THE POWER TO PROVE 1 New Advances in Spoliation Detection and Remediation David Cowen Rafael Gorgal.


1 New Advances in Spoliation Detection and Remediation
David Cowen
Rafael Gorgal

2 Introduction
Who are we?
Things we've written you might have seen
–Hacking Exposed: Computer Forensics, currently working on the third edition
–Infosec Pro Guide to Computer Forensics
–Anti Hacker Toolkit, Third edition
–Hacking Exposed Computer Forensics Blog
–This presentation

3 Spoliation Case law presenters involved with
Super Future Equities Inc v. Wells Fargo Bank NA et al (Texas Case No. 3:06-cv-00271)
Stille Sonesta v Tara Woodruff Buxton v David Cavin

4 Current state of spoliation detection
Data destruction programs are noisy
Most change timestamps to invalid dates (e.g. 1/1/1970)
Deleted file records with invalid dates and random file names remain
Counting the number of files remaining that match these criteria gives a base-level total of spoliated files
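The base-level count described on this slide can be sketched as follows. This is an added example, not code from the presentation; the CSV column names, the acquisition date, the 1601 sample row and the name-randomness thresholds are assumptions made for illustration.

```python
import csv
import io
import math
from collections import Counter
from datetime import datetime

# Constructed sample standing in for a parsed MFT listing; column names are hypothetical.
SAMPLE_MFT_CSV = """record,in_use,name,modified
1041,1,Q3_forecast.xlsx,2012-03-14T09:21:07
1042,0,ZKQXJWPVBMTRHGYF.QXZ,1970-01-01T00:00:00
1043,0,notes_old.txt,2012-02-02T16:40:55
1044,0,XQJZKVWPLMRTBNCD.JKW,1970-01-01T00:00:00
1045,0,HWQZXKJVPBTMNRLG.ZQX,1601-01-01T00:00:00
1046,1,setup.log,1970-01-01T00:00:00
"""

# Assumption: "invalid" means at or before the Unix epoch, or later than acquisition.
EPOCH = datetime(1970, 1, 1)
ACQUIRED = datetime(2012, 6, 1)  # constructed acquisition date


def has_invalid_date(ts):
    return ts <= EPOCH or ts > ACQUIRED


def looks_random(name, min_len=8, min_entropy=3.0):
    """Assumed heuristic: long, purely alphanumeric stem with high character entropy."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < min_len or not stem.isalnum():
        return False
    counts = Counter(stem)
    entropy = -sum(c / len(stem) * math.log2(c / len(stem)) for c in counts.values())
    return entropy >= min_entropy


def flag_wiped_records(csv_text):
    """Return deleted records that have both an invalid date and a random-looking name."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        deleted = row["in_use"] == "0"
        modified = datetime.fromisoformat(row["modified"])
        if deleted and has_invalid_date(modified) and looks_random(row["name"]):
            flagged.append(row)
    return flagged


if __name__ == "__main__":
    hits = flag_wiped_records(SAMPLE_MFT_CSV)
    print(f"base-level count of likely wiped files: {len(hits)}")
    for r in hits:
        print(r["record"], r["name"], r["modified"])
```

The live file with an epoch timestamp and the deleted file with a normal name and date are both excluded, so only records meeting all three criteria enter the count.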

5 Current defense arguments
The files destroyed were personal
The files destroyed were not relevant
The files destroyed were part of a system process

6 New advances in spoliation detection
Transaction Logging Decoded
Change Logging added since Windows Vista

7 How the new artifacts are created
XP – Transactional logging from interaction with the file system, may last 24 hours on a system drive
Vista/7/8 – Change logging from interaction with the file system, may go back months

8 What can now be determined
Ability to recover:
–Pre wiped file name
–Directory where wiped data existed
–Metadata of file
–Scope of total files wiped
–Linkage to program execution
–Determination of destruction time

9 What still cannot be determined
Contents of the wiped files
–Unless backups exist
–Shadow Copies
–Temp/Autorecovery files
–Carved files

10 New arguments and defense presented
Parties affected by spoliation can now show what was being destroyed, when, and the context.
Parties defending spoliation can now show that files wiped were in fact innocuous or non-relevant

11 Impact of research on existing case law
Ability to determine actual file names helps towards showing bad faith
For some cases where the spoliating party was in fact telling the truth, sanctions can be reduced or waived

12 Adverse Inference versus summary judgment
Most common instruction we see is adverse inference to the judge or jury when determining the usage of the spoliated data.
Now judges and juries can infer the content and usage of known files
With the veil of mystery as to what was destroyed removed, we may see more summary judgment

13 Role of an expert in a spoliation motion
Prove what was done
Determine if it was automatic or manual
Validate the methods used to destroy
Estimate the totality of the destruction
Testify to the impact on the expert's analysis
Explain to the judge and jury what is determinable and what is recoverable

14 Standard of proof from prior cases
Prove spoliation occurred
Show that it occurred after notice or expectation of litigation
Show scope of spoliation
Show relevancy of spoliated data and how it prejudices the affected party

15 Questions?
David Cowen dcowen@g-cpartners.com
Rafael Gorgal rgorgal@g-cpartners.com
Twitter @hecfblog
Blog - http://hackingexposedcomputerforensicsblog.blogspot.com/

