Forecast 2014: eDiscovery and Forensics

eDISCOVERY AND FORENSICS Intel Corporation Steve Watson

description

The preservation and production of electronically stored information (e-Discovery) is a requirement of the American Federal Rules of Civil Procedure (FRCP). As corporate information moves to the cloud, fulfilling these requirements becomes more challenging for enterprises that operate in the USA. Beyond e-Discovery, organizations often need to undertake forensic examination of assets in order to determine the nature of an attack or to pursue internal investigations. This session will discuss e-Discovery and forensics from an enterprise perspective and a framework by which companies subject to these requirements can operate with cloud providers.

Transcript of Forecast 2014: eDiscovery and Forensics

Page 1: Forecast 2014: eDiscovery and Forensics

eDISCOVERY AND FORENSICS

Intel Corporation, Steve Watson

Page 2: Forecast 2014: eDiscovery and Forensics

DISCLAIMER

The opinions expressed and materials shared in this presentation are my own and may not reflect the opinions, policies, nor procedures of my employer.


Page 3: Forecast 2014: eDiscovery and Forensics

BACKGROUND

Current industry practitioner with 7 years of experience related to these topics.

PhD research student of Digital Forensics focused on new and emerging technologies.


Page 4: Forecast 2014: eDiscovery and Forensics

ODCA WHITEPAPER

Session will review some key concepts of the whitepaper.

Explore some specific challenges with an industry practitioner.

Q/A of how we might address the challenges.


Page 5: Forecast 2014: eDiscovery and Forensics

WHY ARE WE TALKING ABOUT THIS?

eDiscovery and forensics affects all of our companies – subscribers and providers.

Industry, academia and regulators are struggling with these challenges.

New ideas in this space will be needed to solve the challenges.


Page 6: Forecast 2014: eDiscovery and Forensics

DEFINITION OF TERMS

eDiscovery

• aka electronic discovery, e-disclosure, and electronic disclosure
• ESI – electronically stored information (data)

Forensics

• forensic science
• digital forensics
• investigations
• digital evidence (data)

It’s all about the data!

Page 7: Forecast 2014: eDiscovery and Forensics

EDISCOVERY

What is “Discovery”?

When does “eDiscovery” occur?

What do I need to know as a cloud provider or subscriber?


Page 8: Forecast 2014: eDiscovery and Forensics

SUBPROCESSES TO HIGHLIGHT

Preservation and Collection sub-process

• Keep the data from going away (preservation).
• Collect a copy of the data to provide for the matter (collection).

Search and Review sub-process

• Narrowing the data down to the data relevant to the legal matter.
• Legal directed activity.
• Even if completed by technical individuals (subscriber or provider), this is directed by legal teams.
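The preservation and collection sub-process above turns on one practical question: can you later show that the copy provided for the matter is the data as it existed when it was preserved? The script below is an added example, not code from the presentation or from the ODCA whitepaper. It collects a directory tree into an evidence folder, hashes the source and the copy, writes a manifest recording who collected what and when, and then re-verifies the manifest so that any later alteration or loss of a collected file is detected. The sample mailbox export, the evidence path and the collector identity are all constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(source_dir, evidence_dir, collector):
    """Copy every file under source_dir into evidence_dir and write manifest.json.

    Each copy is hashed after writing and compared with the source hash, so a
    truncated or corrupted copy fails loudly instead of being produced later.
    evidence_dir must not be inside source_dir or the walk would collect itself.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for root, _dirs, files in os.walk(source_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            src_hash = sha256_file(src)
            shutil.copy2(src, dst)  # copy2 keeps the source modification time for timelines
            if sha256_file(dst) != src_hash:
                raise RuntimeError(f"copy of {rel} does not match its source")
            st = os.stat(src)
            entries.append({
                "path": rel,
                "sha256": src_hash,
                "size": st.st_size,
                "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    manifest = {
        "collector": collector,  # placeholder identity, recorded for chain of custody
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source_dir),
        "files": entries,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(evidence_dir):
    """Re-hash every collected file against the manifest; return (path, problem) pairs."""
    with open(os.path.join(evidence_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    problems = []
    for entry in manifest["files"]:
        p = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(p):
            problems.append((entry["path"], "missing"))
        elif sha256_file(p) != entry["sha256"]:
            problems.append((entry["path"], "modified"))
    return problems


def demo():
    """Constructed sample: collect two files, verify, alter one copy, verify again."""
    work = tempfile.mkdtemp(prefix="ediscovery-demo-")
    src = os.path.join(work, "mailbox_export")  # constructed sample source tree
    os.makedirs(os.path.join(src, "inbox"))
    with open(os.path.join(src, "inbox", "msg1.eml"), "w", encoding="utf-8") as f:
        f.write("Subject: constructed sample\n\nbody\n")
    with open(os.path.join(src, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("constructed sample notes\n")
    evidence = os.path.join(work, "evidence")
    manifest = collect(src, evidence, collector="analyst@example.invalid (placeholder)")
    clean = verify(evidence)  # expected: no problems right after collection
    with open(os.path.join(evidence, "notes.txt"), "a", encoding="utf-8") as f:
        f.write("altered after collection\n")
    tampered = verify(evidence)  # expected: notes.txt reported as modified
    shutil.rmtree(work)
    return len(manifest["files"]), clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is what a legal team can hand to the other side: a file list, hashes, sizes, source timestamps, the collector and the collection time. Storing the manifest (or its hash) somewhere the evidence folder's owners cannot rewrite is what makes the later `verify` step meaningful.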


Page 9: Forecast 2014: eDiscovery and Forensics

EDBP MODEL

Electronic Discovery Best Practice work flow model

Page 10: Forecast 2014: eDiscovery and Forensics

[EDRM model image]

Page 11: Forecast 2014: eDiscovery and Forensics

WHAT ABOUT FORENSICS?

There may be data about the incident unavailable to the cloud subscriber.

The cloud provider may need to assist in accessing and collecting the data relevant to user or administrative activity.


Page 12: Forecast 2014: eDiscovery and Forensics

INVESTIGATIONS REQUIRING FORENSICS


Subscriber: Accessible data limited to what the provider has granted access to.

1. Subset of full data related to subscriber account.
2. User created data.
3. User activity data (limited).
4. User social media data.
5. Limited access to preserve or collect.

Provider: All of the subscriber accessible data. Plus…

1. Subscriber account information.
2. Full user created data.
3. Administrative data.
4. Provider access data.
5. Malware activity.

Page 13: Forecast 2014: eDiscovery and Forensics

BIGGEST CHALLENGE

The gap between data accessible to the subscriber and data accessible to the provider is the biggest challenge for investigations.

How do we close the gap without revealing the provider’s intellectual property or other subscribers, or compromising their security and networks?


Page 14: Forecast 2014: eDiscovery and Forensics

TAKEAWAYS

It’s not if, it’s when.

Remember the preservation piece of eDiscovery.

Contractual agreement between provider and subscriber.

How do we close the gap for forensic investigations?


Page 15: Forecast 2014: eDiscovery and Forensics


Page 16: Forecast 2014: eDiscovery and Forensics


© 2014 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

Page 17: Forecast 2014: eDiscovery and Forensics

ADDITIONAL RESOURCES

Draft NIST IR 8006, “NIST Cloud Computing Forensic Science Challenges”

The Sedona Conference, Commentary on Cloud Computing (DRAFT)


Page 18: Forecast 2014: eDiscovery and Forensics

ATTRIBUTION:

Slide 9. EDBP model image courtesy Ralph Losey, www.edbp.com.

Slide 10. EDRM model image provided by EDRM.net.
