Posts Tagged ‘Litigation Support’

Why E-Discovery Protocol?

Monday, April 18th, 2011

Too many Electronically Saved Information cases are left pending, without ever discovering the light of a solution in sight. The E-Discovery protocol is expected to facilitate the just, speedy, and inexpensive conduct of discovery involving Electronically Stored Information (ESI) in civil cases, and to promote, whenever possible, the resolution of disputes regarding the discovery of ESI without the intervention.

Lawyers engaged in civil litigation on smaller matters are not sure regarding the extent to which ESI must be preserved. They are worried about the costs associated with identifying, preserving, collecting, reviewing, and producing this information. This uncertainty, and a lack of understanding of the technical issues involved, forces many lawyers to choose one of the two extremes: over preservation to prevent sanctions or delegate preservation responsibilities to vendors or the clients themselves.

Without the benefit of large E-Discovery budgets, attorneys handling smaller matters may find themselves trapped. Engaging an outside expert to assess the client’s technology infrastructure and implement an appropriate E-Discovery protocol is prohibitively expensive. Clients may not be comfortable with the internal information being assessed by outside experts when their own technology personnel can handle the chunk of information. They may question the need to hire outside experts. These are, of course, reasonable arguments

Usually the time consuming collection of ESI may even go waste. Then there is the attorney review time which again takes a long time to process including the chunks of useless data that must have been collected. An E-Discovery protocol is intended to provide the parties with a comprehensive framework to address and resolve a wide range of ESI issues but it is not intended to be an inflexible checklist.

The Court expects parties to consider the nature of the claim, the amount in controversy, agreements of the parties, the relative ability of the parties to conduct discovery of ESI, and such other factors as may be relevant under the circumstances. Therefore not all aspects of this Protocol may be applicable or practical for a particular matter, and indeed, if the parties do not intend to seek discovery of ESI it may be entirely inapplicable to a particular case. The Court encourages the parties to use this Protocol in cases in which there will be discovery of ESI, and to resolve ESI issues informally and without supervision whenever possible.

The Process for Recovering Electronic Evidence

Tuesday, March 1st, 2011

There are two primary steps in the process of recovering electronic data; “acquisition” of the target medium, and a forensic byte-by-byte analysis of the data.

Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer medium.

Rather than producing interpretative conclusions, as in many forensic disciplines, computer forensic science produces direct information and data that may have some significance in a case. This type of direct data collection has wide-ranging implications for both the relationship between the investigator and the forensic scientist and the work product of the forensic computer examination.

Using customized computer forensic tools, the target medium is acquired through a non-invasive complete area-by-area bit-stream image procedure. During the imaging process, it is critical the mirror image be acquired in a DOS environment. Switching on the computer and booting into its operating system will subtly modify the file system, potentially destroying some recoverable evidence.

The resulting image becomes the “evidence file,” which is mounted as a read-only or “virtual” file, on which the forensic examiner will perform their analysis. The forensics software used by CFI creates an evidence file that will be continually verified by a Cyclical Redundancy Checksum (“CRC”) algorithm for every 64 sectors (block) of data and a by a MD5 128 bit encryption hash file for the entire image. Both steps verify the integrity of the evidence file, and confirms the image has remained unaltered and forensically intact. Using the MD5 hash encryption, changing even one bit of data will result in a notification that the evidence file data has been changed and is no longer forensically intact.

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, a federal criminal statute outlawing various computer crimes, provides a civil remedy for companies victimized by a violation of the statute.In this new digital age, the CFAA is fast becoming recognized as a proactive tool that can be used by companies to retrieve stolen data, prevent its dissemination in the marketplace and obtain compensatory damages resulting from its theft, use and malicious destruction.

Role of the Computer Forensics Expert Witness in the Litigation Process

Wednesday, September 22nd, 2010

Computer Forensics

Computer forensics are used in criminal investigation, civil litigation, hacking, embezzlement, industrial espionage, insurance fraud and law enforcement or Internet/company property abuse.

Computer forensics focuses on acquisition, restoration and analysis of digital data. In business world, computer forensics can be used to restore corrupted or lost data, resurrect outdated software environment, and analyze common security breach activities.

A Computer Forensics Expert

A computer forensics expert is an experienced personnel who can access a compromised computer, duplicate all files and directories and document all steps taken during the recovery and discovery process. A computer forensics expert is an experienced personnel who can maintain the integrity of data, preserving the chain of control and following a proven methodology of review. A computer forensics expert can track deleted files, hidden files, files created by the system such as an automatic backup of a document, or fragmented files that are scattered throughout the storage devices. A computer forensics expert is an experienced personnel who can document the location of electronic data, its nature, format and other identifiers.

