Wednesday, March 23, 2011

Fraud, Economic Espionage and the Company Laptop

Charges are currently pending in the U.S. District Court for the District of Oregon against Hock Chee Khoo, Thongsouk Soutavong and Shengbao Wu. U.S. v. Hock Chee Koo (sic), __ F.Supp.2d __, 2011 WL 777965 (U.S. District Court for the District of Oregon 2011).


More precisely, all three are charged with conspiring to commit wire fraud in violation of 18 U.S. Code § 1343, economic espionage in violation of 18 U.S. Code § 1832 and computer fraud in violation of 18 U.S. Code § 1030(a)(4). U.S. v. Koo, supra. The conspiracy charge is brought under 18 U.S. Code § 371, which makes it a federal crime to conspire “to commit any offense against the United States.” In addition, Khoo and Soutavong are charged with 3 counts of wire fraud and Soutavong is also charged with 3 counts of economic espionage. U.S. v. Koo, supra. And Wu is also charged with 6 counts of economic espionage and 2 counts of computer fraud. U.S. v. Koo, supra.


Two of the defendants – Khoo and Soutavong – filed a motion to exclude images taken from a laptop and an external hard drive. U.S. v. Koo, supra. Before we can address the motion and the legal issues it raises, I need to outline how the case arose. Here is how the federal district judge who has this case did that in this opinion, based on evidence presented at a hearing:


In September of 2006, Lawrence Hoffman, owner of The Hoffman Group, [a manufacturer and distributor of after-market auto parts], discovered a product for sale on eBay that looked like a type of part his company sold. The product was a vertical door lift. The eBay part was offered under the brand name `Cleanline Motor Sports,’ which was registered by a company called `JES Suppliers, LLC.’ The Hoffman Group's part was called the `130 Degree Lambo Vertical Door Kit.’


Hoffman alerted his company's attorney, John Ramig, and began investigating JES Suppliers. He learned it had been incorporated in Oregon on May 18, 2006 by Wu, Soutavong, and Khoo. Soutavong worked for Hoffman's company in sales and Wu worked for a subsidiary in China, managing the design and manufacture of products there. Khoo was a former employee, who worked in warehouse and shipping.


On September 12, Ramig and Hoffman reported what they knew to the FBI's [Special Agent] Slinkard. Hoffman hired a private investigator who purchased the JES part and learned it was identical to The Hoffman Group's part. The investigator also emailed Wu and Khoo acting as a potential business partner. Hoffman later testified (in a civil action brought by his company) that Wu sent images to the private investigator of products and parts The Hoffman Group had not yet released.


On October 16, The Hoffman Group filed a civil complaint against Wu, Soutavong, Khoo and [Doe] . . . in Multnomah County Circuit Court. Until August 5, [Doe] had operated The Hoffman Group's computer system, with administrator privileges on the computer network. Hoffman believed [Doe] had given the other defendants access to The Hoffman Group's computer data management application, Platipus. The Hoffman Group alleged in the lawsuit that the defendants had obtained and used confidential information and trade secrets to divert business from The Hoffman Group.


On October 17, at Hoffman's request, Wu traveled from China to the United States. Hoffman met Wu at the airport, took him back to the office, and asked Wu to leave his laptop computer (company-owned) with Mark Hansen. Hoffman told Wu Hansen was a company employee who would upgrade Wu's computer.


In fact, Hansen worked for Northwest Countermeasures as a computer analyst whom Hoffman had hired to examine Wu's laptop. When Hoffman and Wu had left the room, Hansen opened a folder named `private’ and moved it to the laptop desktop. Hansen then copied selected parts of the `private’ folder onto a USB external hard drive device using Acronis software (the `Acronis Backup’). This `private’ folder purportedly contained documents relating to JES Suppliers, LLC.


Hoffman took the laptop home and, over the course of two days, periodically booted it up and looked around. He testified he `could have’ moved files, but did not delete files and did not run the defragmentation utility. He made `screen shots’ of a chat program contact list, which he saved to a subfolder in the `private’ folder he named `QQ.’


U.S. v. Koo, supra. On October 18, Hoffman “terminated Wu and Soutavong’s employment” and two days later he took Wu’s laptop to the FBI. U.S. v. Koo, supra.


[T]he FBI had no idea [he] had seized Wu's laptop. . . . Hoffman told Slinkard he booted the laptop up and looked through files while he had [it] at home. With Slinkard watching, Hoffman turned the computer on and copied the `private’ folder to a . . . USB drive. Hoffman gave the computer and the Acronis Backup to Slinkard, [who] checked both into the evidence system on October 20, after which he submitted them to the Northwest Regional Computer Forensic Laboratory (`NWRCFL’) for examination. . . . Between November 3 and November 6, FBI Special Agent Brillhart made an image of the laptop using Forensic Tool Kit software (the `Laptop Image’) and an image of the Acronis Backup (the `Acronis Backup Image’). The FBI kept these images, but returned the actual laptop and the Acronis Backup to Hoffman on November 20, 2006.


U.S. v. Koo, supra (emphasis in original). The defendants were indicted on August 19, 2009, and as noted above, Khoo and Soutavong moved to exclude the Acronis Backup Image and the Laptop Image. U.S. v. Koo, supra.


They claimed neither image was an accurate copy of “Wu’s computer before it was seized.” U.S. v. Koo, supra (emphasis in original). They therefore argued that the images should be excluded for lack of authentication, as required by Rule 901 of the Federal Rules of Evidence. U.S. v. Koo, supra. In response, the prosecution said it intends “to offer the images as duplicates of what the FBI took into custody, and does not intend to offer” them “as proof of what was on Wu’s computer before it was taken by Hoffman and Hansen.” U.S. v. Koo, supra (emphasis in original).


