All posts tagged computer forensics

Using Cellebrite in Mobile Phone Investigations

What happens when your company is facing probable litigation and key evidence is located on a smart phone? Demand for mobile device data is increasing in litigation and investigations and it presents a complex, new playing field for legal professionals and computer forensics experts.

New Tools Specifically for Cell Phone Forensics

Drilling into a phone’s memory requires a certain level of process and technology expertise and if the technology product Cellebrite is not currently on your radar, it will likely surface soon. Cellebrite is a widely used mobile device forensics tool for data extraction and analysis. The combination of Cellebrite software and hardware helps the investigator delve into the messages, phones calls, voicemails, images, browsing history and more contained on a smart phone chip.

KrolLDiscovery on the ILTA Blog

KrolLDiscovery computer forensic expert Jason Bergerson recently explained how Cellebrite assists in mobile device examinations. Appearing on the International Legal Technology Association (ILTA) blog, Mobile Phone Forensics: Understanding Cellebrite Extraction Reports answers these questions:

  • What processes and tools are used to investigate mobile devices?
  • What limitations exist when extracting data from a mobile device?
  • What are the common reports generated by Cellebrite?
  • How are these reports leveraged by a forensic investigator?

To shine light on mobile device discovery and view a sample Cellebrite report, read Jason Bergerson’s ILTA blog post: Mobile Phone Forensics: Understanding Cellebrite Extraction Reports.

#WaybackWednesday: Mobile Device Investigations Webinar

A smartphone from a key employee lands on your desk, what next? From employment matters and IP theft cases to Foreign Corrupt Practices Act violations and corporate fraud, mobile devices are the modern reservoir for key data in litigation and investigations. However, this new data source is still uncharted territory for many legal and technology professionals working in law departments and law firms.

Last month, Kroll Ontrack’s own Jason Bergerson presented a useful webinar, Mobile Device Investigations: From Android to iPhone and Back, that provided an introduction to the world of mobile device investigations.

The Complex World of Mobile Data

The webinar began with an introduction to the world of mobile data and it was highlighted that there are many different types of data on mobile phones, each one needing a certain process to identify and extract data properly. While smart phones have been equated to computers, it is important to remember that they are not computers and to treat them the same can be a sanctions-worthy mistake.

The webinar walked through the computer forensic investigative process and provided helpful tips to keep in mind regarding the content in various apps and which data might be the most useful in litigation. The webinar highlighted the complexity of the varieties of data and things to consider when pursuing a forensics investigation.

Not All Phones Are the Same

This webinar also discussed at length the fact that cell phones themselves are a diverse category. Modern smart phones, burner phones, older flip phones and international models each have their own systems and methods of storing data. Furthermore, it needs to be considered where the data is physically located. Is it in the cloud? Or in the device in-hand? Each of these impacts the forensic method and the likelihood of success. The webinar provided various considerations for practitioners, depending on the sort of device at issue in their case.

It Was Deleted; Is It Gone?

In this webinar, various scenarios were explained in which mobile device data might be seemingly lost, but could still be recovered. Also, it was shown how some deleted data can be recovered, but there is a very short time frame in which to do so. The webinar provided guidance for practitioners on how to proceed, so that investigative team can have the best odds of successfully obtaining the needed data.

We at Kroll Ontrack know that time demands and schedules make it difficult to attend webinars. Therefore, we have all our webinars online to view on demand, so that you won’t miss out on information that matters.

Embracing New Computer Forensics Paradigms

computer forensics

Computer forensics is a fast-changing industry. New mobile devices, increased use of the cloud to store data and social media all present new challenges to collecting data. It’s not enough to limit a data collection to files and emails anymore. Smartphones, tablets, email, instant messaging platforms, traditional file shares and more all need to be included in a collection. And computer forensics experts must keep up-to-date on industry-accepted practices for collecting each type of data.

  • How does each technology work?
  • How do users interact with said technology?
  • Where is the data stored?
  • And how is the data stored?

Those are all questions a computer forensics expert needs to be prepared to answer when investigating a cyber security event or preparing for litigation.

Check out ‘Data Collection: Embracing New Technology and Abandoning Old Paradigms‘ in this issue of Peer to Peer Magazine to understand more about changing trends in computer forensics and collections.

The Deep Web: Into the Deep End of the Dark Side of the Web

Deep Web. Hidden Web. Invisible Web.

