In October 2007, Thomas was found guilty of distributing copyrighted songs and ordered to pay a fine of $222,000 ($9,250 for each of the 24 songs involved in the case).  A year later the verdict was thrown out because of faulty jury instructions.  Last week I followed the Ars Technica coverage in the retrial of Capitol Records vs. Jammie Thomas-Rasset.

Scratch almost everything I said about Thomas-Rasset needing to hire a qualified computer forensics expert.  She did hire a computer forensics expert, however, she neglected to tell the expert that the hard drive she gave him to examine was installed AFTER she was notified about infringing on copyrights.  She neglected to tell everyone this fact instead saying the hard drive was replaced a year before.  The expert found a sticker on the drive indicating that it was manufactured in 2005 when Thomas-Rasset claimed it was installed in 2004.  (Even without this it would have been easy to determine when the hard drive was installed from artifacts on the hard drive.)  It’s obvious to me what she was trying to do.  MediaSentry reported seeing that she had songs being shared on her PC and she gave everyone a brand new drive to examine because they would find no traces of KaZaA installed on it.

The difference between civil cases and criminal cases is that in a civil case a conviction is based on the preponderance of evidence not beyond a reasonable doubt like in criminal cases.  The moment she was notified that she was infringing on copyrights she was required to preserve evidence (believe it or not).  Her story about one of the kids hitting the tower simply does not fly.  It takes more than that to kill a hard drive.  In many cases, the defense could have been sanctioned for spoliation [PDF] meaning the jury could assume that the missing evidence would have been unfavorable to Thomas-Rasset.

The lack of evidence explains why her defense did not choose to counter the evidence from the plaintiff’s experts with their own physical evidence.  Instead they countered with wild scenarios of what could have happened and almost outright pleas for sympathy.  She was found guilty again.  I have to admit that if I was on that jury, I probably would have found her guilty as well given what I read on the case.

With this new $1.9 million verdict, I’m thinking she should have settled.  I wonder what the defense’s strategy was given that they could not counter the plaintiff’s evidence with any evidence of their own.  I’m sure no one expected such an excessive award for the plaintiff.

Disclaimer: Opinions expressed here are my own and not the opinions of any employer or organization of which I am a member.

You might also be interested in:

• Capitol Records, et. al. v. Jammie Thomas

The case involving Julie Amero was decided the day after Thanksgiving. For those that are not familiar, Amero is the substitute teacher in Connecticut that was convicted last year of 4 felony counts of “Risk of Injury to a Child” stemming from a 2004 incident involving porn popups displaying on a classroom computer while students were present.

During the trial witnesses for the State of Connecticut testified that evidence showed that Amero had to have purposely clicked on the linked for the porn sites. The defense’s expert was not given the opportunity to testify but it was his theory that the computer was infected with malware from a hair website that caused the porn popups. Both theories were wrong. According to a report released by Alex Eckelberry, et. al., who examined the computer’s hard drive after the conviction, the computer was infected with newdotnet, spyware that was installed one week prior to the instance bundled with a Halloween screensaver.

This conviction was thrown out but this has proven all for naught though as Amero has accepted a plea agreement for her new trial due to health problems related to stress. The plea agreement resulted in a $100 fine and revocation of her teaching credentials. So she is essentially being punished though she is clearly innocent. This case drives home something that is of the utmost importance in cases involving electronic evidence – both the prosecution and the defense must utilize qualified experts do a thorough examination of the evidence. Had the prosecution thoroughly examined the drive in a forensically sound manner, they would have no doubt found exculpatory evidence related to this case. Had the defense thoroughly examined the drive, they would have been able to defend against the prosecution presenting actual evidence instead of theories. The best way to counter electronic evidence is not with testimony, demonstrations and shaky theories but with electronic evidence.

In addition to having qualified computer forensic experts, it’s also important to have counsel that is not only computer-literate but also understands electronic evidence. Such counsel on either side would be able to recognize misleading testimony.

With Jammie Thomas’ copyright infringement case, I originally felt that qualified experts were not used because of cost but in both cases, it seems that the reason was more likely lack of awareness of computer forensic experts. In the case of Julie Amero, help from computer forensic experts was received after the case was already in full swing when it was too late. The experts became involved because of the media coverage of the case. How many other cases are involving electronic evidence are going on that aren’t receiving media coverage?

Not only is it a lack of awareness on the part of people who need computer forensic experts but also we (computer forensic experts) don’t seem to make our existence known. To that end, here are some places to find computer forensic experts. Looking at the websites, some don’t seem to focus on people who need to find an expert. The HTCIA, however, has recently created a Computer Forensic Examiner locator.

• International Society of Forensic Computer Examiners
• International High Technology Crime Investigation Association (members are not allowed to work on criminal defense cases unless approved and on a pro-bono basis)
• SANS Institute – Certified Computer Forensics Analysts
• International Association of Computer Investigative Specialists (members are law enforcement)
• High-Tech Crime Cops (mostly law enforcement)

It is important to note that members of some of these organizations don’t do criminal defense work but that does not mean that they wouldn’t given the right case. Nevertheless these organizations are a good starting point for looking for qualified computer forensic services.

