e-Discovery Team ®

This is another summer rerun and update to one of my favorite sanctions opinions involving disk-wiping software and a lawyer representing himself. The lawyer in question, Krause, was a debtor in bankruptcy who was caught destroying evidence. United States v. Krause (In re Krause), 2007 WL 1597937, 2007 Bankr. LEXIS 1937 (Bankr. D. Kan. June 4, 2007). He used a popular software program called GhostSurf to wipe his drives. The case proves the old adage that “a lawyer who represents himself has a fool for a client.” The lawyer used GhostSurf to try to destroy all incriminating evidence from his computers before producing them to the government. His GhostSurf wipeout failed, and he was ordered to jail as a result. This blog concludes by reporting on the opinion of the Tenth Circuit Court of Appeals that came out four years later, on April 1, 2011, and finally put this puppy to rest. United States v. Krause (In re: Krause), No. 10-3012 (10th Cir. 2011).

News Flash to Smart-Alecky Litigants:
Don’t Piss Off a Federal Judge

The bankruptcy opinion in 2007 shows that Judge Grimm was certainly not the first judge to use jail time as a sanction threat in Victor Stanley II. Strong federal judges have been doing this for years in discovery matters. Don’t piss them off.

I saw the jail-threat done quite effectively in a copyright case in the early nineties. It was at the end of an evidentiary hearing on my motion to compel production of paper documents and some other issues. Magistrate Judge David Baker in Orlando concluded the hearing by ordering the production we wanted. Judge Baker is a pretty laid-back kind of guy. A real scholar who used to be at Foley. So the next thing he did caught me by surprise. He added some comments about severe sanctions against defendants if they did not comply with his ore tenus order. I think his words to the opposing party  were something to the effect that if he they did not make the production in three days as ordered, and he had to hear the matter again, that they had better bring their bags with them next time because they could end up spending the night in jail. He meant it too. It was not a joke and the defendants turned pale. Comments like that tend to have a salutary effect on people. In my case the documents were, after months of battle and lame excuses, produced the very next day.

Lawyer Krause Learns to Use GhostSurf

The lawyer-debtor in the instant case owed over three million dollars in back taxes and claimed poverty. He resisted e-discovery at first, but was eventually ordered to produce his computers for imaging and inspection by the government’s forensic experts. Immediately after the court order, the lawyer installed GhostSurf on his computers and used it to super-delete (wipe) thousands of files from his hard drives. This software is designed to allow anonymous internet surfing. It includes an application called “Tracks Cleaner,” which tracks and cleans files in all applications. It is similar in operation to another well-known file shredding program called “Evidence Eliminator” discussed in Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D. Ill. 2003).

The bankruptcy court’s description of GhostSurf’s “super-deletion” functions is very informative. It makes it easier to understand the differences between: (1) simple deletion, where you just delete a file or email one time; (2) “double deletion” where you delete a file, and then also empty the trash; and, (3) “super-deletion”, the method employed by GhostSurfer and other software like it. Super-deletion is designed to meet Department of Defense specifications for total file shredding, beyond the reach of forensic experts. The different types of file deletions and data remanence can be very confusing. The following excerpt from Judge Nugent’s 30-page opinion sheds some needed light on the subject:

GhostSurf is designed to wipe or eradicate data and files as part of its protective and security functions. . . . in such a way that the data is actually overwritten, precluding the ability to recover or restore the files and data. Both experts agreed that when a user “deletes” files from a hard drive, the data remains intact. The act of deletion merely eliminates the “pointer” that allows the computer to locate the data on the hard drive. By using data recovery software, that data may be extracted (as, indeed, some has been in this case). An additional step is necessary to eradicate this data entirely. GhostSurf performs this function by overwriting the file with a new file that contains no bytes of data and is named in a manner inconsistent with Windows operating system naming conventions. Rather than simply eliminating the pointer to the data, the actual recording of the data on the hard disk is erased (like taping over an existing tape recording).

Deleted e-mail leaves a different set of tracks. When a user “deletes” an e-mail in Outlook Express, the “fields” are deleted and sent to the trash or recycle bin. What remains on the hard drive are the HTML internet codes that define the fields, font, graphics, etc. of each message. What also remains is the actual e-mail message. When the trash bin is emptied, the matter itself is deleted. Because e-mail files are internet files, each time they are accessed, a temporary internet file (“temp file”) is created. Thus, even though the e-mail itself is deleted, the temp file remains on the hard drive, unless it is wiped. . . .

