Friday, December 14, 2012

The Perils of Using the Local Computer Shop for Computer Forensics

In a recent article posted by the Association of Certified E-Discovery Professionals, Robert Hilson writes about the loss of priveledge documents due to the Attorneys' "absent" supervision.

"It is a familiar story. A client discloses thousands of privileged documents from an electronic universe of many millions due to alleged failures to supervise a computer consultant. The mistaken production results in a heated clawback motion, in which a judge finds that the attorneys did not take the “reasonable steps” required by law to prevent the disclosure.

Those are the facts arising from Blythe v. Bell, a little-reported lawsuit over the control of a sportswear manufacturer in Hickory, North Carolina. The case, in a state business court in Catawba County, bears uncanny resemblance to the high profile J-M Manufacturing skirmish and countless more suits that are either unreported or have yet to happen."
"Hickory Brands hired a service provider called Computer Ants, whose owner and operator, Thomas Scott, testified to never having performed forensic services in the context of a lawsuit.  Scott, who the defendants tasked with producing documents responsive to search terms from a total of 308 million potentially relevant files on 35 computers and six servers, had previously worked as a truck driver and a security manager for Bass Pro Shop."
The result was the delivery of 1,700 sensitive documents to the opposing counsel that resulted in a heated clawback motion, in which the judge found that the attorneys did not take the "reasonable steps" required by law to prevent the disclosure.
This case highlights what I wrote about in "Digital Forensics for Legal Professionals" on selecting an expert and the difference between a computer expert and a forensic examiner.
I cannot express strongly enough the risk associated with picking a computer for digital forensics contractor to use in civil and criminal cases. 
A recent experience helps to illustrate this:
I recently testified in a military court where the government was offering an expert for a fraud case and I was asked to explain the difference between hiring someone with my background versus the alternative expert, a government employee, who had a Masters Degree in Network Security, but did not have any forensic training or experience.
To his credit, he freely expressed that he did not know anything about forensic examinations, how to craft language to get information from ISPs or how to find the custodian of records for same.
I explained for the court, specifically the military judge, prosecutor and defense counsel how to go about tracking an IP address from the service provider and connect it to a particular subscriber.  As well and the process for locating information regarding on-line fraud on a computer.
The result was that the court approved me as the expert for the defense, however, the prosecutor immediately withdrew the charges.  So I did not get hired.  But the important thing is that I got a chance to educate a judge and some attorneys on the difference between a qualifed examiner and a network security administrator.
While he had tons of expertise in what he does, it is not what we do as forensic examiners.  As the case I mentioned above points out, failing to hire the right kind of expertise is risky for clients and attorneys.
And while it can be an expensive mistake in a civil case, it can be devasting in a criminal case where a person's freedom and perhaps even their life is in the balance.

Monday, November 26, 2012

Casey Anthony - Detectives Miss Google Searches

Apparently, this is the case that will never be resolved, in spite of the fact that the case has been tried and the defendant acquitted.

When I located these searches on the computer in January of 2009, I brought them to Jose's attention so he would be aware of them.  I gave Jose anlaysis of the searches in February of 2009 at the AAFS conference in Denver, CO.

While I am not going to re-hash the computer forensics, nor will I get into a debate with other people who have examined the evidence after the trial, I will say that I verified the time stamps based on the evidence I had, which was the forensic images of the Anthony's computers, all of the OCSO computer forensic reports and supplemental or derivative data and I am confident in my analysis.

I watched Nancy Grace last night that made me reflect on this case a bit more.  First of all, if you watched Nancy Grace, and other media outlets for that matter, a lot was made of this missed evidence. 

What bothers me the most about the media reports, is that they are reporting on unverified results of an analysis done by someone far after the fact.  One of the major points that Nancy Grace spent a lot of time harping on was the time stamps.  Since she did not like the time stamp being an hour eariler than reported, she ignored it and kept showing the later time stamp in her program.  With comments, that of course, lead to the only possible conclusion, that Casey Anthony did these searches and she has to be guilty.  She had to be at the computer because of such and such. She opines that if only the OCSO had found the searches, the case would have concluded differently.

Then, later on she reports that "According to one expert, there were 84 chloroform hits".  Well, I addressed this eariler as did several other people in the forensic community.  The "other expert" was wrong.  This was verified by me personally before and during the trial,  as well as others who had the evidence after the trial.  But, those little "facts" don't seem to deter people like Nancy Grace and other media outlets from spouting all kinds of stuff, without verification.