While I use computer forensics to identify unethical and illegal behavior, I don’t think anyone should be punished due to misinterpretation of evidence or because a thorough examination of that evidence was not done.

You might also be interested in:

• Koobface Comes to Twitter: Are You Protecting Yourself?
• CheckFree: A Case of Phishing, Pharming and Drive-Bys
• Capitol Records, et. al. v. Jammie Thomas

I’ve been trying to find the facts in the case of Capitol Records, et. al. vs. Jammie Thomas where Thomas was found guilty of distributing copyrighted songs and ordered to pay a fine of $222,000 ($9,250 for each of the 24 songs involved in the case). From what I have gathered, Thomas ripped her own CDs. The ripped music files were found in a KaZaA share on her PC. The evidence against Thomas included the use of her ubiquitous user id “tereastarr” as the id for the Kazaa account and that a computer with her IP address was where Media Sentry found the shared files. While this information seems pretty damning, it is not the slam dunk that it seems.

I don’t know whether Thomas did what she was accused of but something obviously went wrong in this case. Even the guilty are entitled to a proper legal defense and in my opinion Thomas did not receive one. She went into that courtroom with an “I’m innocent and the jury should figure that out” defense which doesn’t work even when you are innocent. Her counsel introduced something about IP spoofing as a possible defense as well although this proved ineffective as a forensic examination was done of Thomas’ PC that found that the music files were in fact in a shared folder in “My Music”.

What went wrong? Forget the jury instructions and all the other things I’ve read all over the place. It doesn’t seem that Thomas’ counsel Brian Toder had an adequate grasp of electronic evidence. You don’t counter electronic evidence with testimony, demonstrations and shaky theories. You counter electronic evidence with electronic evidence. Did the defense have a forensic expert of their own?

Typically in cases involving electronic evidence, a forensic (not security) expert in brought in to do a forensic examination of the defendant’s computers and electronic media. Both plaintiff and defendant will hire their own experts to do separate examinations.

Things that I didn’t see mentioned in anything I read about the case that a forensic expert (on either side) should have brought up include:

• Was KaZaA installed on the computer? When?
• When was it last used?
• What other evidence of use of the KaZaA account existed? (email, etc.)
• When KaZaA is installed does it automatically create an account with the same user id as that used on the PC?
• What software was used to rip the CDs?
• Were the ripped songs automatically placed in the KaZaA directory when ripped?
• Were the songs placed on a portable device?
• Was there any spyware/trojans on her computer that would have caused files to be shared?
• Did the music files contain metadata that can be used to determine what user and software ripped the songs?
• The creation dates were very close in time but what about the modified dates?
• Many other questions …

It might very well be that Thomas lost on a fluke. The plaintiff was attempting to settle with Thomas before going to trial. It could be that they knew that their evidence was not “all there”. It is reported that Thomas will appeal her conviction on the basis of the jury instructions. I hope that her defense hires a forensic expert to examine her computer to answer at least these questions.

UPDATE: While continuing to read articles on this topic I ran across this. There was no electronic evidence other than the name of the account, the IP address, and screenshots of the shared folder Media Sentry discovered on KaZaA. Apparently, Thomas had her hard drive replaced at Best Buy after receiving settlement letters from the record labels. So it turns out that the “forensic examination” that was done was done only on the new hard drive which did not contain any traces of KaZaA but did contain music files. So they had almost no real evidence. The replaced hard drive looks suspicious and explains why the questions that I would expect to be answered by a forensic expert were not answered. However, that still does not prove the case. And the Geek Squad supervisor testified that her hard drive was replaced for legitimate reasons.

In addition it turns out that the defense had originally retained a computer forensics expert. What happened with that? The plaintiff called him as a witness but apparently he didn’t say much. It could be that the old hard drive was trashed or destroyed and that there was no way for the forensic expert to examine anything that would find anything that could help (or hurt) Thomas.

Does the old hard drive exist? Did the plaintiff try to compel it from the defendant? Without it, especially since it was proven that it was replaced for legitimate reasons, I don’t see how they could win. But then juries are unpredictable.

In the end, I think that Jammie Thomas got the best defense that her money could buy. A legal defense is expensive (even a bad one) and computer forensic experts are even more expensive. Thorough forensic analysis of electronic evidence was not done and the defense put the defendant up against the plaintiff’s expert to refute his findings instead of an expert. The defense proposed possible scenarios that the jury probably didn’t even understand instead of at least demonstrating that the scenarios are possible. A computer forensic expert’s findings early on could have provided the defense with enough information to decide whether to settle or to go to trial. Instead, they relied on the “I’m innocent – do the math” defense and it didn’t work.

I think that this a sign of bad things to come especially for innocent people that can’t afford a proper defense.

It is important to mention that opinions expressed in this blog are in no way the opinions of my employer.

You might also be interested in:

• Capitol Records vs. Jammie Thomas Revisited
• The Curious Case of Julie Amero