Collection

He Sees You When You’re Sleeping — eDiscovery Trends

A recent post in the Law Librarians Blog illustrates not only the different ways in which personal data can be captured, but also the continued growth of devices that might contain that data.

In He Sees You When You’re Sleeping, He Knows When You’re Awake…, the authors discuss potential tracking of mouse movements, current data tracking on smart TVs and even the possibility for data to be kept and tracked on…your toothbrush:

  • An October story from Ars Technica discusses how Facebook is working on a way to log cursor movements, beyond tracking where someone clicks on a page to determine an ad’s effectiveness.  According to the Wall Street Journal, Facebook wants to pay attention to the areas a cursor lingers over, even without a click or other interaction.  And, if you’re using a mobile device, Facebook will still be noting when, for instance, “a user’s newsfeed is visible at a given moment on the screen of his or her mobile phone.”
  • Imagine if your toothbrush could keep track of your brushing habits?  According to ZDNet, Salesforce CEO Marc Benioff sees that happening.  “Everything is on the Net. And we will be connected in phenomenal new ways,” said Benioff. Benioff highlighted how his toothbrush of the future will be connected. The new Philips toothbrush is Wi-Fi based and has GPS. “When I go into the dentist he won’t ask if I brushed. He will say what’s your login to your Philips account. There will be a whole new level of transparency with my dentist.”
  • One device that is already capturing your personal data is the smart TV, in some cases whether you want it or not.  A blogger in the U.K. has discovered that his LG smart TV sends details about his viewing habits back to LG servers.  Those habits also include the file names of items viewed from a connected USB stick.  There is a setting in the TV that purports to turn this behavior off (it’s on by default).  It doesn’t work as data is forwarded to LG no matter what the setting.  LG’s response to the disclosure was less than reassuring – “The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer,” the representatives wrote in a response to the blogger. “We understand you feel you should have been made aware of these T’s and C’s at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.”

Nice.  Imagine a case where, in addition to hard drives and smart phones, data collectors need to perform collection on flatscreen TVs and toothbrushes?  If it sounds farfetched, remember that, several years ago, cell phones didn’t store data and texts didn’t even exist.

So, what do you think?  What is the most unusual device from which you’ve ever collected data?   Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

EDRM Publishes Collection Standards – eDiscovery Trends

On the heels of announcing a transition to nonprofit status by May 2014, the Electronic Discovery Reference Model (EDRM) has now introduced Collection Standards for electronically stored information (ESI) for public comment.

In their press release to announce the new standards, EDRM noted that a group of attendees at this past May’s annual meeting “decided that ‘collection’ of ESI had evolved to the point that it made sense to document collection best practices and considerations for developing a collection strategy. The team, including Julie Brown, Teri Christensen, Kevin Clark, Sean d’Albertis, Kevin Esposito, Faisal Habib, Valerie Lloyd, Rick Nalle, Andrea Donovan Napp and John Wilson, has collaborated over the last several months to develop these standards which are now available for public comment.”

The collection standards page, which is available here, defines best practices to identify what processes are repeatable and the understandable risks and rewards that can be used to evaluate a strategy in various cases.  It focuses on different approaches for collection, including:

  • Forensic Image (Physical or Logical Target)
  • Custom Content/Targeted Image
  • Non-Forensic Copy
  • Exports – Harvesting Email
  • Exports – Non-Email
  • Exceptions (technologies that the standards don’t yet address, including mobile devices, instant messaging, Macs, International Protocols, and social media/other types of cloud storage).

Each approach includes definitions, the pros and cons of that approach and a glossary of terms.  Defined terms are hyperlinked with pop-up definitions, making it easy to look up any unfamiliar term as you read.

Want to know the different types of email formats that are typically exported for discovery purposes?  This document has it.  Want to know when you should consider creating a forensic image of the data in question?  It’s there too.  The standards provide clear best practices in easy-to-understand terms that should be a useful reference for anybody who will need to tackle ESI collection for their cases.  Good move to publish the standards they have now instead of waiting to address the exception technologies, which are much more complex.

According to the press release, the public comment period extends through November 15, 2013, which is only 17 days after the standards were officially published.  That time period seems a bit short to me; hopefully, EDRM will consider extending it.

It’s shaping up to be a banner year for EDRM, as, since the May annual meeting, several EDRM projects (Metrics, Jobs, Data Set and the new Native Files project) have already announced new deliverables and/or requested feedback.

So, what do you think?  Will these new Collection Standards be a useful best practices guide?  Please share any comments you might have or if you’d like to know more about a particular topic.

For Successful Discovery, Think Backwards – eDiscovery Best Practices

The Electronic Discovery Reference Model (EDRM) has become the standard model for the workflow of the process for handling electronically stored information (ESI) in discovery.  But, to succeed in discovery, regardless of whether you’re the producing party or the receiving party, it might be helpful to think about the EDRM model backwards.

Why think backwards?

You can’t have a successful outcome without envisioning the successful outcome that you want to achieve.  The end of the discovery process includes the production and presentation stages, so it’s important to determine what you want to get out of those stages.  Let’s look at them.

Presentation

As a receiving party, it’s important to think about what types of evidence you need to support your case when presenting at depositions and at trial – this is the type of information that needs to be included in your production requests at the beginning of the case.

Production

The format of the ESI produced is important to both sides in the case.  For the receiving party, it’s important to get as much useful information included in the production as possible.  This includes metadata and searchable text for the produced documents, typically with an index or load file to facilitate loading into a review application.  The most useful form of production is native format files with all metadata preserved as used in the normal course of business.

For the producing party, it’s important to save costs, so it’s important to agree to a production format that minimizes production costs.  Converting files to an image based format (such as TIFF) adds costs, so producing in native format can be cost effective for the producing party as well.  It’s also important to determine how to handle issues such as privilege logs and redaction of privileged or confidential information.

Addressing production format issues up front will maximize cost savings and enable each party to get what they want out of the production of ESI.

Processing-Review-Analysis

It also pays to make, early in the process, the decisions that affect processing, review and analysis.  How should exception files be handled?  What do you do about files that are infected with malware?  These are examples of issues that need to be decided up front to determine how processing will be handled.

As for review, the review tool being used may impact production specs in terms of how files are viewed and production of load files that are compatible with the review tool, among other considerations.  As for analysis, surely you test search terms to determine their effectiveness before you agree on those terms with opposing counsel, right?

Preservation-Collection-Identification

Long before you have to conduct preservation and collection for a case, you need to establish procedures for implementing and monitoring litigation holds, as well as prepare a data map to identify where corporate information is stored for identification, preservation and collection purposes.

As you can see, at the beginning of a case (and even before), it’s important to think backwards within the EDRM model to ensure a successful discovery process.  Decisions made at the beginning of the case affect the success of those later stages, so don’t forget to think backwards!

So, what do you think?  What do you do at the beginning of a case to ensure success at the end?   Please share any comments you might have or if you’d like to know more about a particular topic.

P.S. — Notice anything different about the EDRM graphic?

Court Rejects Defendant’s “Ultra-Broad” Request, Denies Motion to Compel Production – eDiscovery Case Law

In NOLA Spice Designs, LLC v. Haydel Enters., Inc., No. 12-2515 (E.D. La. Aug. 2, 2013), Louisiana Magistrate Judge Joseph C. Wilkinson, Jr. denied a motion to compel a plaintiff and its principal (a third-party defendant) to produce their passwords and usernames for all websites with potentially relevant information and to compel a forensic examination of its computers.

In this trademark infringement case under the Lanham Act, the defendant moved to compel the plaintiff and its principal to produce “‘passwords and user names to all online websites related to the issues in this litigation, including social media, weblogs, financial information and records,’” and to “submit their computers to an exhaustive forensic examination . . . with ‘access to full electronic content [including] online pages and bank accounts, including without limitation, online postings, weblogs, and financial accounts, for a time period from October 13, 2009 to the present, including deleted and archived content.”  

The plaintiff and its principal refused to disclose passwords and user names based on “privacy and confidentiality objections.”  While acknowledging that the defendant is correct in stating that “there is no protectable privacy or confidentiality interest in material posted or published on social media”, Judge Wilkinson noted that the defendant’s citation and arguments “miss the point”.  Judge Wilkinson stated that “ultra-broad request for computer passwords and user names poses privacy and confidentiality concerns that go far beyond published social media matters and would permit Haydel to roam freely through all manner of personal and financial data in cyberspace pertaining to” the plaintiff and its principal.

With regard to the request for forensic examination of the computers of the plaintiff and its principal, Judge Wilkinson acknowledged that such an examination is “within the scope of ESI discovery contemplated by Fed. R. Civ. P. 34(a)(1)(A).”  However, “such requests are also subject to the proportionality limitations applicable to all discovery under Rule 26(b)(2)(C), including the prohibition of discovery that is unreasonably cumulative or duplicative or that could be obtained from some more convenient, less burdensome or less expensive source, or the benefit of which is outweighed by its burden or expense, when considering the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at stake and the importance of the proposed discovery to those issues.”  {emphasis added}

While “restrained and orderly computer forensic examinations” have been permitted when it’s been demonstrated that the producing party “has defaulted in its discovery obligations by unwillingness or failure to produce relevant information by more conventional means”, a party’s “mere skepticism that an opposing party has not produced all relevant information is not sufficient to warrant drastic electronic discovery measures”, added Judge Wilkinson.

As a result, Judge Wilkinson ruled that “this overly broad request seeking electronically stored information (ESI), which far exceeds the proportionality limits imposed by Fed. R. Civ. P. 26(b)(2)(C) – expressly made applicable to ESI by Rule 26(b)(2)(B) – is denied.” {emphasis added}

So, what do you think?  Did the defendant’s request exceed proportionality limits?   Please share any comments you might have or if you’d like to know more about a particular topic.

A Model for Reducing Private Data – eDiscovery Best Practices

Since the Electronic Discovery Reference Model (EDRM) annual meeting just four short months ago in May, several EDRM projects (Metrics, Jobs, Data Set and the new Native Files project) have already announced new deliverables and/or requested feedback.  Now, the Data Set project has announced another new deliverable – a new Privacy Risk Reduction Model.

Announced in yesterday’s press release, the new model “is a process for reducing the volume of private, protected and risky data by using a series of steps applied in sequence as part of the information management, identification, preservation and collection phases” of the EDRM.  It “is used prior to producing or exporting data containing risky information such as privileged or proprietary information.”

The model uses a series of six steps applied in sequence with the middle four steps being performed as an iterative process until the amount of private information is reduced to a desirable level.  Here are the steps as described on the EDRM site:

  • Define Risk: Risk is initially identified by an organization by stakeholders who can quantify the specific risks a particular class or type of data may pose. For example, risky data may include personally identifiable information (PII) such as credit card numbers, attorney-client privileged communications or trade secrets.
  • Identify Available Data: Locations and types of risky data should be identified. Possible locations may include email repositories, backups, email and data archives, file shares, individual workstations and laptops, and portable storage devices. The quantity and type should also be specified.
  • Create Filters: Search methods and filters are created to ‘catch’ risky data. They may include keyword, date range, file type, subject line etc.
  • Run Filters: The filters are executed and the results evaluated for accuracy.
  • Verify Output: The data identified or captured by the filters is compared against the anticipated output. If the filters did not catch all the expected risky data, additional filters can be created or existing filters can be refined and the process run again. Additionally, the output from the filters may identify additional risky data or data sources, in which case this new data should be subjected to the risk reduction process.
  • Quarantine: After an acceptable amount of risky data has been identified through the process, it should be quarantined from the original data sets. This may be done through migration of non-risky data, or through extraction or deletion of the risky data from the original data set.
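The six steps above, worked through in code as an added example (this is not EDRM’s or CloudNine’s code): the sample documents, the initial and candidate filters and the “anticipated output” set are all constructed for the illustration, and the middle steps loop until verification shows nothing was missed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample collection standing in for messages and loose files pulled
# from an email archive and a file share (not real data).
DOCS = [
    {"id": "m1", "type": "msg", "date": "2013-07-02", "subject": "Q3 invoices",
     "body": "Card on file: 4111 1111 1111 1111, please process."},
    {"id": "m2", "type": "msg", "date": "2013-08-10", "subject": "RE: litigation strategy",
     "body": "Attorney-client privileged: do not forward."},
    {"id": "f1", "type": "docx", "date": "2012-11-30", "subject": "",
     "body": "Trade secret: formulation ratios for product X."},
    {"id": "f2", "type": "docx", "date": "2013-08-11", "subject": "Lunch menu",
     "body": "Tacos on Friday."},
    {"id": "m3", "type": "msg", "date": "2013-08-12", "subject": "payroll",
     "body": "SSN 123-45-6789 for the new hire."},
]

# Steps 1-2 (Define Risk, Identify Available Data): the stakeholders' anticipated
# output, i.e. the documents they already know hold PII, privilege or trade secrets.
EXPECTED_RISKY = {"m1", "m2", "f1", "m3"}


@dataclass
class Filter:
    """Step 3 (Create Filters): one 'catch' rule built from keyword, date range,
    file type and/or subject line criteria. Every criterion that is set must hold."""
    name: str
    keyword: Optional[str] = None       # regex over subject + body
    date_from: Optional[str] = None     # ISO dates compare correctly as strings
    date_to: Optional[str] = None
    file_types: Set[str] = field(default_factory=set)
    subject: Optional[str] = None       # regex over subject only

    def matches(self, doc: dict) -> bool:
        text = doc["subject"] + " " + doc["body"]
        if self.keyword and not re.search(self.keyword, text, re.I):
            return False
        if self.date_from and doc["date"] < self.date_from:
            return False
        if self.date_to and doc["date"] > self.date_to:
            return False
        if self.file_types and doc["type"] not in self.file_types:
            return False
        if self.subject and not re.search(self.subject, doc["subject"], re.I):
            return False
        return True


# The first pass only looks for card numbers and privilege markers.
INITIAL_FILTERS = [
    Filter("card-number", keyword=r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    Filter("privilege", keyword=r"privileged"),
]

# Extra rules the team can reach for when verification shows something was missed.
CANDIDATE_FILTERS = [
    Filter("ssn", keyword=r"\b\d{3}-\d{2}-\d{4}\b"),
    Filter("trade-secret", keyword=r"trade secret"),
    Filter("legacy-docs", date_to="2012-12-31", file_types={"docx"}),
]


def run_filters(docs: List[dict], filters: List[Filter]) -> Dict[str, Set[str]]:
    """Step 4 (Run Filters): which filter caught which document ids."""
    return {f.name: {d["id"] for d in docs if f.matches(d)} for f in filters}


def caught_ids(hits: Dict[str, Set[str]]) -> Set[str]:
    return set().union(*hits.values()) if hits else set()


def verify_output(hits: Dict[str, Set[str]], expected: Set[str]) -> Set[str]:
    """Step 5 (Verify Output): what the filters should have caught but did not."""
    return expected - caught_ids(hits)


def refine(missed_docs: List[dict]) -> List[Filter]:
    """Step 5 refinement: add every candidate filter that would catch a missed document."""
    return [f for f in CANDIDATE_FILTERS if any(f.matches(d) for d in missed_docs)]


def quarantine(docs: List[dict], hits: Dict[str, Set[str]]):
    """Step 6 (Quarantine): separate risky documents from the set that may be produced."""
    risky = caught_ids(hits)
    return (sorted(d["id"] for d in docs if d["id"] in risky),
            sorted(d["id"] for d in docs if d["id"] not in risky))


def reduce_private_data(docs, expected, filters, max_rounds=5) -> dict:
    """Iterate steps 3-5 until verification passes (or rounds run out), then quarantine."""
    rounds = 0
    while True:
        rounds += 1
        hits = run_filters(docs, filters)
        missed = verify_output(hits, expected)
        if not missed or rounds >= max_rounds:
            break
        filters = filters + refine([d for d in docs if d["id"] in missed])
    risky, clean = quarantine(docs, hits)
    return {"rounds": rounds, "missed": missed, "risky": risky, "clean": clean}
```

On the sample the first pass misses the SSN and the trade-secret file; the second round, after refinement, catches everything and leaves only the lunch menu in the clean set.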

No EDRM model would be complete without a handy graphic to illustrate the process so, as you can see above, this model includes one that illustrates the steps as well as the risk-time continuum (not to be confused with the space-time continuum, relatively speaking)… 😉

Looks like a sound process, it will be interesting to see it in use.  Hopefully, it will enable the Data Set team to avoid some of the “controversy” experienced during the process of removing private data from the Enron data set.  Kudos to the Data Set team, including project co-leaders Michael Lappin, director of archiving strategy at Nuix, and Eric Robi, president of Elluma Discovery!

So, what do you think?  What do you think of the process?   Please share any comments you might have or if you’d like to know more about a particular topic.

eDiscovery Daily is Three Years Old!

We’ve always been free, now we are three!

It’s hard to believe that it has been three years ago today since we launched the eDiscoveryDaily blog.  We’re past the “terrible twos” and heading towards pre-school.  Before you know it, we’ll be ready to take our driver’s test!

We have seen traffic on our site (from our first three months of existence to our most recent three months) grow an amazing 575%!  Our subscriber base has grown over 50% in the last year alone!  Back in June, we hit over 200,000 visits on the site and now we have over 236,000!

We continue to appreciate the interest you’ve shown in the topics and will do our best to continue to provide interesting and useful posts about eDiscovery trends, best practices and case law.  That’s what this blog is all about.  And, in each post, we like to ask for you to “please share any comments you might have or if you’d like to know more about a particular topic”, so we encourage you to do so to make this blog even more useful.

We also want to thank the blogs and publications that have linked to our posts and raised our public awareness, including Pinhawk, Ride the Lightning, Litigation Support Guru, Complex Discovery, Bryan College, The Electronic Discovery Reading Room, Litigation Support Today, Alltop, ABA Journal, Litigation Support Blog.com, Litigation Support Technology & News, InfoGovernance Engagement Area, EDD Blog Online, eDiscovery Journal, Learn About E-Discovery, e-Discovery Team ® and any other publication that has picked up at least one of our posts for reference (sorry if I missed any!).  We really appreciate it!

As many of you know by now, we like to take a look back every six months at some of the important stories and topics during that time.  So, here are some posts over the last six months you may have missed.  Enjoy!

Rodney Dangerfield might put it this way – “I Tell Ya, Information Governance Gets No Respect.”

Is it Time to Ditch the Per Hour Model for Document Review?  Here’s some food for thought.

Is it Possible for a File to be Modified Before it is Created?  Maybe, but a series of posts covers some mechanisms for avoiding that scenario.  Best of all, they’re free.

Did you know changes to the Federal eDiscovery Rules are coming?  Here’s some more information.

Count Minnesota and Kansas among the states that are also making changes to support eDiscovery.

By the way, since the Electronic Discovery Reference Model (EDRM) annual meeting back in May, several EDRM projects (Metrics, Jobs, Data Set and the new Native Files project) have already announced new deliverables and/or requested feedback.

When it comes to electronically stored information (ESI), ensuring proper chain of custody tracking is an important part of handling that ESI through the eDiscovery process.

Do you self-collect?  Don’t Forget to Check for Image Only Files!

The Files are Already Electronic, How Hard Can They Be to Load?  A sound process makes it easier.

When you remove a virus from your collection, does it violate your discovery agreement?

Do you think that you’ve read everything there is to read on Technology Assisted Review?  If you missed anything, it’s probably here.

Consider using a “SWOT” analysis or Decision Tree for better eDiscovery planning.

If you’re an eDiscovery professional, here is what you need to know about litigation.

BTW, eDiscovery Daily has had 242 posts related to eDiscovery Case Law since the blog began!  Forty-four of them have been in the last six months.

Our battle cry for next September?  “Four more years!”  🙂

How Big is Your ESI Collection, Really? – eDiscovery Best Practices

When I was at ILTA last week, this topic came up in a discussion with a colleague during the show, so I thought it would be good to revisit here.

After identifying custodians relevant to the case and collecting files from each, you’ve collected roughly 100 gigabytes (GB) of Microsoft Outlook email PST files and loose electronic files from the custodians.  You identify a vendor to process the files to load into a review tool, so that you can perform review and produce the files to opposing counsel.  After processing, the vendor sends you a bill – and they’ve charged you to process over 200 GB!!  Are they trying to overbill you?

Yes and no.

Many of the files in most ESI collections are stored in what are known as “archive” or “container” files.  For example, while Outlook emails can be stored in different file formats, they are typically collected from each custodian and saved in a personal storage (.PST) file format, which is an expanding container file. The scanned size for the PST file is the size of the file on disk.

Did you ever see one of those vacuum bags that you store clothes in and then suck all the air out so that the clothes won’t take as much space?  The PST file is like one of those vacuum bags – it often stores the emails and attachments in a compressed format to save space.  There are other types of archive container files that compress the contents – .ZIP and .RAR files are two examples of compressed container files.  These files are used not only to compress files for storage on hard drives, but also to compact or group a set of files when transmitting them, often in email.  With email comprising a major portion of most ESI collections and the popularity of other archive container files for compressing file collections, the expanded size of your collection may be considerably larger than it appears when stored on disk.

When PST, ZIP, RAR or other compressed file formats are processed for loading into a review tool, they are expanded into their normal size.  This expanded size can be 1.5 to 2 times larger than the scanned size (or more).  And, that’s what some vendors will bill processing on – the expanded size.  In those cases, you won’t know what the processing costs will be until processing is complete, because the expanded size is difficult to estimate before the data is actually expanded.

It’s important to be prepared for that and know your options when processing that data.  Make sure your vendor selection criteria includes questions about how processing is billed, on the scanned or expanded size.  Some vendors (like the company I work for, CloudNine Discovery), do bill based on the scanned size of the collection for processing, so shop around to make sure you’re getting the best deal from your vendor.
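The scanned-versus-expanded gap, measured in code as an added example (not CloudNine’s tooling): it walks a constructed in-memory collection, recursing into nested zip containers, and compares what a bill would look like on each basis. Only .zip is walked because PST and RAR need third-party libraries; the effect is the same.

```python
import io
import zipfile
from dataclasses import dataclass

# Only .zip is walked here; PST and RAR need third-party libraries, but the
# scanned-vs-expanded effect is the same.
CONTAINER_EXTS = (".zip",)


@dataclass
class SizeReport:
    scanned_bytes: int = 0    # size of the collection as it sits on disk
    expanded_bytes: int = 0   # size after every container is unpacked, recursively
    containers: int = 0
    files: int = 0

    @property
    def expansion_ratio(self) -> float:
        return self.expanded_bytes / self.scanned_bytes if self.scanned_bytes else 0.0


def _walk_zip(data: bytes, report: SizeReport) -> None:
    """Add the uncompressed size of every member of an in-memory zip, recursing into nested zips."""
    report.containers += 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(CONTAINER_EXTS):
                _walk_zip(zf.read(info), report)   # nested container: count its contents, not the wrapper
            else:
                report.files += 1
                report.expanded_bytes += info.file_size   # file_size is the uncompressed size


def measure(collection: dict) -> SizeReport:
    """collection maps file name -> bytes as collected; returns scanned and expanded totals."""
    report = SizeReport()
    for name, data in collection.items():
        report.scanned_bytes += len(data)
        if name.lower().endswith(CONTAINER_EXTS):
            _walk_zip(data, report)
        else:
            report.files += 1
            report.expanded_bytes += len(data)
    return report


def estimate_bill(report: SizeReport, rate_per_gb: float, bill_on_expanded: bool) -> float:
    """Processing charge under the two billing bases the post contrasts."""
    size = report.expanded_bytes if bill_on_expanded else report.scanned_bytes
    return size / 1e9 * rate_per_gb


def build_sample_collection() -> dict:
    """Constructed sample: one loose file plus a custodian zip that itself contains a zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("memo.txt", "meeting notes " * 2000)        # 28,000 bytes, compresses well
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly figures " * 3000)  # 54,000 bytes
        zf.writestr("attachments.zip", inner.getvalue())
    return {"loose.txt": b"x" * 1000, "custodian.zip": outer.getvalue()}


if __name__ == "__main__":
    rep = measure(build_sample_collection())
    print(f"scanned {rep.scanned_bytes} B, expanded {rep.expanded_bytes} B, "
          f"ratio {rep.expansion_ratio:.1f}x across {rep.files} files in {rep.containers} containers")
```

Run against a real collection directory you would read each file’s bytes from disk instead of building them; the ratio is what to ask a vendor about before processing starts.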

So, what do you think?  Have you ever been surprised by processing costs of your ESI?   Please share any comments you might have or if you’d like to know more about a particular topic.

Self-Collecting? Don’t Forget to Check for Image Only Files – eDiscovery Best Practices

Yesterday, we talked about the importance of tracking chain of custody in order to be able to fight challenges of electronically stored information (ESI) by opposing parties.  Today, let’s talk about a common mistake that organizations make when collecting their own files to turn over for discovery purposes.

I’ve worked with a number of attorneys who have turned over the collection of potentially responsive files to the individual custodians of those files, or to someone in the organization responsible for collecting those files (typically, an IT person).  Self-collection by custodians, unless managed closely, can be a wildly inconsistent process (at best).  In some cases, those attorneys have instructed those individuals to perform various searches to turn “self-collection” into “self-culling”.  Self-culling can cause at least two issues:

  1. You have to go back to the custodians and repeat the process if additional search terms are identified.
  2. Potentially responsive image-only files will be missed with self-culling.

Unless search terms are agreed to by the parties up front, it’s not unusual to identify additional searches to be performed – and even with up-front agreement, terms can often be renegotiated during the case.  It’s also common to have a number of image-only files within any collection, especially if the custodians frequently scan executed documents or use fax software to receive documents from other parties.  In those cases, image-only PDF or TIFF files can often make up as much as 20% of the collection.  When custodians are asked to perform “self-culling” by performing their own searches of their data, these files will typically be missed.

For these reasons, I usually advise against self-culling by custodians and also don’t recommend that IT perform self-culling, unless they have the ability to process that data to identify image-only files and perform Optical Character Recognition (OCR) to capture text from them.  If your IT department has the capabilities and experience to do so (and the process and chain of custody is well documented), then that’s great.  Many internal IT departments either don’t have the capabilities or expertise, in which case it’s best to collect all potentially responsive files from the custodians and turn them over to a qualified eDiscovery provider to perform the culling (performing OCR as needed to include responsive image-only files in the resulting responsive document set).  With the full data set available, there is also no need to go back to the custodians to collect additional data (unless the case requires supplemental productions).
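Why self-culling misses image-only files, shown as an added example (not CloudNine’s process): a constructed collection holds a text file, a PDF with a text layer, a hand-built image-only PDF and a TIFF fax; a custodian-style keyword search sees only the first two, while a cull that routes image-only files through OCR first finds the responsive scanned contract. The PDF classification is a heuristic for uncompressed PDFs and the OCR engine is a stand-in mapping, both assumptions of the example.

```python
import re
from typing import Callable, Dict, List, Set


def _pdf(resources: bytes, content: bytes, extra_objs: bytes = b"") -> bytes:
    """Hand-built, uncompressed single-page PDF; enough for the heuristics below."""
    return (b"%PDF-1.4\n"
            b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
            b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Resources<<"
            + resources + b">>/Contents 4 0 R>>endobj\n"
            b"4 0 obj<</Length " + str(len(content)).encode() + b">>stream\n"
            + content + b"\nendstream\nendobj\n" + extra_objs + b"%%EOF\n")


# Constructed sample collection (name -> bytes). Two PDFs: one with a text layer,
# one that is a scanned page drawn from an image XObject with no text at all.
COLLECTION: Dict[str, bytes] = {
    "memo.txt": b"Draft memo on the indemnification clause in the vendor contract.",
    "summary.pdf": _pdf(
        b"/Font<</F1<</Type/Font/Subtype/Type1/BaseFont/Helvetica>>>>",
        b"BT /F1 12 Tf 72 700 Td (Budget summary for Q3) Tj ET"),
    "contract_signed.pdf": _pdf(
        b"/XObject<</Im1 5 0 R>>",
        b"q 612 0 0 792 0 0 cm /Im1 Do Q",
        b"5 0 obj<</Type/XObject/Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray"
        b"/BitsPerComponent 8/Length 1>>stream\n\x00\nendstream\nendobj\n"),
    "fax_received.tif": b"II*\x00" + b"\x00" * 64,   # TIFF magic + padding; a scanned fax
}

# Stand-in for an OCR engine: what OCR would read off each image-only file.
# Constructed for the sample; a real pipeline would call an OCR tool here.
OCR_RESULTS = {
    "contract_signed.pdf": "Section 9. Indemnification. Vendor shall indemnify...",
    "fax_received.tif": "Invoice 4471 - net 30 days",
}


def classify(name: str, data: bytes) -> str:
    """'text', 'image_only' or 'unknown'. The PDF test is a heuristic for uncompressed
    PDFs: a text layer needs a /Font resource plus a text-showing operator (Tj/TJ)."""
    ext = name.lower().rsplit(".", 1)[-1]
    if ext in ("txt", "eml", "csv", "htm", "html"):
        return "text"
    if ext in ("tif", "tiff", "jpg", "jpeg", "png"):
        return "image_only"
    if ext == "pdf":
        has_font = b"/Font" in data
        draws_text = re.search(rb"\)\s*Tj|\]\s*TJ", data) is not None
        draws_image = re.search(rb"/Subtype\s*/Image", data) is not None
        if has_font and draws_text:
            return "text"
        if draws_image and not has_font:
            return "image_only"
    return "unknown"


def extract_text(name: str, data: bytes) -> str:
    """Text a plain keyword search can see (for PDFs: literal strings before Tj)."""
    if name.lower().endswith(".pdf"):
        return " ".join(m.decode("latin-1") for m in re.findall(rb"\(([^)]*)\)\s*Tj", data))
    return data.decode("utf-8", errors="replace")


def self_cull(collection: Dict[str, bytes], terms: List[str]) -> Set[str]:
    """What a custodian's own search does: keyword-match only files that already carry text."""
    hits = set()
    for name, data in collection.items():
        if classify(name, data) == "text":
            text = extract_text(name, data).lower()
            if any(t.lower() in text for t in terms):
                hits.add(name)
    return hits


def cull_with_ocr(collection: Dict[str, bytes], terms: List[str],
                  ocr: Callable[[str, bytes], str]) -> Set[str]:
    """Provider-style culling: route image-only files through OCR before searching."""
    hits = set()
    for name, data in collection.items():
        kind = classify(name, data)
        text = ocr(name, data) if kind == "image_only" else extract_text(name, data)
        if any(t.lower() in text.lower() for t in terms):
            hits.add(name)
    return hits


def image_only_share(collection: Dict[str, bytes]) -> float:
    """Fraction of the collection that a text-only search cannot see."""
    kinds = [classify(n, d) for n, d in collection.items()]
    return kinds.count("image_only") / len(kinds) if kinds else 0.0
```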

So, what do you think?  Do you self-collect data for discovery purposes?  If so, how do you account for image-only files?  Please share any comments you might have or if you’d like to know more about a particular topic.

Chain, Chain, Chain: Chain of Custody – eDiscovery Best Practices

If you’re a baseball fan you probably remember Ryan Braun and the reported failed test for performance enhancing drugs that he successfully challenged by challenging the chain of custody associated with his blood sample.  When it comes to electronically stored information (ESI), ensuring proper chain of custody tracking is also an important part of handling that ESI through the eDiscovery process in order to be able to fight challenges of the ESI by opposing parties.  An insufficient chain of custody is a chain, chain, chain of fools.

Information to Track for Chain of Custody

ESI can be provided by a variety of sources and in a variety of media, so you need a standardized way of recording chain of custody for the ESI that you collect within your organization or from your clients.  At CloudNine Discovery, we use a standard form for capturing chain of custody information.  Because we never know when a client will call and ask us to pick up data, our client services personnel typically have a supply of blank forms either in their briefcase or in their car (maybe even both).

Our chain of custody tracking form includes the following:

  • Date and Time: The date and time that the media containing ESI was provided to us.
  • Pick Up or Delivery Location: Information about the location where the ESI was provided to us, including the company name, address, physical location within the facility (e.g., a specific employee’s office) and any additional information important to note where the data was received.
  • Delivering Party: Name of the company and the name of representative of the company providing the media, with a place for that representative to sign for tracking purposes.
  • Delivery Detail (Description of Items): A detailed description of the item(s) being received.  Portable hard drives are one typical example of the media used to provide ESI to us, so we like to describe the brand and type of hard drive (e.g., Western Digital My Passport drive) and the serial number, if available.  Record whatever information is necessary to uniquely identify the item(s).
  • Receiving Party: Name of the company and the name of representative of the company receiving the media, with a place for that representative to sign for tracking purposes.  In our form, that’s usually somebody from CloudNine Discovery, but can be a third party if they are receiving the data from the original source – then, another chain of custody form gets completed for them to deliver it to us.
  • Comments: Any general comments about the transfer of media not already addressed above.
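The form above records who had the media and when, but a paper trail on its own does not show that a record was not edited or dropped later.  As an added example (not CloudNine Discovery’s form or software), here is a hash-chained custody log in Python that carries the same fields, links each hand-off to the previous one, and adds one assumption of its own: a SHA-256 of the forensic image travels with every record so that “same media” can be proven rather than asserted.  Its verify() detects an altered entry, a missing or reordered hand-off, a gap where the receiving party of one transfer is not the delivering party of the next (the third-party case described above), and an evidence hash that changes between hand-offs.  The parties, addresses and serial number are constructed.

```python
"""Chain-of-custody ledger: each hand-off is a record whose hash includes the
previous record's hash, so a deleted, reordered or edited transfer is detectable.
Added example; not CloudNine Discovery's actual form or software."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # previous-hash value used by the first hand-off


@dataclass
class Transfer:
    # The first six fields mirror the form described in the post.
    timestamp: str            # Date and Time (ISO 8601, UTC)
    location: str             # Pick Up or Delivery Location
    delivering_party: str     # company / representative handing over the media
    receiving_party: str      # company / representative taking possession
    item_description: str     # brand, model and serial number of the media
    comments: str
    # Assumption added here: SHA-256 of the forensic image (or delivered files)
    # travels with the record so "same media" can be proven, not just asserted.
    evidence_sha256: str
    prev_entry_hash: str = GENESIS
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        del body["entry_hash"]  # the hash covers everything except itself
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[Transfer] = []

    def record(self, **fields) -> Transfer:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Transfer(prev_entry_hash=prev, **fields)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[str]:
        """None if the chain is intact, otherwise a description of the first defect."""
        prev_hash, prev_entry = GENESIS, None
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev_hash:
                return f"entry {i}: link to previous hand-off is broken (missing or reordered record)"
            if e.entry_hash != e.compute_hash():
                return f"entry {i}: record altered after it was signed"
            if prev_entry is not None:
                if e.delivering_party != prev_entry.receiving_party:
                    return f"entry {i}: delivering party is not the previous receiver (gap in custody)"
                if e.evidence_sha256 != prev_entry.evidence_sha256:
                    return f"entry {i}: evidence hash changed between hand-offs"
            prev_hash, prev_entry = e.entry_hash, e
        return None


def demo() -> dict:
    """Constructed sample: client -> courier (third party) -> CloudNine, then a tampered copy."""
    image_hash = hashlib.sha256(b"constructed sample image").hexdigest()
    log = CustodyLog()
    log.record(timestamp="2013-11-20T14:05:00Z", location="Acme Corp, 123 Main St, office 4B",
               delivering_party="Acme Corp / J. Doe", receiving_party="Courier Co / R. Roe",
               item_description="Western Digital My Passport, S/N WX-TEST-0001",
               comments="drive sealed in evidence bag #17", evidence_sha256=image_hash)
    log.record(timestamp="2013-11-20T16:30:00Z", location="CloudNine Discovery, receiving dock",
               delivering_party="Courier Co / R. Roe", receiving_party="CloudNine Discovery / S. Smith",
               item_description="Western Digital My Passport, S/N WX-TEST-0001",
               comments="seal intact", evidence_sha256=image_hash)
    intact = log.verify()
    log.entries[0].item_description = "Seagate Backup Plus, S/N ZZ-OTHER-9999"  # after-the-fact edit
    return {"intact": intact, "tampered": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The record for the third party handing the drive to us is exactly the “another chain of custody form” case above: it only verifies if its delivering party is the receiving party of the previous record, so an undocumented hop shows up as a gap rather than going unnoticed.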

I’ve been involved in several cases where the opposing party, trying to discredit data that was damaging to them, attacked the chain of custody of that data to raise the possibility that it was spoliated along the way and so blunt its effect on the case.  In those cases, you should be prepared to have an expert ready to testify about the chain of custody process to counter those attacks.  Otherwise, you might be singing like Aretha Franklin.

So, what do you think?  How does your organization track chain of custody of its data during discovery?  Please share any comments you might have or if you’d like to know more about a particular topic.


Capturing Memory and Obtaining Protected Files with FTK Imager – eDiscovery Best Practices

Over the past few weeks, we have talked about the benefits and capabilities of Forensic Toolkit (FTK) Imager from AccessData (and obtaining your own free copy), how to create a disk image, how to add evidence items for the purpose of reviewing the contents of those evidence items (such as physical drives or images that you’ve created) and how to export files and create a custom content image of a targeted collection of files with FTK Imager.  This week, let’s discuss how to Capture Memory and Obtain Protected Files to collect a user’s account information and possible passwords to other files.

Capture Memory

If you need the contents of memory from a system that is currently running, run the runtime (portable) version of FTK Imager from a flash drive rather than installing it on the target, since installing software would itself alter the evidence.  From the File menu, select Capture Memory to capture the data currently held in the system’s memory.  Memory is volatile and is lost when the machine is powered off, so capture it before you shut the machine down to image the disk.

Capturing memory can be useful for a number of reasons.  For example, if a TrueCrypt volume is mounted, the keys that unlock it (and sometimes the passphrase itself) are held in RAM for as long as it stays mounted; Capture Memory lets you preserve them before the machine is powered off and they are gone, leaving you with an encrypted volume and no way in.

Specify the destination path and filename, and the capture is written to that file.  You can also include the contents of pagefile.sys, the Windows system file that acts as a swap file for memory; pages that were swapped out to disk carry the same kinds of artifacts, so it is worth including.  Checking Create AD1 file wraps the capture in an AD1 container image, which you can then add as an evidence item to review its contents.
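As an added example, not part of FTK Imager or the original post, the Python below does a first-pass triage of a memory capture and a pagefile: it carves printable strings in both ASCII and UTF-16LE (the encoding most Windows text lives in, which a plain ASCII strings run misses) and flags key/value pairs that name a password, passphrase or token.  The two images and the “secrets” in them are constructed inline; the file names memdump.mem and pagefile.sys are assumptions.

```python
"""Triage a raw memory capture (and pagefile.sys) for credential-looking strings.
Added example, not part of FTK Imager; all input is constructed inline."""
import re
from typing import Dict, Iterator, List, Tuple

MIN_LEN = 8
# Printable runs in ASCII and in UTF-16LE (how Windows stores most in-memory text),
# the equivalent of `strings -a` plus `strings -el` on a Linux box.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Things worth a human look: key=value / key: value pairs naming a secret.
SECRET_PAIR = re.compile(r"(password|passwd|passphrase|pwd|secret|token)\s*[=:]\s*\S+", re.I)


def carve_strings(image: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run of at least MIN_LEN characters."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def triage(images: Dict[str, bytes]) -> List[dict]:
    """Run the secret pattern over each carved string; images maps a file name to its bytes."""
    hits = []
    for source, data in images.items():
        found = []
        for offset, encoding, text in carve_strings(data):
            m = SECRET_PAIR.search(text)
            if m:
                found.append({"source": source, "offset": offset,
                              "encoding": encoding, "match": m.group(0)})
        hits.extend(sorted(found, key=lambda h: h["offset"]))
    return hits


def sample_images() -> Dict[str, bytes]:
    """Constructed stand-ins for memdump.mem and pagefile.sys (no real system data)."""
    memdump = (
        b"\x00" * 64
        + b"MZ\x90\x00" + b"\x00" * 32                               # PE header fragment, too short to carve
        + b"SMTP_PASSWORD=hunter2\x00"                                # ASCII, offset 100
        + b"\x00" * 16
        + "passphrase: correct horse battery".encode("utf-16-le")    # UTF-16LE, offset 138
        + b"\x00" * 32
        + b"key=x\x00"                                                # below MIN_LEN, ignored
    )
    # Only in the swapped-out pages: the reason the pagefile.sys option exists.
    pagefile = b"\xff" * 48 + b"api_token=ghp_EXAMPLE_ONLY" + b"\x00" * 24
    return {"memdump.mem": memdump, "pagefile.sys": pagefile}


if __name__ == "__main__":
    for h in triage(sample_images()):
        print(f"{h['source']}:{h['offset']:#x} [{h['encoding']}] {h['match']}")
```

This finds textual artifacts only.  Encryption keys for a mounted volume are binary key material, not printable strings, so recovering them from a capture takes a memory analysis framework such as Volatility rather than a strings pass; the point of the capture is that the material is there to be analyzed at all.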

Obtain Protected Files

Windows keeps the live Registry hive files open exclusively, so you normally cannot copy or save them; you would have to image the hard drive and then extract the hives from the image, or boot the computer from a boot disk and copy them from the inactive operating system on the drive.  Obtain Protected Files on the File menu circumvents those file locks and copies the live hive files.  The SAM hive holds the hashes of local account passwords (encrypted with a key derived from the SYSTEM hive, which is why the two are collected together), and credentials the user has let Windows remember can be stored in the user’s NTUSER.DAT hive.

Specify the destination path for the obtained files, then select which set of files to obtain.  The Minimum files for login recovery option retrieves the Users, System and SAM files, from which you can recover a user’s account information.  The Password recovery and all Registry files option is more comprehensive, retrieving Users, System, SAM, NTUSER.DAT, Default, Security, Software and Userdiff, from which you can recover account information and possible passwords to other files, so it’s the one we tend to use.  One caveat: a hive copied from a running system may be caught mid-update, with pending changes still in its .LOG transaction logs rather than in the hive file itself, so check the copies for consistency before relying on them.
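Added example, not an AccessData tool: once the hives are copied, the Python below checks what you actually got.  It verifies each file’s 4 KiB base block (the regf signature, the XOR-32 checksum stored at offset 0x1FC, the last-written FILETIME) and, most usefully for a live copy, compares the two sequence numbers in the header: when they differ, the copy was taken while the hive was being written and its pending changes are still in the transaction logs, so the file should not be trusted until those are replayed.  It also reports which files from the chosen option are missing.  The sample export is constructed in code (synthetic base blocks with no hive bins behind them); the Users file is checked for presence only, since this example does not assume its format.

```python
"""Sanity-check hive files copied from a live system with Obtain Protected Files.
Added example; not an AccessData tool. A hive's 4 KiB base block carries the
'regf' signature, two sequence numbers, a last-written FILETIME and an XOR-32
checksum, which is enough to tell a clean copy from a torn or corrupt one."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

MINIMUM_SET = {"Users", "System", "SAM"}                        # "Minimum files for login recovery"
FULL_SET = MINIMUM_SET | {"NTUSER.DAT", "Default", "Security", "Software", "Userdiff"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch, 100 ns ticks


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs before the stored checksum at offset 0x1FC."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE  # the format reserves 0 and 0xFFFFFFFF
    return csum or 1


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def inspect_hive(data: bytes) -> Dict:
    if len(data) < 4096 or data[:4] != b"regf":
        return {"valid": False, "reason": "no regf signature or truncated file"}
    seq1, seq2, ft, major, minor, ftype = struct.unpack_from("<IIQIII", data, 4)
    stored = struct.unpack_from("<I", data, 0x1FC)[0]
    name = data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "valid": True,
        "name": name,
        "version": f"{major}.{minor}",
        "primary_file": ftype == 0,
        # Unequal sequence numbers mean the copy was taken mid-update: the pending
        # changes live in the hive's transaction logs, which this option does not pull.
        "dirty": seq1 != seq2,
        "checksum_ok": stored == base_block_checksum(data),
        "last_written": filetime_to_datetime(ft),
    }


def check_export(files: Dict[str, bytes], comprehensive: bool) -> Dict:
    """Compare an export directory (name -> bytes) against the chosen option's file set."""
    expected = FULL_SET if comprehensive else MINIMUM_SET
    # "Users" is listed by FTK Imager but not assumed here to be a regf hive: presence only.
    hives = {n: inspect_hive(d) for n, d in files.items() if n != "Users"}
    return {
        "missing": sorted(expected - set(files)),
        "hives": hives,
        "needs_log_replay": sorted(n for n, r in hives.items() if r["valid"] and r["dirty"]),
        "corrupt": sorted(n for n, r in hives.items() if not r.get("checksum_ok", False)),
    }


def make_base_block(name: str, seq1: int, seq2: int, ft: int) -> bytes:
    """Build a constructed base block (sample data only; no hive bins follow it)."""
    block = bytearray(4096)
    block[0:4] = b"regf"
    # seq1, seq2, timestamp, major 1, minor 5, type 0 (primary), format 1, root cell, bins size, cluster
    struct.pack_into("<IIQIIIIIII", block, 4, seq1, seq2, ft, 1, 5, 0, 1, 0x20, 0x1000, 1)
    block[0x30:0x70] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, 0x1FC, base_block_checksum(bytes(block)))
    return bytes(block)


def sample_export() -> Dict[str, bytes]:
    """Constructed export: a clean SYSTEM, a torn SAM, a bogus Security file, the rest missing."""
    ts = datetime_to_filetime(datetime(2013, 11, 20, 12, 0, tzinfo=timezone.utc))
    return {
        "System": make_base_block("\\SystemRoot\\System32\\Config\\SYSTEM", 5, 5, ts),
        "SAM": make_base_block("\\SystemRoot\\System32\\Config\\SAM", 7, 6, ts),
        "Security": b"definitely not a hive",
    }


if __name__ == "__main__":
    print(check_export(sample_export(), comprehensive=True))
```

A dirty SAM is the case that bites: the account data you read from it may be stale relative to what the running system was using, which is exactly the kind of inconsistency an opposing expert will ask about, so record the sequence numbers alongside the file hashes when you take the copy.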

For more information, go to the Help menu to access the User Guide in PDF format.

So, what do you think?  Have you used FTK Imager as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.
