Data Collection and Forensics February 23, 2009

Complaint Document Acquisition DepositionsReview Discovery Begins Photocopy Discovery Closes Produce & Share 95% Settle Electronic Discovery Trial Coding & Scanning

Electronic Discovery Legal Issues Chain of Custody/Data Integrity –“Chain of Custody” Requires that “the one who offers real evidence…must account for the custody of the evidence from the moment in which it reaches his custody until the moment in which it is offered in evidence.” Black’s Law Dictionary, page 156 (6 th ed. Abr. 1991) –Inexpert handling of electronic media (e.g., open, print, & scan) has serious drawbacks Human error Missing data or inadvertent changes Time to produce No detailed audits

Electronic Discovery Legal Issues Electronic Marginalia –Simple spreadsheets and word processing files contain an array of formatting elements including: comments, headers, hidden rows/columns –Counsel should proactively ensure the process used provides at a minimum: hidden rows and columns uncovered comments exposed and converted passwords broken blank pages eliminated

Electronic Discovery Terms Metadata Media Tape Restoration Text Extraction Forensics/Collection De-duplication Data Culling

Electronic Discovery Process Receive Data Index Reduce Search Convert Package Burn

1 - Receive Data Identify locations of all data and prescribe systematic uniform collection of data Media is sent in many formats –CD –DVD –DLT –DAT Tape Media is signed in and a strict chain of custody process begins

2 - Index Data Extract Unzip Index Copy Rename (uniform fashion – while maintaining data integrity) Capture valuable info. (metadata) Each file is examined to detect any changes to file extension – possible smoking gun/file –another reason why you cannot “just print them”

3 - Reduce the Data Set De-duplication option –Our process ensures accuracy and integrity MD5 Hash – “bit” level count Bit Level most accurate!! Filtering Data –Narrow by a specific “date range” –Uses metadata to eliminate files outside of the discoverable date range

4 - Keyword Searching Select keywords or phrases to narrow your search/discovery Advanced searching using Boolean, proximity, etc. Responsive files are flagged and continue through the process Non-responsive files are still preserved Saves Hours Saves $s

5 - Convert the Data Full Text of files is extracted Hidden information is uncovered –rows, columns, changes (if enabled) –embedded comments exposed –“electronic marginalia” Files converted to Tiff or PDF images

6 - Package the Data Batchload Application Begins Images bundled and a customized load file is created for uploading to client document management system –e.g., Summation, Concordance, etc.

7 - Burn & Return Final (of several) quality checks performed CDs Burned Data Integrity still intact CDs are shipped to client Data remains on system

Key Considerations Automation = Integrity & Speed –Provides Data Integrity – Chain of Custody – Cannot “Just Print Them Out” –Allows De-duping, Filtering, & Searching to Reduce Data Set –Uncovers Hidden & Meaningful Data Examines all files for hidden file types Hidden Rows/Columns Uncovered Comments are Exposed Metadata Uncovered & Searchable Electronic Marginalia

What is Computer Forensics? Forensics: Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law. Computer Forensics: The scientific examination and analysis of data held on, or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.

What can be found as digital evidence? Correspondence (electronic mail, Instant Messages) Graphic Files (Child pornography, scanned prescriptions) Audio Files (voic , recorded messages) Financial Data (Excel spreadsheets, Access databases) Video Files (home video, web cam, internet videos)

Locations of Digital Evidence Evidence may be found on the Victim’s computer, as well as the Suspect’s computer. May be found at the Internet Service Provider (ISP) server level. The ISP server may be a web server or an server The target server(s) may be located in another state or another country.

How Digital Evidence Is Examined An exact, bit-by-bit, copy of the target media is created After verification, original is placed back into evidence A variety of forensic software is utilized, which is determined by the scope of the search (i.e. mp3 downloads, s, digital photographs)

Areas Searched: Files in directories in which the suspect had access Internet files (TIFs, History,.HTMLs) Registry, which holds programs, names, online links, Operating System And specific files within the scope of search (i.e. Excel spreadsheets, Word documents) Unallocated Space of the media

Erased Files: A file “deleted” or “erased” is not actually removed from the media Recycle Bin: file is only renamed Operating System “sees” the file’s space as available. Pointer to file is removed Data may remain is File Slack for years Often fully or partially recoverable

Allocated Space vs. Unallocated Space Allocated Space: files and data recognized and utilized by the operating system Unallocated Space: area of the media read as “available space” by the operating system

Allocated Space Operating System Directories, programs, files Names, dates and times Easily viewable by most users

Unallocated Space Raw Data No longer has names, dates or times Partial or complete files may be recovered

Forensic Computer Examination Average Volume: 12Gb Gigabyte: 1,073,741,824 bytes Subtotal: 12,884,901,888 bytes Page size: 3000 bytes Pages: 4,294,967 Ream: 500 pages Ream height: 2” Total Height: 17,180” Total Height in feet: 1431’ 8” Sears Tower (Chicago): 1450’

Recovery from Damaged CD/DVDs Before After

Recovery from Fire

Recovery from Submersion

Video Forensics