
Computer Forensics

What Every Lawyer Should Know


Presenter: Albert Barsocchini, Esq. Email: Albert.Barsocchini@guidancesoftware.com Phone: 415.760.0154

Legal Disclaimer

This presentation shall not be considered legal advice and is only provided as an informational resource. All cited authorities should be verified, updated, and interpreted by your attorney.

Data = Digital Data


Digital vs. Non-Digital

(Chart: share of digital vs. non-digital information)

Over 93 percent of all information generated in 1999 was in digital format.


(In Re Bristol-Myers Squibb Securities Litigation, 205 F.R.D. 437, 440, fn2 (2002) [citing UC Berkeley Study])

E-Discovery

Electronic Data and Documents Are Discoverable


"Electronic data and documents are potentially discoverable . . . Organizations must properly preserve electronic data and documents that can reasonably be anticipated to be relevant to litigation." The Sedona Principles, Principle 1

"The discovery of electronic data . . . in today's world . . . includes virtually all cases." Zubulake v. UBS Warburg, 217 F.R.D. 309, 317 (S.D.N.Y. 2003)

Where Computer Forensics is Used


Defamation
Computer Crimes
Wrongful Termination
Trade Secret Theft
Intellectual Property Theft
Sexual Harassment
Fraud and Misrepresentation
Breach of Contract
Divorce Proceedings
Misuse of Email
Spoliation of Evidence
Discovery Requests
Internal Investigations
Incident Response
Compliance / Risk Auditing
Due Diligence
Data Recovery

The Digital Office

Fax Servers
Computer Workstations
Printers
Laptops
File Server
Routers and Firewalls
Cell Phones and Hybrids
Hand Held Devices
Copy / Scanner Machines
Internet Service Provider
Remote Workstations
Voice Message Centers

Data Storage
Hard drives
Back up media
Zip, Jaz, floppies
CDs / DVDs
PDAs
Laptops
Thumb drives
Network Folders
Personal / Corporate Web Storage

Evidence Sources
Email
Databases
File header information
Alterations
Hidden comments
File fragments
File properties
OS, application or network logs
Temporary files
Relationship/arrangement of files
Deleted data
Metadata
Web activity logs

Data Types
(From less data and more useful to more data and less useful)
1. Active
2. Embedded Metadata
3. Archival (Individual and Enterprise)
4. Residual

Archival Data Accessible vs. Inaccessible


A seven-factor test to determine whether cost shifting should occur.* The factors are:
1. The extent to which the request is specifically tailored;
2. The availability of such information from other sources;
3. The total cost of production, compared to the amount in controversy;
4. The total cost of production, compared to the resources available to each party;
5. The relative ability of each party to control costs and its incentive to do so;
6. The importance of the issues at stake in the litigation; and
7. The relative benefits to the parties of obtaining the information.
* See Zubulake v. UBS Warburg, No. 02 Civ. 1243 (S.D. N.Y. 2003)

Rationale: It is expensive and time consuming to restore archival media. Should be for emergency use only. No absolute duty to preserve backup media. Should be a last resort after a showing of likelihood of discovering relevant information.

Electronic Data The Hidden Story

Timed backup copies and slack
Temp copies and slack
Print temp files and slack
Swap files
Meta Data

E-Discovery
Electronic Data and Documents Are Discoverable
Deleted and Residual Data are Discoverable. See Antioch Co. v. Scrapbook Borders, Inc., 210 F.R.D. 645, 652 (D. Minn. 2002) ("[I]t is a well accepted proposition that deleted computer files, whether they be emails or otherwise, are discoverable"); Simon Prop. Group L.P. v. mySimon, Inc., 194 F.R.D. 639, 640 (S.D. Ind. 2000) ("[C]omputer records, including records that have been deleted, are documents discoverable under [Rule] 34").

Metadata are also Discoverable. See, e.g., the ABA's Proposed Civil Discovery Standard 29(b)(ii) ("A party requesting information in electronic form should also consider . . . asking for the production of metadata associated with the responsive data").

Problems With Electronic Data

Volume of Data
Multiple Copies
Multiple Locations
Review Time
Cost Overruns
Easily Abused
Accessibility
Informality
Invisibility
Durability
Retention Cost
Meta Data

Will you get the Data?

Is it reasonably obtainable?
How specific is the request?
What is the likelihood of success?
Availability of other sources?
Does the benefit outweigh the burden?
Purpose of the data (day to day vs. emergency backup)?
Cost to gather the data?
Resources available to requesting party?

Best Practices Electronic Discovery


Send Preservation Letter
Do an Initial Discovery flyover
Appoint Neutral Forensic Expert*
Agree on Inspection Protocols
Forensic Analysis, Documentation and Reporting
* If opposing party does its own in-house search, ask for specific instructions on how they complied with the discovery request.

Tips For The Asking Party



Expressly Request Electronic Documents
Narrow the Request
Focus on the Benefit of the Information
Specify the Production Format
Know the Technology or the Technician

How to Respond to an Electronic Discovery Request?


Take Responsibility for the relevant documents
Hire a Forensic Expert
Locate & Preserve computer-based evidence
Document evidence preservation efforts
Evaluate (Jurisdiction issues, Specificity of request, Volume and location of data requested)
Limit by key words, dates, active data
Extract relevant data into a designated folder
Object to it as burdensome, overly broad and cost prohibitive

Still Need a Reason Why to Use a Computer Forensic Expert?


Courts mandate that computer evidence be collected in a forensically sound manner.
Properly recover deleted, hidden and temporary files normally invisible to the user.
Prevent data from being damaged or destroyed (computer evidence is fragile and can be easily erased or compromised).
Safely extract the relevant data.
Preserve the chain of custody.
Avoid business disruption.
Preserve appropriate privileges.

Qualifying the Forensic Expert

80 hours of formalized forensic training
EnCE certified or comparable
Number of cases investigated and frequency
Type of cases
Times testified
Investigation training
Background

Forensic Expert Witness Tips

Do hire an unbiased expert
Do check out your expert's credentials
Don't put off hiring your expert
Don't censor or omit information from your expert
Don't unnecessarily limit the scope of your expert's work
Don't try to control your expert's opinion
Don't wait for the opposition to bring out weak points in your expert's report
Do prepare your expert for testimony
Do know exactly what you are looking for
Do learn about the Computer Forensic profession

Best Practices Forensic Investigation


Define the search (locations and specific material)
Forensically acquire computer data for examination
Preserve original data in exact image
Validate file integrity and preserve chain of custody
Examine and analyze image data files for evidence
Document findings
Court presentation
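As an added illustration of the "validate file integrity and preserve chain of custody" step (this is not EnCase code and is not from the presentation), the script below hashes an acquired image in chunks, checks it against the hash recorded at acquisition, and appends a chain-of-custody entry; the image bytes, file names and examiner name are constructed for the demo.

```python
"""Verify an acquired disk image against its acquisition hash and log a
chain-of-custody entry. Added example, not EnCase or Guidance Software code."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so a multi-GB image never has to fit in RAM

def hash_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image_path: str, acquisition_hash: str) -> bool:
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_file(image_path) == acquisition_hash.lower()

def record_custody(log_path, image_path, examiner, action, acquisition_hash) -> dict:
    """Append one custody entry (who, what, when, hash, verified?) as a JSON line."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "image": os.path.basename(image_path),
        "sha256": hash_file(image_path),
        "verified": verify_image(image_path, acquisition_hash),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def demo() -> tuple:
    """Constructed data: a tiny fake image, its acquisition hash, then one altered byte."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "suspect_laptop.img")  # hypothetical file name
    log = os.path.join(d, "custody.jsonl")
    with open(image, "wb") as f:
        f.write(b"MBR\x00" * 256 + b"memo.docx fragment" + b"\x00" * 512)
    acq_hash = hash_file(image)  # value an imaging tool would record at acquisition
    before = record_custody(log, image, "examiner (hypothetical)", "verify before exam", acq_hash)
    with open(image, "r+b") as f:  # simulate a single byte changed after acquisition
        f.seek(300)
        f.write(b"\xff")
    after = record_custody(log, image, "examiner (hypothetical)", "re-verify", acq_hash)
    return before["verified"], after["verified"]  # (True, False)
```

The second custody entry records the mismatch, which is exactly the evidence an examiner needs to show when and where the image stopped matching the acquisition hash.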

Best Evidence Rule
Physical Image = Best Evidence
Broderick v. Texas, 35 S.W.3d 67, 79 (2000)
United States v. Naphorst (Dist. Ct. NH)

Best Evidence Rule
Under the Federal Rules of Evidence, there is a specific exemption for computer evidence: "If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original." See Federal Rule of Evidence 1001(3).
Other jurisdictions may have statutory exceptions as well. See, for example, South Africa's Electronic Communications and Transactions Act 25 of 2002, Section 14.

Best Evidence Rule

Is a Printout an Accurate Reflection?
"Hard copy paper printout of an electronic document would not necessarily include all the information held in the computer memory as part of the electronic document." (Armstrong v. Executive Office of The President, 1 F.3d 1274 (D.C. Cir. 1993))

What a Forensic Examiner Needs to Know to Properly Investigate a Case



What exactly are you looking for?
Case Type
Names of Parties
Existing Evidence to support Case
Possible Evidence Location(s)
Key words
Events Timeline
Output Format
Continuous Dialog

Finding the Smoking Gun


Examples of the most common investigation requests by attorneys

Recover Deleted Files (overwritten)
Copied Files (last access date and time)
Web Activity
User Activity
Key Word Search
Email Use
View User Created Files and Databases
Evidence of File Destruction or Hiding

Computer Forensics
The Two Methods For Conducting Computer Forensic Investigations
1. Stand Alone Static Forensics using EnCase
2. Network Based Forensics using EnCase Enterprise

Static Forensics
Power off computer and image from DOS
Remove the hard drive and image with the Windows version of EnCase utilizing a hardware write-blocking device
Image removable media with a Windows version of EnCase and a write-protecting device

Network Forensics
Allow access to data without physical entry into a location
Computer can remain on and in use
Preserve and record volatile data
Easily conduct covert operations
Avoid power-down encryption lock of the entire drive, folders, removable media, etc.
Quickly preview and acquire a computer over the network from any location
Easily isolate individual computers from a large network and remotely image computers with a high target value
Can use scripts to automate the investigation process
Ability to trace linked events
Establish a timeline of events

Acquisition and Preservation

Forensic Analysis Using EnCase

Pane 1: Shows you the media.
Pane 2: Groups files by Table, Gallery, Timeline or Report views.
Pane 3: Select a file in pane 2 and results are displayed by Text, Hex, Report, Picture, Disk or Evidence view in pane 3.

What The User Sees

What the Forensic Examiner Sees

Documenting and Reporting

Summary
Litigators practicing in today's digital environment must understand the various ways information can be stored and retrieved not only to ensure compliance with discovery rules, but also to build the best possible case strategy. Failing to do so may not only prejudice their case, but may be malpractice.
Handouts
1. PSD Brochure
2. M&A Data Collection
3. Laying the Foundation of the Expert Witness
4. Electronic Discovery Checklist
5. Forensic Facts

Further Resources
Guidance Software White Papers and Recorded Webinars: www.GuidanceSoftware.com
EnCase Legal Journal: www.GuidanceSoftware.com/corporate/whitepapers/downloads/LegalJournal.pdf
Other Resources: www.kenwithers.com
ABA's Proposed Civil Discovery Standards: www.abanet.org/litigation/documents/home.html
http://californiadiscovery.findlaw.com/electronic_data_discovery.htm
The Sedona Principles: www.thesedonaconference.org/publications_html

Questions?
Albert Barsocchini
Director - Professional Services NW
PSD Counsel
Guidance Software
2100 Powell Street, Suite 100, Emeryville CA 94608-1803
415.760.0154
albert.barsocchini@guidancesoftware.com

PSD Services: Forensic Investigations; Incident Response; Compliance and Risk Auditing; Due Diligence; and Data Collection and Recovery
