Computer Forensics Case Analysis: Kucala Enterprises, Ltd. v. Auto Wax Co., Inc. February 21, 2008
Posted by timsteiner in Research. Tags: computer forensics, case analysis, electronic evidence, encase, e-discovery, electronic discovery, e-evidence
Tim Steiner
SEC 220
02/15/08
Computer Forensics Case Analysis: Kucala Enterprises, Ltd. v. Auto Wax Co., Inc.
INTRODUCTION
There are many computer forensics products on the market today claiming the ability to recover lost or deleted files and obtain electronic evidence (e-evidence) that can be used in court. EnCase is a popular tool used by many law enforcement agencies to conduct electronic discovery (e-discovery) (EnCase, 2008). Technology is often described as a double-edged sword: it can be used for great good, but it can also be used for great harm. Computer forensics is no exception, and for every forensics tool there is an anti-forensics tool (EnCase, 2008). Evidence Eliminator is one such tool, claiming the ability to defeat EnCase (Keys, A. 2003, p.4). What happens when e-evidence in a case is destroyed? What prevents defendants from eliminating all traces of incriminating evidence in an attempt to evade justice? These and other issues are addressed in the case of Kucala Enterprises, Ltd. v. Auto Wax Co., Inc.
OVERVIEW
The two auto care companies, “Kucala” and “Auto Wax,” both manufacture and sell a similar auto clay wax product. In 2001 Auto Wax sent Kucala a letter which stated that Kucala was selling a product that infringed the patent owned by Auto Wax (Keys, A. 2003, p.2). Kucala proceeded to file a complaint, “seeking a declaratory judgment against Auto Wax, which would declare the Auto Wax Patent invalid, and thereby allow Kucala to continue to manufacture and sell its own clay without fear of prosecution by Auto Wax.” (Keys, A. 2003, p.2). On December 13, 2002, the court granted Auto Wax’s discovery request and Kucala was ordered to produce computer files pertaining to the case. Upon forensic inspection of Kucala’s desktop computer, it became apparent that Kucala had used the computer program Evidence Eliminator on the desktop (Keys, A. 2003, p.3).
ANALYSIS
Legal Issue
The legal issue is whether or not Kucala’s actions were unreasonable and, furthermore, whether deleting files that could have been used as evidence was done in disregard of the court order (Keys, A. 2003, p.18).
Holding
The district court concluded that Kucala’s disregard of court orders showed an utter lack of respect for the litigation process. The use of Evidence Eliminator software resulted in loss of data relevant to the case. The court found that Kucala had a duty to maintain evidence that was under their control. They were at fault for not preserving it (Keys, A. 2003, p.19).
Decision
The court recommends that Kucala’s suit against Auto Wax be dismissed. Additionally, Kucala is responsible for paying Auto Wax’s attorney fees and costs (Keys, A. 2003, p.20).
CLOSING REMARKS
In this case, any reasonable person can see that justice was clearly served. Kucala’s use of the Evidence Eliminator software appears to have been a willful act to circumvent justice. There is no way of telling how much evidence was or was not destroyed by the Evidence Eliminator software. Thus, Kucala’s egregious conduct is rightfully answered by the dismissal of their claim. This is a great precedent for subsequent computer forensics cases. As the use of electronic information increases, it is important to ensure that the integrity of that data is maintained. Just as there are penalties for destroying physical evidence, there must be penalties for destroying e-evidence. This will deter the use of tools such as Evidence Eliminator and ensure that computer forensics investigations can be successfully accomplished.
REFERENCES
Keys, A. (2003, May). Kucala Enterprises vs. Auto Wax Company. Retrieved February 14, 2008, from http://www.guidancesoftware.com/downloads/KucalaVsAutoWax.pdf
EnCase. (2008, February). Wikipedia. Retrieved February 14, 2008, from http://en.wikipedia.org/wiki/EnCase
Computer Forensic Product Analysis: HELIX February 15, 2008
Posted by timsteiner in Research. Tags: computer forensics, data acquisition, e-discovery, e-evidence, electronic discovery, electronic evidence, forensic tools, helix, incident response, open source, product analysis
Tim Steiner
SEC 220
02/06/08
Computer Forensic Product Analysis: HELIX
INTRODUCTION
Computer forensics products and methods are the keys to a successful forensic investigation. If the products used have not been fully tested, they may damage or destroy electronic evidence. Furthermore, it is very important to select good forensics tools; doing so can make or break a case. There are many choices of computer forensics tools, utilities, boot disks, and other software. Some computer forensics tools sell for thousands of dollars, while others are freely available open source software packages (Purchase, 2008). The focus of this paper is on “HELIX”, an open source forensics boot CD used for “Computer Forensics, Incident response, and Electronic discovery” (Helix, 2005, p.1).
OVERVIEW
Helix is a customized version of Knoppix, designed with many computer forensics and incident response applications. Helix is a Live Linux CD, meaning that it is booted directly from the CD and does not need to be installed on the hard drive (Helix, 2005). Because it is never written to the hard drive, Helix can ensure that the data on the host device is not compromised or damaged in any way. It is essential that a computer forensics tool not disturb or change anything on the host computer in order for the evidence obtained to be admissible in court. Helix claims to be forensically sound, meaning that it can be used to obtain reliable data as evidence (Computer Forensics, 2008).
ANALYSIS
Helix is released under the GNU General Public License (GPL), which makes the software freely available to everyone.
Strengths
Helix is free, so the price is right. It includes many useful computer forensics applications such as Sleuthkit and Autopsy. Many organizations use Helix for incident response and forensics training. When Helix is loaded, it automatically detects the system’s hardware (Helix, 2005). Helix has very good support for Windows, which many other forensics boot disks lack. With Helix it is possible to image a running Windows system (Bejtlich, R. 2006).
Weaknesses
The major issue with Helix is the degree to which it touches the host computer’s hard drive when it boots (Bejtlich, R. 2006). Helix nevertheless claims not to make any changes to the host computer’s hard drive (Helix (Linux Distribution), 2008). Although Helix is a popular forensics utility, there are no examples to be found of it being used by actual law enforcement to conduct e-discovery.
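Whether a boot CD really leaves the host drive untouched is something an examiner can verify rather than take on faith. The following shell script is an added example (not from the paper or the Helix project): it records a SHA-256 baseline of the evidence source before the tool is used and re-hashes it afterwards, appending both results to a constructed chain-of-custody log. It assumes coreutils (sha256sum, date) and an evidence path without spaces, such as a device node or a disk image file.

```shell
#!/bin/sh
# Added example: verify an evidence source is byte-for-byte unchanged
# after a forensic boot CD has been run against it (assumes coreutils).

# Hash the evidence source before the tool is used. Appends a
# timestamped BASELINE line to the custody log and prints the hash.
record_baseline() {
    evidence="$1"; log="$2"
    hash=$(sha256sum "$evidence" | cut -d' ' -f1) || return 1
    printf '%s BASELINE %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$evidence" "$hash" >> "$log"
    printf '%s\n' "$hash"
}

# After the tool has been booted and shut down, re-hash and compare
# against the most recent baseline for this evidence path.
# Returns 0 when unchanged, 1 when modified, 2 when no baseline exists.
verify_unchanged() {
    evidence="$1"; log="$2"
    baseline=$(grep " BASELINE $evidence " "$log" | tail -n 1 | awk '{print $4}')
    [ -n "$baseline" ] || { echo "no baseline for $evidence" >&2; return 2; }
    current=$(sha256sum "$evidence" | cut -d' ' -f1) || return 1
    if [ "$current" = "$baseline" ]; then
        printf '%s VERIFIED %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$evidence" "$current" >> "$log"
        return 0
    fi
    printf '%s MODIFIED %s baseline=%s current=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$evidence" "$baseline" "$current" >> "$log"
    return 1
}
```

Run `record_baseline` against the device before booting the CD, and `verify_unchanged` after shutdown; a MODIFIED line in the log is the evidence that the tool did touch the drive.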
CLOSING REMARKS
Helix is a great computer forensics tool. It can be used to acquire a live image of a Windows system, repair damaged files, perform data acquisition, recover a virus-damaged system, change Windows passwords, look for rootkits, securely delete files, and much more (Gleason, B.J. 2006). The Helix software package is a complete professional-quality forensics tool. It is my opinion that Helix could be used by law enforcement to accurately obtain and document e-evidence. At this time I see no examples of Helix being used by any law enforcement agency. Thus, I have to conclude that a court might not accept e-evidence obtained via Helix because there is no precedent to follow. It would be better to spend the money on a commercial computer forensics product already used by law enforcement to ensure that the evidence obtained would be admissible. Electronic evidence is only valuable if it is admissible as evidence in support of a case.
REFERENCES
Bejtlich, R. (2006, August). Forensically Sound Evidence. Retrieved February 4, 2008, from http://taosecurity.blogspot.com/2006/08/forensically-sound-evidence.html
Computer Forensics. (2008, February). Wikipedia. Retrieved February 4, 2008, from http://en.wikipedia.org/wiki/Digital_Forensic_Tools
Purchase. (2008). The Farmer’s Boot CD. Retrieved February 4, 2008, from http://www.forensicbootcd.com/con/pur.html
Gleason, B.J. (2006, March). Helix 1.7 for Beginners. Retrieved February 4, 2008, from http://www.e-fense.com/helix/Docs/Helix0307.pdf
Helix. (2005). The Helix Live CD Page. Retrieved February 4, 2008, from http://www.e-fense.com/helix/index.php
Helix (Linux Distribution). (2008, February). Wikipedia. Retrieved February 4, 2008, from http://en.wikipedia.org/wiki/Helix_%28Linux_distribution%29