Information Technology & Computer Science E-Discovery Lab Identification and Collection Seminar on E-Discovery, February 9th, 2012, College of Information.


Information Technology & Computer Science E-Discovery Lab
Identification and Collection
Seminar on E-Discovery, February 9th, 2012, College of Information Studies, University of Maryland
Dr. Hans Henseler, Amsterdam University of Applied Sciences, The Netherlands

E-Discovery Seminar: Identification and Collection
Information Technology & Computer Science E-Discovery Lab, HvA
[Slide: map of the Netherlands]

Dr. Hans Henseler
- Ph.D. computer science (1993)
- Netherlands Forensic Institute ( )
- Netherlands Institute of Applied Research ( )
- CTO at ZyLAB ( )
- Director at PricewaterhouseCoopers ( )
- Adjunct Professor HvA (2009-)
- Partner at Fox-IT (2011-)

1. Recap: EDRM
[Diagram: EDRM track overview, labelled Incident, T1, T2, T3a, T3b, T4, T5a, T5b, T6a, T6b]

1. Recap: Track 1: Information Management
GOAL: Develop defensible retention policies and e-discovery processes
HOW: By managing all information sources:
- Complete information lifecycle: from creation, through use, to archival and destruction.

Track 2: Identification
GOAL: Determine what should be preserved and collected
HOW: By identifying and localising potential sources of information:
- What kind of information is required?
- Relevant time period?

Track 3a: Preservation
GOAL: Preserve data to avoid spoliation claims/sanctions
HOW: By securing information that may potentially be relevant
- By ensuring that information cannot be altered or destroyed.

Track 3b: Collection
GOAL: Retrieve forensically sound copies of critical data
HOW: By making digital copies of electronically stored information and related metadata (information context)
- In such a way that the integrity and authenticity of the information can be verified

E-Discovery and Archeology

Identification
Identification is the first reactive step in response to an E-Discovery request. Identification involves:
- Localisation of potential sources of electronic information.
- Determining the scope of the investigation:
  - Which data (i.e. projects, employees, departments)
  - Which periods
Forensic technology:
- Mapping the information landscape
- Identifying relevant sources

IT Infrastructure: Example 1

IT Infrastructure: Example 2

IT Infrastructure: Example 3

IT Infrastructure: Example 4

Systems: Accounting

Identification of backups
A typical company (1800 employees) had the following backups available in July 2007:
- 12x Backup July 2006 / June 2007
- 1x Backup Friday 29/12/2006
- 1x Backup Friday 30/12/2005
- 1x Backup Friday 31/12/2004
Total: 15 backups per custodian!

Data preservation
Goal: Preserve data to avoid spoliation claims/sanctions
Measures:
- Issue a legal hold by sending out an internal company memo
- Secure data to prevent it from being changed or destroyed (avoid data spoliation), for instance stop backup tapes from being recycled
- Freeze records so they cannot be destroyed

Collection
Relevant electronically stored information is copied in a forensically sound way.
Forensic technology:
- Maintain original metadata of electronic information (i.e. filename, path, dates etc.)
- Forensic computer image versus logical file copy
- Maintaining chain of custody
- Calculate secure hash values of collected data

Collection: File Servers
What to expect:
- Files
- Personal archives (pst, nsf etc.)
- Long and deep file paths
Forensic tools:
- EnCase (Guidance Software)
- Forensic Toolkit - FTK (AccessData)
- Evidence Mover (Micro Forensics)
- Robocopy (Microsoft)

Collection: Mobile Phones
What to expect:
- Mobile/smart phones
- Android
- Tablets, iPad
Forensic tools:
- XRY (Micro Systemation)
- Device Seizure (Paraben)
- UFED (Cellebrite)
- FTK Mobile Phone Examiner (AccessData)
- EnCase Smartphone Examiner (Guidance Software)

Collection: Databases
What to expect:
- Financial databases (SAP, Oracle Financials etc.)
- Firewall databases
- SQL databases (MS SQL, Oracle, MySQL, Progress etc.)
Best practices:
- Use SQL queries
- Exports vs. dumps
- SAP ABAP scripts vs. Oracle database dumps (depends on size and available time)

Collection: Servers
What to expect:
- Lotus Notes (nsf)
- Microsoft Exchange (edb)
- Groupware
Connect to live server (why?)
- Exchange Server (2010 has interesting E-Discovery capabilities)
- EnCase Enterprise
Process message store:
- Network Examiner (Paraben), PowerControls (Kroll Ontrack)

Secure Hash: MD5 and SHA1
- Goal: to provide a unique “fingerprint” of the message.
- How? Must demonstrate 3 properties:
  1. Fast to compute y from m.
  2. One-way: given y = h(m), can’t easily find any m’ satisfying h(m’) = y.
  3. Secure hash: strongly collision-free, i.e. can’t easily find any m1 != m2 such that h(m1) = h(m2).
[Diagram: message m (long) -> cryptographic hash function h -> message digest y (shorter, fixed length)]
The function shrinks the data, so two messages can have the same digest: m1 != m2, but h(m1) = h(m2).

Procedures, Forms and Logs
1. Data freeze directive
2. Data request
3. Letter of consent
4. IT inventory template
5. EnCase acquisition form
6. Chain of custody form
7. Evidence log for tracking collected electronic data
8. Physical document collection sheets and scanning log
9. Standard Operating Procedure for Data Collection
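The Collection slide asks for original metadata, secure hash values and a chain of custody, the Secure Hash slide explains why a digest can stand in for the whole file, and item 7 above asks for an evidence log that tracks collected electronic data. The Python script below puts those three requirements into one working evidence log for a logical file copy. It is an added example written for this page, not material from the seminar, from HvA or from any of the tools the slides name. It records each file's original size and modification time before anything is copied, hashes every file with MD5 and SHA-1 as on the slides and additionally with SHA-256 (MD5 and SHA-1 are no longer collision resistant, so a current log should carry a stronger digest beside them), keeps an append-only chain-of-custody list, and re-verifies the collection afterwards so an altered or missing item is detected. The custodian name, file names and file contents in demo() are constructed; a forensic image of a disk is a different procedure that this script does not replace.

```python
"""Evidence log for a forensically sound logical file collection (added example)."""
import hashlib
import io
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB blocks so a multi-GB PST never has to fit in memory
ALGORITHMS = ("md5", "sha1", "sha256")  # MD5/SHA-1 as on the slides, SHA-256 as the modern anchor


def digest_stream(stream):
    """Compute every digest in ALGORITHMS in a single pass over a binary stream."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digest_bytes(data):
    """Digests of an in-memory message (useful for checking known test vectors)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def collect(source_dir, custodian, examiner):
    """Walk a custodian's share and record original metadata plus digests per file.

    Timestamps are read from the source before any copy is made, because a plain
    copy would reset them; they are the 'information context' the slides ask to keep.
    """
    source_dir = Path(source_dir)
    items = []
    for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        st = path.stat()
        items.append({
            "path": path.relative_to(source_dir).as_posix(),
            "size": st.st_size,
            "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            **digest_file(path),
        })
    now = datetime.now(timezone.utc).isoformat()
    return {
        "custodian": custodian,
        "source": str(source_dir),
        "items": items,
        # chain of custody: every hand-over is appended here and never edited
        "chain_of_custody": [{"when": now, "action": "collected", "by": examiner}],
    }


def record_transfer(log, from_person, to_person, note=""):
    """Append a custody event; the list is append-only by convention."""
    log["chain_of_custody"].append({
        "when": datetime.now(timezone.utc).isoformat(),
        "action": "transferred", "from": from_person, "to": to_person, "note": note,
    })
    return log


def verify(source_dir, log):
    """Re-hash every logged item; return (path, problem) pairs for anything that changed."""
    source_dir = Path(source_dir)
    problems = []
    for item in log["items"]:
        path = source_dir / item["path"]
        if not path.is_file():
            problems.append((item["path"], "missing"))
        elif digest_file(path)["sha256"] != item["sha256"]:
            problems.append((item["path"], "sha256 mismatch"))
    return problems


def demo():
    """Constructed sample collection: two files, then one byte of one file is changed."""
    root = Path(tempfile.mkdtemp())
    (root / "Finance").mkdir()
    (root / "Finance" / "ledger.csv").write_bytes(b"account,amount\n1000,42.00\n")
    (root / "memo.txt").write_bytes(b"Quarterly figures attached.")
    log = collect(root, custodian="J. Doe (constructed)", examiner="examiner A")
    record_transfer(log, "examiner A", "review team", "copied to review platform")
    clean = verify(root, log)  # [] : nothing changed since collection
    (root / "memo.txt").write_bytes(b"Quarterly figures attached!")  # one byte differs
    tampered = verify(root, log)  # [("memo.txt", "sha256 mismatch")]
    return {"items": len(log["items"]), "clean": clean, "tampered": tampered,
            "custody_events": len(log["chain_of_custody"]),
            "log_json": json.dumps(log, indent=2)}


if __name__ == "__main__":
    result = demo()
    print(result["log_json"])
    print("after tampering:", result["tampered"])
```

The log is written as JSON so it can be attached to the chain of custody form, and verify() compares only SHA-256 because a match there already implies the MD5 and SHA-1 values are unchanged; the weaker digests are kept so the log can still be compared against tools that report only those.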
