Why E-Discovery Protocol?

Monday, April 18th, 2011

Too many Electronically Saved Information cases are left pending, without ever discovering the light of a solution in sight. The E-Discovery protocol is expected to facilitate the just, speedy, and inexpensive conduct of discovery involving Electronically Stored Information (ESI) in civil cases, and to promote, whenever possible, the resolution of disputes regarding the discovery of ESI without the intervention.

Lawyers engaged in civil litigation on smaller matters are not sure regarding the extent to which ESI must be preserved. They are worried about the costs associated with identifying, preserving, collecting, reviewing, and producing this information. This uncertainty, and a lack of understanding of the technical issues involved, forces many lawyers to choose one of the two extremes: over preservation to prevent sanctions or delegate preservation responsibilities to vendors or the clients themselves.

Without the benefit of large E-Discovery budgets, attorneys handling smaller matters may find themselves trapped. Engaging an outside expert to assess the client’s technology infrastructure and implement an appropriate E-Discovery protocol is prohibitively expensive. Clients may not be comfortable with the internal information being assessed by outside experts when their own technology personnel can handle the chunk of information. They may question the need to hire outside experts. These are, of course, reasonable arguments

Usually the time consuming collection of ESI may even go waste. Then there is the attorney review time which again takes a long time to process including the chunks of useless data that must have been collected. An E-Discovery protocol is intended to provide the parties with a comprehensive framework to address and resolve a wide range of ESI issues but it is not intended to be an inflexible checklist.

The Court expects parties to consider the nature of the claim, the amount in controversy, agreements of the parties, the relative ability of the parties to conduct discovery of ESI, and such other factors as may be relevant under the circumstances. Therefore not all aspects of this Protocol may be applicable or practical for a particular matter, and indeed, if the parties do not intend to seek discovery of ESI it may be entirely inapplicable to a particular case. The Court encourages the parties to use this Protocol in cases in which there will be discovery of ESI, and to resolve ESI issues informally and without supervision whenever possible.

The Process for Recovering Electronic Evidence

Tuesday, March 1st, 2011

There are two primary steps in the process of recovering electronic data; “acquisition” of the target medium, and a forensic byte-by-byte analysis of the data.

Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer medium.

Rather than producing interpretative conclusions, as in many forensic disciplines, computer forensic science produces direct information and data that may have some significance in a case. This type of direct data collection has wide-ranging implications for both the relationship between the investigator and the forensic scientist and the work product of the forensic computer examination.

Using customized computer forensic tools, the target medium is acquired through a non-invasive complete area-by-area bit-stream image procedure. During the imaging process, it is critical the mirror image be acquired in a DOS environment. Switching on the computer and booting into its operating system will subtly modify the file system, potentially destroying some recoverable evidence.

The resulting image becomes the “evidence file,” which is mounted as a read-only or “virtual” file, on which the forensic examiner will perform their analysis. The forensics software used by CFI creates an evidence file that will be continually verified by a Cyclical Redundancy Checksum (“CRC”) algorithm for every 64 sectors (block) of data and a by a MD5 128 bit encryption hash file for the entire image. Both steps verify the integrity of the evidence file, and confirms the image has remained unaltered and forensically intact. Using the MD5 hash encryption, changing even one bit of data will result in a notification that the evidence file data has been changed and is no longer forensically intact.

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, a federal criminal statute outlawing various computer crimes, provides a civil remedy for companies victimized by a violation of the statute.In this new digital age, the CFAA is fast becoming recognized as a proactive tool that can be used by companies to retrieve stolen data, prevent its dissemination in the marketplace and obtain compensatory damages resulting from its theft, use and malicious destruction.

Role of the Computer Forensics Expert Witness in the Litigation Process

Wednesday, September 22nd, 2010

Computer Forensics

Computer forensics are used in criminal investigation, civil litigation, hacking, embezzlement, industrial espionage, insurance fraud and law enforcement or Internet/company property abuse.

Computer forensics focuses on acquisition, restoration and analysis of digital data. In business world, computer forensics can be used to restore corrupted or lost data, resurrect outdated software environment, and analyze common security breach activities.

