Category Archives: Computer Forensics

Drafting Digital Forensic Examination Protocols

28 Tuesday Aug 2018

Posted by in Computer Forensics, E-Discovery, Uncategorized

4 Comments

A computer or smart phone under forensic examination is like a sprawling metropolis of neighborhoods, streets, buildings, furnishings and stuff–loads of stuff.  It’s routine for a single machine to yield over a million discrete information items, some items holding thousands of data points.  Searching so vast a virtual metropolis requires a clear description of what’s sought and a sound plan to find it.

In the context of electronic discovery and digital forensics, an examination protocol is an order of a court or an agreement between parties that governs the scope and procedures attendant to testing and inspection of a source of electronic evidence.  Parties and courts use examination protocols to guard against compromise of sensitive or privileged data and insure that specified procedures are employed in the acquisition, analysis, and reporting of electronically-stored information (ESI).

A well-conceived examination protocol serves to protect the legitimate interests of all parties, curtail needless delay and expense and forestall fishing expeditions.  Protocols may afford a forensic examiner broad leeway to adapt procedures and follow the evidence, or protocols may tightly constrain an examiner’s discretion, to prevent waiver of privilege or disclosure of irrelevant, prejudicial material.  A good protocol helps an examiner know where to start his or her analysis, how to proceed and, crucially, when the job is done.

As a litigator for over 35 years and a computer forensic examiner for more than 25 years, I’ve examined countless devices and sources for courts and litigants.  In that time, I’ve never encountered a forensic examination protocol of universal application.  “Standard” procedures change over time, adapted to new forms of digital evidence and new hurdles–like full-disk encryption, solid-state storage and explosive growth in storage capacities and data richness.  Without a protocol, a forensics examiner could spend months seeking to meet an equivocal examination mandate.  The flip side is that poor protocols damn examiners to undertake pointless tasks and overlook key evidence.

Drafting a sensible forensic examination protocol demands a working knowledge of the tools and techniques of forensic analysis so counsel doesn’t try to misapply e-discovery methodologies to forensic tasks.  Forensic examiners deal in artifacts, patterns and configurations.  The data we see is structured and encoded much differently than what a computer user sees.  The significance and reliability of an artifact depends on its context.  Dates and times must be validated against machine settings, operating system functions, time zones and corroborating events.

Much in digital forensics entails more than meets the eye; consequently, simply running searches for words and phrases “e-discovery-style” is far less availing than it might be in a collection of documents.

If you can conceive of taking the deposition of a computer or smart phone, crafting a forensic examination protocol is like writing out the questions in advance.  Like a deposition, there are basic inquiries that can be scripted but no definitive template for follow-up questions.  A good examiner–of people or computers–follows the evidence yet hews to relevant lines of inquiry and respects boundaries.  A key difference is, good advocates fit the evidence to their clients’ narrative where good forensic examiners let the evidence tell its own story.

If you’ve come here for a form examination protocol, you’ll find it; but the “price” is learning a little about why forensic examination protocols require certain language and above all, why you must carefully adapt any protocol to the needs of your case. Continue reading

Preserving MAC Times Collecting Files in E-Discovery

20 Wednesday Jun 2018

Posted by in Computer Forensics, E-Discovery

5 Comments

MAC timesChecking the mailbag, I received a great question from a recent Georgetown E-Discovery Training Academy attendee.  I’m posting it here in hopes my response may be useful to you.

My student wrote: I have a question in regard to zipping eDiscovery data. We’ve always used 7zip to zip our collections. The filenames are too long for Microsoft to be happy with them in their original state. One of our consultants is now telling me that I’m changing metadata. Can you clear this up for me? Am I changing metadata just by zipping a file? If I am, are there other simple tools that I can use? 

Metadata is always changed in the copying of files within a Windows environment.  Anytime you copy data to new media, Windows changes some of its metadata.  Some e-discovery collection tools change the values back to the originating values as part of the collection process.  Thus, the metadata changes, then changes back to undo the change.  If you want to use such tools, they are out there.