These are names for the underbelly of the Internet that most of us know nothing about. If you’re in that camp, below you will find a few deep Web facts that every legal professional should consider as the lines between security, privacy, data breach, fraud, computer forensics and ediscovery blur.

9 Deep Web Facts

  1. Underneath the World Wide Web lies a whole other Internet where sites are hidden unless you know how to use them and exactly what to look for.
  2. This underside of the web is known as the deep Web, and it contains many, many layers of content. (See an infographic explaining the layers of the deep Web.)
  3. Ninety-nine percent of all the data on the Internet is stored in the deep Web.
  4. The deep Web is a place on the Internet where search engines have not indexed the information.
  5. The deep Web is “invisible” to the mainstream public – especially sites behind private networks, archived sites or standalone pages that connect to nothing at all.
  6. The vast majority of the deep Web holds pages with valuable information – databases, internal corporate websites, government documents, academic journals, etc.
  7. Some parts of the deep Web are associated with illegal or black market transactions – drugs, fake identifications, stolen credit card numbers, counterfeit cash and weapons.
  8. The anonymous nature of the deep Web makes it a breeding ground for unconventional conduct, such as: geeky or esoteric forums, information sharing in censored or turbulent political environments and leakages of confidential documents by whistleblowers or intellectual property (IP) thieves.
  9. The deep Web holds future potential as a place to securely communicate, especially for individuals deeply concerned about privacy or security.

What do the Impacts of the Deep Web mean for Lawyers?

One of my Kroll Ontrack colleagues, Michele Lange, recently sat down with Inside Counsel to explain the deep Web and when it can be a valuable source of evidence in litigation. To learn more about the deep Web, read Michele’s full Inside Counsel interview, “The source that ESI lawyers need to stop overlooking.”

Case Law: E.I. Du Pont De Nemours & Co. v. Kolon Indus., Inc.

Case Law

Court Imposes Adverse Inference Sanction for Bad Faith Spoliation

E.I. Du Pont De Nemours & Co. v. Kolon Indus., Inc., 2011 WL 2966862 (E.D. Va. July 21, 2011).
In this ongoing trade secrets litigation, the plaintiff sought sanctions alleging the defendant spoliated evidence by deliberately destroying relevant ESI and engaged in prolonged efforts to conceal misconduct. Offering a “no harm, no foul” defense, the defendant claimed that because many of the deleted files were recovered, no spoliation occurred and the plaintiff suffered no prejudice. Finding the defendant did not engage in a widespread effort to delete relevant information, the court however determined the litigation hold notices were inadequate and, according to forensic analysis, several key employees intentionally and in bad faith destroyed approximately 12,836 e-mails and 4,975 electronic files. Declaring these deletions significant in substance and number, the court imposed an adverse inference instruction and ordered payment of attorney fees and costs incurred as a result of the spoliation.


This case highlights an issue that unfortunately is no longer an anomaly in the world of ediscovery. Parties continue deleting information and failing to adhere to a proper preservation and litigation hold protocol. In this case, the defendant attempted to avoid blame by noting that numerous documents were recovered – a hard sell to judges that continue to grow wearier of parties skirting their ediscovery obligations. Further, this case demonstrates the power of forensics. Professionals trained in the art of computer forensics are invaluable to investigations and uncovering the truth about data. However, unlike the portrayals in popular primetime dramas, forensics is a delicate art that requires diligence, proper chain of custody protocols and experience.

Curious to learn more?  Read our recent article: Computer Forensics – Not As Seen on TV.

Pioneering industry leader, Kroll Ontrack, partners with ACEDS to certify its staff as CEDS, serve as Premier Sponsor of ACEDS 2012 Conference and become ACEDS Affiliate Member

Pioneering industry leader, Kroll Ontrack, partners with ACEDS to certify its staff as CEDS, serve as Premier Sponsor of ACEDS 2012 Conference and become ACEDS Affiliate Member

Legendary leader in legal technologies and services brings its quarter-century of experience in ediscovery and data recovery to growing ACEDS audience

Miami — The Association of Certified EDiscovery Specialists today announced that Kroll Ontrack, a pioneering service provider in ediscovery, document review and data recovery, is partnering with ACEDS to obtain Certified EDiscovery Specialist certifications for its staff and is serving as Premier Sponsor of the ACEDS 2012 Annual EDiscovery Conference at the Westin Diplomat in Hollywood, Florida. It will also join ACEDS as an Affiliate Member.