I also find it interesting, that in all of this, Nancy Grace's opinion is that the way the defense team knew about the internet searches was probably because Casey told them about it.  Or, maybe the evidence just magically appeared, hovering in the air in front of the defense team lawyers.  All they have to do is read a little more of Jose's book to determine the source of the evidence provided to the defense team.  Or, they could simply take a look at the defense witness list that included only three names and was made public months before trial.  But, I suppose that is a little too much work to do.

It is funny in a morbid sort of way that Nancy Grace talks about how she cares about the truth, but apparently in her world, the truth has  nothing to do with facts.  Especially if the facts are an "inconvenient truth".

Probably the most disturbing thing I saw was Sandra Cawn-Osborne's response; "I wasn't told to search for suffocation."  One thing I will say to that is that she was not alone in the analysis of the computer forensics, she had help from her supervisor, who was a teacher in the Digital Forensics Master's program at the University of Central Florida.  Ponder that one.

That leads to what I really want to point out in this post;  It does not matter what "side" you are on in a case, what matters is that you understand what is at stake and act accordingly. 

This was a death penalty case and the stakes were the highest they can be: Taking a person's life. 
In the Anthony case, like many death penalty cases I have done, we have to ignore the media, the pundits and the arm chair experts and do our jobs without making any judgements about the defendant or anyone else in the case.  As a forensic examiner, our job is to find everything that may be of use in the case; good, bad or indifferent, and properly interpret that for the legal team.  Not to make moral judgements or drink the media coolaid.

That means that you have to be extremely thorough and that you have to keep asking yourself, "Did I miss anything?  Could I have looked elsewhere?  Did I follow good procedure to make sure I covered all the potential bases for evidence that may exist?"

What makes murder cases harder to do than some other types of cases is that your examination is not limited to a specific type of evidence artifact.

For instance, in child pornography cases, you are looking for a specific set of artifacts to support or attack a charge.  In financial cases, your focus will be on financial records, email between participants and so on.  In an alleged rape case you may be looking for text messages, videos, voicemails and email as well as internet history.

But in a murder case, you will be looking a much wider range of potential evidence, including evidence about timelines, computer activity, conversations, communications, and so on.  You may need to examine evidence involving witnesses and the victim.  All of this is to make sure that the legal team has everything that is related to the case, but not just a data dump.  Whatever you find and produce has to be properly presented and interpreted so the legal team can understand it in the framework of the case. And it must be checked and double checked for accuracy.  Is that time stamp what it appears to be? (See my recent post on computer time.)

The other thing we have to keep in mind, at least I do, is I always operate on the belief that anything I can find, they can find, and I conduct my examinations accordingly.

The media is acting like this is the first time someone has missed some critical piece of digital evidence in case.  Let me assure you, that is not the case.  What makes this such a huge deal is that it is an extremely high profile case that the media just loves to beat like a dead horse since it has a very large following of people who are invested in the case, for what ever their reason may be.  It's good TV and drives ratings.

For us as forensic examiners, this case should be studied as a cautionary tale.  Be thorough, verify, verify again, get help if you need it.

Wednesday, August 15, 2012

A Brief History of Time : Forensic Time

Time.  It is so embedded in our lives that we cannot even think without thinking of it as it forms the context within which we live.  And it would be fun to ramble on about time, from Einstein's concept of Space-Time to the neurologists' discovery that time is "perceived" to even the current thinking that time, if it had a beginning, must have an end, which drives the physics people a little nuts since they can't use the infinity symbol in their calculations.  At least at the quantum level. Plus it puts a bit of a pinch in the whole "Diamonds are forever" thing.

Anyway, since I am sitting in my hotel in Kansas City unable to get some sleep before I catch a ridiculously early flight to Chicago in the morning,  I was thinking about time in forensics and it occurred to me, which sometimes I can be Captain Obvious,  that forensics is all about time; specifically about the past time.  Forensics is a backward looking discipline, and unless you are in a science fiction novel or movie, it is never predictive from a time standpoint.

How many times, (see what I mean?), have you heard some TV detective ask the coroner or forensic pathologist about the "time of death"?  He or she never answers with, "Tomorrow about 5 PM."

In the world of digital forensics, time is a factor in just about every case.  It is inescapable, since when something occurred is critical to knowing if it is relative or not.

Did that phone call happen before or after the car accident?  What about the text message?  Were the computer files downloaded on a particular date?  Did the user modify the times to cover up their tracks when editing that contract?

