Legal Disclaimer
This presentation shall not be considered legal advice and is only provided as an informational resource. All cited authorities should be verified, updated, and interpreted by your attorney.
Digital Non-Digital
E-Discovery
- Discovery Requests
- Internal Investigations
- Incident Response
- Compliance / Risk Auditing
- Due Diligence
- Data Recovery
- Fax Servers
- Computer Workstations
- Printers
- Laptops
- File Server
- Routers and Firewalls
- Cell Phones and Hybrids
- Hand Held Devices
- Copy / Scanner Machines
- Internet Service Provider
- Remote Workstations
- Voice Message Centers
Data Storage
- Hard drives
- Backup media
- Zip, Jaz, floppies
- CDs / DVDs
- PDAs
- Laptops
- Thumb drives
- Network Folders
- Personal / Corporate Web Storage
Evidence Sources
- Email
- Databases
- File header information
- Alterations
- Hidden comments
- File fragments
- File properties
- OS, application or network logs
- Temporary files
- Relationship/arrangement of files
- Deleted data
- Metadata
- Web activity logs
Data Types
Less Data & More Useful
1. Active
2. Embedded Metadata
3. Archival Individual and Enterprise
4. Residual
More Data & Less Useful

- Timed backup copies and slack
- Temp copies and slack
- Print temp files and slack
- Swap files
- Metadata
E-Discovery
Electronic Data and Documents Are Discoverable
- Deleted and Residual Data are Discoverable. See Antioch Co. v. Scrapbook Borders, Inc., 210 F.R.D. 645, 652 (D. Minn. 2002) ("[I]t is a well accepted proposition that deleted computer files, whether they be emails or otherwise, are discoverable"); Simon Prop. Group L.P. v. mySimon, Inc., 194 F.R.D. 639, 640 (S.D. Ind. 2000) ("[C]omputer records, including records that have been deleted, are documents discoverable under [Rule] 34").
- Metadata are also Discoverable. See, e.g., the ABA's Proposed Civil Discovery Standard 29(b)(ii) ("A party requesting information in electronic form should also consider . . . asking for the production of metadata associated with the responsive data").
- Volume of Data
- Multiple Copies
- Multiple Locations
- Review Time
- Cost Overruns
- Easily Abused
- Is it reasonably obtainable?
- How specific is the request?
- What is the likelihood of success?
- Availability of other sources?
- Does the benefit outweigh the burden?
- Purpose of the data (day to day vs. emergency backup)?
- Cost to gather the data?
- Resources available to requesting party
- 80 hours of formalized forensic training
- EnCE certified or comparable
- Number of cases investigated and frequency
- Type of cases
- Times testified
- Investigation training
- Background
- Do hire an unbiased expert
- Do check out your expert's credentials
- Don't put off hiring your expert
- Don't censor or omit information from your expert
- Don't unnecessarily limit the scope of your expert's work
- Don't try to control your expert's opinion
- Don't wait for the opposition to bring out weak points in your expert's report
- Do prepare your expert for testimony
- Do know exactly what you are looking for
- Do learn about the Computer Forensic profession
Best Evidence Rule
- Physical Image = Best Evidence
- Broderick v. Texas, 35 S.W.3d 67, 79 (2000)
- United States v. Naphorst, (Dist. Ct. NH)

Best Evidence Rule
- Under the Federal Rules of Evidence, there is a specific exemption for computer evidence: "If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original." See Federal Rule of Evidence 1001(3).
- Other jurisdictions may have statutory exceptions as well. See, for example, South Africa's Electronic Communications and Transactions Act 25 of 2002, Section 14.
- Recover Deleted Files (overwritten)
- Copied Files (last access date and time)
- Web Activity
- User Activity
- Key Word Search
- Email Use
- View User Created Files and Databases
- Evidence of File Destruction or Hiding
Computer Forensics
The Two Methods For Conducting Computer Forensic Investigations
1. Stand Alone Static Forensics using EnCase
2. Network Based Forensics using EnCase Enterprise
Static Forensics
- Power off computer and image from DOS
- Remove the hard drive and image with the Windows version of EnCase utilizing a hardware write blocking device
- Image removable media with a Windows version of EnCase and a write protecting device
Network Forensics
- Allow access to data without physical entry into a location
- Computer can remain on and in use
- Preserve and record volatile data
- Easily conduct covert operations
- Avoid power down encryption lock of the entire drive, folders, removable media, etc.
- Quickly preview and acquire a computer over the network from any location
- Easily isolate individual computers from a large network and remotely image computers with a high target value
- Can use scripts to automate the investigation process
- Ability to trace linked events
- Establish a timeline of events
- Pane 1: Shows you the media.
- Pane 2: Groups files by Table, Gallery, Timeline or Report views.
- Pane 3: Select a file in pane 2 and results are displayed by Text, Hex, Report, Picture, Disk or Evidence view in pane 3.
Summary
Litigators practicing in today's digital environment must understand the various ways information can be stored and retrieved not only to ensure compliance with discovery rules, but also to build the best possible case strategy. Failing to do so may not only prejudice their case, but may be malpractice.
Handouts
1. PSD Brochure
2. M&A Data Collection
3. Laying the Foundation of the expert witness
4. Electronic Discovery Checklist
5. Forensic Facts
Further Resources
- Guidance Software White Papers and Recorded Webinars: www.GuidanceSoftware.com
- EnCase Legal Journal: www.GuidanceSoftware.com/corporate/whitepapers/downloads/LegalJournal.pdf
- Other Resources: www.kenwithers.com
- ABA's Proposed Civil Discovery Standards: www.abanet.org/litigation/documents/home.html
Questions?
Albert Barsocchini
Director - Professional Services NW
PSD Counsel
Guidance Software
2100 Powell Street, Suite 100
Emeryville CA 94608-1803
415.760.0154
albert.barsocchini@guidancesoftware.com
PSD Services: Forensic Investigations; Incident Response; Compliance and Risk Auditing; Due Diligence; and Data Collection and Recovery