2013 Boston Ediscovery Summit. Computer Forensics for the Legal Issue-Spotter

Transcription

1 2013 Boston Ediscovery Summit Computer Forensics for the Legal Issue-Spotter James Berriman CEO, Evidox Corporation A Preliminary Comment Issue spotting applies to the practice of ediscovery just as to any other field of law. How do we spot issues? Abstraction Conceptualization Pattern recognition Focus on scenarios, not irrelevant details 1

2 Two Major Categories of Ediscovery Active-File Ediscovery Forensic Ediscovery Active-File Ediscovery Scope of Active-File Ediscovery: Active files -- not deleted files User files -- not system files These are human readable files Created by users, accessed by users Usually in business-oriented formats s, word-processed documents, spreadsheets, presentations, media files, etc. 2

3 Active-File Ediscovery Scope of Active-File Ediscovery: Communications, reports, financials, marketing materials, work product, etc. In short: electronic business records The digital equivalent of traditional paper files Often highly voluminous Relevance depends on substantive content Active-File Ediscovery What matters is on the face of the document 3

4 Active-File Ediscovery Evidence On the Face of the Document : What are the terms of this proposal? What are the warranties in this contract? What is the scope of this specification? What is stated in this communication? What is the invention claimed in this patent? What is represented in this advertisement? Active-File Ediscovery This is traditional legal issue-spotting: - Relevance - - Materiality - - Privilege - These determinations do not require technical expertise regarding the electronic format of the document 4

5 Forensic Ediscovery Scope of Forensic Ediscovery: A different goal and a different methodology To look behind the face of the active user files To assess the digital context of the evidence To assess conduct (or misconduct) of the user: What the user did with the documents What the user did with the computer Forensic Ediscovery Scope of Forensic Ediscovery: Spoliation: Was relevant evidence deleted? Can it be recovered? Authenticity: Is the document authentic? Altered? Fabricated? History: When was the document created? Edited? Printed? By whom? Other versions? Access: Who accessed it, viewed it? 5

6 Forensic Ediscovery Scope of Forensic Ediscovery: Transmittal: Was the document copied to another device? Transmitted? Uploaded? User Activity: What was the user doing with this device at a certain date and time? What applications did the user install? Use? What web sites did the user visit? What communications did the user have? Forensic Ediscovery Scope of Forensic Ediscovery: This requires a search for technical clues in the digital environment where the evidence resides 6

7 Forensic Ediscovery Scope of Forensic Ediscovery: System caches (automatic system copies) System databases (like the Windows Registry) File system data (creation date, access date) Technical data within files (transmission headers, access logs, internal attributes) Residue of deleted data and past disk activity Forensic Ediscovery This requires technical issue-spotting: the province of the forensic expert 7

8 Active-File vs. Forensic Ediscovery Where is the evidence? What is the focus? What is the objective? What kind of expertise? Who does the assessment? What is the result? Active-File Ediscovery Active user documents (electronic business records) Substantive content on face of documents Find relevant documents Legal issue-spotting Lawyer (with technical help) Document production Forensic Ediscovery Digital environment of hard drive or device User conduct (or misconduct) behind face of documents Find technical clues Technical issue-spotting Forensic expert (with legal help) Expert opinion / report The General Methodology of Active-File Ediscovery 8

9 Major Repositories of Electronic Evidence Mail Server File Servers Database Servers Web Server DR Backups Archives Workstations Portable Devices Media Active-File Ediscovery: The Methodology Identify relevant custodians Identify relevant repositories (custodian-centric) Implement preservation plan (repository-centric) Interview custodians (learn criteria for relevance) Select sub-repositories of interest Develop culling and processing criteria Conduct disclosures / preliminary conference Create review set (culled, deduped, processed) Review documents for actual responsiveness Produce responsive subset 9

10 Visualizing the Active-File Winnowing Process Entire client network all devices 2. Preserved subset 3. Selected subset 4. Processed subset review set 5. Responsive subset production Review Platform Production Set The General Methodology of Forensic Ediscovery (We will focus on Windows systems) 10

11 The Basics: What is a Byte? What is a byte? Think of a byte as a single character Letter, number, symbol Code (tab, return, etc.) Unit of data or value The smallest unit of information we care about The Basics: What is a Cluster? What is a cluster? A cluster is a group of bytes on a storage device It is the organizational unit of file storage 4K bytes (4096) per cluster is a common size This allows the system to handle bytes in groups It allows a smaller number of storage addresses Jim s school bus analogy 11

