To learn more about our e-discovery,
computer forensic, forensic accounting or computer security services or
discuss a specific matter
In a Federal False Claims case involving prescription fills and refills by a pharmacy benefits manager traditional analysis methods had proved ineffective at finding instances of non-compliance. Fordham advised counsel about how computerized auditing techniques could be used to perform a hundred percent audit and find the non-compliant transactions without having to use the defendant's software or duplicate its computer systems. In the process Fordham advised counsel on the forms of ESI that would be required and how such data should be described and requested in Rule 34 production requests for electronic data.
The data that was produced as a result of the production requests, involved more than 30 database tables containing over 1 billion rows of data and representing production data for more than 100 million prescription fills and refills with their related billing data.
Fordham reviewed contract requirements to understand the performance requirements, the basis for penalties and establish an auditing baseline. As a result of his review, Fordham designed software tools to:
While the defendant had claimed its compliance errors were few and amounted to only about $8,000 in penalties, Fordham's computerized audit uncovered several hundred thousand compliance failures that resulted in a settlement of over $150 million, which, at that time, was one of the ten largest healthcare recoveries under the False Claims Act. (back to top)
In what started as a tortuous interference complaint lodged by a former employee, Fordham was provided with the former employee’s laptop computer that he improperly took with him at his departure and did not return until after the former employee's first deposition. Fordham was asked to search the computer's contents for documents meeting certain search criteria of trade secrets.
Fordham's efforts uncovered numerous deleted files and e-mails evidencing considerable usage of the machine after the former employee’s departure despite his representations to the contrary. In fact, the recovered data evidenced date markings in e-mail chains extending up to just prior to the computer's production. Interestingly, the active data and file system depicted only occasional usage of the machine over the two years prior to its production.
One of the deleted items recovered was the log file of a wiping program memorializing the names of files that were of considerable interest to the litigation. The timing of the file wiping as memorialized in the log file coincided to the submission date of the former employee's interrogatory answers claiming that those files did not exist.
Apparently, all of the evidence items that were recovered had not only been deleted prior to the computer’s production but the entire drive had been reformatted and its state returned to that captured in a system backup performed years prior. The system clock was then changed to a few different dates during the intervening period and minimal operations performed in order to provide the look of limited usage.
As a result of Fordham's findings and the former employee’s feeble explanations, like the wiped data was of no substantive value, the Court granted our client’s motion for sanctions, entered a default judgment in favor of our client’s counterclaim, and dismissed the former employees claims with prejudice. (back to top)
In a SEC investigation Fordham forensically imaged 45 computer hard drives and restored 40 backup tapes in order to locate documents and e-mails meeting keyword search terms and date limitations.
Files meeting the criteria were produced in Concordance load files containing native documents, fully extracted text and metadata as well as other attributes specified in the government’s production request.
Non searchable files were converted to searchable formats including password protected files whose protections were removed prior to searching. (back to top)
A client became suspicious that their network had been hacked and someone was accessing and reviewing confidential information. Fordham confirmed that someone was indeed accessing their network. There was no malware, however. Rather, Fordham tracked the activity to a particular user account and removed it. During subsequent activity monitoring the account came back, however. The activity monitoring revealed that the account was being created through a trust that existed between the client’s domain and another domain. The trusted access was being used to re-access the network and re-create the user account even after the account had been removed and deleted. The trust had been created during a prior period domain migration. It had never been broken and was now being used by a former employee for mischief. (back to top)
Fordham was retained to examine personal computers, network servers and other storage devices for instances of a former employer’s documents at the new employer and then remove them in accordance with a court ordered protocol.
Over a weekend Fordham examined nearly 200 devices using proprietary programs that cataloged file system metadata and file hashes of each machine's contents. Those results were then compared to a library of nearly 200,000 documents of the former employer. The process identified about 20 machines, including servers, of the new employer that contained thousands of instances of the former employer’s documents. Those machines were then imaged and subjected to more comprehensive forensic analysis.
More detailed examinations of the machines having documents with matching hashes revealed that the matches were comprised of both proprietary and non-proprietary documents of the former employer. Interestingly, even the non-proprietary documents were stored in file paths matching those of the former employer that included unique folder names like clients, completed projects and current employee names of the former employer. (back to top)
In a trade secrets case, the Court granted Fordham 90 days to access more than 13 terabytes of the defendant’s computerized data to search and produce evidence of purloined trade secrets.
