may 14, 2013 e-discovery- where technology meets the law and what hr professionals “technically”...

May 14, 2013 E-DISCOVERY- WHERE TECHNOLOGY MEETS THE LAW AND WHAT HR PROFESSIONALS TECHNICALLY NEED TO KNOW!

Business Card Drawing

Forensics + Investigations Consulting Firm 40+ staff Founded in 1999 HQ: Bedminster, NJ Key Offices: Syracuse, NY Seattle, WA Portland, OR Washington, DC Philadelphia, PA Minneapolis, MN Licensed Investigators in Multiple States The Intelligence Group - Background

Integrating Investigative Techniques: Background Investigation Motives, finances, lifestyle, other leads Forensic Accounting and Analysis Investigative accounting, often involves the tracing, locating and evaluation of assets (personal and business). Digital Forensics Evidentiary: documents, communications, computer activity

Investigative Research Services: Evolution of the Background Investigation More data than ever, but what to trust? More than pushing a button: Internet, Databases, Document Repositories and Human Intelligence Information vs. Intelligence Integrated suite of investigative research tools to fulfill specific needs: Litigation Intelligence Financial Intelligence Digital Intelligence Background Investigation

Litigation Intelligence Services: Litigant or Individual Background Investigation Residential Histories / Jurisdictions Criminal Histories Litigation Histories Media Evaluation Business Interests and employment Asset Screens and Searches Locates and Skip Tracing Age, residences, other characteristics to verify Expert Witness Backgrounds Investigative Research Services:

Financial Intelligence Services: Asset Screens & Searches Real Property, other licensed assets (vehicles, etc.) Shareholder info (subject to thresholds) Credit, liens, judgment histories Banking relationships Lifestyle, reputational, etc. Financial Viability Screening (Corps., etc.) Corporate Successorship Histories Investigative Research Services:

Digital Intelligence Services:

Todays Primer Basics of Electronically Stored Information (ESI) Types of ESI (Electronically Stored Information) Methods to investigate, identify, and obtain ESI as Evidence: eDiscovery Digital Forensics Digital Monitoring and Surveillance Anonymous Messaging Investigation Social Media Preservation and Analysis

Modern Life Communications

Data Explosion... One Zettabyte 1,000,000,000,000,000,000,000.

Basics of ESI

Two Characteristics of ESI ESI can walk out the door. ESI leaves digital footprints behind.

ESI Is Portable Perspective: Todays typical PC has a 100-gigabyte drive 1 GB equals about 125,000 pages of text or about 42 bankers boxes of documents 1 DVD equals about 587,500 pages of text or 197.4 bankers boxes A DVD in its case weighs about four ounces 197 bankers boxes worth of documents would weigh about 7,880 pounds or around four tons

Laptops/Desktops Servers Phone Systems (VoIP) Printers & Copiers PDAs/Cell phones CDs/DVDs USB Thumb Drive. Where is Electronically Stored Information?

What other devices contain ESI?.

The Corporate Enterprise Network

Types of ESI: Accessible vs. Inaccessible Huh?

ACTIVE DATA aka (Accessible) What You See easily accessible by user in the ordinary course of business (typical sources: hard drives, servers, disks and other portable media) Types of ESI: 1.Word Processing Docs, Spreadsheets, Slide Presentations, Databases, Graphics, Design and Engineering Drawings, etc. 2.Company email domain ([email protected]) 3.Embedded, Encrypted, Password Protected Accessible vs. Inaccessible.

INACTIVE DATA aka (Inaccessible) What You CANNOT See Not easily accessible without forensic tools and methods (typical sources: hard drives, servers, disks and other portable media) Types of ESI: 1.Deleted and Hidden Files 2.Unallocated Files and Slack Space 3.Deleted Internet History and Web based email activities 4.Much more Accessible vs. Inaccessible.

