e-Discovery Team ®

A debtor in a bankruptcy was recently caught destroying evidence using a popular software program called GhostSurf.  United States v. Krause (In re Krause), 2007 WL 1597937, 2007 Bankr. LEXIS 1937 (Bankr. D. Kan. June 4, 2007).  The debtor was an attorney representing himself.  The case proves the old adage that “a lawyer who represents himself has a fool for a client.”  The lawyer used GhostSurf to try to wipe all incriminating evidence from his computers before producing them to the government.  His GhostSurf wipeout failed, and he was ordered to jail as a result.

The lawyer-debtor owed over three million dollars in back taxes and claimed poverty. He resisted e-discovery at first, but was eventually ordered to produce his computers for imaging and inspection by the government’s forensic experts. Immediately after the court order, the lawyer installed GhostSurf on his computers and used it to super-delete thousands of files from his hard drives. This software is designed to allow anonymous internet surfing.  It includes an application called “Tracks Cleaner,” which tracks and cleans files in all applications. It is similar in operation to another well known file shredding  program called “Evidence Eliminator” discussed in Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D. Ill. 2003).

The bankruptcy court’s description of GhostSurf’s “super-deletion” functions is very informative.  It makes it easier to understand the differences between: (1) simple deletion, where you just delete a file or email one time; (2) “double deletion” where you delete a file, and then also empty the trash; and, (3) “super-deletion”, the method employed by GhostSurfer and other software like it.  Super-deletion is designed to meet Department of Defense specifications for total file shredding, beyond the reach of forensic experts.  The different types of file deletions and data remanence can be very confusing. The following excerpt from Judge Nugent’s 30-page opinion sheds some needed light on the subject:

GhostSurf is designed to wipe or eradicate data and files as part of its protective and security functions.  . . . in such a way that the data is actually overwritten, precluding the ability to recover or restore the files and data. Both experts agreed that when a user “deletes” files from a hard drive, the data remains intact. The act of deletion merely eliminates the “pointer” that allows the computer to locate the data on the hard drive. By using data recovery software, that data may be extracted (as, indeed, some has been in this case). An additional step is necessary to eradicate this data entirely. GhostSurf performs this function by overwriting the file with a new file that contains no bytes of data and is named in a manner inconsistent with Windows operating system naming conventions. Rather than simply eliminating the pointer to the data, the actual recording of the data on the hard disk is erased (like taping over an existing tape recording).

Deleted e-mail leaves a different set of tracks. When a user “deletes” an e-mail in Outlook Express, the “fields” are deleted and sent to the trash or recycle bin. What remains on the hard drive are the HTML internet codes that define the fields, font, graphics, etc. of each message. What also remains is the actual e-mail message. When the trash bin is emptied, the matter itself is deleted. Because e-mail files are internet files, each time they are accessed, a temporary internet file (“temp file”) is created. Thus, even though the e-mail itself is deleted, the temp file remains on the hard drive, unless it is wiped.  . . .

Taylor testified that GhostSurf wipes files by searching the hard drive for files that Windows “no longer knows about” because they have been previously deleted, and writing data over those locations with random data to obscure it from undeleting. Once the files are overwritten in this fashion, an undelete utility cannot recover them.  . . .  According to the GhostSurf User’s Manual, the application may be set to erase files using different strength algorithms. If the weaker algorithms are used, the manual suggests “nearly all” of the targeted files will be erased. In short, GhostSurf is a very powerful tool that Krause could easily have used to purge files and data from his computers before turning them over to the Trustee.

Id. at *5, *7

The popular file wiping program did its job effectively.  Following Department of Defense computer file erasure protocols, it erased the files multiple times, rewrote the affected hard drive space with zeros, and set up fake file names.  Bottom line, there was no way to recover these files.  They were super-erased, and the forensic experts could not restore them.

But, the lawyer slipped up in at least two ways, and his scheme to destroy evidence was exposed.  First, he did not hide his use of the GhostSurf software very well.  It was easy for the forensic experts to see how many files were deleted and when (right after the order).  Second, a few of the files were not visible to GhostSurf, probably because they were “orphan files,” and so they were not super-deleted by GhostSurf.  Id. at *9.  As a consequence a few temporary internet email and web browser files were not wiped from on the hard drives. These files showed that the bankrupt debtor had recently traveled to Zurich, Switzerland to pursue investment opportunities, and suggested that he had substantial, secret offshore assets.

