Presentation given May 6, 2010 by Seth Row, Esq. and Michael Bean, EnCE on sound collection practices in e-discovery.
04/09/23 2
ESI Comes in Numerous Flavors
• Emails
• Web pages
• Social media postings
• Text messages
• Digital voice recordings
• Database compilations (including accounting)
• Digital photographs
• Computer logs
Handling “Not Reasonably Accessible” Electronically Stored Information
• Before you decide how to collect – decide what to collect
• Investigation – readily accessible v. potentially “not reasonably accessible”
• Fed. R. Civ. P. 26(a) conference
• Disclose potential sources of information
• Including those that are not reasonably accessible
• Careful: duty to preserve broader than duty to produce
Defining “Not Reasonably Accessible”
• Rule 26(b)(2)(B): “A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost.”
• Type of storage media ≠ not reasonably accessible – no presumption (anymore)
• W.E. Aubuchon Co. v. BeneFirst LLC, 245 F.R.D. 38 (D. Mass. 2007)
“Not Reasonably Accessible” - Fact-Intensive Analysis
• Producing party’s burden, initially
• “Forensic costs” – converting data from a format that is difficult or impossible to search or review to another format
• Cost to review (usually based on volume)
• Business disruption and “internal” costs
• The Sedona Principles (Sedona Conference WG 2d ed. June 2007) cmt 13a.
• How is data source actually used?
• Is your vendor inflating costs?
Custodian Interviews
• Use a checklist – systematic
• Alter on the fly
• Go back if new information comes to light
• Verification from custodians
• Signed, sealed, delivered
• Policies in place are a good first step, but
• Assume nothing
• Be prepared to show compliance
Forensic Collection: Admissibility
The Five Hurdles
• Relevance
• Authenticity
• Hearsay
• Original Writing Rule
• Unfair Prejudice
Lorraine v. Markel, 241 F.R.D. 534 (D. Md., 2007) (federal rule)
ESI Inauthentic
What is Real?
• Sources Altered
  • Websites – home page hijacked
  • Photos – cosmetic adjustments or more….
• Software bugs and application failures
  • Programmed incorrectly
  • Calculated incorrectly

BASICS
Stretching the Truth Just Became Easier (and Cheaper)
[Photo caption: Digital pictures can be stretched without distorting a subject's face. Above, an altered photo.]
[Photo caption: The original photo of a dog swimming in a lake.]
By PETER WAYNER
Published: January 31, 2008
WHEN Carlo Baldassi came home from vacation and looked at a picture he took of his girlfriend on the Charles Bridge in Prague, he was torn. She looked beautiful, but the proportions of the picture were all wrong. It seemed tight and constrained, and it would not fill his widescreen monitor.
An artist is never satisfied.
Mr. Baldassi may not have an official title of an artist — he studies computational neuroscience at the Institute for Scientific Interchange Foundation in Turin, Italy. But he could fix the problem with some automatic photo-editing software he was writing with several friends. With one click, the tool stretched the uninteresting parts of the landscape – the water and the hills – while leaving the face of his girlfriend just as it was. The result was, he thought, more open and panoramic.
Authentication of ESI: Rule 901(1)
• Provides that the authentication of a document is "satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims."
• Rule 901 requires a “foundation from which a jury could reasonably find that the evidence is what the proponent says it is...” United States v. Safavian, 435 F. Supp. 2d 36 (D.D.C. 2006).
Authentication of ESI: Rule 901(2)
• Rule 901(2)(a) - testimony by a witness with knowledge that a matter is what it is claimed to be
• Rule 901(2)(c) - comparisons by the trier of fact or expert witnesses with specimens which have been authenticated. Safavian, 435 F. Supp. 2d at 40 (federal rule)
• Rule 901(2)(d) - identified by “appearance, contents, substance, internal pattern, or other distinctive characteristics, taken in conjunction with the circumstance.” United States v. Siddiqui, 235 F.3d 1318 (11th Cir. 2000) (federal rule)
Authentication of ESI: Typical Challenges
• Challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created.
• Question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records.
• Challenge the authenticity of computer-stored records by questioning the identity of their author.
Authentication of ESI: Record a Chain of Custody
Shows data was not changed. The less susceptible an exhibit is to alteration or tampering, the less strictly the chain of custody rule is applied.
Needed when:
1. Evidence is not readily identifiable,
2. No witness with personal knowledge to identify, or
3. Evidence susceptible to alteration by tampering or contamination.
Particularly important when:
1. Preserving/storing data
2. Searching for creation/alteration data (e.g., date created), or
3. Searching for any evidence of fabrication.
United States v. Howard-Arias, 679 F.2d 363, 366 (4th Cir. 1982)
Authentication of ESI: experts under Rule 901(2)(c)
• Expert Qualification – "a person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resulting data" is a "qualified witness" and may need to authenticate data or interpret recovered data.
Authentication of ESI: Expert Questions
• What is the evidence, or what does it purport to be?
  Forensics Expert: "This is a printout of data that I recovered on 4/26/07 from the hard disk drive primarily used by John Doe of the Acme Corporation."
• Where did it allegedly come from?
  Forensics Expert: "The hard drive was taken from the office of John Doe on 1/1/07. It was contained within a Generic PC bearing model XXXX and S/N YYYY."
• Who created, discovered, or recovered it?
  Forensics Expert: "The data appears to have been created by John Doe. I discovered and recovered it from his hard disk drive using computer forensic techniques."
• How was it created, discovered, or recovered?
  Forensics Expert: "I made an image of the hard disk drive using a forensic imaging device. This device is designed to make a perfect copy of a disk and does not alter the data on the disk being copied."
Authentication of ESI: Ubiquitous Email
• Direct knowledge of participant in exchange is best - 901(2)(a)
• Circumstantial evidence (Rule 901(2)(d)): “contents” and “circumstances” - 901(2)(d)
• Circumstantial evidence: markings, addresses, logos - 901(2)(d)
• Expert testimony and comparison - 901(2)(c)
Authentication of ESI: Websites
Hutchens v. Hutchens-Collins, 2006 WL 3490999 (D.Or. 2006)
• Defendant hired forensic vendor to download content of website pages to “write-only” CD-ROMs.
• Website freely available on internet.
• Vendor tracked registered domain name to plaintiff’s corporation through publicly available WHOIS system.
• Court held that totality of circumstances sufficient to authenticate website documents.
Authentication of ESI: Chat Rooms
Most commonly utilized:
• 901(2)(a) - witness with personal knowledge
• 901(2)(d) - circumstantial evidence of distinctive characteristics
Authentication of ESI: Chat Rooms
United States v. Tank, 200 F.3d 627 (9th Cir. 2000)
• Gov’t adequately authenticated chat room log printouts maintained by a co-defendant
• Evidence included testimony from co-defendant about the procedure he used to create logs and his recollection that logs appeared to be accurate representation of conversations among members
• Despite co-defendant’s deletion of portion of log to free up space, log was authenticated. Deletions would go to weight of evidence, not admissibility.
Disk Area of Concentration
• Allocated Space: Allocated by operating system for active user files, system files, all space available to user
• Unallocated Space: Space that is recognized by the operating system but not currently assigned. Area for deleted files, temp files used by programs, etc.
Other Areas of Concentration
[Diagram of 512-byte sectors with areas labeled "File Slack" and "Disk Slack"; the text shown in the diagram follows.]
• Dear Byron and Don, I love my job and want to stay here forever! Mr. Happy
• Dear Byron and Don, please accept my resignation because you work me too hard, don’t pay me enough and by the way I am taking my clients with me, sincerely yours, The disgruntled employee. Customer Lists: Aon, Symantek $%#*&^%Jack Walker is a January 1, 2001..This letter will serve as an agreement between Jack in the box and Deloitte
Acquisition
• How do I get the data on the principal media in a state that I can examine without altering the original data?
• How long does this procedure take?
• What are my options to Acquire the data?
• What are the limitations to the acquisition procedures?
• How do I know that the data acquired is the same?
How do I get the data on the principal media in a state that I can examine without altering the original data?
• Create an exact bit by bit copy or a file that contains a bit by bit copy of the principal drive on sterile media
• For passing as an original the two must be identical
[Diagram labels: Hard Drive; Evidence File; Segments (.E01, E02)]
Evidence File Construction
[Diagram: a Header followed by three data blocks of 64 Sectors (32K) each, CRC markers (four shown), and a trailing MD5 Hash Value; segment files .E01 .E02 .E03]
• CRC = 32 Bit Cyclical Redundancy Check
• MD5 = Message Digest 5, 128 Bit Algorithm
• Header = Case info is stored
• Data Blocks = 64 Sectors/32K data
• CRC protects data block integrity
• MD5 protects evidence file integrity
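The per-block CRC and whole-image MD5 checks on this slide, which also answer the earlier question "How do I know that the data acquired is the same?", can be sketched as below. This is an added example, not EnCase code or the presenters' material; the byte layout (length prefix, field order), the function names and the sample data are assumptions and do not reproduce the real .E01 format.

```python
import hashlib
import struct
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR          # 64 sectors = 32K per data block, as on the slide
PREFIX = "<IQ"               # assumed fields: header length, source length


def build_evidence(source: bytes, case_info: bytes) -> bytes:
    """Header, then data blocks each followed by a CRC-32, then one MD5."""
    out = bytearray(struct.pack(PREFIX, len(case_info), len(source)) + case_info)
    for off in range(0, len(source), BLOCK):
        block = source[off:off + BLOCK]
        out += block + struct.pack("<I", zlib.crc32(block))
    return bytes(out + hashlib.md5(source).digest())


def verify_evidence(blob: bytes):
    """Return (md5_matches, indexes of data blocks whose CRC fails)."""
    hdr_len, remaining = struct.unpack_from(PREFIX, blob, 0)
    pos = struct.calcsize(PREFIX) + hdr_len
    md5, bad_blocks, index = hashlib.md5(), [], 0
    while remaining > 0:
        size = min(BLOCK, remaining)
        block = blob[pos:pos + size]
        (stored_crc,) = struct.unpack_from("<I", blob, pos + size)
        if zlib.crc32(block) != stored_crc:
            bad_blocks.append(index)      # CRC localizes damage to one block
        md5.update(block)
        pos, remaining, index = pos + size + 4, remaining - size, index + 1
    return md5.digest() == blob[pos:pos + 16], bad_blocks


def demo():
    # Constructed sample "drive": 100 KiB (three full blocks plus a partial one).
    source = bytes(i % 251 for i in range(100 * 1024))
    case_info = b"case=EXAMPLE-001"   # placeholder header content
    image = build_evidence(source, case_info)
    clean = verify_evidence(image)
    # Flip one bit inside the third data block to model a post-acquisition change.
    altered = bytearray(image)
    offset = struct.calcsize(PREFIX) + len(case_info) + 2 * (BLOCK + 4) + 100
    altered[offset] ^= 0x01
    return clean, verify_evidence(bytes(altered))


if __name__ == "__main__":
    print(demo())
```

The unaltered image verifies on both checks; after the single-bit change the MD5 no longer matches and the CRC failure points at the one affected 32K block.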
Once Data Is Preserved…
• Rebuild partitions if necessary
• Recover Folders
• Searching
  • Boolean
  • GREP
  • Foreign Language/Unicode
• Signature Analysis
• Hash Analysis
• Email Analysis
• File Review
• Export Functions
• Registry Review
Windows Artifacts
• Recycle Bin
• My Documents
• Recent
• Print Spool
• Internet History
• Temporary Internet Files
Collection of Data
Gates Rubber Co. v. Bando Chemical Indus., Ltd., 167 F.R.D. 90, 112 (D.C. Col., 1996).
• The court defined a legal duty on the part of litigants or potential litigants to perform proper computer forensic examinations.
• The examiner failed to do a mirror image copy of the target hard drive and instead did a file-by-file copy, resulting in the loss of data.
• The court imposed evidentiary sanctions and criticized the examiner for failing to make an image copy of the hard drive, finding that when processing evidence for judicial purposes a party has “a duty to utilize the method which would yield the most complete and accurate results”.
EnCase Recognized By Courts
State v. Morris, 2005 WL 356801 (Ohio App. 9 Dist. Feb. 16, 2005).
In this appellate case from Ohio, the original hard drive, which belonged to a third party, was overwritten. All that was available at the time of trial was the EnCase Evidence File containing the image of the drive. The court's decision in this case validates the MD5 hash process and considers forensic disk images to be exact copies and admissible when the “original” is no longer available.
EnCase & Authentication
State v. Cook, 777 N.E.2d 882, 886 (Ohio App. 2002)
In this case the defendant appealed his conviction of possessing child pornography and designation as a sexual predator, challenging what he claimed was “the lack of reliability of processes used to create two mirror images of the hard drive.” The Ohio Appellate court addressed this argument by describing in detail how the EnCase software was used to make the image of the hard drive. The court further noted that the investigator was trained in the use of EnCase and, in upholding the validity of the images, stated “In the present case, there is no doubt that the mirror image was an authentic copy of what was present on the computer's hard drive”.
“DIY” Collection Programs
Coleman (Parent) Holdings, Inc v. Morgan Stanley & Co., Inc., 2005 WL 679071 at *4 (Fla.Cir.Ct. Mar. 1, 2005), subsequent decision, 2005 WL 674885 (Fla.Cir.Ct. Mar. 23, 2005).
Morgan Stanley decided to collect electronic documents themselves, using software they developed in-house.
[A Morgan Stanley employee] reported that…she and her team had discovered a flaw in the software they had written and that flaw had prevented [Morgan Stanley] from locating all responsive email attachments. [She also] reported that [Morgan Stanley] discovered…that the date-range searches for email users who had a Lotus Notes platform were flawed, so there were at least 7,000 additional e-mail messages that appeared to fall within the scope of [existing orders]...
* * * Sanctions! * * *
THANKS!
Seth H. Row, (503) 222-1812
Michael Bean, (971) 285-3408 x 201