Those and dozens of other questions about time are posed in almost every case I know of.  But, how reliable are those times?

You see, we tend to think in general that the time on the computer is correct, or the time on the cell phone is right on.  But can those times be relied upon to "prove" that such and such occurred when we think it did?

The answer is yes and no.  In fact, getting the times right is one of the most critical and difficult parts of any digital forensics case. 

MAC Times:

Modified, Accessed and Created dates and times in computer forensics are highly relied upon in many examinations.  And they are one of the most common to get wrong.  But, how can it be that an examiner would get the times wrong?

Point 1: One of the fundamental aspects of examining digital evidence is to check the time on the device from which the evidence is collected.  Yet, I am reading forensic reports every day that do not have the time of the device in the report.  If you don't get the time from the device, how do you have any idea that the time on the hard drive, cell phone, GPS device, or video unit are correct?  Well, to put it simply, you don't.

Now you may be thinking, "Wait just a darn minute here. Cell phones always have the correct time because they get their time from the cellular system."  And my reply would be, "Not so my forensic friend.  You can set your phone to stop syncing with the network for its time and set it to what ever you please.  You could take some pictures, send some texts, make some calls and the phone would stamp them with the date and time it thinks it is."  And of course I have to qualify that statement with, "It depends on the phone of course."  But off hand, try it with your iPhone and you will see what I mean.

Point 2: Are you in the zone?  It can be a little embarrassing for a forensic examiner to make a big deal out of the time stamps occurring before or after the incident happened, only to find out on the witness stand he forgot to adjust his forensic software for the time zone of the device. Oops.

Or to not realize that some parts of the country have no respect for that pesky daylight savings time and therefore don't change with the rest of us "normal" people.

Or to not notice that the time stamps for a piece of evidence are in GMT or UMT depending on your preference and don't calculate the offset for that GPS record.

What about call detail records?  Is the time of the phone call based on the time at the local switch, or it is based on the time at the data center for the phone's carrier?

Point 3: Are you sure?  One of the simplest mistakes to make as a forensic examiner is to assume that you are correct without checking your facts.  What's the expression? Check yourself before you wreck yourself?  We should all print that out in big letters and staple it up over our forensic work areas.

MAC times on computers are not always what they seem.  In fact, they are rarely what they seem to the point that you should be suspicious if any date and time stamp unless you know for sure why and how it was recorded.  The thing is, MAC times on computers are recorded based on the function or activity that is occurring that causes the time stamp to change.

And since different operating systems also treat time stamping differently, it can be even more confusing.  For instance, Windows NT and Windows XP have different delays before they will create a new time stamp.  Windows Vista and forward don't even bother to update the last accessed date any more, so that time stamp becomes moot from a forensic standpoint.

And, to make it even more fun, different operating systems use different date formats, such as Epoch time, absolute time and so forth.

Does the MAC OS record time stamps like Windows? Of course not.  Nor does Linux or Unix.

Does an activity on a MAC cause time stamps to be recorded the same as the corresponding activity on a Windows computer.  Nope.

How about that thumb drive you have there.  Is it formatted FAT32? Then it will handle time stamps differently from your Windows computer that is formatted NTFS.

Time is embedded all over the place.  It's in the file systems of computers and media storage devices, embedded inside pictures and documents and PDF files.  How about that facsimile machine's transaction log?  Its in the header of emails.

So when you are doing an examination, what kinds of things should you always be asking yourself about a date and time stamp?

Do I know what the time was on the device that stamped the time on the evidence?
Do I know what time zone applies?
Did I set the offset in my forensic software correctly?
Do I know what caused the stamp to be created and or changed and why?
Did I get the offset or conversion right from UMT, EPOCH or Absolute time right?

You could write a whole book just on computer time stamps. I'm not, but you could if you wanted to.

Just remember as you are writing that forensic report: Check yourself before you wreck yourself.

Thursday, August 9, 2012

Experts and Expertise

Cindy Murphy wrote an excellent blog post over at the CDFS (Consortium for Digital Forensics Specialists) blog titled, "Experts and Expertise" on the subject of experts and expertise.  She related her recent experience in a trial of a woman for Homicide by Negligent Usage of a Motor Vehicle.

One of the key points that stood out for me was her comment about the defense expert's testimony in court, " He made this determination because he observed an out of sequence SMS text record with ‘mysterious’ extra content following the message."