A Computer Forensics Expert

A computer forensics expert is an experienced personnel who can access a compromised computer, duplicate all files and directories and document all steps taken during the recovery and discovery process. A computer forensics expert is an experienced personnel who can maintain the integrity of data, preserving the chain of control and following a proven methodology of review. A computer forensics expert can track deleted files, hidden files, files created by the system such as an automatic backup of a document, or fragmented files that are scattered throughout the storage devices. A computer forensics expert is an experienced personnel who can document the location of electronic data, its nature, format and other identifiers.

A Computer Forensics Expert Witness

A computer forensics expert witness is an experienced personnel who is adept at handling the tools of computer forensics, resolving matters in corporates and litigation processes by contributing to the evidence pool, establishing truth for more efficient and rapid resolution, judgment or settlement. Digital data that is lost, stolen, deleted or otherwise manipulated can be of evidential value in a lawsuit.

Role of a Computer Forensics Expert Witness

A computer forensics expert witness plans strategies: The analytical and technical skill sets of a computer forensics expert witness provides attorneys with assistance at every step of the litigation process through discoverable and electronically stored information and the form in which it should be presented strategically.

A computer forensics expert witness assists counsel for plaintiff: The attorney for a plaintiff is entitled to all electronic information that is key to the litigation and he may request the electronic data to support his client’s claims. The computer forensics expert witness can brainstorm with the attorney and the client regarding all physical locations of the relevant and different forms of e-data. The computer forensics expert witness can also assist in determining if data wiping or encryption utilities were used.

The computer forensics expert witness assists the counsel for defendant:

  • The computer forensics expert witness confers with the client and his IT personnel attorney for the defendant to discuss how to maintain files during litigation and how to preserve and protect data
  • The computer forensics expert witness can assist in balancing privacy with evidence production by providing electronic discovery on behalf of their clients, including redacting proprietary or attorney/client privileged data
  • The computer forensics expert witness also assists his client’s IT professionals understand the legal requirements associated with preservation of electronic data
  • The computer forensics expert witness can attend “meet and confer” sessions.
  • The computer forensics expert witness suggests information to request with respect to backup procedures
  • The computer forensics expert witness provides assistance with wording for interrogation and requests for potential deposition questions for IT personnel
  • The computer forensics expert witness can determine where and how often the suspect had used the Internet if it is relevant to the case
  • The computer forensics expert witness restores and recovers deleted files
  • The computer forensics expert witness researches and determines if any dates have been altered
  • The computer forensics expert witness helps parties understand the scope and nature of electronic data collection, filters privileged data and assists in determining the extent of the data accessed

Analysis: The computer forensics expert witness researches analyzes the key words, documents or dates important to the litigation as an evidence to tampering and data deletion.

The computer forensics expert witness can offer testimony:

  • The computer forensics expert witness has the skills and experience to explain technical concepts and present mass amounts of data in a clear and understandable manner with respect to electronic evidence
  • The computer forensics expert witness can demonstrate the securely collected and preserved data as electronic evidence
  • The computer forensics expert witness needs to make sure the proper software is used as only a few software programs have been tested and approved by various courts as forensically sound and reliable
  • The computer forensics expert witness must also assure that he is employing accepted procedures including documenting the chain of custody of electronic data
  • The computer forensics expert witness must also assure that his overall ability to testify and demonstrate that the procedures he is employing is forensically sound
  • The computer forensics expert witness must be aware of the ethics of his profession and laws governing his testimony
  • The computer forensics expert witness should have reputable experience
  • The computer forensics expert witness must be able to withstand cross-examination

Data Triage Technologies offers Computer Forensics and Expert Witness Services to the legal communities in California and throughout the United States. Data Triage’s computer forensics experts identify, preserve and analyze potentially discoverable electronic evidence, while maintaining a cost effective approach throughout the process to support ongoing investigation. Let the professionals at Data Triage Technologies assist you in obtaining the evidence vital for winning your case!

Does Your Company Have A Computer Incident Response Team (CIRT)?

Saturday, July 31st, 2010

Computer Incident Response Team is an expert group that handles computer security incidents. Whenever a new technology arrives, it is invariably dogged by misuse like the first worm in the IBM VNET and Morris Worm that hit Internet and paralyzed it. This led to the formation of the first Computer Emergency Response Team at Carnegie Mellon University under U.S. Government contract. With the massive growth in the use of Information and Communications Technologies thereafter, the Computer Incident Response Team (CIRT) has come to stay as an essential part of large organizations.

