What the case is about

Suni Munshani v. Signal Lake Venture Fund II, LP et al. involves Suni Munshani who filed a lawsuit against Signal Lake Venture Fund hereafter called Signal Lake for $25 million for services rendered in raising venture capital for the firm. Mr. Munshani alleges Signal Lake made oral promises for favorable pricing options in Terago Communications stock in return for his raising venture capital for Signal Lake. Mr. Munshani produced a copy of an email sent 08/03/2000 from Mr. Trivedi, CEO of Terago Communications, which supported Mr. Munshani's claim that there was an agreement. Signal Lake claimed the email was forged, and filed an affidavit stating so. Mr. Munshani filed his own affidavit with he court claiming the email to be genuine. The court hired a neutral expert to sort out the truth as to whether the disputed email was forged as Signal Lake claimed, or genuine as Mr. Munshani claimed. After a seven month investigation Mr. Shear, the independent expert hired by the court filed a 147 page report that covered in detail the reason why he believed the email to be forged.

The defendant's position

Believing the disputed email to be forged Signal Lake conducted their own internal investigation into the authenticity of the email and found that an email on a different subject was sent from Mr. Trivedi to Mr. Munshani on the same day as the disputed email. To support their finding that there was no email sent Signal Lake hired the forensic team of Deloitte & Touche to conduct a forensic investigation into the matter. When the forensic investigation of Deloitte & Touche also turned up no indication that an email was sent by Mr. Trivedi, the defendants Mr. Trivedi, and Signal Lake filed an affidavit claiming the disputed email was forged, filed a motion for expedited discovery, and sought an order to preserve all electronic evidence.

The plaintiff's position

Mr. Munshani claims Signal Lake offered favorable stock pricing in Terago Communications in return for his services in raising venture capital for Signal Lake, and filed a lawsuit seeking damages of $25 million for services rendered in raising money for a venture capital fund. Contrary to Signal Lake's position that the disputed email was forged, Mr. Munshani filed an affidavit claiming that he did receive an email from Mr. Trivedi and that the email was "genuine and not altered in any way". As a response to the defendants' motion for expedited discovery Mr. Munshani suggested the court, hire a neutral expert to determine the truth between the conflicting claims.

The computer forensic analyst's findings and methods

The court agreed to Mr. Munshani's recommendation and hired Kenneth Shear of Electronic Evidence Discovery. After an investigation that took seven months, Mr. Shear filed a 147 page report on 09/12/2001 detailing the reasons why, and stating his opinion that the email was "clearly not authentic". The investigation conducted by Mr. Shear examined 33 different pieces of evidence consisting of backup tapes, hard drive images from laptops, servers, external drives, and PCs (personal computers). In the 147 page report submitted to the court, Mr. Shear covered in detail his findings from the evidence at hand that led him to the conclusion that the disputed email was indeed forged. In his report, Mr. Shear pointed to five reasons to support his conclusion that the disputed email that Mr. Munshani provided to the court was forged. Posted below are the reasons.

1. The header information (which every email contains but is unique between emails) from the disputed email matched header information from another message Mr. Trivedi sent on the same day about an entirely different subject. The matching of the header information between the disputed email and the email Mr. Trivedi sent to Mr. Munshani on the same day implied Mr. Munshani copied the header information from genuine email to the disputed email in an effort to make the disputed email appear to be genuine. 2. The message ID on the disputed email (a message ID contains a coded time stamp that each individual email server will place on an email message as it passes through the server on its way to its destination) was inconsistent with what was listed in the message header of the disputed email. 3. The sent and received dates of the disputed email conflicted with the created and modified times of the disputed email as it existed in the Outlook PST file on Mr. Munshani's computer. (An Outlook PST file is an archive on a PC of the sent and received email messages.) 4. There was no evidence in the Terago Communications email server logs that the disputed email was ever sent. 5. There was no evidence that the disputed email was ever sent, or created, on any of the computers Mr. Trivedi used.