12 The Basics: What is a Cluster? An unformatted drive Lots of byte locations (3200 bytes) No clusters No files The Basics: What is a Cluster? A formatted drive Same number of byte locations Now grouped into 50 clusters 64 bytes per cluster in this example Fewer addresses to worry about Still no files All clusters are therefore unallocated 12

13 The Basics: What is a Cluster? Here is a file (blue) It occupies 1 cluster That cluster is allocated to the file Logical size (blue) = 54 bytes Physical size (cluster) = 64 bytes Leftover space = slack = 10 bytes Unallocated space = 49 clusters The Basics: What is a Cluster? The file is now larger (blue) It occupies 2 clusters Those 2 clusters are allocated Logical size (blue) = 100 bytes Physical size (clusters) = 128 bytes Leftover space = slack = 28 bytes Unallocated space = 48 clusters 13

14 The Basics: What is a Cluster? The file is now even larger (blue) It occupies 4 clusters Those 4 clusters are allocated Logical size (blue) = 193 bytes Physical size (clusters) = 256 bytes Leftover space = slack = 63 bytes Unallocated space = 46 clusters The Basics: The File System & File Deletion What happens when you format a drive? A new drive has capacity (e.g., 100 GB) But it has no organizational structure It has bytes but no clusters When you format a drive: The cluster size is defined (e.g., 4K) The clusters are mapped and addressed A Master File Table (MFT) is created 14

15 The Basics: The File System & File Deletion The Master File Table The MFT is itself a file Think of it as the Table of Contents for the drive Contains a data record for each file on the drive Points to file s address (the clusters that store it) Contains many fields of metadata about each file Metadata = data about the file, not on the face of the document The Basics: The File System & File Deletion Metadata in the Master File Table File name, file extension, full path Status: active or deleted Type: file or folder (a folder is a special type of file) Dates/times of creation, last access, last save Attributes (read only, hidden, system) Permissions (which users can access, save) Logical size (size of the document itself) Physical size (in whole cluster increments) 15

16 The Basics: The File System & File Deletion Does any of this sound familiar? It should. MFT is the source of Windows Explorer data: Filenames, extensions Datestamps Attributes All from the MFT The Basics: The File System & File Deletion MFT is also the source of Properties data in Windows Explorer: Size = logical size Size on disk = physical size Datestamps Attributes All from the MFT 16

17 A Disgruntled Employee Scenario A Disgruntled Employee Scenario 17

18 A Disgruntled Employee Scenario A Disgruntled Employee Scenario 18

19 A Disgruntled Employee Scenario A Disgruntled Employee Scenario 19

20 A Disgruntled Employee Scenario A Disgruntled Employee Scenario 20

21 A Disgruntled Employee Scenario A Disgruntled Employee Scenario 21

22 A Disgruntled Employee Scenario A Disgruntled Employee Scenario 22

23 A Disgruntled Employee Scenario A Disgruntled Employee Scenario 23

24 A Disgruntled Employee Scenario A Disgruntled Employee Scenario If this were a system drive (C:\ drive) it would also contain system files, system caches, executables, drivers, libraries, icons, help files. 24

25 A Disgruntled Employee Scenario A Disgruntled Employee Scenario Active-File Ediscovery: Only the active user files Not system files Not slack space Not unallocated space 25

26 A Disgruntled Employee Scenario Forensic Ediscovery Everything: Active user files System files Slack space Unallocated space Forensic Ediscovery: The Methodology Forensic Preservation: Objective: to preserve the exact existing state of the entire digital storage device Every byte in every cluster, top to bottom Do not boot it up, do not turn it on: This could change the state Use a write blocker to avoid changes Use specialized forensic preservation software 26

27 Forensic Ediscovery: The Methodology Forensic Preservation: This approach preserves everything: The Master File Table All active user files All active system files and caches All recoverable deleted files, user and system All residue of past disk activity All slack space All unallocated space Forensic Ediscovery: The Methodology Forensic Preservation: The resulting archive is called a forensic image Call it a forensic image (a well-defined term) Do not call it a mirror (an ambiguous term) A forensic image basically converts the entire digital storage area into one huge searchable file The forensic expert can search, scroll through, and review the entire space at the byte level 27

28 Forensic Analysis: The Basics What You Can Do With a Forensic Image For Minimal Expense Forensic Analysis: The Basics 1. Extract and Review the Master File Table The MFT can be extracted easily in Excel format You can review the name of every file and folder listed in the MFT, active and deleted You can sort by any of the fields of data You can run full-text searches on the file and folder names Tremendous bang for the buck 28