Taylor testified that GhostSurf wipes files by searching the hard drive for files that Windows “no longer knows about” because they have been previously deleted, and writing data over those locations with random data to obscure it from undeleting. Once the files are overwritten in this fashion, an undelete utility cannot recover them. . . . According to the GhostSurf User’s Manual, the application may be set to erase files using different strength algorithms. If the weaker algorithms are used, the manual suggests “nearly all” of the targeted files will be erased. In short, GhostSurf is a very powerful tool that Krause could easily have used to purge files and data from his computers before turning them over to the Trustee.

Id. at *5, *7

The popular file wiping program did its job effectively. Following Department of Defense computer file erasure protocols, it erased the files multiple times, rewrote the affected hard drive space with zeros, and set up fake file names. Bottom line, there was no way to recover these files. They were super-erased, and the forensic experts could not restore them. By the way, do you know what well-known computer forensic expert thinks the DOD guidelines are a bunch of malarkey? That once you write over with zeros, or ones, that is enough. It can’t be recovered and there is no point in doing it again, and again. Hint, the expert lives in the city where the next annual Sedona Conference will be held (By the way, if you are going, I’ll see you there. Please grab me and say hello.)

The lawyer here, Mr. Krause, slipped up in at least two ways, and his scheme to destroy evidence was exposed. First, he did not hide his use of the GhostSurf software very well. It was easy for the forensic experts to see how many files were deleted and when (right after the order). Second, a few of the files were not visible to GhostSurf, probably because they were “orphan files,” and so they were not super-deleted by GhostSurf. Id. at *9. As a consequence a few temporary internet email and web browser files were not wiped from on the hard drives. These files showed that the bankrupt debtor had recently traveled to Zurich, Switzerland to pursue investment opportunities, and suggested that he had substantial, secret offshore assets. My, my ….  and we wonder why lawyers have a bad name.

Antivirus Software Histories Sealed the Deal

It is interesting to note that even though the metadata showing dates had been deleted along with the files, the forensic experts were still able to prove that they were very recent, and thus very relevant. They used an ingenious method to date these files. The debtor’s computers used Norton Antivirus software. It keeps its own log of all files checked for viruses when downloaded from the Internet. The Norton logs they located did not have download time information, but the forensic experts were still able to prove that the erased files had been recently downloaded. They could do that because the logs showed that a recent version of the software had been used to inspect these files. Id.

Lawyer Was Given a Choice:
Turn Over the Computer Backups or Go To Jail

When a motion for sanctions for spoliation brought all of this to the attention of the bankruptcy court, the judge gave the lawyer-debtor a choice. He could either turn in backups of his computers that contained the deleted files, or go to jail. Either way the judge also ordered him to turn in his passport, entered a partial default judgment, ordered the repayment of $59,710 to the estate, and entered other sanctions.

To reach this result, the court had to consider and reject a series of excuses offered by the debtor to try to explain the wipe-out of so much evidence from his computers. He offered the classic hard drive crash excuse, and also claimed that he only used GhostSurf for legitimate purposes, a type of routine, good faith destruction argument under Rule 37(e). Here is the actual language of Chief Bankruptcy Judge Robert Nugent in Kansas City disposing of these arguments:

Based upon the evidence presented here, it is clear that Krause (a licensed Kansas lawyer) violated his duty to preserve electronic evidence. He candidly admitted that he never reviewed his hard drives to determine if he had electronic evidence that was responsive to the Government’s RFP. In fact he took the belated and frivolous position that the RFP did not encompass electronic evidence. He continued his routine practice of deleting e-mails. Finally, he made no claim that he deactivated or uninstalled the GhostSurf wiping software program upon service of the Government’s adversary complaint or RFP. Nor is Krause saved by his alleged computer crashes. One, those crashes occurred several months after the adversary was commenced and the Government’s document requests were served. If he had backed-up his computers, he has not been forthcoming with the back-up data or files. Two, once Krause restored the computers, he again installed GhostSurf and ran the wiping program on both computers.

Id. at *20.

