e discovery mallareddy 20160213

e-Discovery

Upload: nullowaspmumbai

Post on 15-Apr-2017


Page 1: E discovery mallareddy 20160213

e-Discovery

Page 2: E discovery mallareddy 20160213

Agenda

• Computer Forensics vs. e-Discovery
• Case studies
• Terminology
• EDRM (Electronic Discovery Reference Model)

Page 3: E discovery mallareddy 20160213

Speaker’s Profile

MALLA REDDY DONAPATI
Security Enthusiast, Forensicator and Trainer
M.Sc Information Security & Computer Forensics
dmred1
http://infoseclabs.blogspot.in/

Page 4: E discovery mallareddy 20160213

e-Discovery

“Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.”

Data are identified as potentially relevant by attorneys and placed on legal hold. Evidence is then extracted and analyzed using digital forensic procedures, and is reviewed using a document review platform. Documents can be reviewed either as native files or after a conversion to PDF or TIFF form. A document review platform is useful for its ability to aggregate and search large quantities of ESI.

Page 5: E discovery mallareddy 20160213

Why e-Discovery?

• 90% of documents created today are in electronic format.
• 90 billion or more business emails are sent and received each day.
• The majority of information these days is electronic and can potentially be sought as evidence in a court of law.
• Additionally, with the sheer amount of data available and regulatory and legal compliance requirements continuing to evolve, organizations face new challenges when it comes to information retention and governance.

Page 6: E discovery mallareddy 20160213

e-Discovery

• The primary focus of standard e-discovery is the collection of active data and metadata from multiple hard drives and other storage media. Litigation can be supported by active data (information readily available to the user, such as e-mail, electronic calendars, word processing files, and databases), or by metadata (that which tells us about the document’s author, time of creation, source, and history).

Computer Forensics

• The goal of computer forensics is to conduct an autopsy of a computer hard drive – searching hidden folders and unallocated disk space to identify the who, what, where, when, and why from a computer. A significant amount of evidence is not readily accessible on a computer; when this occurs, a computer forensic examination is necessary.

Page 7: E discovery mallareddy 20160213

Bank of America fined $10 million, 2004

Following an investigation into trading by Bank of America and a former employee, the SEC (Securities and Exchange Commission) ordered Bank of America to pay a fine of $10 million after they “repeatedly failed to promptly furnish” email and gave “misinformation”.

Coleman Holdings v. Morgan Stanley, 2005

Morgan Stanley was ordered to pay over $800 million in damages when they repeatedly failed to produce emails in a timely manner. The judge in this case stated that “efforts to hide its emails” were evidence of “guilt”.

Page 8: E discovery mallareddy 20160213

Terminology

• ESI (Electronically Stored Information)
• Custodian
• Harvesting
• De-duplication
• Metadata
• Spoliation
• Legal Hold
• Document Retention Policy

Page 9: E discovery mallareddy 20160213

ESI – Electronically Stored Information

Page 10: E discovery mallareddy 20160213

What Forms Does ESI Take?

• Text based - .doc .pdf .txt .wpd .xls .ppt .html
• Images - .bmp .gif .jpg .tiff
• Moving Images - .avi .mov .flv .mpeg .swf .wmv
• Sound - .au .mp3 .mp4 .ra .wav .wma
• Web Archive - .ar .mhtml .warc
• Email - .pst .ost .msg .dbx .eml .mht

Page 11: E discovery mallareddy 20160213

Data and Metadata

• Data – content of an email or document
• Metadata – encompasses all the information about a document that is not visible to the user
  • ESI created
  • ESI modified
  • Custodian
  • To, From, CC, BCC
  • Date & time email was sent
  • Subject
  • Date or time received

Page 12: E discovery mallareddy 20160213

EDRM

Page 13: E discovery mallareddy 20160213
Page 14: E discovery mallareddy 20160213

EDRM (contd.)

• Identification
  • Locating potential sources of ESI & determining its scope, breadth and depth
• Preservation
  • Ensuring that ESI is protected against inappropriate alteration & destruction
• Collection
  • Acquisition of ESI from computers, servers, etc. for further processing and reviewing it for anticipated litigation or government investigation

Page 15: E discovery mallareddy 20160213

EDRM (contd.)

• Processing
  • Involves pre-processing to reduce large sets of collected ESI for further review, production and subsequent use
    • De-NISTing
    • De-duplication (removing duplicate ESI)
    • Filtering by keyword
    • Data or metadata extraction
  • Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.
• Review
  • Evaluating ESI for further relevance and privilege
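The Processing steps above (De-NISTing, de-duplication, keyword filtering, metadata extraction), together with the email metadata fields from the Data and Metadata slide, as an added Python example that is not part of the original slides. It assumes exact SHA-256 matching for both the known-file list and de-duplication; the file names, messages and hash list are constructed, and real De-NISTing would use the NIST NSRL hash set.

```python
import hashlib
from datetime import timezone
from email import message_from_bytes
from email.utils import parsedate_to_datetime

def extract_metadata(raw):
    """Header metadata of an RFC 822 (.eml) message; sent time normalised to UTC."""
    msg = message_from_bytes(raw)
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    return {"from": msg["From"], "to": msg["To"], "cc": msg["Cc"],
            "subject": msg["Subject"],
            "sent_utc": sent.astimezone(timezone.utc).isoformat() if sent else None}

def process(items, known_hashes, keywords):
    """items: (custodian, filename, raw_bytes) tuples -> (review_set, audit_log)."""
    kept, log = {}, []
    for custodian, name, raw in items:
        digest = hashlib.sha256(raw).hexdigest()
        if digest in known_hashes:            # De-NISTing: known system/application file
            log.append((name, "de-NISTed"))
            continue
        if digest in kept:                    # exact duplicate: keep one copy, but
            kept[digest]["custodians"].add(custodian)   # remember every custodian
            log.append((name, "duplicate of " + kept[digest]["file"]))
            continue
        rec = {"file": name, "sha256": digest, "custodians": {custodian}}
        if name.lower().endswith(".eml"):
            rec.update(extract_metadata(raw))
        text = raw.decode("utf-8", errors="ignore").lower()
        rec["hits"] = sorted(k for k in keywords if k.lower() in text)
        kept[digest] = rec
        log.append((name, "review" if rec["hits"] else "filtered out"))
    return [r for r in kept.values() if r["hits"]], log

# Constructed sample inputs (not real evidence or a real hash list).
OS_FILE = b"MZ constructed stand-in for a known operating-system file"
KNOWN = {hashlib.sha256(OS_FILE).hexdigest()}
MAIL_A = (b"From: alice@example.com\r\nTo: bob@example.com\r\nCc: carol@example.com\r\n"
          b"Subject: Q3 contract\r\nDate: Mon, 01 Feb 2016 10:15:00 +0530\r\n\r\n"
          b"Draft contract attached for the audit.\r\n")
MAIL_B = (b"From: bob@example.com\r\nTo: alice@example.com\r\nSubject: Lunch\r\n"
          b"Date: Mon, 01 Feb 2016 12:00:00 +0530\r\n\r\nCanteen at one?\r\n")
ITEMS = [("alice", "system.dll", OS_FILE), ("alice", "a1.eml", MAIL_A),
         ("bob", "b7.eml", MAIL_A), ("bob", "b8.eml", MAIL_B)]

if __name__ == "__main__":
    review_set, audit_log = process(ITEMS, KNOWN, ["contract", "audit"])
    for entry in audit_log:
        print(entry)
    print(review_set)
```

The audit log records why each item left the set, and the surviving copy of a duplicate lists every custodian who held it, so de-duplication does not erase who had the document.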

Page 16: E discovery mallareddy 20160213

• Review
  • Evaluating ESI for further relevance and privilege with or without technology assisted review platforms

Page 17: E discovery mallareddy 20160213

EDRM (contd.)

• Analysis
  • Evaluating ESI for content and context, including patterns, topics, people and discussion
• Production
  • Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms

Page 18: E discovery mallareddy 20160213

Presentation

• Displaying ESI before audiences (at depositions, hearings, trials, etc.), especially in native & near-native forms, to elicit further information, validate existing facts or positions, or persuade an audience.

Page 19: E discovery mallareddy 20160213