In August of 2007, the Texas Department of Public Safety's Private Security Bureau clarified how they believe Private Investigator licensing should apply to both computer forensic and e-discovery vendors practicing within their state.  An excerpt from their clarification follows:

"First, the distinction between "computer forensics" and "data acquisition" is significant.

...For example, when the service provider is charged with reviewing the client's computer-based data for evidence of employee malfeasance, and a report is produced...[they have] provided a regulated service.

On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided." (emphasis added)

Click for the full article (and click the "Computer Forensics" link after the jump).

Though this clarification is from 2007, it's a good example of what other states have still failed to publish, and what lawmakers (even in Texas) have failed to put clearly into law.  Many states have vague statutes in the books that leave computer forensic and e-discovery practitioners in an uncomfortable limbo, unsure of the legality of performing their services in (or for) that state.  We'll keep you updated.

The disposable cartridge in your portable label maker might contain a perfect copy of every label it's ever printed.

...You...you haven't just been throwing them out, have you?

Recently, our portable label maker (the "Brother P-touch PT-1830 Electronic Labeling System") ran out of labeling tape. After putting in another label cartridge (specifically, the "TZ-231 12mm 1/2 inch Laminated White") and continuing to print, I decided to pop the old, disposable cartridge open with a flathead to see what was inside.

First, a word on the label maker itself. It's a well-made label maker, but it's relatively "low-frills." Most importantly, it doesn't have a "history" function (that is, you can't "recall" all your previous printings), though you can save up to five of your most commonly printed labels with one of the "Favorites" buttons. You'd probably assume the label maker wouldn't keep an electronic log of what was printed unless told to do so with the press of a "Favorites" button, since having it do otherwise would be burdensome and relatively useless.

That "lack of logging" assumption makes sense based on experience with how and why computers log (generally only logging what is crucial to the smooth operation of the software they run or what's important to and/or requested by the user). And since the item's manual doesn't mention any such logging functionality, it's probably a safe assumption to make.

But when you think "logs," don't just think "electronically stored." Because for a machine that's only partially electronic, you'd only be partially right.

The above picture is what's contained inside every cartridge of this type: a physical "negative" copy of every label that it has successfully printed on a single, long, film-like tape. It's not created for logging purposes, per se; it stores these "copies" merely because it has nowhere else to put the rest of the black film-covering that would have become the letters, numbers, and designs you normally print out. So what happens when you throw out your cartridge? To a malicious someone in the know, it's an easy-to-spot cassette with everything you've ever printed wrapped neatly around a spool.

You're probably thinking that you don't print anything too sensitive on your portable label makers. But if you label folders with client names or print IP addresses, usernames and passwords to display on servers or computers (it happens), you're using the label maker for a somewhat sensitive purpose. As for data as sensitive as full names with social security numbers, few would likely ever have to a need to print such information with a label maker, but I can think of at least some situations where it's plausible (such as on HR records, or a person tasked with filling out a number of forms that repeatedly ask for their name, social, DOB, etc.).

Security concerns stemming from the use of printing devices certainly aren't a new phenomenon. Typewriters that use single-strike carbon typewriter ribbon, for example, store every character a user types. Every time a user presses a key, the "type hammer" with the character corresponding to the key the user pressed swings forward, striking both a ribbon of carbon paper and your document. This is necessary to create the printed character on the page. But unbeknownst to some is what's left behind: an imprint of the character you just typed at that location on the carbon paper, which then advances along and is saved on its spool even after you remove your typed document.

Just like the cartridge in our label maker, this ribbon sticks around on a spool merely because it has nowhere else to go; quite the opposite of most computer software's "discard unless instructed to keep" mentality. Of course, this mentality makes sense on a machine that's able to control the transience of the information it processes, unlike a single-use, self-contained label cartridge or carbon typewriter ribbon where that information literally has nowhere to go.