Hoist With Own Petard

When a litigant responds to an e-discovery request by installing and using a super-deletion type of software program such as GhostSurf for the first time, they will probably be hoisted by their own petard. An old saying as true today as when it was used by Shakespeare in Hamlet. Once uncovered, this attempt to harm others will instead do great harm to yourself. It will provide compelling proof of intentional destruction of evidence. In the words of the court:

The deliberate and intentional use of a wiping software program such as GhostSurf and the timing of its use further leads the Court to the inescapable conclusion here that Krause willfully and intentionally destroyed electronically stored evidence. Although Krause professed earnest concern for the protection and security of his computer files and personal and financial information, he testified to no incidents where his computer or internet security had been previously compromised while using other standard security software or protective measures (e.g. Norton Antivirus) that were also loaded on his computers. No evidence was presented that these standard non-wiping security protections were inadequate for Krause’s use of his computers. Apparently, no previous experience or incident prompted him to go out and buy a software wiping program such as GhostSurf 2006. Nor was any credible evidence presented that Krause had run GhostSurf or any other wiping software program on his computers at any period of time prior to the commencement of the adversary complaint in November 2005. The Court concludes that Krause purchased the GhostSurf 2006 wiping program after the adversary complaint was filed and after the duty to preserve attached. He installed and ran it. This constitutes a willful or intentional spoliation of evidence.

Id. at *21.

Rule 37(e) Did Not Apply

The producing party here argued that then new Rule 37(e) provided him protection from sanctions because he claimed that his use of GhostSurf was routine, and made in good faith to try and protect his privacy. The lawyer-debtor argued that he always super-deleted his files in this way. The evidence on this was weak at best. The defense was obviously a ruse, as the software was never even installed until after the order compelling discovery. In any event, even assuming he had routinely used GhostSurf before the order, the Rule 37(f) safe harbor would still not apply. In these circumstances, after the Order to produce is entered, and probably well before then, when suit is filed, or even contemplated, the producing party is obliged to suspend such file deletion. In Judge Nugent’s words:

Nor can Krause claim that his use of GhostSurf 2006 was a good faith “routine operation” of his computers. With the 2006 amendments to the Federal Rules of Civil Procedure, a party enjoys a safe harbor from sanctions where electronic evidence is “lost as a result of the routine, good-faith operation of an electronic information system.” Fed.R.Civ.P. 37(f). . . . . .

The undisputed evidence established that Krause’s hard drives were far from being at full capacity thus making it improbable that electronic information was being overwritten or deleted by routine operation of his computers. Just as a litigant may have an obligation to suspend certain features of a “routine operation,” the Court concludes that a litigant has an obligation to suspend features of a computer’s operation that are not routine if those features will result in destroying evidence. Here, that obligation required Krause to disable the running of the wiping feature of GhostSurf as soon as the preservation duty attached. And it certainly obligated Krause to refrain from reinstalling GhostSurf when his computers crashed and he restored them.

Id.

Why Severe Sanctions Were Appropriate

In this case there was strong evidence of bad faith, intentional destruction of evidence, and that the files deleted were crucial to the case. In these circumstances, a court will usually impose severe sanctions on the spoliating party. The reasoning is well explained in this case:

Because no one will ever know what was on those computers before they were wiped and purged with GhostSurf, the Trustee and the Government have been severely prejudiced in the prosecution of their claims against Krause. It may have irretrievably lost relevant and probative evidence that supports their case against Krause. A sampling of some of the orphan files and temporary internet files that the Trustee was able to salvage from Krause’s hard drives suggest that Krause has been engaged in significant internet activity during the pendency of this case related to investments, more involvement with additional entities, use of off-shore contacts and conduits to conduct business and financial activities and trafficking in frozen assets. Because the computers appear to be the “nerve center” of Krause’s business interests, including all of the alleged “sham” entities of which he denies ownership, their alteration significantly harms the Trustee’s and the Government’s ability to go forward and show Krause’s connection. The Trustee has shown enough from the salvaged e-mails and temporary internet files, however, to persuade this Court that the electronic evidence purged by Krause would have been relevant to these proceedings. The Court infers that the lost electronic evidence is relevant, as it is entitled to do, because of Krause’s willful and intentional destruction of it.

Id. at *22.

