Monday, December 14, 2009

Ghost v. EnCase

I could have entitled this post “battling computer forensic software programs.” It’s about a discovery dispute in a criminal case that centered around two such programs: EnCase and Ghost.


The case is State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), and it arose when Robert Dingman was charged with 21 counts of theft and 33 counts of money laundering in violation of Washington state law. I’m not going to summarize the facts that supported each count, because they’re redundant. Instead, I’m going to summarize the facts and charges in a few representative counts:

Dingman owned a business called Quality Home Enclosures (QHE), which installed residential sunroom additions. Starting in March 2001, he distributed sunrooms manufactured by Four Seasons. . . .


On June 6, 2001, Kent and Joyce Sharpe entered into a contract with QHE for a Four Seasons sunroom. They gave Dingman a $15,000 deposit. . . . On February 27, 2002, they paid him $7,652.75 for materials. In March, Dingman began preparing the site for the sunroom, and he poured a concrete slab by April 18. QHE did no further work. Four Seasons ultimately installed the sunroom. Count I, theft. . . .


Georgia and Louis Murphy entered into a contract for a sunroom on September 21, 2001. They gave Dingman a $10,000 deposit. On October 13, they gave him an additional check for materials. QHE did limited work at the site by August 2002, but then its work ceased. Count VII, theft. . . .


June and Wilford Gosnell entered into a contract with QHE for a sunroom in July 2002. On July 20, they paid Dingman $13,600. Count XLVIII, money laundering. . . .


Dree Snider and Liesl Bohn contracted for a sunroom in July 2002. They . . . Count LI, money laundering. . . .

State v. Dingman, supra. You get the idea. Dingman went to trial and was convicted of 16 counts of theft and 11 counts of money laundering, after which he appealed. State v. Dingman, supra.


His primary argument on appeal was that the “trial court erred in ruling on his discovery motions” and therefore “denied him an opportunity to prepare his defense.” State v. Dingman, supra. As I noted in an earlier post, the purpose of discovery is to make the trial as fair and efficient as possible; in criminal cases, discovery is designed to give the defense access to the information it needs to rebut the prosecution’s case. If you’re interested, you can read more about criminal discovery here.


Here is how the discovery issue Dingman raised on appeal came up during the pretrial process: Dingman moved for access to

his seized computers' hard drives to create his own mirror images, or receive mirror images of the drives in a readable format. . . . [T]he State created mirror image copies of the drives using the EnCase program.


At argument on the motion, Dingman asserted that neither his computer forensic expert nor defense counsel had access to the EnCase program. His expert, Larry Karstetter, testified that a copy of the program cost $3,607. Karstetter said that he did not use the program because it was created for use by law enforcement, and he expressed concern that its search function could contain inherent bias against the defense. He added that in all other cases in which he needed hard drive copies, the State provided the copies to him in a readable (non-EnCase) format.


The State's witnesses included Detective Gregory Dawson, who created the EnCase mirror image file for the State. He expressed two reservations about providing Dingman with the hard drives: the program, Ghost, used by Dingman's expert, could produce an inaccurate copy of the drives and the hard drives could be damaged because they had not been used for some time. Dawson stated that his office had a license to use Ghost but that he did not use it for forensic investigations.


In summarizing Dingman's request to the trial court, defense counsel stated that he merely wanted the discovery in a format that the defense and its expert could use. He gave this example:


‘The State has translated the computers into Farsi, a foreign language that we don't speak, and asked us to take Farsi because that's what they decided to do and it was convenient and maybe very wise on their part. Well, we don't want it in their language, your Honor. We want the discovery as it existed in Mr. Dingman's computers and as it still exists in Mr. Dingman's computers.’


He added that the State already had an exact copy of the files . . . so it could easily detect if either Ghost or the age of the computers somehow altered the evidence.


The State countered that it did ‘not need to conform its investigation . . . to the whims . . . of the defense.’ . . . It added it had never had a problem with providing the copies of the files -- in EnCase format -- to the defense. . . .

State v. Dingman, supra. The trial judge denied Dingman’s motion and ordered the prosecution to give EnCase copies to the defense. State v. Dingman, supra. He found

that the Ghost program would not provide an accurate image of files contained in the single Redundant Array of Independent Disks (RAID)-configured computer. It also noted that the EnCase search function, criticized by the defense, was not the only search program available.

State v. Dingman, supra. Dingman sought, and was given, a continuance to allow his experts to analyze the EnCase copies; when he needed more time, his attorney asked for another continuance, submitting affidavits from two experts in support of the motion:

Dingman's expert submitted an affidavit stating he was only able to review two of nine drives and, for the two examined, he encountered files that he could not yet open.


The Department of Assigned Counsel's Information Technology Specialist, Kathleen LaCoste, submitted an affidavit stating defense counsel had purchased a new hard drive, submitted it to the State, and received 77 folders and 4,868 files on the drive from the State. She also said the EnCase program is ‘not usable without program specific training.’ . . . She told the trial court no one in her office or the entire Pierce County computer support office was trained to use EnCase. She stated that the office had not purchased EnCase and that she had viewed some of the EnCase files using a 30-day trial version of another program, Mount Image Pro Software. This software could support the EnCase images, but it did ‘not substitute as an operating system that will actually run any of the associated programs required to open a specific file.’. . .

State v. Dingman, supra. The trial court denied the motion for another continuance and Dingman went to trial. On appeal, he relied on the rule I discussed in that earlier post: the prosecution’s obligation to give the defense access to documents, data and other tangible evidence that is within its possession.


In ruling on his argument, the Court of Appeals cited a federal district court decision which held that to satisfy this discovery requirement, a defense expert should be able to “‘utilize his or her hardware or software.’” State v. Dingman, supra (quoting United States v. Flinn, 521 F.Supp.2d 1097, 1101 (U.S. District Court for the Eastern District of California 2007)). The Dingman court concluded that under the Washington Supreme Court’s interpretation of Washington criminal discovery law, the state was required to show “a need for appropriate restrictions before the trial court can limit a computer forensic expert’s analysis of a defendant’s hard drive to only the State’s chosen software format.” State v. Dingman, supra.


The court ultimately found that the prosecution had not done that in this case:

[A]ny potential alteration to the hard drives’ original condition that the Ghost software might cause can be detected because the State has the EnCase mirror image copies. Moreover, the State has a license to use Ghost. The State's remaining related objections, that the conversion to Ghost would be time consuming and that it need not conform discovery to Dingman's whims, are insufficient to overcome the goal of open discovery set out in [State v. Boyd, 160 Wash.2d 424, 158 P.3d 54 (Washington Supreme Court 2007)].

State v. Dingman, supra. The Court of Appeals therefore held that the trial court “erred by requiring that the State provide only an EnCase mirror image of Dingman’s hard drives to the defense.” State v. Dingman, supra. It found that the remedy for the error was “to reverse and remand for a new trial”, which is exactly what it did. State v. Dingman, supra. Since the Washington Supreme Court declined to review the propriety of this decision, it stands as final. See State v. Dingman, 166 Wash. 2d 1037, 217 P.3d 783 (Washington Supreme Court 2009).


I wasn’t able to find any news stories about what happened next. I assume the state is either going to try Dingman again on similar charges or maybe they’ve worked out some kind of plea bargain.

1 comment:

Susan Brenner said...

Thanks for the link. I heard about the decision yesterday and did a post, which I'm going to put up shortly.

I'll work on the links. I've been having trouble with Blogger . . . links are SUPPOSED to be light yellow.