
Lecture 5: Disclosure and Production of Electronic Records


Presentation Transcript


  1. Lecture 5: Disclosure and Production of Electronic Records 6/9/2003 CSCE 590 Summer 2003

  2. Initial Disclosure • Amendments to the Federal Rules of Civil Procedures have established mandatory initial disclosure in which all parties have to provide, early in litigation, a copy of, or a description by category or location of, all documents, data compilations, and tangible things that are in the possession, custody, or control of the party and any evidence that the disclosing party may use to support its claims or defense.

  3. Civil Discovery • Civil discovery is the formal means by which parties in a lawsuit gather arguably relevant information from other parties in the lawsuit. Litigants can also obtain information from parties who are not litigants.

  4. Discovery • Can be expensive • Information does not have to be admissible as evidence • Could be for the purpose of leading to admissible evidence • Don't have to prove in court that you need it • Just request it • No 'probable cause' like in criminal cases

  5. Discovery Vehicles • Depositions: taking sworn testimony outside of court, in front of court reporter • Interrogatories: written questions soliciting specific written answers • Request for production of written documents: used to inspect things in custody or control of another party • Subpoenas duces tecum: compels non-parties to make their stuff available for inspection

  6. Four Phases to Producing • Identification: identify all pertinent records • Preservation: take affirmative steps to preserve the records and avoid spoliation • Filtering: review the records to determine what is responsive and must be identified or produced • Production: finally make the records available, or produce them

  7. Identification: Determine What is Needed • Preparation for initial disclosure • Determine what records the producing party might use to support its case or defense • Break down claims and defenses into their legal elements • Determine what facts they must prove to prevail • In responding to discovery requests: • Requests are usually very broad (sometimes to drive up your cost of producing) • Determine the precise records that would satisfy the requests

  8. Identification: Determine What the Producing Party Has • Electronic evidence consultant helps by asking producing party questions that make it consider: • All categories of records the producing party generates or maintains in the course of business • Kinds of records its IT is intended to generate or store • Interviews of management, computer staff, and key individuals to get this info • Sample questions pages 24-25

  9. Cast Your Net Widely During Identification • Do not limit the scope of your investigation • May miss something they are requesting • Or miss something that could help your case • Don't forget computer generated evidence • Logs, registry files, config files • Can corroborate user generated records (emails, documents, etc) • In the end, attorney must sign the initial disclosure or discovery response to certify • She thinks it is complete (disclosure) • Or consistent with court rules (discovery)

  10. Anticipate Problems Producing Data • Discovery rules allow parties to withhold records containing privileged communications • HR records, customer info, trade secrets, proprietary info licensed from 3rd parties, etc. • Also trial preparation materials • Don't want these to get into the public record, or even to be revealed at all in some cases

  11. Anticipate Problems Gaining Access to Data • Data stored off-site • Employees using home computers and employer may not even know about it • Encryption • Someone forgets password or leaves company • Obsolete or missing hardware or software • Reading old backup tapes

  12. Consider Costs of Producing • Estimate probable costs of preserving, reviewing, and producing • Helps producing party better manage discovery and the litigation • Excessive cost - can motion to limit discovery or shift costs onto the party seeking the discovery • Consultant can state estimated cost in an affidavit or declaration • Could be used to help decide a settlement value of the case

  13. Consider the Cost of Failure • Monetary sanctions • May not allow offending party to enter certain evidence • May allow certain factual issues to be presumed against the offending party • Court can dismiss claims or defenses • Enter a default judgment against a party failing to comply • Spoliation of evidence: the destruction or significant alteration of evidence - not just intentional, but includes failure to preserve also • Spoliation is a big problem with electronic evidence

  14. Preservation • Preserve media rather than files • Helps preserve files that may be of later interest • Preserves time stamps • Preserves residual or deleted data • Preserves corroborating evidence • First order of business - prevent harm • Immediately take media out of service • Backup media in backup pools to prevent re-use • Hard drives - bit by bit copy, put copy back into production to avoid business interruption, keep original

  15. Evidentiary Images • Evidentiary duplicate - exact bit for bit copy of media onto like media • Evidentiary image - bit for bit image of original media into one or more files • Use the images or duplicates for analysis, examinations, or data recovery efforts • Normal disk copying or backup programs only copy files the file system recognizes • Physically write protect media (like tapes and floppies) when possible

  16. Survey the Terrain • Connect information collected in identification stage with the specific hardware to which it applies • Helps identify what needs to be imaged - which of the mail server's disks, etc • Sample questions to develop a detailed catalogue to link sources of data to specific hardware to be examined on pages 34-35

  17. Preparing Evidentiary Images • Make sure where you are placing duplicate is forensically cleaned • Imaging process should not change the original evidence • Process used to create the evidentiary image must result in an image or duplicate that allows an accurate and complete review of everything that existed, in the way it existed, on the original medium • Chain of custody still applies • Store where there is no unauthorized access

  18. Filtering • Attorneys do this, especially with privileged materials • Consultant has 3 goals in filtering • Facilitate attorney's review of records by making them readable • Reduce data attorney must review • Gather info about records that can be later used to identify and organize records

  19. Sample Filtering Process Using the Following Directory Structure
      /prep: files requiring further processing
      /prep/special: recovered, encrypted, e-mail source files
      /prep/pslack: extracted slack
      /prep/pcluster: extracted unassigned clusters
      /review: data ready to be indexed for attorney review
      /review/rfiles: unprocessed, unaltered files after data reduction
      /review/rslack: reduced slack, text only
      /review/rcluster: reduced unassigned clusters, text only
      /review/converted: recovered deleted files, encrypted files, extracted e-mail; no data in original form

  20. Standard Data Filtering Steps • Access or restore evidentiary image files and restore backup tapes • Some software will verify as it restores • May need a system configured exactly like the original to use backup software to restore backup tapes • Backup software may have changed timestamps of backed up files when they were written to tape

  21. 2. Generate file lists with hash values and other info about files • Capture this info before any filtering or access of files takes place (and changes access timestamps) to use as a reference later: • Long and short file names • Extensions • Last written or modified dates and times • Created dates and times if available • Last access dates and times if available • Logical sizes • File paths • File hash values
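As an added example (not code from the lecture or from Casey's handbook), a Python script that captures the Step 2 reference list, reading each file's metadata before hashing its content so the access timestamps it records are the ones found on the evidence; the file names, paths and contents are constructed sample data. Short (8.3) names are not available from the standard library, so only the long name is recorded.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def hash_file(path, algo="sha1"):
    """Hash in 1 MiB chunks so large evidence files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root):
    """Record the Step 2 reference data for every file under root.

    os.stat() runs BEFORE the file is opened for hashing: on a read-write
    mount, opening it would update the access time being recorded.
    """
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.stat(path)                      # metadata first ...
            born = getattr(st, "st_birthtime", None)  # creation time only where the OS exposes it
            records.append({
                "name": name,                       # long name only (see lead-in)
                "ext": os.path.splitext(name)[1].lower(),
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "modified": _iso(st.st_mtime),
                "created": _iso(born) if born is not None else None,
                "accessed": _iso(st.st_atime),
                "sha1": hash_file(path),            # ... content hash last
            })
    return records

def demo():
    """Inventory a small constructed evidence tree (sample data, not real evidence)."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "docs"))
    for rel, data in (("docs/Forensics.doc", b"hello"), ("notes.TXT", b"")):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return inventory(root)
```

Write the returned records out (CSV or a spreadsheet) before any later step touches the files; Step 3 reuses the same inventory on recovered files.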

  22. 3. Recover deleted data • Check to see if discovery includes deleted data before going to the trouble • If it does, try it early • Copy recovered file to /prep/special • Preserve directory structure when copying to /prep/special to prevent overwriting files with the same name • Do a file list with hashes on recovered files as in Step 2

  23. 4. Recover slack or unassigned clusters • Check to see if discovery includes residual data in slack and unassigned clusters • Extract all slack into /prep/pslack • Extract unassigned clusters into /prep/pclusters • Reduce them to text (remove non-text characters) • Use strings utility • Put results in /review/rslack and /review/rclusters

  24. 5. Identify and remove known files • Operating system and application files (known files) can be reduced by their hash values • Hashkeeper database from NDIC at ftp://ftp.cis.fed.gov/pub/HashKeeper/Docs/HKSum.htm • NIST’s National Software Reference Library at http://www.nsrl.nist.gov/ • Automated tools: • FTK and Encase can take Hashkeeper values to filter known files • Maresware has compare and hash command line tools that can be used in batch files http://www.mareswares.com/

  25. 6. Remove other unnecessary file types • Often there is sufficient criteria to rule out particular file types in a case • May only need text, not executables • Run program to make sure file types match their extensions before ruling out file types • Compares file’s internal header info with extension • Save extension mismatch files into /prep/special directory

  26. 7. Remove duplicates • Removing duplicate files is called de-dupping • Attorneys must agree as to what constitutes a duplicate – may not be just identical hash values • Changes to file name or location may be important • Important pruning issue when examining several backups • All remaining files are in /review/rfiles
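An added example, not part of the original slides, that carries Steps 5 to 7 through in Python over constructed file-list records: the known-hash set, the file-signature table, and every file name and hash value are stand-ins, not HashKeeper or NSRL data. The header check runs before any file type is ruled out, as Step 6 requires, and the duplicate rule is a parameter because the attorneys define it.

```python
# Constructed stand-ins for a HashKeeper/NSRL hash set and a file-signature table.
KNOWN_HASHES = {"0f3b3a1b": "notepad.exe (OS file)"}
MAGIC = {                       # leading bytes each type must start with
    ".exe": (b"MZ",), ".dll": (b"MZ",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".pdf": (b"%PDF",), ".zip": (b"PK\x03\x04",),
}

def header_matches_extension(header, ext):
    """True/False when the extension is in the table, None when it cannot be judged."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    return any(header.startswith(s) for s in sigs)

def filter_records(records, known_hashes, drop_exts=(".exe", ".dll"), dedup_key=("sha1",)):
    """Route file-list records (Steps 5-7) to the directory each belongs in.

    dedup_key is the attorneys' definition of a duplicate: ("sha1",) treats
    renamed or moved copies as duplicates, ("sha1", "name") keeps them.
    """
    out = {"known": [], "special": [], "dropped": [], "duplicate": [], "rfiles": []}
    seen = set()
    for r in records:
        if r["sha1"] in known_hashes:                  # Step 5: known OS/application file
            out["known"].append(r)
        elif header_matches_extension(r["header"], r["ext"]) is False:
            out["special"].append(r)                   # Step 6: mismatch -> /prep/special
        elif r["ext"] in drop_exts:                    # Step 6: type ruled out, only after header check
            out["dropped"].append(r)
        elif (key := tuple(r[k] for k in dedup_key)) in seen:
            out["duplicate"].append(r)                 # Step 7: de-dupping
        else:
            seen.add(key)
            out["rfiles"].append(r)                    # -> /review/rfiles
    return out

def rec(name, path, sha1, header):
    return {"name": name, "path": path, "ext": name[name.rfind("."):].lower(), "sha1": sha1, "header": header}

OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE = [                        # constructed file-list entries
    rec("memo.doc", "users/a/memo.doc", "h1", OLE),
    rec("memo_old.doc", "backup/memo_old.doc", "h1", OLE),   # same content, different name
    rec("notepad.exe", "windows/notepad.exe", "0f3b3a1b", b"MZ\x90\x00"),
    rec("budget.xls", "users/a/budget.xls", "h2", b"MZ\x90\x00"),  # executable with .xls extension
    rec("tool.exe", "users/a/tool.exe", "h3", b"MZ\x90\x00"),
    rec("readme.txt", "users/a/readme.txt", "h4", b"plain text"),
]
```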

  27. 8. Identify and decrypt encrypted files • Encrypted data can raise spoliation issues if ignored • May not be economical to brute-force decrypt • Try to get keys from the person who encrypted it • Use a password recovery tool like AccessData’s Password Recovery Tool Kit (PRT) • Tools to identify encrypted files: • Maresware’s ispgp to find PGP encrypted files, PGP keyrings, and PGP signature files • AccessData’s Forensic Tool Kit (FTK) and PRT identify encrypted data • Move encrypted files to /prep/special • Put any successfully decrypted files in /review/converted

  28. 9. Extract email and attachments • Some e-mail apps use proprietary formats, non-text • E-mail should be extracted and converted to text with their native applications and put in /review/converted • Also extract any attachments and put in /prep/special

  29. 10. Index text data • The R (review) directories now contain all data to be reviewed by attorneys • Attorneys will either do string searches or index-based searches for large collections of data • Index entire review directory with a tool like dtSearch from http://www.dtsearch.com • Review indexing log after indexing to check for any files that couldn’t be indexed

  30. 11. Review for content • Attorneys review and sort files into three categories: • Non-responsive: irrelevant to discovery or not requested • Responsive: relevant to discovery or to the producing party’s case • Privileged: relevant, but fall under legal privilege and do not have to be produced

  31. Production • Organize the records for production (Step 12) • Segregate responsive from non-responsive by deleting non-responsive files and moving privileged files to another directory • Bates numbering: sequential numbering scheme traditionally used by attorneys to uniquely label each page of paper documents and other tangible objects for identification during case preparation • Maresware has a bates_no tool for files http://www.maresware.com/ • Example: • Forensics.doc -> Forensics.EC001.doc • Lab Expenses.xls -> Lab Expenses.EC002.xls • Big_Presentation.ppt -> Big_Presentation.EC003.ppt

  32. Prepare Production and Privilege Logs • Production log: • Consultant prepares new list of responsive files with • Hash values • Bates numbers • Combines with original file list to get: • File name, Bates number, original date and time stamps, file size, path, and hash values for all produced files • Privilege log: • Similar list for privileged files with attorneys’ description for legal basis for withholding them
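Added example (neither the lecture's own code nor Maresware's bates_no): Bates numbering in Python using the three file names from slide 31, followed by the production and privilege logs of slide 32, joined against a constructed original file list of the kind Step 2 produces. The hash values, sizes, timestamps and the privilege basis are constructed sample data.

```python
import os

def bates_name(filename, bates_no):
    """Insert the Bates number before the extension: Forensics.doc -> Forensics.EC001.doc."""
    stem, ext = os.path.splitext(filename)
    return f"{stem}.{bates_no}{ext}"

def bates_number(responsive, prefix="EC", start=1, width=3):
    """Assign sequential Bates numbers to the responsive records (Step 12)."""
    numbered = []
    for seq, r in enumerate(responsive, start):
        no = f"{prefix}{seq:0{width}d}"
        numbered.append({**r, "bates": no, "produced_name": bates_name(r["name"], no)})
    return numbered

LOG_FIELDS = ("name", "bates", "produced_name", "modified", "created", "size", "path", "sha1")

def production_log(numbered, original_list):
    """Join Bates assignments with the original Step 2 file list, keyed by path.

    Values from the original list take precedence: they were captured before
    any filtering touched the files, so they are the ones to report.
    """
    by_path = {o["path"]: o for o in original_list}
    rows = []
    for n in numbered:
        row = {**n, **by_path[n["path"]]}
        rows.append({k: row.get(k) for k in LOG_FIELDS})
    return rows

def privilege_log(privileged, basis):
    """Same shape for withheld files (no Bates number), plus the attorneys' stated basis."""
    return [{**{k: p.get(k) for k in LOG_FIELDS if k not in ("bates", "produced_name")},
             "basis": basis[p["path"]]} for p in privileged]

def orig(name, path, sha1, size):   # constructed Step 2 entries, timestamps fixed for the sample
    return {"name": name, "path": path, "sha1": sha1, "size": size,
            "modified": "2003-05-01T10:00:00+00:00", "created": None}

ORIGINAL = [                        # constructed original file list (before filtering)
    orig("Forensics.doc", "users/a/Forensics.doc", "h1", 40960),
    orig("Lab Expenses.xls", "users/a/Lab Expenses.xls", "h2", 18432),
    orig("Big_Presentation.ppt", "shared/Big_Presentation.ppt", "h3", 512000),
    orig("counsel_memo.doc", "users/a/counsel_memo.doc", "h4", 20480),
]
RESPONSIVE, PRIVILEGED = ORIGINAL[:3], ORIGINAL[3:]
BASIS = {"users/a/counsel_memo.doc": "attorney-client communication (constructed basis)"}
```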

  33. Prepare Distribution Media • Copy to CDROM or other media: • Bates numbered files • Production logs • Privilege logs • Give to the attorneys, who: • Sign the discovery response or initial disclosure statements • Serve it on the other parties

  34. References • Chapter Two, Handbook of Computer Crime Investigation (Eoghan Casey)