In that effort Fordham forensically imaged 20 computer hard drives, restored 80 backup tapes and then searched and examined millions of documents and over 9 million e-mails with attachments for active, deleted and modified versions of trade secret documents and information that had been retained and used despite the defendant’s representations to the contrary. (back to top)
A bank employee e-mailed Personally Identifiable Information (PII) about mortgage holders to their home e-mail address just prior to their departure for a new job. Fordham reviewed their historical computer activity including e-mail, attached devices and other data transfer and storage methods and determined that this instance was the only one that had occurred and that the amount of PII that was being sent was too large for the e-mail system and that it had become hung without ever leaving the bank's network. (back to top)
In a trade secrets case Fordham was selected as the neutral e-discovery expert. In that capacity we collected, preserved and searched the ESI of both parties on about 40 machines that equaled about 6 terabytes of data.
The search was conducted in accordance with a consent order formalizing the search protocol that included active and deleted space as well as all document types. Unsearchable files were converted to a searchable format and protected files were unprotected so that they could be searched.
After filtering the search results to exclude unlikely document types, we produced over 100,000 documents and e-mails for each side. The documents converted to about 3 million TIFF image pages. The image files, native files, extracted text, extracted metadata and various other attributes were produced in Summation load files. (back to top)
As the recompetition for a large, multi-year government contract approached, an ambitious competitor enticed the incumbent's program manager to switch companies.
After leaving the incumbent for an unspecified opportunity, Fordham examined the computer of the former employee and found that four thumb drives had been used to copy pricing data along with other staffing and management plans of the incumbent for the follow-on contract.
Web based e-mail communications were also retrieved from the Windows swap file that revealed weeks of exchanges between the former employee and management at the new employer regarding the recompete and a presentation meeting about the recompete's capture strategy that was planned a few days after the departure of the former employee.
After examining imaged hard drives of the new employer's management team, Fordham determined that files of interest had been shared on several other thumb drives between the former employee and the new company management. Fordham was also able to determine that critical media such as personal computers of key personnel, external storage media like hard drives and the shared thumb drives, and network servers containing files of interest had not been preserved despite specific and expressed instructions in a preservation letter.
The jury awarded our client all of its requested trade secret damages. (back to top)
In a wrongful termination case the terminated employee developed a counter claim for uncompensated overtime for work performed at home on his personal computer. The employee was asked to deliver his computer for forensic examination in order to validate his claims.
Fordham detected numerous anomalies in the hard drive artifacts that suggested a recently constructed device with a prepared presentation.
At deposition the former employee was questioned about Fordham's findings. With each explanation subsequent anomalies became harder and harder to explain. Finally, the employee admitted that this was not the original drive on which he had performed his work. In fact, he had been so concerned about the forensic examination that the original drive had been physically mutilated, deformed and then melted with a blow torch. (back to top)
The network of a doctor’s office was left unprotected and was thought to have been hacked by an outside entity based on unusual system activity. Fordham was asked to review the network and determine whether the network had been hacked and whether Protected Health Information (PHI) had been compromised. While Fordham was able to confirm the system had been breached there was no indication that PHI had been compromised. (back to top)
In a construction claim involving power generation, the Plaintiff detected omissions in the owner’s document production. Fordham was retained by the owner to review the originally collected electronic data, the Concordance database and production efforts performed by the owner’s e-discovery vendor, including processing logic and production tools, to identify document omissions.
Any shortcomings were then cross referenced against the Plaintiff's productions as well as those by third parties in order to identify those omissions that actually could have resulted in prejudice. Hash comparisons of omitted documents to produced documents were widely used as a basis to differentiate substantive omissions from non-substantive omissions.
We even developed software that could be used by the owner to evaluate for relevance and privilege document ranges identified by the Plaintiff as containing potentially missing documents. (back to top)
In a trade secrets case the former employer's expert had opined that the former employee had created CDs of company proprietary data prior to returning the computer.
Fordham reviewed the expert's report and the evidence he had considered. Fordham determined that the expert had misinterpreted the CD drive activity and that other artifacts related to the files in question actually confirmed that the files had not been copied at all.
