in the cloud ediscovery & forensics · 2020. 9. 3. · 4discovery ediscovery & forensics in...

©2020 - 4Discovery

eDiscovery & Forensics in the Cloud

“The Cloud”

2

4DISCOVERY EDISCOVERY & FORENSICS IN THE CLOUD

“The Cloud”

3

● “The Cloud” is just having someone else host an application for you○ You pay a fee for the service/software (SaaS)○ No longer have to purchase hardware, worry about

updates/backups, scalability, networking, etc.○ Higher availability, and you can usually access your

data from anywhere!

● This also typically means that users can log in and access data from any computer anywhere, which makes theft easy

● Availability of accessing logs can be limited and may not contain all the info you need

● This data is discoverable and all the rules of evidence apply


Examples of Cloud Services

4


Cloud on Cloud

5


The Importance of Cloud Data● Flexera 2020 State of the Cloud Report

○ 61% of businesses plan on migrating more workloads to the cloud○ Over half of respondents said COVID is accelerating their use of the cloud

● Almost everything is electronically stored, and the data can show:○ Data Points

■ When employees access systems, edit documents, upload data, export reports from cloud services, etc.

■ Amount of time people spend viewing documents■ IP addresses, failed login attempts, and other important security information

○ Substantive information, admissions■ Emails / Texts – to combat “revisionist history”■ Policies / Practices – official and unofficial ■ Other internal documents

6

How is this Different?

7


Documents Have Changed● When we think of a document, we think of a Microsoft Word

file stored on a computer● Cloud based documents often have to be converted to a

usable format● May contain features that are only available in their native

environment

8


Documents Have Revisions & History● Dates & Metadata Differ - We’re

used to created/modified/accessed dates and Author, Last Printed, Saved, etc…

● Cloud services can have any number of metadata fields, with no standardization

● Documents in the Cloud may have unlimited versions and authors/contributors available

9

Cloud Services and Cloud Data work together, functionality can be reduced when producing.


Storage Has Changed● Computer hard drives and USB storage aren’t everything...

10


Computer and Cloud are Merging

11


Forensics In the Cloud

12


Browsing History

13

● All modern browsers maintain a history of your browsing activity○ Chrome can even sync your browsing history your Google

account● In addition, browsers maintain a “cache”, which can be full

copies of the web pages that you’ve viewed● Microsoft, Chrome, and Firefox all behave differently when it

comes to SSL pages (i.e. 🔒https://…) ○ Cache-Control: no-store/no-cache headers are site specific,

and browsers will handle disk caching differently for each

● Virtually all web browsers now include a “private browsing” mode, that in addition to preventing browsing history from being retained, disables the disk cache entirely.


Mobile Data

14

● All modern mobile devices allow for backups to the Cloud● Call Logs, SMS/MMS, Chats, Internet History, Calls, Calendar

(and more) are all available without access to the device

Collecting & Preserving Cloud Data

15


Scoping & Planning● It all goes back to scope…

○ What do you need?○ Why do you need it?○ What do you need to prove with this data?

● Talk to your vendor about the cloud service you would like to collect from:○ What methods of collection are available?○ What data/fields are available?○ Is the cloud collection “good enough?”○ Is the metadata going to be accurate?○ Is timeliness a factor?○ Do you need a subpoena?

16

Reminder: This data is constantly syncing and changing as users interact with it


Developing A Plan● Lit Holds / Preservation Requests

○ Make sure these are specific and timely● Subpoenas / Discovery Requests

○ Have good definitions○ Ask for specific data over specific timeframes

■ Be ready to articulate a valid reason why you are asking for these items○ The methods that you request and produce Cloud data will vary, update your

protocols to match. ■ i.e. The latest revision of Google Docs will be produced in Word format

● Protocols○ Include an expert!

■ Often, things are agreed upon that are not technically feasible○ Make sure to think about it holistically

■ EDRM

17


Litigation Holds● Cloud data can be subject to a legal hold, just

like any other ESI. Be specific in the types of records and timeframe that you are requesting

● Cloud data and associated logs do not stay around forever, and it can be difficult to do an “in-place hold” on the data.

