As a result I have talked to litigators who lament the fact that there are not as many Search Orders as there were in the good old days. I can add that we have not found this to be the case. It seems, rather, that some firms are regularly using the Search Orders to great effect, often on specific instances of data theft, whilst others are allowing it to wither on the vine in favour of other, less onerous and draconian remedies.
Despite Lord Woolf’s laudable efforts to speed up and simplify the civil litigation process, it is our experience that certain types of problem can only sensibly be solved by resorting to the extreme option of the Search Order. As computer forensic investigators, we are regularly involved in the investigation of data theft. The recent changes in civil procedures have encouraged the parties to consider carefully the aspect of proportionality in their strategies and therefore applications to the court. As a result, we have seen a rise in consent orders, whereby the computers of those suspected of data/confidential information theft are delivered up to the claimants with the consent of the respondents. Whilst this may be deemed perfectly proportional by the claimants, and therefore, they hope, the court, such orders do not come without their drawbacks.
The key strength of the Search Order is that it is a bolt from the blue. Applied for ex-parte, or without notice, it gives the claimants the key element of surprise. Indeed, the entire reason for applying for such an order is that the claimants will argue that, given notice of intended proceedings, the respondents would certainly destroy any evidence. If the court agrees with the claimants, the Search Order will be granted, allowing no chance for key evidence in the possession of the respondents to be destroyed.
Consent orders, on the other hand, are exactly the opposite. The key weakness of such an order, despite the fact that it will contain a Penal Notice warning of the dangers of interfering with the data to be delivered, is that it allows the respondents time to do exactly that. On a number of the data theft cases we have investigated recently, there is the strong suspicion that the data sets delivered up have either been cleaned, or are not the full sets, or, as happens in the worst cases, that data has been deliberately destroyed.
Depending on the types of destruction undertaken, there is certainly the likelihood of demonstrating that such destruction has occurred; but to say data has been destroyed is one thing – to state what has been destroyed is another matter. True, most litigators will assert to the court that positive overwriting of data on machines the court has instructed the respondents not to tamper with is going to reflect badly on the respondents, and must surely point to their having tried to cover up material they were not meant to have. But consent orders normally deal with material relevant to the claimant’s business. A respondent will certainly try and claim that the destruction was of material not relevant to the order, and will probably try and further confuse the issue with spurious technical arguments about housekeeping and improved performance. Such problems may be avoided by careful wording of any order, but again, proportionality will come into play. Businesses will be extremely unwilling to allow a competitor (for such is the claimant in most instances of data theft) to examine data on their computers that does not relate directly to the areas in contention, and drafting orders in which no data may be screened or deleted may not be practicable.
All this, of course, depends on being able to determine that data has been erased. There are some software mechanisms that leave no trail behind them. In such cases, as with those where it is felt that the respondents have cleaned up data, or are presenting a “stunt set”, the investigators and litigators have to work on the inference of omission – i.e. that what is being presented cannot be true based on what is not present (for example, the sheer lack of e-mail, or of other business documentation), but this is, by nature, a difficult argument to prove.
Without doubt, the preferred option for investigators and in most cases litigators (although I do not pretend to speak for them in general) to preserve evidence is to catch the respondents in possession of it.
Such is the extreme nature of the Search Order that many litigators have never executed one. Sometimes, however, they will find themselves being pushed into it by a client eager for such a remedy, and they will have to learn on the job. It is almost certain that any Search Order will include a specific order allowing for the imaging of computers and other digital media. Most computer forensic investigators have executed a number of Search Orders, and they will always be more than willing to add their store of knowledge on the practicalities of executing such orders whenever asked, and of ensuring the order is correctly drafted to allow for the collection of all digital evidence. Executing a Search Order is a lot like executing a criminal Search Warrant, and a little like undertaking a military operation. The more planning and preparation that goes into it, the better the result is likely to be.
Cry Woolf
Julian Parker
The Woolf Reforms, recently instituted to make civil litigation more user friendly, targeted, amongst other things, the investigator’s best friend, the Anton Piller Order (AP). The Order was targeted directly, by having its name changed to the Search Order, and indirectly, in that Woolf aimed to make claimants expend more effort in finding solutions before resorting to the “nuclear option” of the AP.
