Anton Piller Orders have been available as an option for litigators for quite some time (the first such order was issued in the case of Anton Piller KG vs Manufacturing Processes Limited in 1976). However, until lately, the issuance of an Anton Piller Order was quite rare. The relatively recent introduction of digital evidence into litigation, combined with digital data’s volatile nature, has led to a significant increase in motions for Anton Piller Orders.
Introduction
An Anton Piller order is an order made by the court to search and seize in a civil action, and is used by a would-be plaintiff as a precursor to instituting proceedings. Anton Piller applications are made ex parte, which means they are made on behalf of only one party, without notice to any other party. The purpose of an Anton Piller Order is to seize property before there is an opportunity to alter or destroy it. It should be noted that given the significant intrusion these ex parte court orders authorize, they are granted with great caution and must be executed with the utmost care.
Electronic evidence involved in a typical Anton Piller Order can include single personal computers, laptop computers, workstations, servers, Personal Digital Assistants (PDAs) and any other type of device that can store digital information. The proliferation of low cost, high capacity removable storage devices means that nothing should be overlooked in regards to what might contain relevant electronic evidence. These are considerations that a computer forensic examiner must be keenly aware of when assisting bailiffs, Court Appointed Inspectors, or Independent Supervising Solicitors (ISS) in the execution of these orders.
Unlike computer technicians, most seasoned computer forensic examiners have been in many different situations and have faced a multitude of media types, PC configurations and network layouts. They can count on their expertise, equipment and proven methodology to get through even the toughest assignments.
Once the groundwork has been laid and the premises secured, the computer forensic examiner will work in tandem with the Court Appointed Inspector, ISS, or bailiff to ensure that the identification, collection, preservation and ultimately, if needed, analysis of the evidence, is performed in a forensically sound manner that will stand up to scrutiny in court.
Identifying Relevant Electronic Evidence
Prior to execution of the Anton Piller Order, the examiner should meet with the Plaintiff’s counsel, Court Appointed Inspector, ISS, and/or Bailiff in order to define the scope. Ideally, a written plan of action should be produced, listing the contact information of all parties, the responsibility of each member of the team, and guidelines as to what can be considered relevant.
On the day of the execution, the team will typically meet near the address of the Defendant. The ISS, Court Appointed Inspector, or Bailiff will serve the order. Most Anton Piller Orders have a provision to allow the Defendant time to consult with counsel before the seizure begins. The Defendant does not usually have the right to refuse the seizure, and can only delay it for a specified period of time while consulting with his counsel. During this time, the Court Appointed Inspector, ISS or Bailiff will remain on the premises to ensure that no alteration or destruction of the evidence is performed.
Once admitted onto the premises by the Court Appointed Inspector, ISS or Bailiff, the computer forensic examiner will begin identifying and documenting the electronic evidence deemed relevant by the Order and defined at the pre-execution meeting. If the examiner encounters an electronic device and is not sure if it meets the requirements to be deemed relevant, he will consult with the Court Appointed Inspector, ISS or Bailiff, who will make the final determination.
The examiner must use a method that ensures that each piece of evidence is uniquely identified. Photographs of the evidence, both in situ and after seizure, should be taken. All available details identifying the device, such as the manufacturer, model, serial number, and any other identifying marks, must be noted. All connections between the device and other devices must be recorded, along with any other notable observations.
A typical Anton Piller action may involve multiple locations. In these cases, care must be taken to ensure that the location of the evidence, both its address and its location within that address, is recorded.
Digital evidence is not limited to personal computers. Other media, such as floppy diskettes, CDs, DVDs, USB thumb drives, iPods, MP3 digital music players, as well as any other digital storage device considered relevant, should be identified and catalogued as part of the collection process. The Court Appointed Inspector, ISS or Bailiff will typically rely on the computer forensic examiner to identify all sources of relevant electronic evidence, within the requirements of the Anton Piller Order. For instance, video game consoles can be modified to act as data repositories or servers. A Court Appointed Inspector, ISS or Bailiff might not necessarily associate this kind of device with digital evidence. The computer forensic examiner must “think outside the box”, to ensure that the identification and collection is comprehensive and thorough.
Forensic Acquisition
Depending on the requirements of the Anton Piller Order, the Computer Forensic examiner may be required to forensically acquire all digital evidence to ensure that it is preserved in a state that will not allow unintentional alteration, ensuring that the evidence can later be authenticated as a true and accurate copy of the original. The acquisition process must be performed in a forensically sound manner. Digital data, by its very nature, is volatile and easily altered. Simply turning on a computer can alter its digital data, possibly rendering that evidence inadmissible in court. Because of this fact, the Computer Forensic Examiner will employ specialized hardware and software, combined with a detailed and proven methodology, to ensure that NO data is altered during the forensic acquisition process.
Regardless of the original source device, digital data is typically acquired to a forensic image stored on a hard drive. The contents of the forensic image can be authenticated as an exact copy of the original through a method known as MD5 Hash comparison. MD5 Hash is a publicly available algorithm that produces a unique signature based on the contents of the raw data contained on a digital media device. The data in the forensic image can be validated by simply comparing the MD5 Hash of the original device to the MD5 Hash of the data contained in the forensic image.
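The hash comparison described above, as an added example that is not part of the original article: it streams a source and its image in fixed-size blocks, compares the digests, and shows that a single flipped bit in the image is detected. The file names and sample data are constructed stand-ins for real media, and SHA-256 is computed alongside MD5 as an addition here, since MD5 collisions can be constructed deliberately.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never load into memory


def hash_stream(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} over the raw bytes at path (opened read-only)."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_image(source_path, image_path):
    """Hash source and image; 'match' is True only if every digest agrees."""
    src, img = hash_stream(source_path), hash_stream(image_path)
    return {"source": src, "image": img, "match": src == img}


def demo():
    """Constructed sample: a 3 MiB 'device', a faithful image, and an altered image."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")        # hypothetical names
    good = os.path.join(workdir, "image_good.dd")
    bad = os.path.join(workdir, "image_altered.dd")
    data = bytes(range(256)) * (3 * 4096)  # constructed stand-in for raw media
    for path in (source, good):
        with open(path, "wb") as fh:
            fh.write(data)
    altered = bytearray(data)
    altered[len(altered) // 2] ^= 0x01  # flip a single bit mid-image
    with open(bad, "wb") as fh:
        fh.write(bytes(altered))
    return verify_image(source, good), verify_image(source, bad)


if __name__ == "__main__":
    for result in demo():
        print(result["match"], result["source"]["md5"], result["image"]["md5"])
```

On a real acquisition the source path would be the original device read through write-blocking hardware, and the resulting digests would be recorded in the examiner's notes.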
Dates and times are often an issue when it comes to digital evidence. As such, the computer forensic examiner should record the date and time setting of the device’s internal clock. Care must be taken to ensure that this is done in a manner that will not alter the data on the original device.
In most cases, the requirements of the Anton Piller Order will necessitate that the Court Appointed Inspector, ISS or Bailiff take possession of all seized evidence. This would include any hard drives containing forensic images acquired on site. The computer forensic examiner should ensure that proper chain of custody documentation is filled out, so that possession of the evidence can be traced.
Chain of Custody
Being able to determine who had access to evidence is always important in Anton Piller Orders. However, chain of custody takes on a whole new dimension when electronic evidence is involved. Typically, an Anton Piller order will specify the type of evidence to be collected. This could include data stored in digital form. Rarely will an Anton Piller Order specify that all data stored in digital form is relevant. The forensic imaging process cannot image a portion of a hard drive – in order to ensure integrity and authenticity, entire hard drives (or any media device, for that matter), must be imaged. Since the imposition of a forensic image forces the collection of potentially non-relevant, or even privileged information, it is of paramount importance that a clear chain of custody be maintained.
Nowhere is this more clearly demonstrated than in Celanese Canada Inc. v. Murray Demolition Corp ((2004), 244 D.L.R (4th) 33). After the Anton Piller Order was executed, the plaintiff and their solicitors viewed many of the electronic documents on the hard drives. Since privileged communications between the Defendant and their counsel were read by the Plaintiff’s counsel, the court ended up dismissing the Plaintiff’s counsel (this is under appeal at the moment). A clear chain of custody, backed by appropriate documentation, will ensure that the integrity of the evidence is maintained, and avoid any claims of going beyond the scope of the Anton Piller Order.
Conclusion
Digital evidence imposes special conditions upon the execution of an Anton Piller order. The collection and preservation of digital evidence needs to be carried out in a forensically sound manner that ensures that the original evidence remains unchanged. It is not enough to start a computer and copy relevant files to a separate disk, or to simply “Ghost” a machine hoping to get all the data needed. Since the nature of digital evidence collection can result in the acquisition of non-relevant and/or privileged information, proper chain of custody documentation is a necessity. The volatile nature of digital data requires that the handling of the evidence, both before and after it has been acquired, should be left to experienced computer forensic professionals.