In fact, government employees that worked on sensitive documents in the days of the typewriter were required to lock their typewriter ribbons in a safe at the end of the day (much like we (hopefully) secure our computer data with encryption). Once the typewriter ribbons used by these employees reached the end of their spool, they were burned.

Devices that read and transcribe typewriter ribbons (such as the Ribbon Analysis Workstation by Envisage Systems) are still in use today in government agencies such as Immigration and Customs Enforcement (ICE), according to this article in Government Security News Magazine. The FBI's Questioned Documents Unit(QDU) also has the ability to "examine and analyze typewriter ribbons," and as of 2006, they too maintained a ribbon analysis workstation.

While label makers might not have the same amount or type of data on them as typewriters, the risk is still present when using them in certain scenarios. The next time you're switching the cartridge in your label maker, think about what you've been labeling and determine if you need a more secure method of destruction than simply throwing it in the trash. (Or just pop it open and check for yourself!)

For those interested in further reading on printing privacy concerns, check out this interesting PC World article on how some documents printed with many standard printers reportedly contain information, including their printer's serial numbers (an effective way to tie documents back to a single, physical printer), encoded in barely-visible dots on the printed page. Then head over to the Electronic Frontier Foundation for a number of resources, including a preliminary research paper with detailed information and examples of these "printer dots" in action.

As soon as you commit information to a medium other than your memory, it's very easy to lose positive control over that information. This will happen almost instantly unless you are able to understand and control every facet of the both the commission to, and the storage of, that medium. Keep that in mind.

But don't write it down.

The data collection process begins before your EDD vendor ever sets foot on site with the preservation requests you deliver to your clients.  Data preservation seems to be one of the biggest issues in most e-discovery disputes, so make sure that your client is well aware of what a legal hold means.  Be careful not to define the hold too narrowly, because further review of collected data may bring additional custodians into an e-discovery collection.  Data that is deleted during a legal hold (regardless of relevance) will negatively affect your client's image.

After determining which custodians are involved, begin communicating with your client.  Find out what electronic devices your custodians possess and where they store data.  Do they use a laptop or a desktop?  Do they have an external hard drive or thumb drive that may contain relevant data?  Do they use any kind of webmail for business-related communication?  Anything that is left out of a collection could be brought up later by opposing counsel to show that someone was attempting to hide something.

If you feel that custodians are going to be cooperative, let them know what is happening.  You can be somewhat vague on details, but can let them know what your EDD vendor is going to be doing, and when their computers need to be available for collection.  The more a custodian knows, the more likely they will be cooperative.  If you think the custodians are going to be uncooperative, you can collect the computers for "maintenance" purposes or to "check if the computer is capable of software upgrade ‘X.'"   Either way, have a game plan in place and execute it before your vendor arrives on-site.  Without a plan, the possibility for confusion and missed evidence increases (along with your total cost).  Also remember that an informed EDD vendor means a better, less expensive collection with less time spent on site.

(Need to catch up? Start at Part 1)

Employees with Mobile Computers

The more time that your vendor spends on site, the more money you will have to pay in the end.  Sometimes the simplest hurdles can make what should be a smooth operation into a really bumpy adventure.  If your collection targets specific employees' computers, it is important to make sure those people (or at least their computers) are present when your vendor arrives.  Now that people are frequently using laptops as their primary computers, it is not uncommon for them to be taken out of the office.  In our experience, there is at least one laptop or laptop owner that cannot be located for nearly every project.  Users may be working from home that day, on vacation, or inexplicably absent.

"Hostile" Employees

Employees occasionally see a collection as an invasion of their privacy.  They can be uncooperative, act as if they are too busy to be bothered, or may even become combative.  It is common for computers to "suddenly" stop working as soon as the EDD vendor gets their hands on them.  The employee then blames the EDD vendor for what are usually pre-existing issues with their computer.  Hostile employees might also begin deleting files that they don't want people to know that they had.  These files are often unrelated to your discovery project (such as copyrighted music and movies or pornography) but mass deletion of any files does not look good during data preservation efforts.  Make sure that your client is aware of this fact.

