Software CSI -- Effects of Computer-Resident Evidence September 12, 2008 Southern California...

Software CSI--

Effects of Computer-Resident Evidence

September 12, 2008Southern California Software Process

Improvement Network (SCSPIN)

John Cosgrove, P.E., Fellow NAFECosgrove Computer Systems Inc.

[email protected], www.CosgroveComputer.com

Cosgrove Computer Systems Inc. 2

Outline

Part I - Computer Issues 3 Part II – Doing the Work 8 Example Case

13 Summary

14


Part I – Computer Issues

Computer Issues Impacts on Litigation E-Discovery & New Federal Rules ESI Evidence - Software CSI


Computer Issues

Most evidence is computer resident Volume of billions & trillions (GB & TB) common Automated assistance required

Computer Forensics Computer evidence handling

Chain of custody CSI-type bag & tag – ESI version

Data recovery - deleted and archived Establishing authenticity - Metadata

Electronic discovery – new Federal Rules Electronically Stored Information (ESI) defined


Impacts on Litigation Most cases involve ESI in some way Electronic discovery standards

New Federal Rules for E-discovery – 12/1/06 May need to help counsel write subpoena for

discovery of evidentiary data Standard-of-Care not yet established

Legal name for process maturity Projects with computer components

E.g., Water system SCADA Computer-aided-design


E-Discovery New Fed Rules -12/1/06

“…most court battles … some electronically-stored information.“ (ESI)

Includes electronic documents as discoverable Recognizes need for special guidance for e-

documents E-documents often exponentially larger in

magnitude Context, environment, collateral content, etc.,

often critical Special rules for non-active (i.e., deleted) files


ESI Evidence – Software CSI

Computer evidence handling Separate issue from E-discovery Chain-of-custody rules for electronic data

E.G., ESI version of “bag and tag” Rules for computer evidence

Forensic software at work – why Encase? Inherently invisible evidence Protect integrity of evidence

Adapt legal precedents for authenticity Avoiding being challenged -- reproducibility

Added Issues in Criminal Proceedings Establish reliable common evidence baseline


Part II -- Doing the Work

Litigation Fact Finding Finding the Critical Facts in Gigabytes Making Technical Issues

Understandable Subpoena wording Example case


OpinionMyselfMyself

Tech↔ Legal Translator

Tech↔ Legal Translator

Issues, Timelines, Narratives

Domain

Expert

Domain

Expert

Data

ExpertD

ata

Expert

Data

ExpertData

Expert

Allegations, counterclaimsAllegations,

counterclaims“Crushing” amounts of Emails, Documents,

Records

“Crushing” amounts of Emails, Documents,

RecordsE

xtra

ctio

n E

xper

t

Ext

ract

ion

Exp

ert

Data, deleted and otherwiseData, deleted and otherwise

Source – M Chock

Litigation Fact-finding


Finding the Critical Facts in Gigabytes

Size matters Tools and techniques must match size Analogy with foundation of multi-story building

Information may be buried in GB of unsearchable print-image files Common tactic by opposition

Document “provenance” lost Metadata is electronic provenance Subtle modifications can occur

Organizing data and extracting meaning 10s of Ks of project emails, status, etc Use appropriate tools – SSs, character analysis, etc.


Making Technical Issues Understandable

Legal concept of “Teaching the court” Insist on foundation building with technical issues

Problem is magnified for jury trials Creative use of analogies is effective

Example of analogy to explain buffering Show complex event interactions in timelines - SS

Make explanation separate from proof Avoid MEGO (My Eyes Glaze Over) Separate Summary opinion from fully substantiated Analysis

with references Plausible explanation section often useful for counsel


Subpoena wording

All information for Project #x, dates 12/0x - 3/0y.

Any form such as paper, scanned images or ESI files. ESI form preferred (Fed. Rule)

If Electronic Media - disk drives or tape storage Attributes - “metadata” must be included Database (e.g. emails) or log-file entry – entire file

with context Custom Application (e.g. AutoCAD) issues


3rd Party interactions

Reverse engineering

Misuse of names

Discouraging customers

WorkaroundsDelayed

developmentSlow paymentsAgreement

Anderson, Smith, Henry, Garcia, Harper, Levy

12/02

Owens

Email April 25, 2002 Re Notes.tif

Conference Call March 13, 2003.tif

Missing: dates

customers bought product

validation process.tif

Levy, England, Green, Day, others

Undated

Owens

8/02

Development Analysis Log.tif

Exhibit 39.tif

Delivery of beta product

4/02

11/02Missing:

any agreed schedule

Customer Support.tif

Implenentation Guide.tif

Haney, Rodriguez

Missing: Dates for ß these à documents

3/03

Owens; 3rd party: Singh

Agreement.tif

Missing: product

relationship other

products

Rodriguez

Implenentation Guide.tif

Example Case – Show Chronology of Issues


Summary

Computer Technology is involved in most litigation Trend is for this to increase

Some computer skills needed in most technical cases: Find the relevant evidence Organize the complexity Interpret the meaning

Software CSI -- Effects of Computer-Resident Evidence September 12, 2008 Southern California...

Documents

Transcript of Software CSI -- Effects of Computer-Resident Evidence September 12, 2008 Southern California...