In the world of digital forensics, the word "mysterious" should never be used in the context of digital data, no matter where is comes from.  If he did not know the reason for the data being present and the source for that data, then testifying about the data is going to be and was in this case, problematic.

While it is okay, in some limited circumstances for an expert to say they don't know something, the practice should be to always know the answer when it comes to evidence examined and reported on in a forensic report.

One of the things I emphasize at all times with my examiners is that they better know the correct answer for any thing that put in a report.

What I mean is this:  Writing an expert report for the purpose of testimony requires that the examiner know what every item in the report means and that they have the ability to explain it in a way a trier of fact can understand.

I have read hundreds of expert reports from examiners in civil and criminal cases.  One of the most perplexing things to me is an expert who gets on the stand and cannot answer the questions about the information they put in their own report.

Perhaps there was a time when an expert could expect that their report would not be challenged by someone who does know the answer.  That situation is still all too common where an expert can get on the stand and go unchallenged as to the content of their report, whether they are presenting a "fact" report or an "expert" report.

One of the issues is that many experts do not understand the difference between a fact statement and an opinion.  And that their report is not necessarily their opinion.  Those of us to work in the digital forensics field on a daily basis know all about meta data, or data about data, but we rarely think about meta facts, or facts about facts.  Some times, in an effort to explain things in their report, they inadvertently express opinions rather than state facts and an explanation of those facts, or "facts about facts".

It is a difficult line to understand and requires that the expert be cognizant of the fact that every word in an expert report is subject to cross examination, and in some cases, that cross examination is going to be guided by an expert with a deeper knowledge of the subject matter than they currently possess.

This appears to be the case in the testimony that Cindy shared in her blog post.

Cindy goes on to talk about lessons learned in this case,

"What are the lessons here? Digital forensics is a specialized field and mobile device forensics is an even more specialized subfield. It is a field in a state of constant forward change and complex content. No expert, whatever their level of knowledge, longevity, experience, specialized expertise or training, should ever assume those qualities truly prepare them for court—or even a case."

I would clarify Cindy's statement by saying that preparation for court, regardless of your previous experience or training as Cindy points out, should keep you from deeply investigating every fact in your report to make sure you absolutely understand it and can explain it to the triers of fact.

Cindy also writes in her blog post about some of the things that can be done to make this less of an issue in the future.

I would add to her comments the following:

While we see the results of not properly preparing for court in this particular case, there are some root cause issues that must be addressed to make this less of an occurrence.  Enumerating and addressing those root cause issues are an important part of making the field of digital forensics less of a mine field for attorneys and clients alike.

1. Selecting the right expert.  While this seems like a "no brainer" is it probably one of the biggest issues in the field when it comes to an attorney or client having an expert who can actually help them. 

But, selecting just the right expert is not always an option for an attorney or client for the following reasons:

  • The expert is a staff expert and the option to use a different expert is not available.
  • The expert is the only one the client can afford.  Selecting an expert based on price alone is usually a bad criteria.
  • Experts may not exercise self-deselection.  In others words, an expert who fails to stop a client from hiring them for a case outside their expertise.
  • Fundamental lack of knowledge about the selection process and how to vet an expert.
2. Keeping Secrets.  One of the interesting idiosyncrasies about the field of digital forensics is the tendency to want to keep secret "knowledge" or perceived weaknesses,  from falling into the hands of other examiners.

  • It is an interesting dichotomy that forensic experts, who are supposed to be independent in their reviews and opinions, believe that sharing knowledge with the other side might expose them to critical review in their cases if they ask for help in understanding something where the "other side" might see the question.

    If you work on a case where another expert is present, I promise you are already under critical review.  We are not advocates like an attorney, so asking a technical question should not be considered an exposure of tactics or strategy.  And to be quite frank, failing to ask the question and leaving your client exposed is not a good strategy in any case.
3. Failing to use available resources.  It is really incumbent on examiners to constantly improve their knowledge based in the digital forensics field.  Cindy made it clear and I agree that this is an ever changing environment we work in and the need to constantly seek new learning is a critical factor for all forensic examiners.  The question is, why is this not part of every examiners "to do" list.

