What Every Attorney Needs to Know About Computer Forensics: Changes to the System Clock, Windows Event Logs, and Proving Spoliation

March 27, 2017 - from DisputeSoft's Nick Ferrara

From time to time, a party to a lawsuit may attempt to delete or overwrite relevant files from a computer system in its custody before producing that system to an opposing party. Such an attempt can lead a court to infer spoliation of evidence if a producing party’s destructive intentions can be reasonably established.

Forensic computer examiners often address this issue in the course of their investigations and can typically identify techniques commonly used to compromise digital evidence. While there are a variety of ways that a user can compromise digital evidence, one technique on Windows computer systems that is within the reach of even unsophisticated users is to manually change the computer’s time and date settings.

Most Windows computers allow users to manually change the system’s time and date settings. By changing these settings before compromising key files, a user might hope to create the appearance that these files were deleted or overwritten as part of normal computer usage prior to a court’s preservation order.

Fortunately, a number of Windows artifacts make this technique relatively easy to detect. The Windows Event Log, for example, includes log entries that concretely identify any manual changes made to a computer’s date and time settings through the user interface. Expert examination can easily distinguish these log entries from other normal modifications made to a computer’s date and time settings and can yield the evidence necessary to support (or, as applicable, refute) an inference of spoliation. These types of analyses are typical of the work that DisputeSoft’s forensic investigators perform for clients.

If you are involved in a matter where you suspect that the date and time that files were deleted or last modified have been manipulated, or if you are defending against such an assertion, give us a call to see if we can assist you in establishing or refuting an inference of spoliation.

Warner Bros. Mistake Highlights Opportunity for DMCA Improvement

February 7, 2017 - from DisputeSoft

The film and entertainment industry has long been a popular target for intellectual property pirates.  Misappropriation of in-demand films began during the silent era as early as 1895, when film exhibitors screened movies beyond the dates agreed upon by exhibitors and film producers.1 While piracy of film and entertainment is not a new phenomenon, the Internet has provided pirates with an ideal platform through which to distribute misappropriated entertainment.

One of the film industry’s largest companies, Warner Bros., has earned a reputation for using the Digital Millennium Copyright Act (DMCA) to protect its intellectual property on the web. However, the motion picture giant recently found itself in an awkward situation after its anti-piracy partner, Vobile, Inc., flagged for copyright infringement under Section 512 of the DMCA Google search results that linked to Warner Bros.’ own website. Vobile uses a program called VideoTracker to identify, track, and flag infringing copyrighted video content online. However, VideoTracker mistakenly flagged Google search result links to several Warner Bros. websites, including the official pages for The Dark Knight and The Matrix, as well as legitimate movie links on Amazon, Sky Cinema, and IMDb. After investigating the allegedly infringing URLs, Google decided not to remove the links.2

Mounting evidence suggests that robo or bot based solutions for identifying infringements, like Vobile’s VideoTracker, have substantially increased rates of questionable takedown requests. However, studies also suggest that bots identify infringing content more accurately than do humans. Researchers performing an independent study examined a random sample of over 100 million takedown requests made over a six month period and found that 32.6% of takedown requests made by bots raised questions of validity. the researchers found that 4.2% of the material targeted for takedown by bots did not match the copyrighted material, and that 28.4% raised other validity questions, “ranging from failure to identify the materials in dispute to targeting potentially legal uses.” 3 While the bots submitted invalid requests less frequently than humans, the massive number of requests submitted by bots prompted the researchers to conclude that “These percentages translate to many millions of notices in the entire set—for example, the 4.2% translates to about 4.5 million notices.”3

Due to issues regarding substantial resource commitment validating takedown requests, and the likely rate of false positives, copyright holders and ISPs alike have expressed dissatisfaction with the DMCA process for flagging and removing allegedly infringing content. Companies that operate in the entertainment industry must commit substantial resources to staying ahead of the rampant misappropriation of their intellectual property via the internet, and they often turn to companies like Vobile that use automated copyright monitoring programs such as VideoTracker to locate and remove infringing content. On the other hand, ISPs devote substantial resources to dealing with the massive amount of removal requests issued by copyright holders.4 After receiving a 60% increase in removal requests from 2015 to 2016, Google found itself with more than 558 million DMCA takedown requests to review.2 If the rate of invalid requests is anything like those found in the study noted above, then Google would potentially be reviewing and reversing upward to 200 million invalid requests.

The DMCA’s failure to substantially reduce online piracy despite the considerable resources devoted to the removal process by both copyright holders and ISPs has caused both groups to call for a revision of the law that takes into account the unpredicted scope of the internet today. The US Copyright Office has responded by requesting input from video copyright owners for a study that will evaluate how effective DMCA Section 512 has been in addressing online piracy and in reducing the number of illegitimate takedown notices. In the first phase of the study, conducted between December 31, 2015 and April 1, 2016, the Office received over 92,000 comments regarding the DMCA. Using this feedback as a guide, the Copyright Office hopes to find common ground among the interests of internet users, ISPs, and copyright holders and to reduce the cost and effort expended by companies and ISPs to protect intellectual property.5



1 Piracy in the Motion Picture IndustryFilm & History Journal Vol. 34, No 1., 2004

2 Warner Bros. flags own site for piracy, orders Google to censor pagesArs Technica, 2016

3 Notice and Takedown in Everyday PracticeUC Berkeley Public Law Research Paper No. 2755628, 2016

4 Lenz v. Universal: A Call to Reform Section 512(f) of the DMCA and to Strengthen Fair Use  – Vanderbilt Journal of Entertainment & Technology Law, Vol. 18, No. 3, 2016

5 US Copyright Office Section 512 Study – U.S. Copyright Office, 2017


What Every Medical Malpractice Attorney Needs To Know About Computer Forensics

December 13, 2016 - from DisputeSoft's G. Hunter Jones

Medical mistakes not only may put a patient’s life or health at risk but also lead to an investigation of the practice and, depending on the evidence, potential litigation.

Evidence of mistakes or unethical behavior by medical professionals can often be found only deep within the metadata of a computer system, a medical record, or a medical image. A computer forensics expert can follow the trail of technological breadcrumbs to uncover factual information that exposes medical mistakes or even their cover-ups. The following real-world scenarios illustrate how the work of a computer forensics expert can help counsel to ferret out critical facts of a case:

1. A doctor fails to detect a severe birth defect in an ultrasound image. By examining computerized medical records, a computer forensics expert can uncover evidence that indicates which radiologist examined the image and when each examination was conducted. If the ultrasound image has been deleted, the expert can determine when the image was deleted and may be able to recover the lost image.

2. A patient fails to show up for a follow-up appointment, claiming that the practice never scheduled such an appointment. An investigation determines that the practice changed the computer system it uses to manage its electronic health records, and the record of the appointment cannot be recovered using the practice’s new system. A computer forensics expert can stand up the old system to inspect the order and appointment history to determine whether the patient’s missed appointment was actually scheduled.

3. A physician fails to produce a patient’s medical records upon request. A contractor handles the medical records for the practice, and the practice’s staff is unfamiliar with the computer system used to manage the records. As a result, the staff’s efforts to produce a patient’s medical records fail, and the patient claims that his/her records were altered and inadequate. A computer forensics expert can determine whether the patient’s electronic health records were altered or improperly maintained.

The above scenarios are just a few of the many kinds of disputes that may arise from allegations of medical malpractice.  In any case that involves digitally stored files, computerized images, or medical software, a computer forensic expert may have the skills to gather crucial evidence that could help to decide a case.

For more information regarding DisputeSoft’s experience in medical malpractice disputes, please click here.