May 14, 2013 E-DISCOVERY- WHERE TECHNOLOGY MEETS THE LAW AND
WHAT HR PROFESSIONALS TECHNICALLY NEED TO KNOW!
Slide 3
Business Card Drawing
Slide 4
The Intelligence Group - Background
Forensics + Investigations Consulting Firm. 40+ staff. Founded in
1999. HQ: Bedminster, NJ. Key Offices: Syracuse, NY; Seattle, WA;
Portland, OR; Washington, DC; Philadelphia, PA; Minneapolis, MN.
Licensed Investigators in Multiple States.
Slide 5
Integrating Investigative Techniques:
Background Investigation: Motives, finances, lifestyle, other leads.
Forensic Accounting and Analysis: Investigative accounting, often
involves the tracing, locating and evaluation of assets (personal and
business).
Digital Forensics: Evidentiary: documents, communications, computer
activity.
Slide 6
Investigative Research Services: Evolution of the Background
Investigation. More data than ever, but what to trust? More than
pushing a button: Internet, Databases, Document Repositories and
Human Intelligence. Information vs. Intelligence. Integrated suite of
investigative research tools to fulfill specific needs: Litigation
Intelligence, Financial Intelligence, Digital Intelligence, Background
Investigation.
Slide 7
Investigative Research Services: Litigation Intelligence Services:
Litigant or Individual Background Investigation; Residential Histories
/ Jurisdictions; Criminal Histories; Litigation Histories; Media
Evaluation; Business Interests and employment; Asset Screens and
Searches; Locates and Skip Tracing; Age, residences, other
characteristics to verify; Expert Witness Backgrounds.
Slide 8
Investigative Research Services: Financial Intelligence Services:
Asset Screens & Searches; Real Property, other licensed assets
(vehicles, etc.); Shareholder info (subject to thresholds); Credit,
liens, judgment histories; Banking relationships; Lifestyle,
reputational, etc.; Financial Viability Screening (Corps., etc.);
Corporate Successorship Histories.
Slide 9
Digital Intelligence Services:
Slide 10
Today's Primer: Basics of Electronically Stored Information (ESI);
Types of ESI (Electronically Stored Information); Methods to
investigate, identify, and obtain ESI as Evidence: eDiscovery,
Digital Forensics, Digital Monitoring and Surveillance, Anonymous
Messaging Investigation, Social Media Preservation and Analysis.
Slide 11
Modern Life Communications
Slide 12
Data Explosion... One Zettabyte
1,000,000,000,000,000,000,000.
Slide 13
Basics of ESI
Slide 14
Two Characteristics of ESI: ESI can walk out the door. ESI
leaves digital footprints behind.
Slide 15
ESI Is Portable. Perspective: Today's typical PC has a
100-gigabyte drive. 1 GB equals about 125,000 pages of text or about
42 bankers boxes of documents. 1 DVD equals about 587,500 pages of
text or 197.4 bankers boxes. A DVD in its case weighs about four
ounces. 197 bankers boxes worth of documents would weigh about 7,880
pounds or around four tons.
Slide 16
Where is Electronically Stored Information? Laptops/Desktops,
Servers, Phone Systems (VoIP), Printers & Copiers, PDAs/Cell phones,
CDs/DVDs, USB Thumb Drive.
Slide 17
What other devices contain ESI?
Slide 18
The Corporate Enterprise Network
Slide 19
Types of ESI: Accessible vs. Inaccessible Huh?
Slide 20
Accessible vs. Inaccessible. ACTIVE DATA aka (Accessible): What You
See. Easily accessible by user in the ordinary course of business
(typical sources: hard drives, servers, disks and other portable
media). Types of ESI:
1. Word Processing Docs, Spreadsheets, Slide Presentations,
Databases, Graphics, Design and Engineering Drawings, etc.
2. Company email domain ([email protected])
3. Embedded, Encrypted, Password Protected
Slide 21
Accessible vs. Inaccessible. INACTIVE DATA aka (Inaccessible): What
You CANNOT See. Not easily accessible without forensic tools and
methods (typical sources: hard drives, servers, disks and other
portable media). Types of ESI:
1. Deleted and Hidden Files
2. Unallocated Files and Slack Space
3. Deleted Internet History and Web based email activities
4. Much more
Slide 22
Methods to investigate, identify, and obtain ESI as
Evidence:
Slide 23
eDiscovery: The process of collecting, preparing, reviewing, and
producing electronically stored information (ESI) in the context of
the legal process. Typical Services:
Collection: typically accessible data only.
Preparing: de-duplication, indexing, and culling of ESI, processing
into .tiff files.
Review: creation of load files, hosted review, predictive coding aka
TAR - Technology-Assisted Review.
Production: typically charged per gigabyte or per page for native
production or conversion to .tiff files, bates stamping.
Source: The Sedona Conference Glossary: E-Discovery & Digital
Information Management (Third Edition), September 2010
Slide 24
Distinction between eDiscovery vs. Digital Forensics
Digital Forensics: Strategic, focused, controlled analysis of ESI.
Digital forensics often investigate: Smaller amounts of relevant
Active and Inactive (deleted) files; Metadata; Internet History, Web
Based E-Mail Activity; Registry, Link, and Event logs. May require
Expert Reporting & Testimony.
Definition: Digital Forensics aka Computer Forensics
(Cyberforensics), is the process of gathering evidence suitable for
presentation in a court of law. The goal is to perform a structured
investigation while maintaining a documented chain of evidence to
find out exactly who, what, when, how, and when a digital device was
used.
Slide 25
The Digital Iceberg: Live ESI found by Native Tools (such as
Windows Explorer, E-Discovery tools). ESI found by forensic tools
(Deleted, edited, renamed, hidden, difficult to locate, etc.).
Slide 26
Forensic Investigations have become routinely used as an
investigative tool in HR matters such as: Restricted Covenant,
Non-Compete, Theft of Trade Secret, IP Theft, Whistleblower /
Retaliation, Discrimination, Sexual Harassment, Wrongful Termination,
Class Action, Workers Compensation, Workplace investigations... Many
more
Slide 27
Which Tool To Use?
Category | Electronic Discovery | Digital Forensics
Applications | Typically Civil Litigation | Civil Litigation, Internal Investigations, Criminal
Scope | Can Be Enterprise-wide | Typically Focused Specific Individuals and Equipment
Strategy | Fishing: Culling Large Volumes of Data - Later | Investigative: Searching for Specific Data - Early
Data Types | Documents, Files, Enterprise Email | Docs/Files, Deleted Data, All Communications, Internet Data
Attributes | Document-specific Metadata | Re-creation of Time-Critical Events
Slide 28
Difference between Traditional Copying and Forensic Imaging
Traditional Copying: Gets active data (the visible files), changes
metadata such as access date/time of the files.
Forensically Acquired Image: A write-protected exam that is an exact
bit-by-bit copy of all data on a drive. Enables recovery of data even
after the data on the drive has been erased or reformatted.
Slide 29
Preservation: Copying Logical Files. Copying files from one
folder to another. Original evidence is changed. Hidden data is not
copied. (Diagram labels: Original, File Copy)
Slide 30
Preservation: Mirror Image. Bit-by-bit copies of original data.
Exact representation of original evidence. Software like EnCase,
Linux DD, and Forensic ToolKit. The original evidence is NOT
modified. (Diagram labels: Original, Forensic Imaging)
Slide 31
Authenticating the Evidence: To authenticate the evidence is to
confirm that the forensic copy is exactly the same as the original.
The hash is a digital fingerprint. (Changing a single character, from
"s" to "S", in a Word document will change the hash value.)
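An added illustration of the authentication step (not part of the original slides): the source is hashed while it is imaged, the image is re-hashed, and a one-character change from s to S makes verification fail. The byte string standing in for a drive and the function names are constructed for this example; MD5 is included because the deck names it, alongside SHA-256.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # read size; the digest is the same for any block size


def _new_digests():
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def acquire_image(source, image):
    """Copy source to image block by block; return digests of what was read."""
    digests = _new_digests()
    while True:
        block = source.read(BLOCK_SIZE)
        if not block:
            break
        image.write(block)
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_image(image, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition."""
    image.seek(0)
    digests = _new_digests()
    for block in iter(lambda: image.read(BLOCK_SIZE), b""):
        for d in digests.values():
            d.update(block)
    return all(d.hexdigest() == recorded[name] for name, d in digests.items())


def demo():
    # Constructed stand-in for a drive: an active document, empty space,
    # and leftover bytes from an old file. A bit-by-bit copy takes all of it.
    drive = b"Quarterly results are attached." + b"\x00" * 5000 + b"old deleted draft"
    image = io.BytesIO()
    recorded = acquire_image(io.BytesIO(drive), image)
    intact = verify_image(image, recorded)

    # Change one character, s -> S, as described on the slide.
    altered = io.BytesIO(image.getvalue().replace(b"results", b"reSults", 1))
    altered_passes = verify_image(altered, recorded)
    return recorded, intact, altered_passes


if __name__ == "__main__":
    recorded, intact, altered_passes = demo()
    print(recorded)
    print("image matches original:", intact)
    print("altered copy matches original:", altered_passes)
```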
Slide 32
Permanently Deleted?
Slide 33
Delete Does NOT Mean FOREVER: Unallocated space, Temporary files,
File slack, Hidden files, History files. The nature of data storage on
computer disks often allows for data recovery from deleted,
formatted, damaged hard disks!
Slide 34
SecondSetofBooks.xls TradeSecrets.doc OffshoreAccount.html
It's All Just ONEs and ZEROs!
Slide 35
^econdSetofBooks.xls ^radeSecrets.doc ^ffshoreAccount.html
Delete Does NOT Mean FOREVER. Deleted files are no longer accessible
by Windows, but the data for the file will remain on the computer
hard drive until overwritten by new data.
Slide 36
Live Exhibit of Finding Deleted Files
Slide 37
Formatting Does NOT Mean Gone FOREVER. Deleting a file makes the
entry unavailable to the Windows Operating System (and invisible to
the user). Tearing Up the Card Doesn't Eliminate the Book. Only
Wiping the Device Eliminates the Data.
Slide 38
Formatted Computer Hard Drives. FAT - File Allocation Tables or
Card Catalog. FAT contains the file names and the locations of
active files on the disk. Formatting a hard drive is like Cutting
up an Index Card. The FAT is cleared, and deleted files organized
into tracks and sectors to be overwritten.
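An added example, not from the original slides, of why a deleted FAT file shows up with its first character missing: deletion overwrites the first byte of the 32-byte directory entry with 0xE5 and leaves the data clusters alone. The tiny volume, 8.3 file names, 64-byte cluster size and contiguous layout are constructed assumptions.

```python
import struct

# 32-byte FAT short-name directory entry: name(11) attr(1) skipped(8)
# cluster_hi(2) write_time(2) write_date(2) cluster_lo(2) size(4)
ENTRY = struct.Struct("<11sB8xHHHHI")
DELETED_MARK = 0xE5        # first name byte of a deleted entry
CLUSTER_SIZE = 64          # constructed: tiny clusters keep the demo readable
FIRST_DATA_CLUSTER = 2     # FAT numbers data clusters from 2


def build_volume():
    """Constructed sample: a three-entry directory followed by a data area."""
    files = [("BUDGET", "XLS", b"public budget figures"),
             ("SECRETS", "DOC", b"formula for the secret sauce"),
             ("NOTES", "TXT", b"meeting notes")]
    directory, data = bytearray(), bytearray()
    for i, (name, ext, content) in enumerate(files):
        raw = (name.ljust(8) + ext.ljust(3)).encode("ascii")
        directory += ENTRY.pack(raw, 0x20, 0, 0, 0, FIRST_DATA_CLUSTER + i, len(content))
        data += content.ljust(CLUSTER_SIZE, b"\x00")
    return directory, data


def delete_file(directory, index):
    """A FAT delete marks the directory entry; the file's data is not touched."""
    directory[index * ENTRY.size] = DELETED_MARK


def wipe_cluster(data, cluster):
    """Overwriting the clusters is what actually removes the content."""
    start = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    data[start:start + CLUSTER_SIZE] = bytes(CLUSTER_SIZE)


def list_entries(directory, data):
    """Return (name, deleted, content) for each entry, deleted ones included."""
    found = []
    for offset in range(0, len(directory), ENTRY.size):
        raw, _attr, hi, _t, _d, lo, size = ENTRY.unpack_from(directory, offset)
        if raw[0] == 0x00:                      # end-of-directory marker
            break
        deleted = raw[0] == DELETED_MARK
        # The first character is lost on deletion; show it as "?".
        stem = ("?" + raw[1:8].decode("ascii")) if deleted else raw[:8].decode("ascii")
        name = stem.rstrip() + "." + raw[8:11].decode("ascii").rstrip()
        start = (((hi << 16) | lo) - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
        found.append((name, deleted, bytes(data[start:start + size])))
    return found


def demo():
    directory, data = build_volume()
    delete_file(directory, 1)                    # user deletes SECRETS.DOC
    after_delete = list_entries(directory, data)
    wipe_cluster(data, FIRST_DATA_CLUSTER + 1)   # clusters later overwritten
    after_wipe = list_entries(directory, data)
    return after_delete, after_wipe
```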
Slide 39
Risks of conducting Digital Investigations on your own.
Typically: Not Trained in Investigations; Can be considered a Biased
Party; Chain of Custody is Non-Existent or Incomplete; Tools are NOT
Certified by the court; High Risk of Spoliation; Not a Credible
Expert; Unproven methods may cause potential inadmissibility in
court. People are strongly cautioned against conducting their own
internal investigation using a Retail IT shop, Geek Squad or other
IT Staff, a close friend or relative, yourself, or otherwise...
Slide 40
The Flip side: The flip side of data preservation is, of course,
spoliation. Spoliation is the destruction or material alteration of
evidence or the failure to preserve property for another's use as
evidence in pending or reasonably foreseeable litigation. The
authority to impose sanctions for spoliation arises under the
court's inherent powers. Sanctions are warranted for spoliation of
ESI is challenging because it is easier to intentionally or
inadvertently delete or modify ESI and it is more difficult for
parties to craft preservation policies that ensure that the
appropriate data are preserved.
Slide 41
Examples of Digital Evidence E-Mail Temporary Internet Files
Hidden Files / Temporary Files Metadata.
Slide 42
What's in an email thread? Emails typically have the threads
included... This week is not good. -----Original Message----- To:
[email protected], Randy G. Kruger Jr.@ANDERSEN WO,
[email protected], [email protected] cc: Date:
01/09/2002 10:26 AM From: [email protected] Subject:
Lunch OK you slackers (excluding Shaw), I'll give you another
chance to respond. Lunch this week or next, let me know what's
good. If meeting after work is better for you, let me know.
Schroeder
Slide 43
What's in an email thread? Forensic recovery of all email contents
can reveal the entire email thread. This week is not good. I
have too large a pile of documents to shred. Next week is better. I
suggest Wednesday, Thursday or Friday. -----Original Message-----
To: [email protected], Randy G. Kruger Jr.@ANDERSEN WO,
[email protected], [email protected] cc: Date:
01/09/2002 10:26 AM From: [email protected] Subject:
Lunch OK you slackers (excluding Shaw), I'll give you another
chance to respond. Lunch this week or next, let me know what's
good. If meeting after work is better for you, let me know.
Certainly all of you can stop shredding documents for 5 minutes to
respond. Schroeder..
Slide 44
E-Mail Temporary Internet Files Hidden Files / Temporary Files
Metadata. Examples of Digital Evidence
Slide 45
Web Based Email Internet Browsing History (search terms)
Temporary Internet Files Online Banking & Day Trading...
Slide 46
Analysis of Temporary Internet Cache Often Reveals the Smoking
Gun:
1. Discovery of other internet-based email accounts and multiple
communications between involved parties.
2. Multiple emails with attached documents (trade secrets).
3. Abundance of possession of X-rated or possibly contraband graphics
to blow credibility of character.
4. Uncovering of undisclosed assets and/or other financial records.
5. The establishing that the harassed employee is actually a harasser
him/herself.
Slide 47
E-Mail Temporary Internet Files Hidden Files / Temporary Files
Metadata. Examples of Digital Evidence
Slide 48
Hiding Files: Xratedpics.jpg Renamed to: personalfile.txt
Slide 49
Attempting to Hide Files: Renaming the file only makes the file
name insignificant. HOWEVER, it does NOT change its true file
creation type attributes.
Slide 50
Hiding Files Does NOT Change Created File Type: As .TXT (Notepad
file), As .GIF (Graphic file), As .XLS (Excel file)
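An added example (not from the original slides) of how a renamed file is caught: the leading signature bytes of the content are compared with the extension. The sample headers and the file names other than personalfile.txt are constructed; only a handful of well-known signatures are listed.

```python
import os

# (leading bytes, detected type, extensions consistent with that type)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG image", {".jpg", ".jpeg"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy Office)",
     {".doc", ".xls", ".ppt", ".msg"}),
    (b"PK\x03\x04", "ZIP container (includes modern Office)",
     {".zip", ".docx", ".xlsx", ".pptx"}),
]


def identify(header):
    """Return (type, expected extensions) for the first matching signature."""
    for magic, kind, extensions in SIGNATURES:
        if header.startswith(magic):
            return kind, extensions
    return None, set()


def check(filename, header):
    """Compare what the content is with what the file name claims."""
    ext = os.path.splitext(filename)[1].lower()
    kind, expected = identify(header)
    return {
        "file": filename,
        "detected": kind or "no known signature",
        # Plain text has no signature, so it is never flagged here.
        "mismatch": kind is not None and ext not in expected,
    }


# Constructed sample headers (first bytes only), not taken from real evidence.
SAMPLES = [
    ("personalfile.txt", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),
    ("notes.txt", b"Lunch this week or next?"),
    ("budget.xls", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8),
    ("logo.gif", b"GIF89a\x01\x00\x01\x00"),
]


def flagged(samples=SAMPLES):
    """Names of files whose content does not fit their extension."""
    return [r["file"] for r in (check(n, h) for n, h in samples) if r["mismatch"]]


if __name__ == "__main__":
    for name, header in SAMPLES:
        print(check(name, header))
```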
Slide 51
Temporary Created Files
Slide 52
E-Mail Temporary Internet Files Hidden Files / Temporary Files
Metadata. Examples of Digital Evidence
Slide 53
Why is Metadata Important?
Can Provide Evidence of Access: An individual burning a cd or copying
multiple files to a thumb drive to take with him/her could have their
last accessed date altered.
Can Serve as Evidence: Evidence deliberately erased, bits and bytes
of metadata may provide the missing programs titles, and can prove
the existence of the now erased data. Forensic techniques can
recover both.
The most common definition of metadata is data about data.
Slide 54
Types of ESI that contain metadata: Emails, Spreadsheets, Graphics
- Pictures, Word Docs. Almost all of the information that you
typically want in discovery can be retrieved COST EFFECTIVELY (if
done properly) by getting the documents electronically...
Slide 55
You See / We See Printed Email Backdated MS Office Word
Document
Slide 56
The Old Fashioned Way (Paper) vs. Today (Digital). ESI contains
information that a hard copy does not: Creation Dates/Times; Access
Dates/Times; Versions; Comments; Author; Login Information; E-Mail
Access Lists, Audit Trails and Computer Logs; Gateways/Web Browsing
History; Much, much more...
Slide 57
Case Studies Sexual Harassment Investigation (Cases are
Hypothetical)
Slide 58
Case Study # 1 Sexual Harassment
Slide 59
You're Fired! Case Study # 1 Sexual Harassment
Slide 60
Case Study # 1 Sexual Harassment: Claimed sexual harassment by CEO.
Tolerated it for 18 months. Too fearful to come forward. Married
woman, active in community...
Slide 61
Slide 62
New York Boston Case Study # 1 Sexual Harassment
Slide 63
Analysis of Internet Activity Searches for the term Sexual
Harassment Case Study # 1 Sexual Harassment
Slide 64
Instant Message Logs Chats with friend about contempt for boss
and plan to get him. Case Study # 1 Sexual Harassment
Slide 65
Deleted Email Analysis: Recovery of deleted emails reveals
longstanding relationship with co-worker in Boston office. Case
Study # 1 Sexual Harassment
Slide 66
8/1/04 to 11/08/06 Creation Date was three days prior to her
complaint being filed. Case Study # 1 Sexual Harassment
Slide 67
SEVEN FIGURE -Settlement Avoided- Company files charges against
Exec.
Slide 68
New Techniques & Solutions Digital Monitoring and
Surveillance John Doe Investigations (i.e. tracing and identifying
senders of anonymous emails) Social Media Preservation
Slide 69
Digital Monitoring and Surveillance
Real Time Forensics: Allow you to record and view what your
employees do on the computer, internet, reduce inappropriate and
non-work related activities.
Instant Alerts of Potential Danger: Scan for dangerous keywords in
emails sent and received, web sites visited, chats and instant
messages, and keystrokes typed.
Slide 70
John Doe and Anonymous Messaging Investigations: Duty to
investigate. RISK: Theft of IP, Data Breach, Fraud, Qui Tam,
Reputation
Slide 71
Social Media Preservation and Analysis: Legal Cases Involving
Social Media Rapidly Increasing. Preservation methods now exist.
Spoliation and discovery abuses.
Facebook Spoliation Costs Lawyer $522,000; Ends His Legal Career:
Lester v. Allied Concrete Co., Case No. CL.08-150, CL09-223 (Va.
Circuit Court of the City of Charlottesville Sept. 1, 2011).
Spoliation Instruction in Facebook Account Deletion: Gatto v. United
Air Lines, Inc., et al., Case No. 10-cv-1090-ES-SCM (D.N.J. Mar. 25,
2013)
Slide 72
Social Media Examples
Slide 73
A waitress can't deal with a bad tip She stayed home from work
just to browse Facebook Flight attendants hated on their airline
carrier She was depressed, but Facebook showed her
Slide 74
Closing Thoughts
Slide 75
Getting Started with the Basics
1. Identify ALL critical trade secret information (paper and
electronic) on ALL IT systems.
2. Identify ALL employees, contractors, vendors and other service
providers who have access to trade secret information.
3. Evaluate ALL alternative technology work flows, systems, security
access points.
4. Review ALL current information systems which contain trade secret
information and documentation.
5. Identify and/or develop a work flow to track how trade secret
information is received, created, accessed, modified, stored,
processed, or destroyed.
Slide 76
Effective ePrevention Usage Policies. Potentially Relevant
Policies: Privacy policies; Incident response policies; Employee
policies: Digital Asset Ownership, Internet Usage, Computer Usage,
Social Media, Non Disclosure, Mobile Device Usage, Email Usage, BYOD -
Bring Your Own Device policy; Business partner policies
(e.g., contract policies). Design for a later investigation!
Slide 77
Top Tips for a Successful Digital Investigation: Don't Tamper
With Evidence; Preserve the Chain of Evidence; Don't rely on internal
IT staff; Terminate ALL physical and digital access rights; Retrieve
ALL copies of sensitive information from employee; Secure computers
and information system assets; Assess your risk and exposure; Conduct
forensic imaging and investigation.
We can provide a proactive Quick Peek forensic analysis that compiles
evidence regarding: any file copying activities that took place 90
days prior to departure; what files may have been deleted; what
websites may have been browsed or used for email; and other areas of
potential investigative interest.
Slide 78
Important Issues to Consider Early and Often: Do you envision this
matter may Require Credible Expert Testimony at some point? Does this
matter require copying of ESI or Forensic Acquisition (Chain of
Custody, MD5 Hash authentication) of ESI, and Analysis? At the very
least, can you rest assured that NO Spoliation has taken place? Do
the risk costs outweigh the Initial Acquisition costs?
Slide 79
When to use a Digital Forensic Expert? It depends what you
can afford...or NOT afford! Before or when filing a TRO - Temporary
Restraining Order; Preliminary Injunction; Preservation Order;
Certifications; Affidavits. Expert Rebuttal Testimony. Proactive vs
Reactive. As early on as possible...in order to determine whether or
not you have a case! Before the Risk of potential Malpractice,
Spoliation, Sanctions, et al. The Best Defense is a Great
Offense!
Slide 80
Thank You for your attention! Any Questions? DISCLAIMER: These
slides are made available for educational purposes only as well as
to give you general information and a general understanding of the
law, not to provide specific legal advice. This information should
not be used as a substitute for competent legal advice from a
licensed professional attorney in your state. While we try to make
sure that all information is accurate at all times, we are not
responsible for typographical and other errors that may appear;
however, it is your responsibility to verify with that all details
listed are accurate.
Slide 81
Contact Information: Rob Kleeger Managing Director Direct:
908-396-1467 Mobile: 973-699-0167 Email: [email protected]
1545 Route 206 Suite 202 Bedminster, NJ 07921