It is interesting to note that even though the metadata showing dates had been deleted along with the files, the forensic experts were still able to prove that they were very recent, and thus very relevant. They used an ingenious method to date these files.  The debtor’s computers used Norton Antivirus software.  It keeps its own log of all files checked for viruses when downloaded from the Internet.  The Norton logs they located did not have download time information, but the forensic experts were still able to prove that the erased files had been recently downloaded.  They could do that because the logs showed that a recent version of the software had been used to inspect these files. Id.

When a motion for sanctions for spoliation brought all of this to the attention of the bankruptcy court, the judge gave the lawyer-debtor a choice. He could either turn in backups of his computers that contained the deleted files, or go to jail. Either way the judge also ordered him to turn in his passport, entered a partial default judgment, ordered the repayment of $59,710 to the estate, and entered other sanctions.

To reach this result, the court had to consider and reject a series of excuses offered by the debtor to try to explain the wipe-out of so much evidence from his computers.  He offered the classic hard drive crash excuse, and also claimed that he only used GhostSurf for legitimate purposes, a type of routine, good faith destruction argument under Rule 37(f).  Here is the actual language of Chief Bankruptcy Judge Robery Nugent in Kansas City disposing of these arguments:

Based upon the evidence presented here, it is clear that Krause (a licensed Kansas lawyer) violated his duty to preserve electronic evidence. He candidly admitted that he never reviewed his hard drives to determine if he had electronic evidence that was responsive to the Government’s RFP. In fact he took the belated and frivolous position that the RFP did not encompass electronic evidence. He continued his routine practice of deleting e-mails. Finally, he made no claim that he deactivated or uninstalled the GhostSurf wiping software program upon service of the Government’s adversary complaint or RFP. Nor is Krause saved by his alleged computer crashes. One, those crashes occurred several months after the adversary was commenced and the Government’s document requests were served. If he had backed-up his computers, he has not been forthcoming with the back-up data or files. Two, once Krause restored the computers, he again installed GhostSurf and ran the wiping program on both computers.

id. at *20. 

When a litigant responds to an e-discovery request by installing and using a super-deletion type of software program such as GhostSurf for the first time, they will probably be hoisted by their own petard.  Once uncovered, such actions provide compelling proof of intentional destruction of evidence.  In the words of the court:

The deliberate and intentional use of a wiping software program such as GhostSurf and the timing of its use further leads the Court to the inescapable conclusion here that Krause willfully and intentionally destroyed electronically stored evidence. Although Krause professed earnest concern for the protection and security of his computer files and personal and financial information, he testified to no incidents where his computer or internet security had been previously compromised while using other standard security software or protective measures (e.g. Norton Antivirus) that were also loaded on his computers. No evidence was presented that these standard non-wiping security protections were inadequate for Krause’s use of his computers. Apparently, no previous experience or incident prompted him to go out and buy a software wiping program such as GhostSurf 2006. Nor was any credible evidence presented that Krause had run GhostSurf or any other wiping software program on his computers at any period of time prior to the commencement of the adversary complaint in November 2005. The Court concludes that Krause purchased the GhostSurf 2006 wiping program after the adversary complaint was filed and after the duty to preserve attached. He installed and ran it. This constitutes a willful or intentional spoliation of evidence.

Id. at *21. 

The producing party here argued that new Rule 37(f) provided him protection from sanctions because he claimed that his use of GhostSurf was routine, and made in good faith to try and protect his privacy.  The lawyer-debtor argued that he always super-deleted his files in this way.  The evidence on this was weak at best.  The defense was obviously a ruse, as the software was never even installed until after the order compelling discovery.  In any event, even assuming he had routinely used GhostSurf before the order, the Rule 37(f) safe harbor would still not apply.  In these circumstances, after the Order to produce is entered, and probably well before then, when suit is filed, or even contemplated, the producing party is obliged to suspend such file deletion.  In Judge Nugent’s words:

Nor can Krause claim that his use of GhostSurf 2006 was a good faith “routine operation” of his computers. With the 2006 amendments to the Federal Rules of Civil Procedure, a party enjoys a safe harbor from sanctions where electronic evidence is “lost as a result of the routine, good-faith operation of an electronic information system.” Fed.R.Civ.P. 37(f). . . . . . 

