Spokane7
34°
May 8, 2011 in City
Software helps lawyers mine data users thought they’d deleted
Josiah Roloff, a vice president and investigator for Spokane computer forensics company Global CompuSearch, explains how deleted files and chats can be retrieved from computers and phones.
(Full-size photo)
In 2009, Peter Moesslang, a 68-year-old Spokane-area businessman, was sued by a woman who said she had been his companion for nearly 20 years.
The former companion, Bette Lyn Kelly, filed suit in Spokane County Superior Court, saying she and Moesslang had a steady relationship from the mid-1980s. She said their relationship was meretricious – legally viewed in Washington as similar to a marriage.
Kelly, who’s 64, sued for a portion of Moesslang’s assets, even though she acknowledged they no longer lived together and had broken off the relationship well before 2009.
Moesslang’s attorney, Jane Brown, of Spokane law firm Paine Hamblen LLP, obtained a copy of email files on a computer Kelly used while working for Moesslang. Brown wasn’t sure what they might contain, but like many lawyers Brown now makes that request as standard practice.
Last year a Spokane judge dismissed Kelly’s suit. Some of the emails recovered from her computer – even those thought to be deleted – played a key role in that decision.
That tactic – asking for digital copies of messages, photos, voicemail or chat transcripts found on computers or cellphones – is now widely accepted by attorneys.
Where it used to be found only in corporate law or commercial disputes, it’s now seen across the board, especially in employment- and family-law matters, said Greg Johnson, another Paine Hamblen lawyer and the firm’s technology specialist.
Lawyers routinely make court-approved searches of smartphones, computers and iPads, and, in the past two years, have broadened their investigations to social media sites like Facebook and Twitter.
In a society saturated with electronic communications, all those digital traces and records have made being a lawyer much easier, said Michael Church, a Spokane employment-law attorney.
“People don’t realize this stuff lives forever,” Church said. Even when people delete information, those messages, photos and browsing records on computers or phones can be easily retrieved, he said.
In fact, Paine Hamblen’s Brown and Johnson suspected some of the key messages needed to defend Moesslang would be found in deleted email form.
When she made the claim on Moesslang’s property and assets, Kelly tried to establish she was in an exclusive, committed relationship with him during the period within the law’s statute of limitations.
Instead of making her case, many of Kelly’s emails showed she had formed another romantic relationship while still living in one of Moesslang’s homes.
Brown was able to cite those messages in convincing the court that Kelly and Moesslang had both ended their romantic relationship during the time Kelly said they were together.
After Kelly’s claim in Superior Court was dismissed, her lawyer, Spokane attorney Al Gauper, appealed the decision. The appeals court has not yet set an oral argument on that case.
Gauper, a veteran Spokane family-law attorney, understands the value of electronic evidence. He has used it himself in other cases, such as a divorce and support-payment dispute he handled two years ago.
His client, a Spokane woman, said her ex-spouse insisted he no longer had the income to pay alimony.
Gauper visited Facebook and started copying down the ex-husband’s messages and updates. Many were about locations he visited or events he attended in different cities.
“The messages there, saying ‘I’ve been to Las Vegas’ or other glamorous places, didn’t seem to bear out his statement that times were hard and he needed to adjust his lifestyle,” Gauper said.
The judge agreed on that matter.
Publicly available Facebook messages are almost too simple a source of information. It’s harder – but possible – for attorneys to find ways to get copies of chats and instant messages Facebook users engage in, and which typically are not kept in permanent form.
But computer forensic experts have found Facebook instant chats are saved in deleted form on a person’s computer.
“People who use instant messaging in Facebook assume those conversations are gone,” said Josiah Roloff, a vice president and investigator with Spokane computer forensics company Global CompuSearch.
“Those conversations are there on the hard drive in what’s called unallocated file space,” Roloff said. To find them, investigators use software tools, such as EnCase, a product that finds and restores deleted computer data. As long as the deleted files sit on parts of the hard drive that are not overwritten with new data, EnCase can retrieve messages and chats.
EnCase is also used, among other tools, to dig through deleted messages on smartphones, including the popular Apple iPhone.
Not long ago Global CompuSearch was asked by a Spokane man to look through his wife’s iPhone to determine if she was having an affair.
Using EnCase, Global CompuSearch investigators sifted through the wife’s iPhone data. Even though many of the recorded voice messages were deleted, EnCase was able to recover roughly 1,000 of them, and the husband learned she was seeing another man, Roloff said.
