Lecture 5: Disclosure and Production of Electronic Records
6/9/2003
CSCE 590
Summer 2003
Initial Disclosure
• Amendments to the Federal Rules of Civil Procedure have established mandatory initial disclosure, in which all parties have to provide, early in litigation, a copy of, or a description by category or location of, all documents, data compilations, and tangible things that are in the possession, custody, or control of the party, and any evidence that the disclosing party may use to support its claims or defenses.
Civil Discovery
• Civil discovery is the formal means by which parties in a lawsuit gather arguably relevant information from other parties in the lawsuit. Litigants can also obtain information from parties who are not litigants.
Discovery
• Can be expensive
• Information does not have to be admissible as evidence
  – Could be for the purpose of leading to admissible evidence
• Don't have to prove in court that you need it
  – Just request it
  – No 'probable cause' like in criminal cases
Discovery Vehicles
• Depositions: taking sworn testimony outside of court, in front of court reporter
• Interrogatories: written questions soliciting specific written answers
• Request for production of written documents: used to inspect things in custody or control of another party
• Subpoenas duces tecum: compels non-parties to make their stuff available for inspection
Four Phases to Producing
• Identification: identify all pertinent records
• Preservation: take affirmative steps to preserve the records and avoid spoliation
• Filtering: review the records to determine what is responsive and must be identified or produced
• Production: finally make the records available, or produce them
Identification: Determine What is Needed
• Preparation for initial disclosure
  – Determine what records the producing party might use to support its case or defense
  – Break down claims and defenses into their legal elements
  – Determine what facts they must prove to prevail
• In responding to discovery requests:
  – Requests are usually very broad (sometimes to drive up your cost of producing)
  – Determine the precise records that would satisfy the requests
Identification: Determine What the Producing Party Has
• Electronic evidence consultant helps by asking the producing party questions that make it consider:
  – All categories of records the producing party generates or maintains in the course of business
  – Kinds of records its IT is intended to generate or store
• Interviews of management, computer staff, and key individuals to get this info
  – Sample questions on pages 24-25
Cast Your Net Widely During Identification
• Do not limit the scope of your investigation
  – May miss something they are requesting
  – Or miss something that could help your case
• Don't forget computer generated evidence
  – Logs, registry files, config files
  – Can corroborate user generated records (emails, documents, etc.)
• In the end, the attorney must sign the initial disclosure or discovery response to certify
  – She thinks it is complete (disclosure)
  – Or consistent with court rules (discovery)
Anticipate Problems Producing Data
• Discovery rules allow parties to withhold records containing privileged communications
  – HR records, customer info, trade secrets, proprietary info licensed from 3rd parties, etc.
• Also trial preparation materials
• Don't want these to get into the public record, or even to be revealed at all in some cases
Anticipate Problems Gaining Access to Data
• Data stored off-site
  – Employees using home computers, and the employer may not even know about it
• Encryption
  – Someone forgets the password or leaves the company
• Obsolete or missing hardware or software
  – Reading old backup tapes
Consider Costs of Producing
• Estimate probable costs of preserving, reviewing, and producing
• Helps the producing party better manage discovery and the litigation
• Excessive cost - can motion to limit discovery or shift costs onto the party seeking the discovery
• Consultant can state estimated cost in an affidavit or declaration
• Could be used to help decide a settlement value of the case
Consider the Cost of Failure
• Monetary sanctions
• May not allow offending party to enter certain evidence
• May allow certain factual issues to be presumed against the offending party
• Court can dismiss claims or defenses
• Enter a default judgment against a party failing to comply
• Spoliation of evidence: the destruction or significant alteration of evidence - not just intentional, but includes failure to preserve also
  – Spoliation is a big problem with electronic evidence
Preservation
• Preserve media rather than files
  – Helps preserve files that may be of later interest
  – Preserves time stamps
  – Preserves residual or deleted data
  – Preserves corroborating evidence
• First order of business - prevent harm
  – Immediately take media out of service
  – Backup media in backup pools to prevent re-use
  – Hard drives - bit by bit copy, put copy back into production to avoid business interruption, keep original
Evidentiary Images
• Evidentiary duplicate - exact bit for bit copy of media onto like media
• Evidentiary image - bit for bit image of original media into one or more files
• Use the images or duplicates for analysis, examinations, or data recovery efforts
• Normal disk copying or backup programs only copy files the file system recognizes
• Physically write protect media (like tapes and floppies) when possible
Survey the Terrain
• Connect information collected in identification stage with the specific hardware to which it applies
• Helps identify what needs to be imaged - which of the mail server's disks, etc
• Sample questions to develop a detailed catalogue to link sources of data to specific hardware to be examined on pages 34-35
Preparing Evidentiary Images
• Make sure where you are placing the duplicate is forensically cleaned
• Imaging process should not change the original evidence
• Process used to create the evidentiary image must result in an image or duplicate that allows an accurate and complete review of everything that existed, in the way it existed, on the original medium
• Chain of custody still applies
• Store where there is no unauthorized access
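The two requirements above (the imaging process must not change the original, and the image must be an accurate and complete copy) are normally checked with hashes. The following is an added example, not code from the lecture or from Casey's handbook: it hashes the source as it is read, re-reads the finished image to get an independent verification hash, re-hashes the source afterwards, and accepts the image only if sizes and all three digests agree. A temporary file of constructed bytes stands in for a raw medium; the function names are this example's own.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read; real imaging tools work in sector multiples


def image_medium(source, image_path):
    """Read `source` once, sequentially, writing every byte to `image_path` and
    hashing the bytes as they pass through (the acquisition hash).  The source
    is opened read-only; nothing here writes to it.  In a real acquisition the
    source would be a raw device behind a write blocker; here it is a file."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def hash_file(path):
    """Independent second pass over a file, used to re-read the finished image
    rather than trusting only the hash taken on the fly."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(source, image_path):
    """Acquisition hash (taken while imaging) vs. verification hash (re-reading
    the image) vs. a post-imaging hash of the source.  Sizes are compared too,
    so a short read is caught even before the digests are looked at.  The
    source hash after imaging shows the imaging pass left the original as it
    was; a mismatch there is the problem the slide warns about."""
    acquisition = image_medium(source, image_path)
    verification = hash_file(image_path)
    source_after = hash_file(source)
    size_match = os.path.getsize(source) == os.path.getsize(image_path)
    return {
        "size_match": size_match,
        "acquisition_sha256": acquisition,
        "verification_sha256": verification,
        "source_after_sha256": source_after,
        "ok": size_match and acquisition == verification == source_after,
    }


def make_sample_medium(size=3 * CHUNK + 123):
    """Constructed stand-in for a small medium: deterministic pseudo-random
    bytes in a temp file, deliberately not a multiple of CHUNK so the final
    short read is exercised."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as f:
        rnd = hashlib.sha256(b"constructed seed").digest()
        written = 0
        while written < size:
            rnd = hashlib.sha256(rnd).digest()
            piece = rnd[: size - written]
            f.write(piece)
            written += len(piece)
    return path


if __name__ == "__main__":
    src = make_sample_medium()
    print(verify_image(src, src + ".img"))
```

The acquisition and verification hashes are the values that belong in the chain of custody record for the image; anyone later handed a copy can re-run the second pass and compare.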
Filtering
• Attorneys do this, especially with privileged materials
• Consultant has 3 goals in filtering
  – Facilitate the attorney's review of records by making them readable
  – Reduce data the attorney must review
  – Gather info about records that can later be used to identify and organize records
Sample Filtering Process Using the Following Directory Structure
/prep files requiring further processing
/prep/special recovered, encrypted, e-mail source files
/prep/pslack extracted slack
/prep/pcluster extracted unassigned clusters
/review data ready to be indexed for attorney review
/review/rfiles unprocessed, unaltered files after data reduction
/review/rslack reduced slack, text only
/review/rcluster reduced unassigned clusters, text only
/review/converted recovered deleted files, encrypted files, extracted e-mail; no data in original form
Standard Data Filtering Steps
1. Access or restore evidentiary image files and restore backup tapes
• Some software will verify as it restores
• May need a system configured exactly like the original to use backup software to restore backup tapes
• Backup software may have changed timestamps of backed up files when they were written to tape
2. Generate file lists with hash values and other info about files
• Capture this info before any filtering or access of files takes place (and changes access timestamps) to use as a reference later:
  – Long and short file names
  – Extensions
  – Last written or modified dates and times
  – Created dates and times if available
  – Last access dates and times if available
  – Logical sizes
  – File paths
  – File hash values
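The file list in Step 2 is the reference every later step is joined back against, so the order of operations matters: take the metadata first, then hash. An added example follows (not the lecture's or Casey's code; function names are this example's own) that walks a tree, records the fields the slide lists that os.stat can supply, and hashes each file. Short 8.3 names are not available through os.stat and are omitted. On a writable mount, the read needed to hash a file may itself update its access time, which is why the stat() result taken before the read is what gets recorded, and why this is run against a read-only mount of the image in practice. The sample tree is constructed here.

```python
import csv
import hashlib
import io
import os
import stat
import tempfile
from datetime import datetime, timezone

FIELDS = ["path", "name", "ext", "size", "mtime", "ctime", "atime", "sha256"]


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def inventory(root):
    """One record per regular file under root.  lstat() runs first and its
    timestamps are what is recorded; only then is the file opened for hashing."""
    rows = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic walk order so two runs produce the same list
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices: note them separately, don't hash them
            with open(full, "rb") as f:
                # whole-file read is fine for a demo; chunk it for large evidence
                digest = hashlib.sha256(f.read()).hexdigest()
            rows.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "name": name,
                "ext": os.path.splitext(name)[1].lower(),
                "size": st.st_size,
                "mtime": _iso(st.st_mtime),
                "ctime": _iso(st.st_ctime),  # inode change time on Unix, creation time on Windows
                "atime": _iso(st.st_atime),
                "sha256": digest,
            })
    return rows


def to_csv(rows):
    """Serialise the list; this CSV is the reference later steps join against."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample: three files in two directories, two of them byte
    identical (same content in different locations) so the hashes show it."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "docs", "old"))
    for rel, data in [("docs/memo.txt", b"hello world"),
                      ("docs/old/memo.txt", b"hello world"),
                      ("docs/budget.xls", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)]:
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    print(to_csv(inventory(build_sample_tree())))
```

The two memo.txt rows come out with the same hash but different paths, which is exactly the information Step 7 (de-duplication) needs attorneys to see rather than have silently collapsed.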
3. Recover deleted data
• Check to see if discovery includes deleted data before going to the trouble
• If it does, try it early
• Copy recovered files to /prep/special
• Preserve directory structure when copying to /prep/special to prevent overwriting files with the same name
• Do a file list with hashes on recovered files as in Step 2
4. Recover slack or unassigned clusters
• Check to see if discovery includes residual data in slack and unassigned clusters
• Extract all slack into /prep/pslack
• Extract unassigned clusters into /prep/pcluster
• Reduce them to text (remove non-text characters)
  – Use the strings utility
• Put results in /review/rslack and /review/rcluster
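What the strings utility does to extracted slack, as an added example (not the lecture's or Casey's code, and not the strings utility itself): it keeps runs of at least four printable characters and drops everything else. This version goes one step beyond the default behaviour of strings and also picks up UTF-16LE runs (what strings does with its -e l option), because Windows applications store most text that way and it would otherwise be lost in the reduction. The slack bytes are constructed here; the function name is this example's own.

```python
import re


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run in data, ordered
    by offset.  ASCII runs: printable 0x20-0x7e plus tab.  UTF-16LE runs: the
    same characters each followed by a NUL byte.  Other control bytes end a run."""
    ascii_run = re.compile(rb"[ -~\t]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[ -~\t]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def reduce_to_text(data, min_len=4):
    """The text-only form that would be written under /review/rslack or
    /review/rcluster: one recovered string per line, binary surroundings gone."""
    return "\n".join(text for _, _, text in extract_strings(data, min_len))


# Constructed slack: leading NULs, an ASCII fragment, junk bytes, a two-letter
# run too short to keep, and a UTF-16LE file name of the kind Windows leaves behind.
SAMPLE_SLACK = (b"\x00\x00Confidential memo draft\xff\x00\x10ab" + b"\x00" * 5
                + "Budget.xls".encode("utf-16-le") + b"\x01\x7f")


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_SLACK):
        print(f"{off:6d} {enc:9s} {text}")
```

Note that the UTF-16LE pattern is alignment sensitive: a string whose first byte sits at an odd offset relative to the start of the scan is still found, since the regex is not anchored to even offsets, but a run broken by a single stray byte is reported as two strings.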
5. Identify and remove known files
• Operating system and application files (known files) can be reduced by their hash values
• Hashkeeper database from NDIC at ftp://ftp.cis.fed.gov/pub/HashKeeper/Docs/HKSum.htm
• NIST's National Software Reference Library at http://www.nsrl.nist.gov/
• Automated tools:
  – FTK and Encase can take Hashkeeper values to filter known files
  – Maresware has compare and hash command line tools that can be used in batch files: http://www.mareswares.com/
6. Remove other unnecessary file types
• Often there are sufficient criteria to rule out particular file types in a case
  – May only need text, not executables
• Run a program to make sure file types match their extensions before ruling out file types
  – Compares the file's internal header info with its extension
• Save extension mismatch files into the /prep/special directory
7. Remove duplicates
• Removing duplicate files is called de-duping
• Attorneys must agree as to what constitutes a duplicate - may not be just identical hash values
• Changes to file name or location may be important
• Important pruning issue when examining several backups
• All remaining files are in /review/rfiles
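Steps 5, 6 and 7 are one pass over the Step 2 file list, and their order is the point: the extension check has to run before any type is ruled out, otherwise an executable renamed to .txt survives the "text only" rule and a document renamed to .exe is thrown away. The following is an added example, not the lecture's or Casey's code and not Hashkeeper, NSRL, FTK, EnCase or Maresware: a small signature table and a constructed known-hash set stand in for those sources, the rows are constructed, and the function names are this example's own. Duplicates are not dropped silently; every path sharing a hash is kept in the output so attorneys can judge whether a name or location difference matters.

```python
import os

# Content signatures for the extensions this example knows about.  A real
# run would use a full signature library; this table is illustrative only.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Word/Excel/PowerPoint container
SIGNATURES = {
    ".doc": [OLE2], ".xls": [OLE2], ".ppt": [OLE2],
    ".pdf": [b"%PDF-"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".zip": [b"PK\x03\x04"],
    ".exe": [b"MZ"], ".dll": [b"MZ"],
}
EXCLUDED_TYPES = {".exe", ".dll"}  # "may only need text, not executables"


def types_matching(head):
    """Extensions whose signature matches the first bytes of the file."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(head.startswith(m) for m in magics)}


def extension_mismatch(path, head):
    """True when the header disagrees with the extension.  An extension with a
    known signature must match it; an extension without one (.txt, no extension)
    is flagged when the header matches some other known type."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SIGNATURES:
        return ext not in types_matching(head)
    return bool(types_matching(head))


def filter_files(rows, known_hashes, excluded_types=EXCLUDED_TYPES):
    """Steps 5-7 in order: known files out; mismatches to /prep/special before
    any type is ruled out; excluded types out; then de-dup by hash, keeping the
    first path seen in rfiles and every path of the group in `duplicates`."""
    out = {"known": [], "special": [], "excluded": [], "rfiles": [], "duplicates": {}}
    first_seen = {}
    for r in rows:
        path, head, digest = r["path"], r["head"], r["sha256"]
        if digest in known_hashes:
            out["known"].append(path)
        elif extension_mismatch(path, head):
            out["special"].append(path)
        elif os.path.splitext(path)[1].lower() in excluded_types:
            out["excluded"].append(path)
        elif digest in first_seen:
            out["duplicates"].setdefault(digest, [first_seen[digest]]).append(path)
        else:
            first_seen[digest] = path
            out["rfiles"].append(path)
    return out


# Constructed rows: path, first bytes of content, and a stand-in hash value.
# "k1" plays the role of a Hashkeeper/NSRL hash for an OS file.
SAMPLE_ROWS = [
    {"path": "WINNT/system32/kernel32.dll", "sha256": "k1", "head": b"MZ\x90\x00"},
    {"path": "docs/report.doc", "sha256": "a1", "head": OLE2 + b"\x00" * 8},
    {"path": "backup/2002/report.doc", "sha256": "a1", "head": OLE2 + b"\x00" * 8},
    {"path": "docs/invoice.txt", "sha256": "b2", "head": b"MZ\x90\x00"},   # executable named .txt
    {"path": "docs/photo.jpg", "sha256": "c3", "head": OLE2},             # document named .jpg
    {"path": "tools/setup.exe", "sha256": "d4", "head": b"MZ\x90"},
    {"path": "docs/notes.txt", "sha256": "e5", "head": b"Meeting notes"},
    {"path": "docs/notes_copy.txt", "sha256": "e5", "head": b"Meeting notes"},
]
KNOWN_HASHES = {"k1"}


if __name__ == "__main__":
    for bucket, paths in filter_files(SAMPLE_ROWS, KNOWN_HASHES).items():
        print(bucket, paths)
```

The two mismatches land in special for different reasons: invoice.txt because a .txt file should not start with an executable header, photo.jpg because a .jpg must start with the JPEG marker and does not. Both are reviewed rather than discarded.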
8. Identify and decrypt encrypted files
• Encrypted data can raise spoliation issues if ignored
• May not be economical to brute-force decrypt
  – Try to get keys from the person who encrypted it
  – Use a password recovery tool like AccessData's Password Recovery Tool Kit (PRT)
• Tools to identify encrypted files:
  – Maresware's ispgp to find PGP encrypted files, PGP keyrings, and PGP signature files
  – AccessData's Forensic Tool Kit (FTK) and PRT identify encrypted data
• Move encrypted files to /prep/special
• Put any successfully decrypted files in /review/converted
9. Extract email and attachments
• Some e-mail apps use proprietary, non-text formats
• E-mail should be extracted and converted to text with its native application and put in /review/converted
• Also extract any attachments and put them in /prep/special
10. Index text data
• The R (review) directories now contain all data to be reviewed by attorneys
  – Attorneys will either do string searches or index-based searches for large collections of data
• Index the entire review directory with a tool like dtSearch from http://www.dtsearch.com
• Review the indexing log after indexing to check for any files that couldn't be indexed
11. Review for content
• Attorneys review and sort files into three categories:
  – Non-responsive: irrelevant to discovery or not requested
  – Responsive: relevant to discovery or to the producing party's case
  – Privileged: relevant, but fall under legal privilege and do not have to be produced
Production
• Organize the records for production (Step 12)
  – Segregate responsive from non-responsive by deleting non-responsive and moving privileged to another directory
  – Bates numbering: sequential numbering scheme traditionally used by attorneys to uniquely label each page of paper documents and other tangible objects for identification during case preparation
• Maresware has a bates_no tool for files: http://www.maresware.com/
• Example:
  – Forensics.doc → Forensics.EC001.doc
  – Lab Expenses.xls → Lab Expenses.EC002.xls
  – Big_Presentation.ppt → Big_Presentation.EC003.ppt
Prepare Production and Privilege Logs
• Production log:
  – Consultant prepares a new list of responsive files with
    • Hash values
    • Bates numbers
  – Combines it with the original file list to get:
    • File name, Bates number, original date and time stamps, file size, path, and hash values for all produced files
• Privilege log:
  – Similar list for privileged files, with the attorneys' description of the legal basis for withholding them
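Step 12 and the two logs above fit in one routine, added here as an example (not the lecture's or Casey's code, and not Maresware's bates_no tool): each responsive file is copied out under its Bates name, the copy is re-hashed, and the new hash is checked against the Step 2 inventory before the production log row is built by joining on the original path, which is what carries the original timestamps, size and path over. Privileged files are logged with the attorneys' stated basis and not copied. The inventory records and files are constructed here; function names and the "EC" prefix follow the slide's example.

```python
import hashlib
import os
import shutil
import tempfile


def bates_name(filename, prefix, number, width=3):
    """Forensics.doc -> Forensics.EC001.doc: the label goes before the extension
    so the produced file still opens in its native application."""
    stem, ext = os.path.splitext(filename)
    return f"{stem}.{prefix}{number:0{width}d}{ext}"


def produce(root, inventory, responsive, privileged, out_dir, prefix="EC", width=3):
    """Copy responsive files (relative paths under root, in the order given)
    into out_dir under Bates names.  `inventory` is the Step 2 list keyed by
    original path.  Returns (production_log, privilege_log).  Raises if a copy's
    hash differs from the inventory record: the file changed between inventory
    and production, which must be investigated, not logged over."""
    production_log, privilege_log = [], []
    os.makedirs(out_dir, exist_ok=True)
    for n, rel in enumerate(responsive, start=1):
        orig = inventory[rel]
        label = bates_name(os.path.basename(rel), prefix, n, width)
        dest = os.path.join(out_dir, label)
        shutil.copyfile(os.path.join(root, *rel.split("/")), dest)
        with open(dest, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if digest != orig["sha256"]:
            raise RuntimeError(f"{rel}: hash differs from the Step 2 inventory")
        production_log.append({"bates": f"{prefix}{n:0{width}d}", "produced_as": label, **orig})
    for rel, basis in privileged.items():
        privilege_log.append({**inventory[rel], "basis": basis})
    return production_log, privilege_log


def build_sample():
    """Constructed /review/rfiles stand-in plus a matching inventory.  Timestamps
    are made up here; in practice they come from the Step 2 list."""
    root = tempfile.mkdtemp(prefix="rfiles_")
    files = {
        "Forensics.doc": b"forensics report body",
        "Lab Expenses.xls": b"lab expenses body",
        "Big_Presentation.ppt": b"presentation body",
        "counsel/advice.doc": b"advice of counsel body",
    }
    inventory = {}
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        inventory[rel] = {
            "path": rel, "name": os.path.basename(rel), "size": len(data),
            "mtime": "2002-11-05T14:02:00Z",  # constructed value
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    return root, inventory


if __name__ == "__main__":
    root, inv = build_sample()
    plog, vlog = produce(root, inv,
                         ["Forensics.doc", "Lab Expenses.xls", "Big_Presentation.ppt"],
                         {"counsel/advice.doc": "attorney-client privilege (constructed basis)"},
                         root + "_production")
    for row in plog:
        print(row["bates"], row["produced_as"], row["sha256"])
    for row in vlog:
        print("WITHHELD", row["path"], row["basis"])
```

Because the production log row is the inventory record plus the Bates fields, anyone holding the distribution media can recompute a produced file's hash and tie it back to the original path and timestamps without needing access to the evidentiary image.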
Prepare Distribution Media
• Copy to CDROM or other media:
  – Bates numbered files
  – Production logs
  – Privilege logs
• Give to attorneys who:
  – Sign the discovery response or initial disclosure statements
  – Serve it on the other parties
References
• Chapter Two, Handbook of Computer Crime Investigation (Eoghan Casey)