Difference between pages "Famous Cases Involving Digital Forensics" and "Caselaw"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Added Cooper section)
 
(Court Decisions)
 
Line 1: Line 1:
===2000 Michelle Theer===
+
The legal information below is not legal advice. You should consult a lawyer if you want professional assurance that this information, and your interpretation of it, is appropriate to your situation.
''E-mails document the conspiracy to murder her husband''
+
  
On Dec. 17, 2000, John Diamond shot and killed Air Force Capt. Marty Theer. "There [was] no direct evidence, no eyewitness evidence. There is no physical evidence. There is no confusion," said Theer's attorney Daniel Pollitt<ref>http://www.wral.com/news/local/story/1061742/ </ref> after the conviction. But what prosecutors did have was 88,000 e-mails and instant messages on Theer's computer, including personal ads that Theer had written in 1999, web-mail that she had written in response to those ads, clear evidence of a sexual relationship between Theer and Diamond, and messages documenting the conspiracy to murder Theer's husband. Theer was found guilty on December 3, 2004 of murder and conspiracy and sentenced to life in prison<ref>http://www.wral.com/news/local/story/114276/</ref>.
+
The following are highlights of important cases to digital forensics and electronic discovery.
  
===2002 [http://en.wikipedia.org/wiki/Scott_Tyree Scott Tyree]===
+
==Court Decisions==
''Postings on Yahoo reveal a kidnapping''
+
  
On January 1st, 2002, Scott Tyree kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. That night Tyree sent an instant message of a photograph of Kozakiewicz bound in his basement to another man in Tampa, FL. The second man checked the Pit tsburgh Post-Gazette website and saw that a girl was in fact missing from her parent's home. The man contacted the FBI on January 3rd and provided the Yahoo screen name of the person who had sent the IM: "masterforteenslavegirls". FBI investigators contacted Yahoo to obtained the IP address for the person who had used the screen name, then contacted Verizon to learn the name and physical address of the Verizon subscriber to whom that IP address had been assigned. It was Scott William Tyree.
+
'''United States v. Warshak, 631 F.3d 266 (6th Cir. Dec. 14, 2010)'''<br />
 +
The Sixth Circuit Court of Appeals ruled that the government must have a search warrant before it can seize and search emails held by email service providers. "Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection..." [https://www.eff.org/files/warshak_opinion_121410.pdf]
  
* [http://www.covenanteyes.com/2012/01/13/caught-by-a-predator-10-years-after-her-abduction/ article on the abduction]
+
'''Binary Semantics Ltd. v. Minitab, Inc., Case No. 07‐1750 (M.D. Pa. May 5, 2008)'''<br />
* [http://www.popularmechanics.com/technology/how-to/computer-security/2672751 Popular Mechanics article]
+
In 2008, a district court agreed that a forensic image of an entire FTP server was "overly‐broad and intrusive,” allowing the defendants only authorization for “a forensic copy of the relevant folders on [the] FTP server."
* [http://notonemorechild.org/map/9 Congressional testimony of Alicia Kozakiewicz]
+
  
===2005 [http://en.wikipedia.org/wiki/Dennis_Rader Dennis Rader] --- The "BTK" Serial Killer===
+
'''Harkabi v. Sandisk Corp., 2010 U.S. Dist. LEXIS 87843 (S.D.N.Y. Aug. 23, 2010)'''<br />
After eluding police for more than 30 years, a serial killer in Kansas re-emerged, took another victim, and then sent police a floppy disk with a letter on it. On the disk forensic investigators found a deleted Microsoft Word file. Inside that file's metadata was metadata containing the name "Dennis" as the last person to modify the deleted file and a link to the Lutheran Church, where  Rader was a Deacon. (Ironically, Rader had sent a floppy disk to the police because he had been previously told, by the police themselves, that letters on floppy disks could not be traced.)
+
Electronic discovery requires litigants to scour disparate data storage mediums and formats for potentially relevant documents. That undertaking involves dueling considerations: thoroughness and cost.
  
