’s case.

Photographs and their metadata, extracted from seized digital cameras, have helped piece together the mysterious timeline surrounding Caylee’s disappearance, while e-mail and chat conversations have been presented to help elucidate motive and intent. Perhaps the most damning of all, forensic investigation has revealed a list of internet search terms and the web browsing history from around the time of Caylee’s disappearance. Searches for words such as “chloroform” and “head injuries” were discovered by reconstructing deleted internet history files from the hard drive of Casey Anthony’s computer. This was done by forensically imaging the computer’s hard drive, and then analyzing the unallocated, or “slack space” for information marked for deletion. Unbeknownst to the layperson, and to the dismay of the would-be spoliator in this case, simply deleting information from the operating system does not permanently remove data. Instead of actually overwriting the information, deleting data only causes the computer to designate it as overwrite-able. Furthermore, because deleted data is broken up into bits and pieces spread all across the hard drive, it can take a considerable amount of time until all of the information is completely lost. A skilled forensic investigator can quickly analyze storage media and retrieve this information from the slack space.

When collecting any ESI, and deleted data in particular, time is of the essence and the skill of the forensic investigator is critical. Like other forms of trace evidence – such as blood, fingerprints, tire tracks, etc. – electronic evidence is extremely fragile; the slightest inconsistency in the preservation and collection process can render even the proverbial “smoking gun” wholly inadmissible. Preventing this requires the use of highly skilled and experienced forensic investigators who can properly preserve ESI and collect all the relevant data while maintaining a strong chain of custody and ensuring the defensibility of the evidence at trial.
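An added example, not part of the original post: the process the two paragraphs above describe (and the 1:1 imaging step from the IoT post earlier on this page), run on a constructed toy volume. The `ToyVolume` layout, the file names and the `search.example` URLs are assumptions made for illustration; it is not a real filesystem or case data, and it scans only blocks marked unallocated.

```python
import hashlib
import re
from urllib.parse import unquote_plus

BLOCK = 512  # block size of the constructed toy volume (assumption)

class ToyVolume:
    """Constructed stand-in for a disk: data blocks plus an allocation map.
    It models only one thing: deleting a file marks its blocks as free."""

    def __init__(self, n_blocks):
        self.data = bytearray(n_blocks * BLOCK)
        self.allocated = [False] * n_blocks
        self.files = {}  # file name -> list of block numbers

    def write_file(self, name, content):
        needed = -(-len(content) // BLOCK)  # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for n, blk in enumerate(free):
            chunk = content[n * BLOCK:(n + 1) * BLOCK]
            self.data[blk * BLOCK: blk * BLOCK + len(chunk)] = chunk
            self.allocated[blk] = True
        self.files[name] = free

    def delete_file(self, name):
        # Only the allocation flags change; the bytes stay where they were.
        for blk in self.files.pop(name):
            self.allocated[blk] = False

def acquire_image(source):
    """Bit-for-bit copy, verified by SHA-256 so the digest can go in the custody record."""
    image = bytes(source)
    src_hash = hashlib.sha256(source).hexdigest()
    img_hash = hashlib.sha256(image).hexdigest()
    if src_hash != img_hash:
        raise ValueError("image does not match source")
    return image, img_hash

# URL containing a q= parameter; the captured term stops at '&' or any non-printable byte.
QUERY_RE = re.compile(rb"https?://[\x21-\x7e]+?[?&]q=([\x21-\x25\x27-\x7e]+)")

def free_runs(allocated):
    """Yield (first_block, block_count) for each run of contiguous free blocks."""
    start = None
    for i, used in enumerate(list(allocated) + [True]):  # sentinel closes the last run
        if not used and start is None:
            start = i
        elif used and start is not None:
            yield start, i - start
            start = None

def carve_search_terms(image, allocated):
    """Scan unallocated blocks of the image for search URLs.
    Contiguous free blocks are scanned as one region so that a record
    straddling a block boundary is still found."""
    hits = []
    for first, count in free_runs(allocated):
        base = first * BLOCK
        region = image[base: base + count * BLOCK]
        for m in QUERY_RE.finditer(region):
            term = unquote_plus(m.group(1).decode("ascii"))
            hits.append((base + m.start(), term))
    return hits

def build_constructed_volume():
    """Constructed sample: one live file, plus a deleted browser-history file
    whose first record straddles the boundary between blocks 1 and 2."""
    vol = ToyVolume(8)
    vol.write_file("report.txt", b"quarterly figures\n" * 20)
    history = (b"\x00" * 490
               + b"http://search.example/find?q=chloroform&src=bar\n"
               + b"http://search.example/find?q=head+injuries&src=bar\n")
    vol.write_file("history.dat", history)
    vol.delete_file("history.dat")
    return vol

if __name__ == "__main__":
    vol = build_constructed_volume()
    image, digest = acquire_image(vol.data)
    print("image sha256:", digest)
    print("carved after delete:", carve_search_terms(image, vol.allocated))
    # New data reuses the first freed block; only part of the history is lost.
    vol.write_file("new.bin", b"\xff" * BLOCK)
    image2, _ = acquire_image(vol.data)
    print("carved after partial overwrite:", carve_search_terms(image2, vol.allocated))
```

Both deleted search terms are recovered from the first image; after one freed block is reused, only the record that lay wholly in the still-free block survives, which is why the time between deletion and acquisition matters.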

Cases like the Casey Anthony trial illustrate both the growing prevalence and vital importance of ESI in the criminal context. Every trial directly depends upon the quality of evidence presented. If justice is to be ensured as we continue moving deeper into the era of electronic evidence, criminal attorneys must quickly begin taking cues from their civil counterparts and learn how to effectively manage ESI.

Case Law: Trickey v. Kaman Indus. Techs. Corp

Despite Inadequate Preservation Efforts, Court Declines Sanctions Based on Retention of Forensic Expert

Trickey v. Kaman Indus. Techs. Corp., 2010 WL 5067421 (E.D. Mo. Dec. 6, 2010). In this employment discrimination litigation, the plaintiff sought production of all relevant electronic communications, alleging the defendants failed to adequately preserve electronic data in anticipation of litigation. Employees of the defendants manually selected and preserved documents and e-mails contained in the live database or archive that they deemed potentially relevant instead of preserving a mirror image of the e-mail server and relevant data sets. Although concerned by the defendants’ failure to create a mirror image, the court declined to issue sanctions as the plaintiff made no spoliation claims and the defendants made considerable remedial efforts by hiring an independent forensic computer expert to examine the electronic data for relevant information. Based on this retention of the forensic IT consultant and efforts to search existing data, the court agreed that the requested documents no longer existed and denied the motion to compel unless the plaintiff could identify now-existing databases that were not previously searched.


In this case, the retention of a forensic expert was instrumental in the defendants’ ability to avoid sanctions despite the failure to adequately preserve data. As demonstrated in the 2010 Year in Review study conducted by Kroll Ontrack, 39 percent of cases addressed the issue of sanctions with almost half of those cases involving preservation and spoliation issues. Despite the increased attention the topic of preservation has received by practitioners, organizations and the industry at large, it is clear that people are still struggling to effectively manage this challenging aspect of the discovery process.

If you find yourself struggling with implementing proper information management protocols, contact an ESI Consultant. The consultant can work with your organization to assess risks and develop a repeatable and defensible ESI strategy. If it is already too late and data has been destroyed despite an existing duty to preserve, contact a reputable computer forensics professional. The computer forensic expert can attempt to recover the deleted data (after all, delete does not necessarily mean delete) and can provide other data analysis to determine the breadth of the situation. In addition, a properly trained computer forensics professional can also provide expert testimony to support the case. The expert should be able to fully articulate his/her findings to people with and without expertise to help you win your case and/or mitigate any potential losses.