The Shadow Knows

24 Saturday Sep 2011

Posted by in Computer Forensics, E-Discovery

4 Comments

“You can get anything back from a computer, can’t you?  Even the deleted stuff!”

I get that that a lot, and tend to respond, “Pretty much.”  My lawyer side wants to add, “but it depends.”  Like most in computer forensics, I tend to downplay the challenges and uncertainties of data recovery, not so much to promote forensic examination as to discourage data destruction.  Until a forensic examiner processes the evidence, it’s hard to say whether we can recover particular deleted data; but dollars-to-diamonds, a forensic exam will shed light on the parties and issues.

Lately, the likelihood of recovering deleted files on late-model Windows systems has gone way, way up, even if the data’s been thoroughly flushed from the Recycle Bin.  Microsoft has been gradually integrating a feature called Volume Snapshot Service (a/k/a Volume Shadow Copy Service) into Windows since version XP; but until the advent of Windows 7, you couldn’t truly say the implementation was so refined and entrenched as to permit the recovery of anything a user deletes from a remarkable cache of data called Volume Shadow Copies.

Volume shadow copies are old news to my digital forensics colleagues, but I suspect they are largely unknown to the e-discovery community.  Though a boon to forensics, volume shadow copies may prove a headache in e-discovery because their contents represent reasonably accessible ESI; that is, much more potentially probative evidence that you can’t simply ignore. So, for heaven’s sake, don’t tell anybody. 😉 Continue reading

A Bit About Data Mapping

23 Friday Sep 2011

Posted by in E-Discovery

4 Comments

Earlier this week, I did a webcast on “data mapping.” Data mapping is one of those nimble e-discovery buzz words–like ECA and Predictive Coding–that takes on any meaning the fertile minds in the Marketing Department care to ascribe.

I use “data mapping” to encompass methods used to memorialize the identification of ESI–an essential prerequisite to everything in the EDRM east of Information Management. Of course, like Nessie and Bigfoot, Information Management is something many believe exists but no one has ever shown to be anything but a myth. Consequently, identification of ESI, viz. data mapping, is the de facto entry point for all things e-discovery.

Continue reading

What Are We Waiting For?

05 Monday Sep 2011

Posted by in E-Discovery

3 Comments

Winston Churchill said that, “Democracy is the worst form of government except all those other forms that have been tried from time to time.”  That famous quip neatly describes keyword search in e-discovery.  It stinks, yet lawyers turn to keyword search again and again, because it seems like the best option out there.  It’s the devil we know.

Though keywords serve us well when searching the web, they perform poorly finding “all documents touching, concerning or relating to” an issue in litigation.   The failure is particularly pronounced when keyword search is pursued in the usual fashion of opponents horse trading terms without testing them against sample data or adapting the list to ameliorate well-known flaws like misspellings, noise words and synonyms. Continue reading

De-NISTing: De-FECTive

31 Wednesday Aug 2011

Posted by in Computer Forensics, E-Discovery

10 Comments

If you’re on this turf, chances are you already know that de-NISTing is a technique used in e-discovery and computer forensics to reduce the number of files requiring review by excluding standard components of the computer’s operating system and off-the-shelf software applications like Word, Excel and other parts of Microsoft Office.  Everyone has this  digital detritus on their systems; things like Windows screen saver images, document templates, clip art, system sound files and so forth.  It’s the stuff that comes straight off the installation disks, and it’s just noise to a document review.

It’s called “de-NISTing” because those noise files are identified by matching their hash values (i.e., digital fingerprints) to a huge list of software hash values maintained and published by the National Software Reference Library, a branch of the National Institute for Standards and Technology (NIST).  The NIST list is free to download, and pretty much everyone who processes data for e-discovery and computer forensic examination uses it.  If you’re paying a vendor to de-NIST, you probably think you’re getting value for the service.  I expect nearly everybody who de-NISTs believes that they’re culling the most common operating system and application files.  I mean, that’s the whole point, right?

Sorry to burst your bubble. Continue reading

Too Native Review

30 Tuesday Aug 2011

Posted by in E-Discovery

Comments Off on Too Native Review

Native file review and production in e-discovery is a bit like evolution.  Just when you think the evidence in support would persuade anyone, up pops someone who’s firmly and vocally unconvinced.

When I’m extolling the virtues of producing native file formats in a speech or webcast, I sometimes get pushback like this: “Hey Craig, you’re always telling people to ask for native files.  Well, I think native production is slower and more expensive because it takes so freakin’ long to load each file into Word, and messes up the metadata.”

I’m dumbfounded.  I want to answer, “Wait a sec.  You’re comparing the review of a bunch of document images using an evidence review platform like Concordance to opening each data file in its native application?  Are you kidding me?” Continue reading

Industry Substandard: Stripping Application Metadata

24 Wednesday Aug 2011

Posted by in Uncategorized

1 Comment

Shouldn’t we be aghast that firms still deal with tracked changes and comments in Word documents by simply wishing them away?  “It isn’t discoverable if it wasn’t in the final version” is a risky rationale.  “It might be privileged, so quietly remove it all,” is well, kinda nuts.

Here’s why: Consider that ESI can be broadly characterized as a record, a communication or a hybrid of both.  What we store for retrieval is a record, and what we transmit is a communication.  There’s much crossover, and sometimes we show instead of tell. Continue reading

“Whether I shall turn out to be the hero of my own life, or whether that station will be held by anybody else, these pages must show.”

20 Saturday Aug 2011

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Uncategorized

1 Comment

I christen this blog with words from David Copperfield, my favorite book by my favorite author, Charles Dickens.  I want the heroes of this site to be its readers: the lawyers, judges, support personnel and others with the wisdom to know they must master electronic evidence and the temerity to try.

Blogging is an indulgence and a responsibility.  If I want you to visit, I’ve got to give you something worth your time.  Here, I’ll share things I’ve picked up about electronic discovery and computer forensics, striving to make those topics as interesting, exciting and engaging for you as they are for me.  If I occasionally eke out a well-turned phrase or make you smile, all the better.  Now and then, I may indulge in a personal post about something else, but I trust you’ll skip anything that doesn’t catch your fancy. Continue reading