The Intersection of Forensics and eDiscovery - Part 1 of 2
Discovery Management Digest – Q1 2013
When it comes to eDiscovery, many in-house counsel may be able to relate to the famous quote by Donald Rumsfeld, former U.S. secretary of defense: “[T]here are known knowns; there are things we know that we know. There are known unknowns; that is to say there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don't know.”
Computer forensics can help pave the way through the unknown unknowns, or even known unknowns. Computer forensics, also known as digital forensics, relates to the legal evidence found in computers and digital storage media.
According to US-CERT, the United States Computer Emergency Readiness Team, which is part of the Department of Homeland Security, “We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.”
Through computer forensics, experts can determine something about the current state of a “digital artifact,” which can include a computer system, a storage medium such as a hard disk or CD-ROM, an electronic document such as an email message or JPEG image or even a sequence of packets moving over a computer network. Beyond that, though, computer forensics experts can provide strategic value through analyzing the data they examine and providing opinions about next steps that organizations can take.
In the first of this two-part series, we’ll explore the nuts and bolts of what is involved when computer forensics meets eDiscovery. In the second part, we’ll look at the strategic value computer forensics can provide during eDiscovery, for the matter at hand and for ongoing matters.
The practical aspects of eDiscovery and computer forensics
Computer forensics techniques and technologies can be applied to a wide range of hardware and software, such as:
- Backup Tapes
- Optical Media
- Personal Computers
- Mobile Devices
- Digital Cameras
- Voicemail and Video
- Web Email
- Cloud-Based Data Storage
- External USB Storage
Where computer forensics and eDiscovery meet
Organizations may need to conduct computer forensics for a variety of reasons. Computer forensics can be used to recover data after hardware or software fails. The techniques can be used to analyze information after a security breach to determine how a hacker gained access to servers or files and what actions the hacker took once inside. Organizations can also use computer forensics to understand how computer systems work and improve performance, debug hardware and software or to reverse engineer a product.
In the litigation context, computer forensic techniques can be used for both criminal and civil matters to analyze computer systems that belong to defendants or parties involved with a lawsuit. Using forensics as a part of eDiscovery requires a thoughtful approach, to ensure that the information recovered is not challenged by the court or the other side.
Computer forensics can be fairly straightforward or extremely complex. At the simplest level, forensic experts may search active files and previously deleted file fragments for keywords stored in different formats, such as ASCII, Unicode or hexadecimal. More complicated work can involve searching hidden, encrypted or encoded data, such as email stores, compressed or zipped files and enhanced metafiles. The most challenging types of forensics may include analyzing logical and physical disk structure and fingerprinting documents and systems.
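The "simplest level" described above still has a trap: the same keyword looks completely different on disk depending on how it was stored, so a plain text search misses UTF-16 strings (common in Windows metadata and Office files) and hex-encoded text. The following added example, which is not code from the original article or from Deloitte, searches a constructed byte buffer standing in for a slice of unallocated space for one keyword in ASCII, UTF-16LE and hex-text form, optionally with case variants, and shows the decoded context around each hit. The buffer contents, file names and keyword are invented for illustration.

```python
"""Keyword search across text encodings in a raw forensic image.

Added example (not code from the original article or from Deloitte). The
'image' is a constructed byte buffer standing in for a slice of unallocated
disk space; a real examination would read a disk image with open(path, "rb")
and scan it in chunks.
"""
from typing import Dict, List, Tuple


def encodings_for(keyword: str) -> Dict[str, bytes]:
    """Byte patterns one keyword takes in the formats the article lists."""
    raw = keyword.encode("ascii")
    return {
        "ascii": raw,
        # Windows/NTFS metadata, registry and Office text are often UTF-16LE,
        # so a plain ASCII search misses them.
        "utf-16le": keyword.encode("utf-16-le"),
        # Some logs and tools store text as hex digit strings ("73636865...").
        "hex-text": raw.hex().encode("ascii"),
    }


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which `pattern` occurs in `buf` (overlaps included)."""
    hits: List[int] = []
    start = 0
    while True:
        idx = buf.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def search_image(buf: bytes, keyword: str,
                 case_variants: bool = False) -> List[Tuple[int, str, str]]:
    """Search `buf` for `keyword` in every encoding; optionally add case variants.

    Returns (offset, encoding, variant) tuples sorted by offset.
    """
    variants = {keyword}
    if case_variants:
        variants |= {keyword.lower(), keyword.upper(), keyword.capitalize()}
    hits: List[Tuple[int, str, str]] = []
    for variant in sorted(variants):
        for name, pattern in encodings_for(variant).items():
            for offset in find_all(buf, pattern):
                hits.append((offset, name, variant))
    return sorted(hits)


def context(buf: bytes, offset: int, encoding: str, width: int = 24) -> str:
    """Decode a window around a hit so the examiner can see what surrounds it."""
    lo, hi = max(0, offset - width), min(len(buf), offset + width)
    codec = "utf-16-le" if encoding == "utf-16le" else "ascii"
    if codec == "utf-16-le" and (offset - lo) % 2:
        lo += 1  # keep the window aligned to the 2-byte code units of the hit
    text = buf[lo:hi].decode(codec, errors="replace")
    return "".join(ch if ch.isprintable() else "." for ch in text)


def build_sample_image() -> bytes:
    """Constructed buffer imitating slack/unallocated space (not real evidence)."""
    gap = b"\x00" * 16
    return (
        gap
        + b"Re: schematic rev 3" + gap
        + "C:\\Users\\jdoe\\schematic.pdf".encode("utf-16-le") + gap
        + b"data=" + b"schematic".hex().encode("ascii") + gap
        + b"SCHEMATIC" + gap  # only found when case_variants=True
    )


if __name__ == "__main__":
    image = build_sample_image()
    for off, enc, variant in search_image(image, "schematic", case_variants=True):
        print(f"0x{off:06x}  {enc:9s} {variant:10s} {context(image, off, enc)}")
```

Without `case_variants` the upper-case copy is missed, which is the practical reason examiners generate every encoding and case form of a term before running it against an image; a UTF-16BE pattern is deliberately omitted here because it is byte-for-byte identical to UTF-16LE text shifted by one byte and would produce ambiguous hits that need separate handling.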
When conducting forensics during discovery, one of the most important aspects is assuring that all potentially responsive ESI has been properly collected. A clear chain of custody for all evidence must be maintained for the entire lifecycle of each piece of data. In order to avoid issues, legal departments should be sure that the experts they hire to oversee computer forensics possess the appropriate credentials and certifications.
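A chain of custody is only defensible if every hand-off can be shown not to have altered the evidence, which in practice means hashing the image at acquisition and re-hashing it at each custody event. The added example below, which is not code from the original article or from Deloitte, does exactly that with MD5 and SHA-256: it opens a custody record for an acquired image, appends a timestamped event for each handler action with a fresh hash, and flags whether the hashes still match the acquisition values. The evidence identifier, handler names and image bytes are constructed placeholders.

```python
"""Evidence hashing and chain-of-custody log for a collected image.

Added example, not code from the original article or from Deloitte. It hashes
an acquired image with MD5 and SHA-256, records every custody event with a
fresh hash, and reports whether the evidence still matches its acquisition
hashes. The image written in demo() is constructed placeholder data.
"""
import hashlib
import io
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import BinaryIO, Dict, List, Tuple

ALGORITHMS = ("md5", "sha256")  # MD5 kept alongside SHA-256 for tool interoperability


def hash_stream(fh: BinaryIO, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Hash a stream in 1 MiB chunks so multi-gigabyte images never load into memory."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(1024 * 1024), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data))


def hash_file(path: Path) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return hash_stream(fh)


@dataclass
class CustodyEvent:
    timestamp: str          # UTC, ISO 8601
    handler: str
    action: str
    hashes: Dict[str, str]  # hashes computed at the time of the event
    intact: bool            # True if they match the acquisition hashes


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    acquisition_hashes: Dict[str, str]
    events: List[CustodyEvent] = field(default_factory=list)

    def log(self, handler: str, action: str, path: Path) -> bool:
        """Record a custody event and return whether the evidence is unchanged."""
        current = hash_file(path)
        intact = current == self.acquisition_hashes
        self.events.append(CustodyEvent(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            handler, action, current, intact))
        return intact

    def to_json(self) -> str:
        """Serialise the record for the case file or a custody report."""
        return json.dumps(asdict(self), indent=2)


def acquire(path: Path, evidence_id: str, description: str, handler: str) -> EvidenceRecord:
    """Hash the freshly acquired image and open its custody record."""
    record = EvidenceRecord(evidence_id, description, hash_file(path))
    record.log(handler, "acquired and hashed", path)
    return record


def demo() -> Tuple[bool, bool]:
    """Constructed walk-through: a hand-off with intact evidence, then an altered image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "laptop01.dd"  # placeholder name, constructed bytes
        image.write_bytes(b"constructed sample image bytes\n" * 64)
        record = acquire(image, "EV-001", "Laptop 01 raw image (constructed)", "examiner A")
        intact_on_handoff = record.log("examiner B", "checked out for keyword search", image)
        # Any change to the image, deliberate or accidental, breaks the match.
        with open(image, "ab") as fh:
            fh.write(b"\x00")
        intact_after_change = record.log("examiner B", "returned to evidence locker", image)
        print(record.to_json())
        return intact_on_handoff, intact_after_change


if __name__ == "__main__":
    print(demo())
```

In practice the examiner works from a verified copy and the original stays sealed, so a `False` on return should be rare; when it occurs, the timestamped events show exactly between which two handlers the change happened, which is the question opposing counsel will ask.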
Along with proper credentials, industry experts should also be able to provide a clear perspective on current trends, new technologies, court precedents and emerging issues, including:
- Potentially responsive voicemails on phones
- Explosive growth of smartphones, tablets and other mobile devices
  - These can be company-issued or ones that employees personally own and use for work
  - Employees and organizations often use many different models from different vendors, adding to the complexity of collection, review and production
- Different physical systems across locations
- Growing use of SMS messages
- Privacy issues
  - Wiretap Act, Stored Communications Act and other relevant legislation
- File encryption
- New types and versions of software, such as Microsoft Office 2010 and WinZip
Deloitte possesses the knowledge and expertise to guide companies and government agencies through computer forensic searches during eDiscovery, to provide an efficient, defensible approach. Our services include:
- High-speed forensic imaging “Roadkits” that can handle approximately 3-6 gigabytes per minute, with solutions for Serial ATA, PATA, SCSI, SAS and flash media drives as well as cell phones and smartphones
- Forensic software preservation and collection, forensic analysis and static and dynamic malware analysis
- Forensic software capabilities, including foreign language character sets, most file systems, Boolean and keyword proximity searches, compressed files and system registry files, on-the-fly decryption of files and drives, software and hardware RAID server rebuilding, large volume native email analysis and static and dynamic malware analysis
Getting discovery right the first time is critical to staying within deadlines and budgets. By bringing in qualified, experienced experts to conduct computer forensics, in-house counsel can be more confident that they will get the data they need in an efficient and defensible way.
Computer forensics reveals employee data theft
In one case, a client suspected a former employee of taking proprietary information to his new job with a competitor. Deloitte’s forensic investigators were able to recover a private email account that contained correspondence with the competitor, including copies of his resume and several of the organization’s confidential documents.
By recovering print spool files from the operating system, investigators found that more than 300 proprietary schematics were printed over the course of nine months, and 50 documents were printed the night before the employee resigned.
The team was also able to recover web pages showing that the former employee had searched for job openings at the competitor in the nine to ten months before quitting, the same period in which the employee was printing proprietary schematics.
Part two of this two-part series will explore the analysis and strategic value that can be mined from computer forensics approaches during eDiscovery.
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
While the information in this article may deal with legal issues, it does not constitute legal advice. If you have specific questions related to information discussed in this article, you are encouraged to consult an attorney who can investigate the particular circumstances of your situation.