The undisputed evidence established that Krause’s hard drives were far from being at full capacity thus making it improbable that electronic information was being overwritten or deleted by routine operation of his computers. Just as a litigant may have an obligation to suspend certain features of a “routine operation,” the Court concludes that a litigant has an obligation to suspend features of a computer’s operation that are not routine if those features will result in destroying evidence. Here, that obligation required Krause to disable the running of the wiping feature of GhostSurf as soon as the preservation duty attached. And it certainly obligated Krause to refrain from reinstalling GhostSurf when his computers crashed and he restored them.

Id.

In this case there was strong evidence of bad faith, intentional destruction of evidence, and that the files deleted were crucial to the case. In these circumstances, a court will usually impose severe sanctions on the spoliating party.  The reasoning is well explained in this case:

Because no one will ever know what was on those computers before they were wiped and purged with GhostSurf, the Trustee and the Government have been severely prejudiced in the prosecution of their claims against Krause. It may have irretrievably lost relevant and probative evidence that supports their case against Krause. A sampling of some of the orphan files and temporary internet files that the Trustee was able to salvage from Krause’s hard drives suggest that Krause has been engaged in significant internet activity during the pendency of this case related to investments, more involvement with additional entities, use of off-shore contacts and conduits to conduct business and financial activities and trafficking in frozen assets. Because the computers appear to be the “nerve center” of Krause’s business interests, including all of the alleged “sham” entities of which he denies ownership, their alteration significantly harms the Trustee’s and the Government’s ability to go forward and show Krause’s connection. The Trustee has shown enough from the salvaged e-mails and temporary internet files, however, to persuade this Court that the electronic evidence purged by Krause would have been relevant to these proceedings. The Court infers that the lost electronic evidence is relevant, as it is entitled to do, because of Krause’s willful and intentional destruction of it.

Id. at *22.  

Spoliation misconduct should never be tolerated in any court, but it is especially harmful in bankruptcy proceedings.  In my opinion Judge Nugent was correct to react in a strong and forceful manner to protect the integrity of the system.  As he explained:

Krause’s willful misconduct with respect to the spoliation of electronic evidence and turnover of his computers cuts to the heart of a chapter 7 bankruptcy debtor’s duties, far more onerous than those of a litigant involuntarily snarled in civil litigation. The Bankruptcy Code and Rules are designed to prevent, not foster, a game of “hide the pea” with the Trustee. The Court has repeatedly warned Krause about the repercussions of not making full, complete, and accurate disclosure and not cooperating with the Trustee. [FN88] The Court has progressively conditioned Krause’s conduct, without success. There is nothing left for the Court to do now but administer sanctions that mirror the egregiousness of his conduct. . . . . The willful destruction of electronic evidence has supported the most severe of sanctions, including entry of judgment against a defendant and dismissal of a plaintiff’s case.  [FN89]

Krause’s running of the GhostSurf wiping program after being ordered to produce electronic evidence and before turnover of his computers is simply inexcusable.

Id. at *23. 

The bankruptcy court then entered a whole series of sanctions against the debtor-attorney, including an order to turn over information and computers, and gave him ten days to comply.  To make it clear that he meant business, Judge Nugent included the promise of jail should the lawyer-debtor fail to full comply:

3. If after a period of ten (10) days Krause has not satisfied the foregoing sanctions:

(a) default judgment will be entered against Krause declaring that the Krause Children’s Trusts I, II, III, IV and V are his nominees and property of the estate subject to turnover; and

(b) a bench warrant will issue for Krause’s apprehension and he will be incarcerated until he complies with these orders.

Id. *25.

After imposing sanctions for spoliation, the court went on to find that the debtor was also in contempt for violation of the court’s original discovery order, and other violations.  For this reason, the court also entered essentially the same sanctions based on contempt.  Id. at *26-28.

I checked the docket sheet after the entry of this order.  It appears that the lawyer-client has since given himself better advice.  The docket indicates that he turned in his passport, produced computers and backups apparently as ordered, and filed an appeal.  We will wait to see how this is handled on appeal, and whether the spoliating lawyer is able to remain out of jail.

This entry was posted on Saturday, July 7th, 2007 at 9:31 pm and is filed under Forensic Exam, Metadata, New Rules, Search, Spoliation/Sanctions, Technology. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.