You Lost Me at Gigabyte: Electronic Forensic Protocols and Working with Computer Forensic Examiners
Texas Bar Webinar - May 17, 2016
Craig Ball, John T. Myers, and Kasi Chadwick
What we will Cover…
Overview
• Drafting and execution of electronic forensic protocols.
• We will walk through the lifecycle of a protocol.
• Best practices for completing a forensic examination.
What is an Electronic Forensic Protocol?
• An electronic forensic protocol is a set of procedures through which the harvesting, review, and (sometimes) the destruction of electronic content is conducted.
• Agreed forensic protocols can be drafted pursuant to Rule 11 of the Texas Rules of Civil Procedure and/or in conjunction with injunctive relief.
• Alternatively, court-ordered forensic discovery can be issued—generally to remedy discovery abuses.
• Be careful when seeking to deploy a found or form protocol.
• Each case presents unique considerations for forensic assessment.
• Each requires a protocol tailored to the needs, sources, parties and risks attendant to the matter.
Why an Electronic Forensic Protocol?
Agreed Forensic Protocol
• Generally speaking, executing an agreed forensic protocol is a way to fast-track the discovery processes.
• Provides a mechanism through which the parties may expeditiously locate and collect allegedly misappropriated data.
Court Ordered Forensic Protocol
• Provides a way to access data that has not been produced through discovery.
Agreed and Court-Ordered Forensic Protocols
In re Weekley Homes, L.P.
• Alleged discovery abuse → Trial court ordered a forensic protocol
• In re Weekley Protocol:
– Four forensic experts identified.
– Experts to take an evidentiary image of the hard drives in question using “procedures that is generally acceptable as forensically sound.”
– From the images, experts would search for deleted emails from the relevant year using specified search terms.
– Owner of data then had opportunity to review the responsive data.
– Responsive data was to be provided to requesting party.
• Responding party sought mandamus relief.
In re Weekley Homes, L.P.
• Supreme Court concluded the trial court abused its discretion.
• Made this finding because the requesting party’s “conclusory statements that the deleted emails it seeks ‘must exist’ and that deleted emails are in some cases recoverable is not enough to justify the highly intrusive method of discovery the trial court ordered…”
• In order to obtain a court-ordered forensic protocol, more must be shown.
• Case-by-case analysis.
In re Weekley Homes, L.P. - Dicta
• The Supreme Court contrasted their decision with In re Honza, 242 S.W.3d 578, 583 (Tex. App.—Waco 2008).
• The Supreme Court distinguished In re Weekley from Honza:
– Honza sought forensic review to obtain the metadata for a document. No question of document’s existence.
– There was a direct relationship between the hard drives sought and the plaintiff’s claims.
– There was extensive testimony as to the forensic expert’s experience and qualifications prior to granting the forensic review.
Legal Standard for Court-Ordered Electronic Forensic Protocols
In re Weekley Homes, L.P.
• Per Rule 196.4 of the Texas Rules of Civil Procedure:
• Employing Rule 196.4, the In re Weekley court outlined the legal standard for a court-ordered electronic forensic examination sought to remedy an alleged discovery abuse.
Agreed Forensic Protocols
• If the parties agree to execute an agreed forensic protocol, there is more freedom to craft the review.
Selecting Your Forensic Expert
• Selecting a qualified forensic expert is critical.
– Qualified and experienced forensic experts help ensure proper collections and processing of data.
– In the world of forensics, there are many ways to skin the cat.
– Using an inexperienced expert can cause omissions of critical evidence—and in some cases—destruction of the evidence altogether.
• Per In re Weekley, your expert’s credentials are important in obtaining a court-ordered forensic protocol.
Selecting Your Forensic Expert
• Important to involve forensic expert as early in process as possible. Protocols put in place without expertise often create unrealistic expectations with respect to the practical limits of forensic analysis. You can't order an examiner to fly.
• Optimum outcomes are achieved using a neutral examiner, abetted by input and consensus from partisan experts from each side.
• Clear delineation of examiner's ethical responsibilities is essential. Obligations to Court and opposing party should be made manifest, where applicable, to avoid inherent conflicts.
Selecting Your Forensic Examiner
• No company is skilled at digital forensics. Examiners are individuals, and no affiliation guarantees competency. Look closely at the examiner, not the company.
• Referrals from colleagues helpful.
• Know what licensure requirements apply to the examiner.
• Examiners should be experienced in writing intelligible reports.
Costs
• Be sure it is crystal clear who must pay the examiner and by what date. No contingent fees ever.
• Set interim reporting requirements with reasonable limits on time and cost. Do not let yourself be surprised by the cost.
• Generally, the requesting party will pay.
What are we Examining?
• How will target information be identified?
• We need to consider:
– The potential custodians of information,
– What types of files will be extracted, and
– How the potentially responsive data will be culled for review.
What are we Examining?
• Where is the target information kept?
• While forensic examinations of cell phones and cloud-based accounts do not normally produce reviewable documents, these extractions can provide important clues to the rest of the puzzle.
What are we Examining?
• The easy targets:
– Computers (personal and company devices)
– External storage devices
• The more complex:
– Cell phones
– Cloud-based storage systems (e.g. cloud-based e-mail accounts, DropBox)
How will we be Examining?
Methodologies
• Specific methodologies should be agreed upon, where feasible; else, range of and limits upon investigator's discretion must be expressly addressed in the protocol.
What will be Pulled from the Target Devices?
• Question: What is the universe of data to be extracted?
• Will the forensic expert be harvesting:
– Active Files (e.g. .docs, .pdfs, .xls)
– Deleted file identification
– Device connection log
– Internet Artifacts
What will be Provided to the Requesting Party?
• Once the universe of data to be harvested is defined, the next important consideration is how identified files will be reviewed by the parties.
• Many experts believe that, absent gross misconduct, a party and a partisan examiner should not be afforded direct access to an opponent's ESI and devices absent agreement of the parties.
Two Approaches
Inclusive
– Entire file listing/extraction with all personal/privileged data removed produced to both parties.
Culled
– Require requesting party to propose search terms to cull data prior to production of file listings.
Additional Front-End Drafting Considerations
Additional Considerations to be Decided Before Execution
• Who will hold the devices while the protocol is executed?
– For how long will the devices be sequestered?
– How will the devices be kept secure?
• How will the forensic images be maintained?
• Confidentiality?
– Confidential designations?
– AEO designations?
Additional Considerations to be Decided Before Execution
• Consider an iterative process to keep the case moving forward. A few key issues examined first, then a few more. Don't boil the ocean.
• Address whether the examiner can assess the integrity of the evidence. If the digital books have been cooked (e.g., drives swapped, wrong machine supplied, drive wiping seen, etc.), can the examiner address this as a threshold matter?
Harvesting the Data from the Target Devices
• After the protocol is executed by the parties, the forensic expert’s work comes into play.
• Selecting the right expert is critical.
– There are a number of tools forensic experts can use. The forensic expert’s expertise is important here.
• Example: Different data extraction programs work best on different devices.
– Incorrect collection methods or incorrect tools can destroy critical metadata (e.g. creation date, last accessed date).
Data Review
Review of Target Information
• File listings and extractions are generally produced in .xls format.
• Listings can be thousands of pages long.
• .xls proficiency is critical.
• Most time-intensive activity.
Review of Target Information
• Spreadsheets of extracted metadata are increasingly ill-suited as a form of production for review because of row limitations.
• 1,048,576+ Excel rows sound like a lot until you realize that more than that number of discrete items are routinely seen on a single device (after processing compressed and container files).
• Alternatives?
What are we Reviewing?
With the careful review of a listing or extraction, we can see:
• Files
– Names
– Sizes
– Creation dates
– Last accessed dates
– Last modified dates
– Whether files are deleted and
– Whether a file is overwritten
• Web Information
– Browser history
– Web bookmarks
– Cookie history
• Mobile Devices
– Call logs
– Text messages
– SMS messages
– Applications
– Contacts
Best Practices for Data Review
• Be wary of the examiner seeking support for your theory. You want an impartial skeptic, not an advocate on a mission to please you.
• Request a “timeline” be extracted from the target device.
• Once you have found files of interest, create a separate listing which only includes those files.
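An added example, not part of the original slides: one alternative to a spreadsheet for reviewing a file listing is to load it into SQLite, cull it with the agreed search terms, then pull a timeline and a separate listing of only the identified files. The CSV column names and the sample rows are constructed assumptions; each forensic tool exports its own layout.

```python
import csv
import io
import sqlite3

EXCEL_MAX_ROWS = 1_048_576  # worksheet row limit cited in the slides
COLUMNS = ("path", "size", "created", "modified", "accessed", "deleted")

# Constructed sample listing. Column names and values are assumptions made
# for this example, not output from any particular forensic tool.
SAMPLE_LISTING = """\
path,size,created,modified,accessed,deleted
C:/Users/jdoe/Documents/pricing_model_2016.xlsx,48211,2016-01-04T09:12:00,2016-03-01T17:40:00,2016-03-02T08:05:00,0
C:/Users/jdoe/Documents/customer_list.csv,9120,2015-11-20T10:00:00,2016-02-27T22:14:00,2016-02-27T22:15:00,1
E:/backup/customer_list.csv,9120,2016-02-27T22:16:00,2016-02-27T22:14:00,2016-02-27T22:16:00,0
C:/Users/jdoe/Documents/customer-list-notes.txt,310,2016-01-10T08:00:00,2016-01-10T08:30:00,2016-01-11T09:00:00,0
C:/Users/jdoe/Pictures/vacation.jpg,2048000,2015-07-04T12:00:00,2015-07-04T12:00:00,2016-01-01T00:00:00,0
"""


def load_listing(csv_text, db_path=":memory:"):
    """Load a file listing into SQLite, which has no worksheet row ceiling."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE files (path TEXT, size INTEGER, created TEXT, "
        "modified TEXT, accessed TEXT, deleted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO files VALUES "
        "(:path, :size, :created, :modified, :accessed, :deleted)",
        csv.DictReader(io.StringIO(csv_text)),
    )
    conn.commit()
    return conn


def fits_in_excel(conn):
    """True if the listing plus one header row fits on a single worksheet."""
    (count,) = conn.execute("SELECT COUNT(*) FROM files").fetchone()
    return count + 1 <= EXCEL_MAX_ROWS


def _like_pattern(term):
    # '%' and '_' are LIKE wildcards; escape them so a search term such as
    # "customer_list" is matched literally and not as "customer?list".
    for ch in ("\\", "%", "_"):
        term = term.replace(ch, "\\" + ch)
    return "%" + term + "%"


def cull(conn, terms):
    """Rebuild the 'identified' table from search terms; return its row count.

    Matching is on the path and is case-insensitive for ASCII (SQLite LIKE).
    """
    conn.execute("DROP TABLE IF EXISTS identified")
    conn.execute("CREATE TABLE identified AS SELECT * FROM files WHERE 0")
    if terms:
        where = " OR ".join(["path LIKE ? ESCAPE '\\'"] * len(terms))
        conn.execute(
            "INSERT INTO identified SELECT * FROM files WHERE " + where,
            [_like_pattern(t) for t in terms],
        )
    conn.commit()
    (count,) = conn.execute("SELECT COUNT(*) FROM identified").fetchone()
    return count


def timeline(conn):
    """Return (timestamp, event, path, deleted) rows for identified files.

    Assumes ISO-8601 timestamps in one time zone, so text order is time order.
    """
    return conn.execute(
        "SELECT created AS ts, 'created' AS event, path, deleted FROM identified "
        "UNION ALL SELECT modified, 'modified', path, deleted FROM identified "
        "UNION ALL SELECT accessed, 'accessed', path, deleted FROM identified "
        "ORDER BY ts, event, path"
    ).fetchall()


def export_identified(conn):
    """Return the separate listing of identified files as CSV text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(COLUMNS)
    writer.writerows(conn.execute("SELECT * FROM identified ORDER BY path"))
    return out.getvalue()


if __name__ == "__main__":
    db = load_listing(SAMPLE_LISTING)
    print("fits in one worksheet:", fits_in_excel(db))
    print("identified files:", cull(db, ["customer_list"]))
    for ts, event, path, deleted in timeline(db):
        print(ts, event, path, "(deleted)" if deleted else "")
    print(export_identified(db))
```

In the constructed rows, the timeline puts the copy on `E:` two minutes after the original's last modification, with the original flagged as deleted; the search itself runs against the listing, not the device.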
Culling Responsive Data - Identifying “Identified Files”
• What is “responsive data?”
– Should be defined in the protocol.
– Generally defined as data the opposition believes in good faith to be their information.
What to do with Identified Files?
What’s Next?
• Once the requesting party has identified the files for review, the parties should collectively review the identified files.
• The forensic expert is instructed to pull the files from the forensic image. (Normally, devices are returned to the custodian after imaging.)
Review of Identified Files
File Review Meeting
Schedule a meeting between the parties to review the files.
Independent Production to Both Parties
Have the forensic expert directly provide the identified files to the parties for review.
– Two-Step Process – Responding party is first provided the files for review and then respondent provides to the requesting party.
What are we Searching for in our Review of the Identified Files?
• Whose data is it?
• In the protocol, the parties should identify what files/data will be subject to deletion.
• The protocol should also provide what to do if the parties cannot agree as to the proper classification of the content of the file/data.
– Who is responsible for motion practice concerning the data?
Deletion of Identified Files
Deletion Considerations in Your Protocol
• In the deletion process, it is important that your protocol provides that an image of the original file listing be maintained.
• The expert should only be instructed to delete the data from the device—not the device’s image.
• Spoliation.
• May need image to prove use and/or damages.
Additional Notes
Spoliation
• Because a file listing can show the life and death of a file, improperly preserved evidence can present significant problems to a responding party.
• Whether a deleted file is recoverable dictates the degree of any spoliation implications.
International Collections
• Because we are searching for electronically misappropriated information, it is common for target devices to be located in different countries.
• International Collections
– Kits
– On-site collections
• Compliance with international laws
– EU laws are different.
– Sometimes, if the information is personal in nature, the information belongs to the employee, even if the information is located on the employer’s devices.
– There are exceptions.
Defend Trade Secrets Act of 2016
• The DTSA was signed into law by President Obama last week.
• The DTSA creates a “civil seizure” mechanism to collect and sequester electronic storage devices believed to contain a stolen trade secret soon after filing suit.
• The DTSA—and the “best practices” expected to be created under the DTSA—may have implications on how forensic discovery is conducted in the future.
Additional Resources
• http://www.craigball.com/LIT_FebMarch14_EDiscBulletin.pdf
• http://www.craigball.com/Ball_Becoming_a_Better_Witness_on_Digital_Forensics.pdf
• http://www.craigball.com/CF.pdf
• http://www.craigball.com/What_Judges_Computer_Forensics-200807.pdf
Questions?
Kasi Chadwick
BoyarMiller
kchadwick@boyarmiller.com
(832) 615-4290
John T. Myers
Chorus Consulting
john.myers@chorusconsulting.net
(713) 203-5743
Craig Ball
Attorney and Forensic Technologist
Certified Computer Forensic Examiner
craig@ball.net
512-514-0182

  • 3. Overview • Drafting and execution of electronic forensic protocols. • We will walk through the lifecycle of a protocol. • Best practices for completing a forensic examination.
  • 4. What is an Electronic Forensic Protocol
  • 5. What is an Electronic Forensic Protocol? • An electronic forensic protocol is a set of procedures through which the harvesting, review, and (sometimes) the destruction of electronic content is conducted. • Agreed forensic protocols can be drafted pursuant to Rule 11 of the Texas Rules of Civil Procedure and/or in conjunction with injunctive relief. • Alternatively, court-ordered forensic discovery can be issued—generally to remedy discovery abuses.
  • 6. • Be careful when seeking to deploy a found or form protocol. • Each case presents unique considerations for forensic assessment. • Each requires a protocol tailored to the needs, sources, parties and risks attendant to the matter.
  • 7. Why an Electronic Forensic Protocol? Agreed Forensic Protocol • Generally speaking, executing an agreed forensic protocol is a way to fast-track the discovery processes. • Provides a mechanism through which the parties may expeditiously locate and collect allegedly misappropriated data. Court-Ordered Forensic Protocol • Provides a way to access data that has not been produced through discovery.
  • 9. In re Weekley Homes, L.P. • Alleged discovery abuse → Trial court ordered a forensic protocol • In re Weekley Protocol: – Four forensic experts identified. – Experts to take an evidentiary image of the hard drives in question using “procedures that is generally acceptable as forensically sound.” – From the images, experts would search for deleted emails from the relevant year using specified search terms. – Owner of data then had opportunity to review the responsive data. – Responsive data was to be provided to requesting party. • Responding party sought mandamus relief.
  • 10. In re Weekley Homes, L.P. • Supreme Court concluded the trial court abused its discretion. • Made this finding because the requesting party’s “conclusory statements that the deleted emails it seeks ‘must exist’ and that deleted emails are in some cases recoverable is not enough to justify the highly intrusive method of discovery the trial court ordered…” • In order to obtain a court-ordered forensic protocol, more must be shown. • Case-by-case analysis.
  • 11. In re Weekley Homes, L.P. - Dicta • The Supreme Court contrasted its decision with In re Honza, 242 S.W.3d 578, 583 (Tex. App.—Waco 2008). • The Supreme Court distinguished In re Weekley from Honza: – Honza sought forensic review to obtain the metadata for a document. No question of document’s existence. – There was a direct relationship between the hard drives sought and the plaintiff’s claims. – There was extensive testimony as to the forensic expert’s experience and qualifications prior to granting the forensic review.
  • 12. Legal Standard for Court-Ordered Electronic Forensic Protocols
  • 13. In re Weekley Homes, L.P. • Per Rule 196.4 of the Texas Rules of Civil Procedure: • Employing Rule 196.4, In re Weekley outlined the legal standard for a court-ordered electronic forensic examination sought to remedy an alleged discovery abuse.
  • 15. Agreed Forensic Protocols • If the parties agree to execute an agreed forensic protocol, there is more freedom to craft the review.
  • 17. Selecting Your Forensic Expert • Selecting a qualified forensic expert is critical. – Qualified and experienced forensic experts help ensure proper collection and processing of data. – In the world of forensics, there are many ways to skin the cat. – Using an inexperienced expert can cause omissions of critical evidence—and in some cases—destruction of the evidence altogether. • Per In re Weekley, your expert’s credentials are important in obtaining a court-ordered forensic protocol.
  • 18. Selecting Your Forensic Expert • Important to involve the forensic expert as early in the process as possible. Protocols put in place without expertise often create unrealistic expectations with respect to the practical limits of forensic analysis. You can't order an examiner to fly. • Optimum outcomes are achieved using a neutral examiner, abetted by input and consensus from partisan experts from each side. • Clear delineation of the examiner's ethical responsibilities is essential. Obligations to the Court and opposing party should be made manifest, where applicable, to avoid inherent conflicts.
  • 19. Selecting Your Forensic Examiner • No company is skilled at digital forensics. Examiners are individuals, and no affiliation guarantees competency. Look closely at the examiner, not the company. • Referrals from colleagues are helpful. • Know what licensure requirements apply to the examiner. • Examiners should be experienced in writing intelligible reports.
  • 20. Costs
  • 21. Costs • Be sure it is crystal clear who must pay the examiner and by what date. No contingent fees ever. • Set interim reporting requirements with reasonable limits on time and cost. Do not let yourself be surprised by the cost. • Generally, the requesting party will pay.
  • 22. What are we Examining?
  • 23. What are we Examining? • How will target information be identified? • We need to consider: – The potential custodians of information, – What types of files will be extracted, and – How the potentially responsive data will be culled for review.
  • 24. What are we Examining? • Where is the target information kept? • While forensic examinations of cell phones and cloud-based accounts do not normally produce reviewable documents, these extractions can provide important clues to the rest of the puzzle.
  • 25. What are we Examining? • The easy targets: – Computers (personal and company devices) – External storage devices • The more complex: – Cell phones – Cloud-based storage systems (e.g. cloud-based e-mail accounts, DropBox)
  • 26. How will we be Examining?
  • 27. Methodologies • Specific methodologies should be agreed upon, where feasible; otherwise, the range of and limits upon the investigator's discretion must be expressly addressed in the protocol.
  • 28. What will be Pulled from the Target Devices?
  • 29. What will be Pulled from the Target Devices? • Question: What is the universe of data to be extracted? • Will the forensic expert be harvesting: – Active Files (e.g. .docs, .pdfs, .xls) – Deleted file identification – Device connection log – Internet Artifacts
  • 30. What will be Provided to the Requesting Party?
  • 31. What will be Provided to the Requesting Party? • Once the universe of data to be harvested is defined, the next important consideration is how identified files will be reviewed by the parties. • Many experts believe that, absent gross misconduct or agreement of the parties, a party and a partisan examiner should not be afforded direct access to an opponent's ESI and devices.
  • 32. Two Approaches • Inclusive – Entire file listing/extraction, with all personal/privileged data removed, produced to both parties. • Culled – Require requesting party to propose search terms to cull data prior to production of file listings.
  • 34. Additional Considerations to be Decided Before Execution • Who will hold the devices while the protocol is executed? – For how long will the devices be sequestered? – How will the devices be kept secure? • How will the forensic images be maintained? • Confidentiality? – Confidential designations? – AEO designations?
  • 35. Additional Considerations to be Decided Before Execution • Consider an iterative process to keep the case moving forward. A few key issues examined first, then a few more. Don't boil the ocean. • Address whether the examiner can assess the integrity of the evidence. If the digital books have been cooked (e.g., drives swapped, wrong machine supplied, drive wiping seen, etc.), can the examiner address this as a threshold matter?
  • 37. Harvesting the Data from the Target Devices • After the protocol is executed by the parties, the forensic expert’s work comes into play. • Selecting the right expert is critical. – There are a number of tools forensic experts can use. The forensic expert’s expertise is important here. • Example: Different data extraction programs work best on different devices. – Incorrect collection methods or incorrect tools can destroy critical metadata (e.g. creation date, last accessed date).
  • 39. Review of Target Information • File listings and extractions are generally produced in .xls format. • Listings can be thousands of pages long. • .xls proficiency is critical. • Most time-intensive activity.
  • 40. Review of Target Information • Spreadsheets of extracted metadata are increasingly ill-suited as a form of production for review because of row limitations. • 1,048,576+ Excel rows sound like a lot until you realize that more than that number of discrete items are routinely seen on a single device (after processing compressed and container files). • Alternatives?
  • 41. What are we Reviewing? With the careful review of a listing or extraction, we can see: • Files – Names – Sizes – Creation dates – Last accessed dates – Last modified dates – Whether files are deleted and – Whether a file is overwritten • Web Information – Browser history – Web bookmarks – Cookie history • Mobile Devices – Call logs – Text messages – SMS messages – Applications – Contacts
  • 42. Best Practices for Data Review • Be wary of the examiner seeking support for your theory. You want an impartial skeptic, not an advocate on a mission to please you. • Request a “timeline” be extracted from the target device. • Once you have found files of interest, create a separate listing which only includes those files.
  • 43. Culling Responsive Data - Identifying “Identified Files” • What is “responsive data?” – Should be defined in the protocol. – Generally defined as data the opposition believes in good faith to be their information.
  • 44. What to do with Identified Files?
  • 45. What’s Next? • Once the requesting party has identified the files for review, the parties should collectively review the identified files. • The forensic expert is instructed to pull the files from the forensic image. (Normally, devices are returned to the custodian after imaging.)
  • 46. Review of Identified Files • File Review Meeting – Schedule a meeting between the parties to review the files. • Independent Production to Both Parties – Have the forensic expert directly provide the identified files to the parties for review. • Two-Step Process – Responding party is first provided the files for review and then respondent provides to the requesting party.
  • 47. What are we Searching for in our Review of the Identified Files? • Whose data is it? • In the protocol, the parties should identify what files/data will be subject to deletion. • The protocol should also provide what to do if the parties cannot agree as to the proper classification of the content of the file/data. – Who is responsible for motion practice concerning the data?
  • 49. Deletion Considerations in Your Protocol • In the deletion process, it is important that your protocol provides that an image of the original file listing be maintained. • The expert should only be instructed to delete the data from the device—not the device’s image. • Spoliation. • May need image to prove use and/or damages.
  • 51. Spoliation • Because a file listing can show the life and death of a file, improperly preserved evidence can present significant problems to a responding party. • Whether a deleted file is recoverable dictates the degree of any spoliation implications.
  • 52. International Collections • Because we are searching for electronically misappropriated information, it is common for target devices to be located in different countries. • International Collections – Kits – On-site collections • Compliance with international laws – EU laws are different. – Sometimes, if the information is personal in nature, the information belongs to the employee, even if the information is located on the employer’s devices. – There are exceptions.
  • 53. Defend Trade Secrets Act of 2016 • The DTSA was signed into law by President Obama last week. • The DTSA creates a “civil seizure” mechanism to collect and sequester electronic storage devices believed to contain a stolen trade secret soon after filing suit. • The DTSA—and the “best practices” expected to be created under the DTSA—may have implications on how forensic discovery is conducted in the future.
  • 55. Additional Resources • http://www.craigball.com/LIT_FebMarch14_EDiscBulletin.pdf • http://www.craigball.com/Ball_Becoming_a_Better_Witness_on_Digital_Forensics.pdf • http://www.craigball.com/CF.pdf • http://www.craigball.com/What_Judges_Computer_Forensics-200807.pdf
  • 56. Questions? • Kasi Chadwick, BoyarMiller, kchadwick@boyarmiller.com, (832) 615-4290 • John T. Myers, Chorus Consulting, john.myers@chorusconsulting.net, (713) 203-5743 • Craig Ball, Attorney and Forensic Technologist, Certified Computer Forensic Examiner, craig@ball.net, 512-514-0182
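
Slides 39 to 42 describe file listings that outgrow Excel's row limit, a "timeline" extracted from the target device, and a separate listing limited to files of interest. The following is an added example, not part of the original presentation or any examiner's tooling: it loads a constructed listing into SQLite and builds both views; the column names and sample rows are assumptions.

```python
import csv
import io
import sqlite3

# Constructed sample listing (not from any real matter). Column names are
# assumptions; real forensic tools export their own headers.
SAMPLE_LISTING = """path,size,created,modified,accessed,deleted
C:/Users/jdoe/Documents/pricing_model.xlsx,48211,2016-03-01T09:12:00,2016-04-28T17:40:00,2016-04-29T08:02:00,0
C:/Users/jdoe/Documents/customer_list.csv,9120,2016-02-11T10:00:00,2016-04-29T08:05:00,2016-04-29T08:05:00,1
E:/backup/customer_list.csv,9120,2016-04-29T08:06:00,2016-04-29T08:05:00,2016-04-29T08:06:00,0
C:/Users/jdoe/Pictures/vacation.jpg,2201133,2015-07-04T12:00:00,2015-07-04T12:00:00,2016-01-02T19:30:00,0
"""


def load_listing(csv_text):
    """Load a file listing into an in-memory SQLite table (no row ceiling)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (path TEXT, size INTEGER, created TEXT,"
               " modified TEXT, accessed TEXT, deleted INTEGER)")
    rows = [(r["path"], int(r["size"]), r["created"], r["modified"],
             r["accessed"], int(r["deleted"]))
            for r in csv.DictReader(io.StringIO(csv_text))]
    db.executemany("INSERT INTO files VALUES (?,?,?,?,?,?)", rows)
    return db


def timeline(db, start, end):
    """One row per timestamp event in [start, end], in time order.

    ISO 8601 strings sort chronologically, so plain text comparison works.
    """
    sql = """
        SELECT ts, event, path, deleted FROM (
            SELECT created AS ts, 'created' AS event, path, deleted FROM files
            UNION ALL
            SELECT modified, 'modified', path, deleted FROM files
            UNION ALL
            SELECT accessed, 'accessed', path, deleted FROM files)
        WHERE ts BETWEEN ? AND ?
        ORDER BY ts, event, path"""
    return db.execute(sql, (start, end)).fetchall()


def files_of_interest(db, name_pattern):
    """Separate listing limited to paths matching a SQL LIKE pattern."""
    return db.execute("SELECT path, size, deleted FROM files WHERE path LIKE ?"
                      " ORDER BY path", (name_pattern,)).fetchall()


if __name__ == "__main__":
    db = load_listing(SAMPLE_LISTING)
    for row in timeline(db, "2016-04-28T00:00:00", "2016-04-29T23:59:59"):
        print(row)
    print(files_of_interest(db, "%customer_list%"))
```

In the constructed data, the timeline places the deleted `customer_list.csv` and a same-sized copy on an external drive one minute apart, the kind of sequence a reviewer would pull into a separate listing.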