Houston Paralegal Association Annual CLE Conference Presentation http://www.boyarmiller.com/news-and-publications/presentations/electronic-forensic-protocols-and-working-with-computer-forensic-examiners

1. Electronic Forensic Protocols
and Working with Computer
Forensic Examiners
Houston Paralegal Association
Kasi Chadwick

2. What we will
Cover…

3. PAGE
Overview
• What is an electronic forensic examination and what
is its purpose?
• The execution of electronic forensic protocols and the
life cycle of a protocol.
• Best practices for completing a forensic examination.
3

4. What is an electronic
forensic examination?

5. PAGE
What is an Electronic Forensic Examination?
• Electronic forensic examinations can be used to
review the contents of an individual’s:
 Computer;
 Cell phone;
 Cloud-based e-mail system (Hotmail; Gmail);
 USB device; or
 Generally any medium upon which data is stored.
• Generally, an inventory of the content of the target
device, called a file listing, is provided to the
requesting party.
• The review is principally conducted using the file
listing.
5

6. PAGE
Ease of Review
“Possession is 9/10 of the law”
• Examination of devices in your possession.
• Examination of devices not in your possession.
• Alternative is to execute a forensic protocol.
6

7. What is an Electronic
Forensic Protocol

8. PAGE
What is an Electronic Forensic Protocol?
• An electronic forensic protocol is a set of procedures
through which the harvesting, review, and
(sometimes) the destruction of electronic content is
conducted.
• Agreed forensic protocols can be drafted pursuant
Rule 11 of the Texas Rules of Civil Procedure and/or in
conjunction with injunctive relief.
• Alternatively, court-ordered forensic discovery can be
issued—generally to remedy discovery abuses.
8

9. PAGE 9
• Be careful when
seeking to deploy a
found or form protocol.
• Each case presents
unique considerations
for forensic
assessment.
• Each requires a
protocol tailored to the
needs, sources, parties
and risks attendant to
the matter.

10. PAGE
Why an Electronic Forensic Protocol?
Agree Forensic Protocol
• Generally speaking, executing an agreed forensic
protocol is a way to fast-track the discovery
processes.
• Provides a mechanism through which the parties may
expeditiously locate and collect allegedly
misappropriated data.
Court Ordered Forensic Protocol
• Provides a way to access data that has not been
produced through discovery.
10

11. Legal Basis

12. PAGE
In re Weekley Homes, L.P.
• Alleged discovery abuse  Trial court ordered a forensic
protocol
• In re Weekley Protocol:
 Four forensic experts identified.
 Experts to take an evidentiary image of the hard drives in
question using “procedures that is generally acceptable as
forensically sound.”
 From the images, experts would search for deleted emails from
the relevant year using specified search terms.
 Owner of data then had opportunity to review the responsive
data.
 Responsive data was to be provided to requesting party.
• Responding party sought mandamus relief.
12

13. PAGE
• Supreme Court concluded the trial court abused its
discretion.
• Made this finding because the requesting party’s
“conclusory statements that the deleted emails it
seeks ‘must exist’ and that deleted emails are in
some cases recoverable is not enough to justify the
highly intrusive method of discovery the trial court
ordered…”
• In order to obtain a court-ordered forensic protocol,
more must be shown.
• Case-by-case analysis.
13
In re Weekley Homes, L.P.

14. PAGE
In re Weekley Homes, L.P. - Dicta
• The Supreme Court contrasted their decision with In
re Honza, 242 S.W.3d 578, 583 (Tex. App.—Waco 2008).
• The Supreme Court distinguished In re Weekley from
Honza:
 Honza sought forensic review to obtain the
metadata for a document. No question of
document’s existence.
 There was a direct relationship between the hard
drives sought and the plaintiff’s claims.
 There was extensive testimony as to the forensic
expert’s experience and qualifications prior to
granting the forensic review.
14

