Lecture 5: Disclosure and Production of Electronic Records 6/9/2003 CSCE 590 Summer 2003


Page 1: Lecture 5:  Disclosure and Production of Electronic Records

Lecture 5: Disclosure and Production of Electronic Records

6/9/2003

CSCE 590

Summer 2003

Page 2

Initial Disclosure

• Amendments to the Federal Rules of Civil Procedure have established mandatory initial disclosure, in which all parties have to provide, early in litigation, a copy of, or a description by category or location of, all documents, data compilations, and tangible things that are in the possession, custody, or control of the party and any evidence that the disclosing party may use to support its claims or defenses.

Page 3

Civil Discovery

• Civil discovery is the formal means by which parties in a lawsuit gather arguably relevant information from other parties in the lawsuit. Litigants can also obtain information from parties who are not litigants.

Page 4

Discovery

• Can be expensive

• Information does not have to be admissible as evidence
– Could be for the purpose of leading to admissible evidence

• Don't have to prove in court that you need it
– Just request it
– No 'probable cause' like in criminal cases

Page 5

Discovery Vehicles

• Depositions: taking sworn testimony outside of court, in front of court reporter

• Interrogatories: written questions soliciting specific written answers

• Request for production of written documents: used to inspect things in custody or control of another party

• Subpoenas duces tecum: compels non-parties to make their stuff available for inspection

Page 6

Four Phases to Producing

• Identification: identify all pertinent records

• Preservation: take affirmative steps to preserve the records and avoid spoliation

• Filtering: review the records to determine what is responsive and must be identified or produced

• Production: finally makes the records available, or produces them

Page 7

Identification: Determine What is Needed

• Preparation for initial disclosure
– Determine what records the producing party might use to support its case or defense
– Break down claims and defenses into their legal elements
– Determine what facts they must prove to prevail

• In responding to discovery requests:
– Requests are usually very broad (sometimes to drive up your cost of producing)
– Determine the precise records that would satisfy the requests

Page 8

Identification: Determine What the Producing Party Has

• Electronic evidence consultant helps by asking producing party questions that make it consider:
– All categories of records the producing party generates or maintains in the course of business
– Kinds of records its IT is intended to generate or store

• Interviews of management, computer staff, and key individuals to get this info
– Sample questions pages 24-25

Page 9

Cast Your Net Widely During Identification

• Do not limit the scope of your investigation
– May miss something they are requesting
– Or miss something that could help your case

• Don't forget computer generated evidence
– Logs, registry files, config files
– Can corroborate user generated records (emails, documents, etc)

• In the end, attorney must sign the initial disclosure or discovery response to certify
– She thinks it is complete (disclosure)
– Or consistent with court rules (discovery)

Page 10

Anticipate Problems Producing Data

• Discovery rules allow parties to withhold records containing privileged communications
– HR records, customer info, trade secrets, proprietary info licensed from 3rd parties, etc

• Also trial preparation materials

• Don't want these to get into public record or even to be revealed at all in some cases

Page 11

Anticipate Problems Gaining Access to Data

• Data stored off-site
– Employees using home computers and employer may not even know about it

• Encryption
– Someone forgets password or leaves company

• Obsolete or missing hardware or software
– Reading old backup tapes

Page 12

Consider Costs of Producing

• Estimate probable costs of preserving, reviewing, and producing

• Helps producing party better manage discovery and the litigation

• Excessive cost - can motion to limit discovery or shift costs onto party seeking the discovery

• Consultant can state estimated cost in an affidavit or declaration

• Could be used to help decide a settlement value of the case

Page 13

Consider the Cost of Failure

• Monetary sanctions

• May not allow offending party to enter certain evidence

• May allow certain factual issues to be presumed against the offending party

• Court can dismiss claims or defenses

• Enter a default judgment against a party failing to comply

• Spoliation of evidence: the destruction or significant alteration of evidence - not just intentional, but includes failure to preserve also
– Spoliation is a big problem with electronic evidence

Page 14

Preservation

• Preserve media rather than files
– Helps preserve files that may be of later interest
– Preserves time stamps
– Preserves residual or deleted data
– Preserves corroborating evidence

• First order of business - prevent harm
– Immediately take media out of service
– Backup media in backup pools to prevent re-use
– Hard drives - bit by bit copy, put copy back into production to avoid business interruption, keep original

Page 15

Evidentiary Images

• Evidentiary duplicate - exact bit for bit copy of media onto like media

• Evidentiary image - bit for bit image of original media into one or more files

• Use the images or duplicates for analysis, examinations, or data recovery efforts

• Normal disk copying or backup programs only copy files the file system recognizes

• Physically write protect media (like tapes and floppies) when possible

Page 16

Survey the Terrain

• Connect information collected in identification stage with the specific hardware to which it applies

• Helps identify what needs to be imaged - which of the mail server's disks, etc

• Sample questions to develop a detailed catalogue to link sources of data to specific hardware to be examined on pages 34-35

Page 17

Preparing Evidentiary Images

• Make sure where you are placing duplicate is forensically cleaned

• Imaging process should not change the original evidence

• Process used to create the evidentiary image must result in an image or duplicate that allows an accurate and complete review of everything that existed, in the way it existed, on the original medium

• Chain of custody still applies

• Store where there is no unauthorized access
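As an added example (not the lecture's or the handbook's code), here is a Python acquisition-and-verification routine that illustrates the requirements on this slide and the previous one: the source is opened read-only (a hardware write blocker is still what keeps the operating system from touching the original), the hash is computed from the byte stream as it is read and written, and afterwards both the image and the original are re-hashed so the three values can be compared and recorded in the chain-of-custody notes. SHA-256 is this example's choice of algorithm; the 3 MiB source it builds is a constructed temporary file, not a device.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read; the same stream is hashed and written


def hash_file(path):
    """SHA-256 of a file read in CHUNK-sized pieces (the slides do not name an
    algorithm; SHA-256 is this example's choice)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Write a bit-for-bit image of source_path to image_path. The source is
    opened read-only and never written; the hash is taken from the bytes as
    they are read, so it describes exactly what was acquired. Returns the hash."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the target medium
    return h.hexdigest()


def verify_image(source_path, image_path, acquisition_hash):
    """Re-hash the image and re-hash the original; all three values must agree.
    A mismatch means the image is not an exact duplicate, or the original
    changed between acquisition and verification. The returned record is the
    kind of entry that belongs in the chain-of-custody notes."""
    image_hash = hash_file(image_path)
    source_hash_after = hash_file(source_path)
    return {
        "acquisition_hash": acquisition_hash,
        "image_hash": image_hash,
        "source_hash_after": source_hash_after,
        "source_size": os.path.getsize(source_path),
        "image_size": os.path.getsize(image_path),
        "verified": acquisition_hash == image_hash == source_hash_after,
    }


def make_sample_source(size_mib=3):
    """Constructed stand-in for a small piece of media: a temporary file of
    deterministic bytes spanning several CHUNKs. Not real evidence."""
    path = os.path.join(tempfile.mkdtemp(prefix="media_"), "source.bin")
    pattern = bytes(range(256)) * 4096  # exactly 1 MiB
    with open(path, "wb") as fh:
        for _ in range(size_mib):
            fh.write(pattern)
    return path


if __name__ == "__main__":
    src = make_sample_source()
    img = src + ".dd"
    acq = acquire_image(src, img)
    print(verify_image(src, img, acq))
```

The verification step deliberately re-reads the original rather than trusting the hash taken during acquisition: if the source hash taken afterwards differs from the acquisition hash, the medium changed underneath the imaging process, which is exactly the situation the slide says must not happen.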

Page 18

Filtering

• Attorneys do this, especially with privileged materials

• Consultant has 3 goals in filtering
– Facilitate attorney's review of records by making them readable
– Reduce data attorney must review
– Gather info about records that can be later used to identify and organize records

Page 19

Sample Filtering Process Using Following Directory Structure

/prep files requiring further processing

/prep/special recovered, encrypted, e-mail source files

/prep/pslack extracted slack

/prep/pcluster extracted unassigned clusters

/review data ready to be indexed for attorney review

/review/rfiles unprocessed, unaltered files after data reduction

/review/rslack reduced slack, text only

/review/rcluster reduced unassigned clusters, text only

/review/converted recovered deleted files, encrypted files, extracted e-mail; no data in original form

Page 20

Standard Data Filtering Steps

1. Access or restore evidentiary image files and restore backup tapes

• Some software will verify as it restores

• May need a system configured exactly like the original to use backup software to restore backup tapes

• Backup software may have changed timestamps of backed up files when they were written to tape

Page 21

2. Generate file lists with hash values and other info about files

• Capture this info before any filtering or access of files takes place (and changes access timestamps) to use as a reference later:
– Long and short file names
– Extensions
– Last written or modified dates and times
– Created dates and times if available
– Last access dates and times if available
– Logical sizes
– File paths
– File hash values
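An added example for Step 2, written for this page rather than taken from the lecture or the Casey handbook: a Python inventory script that walks a restored image directory and records, for every regular file, its long name, extension, size, timestamps and hash. It calls stat() before opening each file, so the recorded last-access time is the pre-review value that the slide warns about losing. SHA-256 is an assumption (the slide only says "hash values"); short 8.3 names are not exposed by Python's os module and are left out; the two-file sample directory it builds is constructed data.

```python
import csv
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumption: SHA-256 for the hash column; the slides only say "hash values".
HASH_ALGO = "sha256"
FIELDS = ["path", "name", "extension", "size", "created", "modified",
          "accessed", HASH_ALGO]


def _iso(ts):
    """Render a POSIX timestamp as an ISO-8601 UTC string (None stays None)."""
    return None if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def inventory_file(path):
    """Build one inventory record. stat() is called BEFORE the file is opened,
    so the recorded last-access time is the one that existed before our review
    touched the file; reading the content afterwards may update atime."""
    st = os.stat(path)
    # Creation time is only available on some platforms (st_birthtime on
    # macOS/BSD, st_ctime on Windows); on Linux st_ctime is the inode change time.
    created = getattr(st, "st_birthtime", None)
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return {
        "path": path,
        "name": os.path.basename(path),
        "extension": os.path.splitext(path)[1].lower(),
        "size": st.st_size,
        "created": _iso(created),
        "modified": _iso(st.st_mtime),
        "accessed": _iso(st.st_atime),
        HASH_ALGO: h.hexdigest(),
    }


def inventory_tree(root):
    """One record per regular file under root (symlinks skipped), sorted by
    path so two runs over the same image produce the same list."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                records.append(inventory_file(full))
    records.sort(key=lambda r: r["path"])
    return records


def write_inventory_csv(records, out_path):
    """Persist the reference list; it is consulted again in the later filtering
    steps and when the production log is assembled."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(records)
    return out_path


def build_sample_tree():
    """Constructed sample data, not evidence: a throwaway directory with two
    files so the inventory can be exercised offline."""
    root = tempfile.mkdtemp(prefix="restored_image_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "memo.txt"), "wb") as fh:
        fh.write(b"quarterly memo, constructed sample\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    recs = inventory_tree(sample_root)
    print(write_inventory_csv(recs, os.path.join(sample_root, "filelist.csv")))
    for r in recs:
        print(r["size"], r[HASH_ALGO][:16], r["path"])
```

In practice the list is generated against a read-only mount of the image; the point of the stat-before-open ordering is that the CSV then holds access times as they were on the original medium, which is what the slide means by capturing the information "before any filtering or access of files takes place".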

Page 22

3. Recover deleted data

• Check to see if discovery includes deleted data before going to the trouble

• If it does, try it early

• Copy recovered files to /prep/special

• Preserve directory structure when copying to /prep/special to prevent overwriting files with the same name

• Do a file list with hashes on recovered files as in Step 2

Page 23

4. Recover slack or unassigned clusters

• Check to see if discovery includes residual data in slack and unassigned clusters

• Extract all slack into /prep/pslack

• Extract unassigned clusters into /prep/pclusters

• Reduce them to text (remove non-text characters)
– Use strings utility

• Put results in /review/rslack and /review/rclusters
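As an added example (not part of the lecture), a Python equivalent of the strings pass for Step 4. It keeps runs of four or more printable characters, the same default as the strings utility, and additionally recovers little-endian UTF-16 text, which slack from Windows systems often contains and which an ASCII-only strings run silently skips. The sample slack bytes are constructed; the /prep and /review paths mentioned in the comments are the slide's own.

```python
import os
import re

MIN_RUN = 4  # same default minimum length as the strings utility

# Printable ASCII plus tab/CR/LF, so line structure in recovered text survives.
ASCII_RUN = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % MIN_RUN)
# Little-endian UTF-16 text (each ASCII character followed by a NUL byte) is
# common in slack from Windows systems and is invisible to an ASCII-only pass;
# this mirrors what `strings -e l` looks for.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_RUN)


def reduce_to_text(blob):
    """Return (ascii_runs, utf16le_runs): every printable run of MIN_RUN or
    more characters found in the raw bytes. Everything else is discarded."""
    ascii_runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    wide_runs = [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(blob)]
    return ascii_runs, wide_runs


def reduce_file(src_path, dst_path):
    """Reduce one extracted slack/cluster file (e.g. under /prep/pslack) to
    text and write it (e.g. under /review/rslack). Returns the number of runs kept."""
    with open(src_path, "rb") as fh:
        blob = fh.read()
    ascii_runs, wide_runs = reduce_to_text(blob)
    os.makedirs(os.path.dirname(dst_path) or ".", exist_ok=True)
    with open(dst_path, "w", encoding="utf-8") as out:
        for run in ascii_runs + wide_runs:
            out.write(run.rstrip("\r\n") + "\n")
    return len(ascii_runs) + len(wide_runs)


# Constructed sample slack: binary padding, an ASCII fragment, a UTF-16LE
# fragment, and a two-character run that is too short to keep.
SAMPLE_SLACK = (
    b"\x00\x00\x00"
    + b"Invoice 4471 overdue"
    + b"\xff\xfe\x00\x03"
    + "Budget".encode("utf-16-le")
    + b"\x00\x00"
    + b"ab"
    + b"\x90\x90\x90"
)

if __name__ == "__main__":
    a, w = reduce_to_text(SAMPLE_SLACK)
    print("ascii:", a)
    print("utf-16le:", w)
```

Because the review copy is text only, the reduced file loses the offsets of each run within the slack; keep the /prep/pslack extraction alongside it so a hit found by the attorneys' search can be traced back to the raw bytes.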

Page 24

5. Identify and remove known files

• Operating system and application files (known files) can be reduced by their hash values

• Hashkeeper database from NDIC at ftp://ftp.cis.fed.gov/pub/HashKeeper/Docs/HKSum.htm

• NIST's National Software Reference Library at http://www.nsrl.nist.gov/

• Automated tools:
– FTK and Encase can take Hashkeeper values to filter known files
– Maresware has compare and hash command line tools that can be used in batch files http://www.mareswares.com/

Page 25

6. Remove other unnecessary file types

• Often there are sufficient criteria to rule out particular file types in a case
– May only need text, not executables

• Run program to make sure file types match their extensions before ruling out file types
– Compares file's internal header info with extension

• Save extension mismatch files into /prep/special directory

Page 26

7. Remove duplicates

• Removing duplicate files is called de-dupping

• Attorneys must agree as to what constitutes a duplicate – may not be just identical hash values

• Changes to file name or location may be important

• Important pruning issue when examining several backups

• All remaining files are in /review/rfiles
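The following Python block is an added example covering Steps 5 to 7 together; it is not the lecture's code and does not use any of the tools the slides name. A one-entry known-file set stands in for Hashkeeper/NSRL (the entry is constructed), a small table of real file-header signatures implements the header-versus-extension check, and duplicates are detected by hash while the dropped path is recorded next to the copy that was kept, since the slide notes that name and location changes may matter. The five inventory records are constructed.

```python
import hashlib
import os


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a Hashkeeper/NSRL known-file set (hash -> product).
# Real reference sets come from NDIC/NIST; the entry below is made up here.
KNOWN_OS_FILE = b"constructed contents of a standard OS library\n"
KNOWN_FILES = {sha256_hex(KNOWN_OS_FILE): "Constructed OS 1.0 / libfoo.dll"}

# File-header signatures for the Step 6 check. The magic numbers are real;
# the table only covers the types needed for the sample below.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound document
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".ppt": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".exe": (b"MZ",),
    ".zip": (b"PK\x03\x04",),
}


def header_matches_extension(path, head):
    """True when the extension is unknown to MAGIC (nothing to check) or the
    file's leading bytes carry one of the signatures expected for it."""
    ext = os.path.splitext(path)[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return True
    return any(head.startswith(sig) for sig in sigs)


def filter_records(records):
    """Apply Steps 5-7 to inventory records ({'path', 'content'}) in input order.
    Returns which records go where:
      known      - hash in the reference set, dropped (Step 5)
      mismatch   - header disagrees with extension, to /prep/special (Step 6)
      duplicates - (dropped path, path of the copy kept), so renames and moves
                   stay visible even though the content is produced once (Step 7)
      review     - everything else, to /review/rfiles
    """
    result = {"known": [], "mismatch": [], "duplicates": [], "review": []}
    seen = {}  # hash -> path of the first copy kept
    for rec in records:
        digest = sha256_hex(rec["content"])
        if digest in KNOWN_FILES:
            result["known"].append(rec)
            continue
        if not header_matches_extension(rec["path"], rec["content"][:16]):
            result["mismatch"].append(rec)
            continue
        if digest in seen:
            result["duplicates"].append((rec["path"], seen[digest]))
            continue
        seen[digest] = rec["path"]
        result["review"].append(rec)
    return result


# Constructed sample inventory: the content bytes stand in for files on a
# restored image. budget.xls is an executable renamed to look like a spreadsheet.
PDF_BYTES = b"%PDF-1.4\n% constructed report\n"
SAMPLE_RECORDS = [
    {"path": "C:/Windows/System32/libfoo.dll", "content": KNOWN_OS_FILE},
    {"path": "C:/Users/a/Documents/report.pdf", "content": PDF_BYTES},
    {"path": "C:/Users/a/Documents/budget.xls", "content": b"MZ\x90\x00 constructed"},
    {"path": "C:/Users/a/Desktop/Copy of report.pdf", "content": PDF_BYTES},
    {"path": "C:/Users/a/notes.txt", "content": b"plain text, no header check\n"},
]

if __name__ == "__main__":
    out = filter_records(SAMPLE_RECORDS)
    for bucket, items in out.items():
        print(bucket, items if bucket == "duplicates" else [r["path"] for r in items])
```

The order of the three checks matters: the known-file test runs first because a reference set covers exactly the files nobody needs to review, the header check runs before de-duplication so a mislabelled file is never silently folded into a "duplicate" of a legitimate one, and de-duplication is applied last and keeps the first copy seen, which is why the records should be fed in a stable order (for example the sorted Step 2 list).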

Page 27

8. Identify and decrypt encrypted files

• Encrypted data can raise spoliation issues if ignored

• May not be economical to brute-force decrypt
– Try to get keys from person who encrypted it
– Use a password recovery tool like AccessData's Password Recovery Tool Kit (PRT)

• Tools to identify encrypted files:
– Maresware's ispgp to find PGP encrypted files, PGP keyrings, and PGP signature files
– AccessData's Forensic Tool Kit (FTK) and PRT identify encrypted data

• Move encrypted files to /prep/special

• Put any successfully decrypted files in /review/converted

Page 28

9. Extract email and attachments

• Some e-mail apps use proprietary formats, non-text

• E-mail should be extracted and converted to text with their native applications and put in /review/converted

• Also extract any attachments and put in /prep/special

Page 29

10. Index text data

• The R (review) directories now contain all data to be reviewed by attorneys
– Attorneys will either do string searches or index-based searches for large collections of data

• Index entire review directory with a tool like dtSearch from http://www.dtsearch.com

• Review indexing log after indexing to check for any files that couldn’t be indexed

Page 30

11. Review for content

• Attorneys review and sort files into three categories:
– Non-responsive: irrelevant to discovery or not requested
– Responsive: relevant to discovery or to the producing party's case
– Privileged: relevant, but fall under legal privilege and do not have to be produced

Page 31

Production

• Organize the records for production (Step 12)
– Segregate responsive from non-responsive by deleting non-responsive and moving privileged to another directory
– Bates numbering: sequential numbering scheme traditionally used by attorneys to uniquely label each page of paper documents and other tangible objects for identification during case preparation

• Maresware has bates_no tool for files http://www.maresware.com/

• Example:
– Forensics.doc → Forensics.EC001.doc
– Lab Expenses.xls → Lab Expenses.EC002.xls
– Big_Presentation.ppt → Big_Presentation.EC003.ppt

Page 32

Prepare Production and Privilege Logs

• Production log:
– Consultant prepares new list of responsive files with:
• Hash values
• Bates numbers
– Combines with original file list to get:
• File name, Bates number, original date and time stamps, file size, path, and hash values for all produced files

• Privilege log:
– Similar list for privileged files with attorneys' description of the legal basis for withholding them
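An added example (not from the lecture, and not Maresware's bates_no) implementing in Python the Bates naming scheme of the previous slide and the production and privilege logs described above: labels are assigned in order and inserted before the file extension exactly as in the slide's three examples, then joined back to the Step 2 inventory on path so each produced file carries its original name, timestamp, size, path and hash. The inventory, timestamps, sizes, hashes and the privilege basis are constructed placeholders.

```python
import csv
import io
import os


def bates_label(prefix, seq, width=3):
    """Sequential label such as EC001 (prefix and width follow the slide's example)."""
    return f"{prefix}{seq:0{width}d}"


def bates_name(filename, label):
    """Insert the label before the extension: Forensics.doc -> Forensics.EC001.doc."""
    stem, ext = os.path.splitext(filename)
    return f"{stem}.{label}{ext}"


def assign_bates(paths, prefix="EC", start=1):
    """Number responsive files in the given order. Returns {path: (label, produced_name)}."""
    labels = {}
    for n, path in enumerate(paths, start):
        label = bates_label(prefix, n)
        labels[path] = (label, bates_name(os.path.basename(path), label))
    return labels


def production_log(inventory, labels):
    """Join the Bates assignments with the Step 2 inventory (matched on path)
    so each produced file carries its original name, timestamp, size, path and hash."""
    by_path = {r["path"]: r for r in inventory}
    rows = []
    for path, (label, produced_name) in labels.items():
        r = by_path[path]
        rows.append({
            "file_name": r["name"], "bates_number": label, "produced_as": produced_name,
            "modified": r["modified"], "size": r["size"], "path": r["path"],
            "sha256": r["sha256"],
        })
    return rows


def privilege_log(inventory, withheld):
    """Same columns as the production log plus the attorneys' stated basis for
    withholding; withheld is {path: basis}."""
    by_path = {r["path"]: r for r in inventory}
    return [
        {"file_name": by_path[p]["name"], "modified": by_path[p]["modified"],
         "size": by_path[p]["size"], "path": p, "sha256": by_path[p]["sha256"],
         "basis": basis}
        for p, basis in withheld.items()
    ]


def to_csv(rows):
    """Render log rows as CSV text for the distribution media."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed inventory using the slide's three example file names plus one
# privileged file; timestamps, sizes and hashes are placeholders, not real values.
SAMPLE_INVENTORY = [
    {"name": "Forensics.doc", "path": "/review/rfiles/Forensics.doc",
     "modified": "2003-05-01T09:15:00+00:00", "size": 40960, "sha256": "a1" * 32},
    {"name": "Lab Expenses.xls", "path": "/review/rfiles/Lab Expenses.xls",
     "modified": "2003-05-02T14:02:00+00:00", "size": 18432, "sha256": "b2" * 32},
    {"name": "Big_Presentation.ppt", "path": "/review/rfiles/Big_Presentation.ppt",
     "modified": "2003-05-03T16:40:00+00:00", "size": 655360, "sha256": "c3" * 32},
    {"name": "counsel_memo.doc", "path": "/review/privileged/counsel_memo.doc",
     "modified": "2003-05-04T11:00:00+00:00", "size": 22528, "sha256": "d4" * 32},
]

if __name__ == "__main__":
    responsive = [r["path"] for r in SAMPLE_INVENTORY if "/rfiles/" in r["path"]]
    labels = assign_bates(responsive)
    print(to_csv(production_log(SAMPLE_INVENTORY, labels)))
    withheld = {"/review/privileged/counsel_memo.doc": "constructed placeholder basis"}
    print(to_csv(privilege_log(SAMPLE_INVENTORY, withheld)))
```

The hash in each log row is the one recorded in Step 2, before any review; the Bates-renamed copy on the distribution media has identical content, so the receiving party can hash it and match it to the log line without depending on the changed file name.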

Page 33

Prepare Distribution Media

• Copy to CDROM or other media:
– Bates numbered files
– Production logs
– Privilege logs

• Give to attorneys who:
– Sign discovery response or initial disclosure statements
– Serve it on the other parties

Page 34

References

• Chapter Two, Handbook of Computer Crime Investigation (Eoghan Casey)