A Best Practice Framework for Data Acquisition

Transcription

1 A Best Practice Framework for Data Acquisition Corporate Headquarters 595 Greenhaven Road Pawcatuck, CT US European Office London, United Kingdom P: F:

2 Electronic data and electronic evidence. Finding it, accessing it and collecting it can be a daunting process. As the role of electronic data becomes increasingly more critical to the litigation process, it s imperative to develop rigorous protocols and procedures for data acquisition. The Oliver Group has spent years defining, building and implementing a best practices approach to the acquisition process. Based on international standards, direct experience and technical expertise, our proven framework has helped us successfully manage engagements across multiple jurisdictions. At a high level, the data acquisition process typically can be broken into three phases: Secure communication procedures Incident handling and escalation paths Status meeting schedule Initial documentation/information request list The assessment process Every organization varies in its organization, infrastructure, technical environment, and culture. As a result, the engagement must be tailored to meet the unique requirements of the situation to ensure the complete and accurate capture of the dataset. The assessment process consists of: Administrative Discovery Technical Discovery Data Acquisition Action Plan Step One Administrative Discovery Phase One: Planning The planning phase allows The Oliver Group to refine the engagement strategy to meet the specific needs of the company. Ideally the planning phase should begin with a kickoff meeting that defines and validates the overall approach, and ends with stakeholder signoff. Without agreement and understanding among the stakeholders at the outset, the likelihood of errors, delays and increased cost rises. The kickoff meeting should, at a minimum; cover the following items: Administrative discovery is all about understanding the root cause of the inquiry for information and the entities and people that may be involved. It is important to consider is who is the main driver of the process: internal legal departments, outside counsel or regulatory entities. How data is acquired and handled may vary depending on the nature of the inquiry, which may be as a result of: Government investigation Internal audit request/investigation or other sources Criminal or civil litigation Initial rules-of-engagement Identification of project stakeholders High level goals and objectives The Oliver Group l 2

3 The final element of administrative discovery is getting a clear picture of organizational layout and the flow of information between departments and individuals. This provides a roadmap of where key players sit within the organization and what are the most appropriate places to look for key custodian data. All of these facets must be taken into consideration because they have a direct impact on the project and its ultimate deliverables. For example, choosing a forensic acquisition approach instead of a non-forensic approach has significant impact on the entire electronic discovery process and the accessibility of certain data post-acquisition. Step Two: Technical Discovery An understanding of the client s specific technical environment is critical to determining the scope of collection, the necessary tools and resources required, and formation of an appropriate action plan. The Oliver Group works in concert with clients to acquire specific technical information spanning several key areas (see chart). This upfront process can be completed by the client s internal IT and compliance staff, however, The Oliver Group frequently works with corporate clients and law firms in an advisory capacity to: Develop a litigation readiness plan which evaluates these areas in advance of an event Assist with locating and accessing relevant data Generate the specific strategy and tactics of collection Provide technical oversight and guidance The Oliver Group l 3

4 Step Three: Collection Plan Upon assessment of all pertinent information, The Oliver Group, in conjunction with the client, develops a Data Acquisition Action Plan which consists of the following aspects: The Oliver Group l 4

5 Phase Two: Collection Phase Two encompasses the actual collection of electronic data and is structured entirely to address the findings and action plan agreed upon in Phase One. A typical data acquisition project may include: Locating data deemed relevant on local drives or networks Verification that all relevant files have been located Documentation of all harvested data Installation of data capture devices and confirmation of capture location Accessing relevant and file server data Creation of separate archive files for both file server and data Providing a final report of collected files During acquisition, The Oliver Group preserves all data associated with the electronic file including: Naming conventions Path structure System level metadata (filename, create date, modify date, last access date, and original file location) File level metadata (internal fields storing information such as author, subject, summary, etc) Experts and Teams Due to the complexity of the data acquisition process it s imperative to build the right acquisition team and enhance it with individual experts as necessary. Data acquisition teams typically will include a combination of senior level consultants and systems engineers with backgrounds in a variety of relevant fields: Computer forensics Data collection Media restoration Electronic discovery processing Acquisition Tools Depending on the requirements of the project, a variety of acquisition tools may be used to automate and support the collection effort. The Oliver Group has developed a proprietary set of tools to enhance industry standard tools. The Oliver Group s approach to acquiring data is in accordance with forensically sound practices, ensuring data integrity is maintained throughout the process. A combination of standard and proprietary applications is used to locate and collect client data along with the appropriate tools for managing the logistics of the project. Acquisition Procedures The Oliver Group s benchmark methodology was developed through extensive work on large scale acquisition projects. We ve developed a streamlined, efficient process to acquire massive amounts of data as well as the needle in a haystack variety. This capability can only be found among service providers who have deep technical expertise and real world experience with the electronic data discovery process. The Oliver Group l 5