At deposition and when questioned about the meaning of the other artifacts and the meaning of CD drive activity, the expert withdrew his opinions. (back to top)
After examining the hard drive of a laptop used by a former employee at its new employer, Fordham detected that a key pricing model of the former employer existed on a USB flash drive and had been viewed from the new employer's laptop.
When the flash drive was produced it was completely filled with vacation photos. Fordham was able to confirm that, while taken several years before, the photos had been placed on the flash drive in the time between the device's production request and its actual production.
In addition, when other computers were produced, Fordham was able to confirm that the same USB flash drive had been used on those computers as well and the pricing model that had existed on the drive had been viewed. Most important was that while the new employer had developed its own pricing model, the timing of the former employee's view of the former employer's pricing model was while developing bids on new projects while using the new employer's pricing model. The former employer's pricing model was being used to validate the new employer's bids on new projects. (back to top)
An opposing expert was asked by opposing counsel to examine application metadata of certain electronic documents and opine that their create dates post dated the expiration of a former employee's non-compete and intellectual property ownership agreement. While the create dates confirmed their creation after expiration of the non-compete and intellectual property ownership agreement, Fordham noticed that other metadata indicated that the documents had actually been inherited from ones covered by the non-compete and intellectual property ownership agreements. In other words, when creating the documents in question the former employee had started with these earlier documents, made changes to them and then saved the results in a new document name.
At his deposition the opposing expert was not familiar with the significance of the other application metadata that revealed the historical lineage of the documents. He had been asked by opposing counsel for an opinion with a very limited scope, which he claimed was all that he was providing.
As a result of the weaknesses in the opposing expert's findings and since the data used in his analysis was actually supportive of our client's claims, his report was never used by opposing counsel and he never testified at trial. In the end, therefore, his work did not advance their case and one could say that he cost too much. (back to top)
In a securities fraud matter, Fordham was retained to review the computer systems of the securities firm and assess those worthy of preservation and likely containing responsive data.
The secure nature of preserved data required extensive identification and decryption of encrypted files and e-mail attachments so that they could be searched for documents responsive to agreed protocol criteria. In addition, there were very tight schedule limitations that were challenged by slow performing, third party appliances on which the securities firm has stored its data to meet SEC data retention requirements. (back to top)
An AMLAW top 50 firm involved the FBI and retained West Coast forensic talent in a case portrayed as an employee theft of thousands of sensitive trade secret documents worth billions of dollars.
Based on the schedules and exhibits in the complaint alone, Fordham realized that the sensitive documents claimed to have been taken were not even available to be taken at the time and in the manner described in the complaint.
After reviewing an image of the former employee's hard drive Fordham's assessment of the Plaintiff's case was that it was severely overblown. Not only were there timing issues as initially observed, Fordham's forensic analysis determined that the method of the theft claimed by the Plaintiff's did not exist nor did other methods that they subsequently advanced. In addition, the absence of other indicators and evidential artifacts was substantial, since there was not one single artifact evidencing the existence, access or use of the sensitive documents from anywhere other than the former employee's computer. (back to top)
Prior to hiring a new employee, the Defendant took steps to have their devices cleaned of all documents related to the prior employer's business by a forensic expert. Fordham took exception to the methods and identified several flaws.
Upon review of the devices in accordance with Fordham's proposed protocol, more than 30,000 of the former employer's documents were found buried in what had been represented as personal documents like family photos and household related documents. In addition, procedures claimed to have been followed by the expert to prevent previously deleted documents from being recovered were shown not to have been performed on all devices. (back to top)
Flash drives requested by Plaintiff counsel were produced. Prior to forwarding them to their forensic expert, Plaintiff counsel spent several months examining them on their own.
After reviewing Plaintiff's expert report and copies of the device images, Fordham noticed that the devices and their contents had been significantly altered while being examined by Plaintiff's counsel but prior to imaging by the Plaintiff's forensic expert. Fordham showed where files had been altered, new files created and then copied from the flash drives, and even the file system metadata data stamps reflected dates after production of the devices on more than 99.4 percent of still active files. In short, the devices were no longer authentic and the damage so extensive that they had no evidentiary value other than for spoliation. (back to top)