Kroll Ontrack provides technology-driven services and software to help legal, corporate and government entities manage, recover, search, analyze, produce and present data efficiently and cost-effectively. A recognized leader in legal technologies and services, Kroll Ontrack provides electronic discovery, document review, data recovery and data destruction, information management, computer forensics and discovery consulting. It employs approximately 1,600 employees in 30 offices worldwide.

Partnering to drive high-quality ediscovery education

ACEDS president Charles Intriago, an attorney and former federal prosecutor, said, “Driven by the outstanding services Kroll Ontrack provides to its ediscovery and data recovery clients, I have witnessed the birth and rise of Kroll Ontrack over the years and the expansion of its clientele to all corners of the globe.”

“We are very proud that this renowned ediscovery service provider, which offers multitudes of excellent thought leadership and educational events each year, has chosen to certify members of its staff as Certified EDiscovery Specialists and help ACEDS continue its charter of uniting professionals within the ediscovery community,” Intriago continued.

Joel Vogel, Kroll Ontrack vice president of discovery products and services, added, “As the demand for cost-effective, efficient legal discovery continues to rise, so does the need for knowledgeable ediscovery experts. Kroll Ontrack is enthusiastic to work with ACEDS to equip professionals, both legal and technical, with the essential education and training to effectively manage today’s multifaceted legal discovery challenges.”

Kroll Ontrack will host EDiscovery Knowledge Breakfast at ACEDS conference

Kroll Ontrack is a Premier Sponsor of the ACEDS Second Annual Conference, April 2-4, 2012, at the Westin Diplomat in Hollywood, Fla. The company is also sponsoring an Ediscovery Knowledge Breakfast for conference attendees on April 2 at 8:00 a.m., prior to the start of the regular program.

Kroll Ontrack will also join ACEDS committees that are planning to launch chapters in New York and London.

ACEDS Affiliate Members show commitment to excellence

As an ACEDS Affiliate Member, Kroll Ontrack will receive various special benefits, including access to ACEDS members, sustained presence on the ACEDS website, as well as references in external communications and ACEDS seminars, podcasts and live chats. ACEDS provides Affiliate Members with efficient access to ACEDS members and visitors to who are ultimately looking to acquire software, services and products of ediscovery and related providers.

“We are proud to add Kroll Ontrack as an Affiliate Member,” said Gregory Calpakis, ACEDS Executive Director.   “The Affiliate Membership of such distinguished companies like Kroll Ontrack is a sign that ACEDS is synonymous with competence, effectiveness, efficiency and risk control,” he added.

ACEDS offers the Certified EDiscovery Specialist certification to candidates who meet specified qualifications and pass a rigorous examination that is offered at some 600 ACEDS-Kryterion Testing Centers worldwide, including more than 300 testing centers in the U.S. and 30 in Canada.

ACEDS provides certification, training, news, information and networking

ACEDS, a membership organization devoted to the professional interests of the ediscovery community, seeks to enhance competence through certification, conferences, online and live training, community-building through forums and other live and electronic events that foster the exchange of ideas and solutions, and news, information and guidance.

For information about ACEDS Affiliate Membership, contact: Lanny Morris, ACEDS Senior Account Executive, at 305-490-2933 or e-mail

(Accredited members of the media may obtain access to the news portion of, and credentials to cover the ACEDS Annual Conference, on April 2-4, 2012, by contacting Robert Hilson, Editorial Director, at 786-517-2714 or

Association of Certified EDiscovery Specialists
444 Brickell Ave., Suite 250
Miami, FL 33131 USA

Preserve Electronic Evidence, Preserve Justice

For the last decade, electronically stored information (ESI) has been an increasingly dominant source of evidence in civil litigation as business communication has shifted to electronic media. But the as the heart-wrenching investigation into the death of Caylee Anthony continues to unfold, it demonstrates that the value of ESI is no longer relegated to the world of civil litigation.

In any investigation, evidence is collected wherever human interaction occurs. As electronic communication has become increasingly personalized, intimately personal conversations now commonly take place over once highly impersonal media such as text messages and social media networks. For criminal investigators, this makes the preservation and collection of evidence from electronic media as critical as that of physical evidence from the crime scene itself.