Methods to investigate, identify, and obtain ESI as Evidence:

eDiscovery eDiscovery: The process of collecting, preparing, reviewing, and producing electronically stored information (ESI) in the context of the legal process. Typical Services: Collection typically accessible data only Preparing de-duplication, indexing, and culling of ESI, processing into.tiff files Review- creation of load files, hosted review, predictive coding aka TAR-Technology-Assisted Review Production typically charged per gigabyte or per page for native production or conversion to.tiff files, bates stamping. Source: The Sedona Conference Glossary: E-Discovery & Digital Information Management (Third Edition) September 2010

Digital Forensics Strategic, focused, controlled analysis of ESI. Digital forensics often investigate: Smaller amounts of relevant Active and Inactive (deleted) files Metadata Internet History, Web Based E-Mail Activity Registry, Link, and Event logs May require Expert Reporting & Testimony Definition: Digital Forensics aka Computer Forensics (Cyberforensics), is the process of gathering evidence suitable for presentation in a court of law. The goal is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly who, what, when, how, and when a digital device was used. Distinction between eDiscovery vs. Digital Forensics

The Digital Iceberg Live ESI found by Native Tools (such as Windows Explorer, E-Discovery tools) ESI found by forensic tools (Deleted, edited, renamed, hidden, difficult to locate, etc.).

Forensic Investigations have become routinely used as an investigative tool in HR matters such as: Restricted CovenantNon-CompeteTheft of Trade Secret IP TheftWhistleblower / RetaliationDiscrimination Sexual HarassmentWrongful TerminationClass Action Workers CompensationWorkplace investigations...Many more

Which Tool To Use? Electronic DiscoveryDigital Forensics Applications:Typically Civil LitigationCivil Litigation, Internal Investigations, Criminal Scope:Can Be Enterprise-wideTypically Focused Specific Individuals and Equipment Strategy:Fishing Culling Large Volumes of Data - Later Investigative Searching for Specific Data - Early Data Types:Documents, Files, Enterprise Email Docs/Files, Deleted Data, All Communications, Internet Data Attributes:Document-specific MetadataRe-creation of Time-Critical Events

Difference between Traditional Copying and Forensic Imaging Traditional Copying: Gets active data (the visible files), changes metadata such as access date/time of the files. Forensically Acquired Image: A write- protected exam that is an exact bit-by- bit copy of all data on a drive. Enables recovery of data even after the data on the drive has been erased or reformatted.

Preservation: Copying Logical Files Copying files from one folder to another. Original evidence is changed. Hidden data is not copied. Original File Copy...

Bit-by-bit copies of original data. Exact representation of original evidence. Software like EnCase, Linux DD, and Forensic ToolKit. The original evidence is NOT modified. Original 1 1 2 2 Forensic Imaging Preservation: Mirror Image....

To authenticate the evidence is to confirm that the forensic copy is exactly the same as the original. The hash is a digital fingerprint. (Changing a single character, from s to S in a Word document will change the hash value). Authenticating the Evidence

Permanently Deleted?

Delete Does NOT Mean FOREVER Unallocated space Temporary files File slack Hidden files History files The nature of data storage on computer disks often allows for data recovery from deleted, formatted, damaged hard disks!

SecondSetofBooks.xls TradeSecrets.doc OffshoreAccount.html Its All Just ONEs and ZEROs!

^econdSetofBooks.xls ^radeSecrets.doc ^ffshoreAccount.html Delete Does NOT Mean FOREVER Deleted files are no longer accessible by Windows, but the data for the file will remain on the computer hard drive until overwritten by new data....

Live Exhibit of Finding Deleted Files

Deleting a file makes the entry unavailable to the Windows Operating System (and invisible to the user) Tearing Up the Card Doesnt Eliminate the Book Only Wiping the Device Eliminates the Data Formatting Does NOT Mean Gone FOREVER

Formatted Computer Hard Drives FAT- File Allocation Tables or Card Catalog FAT contains the file names and the locations of active files on the disk. Formatting a hard drive is like Cutting up an Index Card. The FAT is cleared, and deleted files organized into tracks and sectors to be overwritten.

Risks of conducting Digital Investigations on your own Typically: Not Trained in Investigations Can be considered a Biased Party Chain of Custody is Non-Existent or Incomplete Tools are NOT Certified by the court High Risk of Spoliation Not a Credible Expert Unproven methods may cause potential inadmissability in court People are strongly cautioned against conducting their own internal investigation using a Retail IT shop Geek Squad or other IT Staff,a close friend or relative, yourself, or otherwise...