  • Experts come in all shapes and sizes when it comes to learning.  There are those who are constantly seeking a new tidbit to add to their arsenal of knowledge.  And then there are those who passively wait for the next training session so they can sit in a classroom and be fed information.  It this an indictment of people because of their approach to gaining new knowledge. Partially yes, but in general, no.  And here are the reasons why:
    • People having different learning styles.  Some people learn from reading and study in books, some people learn by asking questions on forums, and some learn best in a classroom setting.  I would not pick out any of those styles as being better or worse than another.  But if you understand your learning style, and your organization understands your learning style, maybe a plan can be created that will best benefit you and the organization.
    • Some people just don't have the motivation to seek learning due to any number of factors personal to them.  Perhaps they are burnt out, perhaps they took the job because no one else wanted it and it is not their passion. 
    • And some people simply do not know how to figure out what they need to learn, i.e. without a mentor, it can be difficult to develop a plan to augment skills because you may simply not know what you don't know.
  • The missing link, networking.  I hear this most often from my law enforcement colleagues and from solo practitioners, that they don't have someone they stay in contact with who can help them with questions or who can spend time with them to share knowledge.  Being the lone ranger can make it hard to now only gain new skills, it also makes it hard when you don't have a go to person or a mentor you can call on.  What are some possible solutions to this?
    • Join organizations that exist to share knowledge, like CDFS.
    •  Work within your particular area to establish a mentoring program.   In my humble opinion, this would be a great asset for law enforcement examiners to have a mentoring program where they would have someone to call on and to guide them along their professional path.
4. Failing to critically vet training.  There are a lot of organizations that provide training for the field, some better than others. 
  • I think it would be of great value for training organizations to ask veteran examiners to come and attend their classes from time to time and give feedback on the functional, real world impact of the training class.  Anyone providing training should be on a constant quest to continuously improve the content and relevancy of their training programs.
  • Some of the best feedback a training program could have would be to have examiners who have used the training to prepare for and testify in court where they have had an opposing expert who challenged their results.  This would be a good litmus test for how well the training served the expert in preparing for that case.
5. Failing to develop new talent for the field.
  • I think if you ask very many people trying to enter this field that they are stymied in many cases by either the lack of a certification or the lack of experience as a barrier to entry.  To be true, both of these are valid barriers to entry into the field if one is expecting to be a full fledged, case handling, independent examiner.  How could this be addressed?
    • Internships with organizations who can apprentice these newcomers to the field to prepare them for entry level positions.
    • Internal internships in law enforcement for examiners new to the position who are getting trained, but are not given the opportunity to work under experienced examiners for a period of time to get the benefit of the "road time" the experienced examiner has.  They don't put rookies on patrol day one out of the academy and new examiners should be considered "rookies" in their own way.  At the very least, the new examiner should be connected to a mentor.

This post is already way too long, so I will stop here and say that there are numerous other areas that could be addressed to improve the overall expertise in the field.  I am not saying I have all or any of the answers, and I am glad that there are groups out there like CDFS dedicated to this purpose. 

For me, I am always asking "What's missing."  And I am sad to say that what's missing at this point is a comprehensive action plan by an organization or group to address the issues brought up by Cindy and hopefully, in this blog post.

Saturday, July 14, 2012

A Quality Expert Makes a Huge Difference

I went to the local bookstore this weekend and picked up the new book by Jose Baez, "Presumed Guilty : Casey Anthony: The inside Story."

Baez mentions in his book on page 370 how much of an impact having a quality digital forensics expert makes on a case.  As an expert, I may be biased toward that opinion as well, but I know that the work that our examiners do on a day to day basis, whether in a criminal defense or civil case, can have a tremendous impact.

But my interest in this book and this particular case go much deeper.  My Father, Larry Daniel, was the digital forensics expert on this case.  I got to see firsthand his experience, knowledge, and unrelenting diligence worked out on this case for over two years.  

Baez mentions my father numerous times throughout the book, and his description of my father is no surprise to me.  On page 370 Baez writes:  
“And I have to say, this is where having a quality expert makes a huge difference.  Larry Daniel was the one who found the discrepancy and he was nothing short of spectacular in his knowledge of what was on the Anthony’s computer.  He knew it ten times better than the state.”  
I have had the privilege of working with my father going on four years now and co-authoring the book “Digital Forensics for Legal Professionals” with him, and I can tell you that what Baez calls spectacular is simply what my father expects of himself, of me, and of all of our examiners for every single case we work on.  For this, I know I owe my Dad, my hero, an incredible debt.   

Thursday, March 15, 2012

Employment Opportunity with Guardian Digital Forensics

We are currently seeking applicants for either a Digital Forensics Examiner or Digital Forensics Technician position.