I think the more important concern is whether the tools and methods you employ reconstruct the metadata that matters and preserve the integrity of the evidence files.  There is a simple way for you to assess that: check the MAC (modified/accessed/created) dates and hash the files in and out!  You did some exercises of this nature in my Georgetown Academy workbook. Continue reading

Preserving Alexa History: Ugly-but-Easy

24 Saturday Mar 2018

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Uncategorized

7 Comments

amazon-alexa-history-angleTwo years ago, I blogged about the challenge of seeking to preserve records of interactions with the Amazon Echo/Alexa family of devices and applications.  I concluded:

“Listen, Amazon, Apple, Microsoft and all the other companies collecting vast volumes of our data through intelligent agents, apps and social networking sites, you must afford us a ready means to see and repatriate our data.  It’s not enough to let us grab snatches via an unwieldy item-by-item interface.  We have legal duties to meet, and if you wish to be partners in our digital lives, you must afford us reasonable means by which we can comply with the law when we anticipate litigation or respond to discovery. “

In a testament to my thought leadership, nothing whatsoever has happened since my call-to-arms in terms of the ability to preserve Alexa app history data.  It’s as bad as it was two years ago and arguably worse because Echo products have grown so popular and the Alexa interface has been integrated into so many devices that the problem is bigger now by leaps and bounds.

Don’t get me wrong, I am Alexa’s biggest fan (and adore her sisters, “Amazon” and “Computer,” so-called for the alternate “wake words” I use to trigger voice communication to Amazon’s servers from other Echo devices).  If anything, Craig the Consumer is happier now with the Echo ecosystem than two years ago.  Wearing my user hat, Alexa’s a peach (and, yes, I am perfectly comfortable with her from a privacy point of view).  Wearing my e-discovery propeller beanie, Alexa is a pain in the butt.  She’s a data gold digger who cooks the books to make it supremely difficult to account for what she’s taken. Continue reading

Docendo Discimus: Q & A

07 Wednesday Mar 2018

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Uncategorized

7 Comments

teach-learn

The Latin maxim Docendo Discimus means “by teaching, we learn.”  So true, because absent my need to stay up-to-date to teach, it’s easy to fall behind.  I teach various places, but of longest standing at the University of Texas School of Law, my alma mater.  My subject is E-Discovery and Digital Evidence, a three-credit, 14-week course.  In my course, information technology enjoys equal status with case law and procedure.  Half the semester is dedicated to mastering the “e” in e-discovery: the foundations of modern information storage and retrieval.  That balance is unique among law school courses.  I don’t elevate information technology because I happen to know how to teach it; I do it because I think it’s what the students need most and don’t get.  It’s certainly what lawyers need most and don’t get.

Why?

Surprisingly, that’s a contentious question.  The arguments against teaching the technology side of e-discovery and digital evidence range from “it’s not law” to “lawyers hire people for the tech stuff, so why bother?”

I think the explanation for the marginalization of information technology in e-discovery classes is simpler: lawyers teaching law school classes have a limited ability to teach technology.  My guess is that if the teachers knew the technology as well as they know the law, there would be more balance in the curriculum.

The limits of instructors hobbles the curriculum of e-discovery, which should spring from the needs of the students.  We should gear our syllabi to what must be learned rather than what can be taught.  First, let’s teach the teachers.

That won’t be easy.  The level of interest is low, and who wants to draw the circle of competence to leave themselves outside the circle?  Too, there are virtually no instructional channels or materials.  No formal incentives.  No funding.  Many invested in the status quo ante.  And all that aside, there’s a dearth of experienced instructors.  We are fuc… challenged.

Continue reading

Houston: We’ve Got a Problem

30 Wednesday Aug 2017

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Personal, Uncategorized

7 Comments

19-hurricane-harveyHouston is my hometown.  I wasn’t born there (though both my children were); but, I got there as quickly as I could, at age 17 to study at Rice University.  I practiced law in Houston and kept a home in the Houston area for 38 years, longer by far than anywhere else.  I have deep Texas roots, proud Houston roots.  So, it pains me to see what’s happening in Harris County, and as a past President of the Houston Trial Lawyers Asociation, I’m thinking of all my colleagues whose offices are submerged or inaccessible and whose practices will be devastated and disrupted by Hurricane Harvey.

Right now, the needs are basic: shelter, food, clothing, medical care and such.  Soon, however, we must restore the legal and business infrastructure.  Though Houston is home to several megafirms, the majority of Houston lawyers–the best lawyers in the world–are small firm- and solo practitioners.  It’s these lawyers who will help people pick up the pieces of their lives by prosecuting claims for storm damage when insurers decline to pay what’s owed.  In Texas, the need is dire as the toadying Texas Legislature serves at the pleasure of big national insurance carriers, a fact borne out by legislation that, even before Harvey’s waters recede, will operate to deprive Texas insureds of substantial rights to recover for storm losses, effective September 1.  Ironic.  Tragic. Despicable.

So, we must pull together to help Gulf Coast lawyers recover from the storm. My friend, Tom O’Connor, unselfishly organized a relief effort for Louisiana lawyers when Katrina crippled New Orleans and environs.  I’m proud to have contributed in a small way to that effort, financially and by speaking in New Orleans about tech tools to help lawyers cope. I look forward to the chance to work with Tom and with The Computer and Technology Section of the State Bar of Texas to do the same for Gulf Coast lawyers.

