Data Collection and Forensics

February 23, 2009

Complaint

Document Acquisition DepositionsReview

DiscoveryBegins

PhotocopyDiscovery

ClosesProduce &

Share

95% Settle

Electronic Discovery

Trial

Coding &Scanning

Electronic Discovery Legal IssuesChain of Custody/Data Integrity

– “Chain of Custody”• Requires that “the one who offers real evidence…must account

for the custody of the evidence from the moment in which it reaches his custody until the moment in which it is offered in evidence.” Black’s Law Dictionary, page 156 (6th ed. Abr. 1991)

– Inexpert handling of electronic media (e.g., open, print, & scan) has serious drawbacks

• Human error• Missing data or inadvertent changes • Time to produce• No detailed audits

Electronic Discovery Legal IssuesElectronic Marginalia

– Simple spreadsheets and word processing files contain an array of formatting elements including:

• comments, headers, hidden rows/columns

– Counsel should proactively ensure the process used provides at a minimum:

• hidden rows and columns uncovered• comments exposed and converted• passwords broken• blank pages eliminated

Electronic Discovery Terms

Metadata

Media

Tape Restoration

Text Extraction

Forensics/Collection

De-duplication

Data Culling

Electronic Discovery Process

Receive Data

Index

Reduce

Search

Convert

Package

Burn

1 - Receive Data

Identify locations of all data and prescribe systematic uniform collection of data

Media is sent in many formats– CD– DVD– DLT– DAT Tape

Media is signed in and a strict chain of custody process begins

2 - Index DataExtractUnzip IndexCopyRename (uniform fashion – while

maintaining data integrity)Capture valuable info. (metadata)Each file is examined to detect any

changes to file extension – possible smoking gun/file – another reason why you cannot “just print

them”

3 - Reduce the Data Set

De-duplication option– Our process ensures accuracy and integrity

• MD5 Hash – “bit” level count

• Bit Level most accurate!!

Filtering Data– Narrow by a specific “date range”

– Uses metadata to eliminate files outside of the

discoverable date range

4 - Keyword Searching

Select keywords or phrases to narrow your search/discovery

Advanced searching using Boolean, proximity, etc.

Responsive files are flagged and continue through the process

Non-responsive files are still preserved

Saves Hours Saves $s

5 - Convert the Data

Full Text of files is extracted

Hidden information is uncovered– rows, columns, changes (if enabled)

– embedded comments exposed

– “electronic marginalia”

Files converted to Tiff or PDF images

6 - Package the Data

Batchload Application Begins

Images bundled and a customized load

file is created for uploading to client

document management system

– e.g., Summation, Concordance, etc.

7 - Burn & Return

Final (of several) quality checks

performed

CDs Burned

Data Integrity still intact

CDs are shipped to client

Data remains on system

Key ConsiderationsAutomation = Integrity & Speed

– Provides Data Integrity – Chain of Custody – Cannot “Just Print Them Out”

– Allows De-duping, Filtering, & Searching to Reduce Data Set

– Uncovers Hidden & Meaningful Data• Examines all files for hidden file types• Hidden Rows/Columns Uncovered• Comments are Exposed• Metadata Uncovered & Searchable• Electronic Marginalia

What is Computer Forensics?

Forensics: Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law.

Computer Forensics: The scientific examination and analysis of data held on, or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.

What can be found as digital evidence?

Correspondence (electronic mail, Instant Messages)

Graphic Files (Child pornography, scanned prescriptions)

Audio Files (voicemail, recorded messages)

Financial Data (Excel spreadsheets, Access databases)

Video Files (home video, web cam, internet videos)

Locations of Digital EvidenceEvidence may be found on the Victim’s computer, as well as the Suspect’s computer.

May be found at the Internet Service Provider (ISP) server level.

The ISP server may be a web server or an email server

The target server(s) may be located in another state or another country.

How Digital Evidence Is ExaminedAn exact, bit-by-bit, copy of the target media is created

After verification, original is placed back into evidence

A variety of forensic software is utilized, which is determined by the scope of the search (i.e. mp3 downloads, emails, digital photographs)

Areas Searched:Files in directories in which the suspect had accessInternet files (TIFs, History, .HTMLs)Registry, which holds programs, names, online links, Operating SystemAnd specific files within the scope of search (i.e. Excel spreadsheets, Word documents)Unallocated Space of the media

Erased Files:A file “deleted” or “erased” is not actually removed from the media

Recycle Bin: file is only renamed

Operating System “sees” the file’s space as available. Pointer to file is removedData may remain is File Slack for yearsOften fully or partially recoverable

Allocated Space vs. Unallocated SpaceAllocated Space: files and data recognized and utilized by the operating system

Unallocated Space: area of the media read as “available space” by the operating system

Allocated SpaceOperating System

Directories, programs, files

Names, dates and times

Easily viewable by most users

Unallocated Space Raw Data

No longer has names, dates or times

Partial or complete files may be recovered

Forensic Computer ExaminationAverage Volume: 12GbGigabyte: 1,073,741,824 bytesSubtotal: 12,884,901,888 bytesPage size: 3000 bytesPages: 4,294,967Ream: 500 pagesReam height: 2”Total Height: 17,180”Total Height in feet: 1431’ 8”Sears Tower (Chicago): 1450’

Recovery from Damaged CD/DVDs

Before After

Recovery from Fire

Recovery from Submersion

Video Forensics