===2005 Corey Beantee Melton===
+
'''United States v. Scott‐Emuakpor, 2000 U.S. Dist. LEXIS 3118 (W.D. Mich. 2000)'''<br />
''Caught up in child pornography''
+
The court was satisfied with a third‐party collecting the forensic data as long as it was accompanied by "the testimony of a witness who was present and observed the procedure by which the documents were obtained from Defendant's computers."
  
Melton brought his malfunctioning home computer to Best Buy's Geek Squad. The Squad found numerous computer viruses on the system. Melton left his computer with the store. Subsequent analysis by the store found that some of the viruses kept re-attaching themselves to movies. When the squad looked at the videos they determined that they were child pornography and contacted the police.
+
'''Griffin v. State, 2010 Md. App. LEXIS 87 (Md. Ct. Spec. App. May 27, 2010)'''<br />
* http://www.forbes.com/sites/kashmirhill/2010/10/12/the-geek-squad-becomes-the-porn-squad/
+
Social media profiles on MySpace or Facebook could be authenticated circumstantially by their content and context in the same manner as other forms of electronic communications.
* http://law.justia.com/cases/alabama/court-of-appeals-criminal/2010/08-1767.html
+
  
===2007 James Kent===
+
'''State v. Rivas, 2007 Ohio App. LEXIS 3299 (Ohio Ct. App. Jul. 13, 2007)'''<br />
''University Professor caught up in child pornography''
+
The court overturned the conviction of the defendant due to the fact that an ''[http://en.wikipedia.org/wiki/In_camera in camera]'' review of the police department's computer was not performed, which would have verified that accuracy of the transcripts that were recorded from a chat room and subsequently used against the defendant.
  
In 1999, James Kent, a professor of public administration at Maris College in Poughkeepsie, NY, started a researching child pornography for a book that he was planning on the topic. In June 2000 he abandoned the project and deleted his copies of the files. In 2005 his computer was replaced by the college, but the files from his old computer were copied to the new computer. In 2007 Kent, now 63, complained to his school's IT department that his college-provided computer not functioning properly. In the course of running a virus scan the school's IT department discovered a large number of pictures of "of very young girls, some scantily dressed in sexually suggestive poses." Kent maintained that the photos were left over from his research efforts and that he did not have access to the files. Kent is charged with 141 counts of possession in child pornography. In the appeal the court throws out one count, arguing that Kent did not know that viewing child pornography online made a copy of the pornography in his web browser's cache.
+
'''Fenje v. Feld, 2003 U.S. Dist. LEXIS 24387 (N.D. Ill., Dec. 8, 2003)'''<br />
* http://www.dailyfreeman.com/articles/2010/10/20/blotter/doc4cbe74442fd0d812453451.txt
+
The authentication of email messages presented in support of a summary judgement motion was at the core of this wrongful termination case. The court found that email messages may be authenticated as being from the suspected author based on the following factors:
* http://usnews.nbcnews.com/_news/2012/05/08/11602955-viewing-child-porn-on-the-web-legal-in-new-york-state-appeals-court-finds?lite
+
* The email address from which it was sent
* [http://msnbcmedia.msn.com/i/MSNBC/Sections/NEWS/120508_NY_ChildPorn_Ruling.pdf Opinion]
+
* An affidavit of the recipient
* http://www.forbes.com/sites/kashmirhill/2010/10/15/i-was-doing-academic-research-not-an-adequate-defense-for-child-porn-possession/
+
* Comparison of the content of the email with other evidence
 +
* Other communication from the suspected author acknowledging the email message in question
  