In the ongoing, highly sensationalized trial of Casey Anthony, investigators and criminal prosecutors are using ESI to demonstrate everything from event timelines to intent and motive. Following the arrest of Casey Anthony in the investigation into her daughter’s disappearance, law enforcement in central Florida seized and forensically searched electronic devices ranging from cell phones to digital cameras. The investigation revealed a trove of electronic evidence that has proved vital to the prosecution’s case.

Photographs and their metadata, extracted from seized digital cameras, have helped piece together the mysterious timeline surrounding Caylee’s disappearance, while e-mail and chat conversations have been presented to help elucidate motive and intent. Perhaps the most damning of all, forensic investigation has revealed a list of internet search terms and the web browsing history from around the time of Caylee’s disappearance. Searches for words such as “chloroform” and “head injuries” were discovered by reconstructing deleted internet history files from the hard drive of Casey Anthony’s computer. This was done by forensically imaging the computer’s hard drive, and then analyzing the unallocated, or “slack space” for information marked for deletion. Unbeknownst to the layperson, and to the dismay of the would-be spoliator in this case, simply deleting information from the operating system does not permanently remove data. Instead of actually overwriting the information, deleting data only causes the computer to designate it as overwrite-able. Furthermore, because deleted data is broken up into bits and pieces spread all across the hard drive, it can take a considerable amount of time until all of the information is completely lost. A skilled forensic investigator can quickly analyze storage media and retrieve this information from the slack space.

When collecting any ESI, and deleted data in particular, time is of the essence and the skill of the forensic investigator is critical. Like other forms of trace evidence – such as blood, fingerprints, tire tracks, etc. – electronic evidence is extremely fragile; the slightest inconsistency in the preservation and collection process can render even the proverbial “smoking gun” wholly inadmissible. Preventing this requires the use of highly skilled and experienced forensic investigators who can properly preserve ESI and collect all the relevant data while maintaining a strong chain of custody and ensuring the defensibility of the evidence at trial.

Cases like the Casey Anthony trial illustrate both the growing prevalence and vital importance of ESI in the criminal context. Every trial directly depends upon the quality of evidence presented. If justice is to be ensured as we continue moving deeper into the era of electronic evidence, criminal attorneys must quickly begin taking cues from their civil counterparts and learn how to effectively manage ESI.

Case Law: Trickey v. Kaman Indus. Techs. Corp

Case Law

Despite Inadequate Preservation Efforts, Court Declines Sanctions Based on Retention of Forensic Expert

Trickey v. Kaman Indus. Techs. Corp., 2010 WL 5067421 (E.D. Mo. Dec. 6, 2010). In this employment discrimination litigation, the plaintiff sought production of all relevant electronic communications, alleging the defendants failed to adequately preserve electronic data in anticipation of litigation. Employees of the defendants manually selected and preserved documents and e-mails contained in the live database or archive that they deemed potentially relevant instead of preserving a mirror image of the e-mail server and relevant data sets. Although concerned by the defendants’ failure to create a mirror image, the court declined to issue sanctions as the plaintiff made no spoliation claims and the defendants made considerable remedial efforts by hiring an independent forensic computer expert to examine the electronic data for relevant information. Based on this retention of the forensic IT consultant and efforts to search existing data, the court agreed that the requested documents no longer existed and denied the motion to compel unless the plaintiff could identify now-existing databases that were not previously searched.


In this case, the retention of a forensic expert was instrumental in the defendants’ ability to avoid sanctions despite the failure to adequately preserve data. As demonstrated in the 2010 Year in Review study conducted by Kroll Ontrack, 39 percent of cases addressed the issue of sanctions with almost half of those cases involving preservation and spoliation issues. Despite the increased attention the topic of preservation has received by practitioners, organizations and the industry at large, it is clear that people are still struggling to effectively manage this challenging aspect of the discovery process.

If you find yourself struggling with implementing proper information management protocols, contact an ESI Consultant. The consultant can work with your organization to assess risks and develop a repeatable and defensible ESI strategy. If it is already too late and data has been destroyed despite an existing duty to preserve, contact a reputable computer forensics professional. The computer forensic expert can attempt to recover the deleted data (after all, delete does not necessarily mean delete) and can provide other data analysis to determine the breadth of the situation. In addition, a properly trained computer forensics professional can also provide expert testimony to support the case. The expert should be able to fully articulate his/her findings to people with and without expertise to help you win your case and/or mitigate any potential losses.