6 The core procedure model for data acquisition within an enterprise includes: Creating A Master Custodian List The custodian list is comprised of all relevant custodian names that are supplied by the client s IT staff and their counsel. Forming a comprehensive, accurate master list is an essential element to protecting data integrity, maintaining chain of custody, and ensuring that every responsive file for each custodian is collected. The master custodian list serves as a blueprint for the collection and tracking of custodian data. The list can only be developed if there is a full understanding of the client s technical environment, current and historic data archiving, data identification, and data storage procedures. Custodian Naming Due to the uniqueness of client environments and naming structures, a variety of challenges can develop that may impact the accuracy and completeness of a data set, including: Changes in last names (e.g., marriage) Different names that could generate a similar naming structure (for example: Jen Smith and John Smith could generate a similar jsmith naming structure) A change by the client s IT department to the custodian coding/naming structure of employees for the organization, including id type naming conventions which have no reference to a custodian without a key To combat these challenges, The Oliver Group has developed quality control measures such as: Working with the client IT staff to gain all account information for all relevant custodians Cross checking all user naming/ identification conventions with the client s IT administration Verifying custodian information post extraction by sampling data to confirm correct custodian name and naming convention File Tracking Every relevant file for every user must be tracked and accounted for during data collection. The Oliver Group acquisition teams utilize approved forms and standardized documents to track: Collection components Key collection metrics The collection and delivery of files for further electronic discovery processing Acquisition Logs To accurately document acquisition activities, The Oliver Group utilizes a series of collection logs and reports designed to maintain all relevant details associated with data collected. These logs capture: Which drives, folders and files have been accessed The date, time, and location of the collection Full path names Where data has been transferred Notes about the collection Size of data collected Hash values if applicable The Oliver Group uses a combination of detailed event logs, media intake logs and data restoration logs (as well as others depending on the project) to provide a complete audit trail covering data acquisition to data delivery. The Oliver Group l 6

7 Phase Three: Closeout Data Transfer and Delivery Once data is collected, it must then be transferred and transported to a processing facility. The Oliver Group recommends placing collected data onto external hard drives. This media type allows for the easiest transportation of the data and simplifies the subsequent transition into the restoration process. All data transfer is recorded and documented in Chain of Custody logs, to assure that all data and media are accounted for at all times. Special precautions should be taken when packaging, transporting, and storing electronic media. The Oliver Group recommends that media be shipped in secure, hard-case containers designed specifically for the shipment of the particular media type. These containers should be designed to protect the media against temperature fluctuation, humidity fluctuation, physical shock, and electrostatic discharge. By doing so, clients minimize the chance of source media being tampered with or otherwise damaged. It is also important to include a manifest of the shipment s contents in each container. This manifest should clearly indicate the contents of the shipment and the project to which it belongs, along with information about the client s point-of-contact should there be any questions or issues related to the shipment. Many clients have standardized formats for their shipment manifests and Chain-of-Custody documentation, however, The Oliver Group will provide templates upon request. The method of shipment is determined by the client s needs and preferences. Shipping methods range from utilization of large scale commercial services such as FedEx and UPS, to secure courier services. The Oliver Group is also equipped to transport the media once a phase of the collection or the entire collection process is complete. is generated to provide an accurate means of correlating collected data to its source. The Oliver Group s data collection policies are designed to adhere to the strict chain of custody procedures which investigations of this nature demand. The Oliver Group maintains strict Chain-of- Custody procedures, designed to ensure the security and integrity of clients data. Upon receipt of media, The Oliver Group conducts a catalog of the collected data s contents. This includes a physical inspection of the media, creation of the Chain-of-Custody Document and the recording of any documentation included with the shipment. The Chain-of-Custody documents serve as comprehensive tape inventory reports and are maintained by The Oliver Group throughout the project s lifecycle. Clients are provided with copies of the Chainof-Custody documents for their records. Media Preservation Upon completion of the intake process, media is housed within The Oliver Group s secure media library. For active processing, media is checked out of the library and transferred to our production area, which is accessible only to senior executives and authorized production team. Conclusion Collecting electronic data is a sophisticated and complex process. By working with The Oliver Group, clients leverage The Oliver Group s unique expertise in data recovery and our proven experience in managing large scale data collection projects. Through The Oliver Group, clients access a technical team that has developed collection methodologies built upon the principles of data integrity and chain of custody. They tap into the knowledge of The Oliver Group s engineers who have knowledge and skill sets spanning the areas of computer forensics, data collections, data restoration, and electronic discovery processing. Chain-of-Custody The Oliver Group ensures that all data collected is tracked precisely throughout the project s lifecycle and that a documented source history The Oliver Group l 7