29 Forensic Analysis: The Basics 1. Extract and Review the Master File Table Sort by full path user accounts: This shows the contents of every user account C:\Documents and Settings\[user] See the name of every user account See the names of all files and icons on the Desktop for each user See the names of all files and icons in the My Documents folder for each user Forensic Analysis: The Basics 1. Extract and Review the Master File Table Sort by full path Recent folders: See the contents of the Recent folders These contain links to user-accessed files (how the Recent Documents list is populated) Even if the files are now deleted or missing C:\Documents and Settings\user\Recent C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\ 29

30 Forensic Analysis: The Basics 1. Extract and Review the Master File Table Sort by full path application folders: See a list of all installed applications C:\Program Files\[application folders] See the date of each installation (the create date of the application folder) Forensic Analysis: The Basics 1. Extract and Review the Master File Table Sort by full path browser caches: See a list of all files contained in the user s browser caches C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files This can reveal names of sites visited, names of cookies, even preserved search terms 30

31 Forensic Analysis: The Basics 1. Extract and Review the Master File Table Sort by file extension: See names of all files of particular user types Word, Excel, PowerPoint, etc. Looks at datestamps and timestamps Look for the absence of expected file types Forensic Analysis: The Basics 1. Extract and Review the Master File Table Sort by date (last accessed or created): See the names of the very last files touched prior to preservation See file activity on any specific date of interest See when the drive was formatted (the create date of the MFT and system folders) See when the operating system was installed (the create date of the system folders) 31

32 Forensic Analysis: The Basics 1. Extract and Review the Master File Table Sort by date (last accessed or created): Look for evidence of "batch" file operations (large collections of files with near-identical "created" or "accessed" dates) If someone dragged and dropped an entire folder of files, they will all cluster together when sorted by create date Forensic Analysis: The Basics 2. Extract Active User Files Remember: A forensic image ALSO contains all active user files Have them extracted so you can review them just like normal active-file ediscovery You do not need a forensic expert to assess active user files 32

33 Forensic Analysis: The Basics 3. Extract Recoverable Deleted User Files A forensic image also contains all recoverable deleted files (i.e., not yet overwritten) Have them restored and extracted so you can review them just like normal active-file ediscovery Forensic Analysis: The Basics 4. Request a Link Analysis The Recent links store information regarding full path and access date for each accessed file A Link Analysis can extract that information and provide you with a report It shows which user files the user launched even if the files themselves are now deleted or are stored elsewhere (network, external storage) 33

34 Forensic Analysis: The Basics 5. Request a USBSTOR Analysis The Windows Registry keeps track of every USB device ever attached to the computer Type of device, manufacturer, model number, serial number, date of installation You can see what USB devices the user attached Forensic Analysis: The Basics 6. Request a Print Spooler Analysis When documents are sent to the printer, they are stored in a temporary system cache This is called the Print Spooler It is possible to extracted stored files from the Print Spooler This allows you to recover files that were printed even if later deleted or never saved on the drive 34

35 Forensic Analysis: The Basics 7. Run keyword searches in unallocated space Even if a file is partially overwritten (and therefore not recoverable as a file ) it is possible that the surviving fragments contain searchable text Most embedded text in user files is in standard ASCII or Unicode format Text remains human readable even if the surrounding formatting is lost Forensic Analysis: The Basics 7. Run keyword searches in unallocated space Hits in unallocated space are extracted in the form of an Excel spreadsheet Each hit is extracted with surrounding text on either side of the hit This allows the fragment to be assessed in context 35

36 Forensic Analysis: The Basics 8. Advanced Analysis There are many other things that a forensic expert can do depending on circumstances and objectives Question & Answers 36

37 About the Author - James Berriman Evidox Corporation CEO & Co-Founder, 2006 to present Ediscovery, forensics, and technology consulting and expert services Boston University School of Law Lecturer in Law, appointed 2011 Teaches Ediscovery & Advanced Civil Procedure Goodwin Procter LLP Senior Counsel & Director of Litigation Technology, 1999 to 2006 Founder of Litigation Technology Group Litigation Attorney, 1990 to 1999 Education JD, cum laude, Boston University School of Law, 1990 BA, summa cum laude, State University of New York, Potsdam College, 1980 Computer Forensics for the Legal Issue-Spotter James Berriman CEO, Evidox Corporation 37