• 
  • 
  • 
  • 
  • 
  • 
• 
  • 
  • 
  • 
  • 
  • 
• 
  • 
  • 
  • 
  • 
  • 
  • 
  • 
• 

PROTEGGA LLC Spoliation

NOTE: PROTEGGA LLC respects the privacy of all parties involved in each of its cases and; therefore, will not disclose cause numbers, company or individual credentials, or other items that may lead to identification.

Scenario

Type of Case: Family Law
County: Rockwall
Plaintiff: Mrs. X
Defendant: Mr. Y

Description: Mrs. X and Mr. Y are divorcing and both desire custody of their two boys. Mrs. X had possession of a laptop computer shared between her and Mr. Y during their marriage. A computer forensic investigation of the laptop revealed some out of the ordinary activity. Armed with this information, an order was granted for an additional investigation of Mr. Y’s work computer.

Complication: Someone installed and executed a software product called Evidence Eliminator™ on Mr. Y’s work computer.

Summary

Timeline
Investigation on Shared Laptop: June 7, 2006 through June 18, 2006
Judge Orders No Changes to Work Computer: July 7, 2006
Judge Also Orders Agreement to View Work Computer: July 7, 2006
Mr. Y’s Employer Sent Subpoena for Computer: July 14, 2006
Judge “Again” Orders Access to Work Computer: August 9, 2006
PROTEGGA Imaged Mr. Y’s Work Computer: August 26, 2006
Completed Analysis of Mr. Y’s Work Computer: September 18, 2006
Hearing to Discuss the Issue of Spoliation: November 20, 2006

Defendants’ Response
It’s company policy to run Evidence Eliminator™. I didn’t do it.

Computer Forensic Evidence Recovered
NOTE: PROTEGGA LLC will not release any information that may assist anyone attempting to hide their computer activities. Additionally, PROTEGGA LLC will not provide data to software developers that will enable them to more efficiently remove evidence from computer systems. These policies may limit the amount of information included in this document.

Here are three quotes from the website for Evidence Eliminator™, http://www.evidence-eliminator.com.

• “Robin Hood Software Ltd. is a privately-held UK Limited company specializing in providing complete, one-click anti-forensic software solutions for end-user Microsoft Windows installations. We are based in Nottingham, England, the land of Robin Hood.”
• “Evidence Eliminator™ is simply the first and only top-quality professional PC cleaning program that is capable of defeating all known investigative Forensic Software!”
• “Evidence Eliminator™ is proven to defeat the exact same forensic software as used by the US Secret Service, Customs Department and Los Angeles Police Department (LAPD), and the UK Metropolitan Police Scotland Yard.”

Numerous companies boast of the ability to clean data permanently from a computer system, but few are as blatant in their intent to hide legally discoverable information. Fortunately for everyone seeking justice, this software company makes many claims that it simply can not fulfill.

Mr. Y worked for a company of three employees, including himself. There existed a contract IT person, who had not visited the office in over three months. Evidence Eliminator™ did permanently remove over 16 months of activity from Mr. Y’s computer.

Here’s some of what was found:

• On July 28, 2006, three weeks after the judge’s first order, Evidence Eliminator™ is purchased, downloaded, and burned to CD.
• During the weekend following the download, Evidence Eliminator™ was installed on Mr. Y’s work computer using Mr. Y’s computer account.
• On July 31, 2006, the Evidence Eliminator™ wipe utility was executed for the first time.
• On August 1, 2006, the Evidence Eliminator™ wipe utility was executed for the second time.
• On August 7, 2006, the Evidence Eliminator™ software was uninstalled.
• Evidence Eliminator™ was licensed to RK208747 with serial number EE50-2480000F0004.
• Dates, times, and time zones were altered on four different occasions in an apparent attempt to disguise the installation and execution of Evidence Eliminator™.
• Emails (sent & received), Websites (visited), Movies (downloaded & viewed), Pictures (downloaded & viewed) 1,000’s of files were retrieved

Conclusion

There was plethora of data left behind on Mr. Y’s work computer exhibiting almost identical activity from that located in the original investigation of the shared laptop. This similarity was the stated purpose in investigating the work computer. In addition to finding substantial evidence of spoliation, evidence was also discovered confirming multiple occurrences of perjury and witness tampering.

If Evidence Eliminator™ can beat any computer forensic tool, how did PROTEGGA manage to find so much digital evidence? The key to this is “the analysis.” As stated elsewhere on the PROTEGGA website, “Computer Forensic examinations are an investigative process and data recovery is only a very small part of that process.” What Evidence Eliminator™ attempted to do was beat the data recovery tool, not the computer forensic investigator.

Once a final ruling is made, another Case Study – Child Custody will be created containing any final decisions. At this point, the judge has already stated, “If you show me spoliation occurred, I will order a judgment against the Defendant.” While every detail is not provided in this document, proof beyond any reasonable doubt will be presented.

For more information about PROTEGGA LLC or this whitepaper, feel free to contact us:
Ask The Pman
214.988.9240
[back]

---

Copyright © PROTEGGA LLC, 2003 - 2011. All Rights Reserved.

Sitemap Privacy Statement

PROTEGGA's site adheres to the strictest standards and has been validated by W3C.

For Website Problems Contact: webmaster@protegga.com