The Flip side The flip side of data preservation is, of course, spoliation. Spoliation is the destruction or material alteration of evidence or the failure to preserve property for anothers use as evidence in pending or reasonably foreseeable litigation. The authority to impose sanctions for spoliation arises under the courts inherent powers. Sanctions are warranted for spoliation of ESI is challenging because it is easier to intentionally or inadvertently delete or modify ESI and it is more difficult for parties to craft preservation policies that ensure that the appropriate data are preserved.

Examples of Digital Evidence E-Mail Temporary Internet Files Hidden Files / Temporary Files Metadata.

Whats in a email thread? Emails typically have the threads included... This week is not good. -----Original Message----- To: [email protected], Randy G. Kruger Jr.@ANDERSEN WO, [email protected], [email protected] cc: Date: 01/09/2002 10:26 AM From: [email protected] Subject: Lunch OK you slackers (excluding Shaw), I'll give you another chance to respond. Lunch this week or next, let me know what's good. If meeting after work is better for you, let me know. Schroeder

Forensic recovery of all email contents can reveal the entire email thread. Whats in a email thread? This week is not good. I have too large a pile of documents to shred. Next week is better. I suggest Wednesday, Thursday or Friday. -----Original Message----- To: [email protected], Randy G. Kruger Jr.@ANDERSEN WO, [email protected], [email protected] cc: Date: 01/09/2002 10:26 AM From: [email protected] Subject: Lunch OK you slackers (excluding Shaw), I'll give you another chance to respond. Lunch this week or next, let me know what's good. If meeting after work is better for you, let me know. Certainly all of you can stop shredding documents for 5 minutes to respond. Schroeder..

E-Mail Temporary Internet Files Hidden Files / Temporary Files Metadata. Examples of Digital Evidence

Web Based Email Internet Browsing History (search terms) Temporary Internet Files Online Banking & Day Trading...

Analysis of Temporary Internet Cache Often Reveals the Smoking Gun 1.Discovery of other internet-based email accounts and multiple communications between involved parties. 2.Multiple emails with attached documents (trade secrets). 3.Abundance of possession of X-rated or possibly contraband graphics to blow credibility of character. 4.Uncovering of undisclosed assets and/or other financial records. 5.The establishing that the harassed employee is actually a harasser him/herself.

Hiding Files Xratedpics.jpg Renamed to: personalfile.txt.

Attempting to Hide Files Renaming the file only makes the file name insignificant. HOWEVER, it does NOT change its true file creation type attributes..

Hiding Files Does NOT Change Created File Type As.TXT (Notepad file) As.GIF (Graphic file) As.XLS (Excel file)

Temporary Created Files

Why is Metadata Important? Can Provide Evidence of Access An individual burning a cd or copying multiple files to a thumb drive to take with him/her could have their last accessed date altered. Can Serve as Evidence Evidence deliberately erased, bits and bytes of metadata may provide the missing programs titles, and can prove the existence of the now erased data. Forensic techniques can recover both. The most common definition of metadata is data about data.

Types of ESI that contain metadata EmailsSpreadsheets Graphics - Pictures Word Docs Almost all of the information that you typically want in discovery can be retrieved COST EFFECTIVELY (if done properly) by getting the documents electronically......

You See / We See Printed Email Backdated MS Office Word Document

The Old Fashioned Way (Paper) vs. Today (Digital) ESI contains information that a hard copy does not: Creation Dates/Times Access Dates/Times Versions Comments Author Login Information E-Mail Access Lists, Audit Trails and Computer Logs Gateways/Web Browsing History Much, much more...

Case Studies Sexual Harassment Investigation (Cases are Hypothetical)

Case Study # 1 Sexual Harassment

Youre Fired!. Case Study # 1 Sexual Harassment

Claimed sexual harassment by CEO Tolerated it for 18 months Too fearful to come forward Married woman, active in community.... Case Study # 1 Sexual Harassment

New York Boston Case Study # 1 Sexual Harassment

Analysis of Internet Activity Searches for the term Sexual Harassment Case Study # 1 Sexual Harassment

Instant Message Logs Chats with friend about contempt for boss and plan to get him. Case Study # 1 Sexual Harassment

Deleted Email Analysis Recovery of deleted emails reveal longstanding relationship with co- worker in Boston office Case Study # 1 Sexual Harassment

8/1/04 to 11/08/06 Creation Date was three days prior to her complaint being filed. Case Study # 1 Sexual Harassment

SEVEN FIGURE -Settlement Avoided- Company files charges against Exec.