The Company IT Person

Most companies employ an IT person or department.  These personnel can be very beneficial to a collection if they are cooperative with attorney and EDD vendor requests.  Unfortunately, this isn't always the case.  The IT person may feel that the EDD vendor is there because they did something wrong.  IT may also feel left out of what they believe to be their business, and will try to direct the collection (i.e., "You don't need to duplicate that system.").  Some IT people are also very protective of "their" computers and don't like outside entities touching what they perceive to own.

So what can you do to avoid these and other collection pitfalls?  Read our final blog in this series to find out.

(Need to catch up? Check out Part 1.)

(Need to catch up?  Click here for "Data of Mass Destruction: Part I.")

We've finally reached the first stage of destruction: degaussing.  Degaussing is a process where magnetic media is exposed to a powerful, alternating magnetic field of sufficient intensity to completely saturate the media.  Let me start by saying all degaussers are not created equal. 

All of the degaussers we used were rented from the fine people at Data Devices International (www.datadev.com) out in San Marino, CA.  Renting a degausser for a destruction project probably makes sense for most people as the purchase price for a degausser ranges from $3,500-$25,000.  You'd have to be performing a lot of destruction on a regular basis to make that kind of purchase pay back.

The Bad:  We started the project with a Verity System V660 EVO hard drive degausser with infrared remote control.  The V660 is a table top style degausser that supposed to generate 6,600 gauss of energy and be suitable for server and PC hard drives but not tapes.  Having some experience with degaussers, the V660 seemed like a good choice with a high energy output and claims of one pass, five second degauss cycles.

As a computer forensic/e-discovery professional, I'm always suspicious of hardware and software vendor claims, so of course we decided to test a few hard disks after degaussing to ensure they were properly degaussed.  Testing a degaussed hard disk drive is a bit of a tricky scenario and far from perfect.  Degaussing may leave a hard disk in a condition where it won't spin or function properly when connected to a computer but could still contain data on the internal hard drive platters.  This is usually caused by the degaussing process corrupting the "servo tracks" on the hard disk drive that tell the computer how to communicate with the hard drive.  In very general terms it is usually a good sign that the hard disk drive was successfully degaussed if the "servo tracks" were scrambled.  Short of a clean room review of the platters from a hard drive damaged in such a manner, there isn't a good in-house testing option.  Our much simpler test was to simply connect the degaussed hard disk drive to a computer running Linux.  We checked for the following:

1. Does the hard disk drive spin-up when powered?
2. Is the hard disk drive successfully detected by the Linux host computer?
3. Does the Linux host computer detect a file system on the hard disk drive?
4. Is there reviewable data on the hard disk after degaussing?

Generally if you can answer yes to any of the four questions above the hard disk in question was not completely degaussed.  After carefully following the degaussing instructions included with the Verity Systems V660 degausser we performed our four-step checking procedure.  To our surprise not only did the first three drives we tested all spin-up properly, but the file systems on the hard disks were successfully detected and data was reviewable.   We decided that something must be wrong with our process so after double-checking the degausser's manual, we degaussed the hard disk drives again and retested.   After a 2nd, 3rd and 4th run through the V660 we were still able to review data on the hard disks.  Next we decided to check line voltage where we plugged the degausser in to make sure it was providing enough power for the degaussing process.  After checking everything we could think of, speaking with tech support at Data Devices International and unsuccessfully degaussing the hard disk several more times we decided the V660 must have been damaged during shipping.