Intentional, bad faith spoliation misconduct should never be tolerated in any court, but it is especially harmful in bankruptcy proceedings. In my opinion Judge Nugent was correct to react in a strong and forceful manner to protect the integrity of the system. As he explained:

Krause’s willful misconduct with respect to the spoliation of electronic evidence and turnover of his computers cuts to the heart of a chapter 7 bankruptcy debtor’s duties, far more onerous than those of a litigant involuntarily snarled in civil litigation. The Bankruptcy Code and Rules are designed to prevent, not foster, a game of “hide the pea” with the Trustee. The Court has repeatedly warned Krause about the repercussions of not making full, complete, and accurate disclosure and not cooperating with the Trustee. [FN88] The Court has progressively conditioned Krause’s conduct, without success. There is nothing left for the Court to do now but administer sanctions that mirror the egregiousness of his conduct. . . . . The willful destruction of electronic evidence has supported the most severe of sanctions, including entry of judgment against a defendant and dismissal of a plaintiff’s case. [FN89]

Krause’s running of the GhostSurf wiping program after being ordered to produce electronic evidence and before turnover of his computers is simply inexcusable.

Id. at *23.

The bankruptcy court then entered a whole series of sanctions against the debtor-attorney, including an order to turn over information and computers, and gave him ten days to comply. To make it clear that he meant business, Judge Nugent included the promise of jail should the lawyer-debtor fail to full comply:

3. If after a period of ten (10) days Krause has not satisfied the foregoing sanctions:

(a) default judgment will be entered against Krause declaring that the Krause Children’s Trusts I, II, III, IV and V are his nominees and property of the estate subject to turnover; and

(b) a bench warrant will issue for Krause’s apprehension and he will be incarcerated until he complies with these orders.

Id. *25.

After imposing sanctions for spoliation, the court went on to find that the debtor was also in contempt for violation of the court’s original discovery order, and other violations. For this reason, the court also entered essentially the same sanctions based on contempt. Id. at *26-28. Smart move. Makes the order even harder to reverse on appeal.

Conclusion on Appeal

I checked the docket sheet after the entry of this order. It appears that the lawyer-client after that gave himself better advice. The docket indicates that he turned in his passport, produced computers and backups as ordered, and filed an appeal. Then this case entered the world of the Tenth Circuit Court of Appeals. The court eventually issued an opinion in 2011 that is known in tax circles, but escaped the radar of e-discovery law (until now). United States v. Krause (In re: Krause), No. 10-3012 (10th Cir. 2011). On appeal Mr. Krause had some good lawyers representing him, but even the best lawyer can’t make a silk purse out of a sow’s ear. Krause lost again in a lively, well-written opinion by Tenth Circuit star, Judge Neil Gorsuch.

I love how this opinion by Judge Gorsuch (shown right) begins:

Can a taxpayer avoid the IRS by moving money to a “diet cookie” company and then destroying records that might show the company to be a sham? Or by transferring assets to his “children’s trusts” only to use the trusts to pay for his country club membership, buy cars, and fund his lifestyle? The answer, of course, is no. Why this is so takes a bit more explanation.

By the time this case reached the appeals court all issues were joined and the focus was on tax and fraud, with the e-discovery issues only providing background color. I’ll skip over the merits to the only e-discovery mention:

What was clear, however, was this. During discovery Mr. Krause intentionally erased computer hard drives containing the records of both companies. And in the process he violated court orders compelling production of the materials. For this misconduct and after an exhaustive three-day evidentiary hearing, the court entered a sanctions order declaring that it would treat PHR and Drake Enterprises as the “nominees or the alter ego[s] of Krause and . . . thus [the] property of [Mr. Krauses’s bankruptcy] estate and subject to turnover” to the IRS. Aplt’s App. vol. 1, at 176.

After that passing reference to erasure of computer hard drives, the destruction of evidence aspects of the case get lost in the shuffle. The Tenth Circuit focuses instead on the actual merits (gasp) and the complex web of fraud spun by attorney Krause and his family. Bottom line, Krause loses, multiple fraudulent transfers are set aside, and the orders of the bankruptcy judge are affirmed. I’m still not sure if Mr. Krause ever actually went to jail, or even lost all of his money, but I kind of doubt it. If you happen to be in the great state of Kansas or otherwise know the answer, please let us know.

This entry was posted on Thursday, August 25th, 2011 at 8:00 pm and is filed under Forensic Exam, Lawyers Duties, Metadata, New Rules, Spoliation/Sanctions, Technology. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.