CAUGHT RED HANDED
Basic rules to prepare for a Search Order:
Select the right target
The investigation and litigation team should be careful to ensure the targets selected are those directly relevant to proving the case, and are proven or are likely to be in possession of evidence. Further targets can be added as the searches progress, but the courts will be more prepared to grant an order that is highly targeted with reliable evidence rather than one which is trying to catch all-comers. Search Orders should never be considered a “fishing expedition”.
Engage the relevant expertise
In most cases the target premises, whether business or residential, are very likely to contain computers or other digital processing equipment. Here it is worth noting that rarely does any member of the forensic team get the opportunity of finding out exactly what and how much processing power will be encountered in any target location. The only sensible approach is to take maximum firepower (forensic imaging capability). Furthermore, the order will often stipulate that two copies of any devices are to be made, one being left with the respondents. It is not advisable to engage a computer forensic specialist who only has the capability of imaging one machine at a time – whatever amount of digital media is encountered, the claimant’s solicitors and the court will still want to be out of the target premises as quickly as possible.
Specialist assistance is often required in other fields, most notably surveillance – once an order is granted, the claimants’ solicitors will undertake to the court to execute it as soon as practicable. Surveillance is often required to ensure that the targets will be at their residences/offices on the day chosen for the search (I could at this point tell the story of the surveillance team which gave the OK to the search team, who duly arrived after a journey of many miles and several hotel bills. On the morning of execution, however, no-one was home. The surveillance team’s confident assertions of occupancy were undermined by the obvious presence of an anti-burglar device, which switched on the house lights every night at 10.00pm thus fooling them – but I digress).
Build redundancy into the execution team
It goes without saying that there should be enough people on hand to do the job. But Search Orders can be unpredictable – new targets and/or premises can emerge as the search gets underway, and it is never advisable to have the minimum number of people on hand. Likewise, do ensure that the execution team has sufficient transport to meet any eventualities (sounds obvious, I know, but we have known teams unable to commence their search as they have been stuck waiting for a train). Members of the search teams should also have tested means of communicating with each other, and mobile telephone batteries should be fully charged.
Ensure the forensic team is well briefed and forewarned
It is not unknown for the forensic investigators to be asked to execute a Search Order the next day in some remote location without any prior warning. There is no excuse for such lack of forethought. Search Orders take time to put together and apply for, and ideally the forensic team should be involved in drafting or at least checking the technical aspects of the order. Likewise, the forensic team will suffer if not adequately briefed as to the evidence being looked for. Search criteria such as “all e-mails please” indicate a fundamental lack of awareness of the potential capabilities of forensic investigation, and can lead to needless hours taken up producing irrelevant material.
In the post Woolf era, many litigators err on the side of caution when tackling fraud or data theft. With the watchword of “proportionality” ringing in their ears they shy away from aggressive tactics such as the Search Order. Indeed, many litigators had never executed the old Anton Piller Order in the pre Woolf days, and would feel even less inclined to try for the new Search Order. As forensic investigators we have a different perspective, of course. Our role is to search for evidence. In a previous issue, Data Genetics International reviewed our cases for the year of April 2002-2003. During this period a trend emerged which has continued apace during the first half of this year and shows no signs of abating, namely the growing problem of data theft. In most cases the data in question has been in electronic format. It is our direct experience that the Search Order is, and will likely remain, the most effective legal tool for breaking open such cases. Certainly it is more costly to apply for and execute a Search Order than to go for a number of Consent or Disclosure orders, but it must be remembered that the Search Order is decisive and over quickly, whereas the other options can drag on in wrangles and arguments about what should or should not appear. We have always found digital evidence to be of supreme value for the “knock-out blow” that most litigators would wish for in a case – and the most concise and incontrovertible way to get such evidence will always be from the respondents’ computers before they have time to do anything about it.
Contacts:
Data Genetics International
Tel: 0044 2075209384
Email: [email protected]