● Once it’s gone, recovery is usually impossible to retrieve, even through subpoenas

18


Exporting Data● Many platforms have enabled a profile download feature for users

○ Some of these are very similar to productions from Law Enforcement subpoenas○ Require cooperative access to the account to request

● The ability to export data from a service is highly variable○ As the adoption of cloud services has increased, many platforms added profile

download options○ Privacy laws (GDPR, CCPA)○ A few reasons why: to give clients continuity and avoid subpoenas

● Many sources now have an export feature○ i.e. Google Takeout, Facebook Profile Download

● Export may be in raw form but may not be easily readable○ i.e. Slack is in JSON, Gmail is in MBOX with no folders

● Often, it takes extra time and effort to convert them to easily readable forms

19


Cloud Services v Other ESI● Options / Settings

○ The amount of data, and the duration of access may depend on subscription levels (Slack, O365)

○ Office 365 Advanced eDiscovery requires E5 license○ Data Loss Prevention (DLP) and eDiscovery exports in Slack require Enterprise

License● Ownership of Hardware

○ Rather than being on physical media in control of the organization, it is typically stored on hardware that belongs to the service provider

○ You don’t access that hardware for data collection● Data Storage & Access

○ Most Cloud services export data in a “raw” format that requires additionalmanipulation to be usable

20


API’s● Application Programming Interface (API) - Communication protocol between a

client/user and a service. ● Cloud service exposes and defines a method to communicate with a service from a

application or custom program.○ dropbox.listfiles('/Photos/', recursive = True, include_deleted = True)

● API data can go both ways…○ The API may provide you with information that is not visible to the end user○ The service may have features in the software that are not accessible through the

API● Some API’s may not be documented (iCloud) and require tons of research to access

● Depending on the Cloud provider, and what data you are interested in... some custom programming may need to be done

21


Crawl/Capture● You may not have an API, they change all the time● It may be just a collection of web pages

○ Most modern web pages are not static content

● Audio/Video (Click to Play)● Ads & Banners can be different based on cookies and past

browsing history● Interactive Pages requiring User input● Unlimited Scroll Pages

● May require you to capture to PDF of Image format○ Timestamp and Hash for Authentication

22


Deleted Data● We’re not Gods

○ You can’t just email a person at Google to help with your legal issue○ Microsoft has certain data they won’t give you○ Facebook doesn’t take support calls

● Deleted data is not the same in the cloud○ On devices, we typically look at unallocated space and other artifacts

● With cloud data, you are at the mercy of the service provider

23

● Everything isn’t available○ Example: Deleted G Suite Gmail

Messages recoverable within 25 days

● Need to be aware of limitations up front


Collection Gotchas!● You don’t control everything

○ Logs and other important data may not be available● Rate Limiting

○ ZenDesk allows only certain API calls before you get throttled● Data Access & Credentialing

○ Do you have proper access to do the collection?● Two-Factor

○ Can you reach the person you need to contact in a timely fashion?● Encryption

○ WhatsApp/Signal/Wickr and other apps may be more difficult to collect

24

Legal Issues

25


Potential Spoliation● Cloud data doesn’t exist forever

○ Accounts are closed for inactivity○ Accounts are locked○ Accounts are terminated for violating TOS

● Service provider changes○ Did you actually get “everything” before you closed the account?

● Cloud services change… new features are added, old ones are discontinued● Service provider closing / discontinuation of support

○ Remember Yahoo Messenger?!● Loss of Verification/Login Access

○ i.e. new phone number, new email address● Case Study: Yahoo has announced plans to discontinue the vintage chat service on

July 17, 2018.

26


2015 Amendments to FRCP● Rule 37(e)(1) & (2) Spoliation and Curative Measures: Where ESI "that should have

been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery", upon a showing of prejudice a court "may order measures no greater than necessary to cure the prejudice." If the conduct is intentional, a court may (A) "presume that the lost information was unfavorable to the party"; (B) "instruct the jury that it may or must presume the information was unfavorable to the party" (adverse inference / spoliation instruction); or (C) "dismiss the action or enter a default judgment."

27


2018 CLOUD Act● The CLOUD Act amends a U.S. privacy law known as the Stored Communications Act

(SCA), which restricts the disclosure of stored electronic data to third parties, including the U.S. government.

● Requires that certain internet-based service providers subject to U.S. jurisdiction disclose the contents of … an “electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States”

● It explicitly authorizes U.S. law enforcement to obtain data held by U.S. Cloud Service Providers (“CSPs”) regardless of where in the world the data is physically stored.

28


Opposing Data● The easiest way to get access to data in a Cloud

account is through a well crafted discovery request ○ Many Cloud providers have a “takeout” feature

● Cloud accounts… deactivated vs deleted○ Deactivated accounts can be brought back

online at any time○ Deleted accounts may still be able to be

reactivated within a period of time

● Processes exist to gain access to account for deceased Custodians○ A few social media sites allow you to

‘memorialise’ an account

29

Twitter does not currently offer account holders a self-serve method to obtain other, nonpublic information (e.g., IP logs) about their Twitter accounts. If a Twitter user requires his or her non-public account information, please direct the user to request this information directly from Twitter, Inc. by sending an email to [email protected] with subject: Request for Own Account Information; we will respond with further instructions.