New Techniques & Solutions Digital Monitoring and Surveillance John Doe Investigations (i.e. tracing and identifying senders of anonymous emails) Social Media Preservation

Real Time Forensics Allow you to record and view what your employees do on the computer, internet, reduce inappropriate and non-work related activities. Instant Alerts of Potential Danger Scan for dangerous keywords in emails sent and received, web sites visited, chats and instant messages, and keystrokes typed Digital Monitoring and Surveillance

Duty to investigate RISK Theft of IP, Data Breach, Fraud, Qui Tam, Reputation John Doe and Anonymous Messaging Investigations

Social Media Preservation and Analysis Legal Cases Involving Social Media Rapidly Increasing Preservation methods now exist Spoliation and discovery abuses Facebook Spoliation Costs Lawyer $522,000; Ends His Legal Career Lester v. Allied Concrete Co., Case No. CL.08-150, CL09-223 (Va. Circuit Court of the City of Charlottesville Sept. 1, 2011. Spoliation Instruction in Facebook Account Deletion. Gatto v. United Air Lines, Inc., et al., Case No. 10- cv-1090-ES-SCM (D.N.J. Mar. 25, 2013)

Social Media Examples

A waitress can't deal with a bad tip She stayed home from work just to browse Facebook Flight attendants hated on their airline carrier She was depressed, but Facebook showed her

Closing Thoughts

Getting Started with the Basics 1.Identify ALL critical trade secret information (paper and electronic) on ALL IT systems. 2.Identify ALL employees, contractors, vendors and other service providers who have access to trade secret information. 3.Evaluate ALL alternative technology work flows, systems, security access points. 4.Review ALL current information systems which contain trade secret information and documentation. 5.Identify and/or develop a work flow to track how trade secret information is received, created, accessed, modified, stored, processed, or destroyed.

Effective ePrevention Usage Policies Potentially Relevant Policies: Privacy policies Incident response policies Employee policies Digital Asset Ownership Internet Usage Computer Usage Social Media Non Disclosure Mobile Device Usage Email Usage BYOD - Bring Your Own' Device policy Business partner policies (e.g.,contract policies) Design for a later investigation!.

Top Tips for a Successful Digital Investigation Dont Tamper With Evidence Preserve the Chain of Evidence Dont rely on internal IT staff Terminate ALL physical and digital access rights Retrieve ALL copies of sensitive information from employee Secure computers and information system assets Assess your risk and exposure Conduct forensic imaging and investigation We can provide a proactive Quick Peek forensic analysis that compiles evidence regarding: any file copying activities that took place 90 days prior to departure; what files may have been deleted; what websites may have been browsed or used for email; and other areas of potential investigative interest.

77 Do you envision this matter may Require Credible Expert Testimony at some point? Does this matter require copying of ESI or Forensic Acquisition (Chain of Custody, MD5 Hash authentication) of ESI, and Analysis? At the very least, can you rest assure that NO Spoliation has taken place? Do the risk costs outweigh the Initial Acquisition costs? Important Issues to Consider Early and Often....

78 When to use a Digital Forensic Expert? It depends what you can afford...or NOT afford! Before or when filing a TRO - Temporary Restraining Order; Preliminary Injunction; Preservation Order; Certifications; Affidavits. Expert Rebuttal Testimony Proactive vs Reactive As early on as possible...in order to determine whether or not you have a case! Before the Risk of potential Malpractice, Spoliation, Sanctions, et al. The Best Defense is a Great Offense!

Thank You for your attention! Any Questions? DISCLAIMER: These slides are made available for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This information should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. While we try to make sure that all information is accurate at all times, we are not responsible for typographical and other errors that may appear; however, it is your responsibility to verify with that all details listed are accurate.

Contact Information: Rob Kleeger Managing Director Direct: 908-396-1467 Mobile: 973-699-0167 Email: [email protected] 1545 Route 206 Suite 202 Bedminster, NJ 07921