In the course of the investigation, Mr. Shear compared the header information between the known genuine email and the disputed email. Mr. Shear examined Mr. Munshani's Outlook PST file and the messages within, he reviewed the email server logs of Terago communications, he examined the forensic images created by Deloitte and Touche, he created forensic images and examined them, and he examined the backup tapes of Mr. Munshani's and those of the email server of Terago Communications. Emails contain more information than just the text of the message; emails also contain the aforementioned header that is unique to each message sent. The email header contains information about addressing, transmission times, information about the servers the email passed through on its way to its destination, and a message ID also unique to every email message and each email server the message passes through. As indicated before in the reasons for Mr. Shear's conclusion that the disputed email was forged, Mr. Shear discovered that the email header of the disputed email was identical to the email header information from another message sent by Mr. Trivedi on the same day. The fact that the disputed email header matched a genuine message indicated in all likelihood that at least one of the messages was forged. That the message IDs on the disputed message were exactly the same as the message IDs of the genuine message for each server that the message passed through was especially telling as there is no way that could happen making it highly likely that the header was copied from one message to the other. Mr. Munshani's Outlook was configured to save both sent and received messages to the Outlook PST file. The message in question was found in the Outlook PST file on one of Mr. Munshani's laptops. An examination of the other messages contained in the Outlook PST file from Mr. Munshani's laptop revealed that the forged message had a creation date of 12/19/2000 as compared to the creation date of 08/03/2000 for another message received on the same day. Additionally the modified date and time of the message was the same as the created date, the only time such a thing would happen would be if Mr. Munshani had never opened the email message. All of the other messages in Mr. Munshani's Outlook PST file show modified times consistent with being read after they were received. An examination of the email transmission logs which were obtained from the backup tapes of the Terago Communications email server through which the alleged message would have gone through showed only the transmission of the message from which the header information was copied and no trace of any other message to Mr. Munshani. On Mr. Trivedi's computer's, the examination turned up no trace of the forged message as ever having been emailed to Mr. Munshani. An examination of Mr. Munshani's email servers revealed that no one preserved the log files, so there was no record that the disputed email ever traversed through Mr. Munshani's own servers. Mr. Shear and his team examined 33 systems total. The systems examined were imaged via both SafeBack and EnCase; the images created via EnCase were done by Deloitte & Touche the firm hired by Signal Lake to conduct their own internal investigation. Mr. Shear and his team placed all of the images on forensically clean drives, and examined them with EnCase. Mr. Shear and his team used text searches consisting of snippets of text from the disputed email and another text search containing the message ID of the disputed message to search the images. The results of the text searches of the images of the remaining equipment turn up hits but none were of evidentiary value, as the hits were in files created or modified before the date of the disputed email. Files that could not be searched using text strings were searched manually and they returned nothing of evidentiary value. Considering the scope of the search the most damning evidence that led Mr. Shear to conclude the disputed email was not genuine was the fact that the disputed email header was identical to that of the genuine message sent by Mr. Trivedi on the same day. Also significant is the fact that there was no trace of the message ever having gone through the email servers of Terago Communications. Mr. Munshani did not dispute the validity of the report and because of his fraudulence, his lawsuit against Signal Lake was dismissed with prejudice and he was forced to pay all legal fees of Signal Lake and the full cost of the forensic investigation.

Lessons learned by the parties (including you!)

Mr. Munshani an obviously educated individual who is technology aware thought he could get away with forging an email, no doubt he has learned otherwise. I imagine that Mr. Munshani has also learned that there is little to hide from a forensic investigator, he may not have tried to hide anything but he certainly saw the lengths that a forensic investigator will go to, to uncover the truth. Additionally sufficient logging or up to date back up tapes would not have helped Mr. Munshani but he certainly saw the value in the practice since Terago Communications practice of logging and keeping good backups contributed a great deal, to their proving the disputed email was forged. Mr. Munshani also knows even if he had been successful in creating a header that looked authentic, they still would have found him out, not only because of the logging of the email as it travels to its destination but also because the sent created and modified times would have been inconsistent with the other emails in his inbox. Terago Communications practice of keeping sufficient logs and a good backup plan was put to the test in this investigation, and they ought to know that if it were not for their practices it would have been more difficult for them to prove the disputed email was forged. Signal Lake learned but admittedly likely already knew that hiring a forensic examiner to conduct their own investigation into the matter was certainly to their benefit, as they would have had proof if requested to backup the claim in their affidavit that the disputed email was forged. If anything, their own investigation gave them the proof to go forward with confidence in their position. In short, they learned that investigating the situation before making a possibly unfounded claim to the court only strengthened their case. Imagine how it would have turned out for Signal Lake had they made the claim the disputed email was forged without checking the facts only to find out they were wrong, it would have turned out very differently for them. Mr. Munshani on the other hand knew he was lying yet persisted in his false claims and we know how it turned out for him. I have reaffirmed my commitment to keep every email I have ever received; this has served me well on more than one occasion because when a person denies having sent you an email you only have to fish the email out of your inbox. I bring up keeping emails because depending on how long the email transmission logs are kept it may be the only proof you have that the email was ever sent. Maintaining a good backup and logging policy on all servers, not just email will serve you well in my opinion because you just never know when you might get called on to produce backup tapes or server logs in relation to a forensic investigation. Also an electronic or handwritten journal maintained for each of your servers will help you recall what work you might have performed on a server if you are ever called on to explain the work you've done and how it might have affected the server. In regards to actual forensics work I have learned that something that seems as innocuous as checking whether an email was actually sent or not can become a pretty large investigation with a very wide scope and will take the efforts of more than one person to complete. I have also noticed that you can work with images that you have not created which places very high importance on documenting the chain of custody because I for one would not want to base my professional opinion on images with a shaky chain of custody. Lastly being able to articulate your findings to non-technical persons is extremely important for a forensic investigator because a clear easily understandable report or testimony will lend credibility your investigation.