In Yoder & Frey Auctioneers v. EquipmentFacts, No. 3:10-cv-0159 DAK, 2013 U.S. Dist. LEXIS 50345 (N.D. Ohio April 8, 2013), the district court denied the defendant’s motions both for summary judgment and in limine. Key to the summary judgment motion was the defendant’s claim that by introducing, through a witness who did not offer an expert opinion, a log that purportedly showed the defendant had committed the computer intrusion at the heart of the matter, the plaintiffs had not made out their case.

Key to the spoliation motion was the defendant’s assertion that said evidence of intrusion came solely from the unauthenticated log, while the plaintiffs destroyed the server and software that were in place at the time of the acts at issue and which generated the log, thus making verification of the log impossible. The opinion fundamentally misunderstands what digital forensic evidence is and when it is required.

Background

The plaintiffs claimed that the defendant, inter alia, violated the Computer Fraud and Abuse Act, a federal criminal statute that, under certain circumstances, allows for a civil cause of action to be brought for violations of the act. The plaintiff, Yoder & Frey, is a heavy equipment auction company that holds an annual auction online as well as an in-person auction in Florida. Until early 2008, the defendant was a technology provider for Y&F’s online bidding system; by February 2010, plaintiff RealTimeBid.com had taken on that role. The plaintiffs claimed that during the February 2010 online auction, the defendant created and accessed fictitious accounts, bid on many items, was the high bidder for 20 items totaling more than $1.2 million and failed to pay for those items.

In support of its claim, the plaintiffs offered three sources of proof discussed by the court. First, an employee of the defendant testified that she registered to be an online bidder for the auction "using the name and banking information of an equipment buyer she had encountered" when the defendant was Y&F’s vendor, "without that buyer’s consent."

Second, the defendant’s owner testified that during the online auction, he logged in with both an old administrative account and various equipment buyers’ accounts to ascertain, on behalf of the buyers, whether the new system was having technical difficulties.

Finally, the defendant’s controller offered, as proof of the improper transactions, text-based log files (approximately 30 million lines) generated by the auction software and the server on which it resided. The logs purported to record transactions where the bidder used the defendant’s unique Internet protocol (IP) address, i.e., the address assigned to access the Internet and send and receive messages on it. The defendant, however, did not offer the actual auction software or the server for inspection to the plaintiffs, as their outside consultant had destroyed the server and software as it had existed in February 2010. Thus, the defendant moved for summary judgment on the CFAA count, reasoning that without this evidence, the plaintiffs could not make their claim, and that by destroying it, Y&F had committed spoliation.

The Court’s Reasoning

The court began by noting that to prevail in its motion for relief on the ground of spoliation, the defendant would have to show that Y&F had an obligation to preserve the destroyed server and auction software, such duty arising from its known relevance to the plaintiff. The court denied relief to the defendant because it found that the defendant had not "demonstrated the relevance of the server system [preserved] in its February 2010 running state."

The court noted that central to the defendant’s argument was that the sole manner of determining whether it accessed the online bidding system and placed the specific bids was through examination of the software and server, which Y&F had destroyed. The court, however, disagreed, finding that because the aforementioned testimony of the Y&F employee and owner "provided evidence of the system’s access and the bid placement without the live running system," it somehow proved the plaintiffs’ claim.

This evidence, coupled with the testimony from Y&F’s controller that its bidding software tracked the winning bidders and was able to trace the bids to the defendant’s IP address, allowed the court to conclude that the defendant’s argument that Y&F lacked "evidence on its claims without the live running 2010 system" was "without merit."

More importantly, the court also rejected the defendant’s claim that having the running system and software, or a forensic image thereof, was "essential to its defenses" (against the allegation that in digital terms, it broke into the system), "‘including whether the software and hardware worked correctly, produced reliable data, was inappropriately accessed by a third party, or simply analyzed incorrectly by plaintiffs.’"

Concluding that the defendant had not shown that "the hardware and software running at the time of the 2010 auction" was "evidence relevant to either Y&F’s claims or its defenses," the court denied the defendant’s motion to sanction the plaintiffs for not preserving the server and its software.

The Court’s Reconsideration

The defendant moved for reconsideration. In denying that motion, the court applied the same reasoning it had used to deny relief initially.

