Upload: rva98

Post on 27-Nov-2014

TRANSCRIPT

Page 1: Computer Forensics Ppt

Computer Forensics: What Every Lawyer Should Know

Presenter: Albert Barsocchini, Esq. Email: [email protected] Phone: 415.760.0154

Page 2: Computer Forensics Ppt

Legal Disclaimer

• This presentation shall not be considered legal advice and is only provided as an informational resource

• All cited authorities should be verified, updated, and interpreted by your attorney

Page 3: Computer Forensics Ppt

Data = Digital Data

• Over 93 percent of all information generated in 1999 was in digital format. (In Re Bristol-Myers Squibb Securities Litigation, 205 F.R.D. 437, 440, fn2 (2002) [citing UC Berkeley Study])

(Chart: Digital vs. Non-Digital share of information)

Page 4: Computer Forensics Ppt

E-Discovery

• Electronic Data and Documents Are Discoverable

• “Electronic data and documents are potentially discoverable . . . Organizations must properly preserve electronic data and documents that can reasonably be anticipated to be relevant to litigation” The Sedona Principles, Principle 1

• “The discovery of electronic data . . . in today’s world . . . includes virtually all cases” Zubulake v. UBS Warburg, 217 F.R.D. 309, 317 (S.D.N.Y. 2003)

Page 5: Computer Forensics Ppt

Where Computer Forensics is Used

• Defamation
• Computer Crimes
• Wrongful Termination
• Trade Secret Theft
• Intellectual Property Theft
• Sexual Harassment
• Fraud and Misrepresentation
• Breach of Contract
• Divorce Proceedings
• Misuse of Email
• Spoliation of Evidence
• Discovery Requests
• Internal Investigations
• Incident Response
• Compliance / Risk Auditing
• Due Diligence
• Data Recovery

Page 6: Computer Forensics Ppt

The Digital Office

• Fax Servers

• Computer Workstations

• Printers

• Laptops

• File Server

• Routers and Firewalls

• Cell Phones and Hybrids

• Hand Held Devices

• Copy / Scanner Machines

• Internet Service Provider

• Remote Workstations

• Voice Message Centers

Page 7: Computer Forensics Ppt

Data Storage

• Hard drives

• Back up media

• Zip, Jaz, Floppies

• CD’s / DVD’s

• PDA’s

• Laptops

• Thumb drives

• Network Folders

• Personal / Corporate Web Storage

Page 8: Computer Forensics Ppt

Evidence Sources

• Email

• Databases

• File header information

• Alterations

• Hidden comments

• File fragments

• File properties

• OS, application or network logs

• Temporary files

• Relationship/arrangement of files

• Deleted data

• Metadata

• Web activity logs

Page 9: Computer Forensics Ppt

Data Types

1. Active
2. Embedded Metadata
3. Archival (Individual and Enterprise)
4. Residual

(Chart: from type 1 to type 4 the volume grows and the usefulness falls: less data and more useful at the top, more data and less useful at the bottom.)

Page 10: Computer Forensics Ppt

Archival Data: Accessible vs. Inaccessible

A seven-factor test to determine whether cost shifting should occur. The factors are:

1. The extent to which the request is specifically tailored;
2. The availability of such information from other sources;
3. The total cost of production, compared to the amount in controversy;
4. The total cost of production, compared to the resources available to each party;
5. The relative ability of each party to control costs and its incentive to do so;
6. The importance of the issues at stake in the litigation; and
7. The relative benefits to the parties of obtaining the information.

* See Zubulake v. UBS Warburg, No. 02 Civ. 1243 (S.D.N.Y. 2003)

Rationale: It is expensive and time consuming to restore archival media. Should be for emergency use only. No absolute duty to preserve backup media. Should be a last resort after a showing of likelihood of discovering relevant information.

Page 11: Computer Forensics Ppt

Electronic Data: The Hidden Story

• Timed backup copies and slack
• Temp copies and slack
• Print temp files and slack
• Swap files
• Metadata

Page 12: Computer Forensics Ppt

E-Discovery

• Electronic Data and Documents Are Discoverable

• Deleted and Residual Data are Discoverable. See Antioch Co. v. Scrapbook Borders, Inc., 210 F.R.D. 645, 652 (D. Minn. 2002) (“[I]t is a well accepted proposition that deleted computer files, whether they be emails or otherwise, are discoverable”); Simon Prop. Group L.P. v. mySimon, Inc., 194 F.R.D. 639, 640 (S.D. Ind. 2000) (“[C]omputer records, including records that have been ‘deleted,’ are documents discoverable under [Rule] 34”)

• Metadata are also Discoverable. See, e.g., the ABA’s Proposed Civil Discovery Standard 29(b)(ii) (“A party requesting information in electronic form should also consider . . . asking for the production of metadata associated with the responsive data”)

Page 13: Computer Forensics Ppt

Problems With Electronic Data

• Accessibility
• Informality
• Invisibility
• Durability
• Retention Cost
• Metadata
• Volume of Data
• Multiple Copies
• Multiple Locations
• Review Time
• Cost Overruns
• Easily Abused

Page 14: Computer Forensics Ppt

Will you get the Data?

• Is it reasonably obtainable?

• How specific is the request?

• What is the likelihood of success?

• Availability of other sources?

• Does the benefit outweigh the burden?

• Purpose of the data (day to day vs. emergency backup)?

• Cost to gather the data?

• Resources available to requesting party

Page 15: Computer Forensics Ppt

Best Practices: Electronic Discovery

• Send Preservation Letter

• Do an Initial Discovery flyover

• Appoint Neutral Forensic Expert

• Agree on Inspection Protocols

• Forensic Analysis, Documentation and Reporting

* If opposing party does its own in-house search, ask for specific instructions on how they complied with the discovery request.

Page 16: Computer Forensics Ppt

Tips For The Asking Party

• Expressly Request Electronic Documents
• Narrow the Request
• Focus on the Benefit of the Information
• Specify the Production Format
• Know the Technology or the Technician

Page 17: Computer Forensics Ppt

How to Respond to an Electronic Discovery Request?

• Take Responsibility for the relevant documents

• Hire a Forensic Expert

• Locate & Preserve computer-based evidence

• Document evidence preservation efforts

• Evaluate (Jurisdiction issues, Specificity of request, Volume and location of data requested)

• Limit by key words, dates, active data

• Extract relevant data into a designated folder

• Object to it as burdensome, overly broad and cost prohibitive

Page 18: Computer Forensics Ppt

Still Need a Reason Why to Use a Computer Forensic Expert?

• Courts mandate that computer evidence be collected in a forensically sound manner.

• Properly recover deleted, hidden and temporary files normally invisible to the user.

• Prevent data from being damaged or destroyed (computer evidence is fragile and can be easily erased or compromised).

• Safely extract the relevant data

• Preserve the chain of custody

• Avoid business disruption

• Preserve appropriate privileges

Page 19: Computer Forensics Ppt

Qualifying the Forensic Expert

• 80 hours of formalized forensic training
• EnCE (EnCase Certified Examiner) certified or comparable
• Number of cases investigated and frequency
• Type of cases
• Times testified
• Investigation training
• Background

Page 20: Computer Forensics Ppt

Forensic Expert Witness Tips

• Do hire an unbiased expert
• Do check out your expert’s credentials
• Don’t put off hiring your expert
• Don’t censor or omit information from your expert
• Don’t unnecessarily limit the scope of your expert’s work
• Don’t try to control your expert’s opinion
• Don’t wait for the opposition to bring out weak points in your expert’s report
• Do prepare your expert for testimony
• Do know exactly what you are looking for
• Do learn about the Computer Forensic profession

Page 21: Computer Forensics Ppt

Best Practices: Forensic Investigation

• Define the search (locations and specific material)

• Forensically acquire computer data for examination

• Preserve original data in exact image

• Validate file integrity and preserve chain of custody

• Examine and analyze image data files for evidence

• Document findings

• Court presentation
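The acquisition, integrity and chain-of-custody steps above, worked through in code. This is an added example written for this page, not material from the presentation and not EnCase: it assumes the source is a path that can be read as raw bytes (on a real case a device node such as /dev/sdb exposed through a hardware write blocker; here a small constructed file stands in for the disk so the script runs offline), and the case number, examiner names and file names are placeholders.

```python
"""Acquire a forensic image, hash it in the same pass, verify the copy,
and keep a chain-of-custody record that every later handler appends to.

Added example (not from the presentation or from EnCase). The sample
"disk" written by demo() is constructed; case id and names are placeholders.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads so a multi-GB device never sits in memory


def _hash_stream(fobj, writer=None):
    """Hash everything read from fobj; if writer is given, copy the bytes to it."""
    md5 = hashlib.md5()          # kept only because older reports/tools quote MD5
    sha256 = hashlib.sha256()    # the digest the integrity claim actually rests on
    size = 0
    while True:
        buf = fobj.read(CHUNK)
        if not buf:
            break
        md5.update(buf)
        sha256.update(buf)
        size += len(buf)
        if writer is not None:
            writer.write(buf)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source_path, image_path, examiner, case_id):
    """Copy source to image_path, hash source and image independently, and
    write <image>.custody.json. The source is opened read-only."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        source_hashes = _hash_stream(src, dst)
        dst.flush()
        os.fsync(dst.fileno())
    with open(image_path, "rb") as img:              # re-read what actually hit disk
        image_hashes = _hash_stream(img)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_path,
        "image": os.path.basename(image_path),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,   # bit-for-bit copy
        "custody_log": [],
    }
    with open(image_path + ".custody.json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify(image_path, handler, purpose):
    """Re-hash the image (before analysis, on transfer, before court) and append
    the result to the custody log. Returns True if it still matches acquisition."""
    custody_path = image_path + ".custody.json"
    with open(custody_path) as fh:
        record = json.load(fh)
    with open(image_path, "rb") as img:
        now = _hash_stream(img)
    ok = now == record["image_hashes"]
    record["custody_log"].append({
        "when_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "handler": handler,
        "purpose": purpose,
        "sha256": now["sha256"],
        "matches": ok,
    })
    with open(custody_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return ok


def demo():
    """Run the workflow against a constructed disk, then flip one byte in the
    image and show that the next custody check catches it."""
    with tempfile.TemporaryDirectory() as work:
        disk = os.path.join(work, "evidence_disk.raw")       # stands in for /dev/sdb
        image = os.path.join(work, "case42_disk1.dd")
        with open(disk, "wb") as fh:                          # constructed sample media
            fh.write(b"\x00" * 4096 + b"contract v2 signed" + b"\xff" * 4096)
        record = acquire(disk, image, examiner="A. Examiner", case_id="42")
        first_check = verify(image, handler="A. Examiner", purpose="pre-analysis")
        with open(image, "r+b") as fh:                        # simulate tampering
            fh.seek(4096)
            fh.write(b"X")
        second_check = verify(image, handler="B. Paralegal", purpose="transfer")
        return record["verified"], first_check, second_check


if __name__ == "__main__":
    print(demo())
```

Hash the source and the written image independently rather than trusting the copy loop, and keep the source open read-only behind the write blocker. A production imager also has to cope with unreadable sectors on failing media (zero-fill the gap and log its offsets in the record); that handling is left out here.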

Page 22: Computer Forensics Ppt

Best Evidence Rule

• Physical Image = Best Evidence
• Broderick v. Texas, 35 S.W.3d 67, 79 (2000)
• United States v. Naphorst (Dist. Ct. NH)

Page 23: Computer Forensics Ppt

Best Evidence Rule

• Under the Federal Rules of Evidence, computer output is treated specially: an accurate printout of stored data is itself an “original”. “If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’”
• See Federal Rule of Evidence 1001(3) (in the 2011 restyled Rules the same definition sits at Rule 1001(d), reworded as a printout or other output readable by sight that “accurately reflects the information”)
• Other jurisdictions may have statutory exceptions as well
• See, for example, South Africa’s Electronic Communications and Transactions Act 25 of 2002, Section 14

Page 24: Computer Forensics Ppt

Best Evidence Rule

• Is a Printout an Accurate Reflection?
• A “hard copy” paper printout of an electronic document would not “necessarily include all the information held in the computer memory as part of the electronic document” (Armstrong v. Executive Office of The President, 1 F.3d 1274 (D.C. Cir. 1993))

Page 25: Computer Forensics Ppt

What a Forensic Examiner Needs to Know to Properly Investigate a Case

• What exactly are you looking for?
• Case Type
• Names of Parties
• Existing Evidence to support Case
• Possible Evidence Location(s)
• Key words
• Events Timeline
• Output Format
• Continuous Dialog

Page 26: Computer Forensics Ppt

Finding the Smoking Gun

Examples of the most common investigation requests by attorneys:

• Recover Deleted files (those whose clusters have not yet been overwritten; once the space has been reused, the content is generally unrecoverable from the media)
• Copied Files (last access date and time)
• Web Activity
• User Activity
• Key Word Search
• Email Use
• View User Created Files and Databases
• Evidence of File Destruction or Hiding
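How a deleted file is recovered once the file system no longer lists it: signature carving over raw sectors. This is an added example written for this page (not from the presentation or EnCase). It assumes a raw image is available as bytes; the image here is constructed in code, with a JPEG and a PDF placed in sectors that no directory entry points to, which is what a deleted-but-not-overwritten file looks like in unallocated space.

```python
"""Signature carving of deleted files from the raw bytes of a disk image.

Added example, not from the presentation or EnCase. Deleting a file removes
its directory entry, not its clusters, so scanning unallocated space for known
header/footer byte patterns recovers the content with no file system metadata
at all. The image used here is constructed in build_sample_image().
"""
import hashlib
import os

SECTOR = 512

# Known (header, footer) pairs. The footer bounds the carve; without one a
# header would have to be carved to a fixed maximum size.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer 16 MiB past a header


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return every header..footer run in image as a list ordered by offset.

    Each hit records type, byte offset, sector, size, SHA-256 and the bytes
    themselves, so it can be listed in the report and tied back to the image.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            stop = image.find(footer, start + len(header), start + max_size)
            if stop < 0:
                pos = start + 1          # orphan header (truncated file): skip it
                continue
            data = image[start:stop + len(footer)]
            hits.append({
                "type": kind,
                "offset": start,
                "sector": start // SECTOR,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
            pos = start + len(data)
    return sorted(hits, key=lambda h: h["offset"])


def write_carved(hits, out_dir):
    """Save each hit as <offset>.<type> so the report can cite where it came from."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for h in hits:
        path = os.path.join(out_dir, f"{h['offset']:012d}.{h['type']}")
        with open(path, "wb") as fh:
            fh.write(h["data"])
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed 64-sector image standing in for unallocated space.

    A JPEG-shaped blob sits at sector 3 and a minimal PDF at sector 10; no
    directory entry refers to either, exactly as after deletion. A stray FFD9
    at sector 40 checks that a footer with no header is ignored. Returns the
    image plus the two original payloads for comparison.
    """
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4 + b"\xff\xd9"
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    img = bytearray(SECTOR * 64)
    img[SECTOR * 3:SECTOR * 3 + len(jpeg)] = jpeg
    img[SECTOR * 10:SECTOR * 10 + len(pdf)] = pdf
    img[SECTOR * 40:SECTOR * 40 + 2] = b"\xff\xd9"
    return bytes(img), jpeg, pdf


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for hit in carve(image):
        print(f"{hit['type']} at offset {hit['offset']} (sector {hit['sector']}), "
              f"{hit['size']} bytes, sha256 {hit['sha256'][:16]}...")
```

Header/footer carving only works while the clusters are contiguous and unreused. A fragmented file, a PDF updated in place (several %%EOF markers) or a JPEG with an embedded thumbnail (an inner FFD9) will carve short or wrong, which is why each result is reported with its offset and hash so it can be validated and tied back to the image it came from.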

Page 27: Computer Forensics Ppt

Computer Forensics

The Two Methods For Conducting Computer Forensic Investigations

1.Stand Alone “Static Forensics” using EnCase

2.Network Based Forensics using EnCase Enterprise

Page 28: Computer Forensics Ppt

Static Forensics

• Power off computer and image from DOS
• Remove the hard drive and image with the Windows version of EnCase utilizing a hardware write blocking device
• Image removable media with a Windows version of EnCase and a write protecting device

Page 29: Computer Forensics Ppt

Network Forensics

• Allow access to data without physical entry into a location
• Computer can remain on and in use
• Preserve and record volatile data
• Easily conduct covert operations
• Avoid power down encryption lock of the entire drive, folders, removable media, etc.
• Quickly preview and acquire a computer over the network from any location
• Easily isolate individual computers from a large network and remotely image computers with a high target value
• Can use scripts to automate the investigation process
• Ability to trace linked events
• Establish a time line of events

Page 30: Computer Forensics Ppt

Acquisition and Preservation

Page 31: Computer Forensics Ppt

Forensic Analysis Using EnCase

Pane 1

Shows you the media.

Pane 2

Groups files by Table, Gallery, Timeline or Report views.

Pane 3

Select a file in pane 2 and results are displayed by Text, Hex, Report, Picture, Disk or

Evidence view in pane 3.

Page 32: Computer Forensics Ppt

What The User Sees

Page 33: Computer Forensics Ppt

What the Forensic Examiner Sees

Page 34: Computer Forensics Ppt

Documenting and Reporting

Page 35: Computer Forensics Ppt

Summary

Litigators practicing in today's digital environment must understand the various ways information can be stored and retrieved not only to ensure compliance with discovery rules, but also to build the best possible case strategy. Failing to do so may not only prejudice their case, but may be malpractice.

Handouts

1. PSD Brochure
2. M&A Data Collection
3. Laying the Foundation of the expert witness
4. Electronic Discovery Checklist
5. Forensic Facts

Page 36: Computer Forensics Ppt

Further Resources

• Guidance Software White Papers and Recorded Webinars: www.GuidanceSoftware.com

• EnCase® Legal Journal: www.GuidanceSoftware.com/corporate/whitepapers/downloads/LegalJournal.pdf

• Other Resources:
• www.kenwithers.com

• ABA’s Proposed Civil Discovery Standards: www.abanet.org/litigation/documents/home.html

• http://californiadiscovery.findlaw.com/electronic_data_discovery.htm

• The Sedona Principles: www.thesedonaconference.org/publications_html

Page 37: Computer Forensics Ppt

Questions?

PSD Services: Forensic Investigations; Incident Response; Compliance and Risk Auditing; Due Diligence; and Data Collection and Recovery

Albert Barsocchini, Director - Professional Services NW, PSD Counsel, Guidance Software, 2100 Powell Street, Suite 100, Emeryville CA 94608-1803, [email protected]