Subpoenas● Facebook v. Superior Court of the City and County of San Francisco (2018)

○ Refused the subpoenas, arguing they could not disclose the information under the federal Stored Communications Act. However, the California Supreme Court said there was an exception for "lawful consent" under Section 2702 of the Act.

● Serving Civil Subpoenas on Cloud providers can be difficult, users may be notified

30

● Check the Terms of Service (ToS) and research Law Enforcement guides

● Keep requests limited. You will need a user ID or other unique identifier

Analyzing, Producing, & Reviewing Cloud Data

31


Dealing with Cloud ESI● Office Documents and Email are formats most

people are familiar with

● Cloud data is usually meant to be used with a specific service, the data extracted is typically not in a format that you can just double-click on and review○ See the Slack JSON example to the right

● Your discovery protocols should deal with this… especially if a privilege review is needed or redactions are required

32


Cloud Data and the EDRM● Processing

○ Since some of this data is collected in an unstructured format, it needs to be processed to prepare it for review

● Review & Analysis○ How are you going to ingest the data?○ Are there special considerations for priv review?

● Production○ What format does it need to be in?○ Does this data need to be redacted?○ Do you need load files?

33

So...

34


Takeaways● Nearly every person and company has some data in the Cloud● Cloud data is vastly different than traditional ESI from a computer

○ Formats may need to be converted for usability/review○ Typical metadata fields will need to be changed

● The service provider controls the type and duration of logs that are available○ Get them while you can○ Can be based on your service plan

● The Cloud doesn’t have free/unallocated space where deleted data can be retrieved○ Spoliation can easily happen

● Preserving a computer may not get you all the data/documents● Internet/Browser History can provide clues as to the types of cloud storage being used● Preserve using the API or export functions from the service provider, screen capture as

a last resort● Ensure your discovery protocols are focused and based on reality

35

Chad Gough’s Contact Info

(312) 924-5761

[email protected]

36


About 4Discovery● B2B digital forensics firm that provides organizations and attorneys with digital

forensic, information security, and electronic discovery services.

● Our forensic experts have decades of experience helping attorneys and organizations gain valuable insight from electronic data.

● We have worked on projects of all sizes from imaging and analyzing one phone to imaging and analyzing hundreds of devices across five continents. Our client roster includes government organizations, companies and law firms of every size, and forensic and eDiscovery vendors.

● Clients appreciate our innovative customized solutions as well as our timely response. As a result, most of our new business comes from repeat clients and client referrals.

● Follow our company page on LinkedIn for the lastest advisories, updates, and insights.

37

Rules of Electronic Discovery

38


2015 Amendments to FRCP● Rule 26(b)(1) Proportionality: Requested discovery (including ESI) must be relevant

"and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit."

39


Obligatory Stats & Trends Slide● According to IDG’s 2018 Cloud Computing Survey,

○ 73% of organizations had at least one application in the cloud○ 17% planned to have one within the next 12 months

● According to IDC’s Data Age 2025 report,○ They estimated there are 33 Zettabytes of data across all media types○ They expect it will grow to 175 Zettabytes by 2025○ They expect 49% of this will be in the cloud

● According to Canalys’ Cloud Channel Analysis from April 2019,○ The global worldwide cloud infrastructure service market grew 42% in Q1 2019

40


FRCP● Fed.R.Civ.P. 26(f)(2) (Conference Content; Parties’ Responsibilities): “In conferring, the

parties must... discuss any issues about preserving discoverable information; and develop a proposed discovery plan.”

● Fed.R.Civ.P. 26(f)(3) (Discovery Plan): “A discovery plan must state the parties’ views and proposals on … (C) any issues about disclosure or discovery or preservation of electronically stored information, including the form or forms in which it should be produced.”

41


FRCP● Fed.R.Civ.P. 34(b)(1)(C): “[A] party requesting production of ESI “may specify the

form or forms in which electronically stored information is to be produced.”

● Fed.R.Civ.P. 34(b)(2)(E)(ii): “(i) A party must produce documents as they are kept in the usual course of business or must organize and label them to correspond to the categories in the request; (ii) If a request does not specify a form for producing electronically stored information, a party must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms; and (iii) A party need not produce the same electronically stored information in more than one form.”

42


Inherent Authority● Inherent Authority: The Court also retains discretion to award monetary sanctions

(including costs of bringing matter to Court’s attention), order a permissive spoliation jury instruction, bar the use of evidence, and allowing additional depositions (or re-depositions). See, e.g., Flair Airlines v. Gregor, LLC, 2018 WL 8445779, at * 2 (N.D.Ill. Dec. 14, 2018) (citation omitted) (“courts have the inherent power to impose sanctions against a party or counsel for the failure to preserve or produce documents.”)

