214-988-9240


Description: Jane Doe and Richard Roe are divorcing, and both desire custody of their two boys. Jane Doe had possession of a laptop computer shared between Richard Roe and her during their marriage. A computer forensics investigation of the laptop revealed some out-of-the-ordinary activity. Armed with this information, an order was granted for an additional investigation of Richard Roe’s work computer.

Type of Case: Family Law
County: Rockwall
Plaintiff: Jane Doe
Defendant: Richard Roe

Complication: Someone installed and executed a software product called Evidence Eliminator™ on Richard Roe’s work computer.

Summary

Timeline
Investigation on shared laptop: June 7, 2006 through June 18, 2006
Judge orders “No Changes to work computer”: July 7, 2006
Judge also orders “Agreement to view work computer”: July 7, 2006
Mr. Y’s employer sent subpoena for computer: July 14, 2006
Judge “Again” orders “Access to work computer”: August 9, 2006
Protegga imaged Mr. Y’s work computer: August 26, 2006
Completed analysis of Mr. Y’s work computer: September 18, 2006
Hearing to discuss the issue of Spoliation: November 20, 2006

Defendant’s Response
“It’s company policy to run Evidence Eliminator™. I didn’t do it.”

Computer Forensic Evidence Recovered

NOTE: Protegga LLC will not release any information that may assist anyone attempting to hide their computer activities. Additionally, Protegga LLC will not provide data to software developers that will enable them to more efficiently remove evidence from computer systems. These policies may limit the amount of information included in this document.

Here are three quotes from the website for Evidence Eliminator™, http://www.evidence-eliminator.com:

  1. “Robin Hood Software Ltd. is a privately-held UK Limited company specializing in providing complete, one-click anti-forensic software solutions for end-user Microsoft Windows installations. We are based in Nottingham, England, the land of Robin Hood.”
  2. “Evidence Eliminator™ is simply the first and only top-quality professional PC cleaning program that is capable of defeating all known investigative Forensic Software!”
  3. “Evidence Eliminator™ is proven to defeat the exact same forensic software as used by the US Secret Service, Customs Department and Los Angeles Police Department (LAPD), and the UK Metropolitan Police Scotland Yard.”

Numerous companies boast of the ability to clean data permanently from a computer system, but few are as blatant in their intent to hide legally discoverable information. Fortunately for everyone seeking justice, this software company makes many claims that it simply cannot fulfill.

Richard Roe worked for a company composed of three employees, including himself. The company also had a contract IT person, who had not visited the office in more than three months. Evidence Eliminator™ did permanently remove more than 16 months of activity from Richard Roe’s computer.

Some of what was found:

  • On July 28, 2006, three weeks after the judge’s first order, Evidence Eliminator™ was purchased, downloaded, and burned to CD.
  • During the weekend following the download, Evidence Eliminator™ was installed on Richard Roe’s work computer using Richard Roe’s computer account.
  • On July 31, 2006, the Evidence Eliminator™ wipe utility was executed for the first time.
  • On August 1, 2006, the Evidence Eliminator™ wipe utility was executed for the second time.
  • On August 7, 2006, the Evidence Eliminator™ software was uninstalled.
  • Evidence Eliminator™ was licensed to RK208747 with serial number EE50-2480000F0004.
  • Dates, times, and time zones were altered on four different occasions in an apparent attempt to disguise the installation and execution of Evidence Eliminator™.
  • Emails (sent and received), websites (visited), movies (downloaded and viewed), pictures (downloaded and viewed), and 1,000s of files were retrieved.

Conclusion

A plethora of data was left behind on Richard Roe’s work computer, exhibiting activity almost identical to that found in the original investigation of the shared laptop. This similarity was the stated purpose of investigating the work computer. In addition to substantial evidence of spoliation, evidence was also discovered confirming multiple occurrences of perjury and witness tampering.

If Evidence Eliminator™ can beat any computer forensic tool, how did Protegga manage to find so much digital evidence? The key to this is in “the analysis.” As stated elsewhere on the Protegga website, “Computer Forensic examinations are an investigative process, and data recovery is only a very small part of that process.” What Evidence Eliminator™ attempted to do was beat the data recovery tool, not the computer forensic investigator.

Once a final ruling is made, another case study – Child Custody – will be created containing any final decisions. At this point, the judge has already stated, “If you show me spoliation occurred, I will order a judgment against the defendant.” While every detail is not provided in this document, proof beyond any reasonable doubt will be presented.

NOTE: Protegga LLC respects the privacy of all parties involved in each of our computer forensics investigation cases and, therefore, will not disclose cause numbers, company or individual credentials, or other items that may lead to identification.