Data Devices International overnight shipped a brand new, replacement Verity Systems V660 to us and we started the whole procedure over again.  To our surprise the new V660 also failed to properly degauss the hard disks.  In the end we found that a process of running the hard disks through the V660 eight times for 30 seconds at a pass (changing drive orientation each time) was the only way to successfully degauss a single hard disk drive.  If you add that up, it means we had to actively degauss each hard drive for a total of 4 minutes to produce acceptable results.  The problem with this extended-run, multiple-pass process is that both the hard disk drives and the Verity Systems V660 become very hot.  The metal casing of the hard disk drives was actually heated to the point that the operator had to wear heavy gloves to prevent burning his hands.  This heating problem also cased the V660 to overheat and trip the automatic shut-off/cool-down after degaussing four to eight hard disk drives.  To make matters even worse, the hard disk drives vibrated so loud, even when secured in the drive holder with the lid closed, that the operator had to wear hearing protection.

To summarize, our experience with two Verity Systems V660s was very bad and we would not recommend this degausser to anyone.

For the second part of our destruction project we decided to select a degausser that used a new technology, specifically, capacitive discharge degaussing, rather than copper coil used in older degaussers like the Verity Systems V660.  A capacitive discharge degausser stores up energy in large capacitors and then releases the energy in a powerful electromagnetic burst.  The capacitive discharge process produces very little heat and the degausser can be run almost continuously.  Capacitive discharge degaussers are also known as "pulse degaussers".

The Good:  Data Devices International provided us with one of their new Garner HD-3WXL Continuous Duty Drive and Tape degaussers.  One of the first things that we noticed about the new HD-3WXL degausser was that it seemed lighter, and was smaller and easier to move around because of carrying handles.  During a careful read-through of the instruction manual we noticed that there was a warning about electromagnetic energy from the degausser being measurable up to twelve inches away from the unit during operation.  We always recommend removing sensitve magnetic media such as cell phones, USB thumb drives, electronic keys and credit cards when working with any degausser.   It is probably unlikely that these items would be adversely affected but why risk a pocket full of wiped credit cards?

The Garner HD-3WXL degausser worked even better than we expected.  The degausser ran quiet, cool and quick.  We didn't experience any drives that failed to degauss after a single 10 second pass.  We also liked the little voltmeter on the side of the HD-3WXL that let us know it was actually pulsing the hard disk drives.  There is a short little video of the HD-3WXL degausser doing its job at http://www.datadev.com/degausser-hard-drive-data-security-lto-hd3.html .  Unlike a lot of other tools we've used, it performed exactly as advertised on YouTube.

The final phase of the destruction project was to take all of the freshly degaussed hard disk drives and various other bits of storage media to a physical destruction facility.  We selected the oddly-named Back Thru The Future Computer Recycling, Inc. (BTTF) in Ogdensburg, New Jersey.   You can securely send drives to BTTF in locking security containers that they will send to you, but we chose to deliver the hard disk drives in person.  An important step in this final phase is to securely pack all of the hard drive for delivery to the physical destruction facility.  We recommend using a heavy-duty banker box and not putting more than 30-40 hard drives in each box because of the weight.  It is also important to make an exact count of how many hard drives are placed in each box.  Here we recommend writing the number of drives in each box on the outside of the box and securely sealing it with packing tape for delivery.  It is probably overkill but we like to treat every piece of digital media provided to us by a client as evidence until it is no longer our responsibility, therefore I recommend initialing each banker box where the tape and box meet as would normally be done for evidence.  This extra little step makes tampering with any of the boxes obvious should anything unfortunate happen during delivery.

Once the hard disk drives are delivered to BTTF expect to spend some time with one of their employees recounting all of the hard drives to make sure nothing got lost in transit.  From there the good people at BTTF will take control of the hard disk drives and generate another list by serial number of each piece of magnetic media before grinding everything into little metal shreds.

BTTF also has an excellent YouTube video on their web site of hard disk drives going into the shredder at http://www.backthruthefuture.com/index.php.  The hard drive shredder is a lot of fun to watch after all the careful work that goes into a properly performed data destruction project.   Once everything has been completely shredded, BTTF will provide a full set of their own certificates of destruction.  The final step is combine the two sets of certificates of destruction into a final set and store it with other archived corporate documents.