===2008 Brad Cooper===
+
'''U.S. v. Cameron, 2010 WL 3238326 (U.S. District Court for the District of Maine 2010)''' (on-going)<br />
Brad Cooper was arrested for the murder of his wife Nancy Cooper. At Cooper's murder trial, Det. Jim Young described how he had attempted to access text messages on the phone but instead wiped the phone's memory by repeatedly entering incorrect SIM lock codes and PUK codes. The defense team argued that an "inept" police investigation ignored and destroyed important evidence that would have shown Cooper's innocence.  
+
Yahoo! detected child pornography and reported it to the NCMEC, and Cameron expected the Government to produce as witnesses the Yahoo! technician who collected the evidence. The judge noted that at trial the "Government need not call each of the technicians who did the search so long as it" presented a witness who can "explain and be cross-examined concerning the manner in which the records are made and kept." Further, the Judge ordered that the Government is not obligated to turn over evidence that it does not possess (e.g. "the original or a copy of the Yahoo! photo server and server files" or "the physical location of the original server files")
  
* http://www.newsobserver.com/2011/03/30/1092850/detective-in-cooper-trial-accidentally.html
+
'''Krumwiede v. Brighton Associates, LLC, 2006 WL 1308629 (N.D. Ill. May 8, 2006)'''
* http://www.newsobserver.com/2011/04/07/1111094/coopers-phone-use-under-scrutiny.html
+
Default judgment granted for deleting, altering and accessing electronic data despite litigation hold. Plaintiff deleted file with a combination of "deliberate movement of file data, admitted deletion activities, multiple use of defrag, use of ZIP file to conceal or transport [the defendants'] data, [and use of] multiple USB devices [to] intend to destroy evidence." Summary judgment against plaintiff for interfering with the discovery process.
* http://www.newsobserver.com/2011/04/13/1127823/investigator-brad-cooper.html
+
* http://www.newsobserver.com/2011/04/14/1128603/computer-shows-where-body-found.html
+
* http://www.newsobserver.com/2011/04/14/1130231/brad-coopers-lawyers-challenge.html
+
* http://www.newsobserver.com/2011/04/15/1130823/computer-time-at-issue-in-cooper.html
+
* http://www.newsobserver.com/2011/04/21/1144184/focus-falls-on-coopers-laptop.html
+
* http://www.newsobserver.com/2011/04/25/1153613/coopers-defense-witnesses-question.html
+
  
===2009 James M. Cameron===
+
== Further Information ==
''Assistant attorney general for Maine caught up in child pornography''
+
* [http://www.setecinvestigations.com/resources/casesummaries.php http://www.setecinvestigations.com/resources/casesummaries.php]
 +
* [http://www.iediscovery.com/resources/lawlibrary http://www.iediscovery.com/resources/lawlibrary]
 +
* [https://extranet1.klgates.com/ediscovery/Search.aspx https://extranet1.klgates.com/ediscovery/Search.aspx]
  
On February 17, 2009, James M. Cameron was indicated on 16 charges of trafficking in child pornography. Prosecutors alleged that between July 2006 and January 2008 Cameron had uploaded child pornography to a Yahoo photo album using five different aliases. According to an order by a federal judge dated Sept. 28, 2009, ""It begins with two referrals from the (National Center for Missing and Exploited Children) to the Maine State Police on August 3, 2007, and September 6, 2007, which itself had been triggered by a report from the Internet Service Provider Yahoo. Yahoo reported locating numerous images of child pornography in the photos section of a Yahoo! account.
 
 
"The Maine State Police Computer Crimes Unit undertook an investigation and ultimately identified the owner of the account to be Barbara Cameron, the defendant's wife. Further investigation confirmed that Mr. Cameron was an assistant attorney general for the state of Maine, and that some of the pornography involved children as young as 4 to 6 years old engaging in sexual conduct....On December 21, 2007, the state executed a search warrant and seized four computers. When the computers were examined, there was evidence of Internet chat between two users about sex with children, images of child pornography and related topics....In one of those conversations, the person identified himself as a married 45-year-old man with a daughter, a description that fits Mr. Cameron."
 
 
* http://www.pressherald.com/news/Cameron-sentenced-to-16-years-in-prison.html
 
* http://www.mahalo.com/james-m-cameron/
 
 
==See Also==
 
 
* [http://groups.google.com/group/alt.comp.virus/browse_frm/thread/f5d9d7c71c6fb540/e0e9a7986d4df76b?tvc=1 Tracking down the author of the Melissa virus] - Usenet discussion which revealed lots of information about the author of the [http://en.wikipedia.org/wiki/Melissa_%28computer_worm%29 Melissa worm/virus].
 
