Data Collection and Forensics
February 23, 2009
[Litigation timeline diagram: Complaint, Discovery Begins, Document Acquisition (Photocopy; Coding & Scanning; Electronic Discovery), Depositions, Review, Discovery Closes, Produce & Share, 95% Settle, Trial]
Electronic Discovery Legal Issues: Chain of Custody/Data Integrity
– “Chain of Custody”
  • Requires that “the one who offers real evidence…must account for the custody of the evidence from the moment in which it reaches his custody until the moment in which it is offered in evidence.” Black’s Law Dictionary, page 156 (6th ed. Abr. 1991)
– Inexpert handling of electronic media (e.g., open, print, & scan) has serious drawbacks
  • Human error
  • Missing data or inadvertent changes
  • Time to produce
  • No detailed audits
Electronic Discovery Legal Issues: Electronic Marginalia
– Simple spreadsheets and word processing files contain an array of formatting elements including:
  • comments, headers, hidden rows/columns
– Counsel should proactively ensure the process used provides at a minimum:
  • hidden rows and columns uncovered
  • comments exposed and converted
  • passwords broken
  • blank pages eliminated
Electronic Discovery Terms
Metadata
Media
Tape Restoration
Text Extraction
Forensics/Collection
De-duplication
Data Culling
Electronic Discovery Process
Receive Data
Index
Reduce
Search
Convert
Package
Burn
1 - Receive Data
Identify locations of all data and prescribe systematic uniform collection of data
Media is sent in many formats
– CD
– DVD
– DLT
– DAT Tape
Media is signed in and a strict chain of custody process begins
2 - Index Data
Extract, Unzip, Index, Copy, Rename (in a uniform fashion, while maintaining data integrity)
Capture valuable information (metadata)
Each file is examined to detect any changes to file extension – a possible smoking gun/file – another reason why you cannot “just print them”
3 - Reduce the Data Set
De-duplication option
– Our process ensures accuracy and integrity
  • MD5 Hash – “bit” level count
  • Bit level most accurate!!
Filtering Data
– Narrow by a specific “date range”
– Uses metadata to eliminate files outside of the discoverable date range
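As an added example (not part of the original presentation or any vendor's process), the Index and Reduce steps above in Python: an MD5 over the complete contents of each file for bit-level de-duplication, plus a leading-bytes check that flags files whose extension does not match their content. The signature table and the sample files are constructed assumptions.

```python
import hashlib
import os

# Leading-byte signatures (an assumed small subset) used to check that a
# file's content agrees with its extension: the "changed extension" check.
SIGNATURES = {b"%PDF": "pdf", b"\xff\xd8\xff": "jpg", b"PK\x03\x04": "zip"}

def sniff_type(data):
    """Type implied by the first bytes, or None when no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def index_collection(files):
    """files: {relative path: bytes}. One record per file: size, MD5 of the
    complete contents, extension, sniffed type, and a mismatch flag."""
    records = []
    for path in sorted(files):
        data = files[path]
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        kind = sniff_type(data)
        records.append({"path": path, "size": len(data),
                        "md5": hashlib.md5(data).hexdigest(), "ext": ext,
                        "sniffed": kind, "mismatch": kind is not None and kind != ext})
    return records

def deduplicate(records):
    """Keep the first file seen for each MD5. Returns (unique, duplicates),
    where duplicates pairs each dropped path with the kept original."""
    first, unique, dups = {}, [], []
    for r in records:
        if r["md5"] in first:
            dups.append((r["path"], first[r["md5"]]))
        else:
            first[r["md5"]] = r["path"]
            unique.append(r)
    return unique, dups

# Constructed sample collection: a PDF, an exact copy of it under another
# name, and a JPEG header that was saved with a .txt extension.
SAMPLE = {
    "contracts/a.pdf": b"%PDF-1.4 contract body",
    "mail/copy.pdf": b"%PDF-1.4 contract body",
    "notes.txt": b"\xff\xd8\xff\xe0 image data",
}

def run_demo(files=SAMPLE):
    """Index then de-duplicate; returns (unique records, duplicate pairs)."""
    return deduplicate(index_collection(files))
```

The duplicate pairs and the mismatch flags are what go into the audit record; the non-responsive and duplicate files themselves are kept, as the process requires.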
4 - Keyword Searching
Select keywords or phrases to narrow your search/discovery
Advanced searching using Boolean, proximity, etc.
Responsive files are flagged and continue through the process
Non-responsive files are still preserved
Saves Hours Saves $s
5 - Convert the Data
Full Text of files is extracted
Hidden information is uncovered
– rows, columns, changes (if enabled)
– embedded comments exposed
– “electronic marginalia”
Files converted to Tiff or PDF images
6 - Package the Data
Batchload Application Begins
Images bundled and a customized load file is created for uploading to client document management system
– e.g., Summation, Concordance, etc.
7 - Burn & Return
Final (of several) quality checks performed
CDs Burned
Data Integrity still intact
CDs are shipped to client
Data remains on system
Key Considerations: Automation = Integrity & Speed
– Provides Data Integrity – Chain of Custody – Cannot “Just Print Them Out”
– Allows De-duping, Filtering, & Searching to Reduce Data Set
– Uncovers Hidden & Meaningful Data
  • Examines all files for hidden file types
  • Hidden Rows/Columns Uncovered
  • Comments are Exposed
  • Metadata Uncovered & Searchable
  • Electronic Marginalia
What is Computer Forensics?
Forensics: Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law.
Computer Forensics: The scientific examination and analysis of data held on, or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.
What can be found as digital evidence?
Correspondence (electronic mail, Instant Messages)
Graphic Files (Child pornography, scanned prescriptions)
Audio Files (voicemail, recorded messages)
Financial Data (Excel spreadsheets, Access databases)
Video Files (home video, web cam, internet videos)
Locations of Digital Evidence
Evidence may be found on the Victim’s computer, as well as the Suspect’s computer.
May be found at the Internet Service Provider (ISP) server level.
The ISP server may be a web server or an email server
The target server(s) may be located in another state or another country.
How Digital Evidence Is Examined
An exact, bit-by-bit, copy of the target media is created
After verification, original is placed back into evidence
A variety of forensic software is utilized, which is determined by the scope of the search (i.e. mp3 downloads, emails, digital photographs)
Areas Searched:
Files in directories in which the suspect had access
Internet files (TIFs, History, .HTMLs)
Registry, which holds programs, names, online links, Operating System
And specific files within the scope of search (i.e. Excel spreadsheets, Word documents)
Unallocated Space of the media
Erased Files:
A file “deleted” or “erased” is not actually removed from the media
Recycle Bin: file is only renamed
Operating System “sees” the file’s space as available. Pointer to file is removed
Data may remain in File Slack for years
Often fully or partially recoverable
Allocated Space vs. Unallocated Space
Allocated Space: files and data recognized and utilized by the operating system
Unallocated Space: area of the media read as “available space” by the operating system
Allocated Space – Operating System
– Directories, programs, files
– Names, dates and times
– Easily viewable by most users
Unallocated Space – Raw Data
– No longer has names, dates or times
– Partial or complete files may be recovered
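An added example, not from the original slides: signature-based carving of files out of a constructed block of unallocated space, where no names, dates or times survive and only header/trailer bytes identify the data, including the partial-recovery case where a trailer has been overwritten. The signature table, the size cap and the sample bytes are assumptions.

```python
# Header/trailer signatures (an assumed small subset) used to recognise file
# data in raw space that no longer carries names, dates or directory entries.
CARVE_RULES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
}
MAX_CARVE = 64 * 1024  # assumed cap applied when a trailer was overwritten

def carve(raw, rules=CARVE_RULES, max_len=MAX_CARVE):
    """Scan raw bytes for each known header. A hit is cut at its trailer
    (complete) or, when no trailer follows within max_len, at max_len and
    marked partial. Returns records sorted by offset in the raw data."""
    found = []
    for kind, (header, trailer) in rules.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(trailer, pos + len(header))
            if end != -1 and end + len(trailer) - pos <= max_len:
                stop, complete = end + len(trailer), True
            else:
                stop, complete = min(pos + max_len, len(raw)), False
            found.append({"type": kind, "offset": pos,
                          "data": raw[pos:stop], "complete": complete})
            # A partial hit may hide a later header, so resume just past it.
            pos = raw.find(header, stop if complete else pos + len(header))
    return sorted(found, key=lambda f: f["offset"])

def carved_name(rec):
    """Only offset and type are available for naming; no original name survives."""
    suffix = "" if rec["complete"] else "_partial"
    return "%08x%s.%s" % (rec["offset"], suffix, rec["type"])

# Constructed unallocated space: a complete JPEG, a complete PDF, and a JPEG
# whose trailer has been overwritten, separated by zeroed sectors.
SAMPLE_RAW = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0JFIF-photo-1\xff\xd9"
    + b"\x00" * 8
    + b"%PDF-1.4 contract text %%EOF"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0JFIF-photo-2-trailer-lost"
    + b"\x00" * 8
)
```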
Forensic Computer Examination
Average Volume: 12 Gb
Gigabyte: 1,073,741,824 bytes
Subtotal: 12,884,901,888 bytes
Page size: 3000 bytes
Pages: 4,294,967
Ream: 500 pages
Ream height: 2”
Total Height: 17,180”
Total Height in feet: 1431’ 8”
Sears Tower (Chicago): 1450’
Recovery from Damaged CD/DVDs (before/after images)
Recovery from Fire
Recovery from Submersion
Video Forensics