The judge began his ruling on the defendants’ motion by noting that Federal Rule of Evidence 901(a) makes authentication a condition precedent to admitting evidence and states that the requirement of authentication is “satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” U.S. v. Koo, supra. So, under this standard, the government had to produce evidence establishing that the images were duplicates of what the FBI took into custody.


The judge then applied this standard to the Acronis Backup Image and the Laptop Image. He explained that the defendants’ challenge to the Acronis Backup Image was based on their claim that Hansen “could have changed the data prior to making the Acronis Backup; the Acronis software that made the Backup is not a forensic tool and did not capture all the data on the laptop; and the FBI failed to follow standard practices in making an image of the Acronis Backup.” U.S. v. Koo, supra. The judge pointed out that all but one of their arguments went to “the integrity of the Acronis Backup, not the integrity of the Acronis Backup Image.” U.S. v. Koo, supra (emphasis in original). He found that their only argument questioning the integrity of the Acronis Backup Image had to do with the FBI’s alleged failure to follow standard procedures. U.S. v. Koo, supra.


The judge then rejected the defendants’ argument that Hansen and Hoffman “`could have uploaded incriminating information onto Wu's computer, altered the dates associated with that information's uploading, installed Acronis to overwrite the data associated with that change, and then made a selective digital image of the hard drive to turn over to the FBI.’” U.S. v. Koo, supra. He found that there was no evidence that Hansen had the “desire or inclination to change the contents of the hard drive before he created the Acronis Backup and, while Hoffman may have had both the desire and the inclination, Hoffman was not in the room at the time Hansen made the Backup.” U.S. v. Koo, supra. He noted that the fact that it is possible to alter data is insufficient, standing alone, to establish untrustworthiness, i.e., to refute authenticity. U.S. v. Koo, supra.


The defendants also argued that the government could not establish that the Acronis Backup Image was an authentic copy of the Wu laptop before it was seized because the Acronis software did not capture all the data on the laptop:


Acronis captures data on the `logical’ level, as opposed to the `physical’ level. This means it does not capture unallocated space, which is the space holding deleted files and documents until new installations occupy that space. Furthermore, the Acronis Backup Image does not contain the systems files allowing for data and registry analysis and the software is not capable of capturing the `hash value’ of the file. The `hash value’ is a series of numbers that acts as a digital fingerprint; when the hash value changes it means the content of a file has changed. The government does not dispute this characterization of the Acronis software.


U.S. v. Koo, supra. The judge agreed that “Acronis is not a forensic tool” and therefore found that the government (i) “may not argue that the Acronis Backup Image `accurately reproduced the entirety of the electronic data’” on the laptop but (ii) may “argue that the Acronis software produced an accurate `snapshot’ of those files it did capture.” U.S. v. Koo, supra. The judge also noted that as to the absence of dates of creation of the


documents on the Acronis Backup Image, the fact that the Acronis Backup (and therefore the Acronis Backup Image) did not capture the `hash values,’ defendants may argue to the jury that the evidence is not the same as the content on the laptop seized from Wu on October 17, 2006. Defendants may make a similar argument with respect to the failure of the software to capture unallocated space.


U.S. v. Koo, supra. He also found “with a reasonable likelihood that there was no material change in the evidence between Hansen capturing it on the Acronis Backup and the time when it came into the FBI’s possession.” U.S. v. Koo, supra.


Finally, the judge rejected the defendants’ claim that the Acronis Backup Image should be excluded because the FBI “neglected to follow standard industry practice when they made the Acronis Backup Image.” U.S. v. Koo, supra. He explained that as “to the failure to follow . . . standard protocols, defendants have not identified any harm caused by the protocol the FBI used in making the Acronis Backup Image.” U.S. v. Koo, supra. He therefore held that the prosecution had met its burden of showing that the “Acronis Backup Image is a copy of what the FBI received when it took custody of the Acronis Backup. . . . If the evidence is relevant, and the government introduces it with appropriate testimony or circumstantial evidence, the Acronis Backup Image will be received.” U.S. v. Koo, supra.


The judge also found that the FBI's failure to follow standard protocol did not undermine the integrity of the Laptop Image, so it can be admitted at trial “if the government is able to show its relevancy.” U.S. v. Koo, supra. He also found, however, that while the Laptop Image could be admitted as a duplicate of what the FBI took into custody, it could not be admitted as “evidence of what was on Wu’s laptop prior to its seizure by Hoffman.” U.S. v. Koo, supra. The judge explained that Hoffman’s “history” with Wu, including the


fact he had filed a civil lawsuit against Wu the day before he obtained Wu's laptop, raises a question about his motive to change the information on Wu's computer and puts the Laptop Image in a different category from the Acronis Backup Image. . . . [Hoffman] admitted to booting the computer up and perusing its content over . . . two days. . . .


U.S. v. Koo, supra. The judge also relied on evidence the defendants submitted showing that Hoffman “ran the defragmentation utility” and that his “installing the Acronis software (thereby replacing content in unallocated space that could have been captured by the FBI's imaging technology) altered the `contents and data configuration of Wu's hard drive.’” U.S. v. Koo, supra. The judge therefore held that the government had failed to show the Laptop Image was authentic as required by Rule 901(a). U.S. v. Koo, supra.