43


Northern District of Illinois MIDP● Timing: Must list, describe and identify location of ESI relevant to claims and defenses,

and produce within 40 days after serving initial response○ Continuing duty to supplement within 30 days after information discovered

● Presumptive Format: Unless the parties agree or the Court orders otherwise, a party must produce ESI in the form requested by the receiving party

● Must Confer and Attempt to Agree on ESI Disclosure / Production, including:○ the requirements and limits on the preservation, disclosure, and production of ESI○ appropriate ESI searches, including custodians and search terms, or other use of

technology assisted review; and○ the form in which ESI will be produced

● Resolving Disputes: If the parties are unable to resolve any dispute regarding ESI and seek resolution from the Court, they must present the dispute in a single joint motion or, if the Court directs, in a conference call with the Court. Any joint motion must include the parties’ positions and the separate certification of counsel required under Rule 26(g).

44


Orders Governing ESI● Fed. R. Civ. P. 26(c)(1): The Court can enter a protective order to limit discovery “for

good cause shown ... to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense.”

● Fed. R. Civ. P. 26(b)(2)(B): “A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On motion to compel discovery or for a protective order, the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C).”

45


Orders Governing ESI● Fed. R. Civ. P. 26(b)(2)(C): Once a party makes a showing under Fed. R. Civ. P.

26(b)(2)(B), a court still may allow the discovery if the requesting party shows good cause. However, the Court may still limit the discovery if it is unreasonably cumulative or duplicative, can be obtained from some other source that is more convenient, less burdensome, or less expensive, the party seeking the discovery has had ample opportunity to obtain it, or it is not relevant or is otherwise disproportional to the needs of the case within the meaning of Rule 26(b)(1).

● Exemplars of Protective Order and Order Governing ESI (after Parties have completed substantial work). City of Rockford v. Mallinckrodt ARD Inc., 326 F.R.D. 489 (N.D.Ill. 2018); Kleen Products, LLC v. Packaging Corp. of America, 2012 WL 4498465, at *19 (N.D.Ill. Sept. 28, 2012).

46


The Importance of eDiscovery● Why is ESI Discovery (eDiscovery) so critical in employment cases?

● Almost everything is electronically stored, and the data can show:○ Data Points

■ When employees clock-in and out, input certain data, enter certain areas (i.e., badge swipes), perform certain tasks

■ Amount of time employees are clocked-in and out (exact and averages)■ Does employer include commissions/bonuses in overtime rate?■ Extrapolate / Statistical significance

○ Substantive information, admissions■ Emails / Texts – to combat “revisionist history”■ Policies / practices – official and unofficial ■ Other internal documents

47


The Importance of eDiscovery● Because of what the data does not show (examples from pay disparity, wage cases)

○ Employer doesn’t track reasons for starting pay (pay disparity)○ Employer doesn’t establish basis for classification as exempt○ Employer doesn’t record all time worked (off-the-clock and misclassification)○ Data is inaccurate or unreliable (multiple clock-ins on same date, employees

clocking out before clocking in, employees clocking-in before entering workplace) ○ Data goes back only a certain amount of time○ Data cuts off after a certain amount of time or has gaps○ Data shows ongoing, uncorrected issues (future claims)○ Data is otherwise incomplete

48


The Importance of eDiscovery● Because of less obvious information the data may show (not just data itself, but how

data is maintained)○ To show data holder passed responsibility for inputting, processing or maintaining

data to third-parties○ To show data holder is capable of doing it properly (ex: employer tracks other

employees properly, employer pays other employees properly, employer’s system has the capability of tracking all time worked)

○ To show data holder did things differently in past○ To show data holder is sophisticated/knowledgeable (to show willfulness, lack of

good faith)○ To show data holder is negligently, recklessly or deliberately using an archaic

system ○ To force change (injunctive relief) or prove successful result (force a “voluntary”

change)

49


The Importance of eDiscovery● Because of even less obvious information the data may show

○ Evidence of other claims (related or otherwise)○ Often happens when data originates or is stored in multiple locations: (1)

inconsistencies; (2) disorganization; and (3) other wrongdoing ○ Data can be used in ways other than you think (i.e. employer has no time records

but has mileage data; can calculate unpaid time based on mileage)○ Data reveals evidence of other violations (i.e., employer don’t track pay by

gender, so potential CFA/Title VII claims)○ If employer not in total control of data, it can give rise to issues:

■ Joint employers (violations of joint employer are violations of all) ■ Independent contractors (same)■ Vendors (same)

○ Even when third-parties certify or assure compliance with applicable laws, that doesn’t bind employees. May result in litigation with former colleagues, business partners, etc.

50