As a result, his attorney was able to negotiate a divorce settlement in the man’s favor, Roloff said.
“The iPhone is one of the most insecure phones you can have” if you’re trying to hide or protect personal information, Roloff said.
That opinion has nothing to do with the recently divulged feature of many iPhones, which can keep a location history going back many months. Apple has modified that feature and told users how to disable that option.
“What makes an iPhone so insecure is that it can hold so much information, including photos that may be deleted but can also be recovered,” he said. Older or plain-feature phones don’t hold that volume of personal information, he added.
At other times attorneys try to determine not what’s on a computer, but how it got there.
Roloff’s boss, Global CompuSearch CEO Marcus Lawson, was involved in a major child-custody case in Connecticut that involved allegations that a husband was downloading child pornography.
The wife said she found the porn on one of the couple’s home computers. She cited that as the reason she deserved sole custody of their three children.
The husband’s attorneys asked Lawson to examine a number of computers the couple used. The husband insisted he had nothing to do with them.
Lawson discovered he couldn’t establish who downloaded the porn, but he made a strong case it wasn’t the husband.
Using time-stamp information associated with browser files on the computer, Lawson showed that whoever visited the porn sites did so when the husband was far from home on business trips.
The wife’s attorneys tried to argue the husband might have downloaded the porn while taking one of the home computers on a trip.
Lawson used a website feature to show that the porn had to have been downloaded by someone living in Connecticut. “Porn sites do something that’s very specific to their geographic location. They load ads for adult friend-finder sites,” Lawson said.
Those “find-a-friend” ads are delivered with a reference to a specific geographic location to better appeal to the person visiting the website. The ads in this case offered to “find a date” with someone located in the city where the couple lived.
Lawson retrieved and reproduced as evidence the porn pages with the accompanying “friend” ads to show the computer wasn’t with the husband in another city.
Lawson testified for more than two days, dealing with challenges to that evidence from the wife’s attorneys. In the end, the judge ruled in favor of the husband.
Digital evidence does more than incriminate, of course. It also helps people, said Hector Quiroga, a Spokane Valley attorney.
“Social media evidence can show innocence. An email, a Tweet or a Facebook update can show that you were not present at the place you are accused to be, and save the day for you,” Quiroga said.
But he also foresees negative consequences of the spread of digital records through the legal system.
Because people post messages quickly, sometimes less than thoughtfully, comments can be taken as attacks, defamation or even cyberstalking, he said.
“Those will become more common and this will create another burden in our courts,” Quiroga said.
Recent stories by Tom Sowa
Gonzaga to build parking structure, replace COG February 22, 2012
- Buyer plans to improve Bing Crosby Theater February 17, 2012 1
- Bing Crosby Theater sold to Spokane businessman Dicker February 16, 2012 6
- Itron CEO says its losses eclipsed by record revenue February 16, 2012
- Scouts board OKs swap of Camp Easton land February 16, 2012 1
Enter to win tickets to see Adam Carolla at the Knitting Factory 
WSU Text-to-Win Contest 
EWU Text-to-Win Contest 
opiemuyo on May 08 at 8:07 a.m.
Or, stay out of trouble, do no wrong, and your iPhone will be a better alibi than your mother.
eagleproducer on May 08 at 8:28 a.m.
opie: Why didn’t I think of that? You’re right, I’d probably just waste all that privacy I’m supposedly guaranteed.
I can’t believe how cowed most people are to “authority”. Why don’t you just grow a queue and get it over with?
DickAdams on May 08 at 8:43 a.m.
Leave it to low life attorneys. These scum bags will stoop to, and look into stuff that invades ones privacy even if its illegal then continue court appeals regardless if they are right or not. They have no shame. They should also be arrested for following to close to ambulances.
Ninch on May 08 at 8:57 a.m.
Good info to know in case one is involved in a case where one needs an attorney, which happens to ordinary people more often than one would like. BTW: Hating the attorneys does not make sense, because these law suits are instigated by other ordinary people and not lawyers.
DickAdams on May 08 at 9:12 a.m.
One call that`s all !!
Albert on May 08 at 10:27 a.m.
Here’s a good suggestion….own nothing, but control everything. Utilizing an Irrevocable Blind Trust for your home, blind C Corps out of Wyoming for your business(es), and a standard asset check by the bottom feeders will always come up zero. If you own nothing, the bottom feeders will demand a “retainer” from the blood suckers, who of course are broke, and thus the lawsuit never happens. Only those with “obtainable assets” are targets. Just a thought for your day.