There is so much to do, and we must each do what we can according to our particular ways and means. Helping Texas lawyers harness technology to weather the storm is something I can do, and I know it’s within the capability of many of my readers. Houston needs help, and Houston deserves it.  After Hurricane Katrina, Houston took in a quarter of a million evacuees, some forty thousand of them stayed.  When I was at Rice, Houston welcomed 200,000 Vietnamese refugees.  No city is more diverse.  None more self-reliant and can-do.  No city has a bigger heart.

There are a lot of sodden computers and hard drives in Houston and all along the Gulf Coast.  Where once we grabbed the family photo album in an evacuation, today, cherished photos (and crucial client data) is all digital.  To that end, I offer this link to a post I wrote after Katrina addressing data recovery.  We have come a long way since since August 2005.  The Cloud and mobile devices play a big role in data storage, and many hard drives are now solid state; still, the majority of computers rely on mechanical hard drives for long term storage, and water plays havoc with mechanical hard drives. What you do with a damaged device in the aftermath makes a huge difference in whether the data they contain can be resurrected.

Please help Houston, and Houston lawyers, get back on their feet.  Believe me, Houstonians would be there for you.  They’ve proved it many times before.

 

Custodian-Directed Preservation of iPhone Content: Simple. Scalable. Proportional.

26 Wednesday Jul 2017

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Uncategorized

29 Comments

charge sync2This article makes the case for routine, scalable preservation of potentially-relevant iPhone and iPad data by requiring custodians back up their devices using iTunes (a free Apple program that runs on PCs and Macs), then compress the backup for in situ preservation or collection.

The Need
Most of you will read this on your cell phone.  If not, it’s a virtual certainty that your cell phone is nearby. Few of us separate from our mobile devices for more than minutes a day.   On average, cell users spend four hours a day looking at that little screen.  On average.  If your usage is much less, someone else’s is much more.

It took 30 years for e-mail to displace paper as our primary target in discovery.  It’s taken barely 10 for mobile data, especially texts, to unseat e-mail as the Holy Grail of probative electronic evidence.  Mobile is where evidence lives now; yet in most cases, mobile data remains “off the table” in discovery. It’s infrequently preserved, searched or produced.

No one can say that mobile data isn’t likely to be relevant, unique and material.  Today, the most candid communications aren’t e-mail, they’re text messages.  Mobile devices are our principal conduit to online information, eclipsing use of laptops and desktops.  Texts and app data reside primarily and exclusively on mobile devices.

No one can say that mobile data isn’t reasonably accessible.  We use phones continuously, for everything from games to gossip to geolocation.  Texts are durable (the default setting on an iPhone is to keep texts “Forever”).  Mobile content easily replicates as data backed up and synched to laptops, desktops and online repositories like iCloud.  The mobile preservation burden pales compared to that we take for granted in the preservation of potentially-relevant ESI on servers and personal computers.

Modest Burden.  That’s what this article is about.  My goal is to demonstrate that the preservation burden is minimal when it comes to preserving the most common and relevant mobile data.  I’ll go so far as to say that the burden of preserving mobile device content, even at an enterprise scale, is less than that of preserving a comparable volume of data on laptop or desktop computers.  Too, the workflows are as defensible and auditable as any we accept as reasonable in meeting other ESI preservation duties. Continue reading

A New Paradigm in Mobile Device Preservation

18 Tuesday Apr 2017

Posted by in Computer Forensics, E-Discovery, Uncategorized

32 Comments

mobile-device-security[1]Can anyone doubt the changes wrought by the modern “smart” cellphone?  My new home sits at the corner of one-way streets in New Orleans, my porch a few feet from motorists.  At my former NOLA home, my porch faced cars stopped for a street light.  From my vantage points, I saw drivers looking at their phones, some so engrossed they failed to move when they could.  Phones impact how traffic progresses through controlled intersections in every community.  We are slow-moving zombies in cars.

Distracted driving has eclipsed speeding and drunken driving as the leading cause of motor vehicle collisions.  Walking into fixed objects while texting is reportedly the most common reason young people visit emergency rooms today.  Instances of “distracted walking” injury have doubled every year since 2006.  Doing the math, 250 ER visits in 2006 are over half a million ER visits today, because we walk into poles, doors and parked cars while texting.

Look around you.  CAUTION: This will entail looking up from your phone.  How many are using their phones? At a concert, how many are experiencing it through the lens of their cell phone cameras?  How many selfies?  How many texts?  How many apps?

Lately I’ve begun asking CLE attendees how many are never more than an arm’s length from their phones 24/7.  A majority raise their hands.  These are tech-wary lawyers, and most are Boomers, not Millennials.