No matter how well your network is protected, there are always incidents you are not prepared to deal with, by yourself. It may be because the problem is beyond your technical know-how for the necessary action to be taken. Security policy of a company is not complete until procedures are put into place for the handling and recovery from the incidents. The best solution is to include a Computer Incident Response Team (CIRT) within the company’s incident response procedures.

What is a Computer Incident Response Team (CIRT)?

A Computer Incident Response Team (CIRT) is a group of people who can promptly and correctly handle an incident. A Computer Incident Response Team (CIRT) can quickly contain, investigate and recover from an incident that poses a threat to the security of an organization. A Computer Incident Response Team (CIRT) is usually comprised of members from within the company. A Computer Incident Response Team (CIRT) must have people with the authority to make decisions and take actions.

Who constitute a Computer Incident Response Team CIRT?

Depending on the needs and resources of the company a Computer Security Incident Response Team (CIRT) is constituted.

Members in a Computer Security Incident Response Team (CIRT):

Management: A member of upper level management on the Computer Security Incident Response Team can make the big decisions, and be an effective resource involved in evaluating security, selecting a team, developing a policy and exercising the plan during an incident based on input from the members of the team.

Information Security: They are the trained personnel in the area of handling electronic incidents with an ability to handle a multitude of incidents. An Information Security member on the Computer Security Incident Response Team can assess the extent of the damage and execute containment, basic forensics and recovery.

IT Team: In the event of an incident, the IT team on the Computer Security Incident Response Team knows where the data can be accessed or discovered before the evidence or the corrupt database is over written and replaced from a back up.

The IT/MIS: The IT/MIS on the Computer Security Incident Response Team can assist the Information Security team with technical matters if required.

IT Auditor: The IT Auditor tracks the incident and works with IT/security conducting post-incident reviews to avoid problems in the future.

Security: The Security on the Computer Security Incident Response Team can assess any physical damage, investigate physical evidence and guard evidence during a forensics investigation to maintain a chain of evidence.

Attorney: An attorney on the Computer Security Incident Response Team is useful for supplying them with legal advice on the usability of any evidence collected during an investigation and also provide advice regarding liability issues that affect customers, vendors or the general public.

Human Resource: Many incidents involve company employees. The Human Resource on the Computer Security Incident Response Team provides advice as to how best to handle situations when an employee is discovered to be involved.

Public Relations: The Public Relations on the Computer Security Incident Response Team communicate with team leaders, the press and stockholders to ensure an accurate understanding of the issue, the company status and current situation.

Financial Auditor: Financial Auditor on the Computer Security Incident Response Team has the hardest job to do when an incident occurs putting a monetary figure that has occurred as a result of an incident for insurance companies and to press charges under the National Information Infrastructure Protection Act.

Some managers may not opt to create a team and prefer outsourcing professionals when an incident occurs. For them creating a Computer Incident Response Team may not be the best solution for every company, but it can prove to be an invaluable tool. Computer Incident Response Team improves the response time to any computer based problems an organization may face.

Data Triage’s Computer Incident Response Team helps the organizations which has become the victim a of security breach. CIRT team captures and isolates evidence while restoring services efficiently. Steps are taken to insure the evidence is preserved for possible litigation or legal compliance.

Intrusion Detection System Logs as Evidence and Legal Aspects

Wednesday, February 20th, 2008

Modern techniques and methodologies for detecting attacks and malicious activities on computers and networks have evolved a lot over the last couple of years. The need for detecting intrusion attempts before the actual attack simplifies the job of securely administering computer networks. Often an attacker will probe different ports and services on a network to get intelligence about the structure of the network. Afterwards how and what services can be compromised is decided. This is a common strategy applied by most of the attackers and this is where Intrusion Detection Systems (IDS) comes in. They simplify the job of detecting attacks well before the actual attack by tracing the trails that the attacker leaves while gathering intelligence about a network. Government legislations however often act as a barrier in accessing/ monitoring private communications. This article will particularly focus on the potential of using IDS logs as evidence in legal proceedings. It will also address the Commonwealth Telecommunication Interception Act to identify some conflicting issues that at some extent acts as a barrier for deployment of IDS tools.

(more…)