* [http://www.securityfocus.com/infocus/1676 IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot]
 
 
[[Category:Investigations]]
 
 
[[Category:Law]]
 
[[Category:Law]]

Revision as of 08:04, 5 August 2013

The legal information below is not legal advice. You should consult a lawyer if you want professional assurance that this information, and your interpretation of it, is appropriate to your situation.

The following are highlights of important cases to digital forensics and electronic discovery.

Court Decisions

United States v. Warshak, 631 F.3d 266 (6th Cir. Dec. 14, 2010)
The Sixth Circuit Court of Appeals ruled that the government must have a search warrant before it can seize and search emails held by email service providers. "Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection..." [1]

Binary Semantics Ltd. v. Minitab, Inc., Case No. 07‐1750 (M.D. Pa. May 5, 2008)
In 2008, a district court agreed that a forensic image of an entire FTP server was "overly‐broad and intrusive,” allowing the defendants only authorization for “a forensic copy of the relevant folders on [the] FTP server."

Harkabi v. Sandisk Corp., 2010 U.S. Dist. LEXIS 87843 (S.D.N.Y. Aug. 23, 2010)
Electronic discovery requires litigants to scour disparate data storage mediums and formats for potentially relevant documents. That undertaking involves dueling considerations: thoroughness and cost.

United States v. Scott‐Emuakpor, 2000 U.S. Dist. LEXIS 3118 (W.D. Mich. 2000)
The court was satisfied with a third‐party collecting the forensic data as long as it was accompanied by "the testimony of a witness who was present and observed the procedure by which the documents were obtained from Defendant's computers."

Griffin v. State, 2010 Md. App. LEXIS 87 (Md. Ct. Spec. App. May 27, 2010)
Social media profiles on MySpace or Facebook could be authenticated circumstantially by their content and context in the same manner as other forms of electronic communications.

State v. Rivas, 2007 Ohio App. LEXIS 3299 (Ohio Ct. App. Jul. 13, 2007)
The court overturned the conviction of the defendant due to the fact that an in camera review of the police department's computer was not performed, which would have verified that accuracy of the transcripts that were recorded from a chat room and subsequently used against the defendant.

Fenje v. Feld, 2003 U.S. Dist. LEXIS 24387 (N.D. Ill., Dec. 8, 2003)
The authentication of email messages presented in support of a summary judgement motion was at the core of this wrongful termination case. The court found that email messages may be authenticated as being from the suspected author based on the following factors:

  • The email address from which it was sent
  • An affidavit of the recipient
  • Comparison of the content of the email with other evidence
  • Other communication from the suspected author acknowledging the email message in question

U.S. v. Cameron, 2010 WL 3238326 (U.S. District Court for the District of Maine 2010) (on-going)
Yahoo! detected child pornography and reported it to the NCMEC, and Cameron expected the Government to produce as witnesses the Yahoo! technician who collected the evidence. The judge noted that at trial the "Government need not call each of the technicians who did the search so long as it" presented a witness who can "explain and be cross-examined concerning the manner in which the records are made and kept." Further, the Judge ordered that the Government is not obligated to turn over evidence that it does not possess (e.g. "the original or a copy of the Yahoo! photo server and server files" or "the physical location of the original server files")

Krumwiede v. Brighton Associates, LLC, 2006 WL 1308629 (N.D. Ill. May 8, 2006) Default judgment granted for deleting, altering and accessing electronic data despite litigation hold. Plaintiff deleted file with a combination of "deliberate movement of file data, admitted deletion activities, multiple use of defrag, use of ZIP file to conceal or transport [the defendants'] data, [and use of] multiple USB devices [to] intend to destroy evidence." Summary judgment against plaintiff for interfering with the discovery process.

Further Information