15. Legal Standard for Court-
Ordered Electronic Forensic
Protocols

16. PAGE
In re Weekley Homes, L.P.
• Per Rule 196.4 of the Texas Rules of Civil Procedure:
• Employing Rule 196.4, the In re Weekley outlined the
legal standard for a court-ordered electronic forensic
examination sought to remedy an alleged discovery
abuse.
16

17. Agreed Forensic Protocols

18. PAGE
Agreed Forensic Protocols
• If the parties agree to execute an agreed forensic
protocol, there is more freedom to craft the review.
18

19. Selecting Your Forensic
Expert

20. PAGE
Selecting Your Forensic Expert
• Selecting a qualified forensic expert is critical.
 Qualified and experienced forensic experts help ensure
proper collections and processing of data.
 In the world of forensics, there are many way to skin
the cat.
 Using an inexperienced expert can cause omissions of
critical evidence—and in some cases—destruction of
the evidence altogether.
• Per In re Weekley, your expert’s credentials are
important in obtaining a court-ordered forensic
protocol.
20

21. PAGE
Selecting the expert is a great place to add value!
• When selecting an expert, paralegals can add
significant value.
 Questions are critical!
 It is important that you find an expert with whom you
can collaborate.
21

22. PAGE
• Important to involve forensic expert as early in
process as possible. Protocols put in place without
expertise often create unrealistic expectations with
respect to the practical limits of forensic analysis. You
can't order an examiner to fly.
• Optimum outcomes are achieved using a neutral
examiner, abetted by input and consensus from
partisan experts from each side.
• Clear delineation of examiner's ethical responsibilities
is essential. Obligations to Court and opposing party
should be made manifest, where applicable, to avoid
inherent conflicts.
22
Selecting Your Forensic Expert

23. PAGE
Selecting Your Forensic Examiner
• No company is skilled at digital forensics. Examiners
are individuals, and no affiliation guarantees
competency. Look closely at the examiner, not the
company.
• Referrals from colleagues helpful.
• Know what licensure requirements apply to the
examiner.
• Examiners should be experienced in writing
intelligible reports.
23

24. What are we Examining?

25. PAGE
What are we Examining?
• Paralegal/Examiner relationship is critical at this stage.
• Paralegals and Lawyers should know their case to best
identify the target information.
• How will target information be identified?
• We need to consider:
 The potential custodians of information,
 What types of files will be extracted, and
 How the potentially responsive data will be culled for review.
25

26. PAGE
What are we Examining?
• Where is the target
information kept?
• While forensic
examinations of cell
phones and cloud-
based accounts do not
normally produce
reviewable documents,
these extractions can
provide important clues
to the rest of the puzzle.
26

27. PAGE
What are we Examining?
• The easy targets:
 Computers (personal and company devices)
 External storage devices
• The more complex:
 Cell phones
 Cloud-based storage systems (e.g. cloud-based e-mail
accounts, DropBox)
27

28. How will we be Examining?

29. PAGE
Methodologies
• Specific methodologies should be agreed upon,
where feasible; else, range of and limits upon
investigator's discretion must be expressly addressed
in the protocol.
29

30. What will be Pulled from the
Target Devices?

31. PAGE
What will be Pulled from the Target Devices?
• Question: What is the universe of data to be
extracted?
• Will the forensic expert be harvesting:
 Active Files (e.g. .docs, .pdfs, .xls)
 Deleted file identification
 Device connection log
 Internet Artifacts
31

32. PAGE
Giga-what?:Format for the Information
• Depending on your firm’s staffing and electronic capabilities,
many paralegals my be chiefly responsible for obtaining the data
in the proper format.
• Another place where working with your examiner is important.
• Examiners can provide the target information in a variety of
formats.
• If you don’t ask, you won’t know.
• Sometimes, failure to ask questions results in an inability to
process the data.
32

33. Additional Front-End
Considerations

34. PAGE
Additional Considerations to be Decided Before
Execution
• Who will hold the devices while the protocol is
executed?
 For how long will the devices be sequestered?
 How will the devices be kept secure?
• How will the forensic images be maintained?
• Confidentiality?
 Confidential designations?
 AEO designations?
34