The court characterized the defendant’s argument as "stress[ing] a number of weaknesses in the plaintiffs’ evidence," instead of pointing to "some specific piece of evidence that the plaintiffs should have preserved but actually destroyed." The defendant should have pointed to "a particular log file or a specific dataset as relevant to its defenses," while, instead, it argued that "plaintiffs should have preserved the running computer system, including the hardware and software (or, at least, a forensic image of that)."

The defendant’s proffered reason for such preservation was that its expert needed "a forensic image of the system to extract the full log files, look for evidence of tampering, determine whether the software creates accurate log files and look for viruses," i.e., to look for the very "specific piece of evidence" the court faulted it for failing to produce.

While crediting this argument as "not entirely without merit," as the defendant could have shown, through "its analysis of the running system," that the "system was prone to keep inaccurate records," the court nevertheless rejected it as being speculative at best. Likewise, it downplayed the defendant’s objection that the logs were admitted through Y&F’s controller, who neither could nor did supply the expert testimony needed to show the reliability of this evidence.

Analysis

The court’s initial mistake was in failing to appreciate the nature of the evidence presented. The 30 million lines of text-based log files that purportedly recorded the transactions were just that: text-based files, i.e., files that could be easily altered, such as Word or .TXT files, with no way of tracing their alterations.

Unlike other log files, these were not generated in a way that would prevent a common user from altering them. Thus, their authenticity, and not just their accuracy, was always an important issue that the court did not require the plaintiffs to address. Readers of this column who send files via the Internet that they do not want altered (who does not do this?) will electronically "print" such files as PDFs or similar files before sending, so as to guard against the recipient altering them. That same concern, so obvious in everyone’s usage of text-based files, was of no concern to the court.

Furthermore, the court mistakenly separated the log from the application that generated it and the server environment in which the application resided, because that log is simply not "evidence" unless it is understood within the context of that application and server. Absent someone who can explain what the log is, how it was generated, what steps were taken in its generation to guarantee accuracy and what steps were taken post-generation to maintain its integrity — i.e., who can explain the application used to generate the log and has the expertise to provide that explanation — the log is just a series of symbols.

Yet the plaintiffs’ failure to offer, in the testimony of the controller or elsewhere, an expert opinion as to the authenticity of the log and the reliability of the software that generated it did not trouble the court, as it well should have. As well, the evidence presented by the other witnesses did not make up for the lack of authentication of the log. At best, it simply established that one of the defendant’s employees had registered for the auction under the name of another bidder and that the defendant’s owner had accessed the online bidding system at the time of the auction — evidence that the defendant was in the neighborhood (the court favored analogies to criminal investigations), but hardly evidence that it was the burglar.

Given, then, that the log’s authenticity could be established only within the context of the software that generated it, and that Y&F had destroyed the software and the server in which it resided, the court’s assertion that it could not find spoliation because it did not "find some specific piece of evidence that the plaintiffs should have preserved but actually destroyed" is, to put it politely, hard to fathom. By destroying the software application and server and not preserving a forensic image prior to destruction, Y&F deprived the defendant of any means of testing the accuracy and authenticity of the logs.

The logs, to be of any value, had to have been offered as forensically sound evidence. It is the hallmark of forensic evidence, of any scientific evidence (if the logs were not offered as "scientific" evidence, they would be worthless ab initio), that such results can be verified and replicated; ask anyone who claims to have solved the riddle of "cold fusion."

The plaintiffs’ failure to offer such evidence should have resulted in summary judgment and their destruction of the purported source of the very evidence needed should have resulted in their being sanctioned for spoliation.

Conclusion

Most matters involving ESI do not raise forensic issues. Most e-discovery matters concern themselves with what the emails and e-docs said, as the issue in pre-computer days was what the paper documents said. The sole reason forensic imaging arises in such cases is when there is a strong claim that the producing party did not preserve and collect its ESI properly.

In the instant matter, however, forensic evidence was at the heart of the plaintiffs’ claims — hardly a surprise when the claim is, in lay terms, that the defendant hacked into the plaintiffs’ online bidding system.

In such a case, it is obvious that the plaintiffs must prove the authenticity of their forensic evidence and the defendant must be able to test that evidence forensically. The court’s inability or refusal to see these basic points is, at best, confounding, and marks an unfortunate step backward in the progress the courts and the bar have made in understanding what is at stake with regard to digital evidence.

Leonard Deutchman is general counsel and administrative partner of LDiscovery LLC, a firm with offices in New York City, Fort Washington, Pa., McLean, Va., Chicago, San Francisco and London that specializes in electronic digital discovery and digital forensics.