A Computer Forensics Expert Witness

A computer forensics expert witness is an experienced personnel who is adept at handling the tools of computer forensics, resolving matters in corporates and litigation processes by contributing to the evidence pool, establishing truth for more efficient and rapid resolution, judgment or settlement. Digital data that is lost, stolen, deleted or otherwise manipulated can be of evidential value in a lawsuit.

Role of a Computer Forensics Expert Witness

A computer forensics expert witness plans strategies: The analytical and technical skill sets of a computer forensics expert witness provides attorneys with assistance at every step of the litigation process through discoverable and electronically stored information and the form in which it should be presented strategically.

A computer forensics expert witness assists counsel for plaintiff: The attorney for a plaintiff is entitled to all electronic information that is key to the litigation and he may request the electronic data to support his client’s claims. The computer forensics expert witness can brainstorm with the attorney and the client regarding all physical locations of the relevant and different forms of e-data. The computer forensics expert witness can also assist in determining if data wiping or encryption utilities were used.

The computer forensics expert witness assists the counsel for defendant:

  • The computer forensics expert witness confers with the client and his IT personnel attorney for the defendant to discuss how to maintain files during litigation and how to preserve and protect data
  • The computer forensics expert witness can assist in balancing privacy with evidence production by providing electronic discovery on behalf of their clients, including redacting proprietary or attorney/client privileged data
  • The computer forensics expert witness also assists his client’s IT professionals understand the legal requirements associated with preservation of electronic data
  • The computer forensics expert witness can attend “meet and confer” sessions.
  • The computer forensics expert witness suggests information to request with respect to backup procedures
  • The computer forensics expert witness provides assistance with wording for interrogation and requests for potential deposition questions for IT personnel
  • The computer forensics expert witness can determine where and how often the suspect had used the Internet if it is relevant to the case
  • The computer forensics expert witness restores and recovers deleted files
  • The computer forensics expert witness researches and determines if any dates have been altered
  • The computer forensics expert witness helps parties understand the scope and nature of electronic data collection, filters privileged data and assists in determining the extent of the data accessed

Analysis: The computer forensics expert witness researches analyzes the key words, documents or dates important to the litigation as an evidence to tampering and data deletion.

The computer forensics expert witness can offer testimony:

  • The computer forensics expert witness has the skills and experience to explain technical concepts and present mass amounts of data in a clear and understandable manner with respect to electronic evidence
  • The computer forensics expert witness can demonstrate the securely collected and preserved data as electronic evidence
  • The computer forensics expert witness needs to make sure the proper software is used as only a few software programs have been tested and approved by various courts as forensically sound and reliable
  • The computer forensics expert witness must also assure that he is employing accepted procedures including documenting the chain of custody of electronic data
  • The computer forensics expert witness must also assure that his overall ability to testify and demonstrate that the procedures he is employing is forensically sound
  • The computer forensics expert witness must be aware of the ethics of his profession and laws governing his testimony
  • The computer forensics expert witness should have reputable experience
  • The computer forensics expert witness must be able to withstand cross-examination

Data Triage Technologies offers Computer Forensics and Expert Witness Services to the legal communities in California and throughout the United States. Data Triage’s computer forensics experts identify, preserve and analyze potentially discoverable electronic evidence, while maintaining a cost effective approach throughout the process to support ongoing investigation. Let the professionals at Data Triage Technologies assist you in obtaining the evidence vital for winning your case!

Intrusion Detection System Logs as Evidence and Legal Aspects

Wednesday, February 20th, 2008

Modern techniques and methodologies for detecting attacks and malicious activities on computers and networks have evolved a lot over the last couple of years. The need for detecting intrusion attempts before the actual attack simplifies the job of securely administering computer networks. Often an attacker will probe different ports and services on a network to get intelligence about the structure of the network. Afterwards how and what services can be compromised is decided. This is a common strategy applied by most of the attackers and this is where Intrusion Detection Systems (IDS) comes in. They simplify the job of detecting attacks well before the actual attack by tracing the trails that the attacker leaves while gathering intelligence about a network. Government legislations however often act as a barrier in accessing/ monitoring private communications. This article will particularly focus on the potential of using IDS logs as evidence in legal proceedings. It will also address the Commonwealth Telecommunication Interception Act to identify some conflicting issues that at some extent acts as a barrier for deployment of IDS tools.