Bruce (aka thatoneguy) on May 08 at 10:30 a.m.
“She said their relationship was meretricious – legally viewed in Washington as similar to a marriage.”
definition for “meretricious:” http://dictionary.reference.com/browse/meretricious
Well, I guess that does describe some marriages…
Elkay on May 08 at 12:18 p.m.
Hey thatoneguy, thanks for the link! Funny!
greenlibertarian on May 08 at 1:23 p.m.
Just an expansion of the concept of you can’t unring a bell.
AnneOminous on May 08 at 6:28 p.m.
Ninch, you CAN blame the lawyers. It is they who have pushed for information (regardless of whether it violates privacy) so hard that now it has become commonplace for privacy to be violated over a simple court case. That has to change!
The whole concept of “If you aren’t doing anything wrong you have nothing to fear” is WRONG. History has proven it wrong, time and time again. We have to exercise our rights lest we lose them altogether.
People, if you are in a lawsuit in which a lawyer “routinely” tries to access your private files or computer, object in the strongest terms. Normally they have to get probably cause or other strong legal evidence before they can go fishing through your private things. If they try, insist that they hold to those standards.
You won’t get your freedom back unless you stand up, people. Don’t be sheep. Don’t take things like this lying down.
Also, in addition to purchasing encryption software, get yourself some good utilities for “secure deletion” and wiping the free space on your disk(s). Let me explain:
When you “delete” a file, the data doesn’t actually get deleted. All that happens is that the spots on the disk that are occupied by that data get flagged as usable again. So the next program that wants to write data can write over that spot. When that happens, on today’s disks, that means the old data (in THAT spot) is pretty much gone forever. But only that spot… a single file can be spread in little bits all over the disk. One spot might get overwritten, but that still leaves the rest of the information there. Which, with the right software, can be retrieved… if only in chunks.
With older-technology hard drives, there was a lot of “slop” in where bits were physically stored on the disk. When a piece of data was overwritten, sometimes statistical analyses could be used to recover most of the older data. That is no longer true. But the data that still remains in the “empty” spaces still needs to be over-written in order to get rid of it. That is why a “free space wipe” utility is handy. Use it once a month, if not more often.
Also, programs that keep databases of information — like email programs — often keep old data, too. When you delete an email, the space in the data file that was reserved for that email is marked for re-use. But it is not deleted. This is for efficiency reasons… it is a lot faster to do it that way. So if you want to actually DELETE an email, you should make the deletions you want, then tell the email program to rebuild, or repack, the database file. A good email program should have that command somewhere in the menu.
THEN run your “free space wipe”.
It’s all very much a pain… but it could save you a lot of pain in the future. As a famous judge once said, one reason the Fifth Amendment exists, and that fishing expeditions are to be discouraged, is because even the words of an innocent person can make them appear guilty.
If you doubt that — or even if you don’t — I urge you to watch this video (49 minutes), by a law professor and former defense attorney, and a police detective. It is very enlightening: http://www.youtube.com/watch?v=6wXkI4t7nuc
AnneOminous on May 08 at 6:37 p.m.
Albert:
How does an “irrevocable blind trust” constitute money that is not “available”? Can’t a judge order you to include a trust in your list of “assets”?
Albert on May 08 at 8:37 p.m.
Good evening Anne, a friend who is really well versed in this entire matter gave me his book that explains it all in detail. Here is the link: http://www.amazon.com/dp/B004YTPA1M for details.
It all depends upon “what” you receive from the Trust. If your home is titled into the Trust, then you don’t own that home. To be sure, you pay “rent” to the Trust as you remain in the home. This recently hit home when my mom died and I became the beneficiary of her “B” Trust that includes the condo in California where my dad still resides. He now pays $500. per month (on a 800K condo) “rent” to this Trust. My folks attorney set this all up years ago and my mom’s estate never hit the probate court…save thousands. I am the Trustee of the “condo” wherein I, along with my 2 sisters, now will receive this property…outside of probate when dad dies. That part I understand…my buddy’s book has far more details. “heady” stuff, but powerful. Hope that helps? We are in the process of setting up this Trust for ourselves.
PlanB on May 08 at 10:11 p.m.
I have the utmost confidence that the information obtained by lairs, errr… I mean lawyers can be counted on as being completely accurate, analyzed with all due diligence, and obtained in accordance with all rights afforded us by the constitution of the United States of America. Or at least the best rights money can buy.