I'm putting together a course and I'm looking for some CF cases gone bad. I'll be searching for some, but I figured I would pick your brains if you had some off the top of your head.
Thanks
Please define "bad". Bad for whom?
One of my first cases involved being called by the defense attorneys for a man accused of rape. They wanted me to try to recover Instant Message chat transcripts that would prove their client innocent ("Hey, it was 'consensual,' ya know!")
I ended up finding evidence proving their client was absolutely guilty. Two weeks later *another* victim came forward and accused this perp of the same thing.
I informed the attorneys that they probably needed to rethink their defense strategy on this case.
Bad for client!
I've sent you a PM…
In the Corporate world - investigations into one allegation often produce evidence of other employee behavior. For example, an allegation of sexual harassment via email often results in a time and attendance investigation based on the level of internet surfing etc.
Thanks for the posts. I guess I would be interested in cases like you stated above, but also cases where an officer sat in front of a computer and started looking around without consulting with a CF specialist and it resulted in the case being thrown out or at least a good faith exception. Or a case where someone was searching outside the scope of the warrant and it got thrown out. Or where evidence was not stored properly and got damaged or misplaced prior to trial leading to the evidence getting thrown out. Or where there were gaps in the chain of custody, etc.
I know it is a lot, but I would really like to show the participants of this course that if you do not follow proper procedures, your case could get thrown out just like in XXXX v. XXXXX.
Feel free to PM me if you do not want to post your response.
How about imaging your own hard drive instead of the custodian's? I'm just saying.. it happens :-)
How about using dd and ZEROING your own hard drive. It happened. oops (Where's the palm-smack-to-the-forehead-and-say-"DOH" emoticon?)
Well, I didn't have a case thrown out, but I did have an adverse inference instruction issued against my client on the basis of the following facts:
1) He had a reasonable expectation of being sued.
2) He had been issued a preservation order which instructed him not to take any steps which would "delete or alter the contents of files on his computer".
3) He continued to use his computer for 21 days after #1, above, and 9 days after #2.
4) He had experienced performance problems with his computer PRIOR to either 1 or 2, above, but two days before the plaintiff obtained a court order to examine his computer it crashed. In response, he contacted his MIS department and asked them to look at it. As part of their "recovery" they:
5) Downloaded a freeware antivirus program which included a few megabytes of virus definitions and ran it.
6) Backed up his roaming profile, then deleted it and restored it from the server.
In addition:
7) The system ran a boot optimization prefetch.
The Court ordered that even though he complied with the poorly worded letter of the preservation order (it was granted, ex parte, so they had little probability of actually getting him to surrender the computer without a formal hearing), his continued use of the computer and the intervention of the MIS staff were sufficient to compromise the recovery of any forensic data, even though he had not been instructed not to use his computer nor to preserve unallocated space (as if that were possible with continued use).
Ironically, the Court based its opinion on the 2006 Revisions to the Federal Rules of Evidence even though the events had occurred before the revisions had been approved.
Sadly, I was not consulted until after all of these events had occurred or I would have recommended to my client that they hold the computer and give him another one.
Craig Ball makes an interesting point in one of his postings that preservation orders don't always go to the right people. In this case, the problem was, in part, that their MIS department did not really understand what forensic capabilities existed to recover data from the system and even though they were aware of the order, they didn't think that what they were doing was non-compliant.
A case that I use when teaching as an example of something you do not want to happen is the CD Universe case.
See 'CD Universe evidence compromised'
http//
Google
+cd universe +chain +custody
to see other related articles
Almost Forgot!
The Julie Amero case is probably the best (and most widely published) case in which the forensics were found to be flawed; see
http//
Another case that I have covered in the past was the case of Larry Benedict. An entire series of articles was online at one time that highlighted some of the mishandlings in this case; see
http//
Best,
Christine
PM sent.