Computer User Activity Can Help Tell the Story in Many Cases

A Case Study in Re-Creating a Computer User’s Activity

The Background
The client was a large multi-national technology company with a billion-dollar household brand. They had been recently shaken by the departure of a number of key wireless software engineers, all of whom went to work for a competing start-up. When it became obvious that three departed employees were in violation of their non-compete agreements, the tech giant sued the former employees and the new company they had gone to work for. The company’s motion to compel the three former employees to produce their home computers for computer forensics examinations was granted. (Internal company server logs showed the employees had sent emails to their home computers with confidential files attached, but that is the subject of another advisory.) Computer analysis was performed.

Bait and Switch
The initial examination revealed a troubling discovery: two of the three computers were not the home computers used by the employees. In fact, they had only recently been put into service by the employees, and the employees had re-named the computers (within the computer’s operating system). Providing further evidence of deceptive intent, one of the former employees had “re-set” the computer’s calendar and clock, in a fairly effective attempt to make the “decoy” computer appear to be the computer being requested for examination, based on the time frame it now appeared to have been operational.

The Result
Computer forensics analysis demonstrated that the users had entered the computer’s internal systems and altered its settings. The users denied these misdeeds, but the judge found the expert’s report far more credible than the statements made by a defendant with a lot to lose. The judge ordered the defendants to produce the real computers and threatened sanctions. The defendants were off to a very rocky start, and the judge’s opinion of the integrity of the defendants and their potential guilt was now firmly established.

The Take-Aways

  1. Remember, it’s not always just about the electronic documents. Careful and thorough analysis of a computer can often “tell the story” of what a user was doing around the critical time of an important event. This “story” can help you prove the elements of your case, with minimal cost of document production and review.
  2. Digital fingerprints left behind by a user can be a rich source of electronically stored information (ESI). Critical user activity can include…
    • is the current hard drive in the computer the factory original or has it been “swapped”?
    • websites visited and frequency and duration of the visits
    • when a computer was purchased or put into service
    • if file deletion software was installed
    • instant message conversations
    • recently installed software (yes, even if it was “uninstalled”)
    • contents of documents recently printed
    • list of applications recently run
    • when CDs or DVDs were copied
    • a record of every device ever plugged into the computer

  3. The application of this technology is wide and varied. Getting a clear picture of a computer user’s behavior applies to a wide array of cases.

    • Fraud / Fidelity Claims (did the fraudster use wiping software to delete fraudulent entries in an accounting software application?)
    • Business Disputes (did the defendant alter key documents in a contract after it was signed?)
    • Employment (did the user send his co-worker that inappropriate photograph?)
    • Collections (has the debtor visited on-line banking websites that could lead you to unknown bank accounts?)
    • Trade Secret (did the former employee upload files to a third party “cloud” computing site in order to misappropriate confidential data?)
    • Medical Malpractice / Insurance (did the physician alter electronic medical records to cover his tracks once he became aware of a lawsuit?)
    • Product Liability (did automotive company executives manipulate databases containing reports of product failures or vehicle “black box” data once they discovered a glaring deficiency?)
    • Securities (did the broker send erroneous text message rumors about a stock in order to artificially inflate its value after making a sizable purchase of the stock?)

Seasoned E-Discovery professionals will always take a look at user activity BEFORE launching into a detailed search for relevant or responsive documents. The user activity can help tell the story…don’t ignore this rich source of ESI.

And finally, an examination of user activity that proves your case and requires perhaps 20 or 30 hours of examination time could save you tens of thousands of dollars in unnecessary electronic document production and review – resulting in a very happy client. Let user activity help you discover the truth.