Smart phones have changed us.  Litigants are at a turning point in meeting e-discovery duties, and lawyers ignore this sea change at peril.  The “legal industry” has chosen self-deception when it comes to mobile devices. It’s a lie in line with corporate bottom lines, and it once found support in the e-discovery case law and rules of procedure.  But, no more.

Today, if you fail to advise clients to preserve relevant and unique mobile data when under a preservation duty, you’re committing malpractice. 

Yes, I used the “M” word, and not lightly. Continue reading

A Dozen E-Discovery Strategies for Requesting and Producing Parties

30 Monday Jan 2017

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Uncategorized

6 Comments

competency-and-strategy_ballTwo characteristics that distinguish successful trial lawyers are preparation and strategy.

Strategy is more than simply doing what the rules require and the law allows.  Strategy requires we explore our opponent’s fears, goals and pain points … and our own.  Is it just about the money?  Can we deflect, distract or, deplete the other side’s attention, energy or resources?  How can they save face while we get what we want?

In a world where less than one-in-one-hundred cases are tried, discovery strategy, particularly e-discovery strategy, is more often vital than trial strategy.  Yet, strategic use of e-discovery garners little attention, perhaps because the fundamentals demand so much focus, there’s little room for flourishes.  As lawyers, we tend to cleave to one way of approaching e-discovery and distrust any way not our own.  If you only know one way of doing things, how do act strategically?

Strategic discovery is the domain of those who’ve mastered the tools, techniques and nuances of efficient, effective discovery.  That level of engagement, facility and flexibility is rare; but, you can be still be more strategic in e-discovery even if you’ve got a lot to learn.

Recently, I had to dash off a dozen e-discovery strategies for requesting and producing parties.  I’m not completely happy with my lists, but I think I nailed a few of the essentials for each side.

A Dozen E-Discovery Strategies for Requesting and Producing Parties

(from Ball, Competency and Strategy in E-Discovery (2017))

Continue reading

E-Discovery Lessons from the Huma Abedin E-Mails

30 Sunday Oct 2016

Posted by in Computer Forensics, E-Discovery, Uncategorized

33 Comments

comey

I’m livid about FBI Director James Comey’s handling of the Huma Abdein e-mails. “Reckless” doesn’t begin to describe Comey’s self-indulgent decision to release information about a situation he clearly does not yet grasp, in a manner that elevates Jim Comey above longstanding Justice Department policy and the integrity of a Presidential election.  Mr. Comey’s justification is couched entirely in his personal predilections, not those of the Bureau or Justice.  It is all “I, I, I” and none of  “we the Bureau” or “we the Justice Department.”  Mine is a procedural objection, not a political one. Whatever my glee at seeing Trump exposed for the weasel I know him to be, I would be every bit as critical had Comey’s half-baked announcement concerned Trump’s e-mail as Clinton’s.  But, Comey’s folly is an opportunity to glean some e-discovery insight.   Continue reading

Proportionality and Emerging Technologies

19 Wednesday Oct 2016

Posted by in Computer Forensics, E-Discovery, Uncategorized

8 Comments

angela-buntingIn the wee hours last evening, I received a question posed by Angela Bunting with Nuix down in Sydney, Australia.  Angela has such deep knowledge of e-discovery above and below the Equator that I was flattered to be queried by someone I’d go to for guidance.  It was a magnificent hypothetical question.

Angela posited a scenario where a producing party used emerging technolgies to either mechanically translate foreign language text to English or voice recordings to text.   In each instance, the quality of the resultant searchable text was poor, akin to bad OCR, and characterized by poor searchability due to malformed and missing words, misleading substitutions, etc.  As a  consequence of  this poor searchability, some documents that should have been produced were not and, to make matters worse, the requesting party had some of the omitted documents, so could readily demonstrate serious flaws in production.

Challenged by the requesting party, the producing party defends the use of the automated transcription or translation based on proportionality.  To do the same work any other way would have required use of costly and time-consuming manual labor.

So, there you have it: the automated approach was faster and cheaper, but also much less accurate and complete, resulting in a failure to produce non-privileged responsive material.

Angela asked what I believed the view of the courts might be in such a situation?  Would the Court require the work be done again using a more accurate, more expensive method? Might sanctions issue?  Would the Court excuse the failure based on proportionality?

Predicting what courts will do based on skeletal hypotheticals is a crap shoot.  Outcomes turn on the peculiar facts of each case and, when the issue is e-discovery, on counsels’ skill in acquainting the judge with the technical underpinnings.

But, I gave it a shot, and here’s my reply:

Continue reading