Lessons Learned: How Not to Handle an Employee's Laptop That May Contain Evidence
United States v. Hock Chee Koo, 2011 U.S. Dist. LEXIS 20905 (D. Or. Mar. 1, 2011). In this criminal conspiracy and fraud case, the employer of two employees who were allegedly stealing trade secrets took the employees' computers, turned them on, and started to rummage through the computer files. The employer also had a consultant make an Acronis Backup of computer files. After the FBI became involved, it took an image of the Acronis Backup file. In addition, the FBI took a "Laptop Image" of the computer. The defendants filed motions to exclude any evidence obtained from these backups and images.
Because no forensic image of the hard drive was made at the outset, the defendants argued that the "[employer and consultant] . . . could have uploaded incriminating information onto [defendant's] . . . computer, altered the dates associated with that information's uploading, installed Acronis to overwrite the data associated with that change, and then made a selective digital image of the hard drive to turn over to the FBI."
In addition, the defendants argued that the Acronis backups copied only logical or active files and did not make a bit-by-bit copy of the data in the unallocated space of the computer.
One of the experts provided evidence that "from his forensic examination of the two Images, between the time the Acronis Backup was made and the time the FBI took possession of the laptop, over 1,000 files or folders were accessed, altered, or deleted. He also found 285 files on the Acronis Backup Image that were absent from the Laptop Image [made by the FBI]." In addition, evidence was provided that the employer defragmented the hard drive.
In an extensive decision, the Court ruled, subject to relevancy objections, that authentication of the Acronis Backup Image was shown, but that the weight to be given the evidence could be argued before a jury. Finally, the Court found that the FBI's Laptop Image was not authenticated and was not admissible.
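The comparison of two images described above (files present in the earlier backup but absent from the later image, and files altered in between) can be illustrated with a file-level manifest diff. This is an added example, not the expert's method or anything from the decision; the function names and the sample file trees are constructed for illustration, and it assumes both images are mounted read-only.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map relative path -> (sha256, mtime_ns) for files under a mounted image.
    Mount read-only: reading a writable volume can update access times."""
    root, manifest = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = (
            digest.hexdigest(), path.stat().st_mtime_ns)
    return manifest

def diff_manifests(earlier, later):
    """Classify file-level differences between two manifests.
    Only allocated files are visible; unallocated space is not compared."""
    report = {"missing_from_later": [], "content_changed": [],
              "timestamp_only": [],
              "only_in_later": sorted(set(later) - set(earlier))}
    for name, (digest, mtime) in sorted(earlier.items()):
        if name not in later:
            report["missing_from_later"].append(name)
        elif later[name][0] != digest:
            report["content_changed"].append(name)
        elif later[name][1] != mtime:
            report["timestamp_only"].append(name)
    return report

def demo():
    """Constructed sample: two small trees stand in for the mounted images."""
    trees = ({"plan.doc": b"v1", "notes.txt": b"n", "old.xls": b"x"},
             {"plan.doc": b"v2", "notes.txt": b"n", "new.zip": b"z"})
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for stamp, (root, files) in enumerate(zip((a, b), trees), start=1):
            for name, data in files.items():
                Path(root, name).write_bytes(data)
                os.utime(Path(root, name), ns=(stamp * 10**9, stamp * 10**9))
        return diff_manifests(build_manifest(a), build_manifest(b))

if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

A manifest like this sees only what a logical backup sees; a bit-by-bit image hashed at acquisition is still needed to account for unallocated space.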