35. PAGE
Additional Considerations to be Decided Before
Execution
• Consider an iterative process to keep the case
moving forward.
• A few key issues examined first, then a few more. Don't boil the
ocean.
• Address whether the examiner can assess the
integrity of the evidence. If the digital books have
been cooked (e.g., drives swapped, wrong machine
supplied, drive wiping seen, etc.), can the examiner
address this as a threshold matter?
35

36. Harvesting the Data

37. PAGE
Harvesting the Data from the Target Devices
• After the protocol is executed by the parties, the
forensic expert’s work comes into play.
• Selecting the right expert is critical.
 There are a number of tools forensic experts can use.
The forensic expert’s expertise is important here.
• Example: Different data extraction programs work
best on different devices.
 Incorrect collection methods or incorrect tools can
destroy critical metadata (e.g. creation date, last
accessed date).
37

38. Data Review

39. PAGE
Review of Target Information
• File listings and
extractions are
generally produced in
.xls format.
• Listings can be
thousands of pages
long.
• .xls proficiency is
critical.
• Most time-intensive
activity. 39

40. PAGE
Review of Target Information
• Spreadsheets of extracted metadata are increasingly
ill-suited as a form of production for review because
of row limitations.
• 1,048,576+ Excel rows sound like a lot until you
realize that more than that number of discrete items
are routinely seen on a single device (after processing
compressed and container files).
• Alternatives?
40

41. PAGE
What are we Reviewing?
• Files
– Names
– Sizes
– Creation dates
– Last accessed dates
– Last modified dates
– Whether files are deleted
and
– Whether a file is
overwritten
• Web Information
– Browser history
– Web bookmarks
– Cookie history
• Mobile Devices
– Call logs
– Text messages
– SMS messages
– Applications
– Contacts
41
With the careful review of a listing or extraction, we can
see:

42. What to do with Identified
Files?

43. PAGE
What’s Next?
• Once the requesting party has identified the files for
review, the parties should collectively review the
identified files.
• The forensic expert is instructed to pull the files from
the forensic image. (Normally, devices are returned to
the custodian after imagining.)
43

44. PAGE
What are we Searching for in our Review of the
Identified Files?
• Who’s data is it?
• In the protocol, the parties should identify what
files/data will be subject to deletion.
• The protocol should also provide what to do if the
parties cannot agree as to the proper classification
content of the file/data.
 Who is responsible for motion practice concerning the
data?
44

45. Deletion of Identified Files

46. PAGE
Deletion Considerations in Your Protocol
• In the deletion process, it is important that your
protocol provides that an image of the original file
listing be maintained.
• The expert should only be instructed to delete the
data from the device—not the device’s image.
• Spoliation.
• May need image to prove use and/or damages.
46

47. Additional Notes

48. PAGE
Spoliation
• Because a file listing can show the life and death of a
file, improperly preserved evidence can present
significant problems to a responding party.
• Whether a deleted file is recoverable dictates the
degree of any spoliation implications.
• Many times, spoliation happens inadvertently.
– Especially in more protracted litigation, paralegals can help monitor a
case’s activity to help their lawyers.
48

49. PAGE
International Collections
• Because we are searching for electronically
misappropriated information, it is common for target
devices to be located in different countries.
• International Collections
 Kits
 On-site collections
• Compliance with international laws
 EU laws are different.
 Sometimes, if the information is personal in nature, the
information belongs to the employee, even if the
information is located on the employer’s devices.
 There are exceptions.
49

50. PAGE
Defend Trade Secret Act of 2016
• The DTSA was signed into law by President Obama last
week.
• The DTSA creates a “civil seizure” mechanism to collect
and sequester electronic storage devices believed to
contain a stolen trade secret soon after filing suit.
• The DTSA—and the “best practices” expected to be
created under the DTSA—may have implications on how
forensic discovery is conducted in the future.
50

51. Additional Resources

52. PAGE
Questions?
Kasi Chadwick
BoyarMiller
kchadwick@boyarmiller.com
(832) 615-4290
52