Our requirements:

Digital Forensics Examiner:

EnCE, DFCP, ACE, IACIS or other forensic certification, or the ability to complete and pass the EnCE or DFCP within one year.  We prefer testimony experience as well as case experience.  Must be willing and able to handle cases involving both civil and criminal matters, on either side of the case.  Must also have an excellent background in installing and setup and maintenance for device support, network security, managed services, firewalls, routers, wired and wireless networks.

Experience with MAC OS is a plus but not a requirement as we will provide training in forensic examinations of MAC and 'Nix environments.

Extensive experience in examining MS Windows based operating systems, including servers and desktops is preferred.

Proficiency in complex forensic acquisitions, including servers, RAID, IDE, SATA, Mini-SATA, SCSI, and other platforms is preferred.

You must have excellent written and oral communications skills, as well as excellent public speaking and presentation skills.

Digital Forensics Technician:

We prefer 5 years minimum experience in information technology, as well as experience, education or training in computer forensics or digital forensics. 

We train our Digital Forensic Technicians in all areas prior to promotion to Examiner, including cell phone forensics, computer forensics, complex criminal and civil case examinations, and GPS forensics, case reporting, expert witness testimony, ethics, evidence handling, chain of custody and media collections.  During their training period, DF Technicians are required to contribute by performing complex IT support for Microsoft Exchange, SQL, and Terminal Servers. 

An excellent background in installing and setup and maintenance for device support, network security, managed services, firewalls, routers, wired and wireless networks is required.

You must have excellent written and oral communications skills, as well as excellent public speaking and presentation skills.

If you are interested in discussing joining the team at Guardian Digital Forensics, please contact me directly.  No recruiters or third parties.

Larry Daniel, EnCE, DFCP, BCE

Wednesday, February 29, 2012

New Spam Campaign - Spoofing Intuit

I got a couple of spam emails this morning supposedly from Intuit about a software order.  The fake email they constructed looked very good.

However, note the sending address:

Also, if you click on the links in the email, they DO NOT go to Intuit.  For the ones I received, the links were different although the email looked exactly the same.

As always, be very careful about emails regarding orders you did not place, warnings about tax issues and so forth.

Thursday, February 9, 2012

It's Tax Time and the Scams Begin

I noticed that I am getting a rash of emails trapped in my spam filter at AppRiver. (They are a third party spam filtering and store and forward service. I highly recommend them:

Here is a screenie of one of them, claiming to be an email from Intuit, the makers of Quickbooks and Turbo Tax.

Fake email claiming to be from Intuit, Inc.

Not surprisingly, if you click on the link in the email, it does not take you to Intuit.  I got three of these from different senders, all with links that go to various sites in countries other than the USA.

Any time a lot of people are going to be using web based services, and on-line tax preparation is huge these days, be aware that scammers will try to take advantage of that and entrap the unwary.

You can expect to see emails such as this claiming to be from the on-line tax services that are instead from scammers.  Always carefully read the email and look for spelling or grammer errors as they are dead giveaways for spam.

Remember, no legitimate company will ever ask you for your social security number, your username, your bank account numbers or your password in an email.

Friday, February 3, 2012

Cloud Data and E-Discovery - Pay your bill or risk sanctions.

"Plaintiff Sanctioned for Negligence after Third Party Vendor Destroys ESI" from e-Discovery Case Law Update

"In Cyntegra, Inc. v. Idexx Laboratories, Inc. [pdf], CV 06-4170 (C.D. Cal. 2006), U.S. District Court Judge Philip S. Gutierrez, granted the defendant’s motion for an adverse inference instruction as a sanction holding that the plaintiff was negligent and failed its affirmative duty to preserve electronic information in the possession of a third-party.
The plaintiff alleged that the defendant engaged in unfair trade practices by prohibiting distributors from promoting or selling competing products. The plaintiff stored a majority of its documents on third-party servers and failed to make a payment to maintain the service after March 2006. The data storage vendor destroyed all of the plaintiff’s electronically stored information a short time later. The plaintiff filed its lawsuit in June 2006. The plaintiff made no effort to back up or retrieve the files prior to their destruction and was only able to produce 1,339 pages of emails found on its laptops. The defendant filed a motion for sanctions and the plaintiff countered that the deleted information was not relevant to the litigation or within its control. The court disagreed, finding the information highly relevant to the parties’ dispute and that the plaintiff could have reasonably anticipated litigation and had a duty to make the payment and preserve the information. The court ordered an adverse inference instruction as a sanction."