Three Steps to Cutting Your E-Discovery Costs
Written by Ryan Lerminiaux   
Wednesday, 08 October 2008 11:26

In the last few weeks we have witnessed the passing of the Wall Street bailout package, the sub-prime lending crisis and the downfall of a few major banks.  Needless to say, these days money is in short supply, and keeping money in the bank is more important than ever.  E-Discovery is often an important part of the litigation process, and it can be a very expensive process if you're not careful.  With that in mind, I would like to suggest a few steps that can help keep your E-Discovery costs manageable and save you money over the life of your project.

Step One

Make sure you bring in the right Computer Forensic/E-Discovery company from the beginning.  While this may seem obvious, it is probably the most important step.  I have worked on at least three cases in the last year where JD&A was called in to replace another company that could not live up to all the promises they made.  Having to replace one vendor with another is always going to incur additional costs to you or your client.  It will take time for a replacement to come in, figure out the situation, and relearn (if not completely redo) everything the previous company did, and all of these actions will increase the total cost.  Paying the bills is never fun; it is even less enjoyable if you have to do it twice for the same service.

It pays to spend a little extra time when shopping for your E-Discovery vendor.  Do your research; just because a firm provides the lowest bid or is the biggest name doesn't mean they are qualified. Consider the source of the information. Did you get the quote from a sales person, or from someone that will actually be performing the work? Don't forget to talk to colleagues; one of the best ways to find reliable help is through other satisfied customers.

Can your potential vendor provide you with a list of references so that you can check the quality of their work?  You want to look for reliable vendors that do a lot of repeat business with their clients.  This is a good sign a vendor has their clients' best interests in mind, and the vendor is not out to run up a huge bill on a one-time engagement and never do business with that client again.  Spending the time up front greatly reduces the risk of having to replace your vendor halfway through an E-Discovery project, and will therefore save you money.  Once you find the right company to handle your E-Discovery project, it is time to get them involved in your decision-making process.

Step Two

Bring your Computer Forensic/E-Discovery expert into the loop as early in the project as possible.  Assuming that you spent the time to find a quality firm, you should make use of your expert to his or her full potential.  Clients hire attorneys to help make important legal decisions because matters of the law should be handled by well-trained professionals.  The same is true when a law firm hires an E-Discovery firm to handle an ESI (Electronically Stored Information) project.

Another important goal in the early stages of an E-Discovery project is putting your expert in touch with your or your client's IT staff.  Sometimes when technical information has to go from IT person to lawyer and back to IT person it can become misrepresented and misunderstood.  In this situation it is best to let the IT professionals (both the IT staff and your Computer Forensic/E-Discovery experts) have a meeting of the minds, which could happen in your presence.  During this meeting, your expert will develop an accurate understanding of what the E-Discovery project entails, allowing them to be better prepared if on-site work is required, since the type and amount of equipment needed varies greatly by situation. The result is less time spent on-site trying to figure out any unknowns. If this work is being done on an hourly basis, then you want it to go as smoothly and efficiently as possible.

You should consult with your expert early and often about the scope and details of the ESI aspect of the case.  Your expert can help you determine what types of data or information sets can and should be collected.  Your expert can help you identify data stores you may not have considered or are unaware of, such as source code repositories or wikis. 

Acquisition can be expensive; why collect data from sixty laptops and six Email servers if data relevant to your case is only found on one-third of those systems?  Instead of casting a very broad and costly net, allow your expert to provide his recommendations to narrow the acquisition scope down to a smaller set of systems with the highest probability of containing relevant data.  The same is true when requesting information from opposing counsel.

Law firms often have a difficult time sorting through data provided by opposing counsel through the discovery process.  We find that law firms routinely agree with opposing counsel to share TIFFs and text extractions of the native files.  This presents several problems, the most important of which is this: without native files, what do you compare the TIFFs and text extractions to in order to assure accuracy?  TIFFs are not easily searchable, and text extractions are created by passing a file through an OCR (Optical Character Recognition) program, which can be inaccurate.

You should involve your E-Discovery expert when making any ESI discovery requests.  They can make sure you are asking for the right data in the best format possible. By doing so, you can save money down the road by avoiding costly review problems due to poor data quality or irrelevant data.

Step Three

Keep your keyword search list(s) short and to the point.  If you've spent the time and consideration to collect only the relevant data you need and you've thus far kept acquisition costs down, then why ruin it now by running a hundred search terms against it?  Think of the E-Discovery process as a funnel.  You and your expert have already culled the amount of data down significantly by identifying and forensically acquiring only the systems that had the highest probability of containing the relevant data.  Now you will cull this data down even more by developing a set of quality search terms that will, in turn, provide quality responsive data.  Notice that I stress quality over quantity; your end goal is to be left with a small amount of highly responsive data to review.

In order to avoid unnecessary amounts of data, your expert should be consulted when creating keyword searches to be run against the ESI you have collected; they can help to avoid producing large amounts of false-positives by reviewing your terms.  An example of this might be searching for a company's name that also happens to be a program commonly used by Windows.  We have seen some unsuccessful search terms in the last year, such as the number 200, the word Yahoo, and a person's name, which hit on every single email that he sent because his emails contained a signature block. 

Allowing your E-Discovery expert to be involved in the creation of your lean and mean search term list will potentially reduce costs substantially in the project. Having a smaller search list doesn't mean it will miss data that a larger list would pick up.  Your goal is to create the smallest set of terms that you know are going to be highly responsive to the data you are looking for, while avoiding terms that will create large numbers of false-positive hits.

If you input a smaller, more refined set of search terms, your output will be a smaller, more refined set of highly responsive data.  That means you will save money on your load file production cost, which is usually charged per gigabyte.  Inevitably, your refined data set will cost less to host than a larger data set containing tons of false-positives.  Finally, a small, highly responsive data set takes less time to review, and this labor is usually performed by outside contractors at an hourly rate; less review time equals fewer hours billed by reviewers.
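As an added illustration (not part of the original article), the Python below screens a candidate term list against a small constructed set of collected messages before the real search is run. It flags the kinds of terms the article warns about: a bare number, a term that hits most of the collection (here "Yahoo", because of e-mail domains), and a custodian's name that only matches inside his signature block. The messages, terms and the 50% hit threshold are constructed assumptions.

```python
"""Screen a candidate keyword list before running it against collected ESI.
Flags terms that tend to produce mostly false positives: bare numbers, terms
that hit most of the collection, and names that match only in signature blocks.
Added example; the messages, terms and thresholds are constructed."""
import re

# Constructed sample messages: (doc_id, text).
DOCS = [
    ("m001", "From: jsmith@acme.example\nRe: Acme widget contract\n"
             "Please review the 200 unit order.\n--\nJohn Smith, VP Sales"),
    ("m002", "From: jsmith@yahoo.com\nLunch Friday?\n--\nJohn Smith, VP Sales"),
    ("m003", "From: jsmith@acme.example\nForwarding the Yahoo news story about "
             "the merger.\n--\nJohn Smith, VP Sales"),
    ("m004", "From: kdoe@yahoo.com\nAcme widget pricing attached. Room 200 is booked."),
    ("m005", "From: kdoe@yahoo.com\nExpense report for Q2."),
    ("m006", "From: kdoe@yahoo.com\nMerger timeline draft v2. Do not forward."),
]

# Strips a conventional "--" signature delimiter and everything after it.
SIGNATURE_RE = re.compile(r"\n--\n.*\Z", re.S)


def strip_signature(text):
    return SIGNATURE_RE.sub("", text)


def term_hits(terms, docs, ignore_signatures):
    """Map each term to the set of doc_ids it matches (whole word, case-insensitive)."""
    hits = {t: set() for t in terms}
    for doc_id, text in docs:
        body = strip_signature(text) if ignore_signatures else text
        for t in terms:
            if re.search(r"\b" + re.escape(t) + r"\b", body, re.I):
                hits[t].add(doc_id)
    return hits


def screen_terms(terms, docs, max_hit_ratio=0.5):
    """Return {term: {"body_hits", "signature_only_hits", "flags"}}."""
    raw = term_hits(terms, docs, ignore_signatures=False)
    body = term_hits(terms, docs, ignore_signatures=True)
    report = {}
    for t in terms:
        flags = []
        ratio = len(body[t]) / len(docs)
        if t.strip().isdigit():
            flags.append("bare number")  # hits quantities, dates, room numbers...
        if ratio > max_hit_ratio:
            flags.append(f"hits {ratio:.0%} of documents")
        signature_only = raw[t] - body[t]
        if signature_only and not body[t]:
            flags.append("matches only inside signature blocks")
        report[t] = {
            "body_hits": len(body[t]),
            "signature_only_hits": len(signature_only),
            "flags": flags,
        }
    return report


if __name__ == "__main__":
    terms = ["200", "Yahoo", "John Smith", "Acme widget", "merger"]
    for term, info in screen_terms(terms, DOCS).items():
        print(f"{term!r:16} body_hits={info['body_hits']} flags={info['flags']}")
```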

Money is tight these days, but if you follow these steps you should be able to save some extra cash on a future E-Discovery project.  Don't forget that a cheaper E-Discovery project will also make your client happy, and a happy client is a client for life.

EDD Reviewer Power Tools Volume I
Written by Ryan Meeks   
Tuesday, 30 September 2008 09:06

Have you ever had a responsive file that you couldn’t open because you didn’t have the correct native viewer?  Have you ever had a file that you couldn’t open because the file was damaged or corrupted?  If you are responsible for reviewing electronic evidence for your firm, then you can probably answer yes to both of these questions.  Perhaps your “smoking gun” is hiding in one of the files that you cannot view.  So what do you do?

You could spend a fortune in software licenses to be able to view these files or you could answer many of these common problems with Avantstar’s Quick View Plus.  With thousands of different native file types possible on computers you are bound to encounter an unusual responsive file.  Quick View Plus is particularly useful for legacy file formats such as old versions of Lotus 1-2-3 and WordPerfect files.  Starting at $46.00 for a single user license, Quick View Plus is a simple and inexpensive way to be able to review over 300 different file formats without having to worry about the native programs.  Not only can it open these various files, it opens them while maintaining the original formatting.  As if this is not enough, Quick View can even be used to open some damaged files that even the native programs will not open.  For example, Adobe Acrobat is very picky about the condition of PDF files that it is willing to open.  Quick View Plus will open a damaged PDF and allow you to review the undamaged portions of the file.  This could be just a few sentences or even several pages in larger documents.

Quick View Plus is a must-have tool for anyone who has to review a wide variety of files.  It’s inexpensive, simple, and versatile software that will complement anybody’s toolkit.

Rule 502: Are You Privy to What's Privileged?
Written by Ryan Meeks   
Tuesday, 23 September 2008 15:13

As the amount of ESI (electronically stored information) continues to grow, the amount of data that needs to be reviewed in any E-Discovery project continues to grow with it. This growth increases both the time and cost to the point of making a thorough review very difficult. This not only causes problems with reviewing relevant data but also any data that may prove relevant but is protected by an attorney-client privilege or work-product protection. The monumental amount of information that must be sorted through to prevent the accidental disclosure of any privileged information has certainly caused some unintentional release of protected knowledge to opposing counsel. Not only is this an obvious concern for whatever is accidentally disclosed, it can also be seen as a waiver to any other communications that have the same subject matter.


An idea sparked by then-House Judicial Committee Chairman James Sensenbrenner in 2006 pushed the Judicial Conference’s Advisory Committee on Evidence Rules into introducing a proposed rule to help protect against any inadvertent disclosures. After three years of development, the new rule known as “Rule 502” was passed through and approved by the Senate on February 28, 2008 and through the House on September 8, 2008. On September 19, 2008, it was approved and signed by the President.


Rule 502 allows for the revocation of any material released in any Federal or State proceeding as long as the following criteria are met:

1) the disclosure is inadvertent;

2) the holder of privilege or protection took reasonable steps to prevent disclosure; and

3) the holder promptly took reasonable steps to rectify the error.


Rule 502 does not in any way change the substantive law concerning the privileged or protected information. It remains the holder's responsibility to verify that the information qualifies for the privilege, and the rule does not apply to court-ordered waivers.


Although Rule 502 is a step in the right direction to help keep costs down in your discovery process, it is important to know that reviewers are not completely off the hook. The second criterion of the new rule should be on every reviewer's mind. Proof that the “reasonable” steps were taken to prevent disclosure is going to be key to ensure that you are not subjecting yourself to a waiver of privilege. Looking back at Judge Grimm’s decision in Victor Stanley, Inc. v. Creative Pipe, Inc., 2008 WL 2221841 (D. Md. May 29, 2008), we can see that providing a detailed analysis of the disclosed material can and will have a major impact under this new rule. In this case, defendant Creative Pipe, Inc. accidentally released 165 privileged documents to opposing counsel. Judge Grimm decided that the defendant's basic search term list and failure to manually test the results of the shared documents was not enough to prove that appropriate steps were taken to prevent disclosure, and that this acted as a waiver of privilege.


This should be a warning to all those who review for any protected data. Rule 502 provides an extra safeguard against releasing privileged documents, but only if the appropriate steps are taken and properly documented so as to show the efforts put into preventing unintentional disclosure.

The Final Day of Black Hat 2008
Written by Brian E. Dykstra   
Thursday, 07 August 2008 23:09
The final day of Black Hat 2008 was a mixed bag of presentations from vendor fluff to overly technical slide shows that NASA scientists will be studying for years to come. Social engineering and a variety of non-hacking technical tricks were the highlights of the day.

The morning started out well with a very entertaining and informative presentation by Shawn Moyer and Nathan Hamiel, Idea Information Security, on all the mischief that can be accomplished on social networking web sites. The presentation ranged from simple tricks for forcing your way onto people's MySpace friends lists to simple Java Trojans that automatically log an unsuspecting user out of their account as soon as they log in. They even got computer security luminary Marcus Ranum to help them demonstrate how even security professionals divulged personal information to a fake LinkedIn profile posing as him. The presenters had much more material than they were actually able to cover in the time allotted, and we will be following up with them to get more information on the implications of fake corporate social networks.

One of the most cutting-edge presentations this year was Visual Forensic Analysis and Reverse Engineering of Binary Data by Greg Conti and Erik Dean, US Military Academy West Point. They effectively demonstrated the advantages and efficiencies possible by viewing data in two dimensions rather than one. Their research also demonstrated the potential advantages of unknown data visualization over traditional identification techniques. This area of computer forensics is in its infancy but shows a great deal of potential.

Internet scams are alive and well, as chronicled by Jeremiah Grossman and Arian Evans. The duo presented eleven different hacking and scamming scenarios enabled not by computer intrusion but by business logic. Some of the schemes presented included establishing 58,000 accounts to collect the few cents used to verify a valid account, which collected over $60,000.00 before being caught. Another scam involves exploiting the business logic of online shopping networks to receive products that were initially purchased but then rapidly cancelled before the scammer was actually charged. The disconnect between the ordering systems and shipping systems allowed over $400,000.00 worth of cancelled orders to be shipped. This was definitely a case of seller beware.

Bruce Dang of Microsoft provided a very informative briefing on how hackers exploit flaws in Microsoft Office products to attack the unwary. The presentation was extremely technical (including Assembly language opcodes) but organized in such a way that it was easy to understand what went into these exploits, so commonly used as the payload in phishing attacks. Bruce also provided some simple protection techniques and offered various free Microsoft software and knowledge resources to the audience.

In the next several weeks we will pull together our notes from all the presentations, conduct some follow-up interviews and bring Law.com readers the best of Black Hat USA 2008.



Black Hat 2008 - Day One
Written by Brian E. Dykstra   
Thursday, 07 August 2008 11:33
The opening day of Black Hat 2008 was a mix of highs and lows that makes this annual technology conference so much fun to attend. The Bad Sushi phishing presentation by Nitesh Dhanjani and Billy Rios lived up to its name. Together they effectively demonstrated just how simple it is for a phisher to get started in the identity theft business and the variety of "phisher-on-phisher" crime that occurs in the "phishing ecosystem".

In the Highway to Hell: Hacking Toll Systems presentation, Mark Lawson of Root Labs demonstrated how you could steal and change the unique FasTrak toll pay system transponder identification code commonly used in the San Francisco Bay area. Although the Bay Area Transportation Administration (BATA) states that the transponder device is read-only according to the manufacturer's specifications, Mr. Lawson presented credible information to the contrary.

The DNS Goodness presentation by IOActive's Director of Penetration Testing, Dan Kaminsky, was definitely the big event of the day. With over 2,000 attendees packed into a room suitable for about 800, Dan told the intriguing story of his discovery of the Internet-wide DNS vulnerability and the careful planning by the world's leading technology companies to distribute a fix. We'll have more on the Kaminsky DNS exploit in a later article from our private interview with Dan.

In a pre-presentation demonstration by Michael Zusman, Intrepidus Group, we got to see a potentially very dangerous vulnerability that runs through a variety of vendors' SSL VPN (Virtual Private Network) clients commonly used in web browsers. Michael demonstrated how simply having the vulnerable ActiveX or Java control installed in a web browser allowed him to gain full access to a remote user's laptop by simply visiting a web page.

We had one of those serendipitous Black Hat moments during an unexpectedly interesting presentation by academic researchers Tadayoshi Kohno and Kevin Fu on the Security and Privacy Vulnerabilities for Implantable Wireless Medical Devices. Together they showed how private patient data could be extracted from an implanted medical device such as an implanted cardiac defibrillator. The presenters also showed how the device could be altered via radio transmissions to harm or possibly even kill a patient.

Today we are looking forward to attending presentations on attacking social networks, virtualization security, cutting-edge computer forensic visualization and database tools. Our wildcard presentations of the day include technical threats to the 2008 presidential elections and targeted attacks on Microsoft Office documents.


Welcome to Black Hat 2008
Written by BD   
Wednesday, 06 August 2008 11:08
We've got ourselves successfully registered and have a full day ahead of us. We'll be attending the best of the great selection of presentations available at this year's Black Hat 2008 Briefings in Las Vegas. We'll then be writing a series of articles about the latest and most interesting items for Law.com. Today we are scheduled to attend presentations on:
  • Bad Sushi - Fighting back against phishing attacks
  • When Lawyers Attack - Strangely the only presentation focused on E-Discovery
  • Highway to Hell - A presentation on privacy flaws in the EZ-PASS and FasTrak toll systems
  • Storm Botnet - A look at the largest automated computer attack plaguing the Internet
  • XPloiting Google Gadgets - Apparently there are some security flaws in these handy little tools
  • BlueTooth 2.1 - A presentation on new security features and flaws
  • The Virtualization Security Apocalypse - The title really says it all

Later today we will also be doing a one-on-one interview with Dan Kaminsky, Director of Penetration Testing for IOActive, of recent Domain Name Service (DNS) flaw discovery fame. Dan was responsible for identifying and carefully notifying the government and vendors about a serious security flaw in the DNS system that literally affected the security of the entire Internet.

For our readers not familiar with DNS, it is the behind-the-scenes service on the Internet that makes sure all web browsing, email and instant messaging makes it back-and-forth between the right computers. Mr. Kaminsky and his team of researchers discovered a previously unknown flaw in the DNS protocol that we all use that would allow a hacker to redirect or intercept your Internet traffic.

We also plan to do several other interviews today with the more "interesting" presenters and to get comments from some of the computer security elite that attend this annual event. We'll pull together a summary of the best of today's events for a new blog posting later today.


7 Myths about Computer Forensics
Written by Ryan Lerminiaux   
Tuesday, 06 May 2008 14:14

We live in a very technologically advanced society. These days everyone relies on computers in one way or another, whether it is ordering your groceries online, buying a gift for your mother on an auction site, or doing your tax returns. We are all very dependent on computers. This trend has held true in the legal system as well. Every day more and more computers and computer-related accessories are being introduced as evidence in courtrooms around the world. This presents a daunting task for the computer forensics professional. This task is made even more difficult by myths and unrealistic expectations, spawned by popular culture, about a computer’s capabilities and about what a forensic professional can do with a computer. Computers and the internet are the new fad. There are hundreds of books, movies, and TV shows about computers. Some of them are true, but the majority of the material we see in TV shows and movies is very fictionalized and unrealistic.

I’m sure most people are familiar with CSI, the popular forensics show. At some point each season they use “computer forensics” to solve parts of their cases. I was recently watching an episode where the CSI crew used “computer forensics” to track down a suspect via the airline tickets he had purchased. The computer technician mashed furiously on his keyboard while the words “Computer Forensics” flashed in red on the top of his screen. Before I knew it, they had located their suspect. Unfortunately folks that is not really how it works. I am sure lawyers feel the same way about shows like Law and Order.

With all of this in mind I will attempt to dispel the most common myths about computer forensics. These are things we have been asked about time and time again. Computer Forensics isn’t nearly as sexy as TV and movies make it out to be and here is why:


A computer forensics analyst can recover any file that was ever deleted on a computer since it was built. This simply is not true. We can, however, recover deleted files, and/or parts of deleted files, but how many differs for every computer. When you delete a file or empty your recycle bin, the file you have selected has its entry removed from the computer’s file system. The contents of the file have not been written over or removed from your hard drive; the file has simply had its entry in the file system directory removed. This means that the file will hang around in unallocated file space until the file system writes a new file over it. A new file can be written over the old one because it no longer has a placeholder in the directory, in the form of a directory entry. For example, if you are in a movie theatre and decide you need to use the restroom, you will usually leave something in your seat, like your coat, in order to let others know that seat is occupied. You can think of the coat as the file’s directory entry. If you decide to take your coat with you when you go, there is no way for others to know that you are occupying that seat. There is a good possibility when you return from the restroom your seat will still be there, but there is a chance it may now be occupied by another person, and you just lost the best seat in the house.
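An added example, not from the article, that models the coat-on-the-seat analogy in Python: a tiny in-memory disk whose delete only drops the directory entry, a signature carver that pulls the "deleted" PDF back out of unallocated space, and a raw search that still finds fragments after a new file has reused the first block and destroyed the header. The block size, allocator, file contents and PDF header/footer signatures used here are constructed assumptions.

```python
"""Why deleted files can often be recovered, and why only partly: deleting a
file removes its directory entry, not its blocks. Builds a tiny in-memory disk,
writes and deletes a PDF-like file, carves it back out of unallocated space by
header/footer signature, then shows what survives once a new file reuses the
first block. Added example; layout and contents are constructed."""

BLOCK = 512
HEADER = b"%PDF-"
FOOTER = b"%%EOF"


class ToyDisk:
    """Minimal block device with a first-fit allocator and a directory."""

    def __init__(self, nblocks):
        self.image = bytearray(nblocks * BLOCK)
        self.directory = {}              # filename -> list of block numbers
        self.free = list(range(nblocks))

    def write(self, name, data):
        need = -(-len(data) // BLOCK)    # ceiling division
        blocks, self.free = self.free[:need], self.free[need:]
        for i, blk in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # A new file only overwrites the bytes it actually needs.
            self.image[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name):
        # Like emptying the recycle bin: the entry goes, the bytes stay.
        self.free = sorted(self.free + self.directory.pop(name))

    def unallocated(self):
        """Concatenate every block the directory no longer claims."""
        return b"".join(bytes(self.image[b * BLOCK:(b + 1) * BLOCK]) for b in self.free)


def carve(data, max_len=8 * BLOCK):
    """Return [(offset, payload, complete)] for every PDF header found in data.
    complete is False when the footer is missing (overwritten or truncated)."""
    found, pos = [], 0
    while (start := data.find(HEADER, pos)) >= 0:
        end = data.find(FOOTER, start, start + max_len)
        if end >= 0:
            found.append((start, data[start:end + len(FOOTER)], True))
            pos = end + len(FOOTER)
        else:
            # No footer: keep what is there up to the next header or max_len.
            nxt = data.find(HEADER, start + len(HEADER))
            stop = min(start + max_len, nxt if nxt >= 0 else len(data))
            found.append((start, data[start:stop].rstrip(b"\0"), False))
            pos = start + len(HEADER)
    return found


def demo():
    disk = ToyDisk(16)
    pdf = b"%PDF-1.4\n" + b"Contract draft: confidential terms...\n" * 30 + FOOTER
    disk.write("contract.pdf", pdf)          # blocks 0-2
    disk.write("notes.txt", b"lunch order")  # block 3
    disk.delete("contract.pdf")              # blocks 0-2 freed, data untouched
    after_delete = carve(disk.unallocated())
    disk.write("budget.csv", b"item,cost\nwidgets,200\n")  # first-fit: reuses block 0
    after_reuse = carve(disk.unallocated())  # header gone, so nothing carves
    fragments = disk.unallocated().count(b"confidential terms")  # ...but text survives
    return {
        "listed": "contract.pdf" in disk.directory,
        "carved_after_delete": after_delete,
        "carved_after_reuse": after_reuse,
        "fragments_after_reuse": fragments,
    }


if __name__ == "__main__":
    result = demo()
    print("still in directory:", result["listed"])
    for off, payload, complete in result["carved_after_delete"]:
        print(f"carved {len(payload)} bytes at {off}, complete={complete}")
    print("carved after block reuse:", len(result["carved_after_reuse"]))
    print("keyword fragments left in unallocated space:", result["fragments_after_reuse"])
```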

Metadata is the all knowing, all seeing, end all piece of information on a file.
Not even close. Most people think of Metadata like the slip that comes in a book you check out from the library. Those slips contain a list of all the people that have checked the book out recently, and for how long they had it. Metadata is not like that. While it does contain some useful information about the file, the scope of that information is much more limited than most people think. In general here is a list of the information contained in a file’s Metadata:

I. The Author

II. MAC Time (Modified, Accessed, Created)

III. File Name

IV. File Size

V. File Location

VI. File Properties (i.e. Hidden, Read-Only)

This is still very useful information but it is by no means the information rich tome that people make it out to be.

Having a forensic software license makes someone a computer forensics expert. If owning a hockey stick makes me an NHL all star, then yes. I don’t know that I need to go into great detail on this issue. Since computer forensics is still such a new field, there is a lack of standards and guidelines for practicing computer forensics. If you want to practice law in America, you must pass the Bar. There is no system like this in place for the computer forensics field. Therefore, there are a lot of people out there that claim to be computer forensics experts, when in truth they have a decent understanding of a computer forensics program and that is about it. Simply put, would you want someone to perform surgery on you because they happen to own an MRI machine, or someone that went to school for it?

E-Discovery is an uncontrollable money eating machine. If you work with a veteran firm that has a lot of experience in this area, this is not the case. We do a lot of EDD work here at Jones Dykstra and Associates; I’d say about eighty percent of my time is spent doing EDD work for my clients. Most of the time when clients come to us with EDD requests we spend a great deal of time getting background information from them, like the number of laptops, desktops, and servers they currently employ, as well as what types of information they need us to produce. Then we figure out, based on their needs, which systems we need to target. Based on this analysis we are able to give them a very accurate fixed price up front, with no hidden surprises. Our veteran experience allows us to judge very accurately the amount of work we will have to do to produce the desired results for our clients, and thus we are able to give them a fixed price on our work most of the time.

Cell phone forensics is easy. Not really. There are few programs available to do cell phone forensics. These programs also don’t work very well. This is due in part to the fact that new cell phones come out every day, and it’s very hard for these software vendors to keep up with the ever changing cell phone market. These programs are also targeted at older phone types, not the Smartphone/PDA/Espresso maker type that most business people use today. In our line of work these tend to be the type of people targeted for investigation. These new phones contain their own operating systems, like Windows Mobile and others, which causes problems for the forensic programs. Many of these newer Smartphones are still being tested by software vendors. Even if you are able to make a forensic duplicate of one of these phones, the data you get out of it is very hard to view.

The best available data is on running machines. Not always; there are options that a lot of people do not consider. It is not a problem to shut down an employee’s workstation and duplicate it, but what do you do if you need to pull information from a company’s main database? Can you shut it down? How will that affect daily operations? I’ve seen the fear in the faces of a company’s IT staff when we asked them to shut down their domain controller or Exchange Server. They know that those systems can be very temperamental and may not come back if we have to shut them down. A lot of the time when we are doing EDD work, the information we are looking for occurred in the past. Why not pull the information we need from backup tapes? Most responsible companies keep an accurate library of backup tapes. Isn’t that the point of a backup tape, to store important company information in a non-volatile format? In the case of the Exchange Server, do we really have to shut down the system to duplicate it, or can we pull the PSTs we need using ExMerge? These are very safe alternatives to shutting down vital running systems, and will most likely contain the information we are looking for; in these scenarios everyone wins.

Computer forensics experts catch the hacker every time. Most of the time they go untouched. When companies call us in after an intrusion, they usually want us to stop the bleeding but rarely care about catching the group responsible for the intrusion. Most of the attacks we have seen recently originate in China, and there isn’t really anything we can do to stop them. We have no jurisdiction there and the hackers know we can’t touch them. Most companies are not willing to put the time, the money, or the effort into catching the people that attack them. They want the intrusion to stop, the attacker removed, and they want information on how to better protect themselves in the future.


Well, I hope I’ve done a decent job at dispelling some of the myths about computer forensics. It’s not as sexy as CSI makes it sound, is it? On the other hand, we do get to do a lot of cool things in the field, and we do get to help a lot of people during their time of need. Those things definitely make up for the lack of flash that TV portrays.

Some of my thoughts on E-Discovery versus Computer Forensics
Written by Keith J. Jones   
Tuesday, 29 April 2008 18:27

I find that e-discovery and computer forensics are commonly misunderstood and often used in the wrong context. Many skills used during computer forensics projects can be easily applied to e-discovery projects, and vice versa, even though the goals of these processes are very different. In this blog article I will attempt to highlight the similarities and clarify the differences between both. I will also attempt to show how they can be combined for a more complete and comprehensive computer investigation.

In order to put e-discovery and computer forensics in context, I will discuss these terms as used during litigation. The graph below represents any litigation involving computer data that you may experience. Imagine that any litigation will begin at the top stage and progress towards the bottom stage. As the litigation starts at the top and travels downward, it may be resolved in any of the current stages before it reaches the next stage. In those cases, the litigation does not have to travel the whole triangle but can be resolved with less work. That is a reason why I made the graph into a triangle. A number of filed litigations are settled before they actually go to court, and therefore not every stage in the graph below is needed.

The pre-litigation advice stage usually takes place before any incident occurs. For example, common pre-litigation advice could consist of a recommendation to implement e-mail and document retention systems in order to make future incidents easier and less costly to handle. Since the initial advice stage usually depends on the situation and the client we speak with, for the purposes of this article we will switch gears and talk about the e-discovery and computer forensic stages of your incident.

E-discovery:

The first stage of litigation consists of determining what documents or files exist and where they exist on all of the computer systems in question. At the early stages of litigation, you may just want all of the relevant documents or files from the computer systems so that you can use them to build the specifics of your case. The criteria for any e-discovery project usually boil down to needing every relevant document on the computer systems that matches a certain specification. Keyword searching is the most commonly used specification in these cases and usually yields sufficient results for most situations. Keyword searching usually yields an acceptable percentage of both deleted and undeleted files from your computer systems.

Although it sounds simple, e-discovery is far from that. There are a lot of factors that can make e-discovery much more complicated than it sounds. The sheer quantity of data is usually the driving factor in how difficult an e-discovery project will be. For most companies it is not out of the question to have 10 or more employees involved in any one litigation. Each of those employees may have at least one laptop or desktop and probably has one or more e-mail mailboxes. A single file could be duplicated hundreds of times across each person's computer and e-mail mailbox. In many instances, multiple files are duplicated in this manner amongst many users. This duplication becomes a problem when you must process, analyze, and produce the data so that somebody can easily review it by hand. One of the goals we attempt to accomplish during e-discovery is to provide the smallest, most relevant data set from a very large, unstructured one. By limiting the duplication of the files mentioned above, we make it possible for reviewers to review only one copy of a file, with that review then applied simultaneously to every place the file originally existed.

Computer Forensics:

E-discovery may be used at the beginning of a project when it is more important to find a great quantity of relevant data than the minute artifacts in a computer system. On the other hand, computer forensics is often used when a specific piece of data needs to be analyzed in great depth. Computer forensics is often used to explain, in technical terms, what a person did on a computer system and when it was done. An examiner could use computer forensics on a very small set of data, such as one file, to help prove the case. Sometimes a single file can be the "smoking gun".

For example, we may use computer forensics to determine if a computer system was maliciously modified before the investigation began. Computer forensics would allow us to examine specific portions of the hard drive, such as file metadata, in order to determine if the computer system was modified in an unauthorized manner. Another example of computer forensics may be the examination of a rogue file on a computer system. A painstaking examination can be made of any unknown file in order to determine what the file is for, what it accomplishes, why it is on the computer system, and how it originally got there.

Similarities:

First, people who perform e-discovery and computer forensics use the same types of data. Computer data is usually acquired with the same forensic software, using the same techniques, which preserve every bit of a computer hard drive for your processing efforts. Both e-discovery and computer forensics can undelete computer files and recover data that the user believes has been removed from their computer system. This is because in most circumstances the data that is acquired is the same for both processes.

Second, some of the same software tools can be used for e-discovery and computer forensics. For example, we have used the Forensic Toolkit (FTK) on both e-discovery projects and computer forensic projects. Most software along these lines presents the user with deleted and undeleted files in an easy-to-navigate format. What you choose to do with the files is dictated by the type of project you are working on, such as an e-discovery project or a computer forensics examination. Most software, like FTK, offers functionality for a mass export of the files matching your criteria, or you can use the software to examine specific files as you would during a computer forensic examination.

Third, the same basic skill set is required of the examiner for e-discovery and computer forensics. Since we use the same software for e-discovery and computer forensic projects, the user does not have to learn anything new to use the software to accomplish two different goals. Therefore, the same basic skills of data acquisition, processing, and presentation are used in both e-discovery and computer forensic projects. Once you have learned the software and the methodologies behind it, it is very easy to apply them to other types of projects.

Lastly, the same basic processes are used for e-discovery and computer forensics. Most of the same basic processes are initially used in both types of projects. For example, in nearly every e-discovery and computer forensic project you will want the capability of examining deleted files, so usually the first step in these projects is to undelete any deleted files on the computer you are examining. Keyword searching is often used during e-discovery projects to reduce the data set that you have to review, and it is also used during computer forensics to locate the file or files you want to examine. Also, in both e-discovery and computer forensic projects you do not want to examine the same file over and over, which would dramatically waste your time. This is a process we call de-duplication. You can de-duplicate the data using the same process during e-discovery and when performing computer forensics. Nearly any process you use on one you can apply to the other.
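The de-duplication and keyword-search steps described above (and the duplicate-file problem raised in the e-discovery section), as an added Python example that is not part of the original post and is not FTK or any other product's code: the corpus (custodian names, file paths and file contents) is constructed, and every function name is my own. Each unique file is identified by its SHA-256 hash, every location where that content was found is recorded, and the keyword search runs once per unique file, so a reviewer's decision on one copy maps back to all of them.

```python
"""Added example (not from the original post): hash-based de-duplication
and keyword search over a constructed set of custodian files."""
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed corpus of (custodian, path, content). The same memo turns up
# on one laptop, in a download folder and as a mail attachment, which is
# exactly the duplication the text describes.
CORPUS: List[Tuple[str, str, bytes]] = [
    ("alice", r"C:\Users\alice\Documents\memo.txt",
     b"Project Falcon budget approved. Contact vendor for pricing."),
    ("bob", r"C:\Users\bob\Downloads\memo (1).txt",
     b"Project Falcon budget approved. Contact vendor for pricing."),
    ("bob", "mailbox/bob/inbox/attachments/memo.txt",
     b"Project Falcon budget approved. Contact vendor for pricing."),
    ("carol", r"C:\Users\carol\Desktop\notes.txt",
     b"Lunch menu for Friday. No updates."),
    ("carol", "mailbox/carol/sent/attachments/invoice.txt",
     b"Invoice 4471 for Project Falcon hardware."),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def deduplicate(corpus: Iterable[Tuple[str, str, bytes]]) -> Dict[str, dict]:
    """Return {hash: {"content": bytes, "locations": [(custodian, path), ...]}}.

    One entry per unique content. Every place the content was found is kept,
    so the reduction is reversible: any produced file can be traced back to
    each custodian and path it came from.
    """
    unique: Dict[str, dict] = {}
    for custodian, path, content in corpus:
        entry = unique.setdefault(sha256_hex(content),
                                  {"content": content, "locations": []})
        entry["locations"].append((custodian, path))
    return unique


def keyword_search(unique: Dict[str, dict], keywords: List[str]) -> Set[str]:
    """Hashes of unique files whose text matches any keyword (case-insensitive).

    Runs once per unique file rather than once per copy, which is the
    time saving de-duplication buys you.
    """
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    return {h for h, e in unique.items()
            if pattern.search(e["content"].decode("utf-8", "replace"))}


def review_set(corpus, keywords) -> Dict[str, List[Tuple[str, str]]]:
    """The reduced set to hand to reviewers: hit hash -> all original locations."""
    unique = deduplicate(corpus)
    return {h: unique[h]["locations"] for h in keyword_search(unique, keywords)}


def summary(corpus, keywords) -> Dict[str, int]:
    """Counts a project manager would want: collected, unique, to review, covered."""
    hits = review_set(corpus, keywords)
    return {
        "collected_files": len(list(corpus)),
        "unique_files": len(deduplicate(corpus)),
        "files_to_review": len(hits),
        "copies_covered": sum(len(locs) for locs in hits.values()),
    }


if __name__ == "__main__":
    for h, locations in review_set(CORPUS, ["Project Falcon"]).items():
        print(h[:12], "found at", locations)
    print(summary(CORPUS, ["Project Falcon"]))
```

Hash-based de-duplication only collapses byte-identical copies; e-mail threads and documents that differ only in metadata need near-duplicate techniques on top of this. The location map is what makes the reduction defensible: for any file produced, you can still show every custodian and path it came from.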

Differences:

First, there is a vast difference in the breadth versus the depth of the analysis between e-discovery and computer forensics. In e-discovery, you usually produce a large number of files with little regard to their actual content. Granted, you may still care somewhat about the content of the files, as you are producing data that is responsive to some set of predefined criteria, but very rarely do we actually examine the content of every single file during an e-discovery project. We are usually producing these documents for a different party, such as our client, to review. While performing computer forensics, we may be interested in all of the files on the computer system, but we spend the majority of our time examining a select few files. We could spend many hours, days, or months just examining one file on a computer system if it is relevant to our investigation.

Second, an examiner's goals are very different between e-discovery and computer forensics. During e-discovery, our goal is usually to produce relevant documents for a third party to examine. During computer forensics, we usually perform the examination of the relevant files ourselves. The files we examine during computer forensics tend to be much more difficult to view natively. For example, we examine event logs, installed programs, file metadata, and many other types of files that the reviewers on an e-discovery project would not be able to understand. Furthermore, e-discovery is typically used to produce a large number of files in order to substantiate your case, while computer forensics is used to play back a user's activity on a computer system.

Third, a different level of planning goes into an e-discovery project versus a computer forensic examination. We often find during e-discovery engagements that the client wants us to grab a large number of computers, whereas during computer forensics examinations we focus on a select few. A different sense of planning is needed when large numbers of computers are to be examined versus only a few. It is not uncommon to see hundreds and hundreds of computers during e-discovery, when we would only examine a select few during a computer forensics project. It can be very difficult getting access to hundreds of computers when each has a person using it during the normal workday. If you have to examine only a few computers, your planning becomes much easier.

Bringing It Together:

You may be wondering: "Why take the time to differentiate between these two types of projects?" In my opinion, it is unnecessary for people to choose two different companies or individuals to provide the same basic services. As you can see above, there are more similarities than differences between e-discovery and computer forensics. It is my belief that being good at one makes you better at the other. Allow me to explain.

Being able to manage large data sets (we have worked on some cases that involved more than 54 terabytes of information) and get to the relevant data more efficiently, as is often done during e-discovery projects, only complements the computer forensics efforts you perform later on. Sometimes finding the really important files for your computer forensic analysis is very similar to finding the relevant files in an e-discovery project. Conversely, understanding a large number of computer file formats in painstaking detail, as is often done in computer forensic projects, can make your e-discovery procedures much better, because you can process files that common software and consultants may not be able to process. In some cases these more difficult files, such as proprietary files, can hold the most important information for your case.

The moral of the story? The next time you are hiring a person or engaging an outside company for your e-discovery or computer forensic needs, I recommend that you select a person or company that can complete the full triangle I presented above for you. There should be no need for you to select one person or company to complete just the e-discovery process and then find another person or company to take care of your computer forensic needs.


On the other hand, if you are a person or company that takes care of these needs, I recommend that you do not pigeonhole yourself into only one type of analysis. The e-discovery and computer forensics industry is large and still waiting for its superstars. Be sure to explore all that it offers.


Additional References:

http://en.wikipedia.org/wiki/E-discovery

http://en.wikipedia.org/wiki/Computer_forensics

Affordable iSCSI Storage, Part 2
Written by Steve Malloy   
Monday, 21 April 2008 14:52

How To Connect To iSCSI Storage From A Client System

Windows:

To access your newly created iSCSI storage solution using Windows, the Microsoft iSCSI Software Initiator must be obtained and installed. It can be downloaded from Microsoft at the following location:

Microsoft iSCSI Software Initiator

Once downloaded, install the software by double-clicking the icon, which is named similar to Initiator-2.06-build3497-x86fre.exe; the exact name may differ depending on the version downloaded.

Once installed, double-click the icon titled Microsoft iSCSI Initiator. This opens a new window, which is the setup and configuration window for your remote iSCSI target.

From this window, click on the Discovery tab. In iSCSI terms, discovery is the step in which the initiator, given an IP address, reaches across the network and attaches to the remote disk(s).

Under Target Portals, click Add. This brings up a new window which asks for the IP address or DNS name and the port of the remote disk(s) that you wish to attach to.

In my setup, I used 10.50.100.100 as the address of the remote target on port 3260, which is the default iSCSI port. Enter the IP address that was used during the setup of the iSCSI target along with the port that was set (typically 3260). Once this information is entered, click OK. If a connection is made, no error message is returned; otherwise an error message stating “Unable to make connection” is displayed.

Now that a connection has been established, click on the Targets tab. Under Targets, you should see the name of your target, which was decided upon during the target setup. Click on this name and click the Log On button.

This opens a new window in which you can choose whether the initiator connects to the remote disks automatically each time Windows boots. It is recommended that this option be chosen so that, if the power goes out or your system is rebooted without you on hand to reconnect to the remote disk(s), any automated tasks do not lose the ability to access them.

Click the Bound Volumes/Devices tab. At the bottom of the window, click Add.

From this window, click Bind All. This attaches all current iSCSI drives to the initiator. This step does not format the drives, and drives can be removed from this setup if only certain drives are to be used.

Once the drives are bound, click OK and exit the iSCSI Initiator. Right-click on My Computer and select Manage. This opens a new window; in this window, double-click Storage.

Then double-click Disk Management (Local).

This opens a view of all disks available to Windows. If the iSCSI disks have not been formatted yet, they appear as unallocated drives. Right-click on the unallocated drive and click New Partition. This opens a guided wizard for partitioning the disk. Once the wizard is completed, the new disk is accessible like a local disk.


Linux:

To use the iSCSI server with a Linux operating system, use the following steps. Note: all steps assume that the iSCSI initiator installed earlier in this document is also installed on the machine you wish to use to connect to the server. The first step in connecting to the iSCSI server under Linux is discovering the target. To discover an iSCSI server, use the following command.

iscsiadm -m discovery -t sendtargets -p <IP address of the iSCSI storage computer>:3260

Now that the target is discovered, the iSCSI service must be restarted so that the target is set up. To do this, type

service iscsi restart

Now that the target is set up, it can be accessed like a normal disk under fdisk and formatted as needed. If the disk is already formatted, it remains formatted as it previously was.
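The discovery step above, as an added Python example that is not part of the original article and not open-iscsi's own code: it builds the same iscsiadm command line, parses the one-target-per-line output that SendTargets discovery prints (the portal and portal group tag, then the target name) and flags any target advertised on a portal other than the one you queried. The target name and the second portal in the sample output are constructed; 10.50.100.100:3260 is the portal from the article. The discover() wrapper assumes iscsiadm is installed and is not exercised by the sample.

```python
"""Added example (not from the original article): build the iscsiadm
SendTargets discovery command used above and parse what it prints.
Sample output and the target name are constructed."""
import subprocess
from typing import List, NamedTuple


class Target(NamedTuple):
    portal: str   # "<ip>:<port>" the target was announced on
    tpgt: int     # target portal group tag
    iqn: str      # iSCSI qualified name of the target


def discovery_command(portal_ip: str, port: int = 3260) -> List[str]:
    """argv for 'iscsiadm -m discovery -t sendtargets -p <ip>:<port>'.
    3260 is the default iSCSI port, as in the article."""
    return ["iscsiadm", "-m", "discovery", "-t", "sendtargets",
            "-p", f"{portal_ip}:{port}"]


def parse_sendtargets(output: str) -> List[Target]:
    """Parse lines of the form '<ip>:<port>,<tpgt> <iqn>'.
    Lines that do not have that shape are skipped rather than guessed at."""
    targets: List[Target] = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        portal_tpgt, sep, iqn = line.partition(" ")
        portal, sep2, tpgt = portal_tpgt.partition(",")
        if not sep or not sep2 or not tpgt.isdigit():
            continue
        targets.append(Target(portal, int(tpgt), iqn))
    return targets


def unexpected_portals(targets: List[Target], queried_portal: str) -> List[Target]:
    """Targets announced on a portal other than the one that was queried.
    Worth a look before restarting the service, since the initiator may
    later try to log in to every portal it was told about."""
    return [t for t in targets if t.portal != queried_portal]


def discover(portal_ip: str, port: int = 3260) -> List[Target]:
    """Run the real discovery (assumes iscsiadm is installed and run as root)."""
    result = subprocess.run(discovery_command(portal_ip, port),
                            check=True, capture_output=True, text=True)
    return parse_sendtargets(result.stdout)


# Constructed sample: the target on the article's portal, plus the same
# target announced again on a second, private portal.
SAMPLE_OUTPUT = (
    "10.50.100.100:3260,1 iqn.2008-04.com.example:storage.disk1\n"
    "192.168.1.5:3260,1 iqn.2008-04.com.example:storage.disk1\n"
)

if __name__ == "__main__":
    found = parse_sendtargets(SAMPLE_OUTPUT)
    for t in found:
        print(f"{t.iqn} on {t.portal} (tpgt {t.tpgt})")
    for t in unexpected_portals(found, "10.50.100.100:3260"):
        print(f"note: {t.iqn} is also advertised on {t.portal}")
```

Nothing in the steps shown configures CHAP authentication, so any host that can reach port 3260 on the storage computer can discover and attach the same disks; keep the target on a network segment that only the intended initiators can reach.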


VMware ESX Server:

NOTE: Due to graphics quality issues, images were excluded from this section. To view these instructions with images, view the attached PDF documentation at the end of this article.

To use the iSCSI server with ESX Server 3i, use the following steps. Once logged into the Virtual Infrastructure Client, click on Configuration, then Networking. From the Networking screen, click Add Networking and create a new VMkernel. Follow the steps in the wizard to set up the VMkernel.

Once the VMkernel is set up, click on Storage Adapters and look for iSCSI Software Adapter. Click on the adapter listed and, in the lower window, click on Properties.

This opens a new tabbed window. Click on the Dynamic Discovery tab and then click Add. A new window opens asking for the IP address and port of the iSCSI server. Once this information is entered, click OK; the IP address should now be listed in the Dynamic Discovery window. Click Close to exit this window.

Right-click on the iSCSI adapter and click Rescan; this should discover the available hard drives on the iSCSI server and list them.

Now that the iSCSI server has been attached, the disks need to be configured for use by the ESX server. To do this, click on Storage; once in the Storage window, click Add Storage.

A new window appears; in this window choose the Disk/LUN option.

Follow the wizard until you get to the Formatting step. At this step, a few options are presented. These are the maximum sizes that any disk created in a virtual machine can be. For instance, if set to 256 GB as in the picture, a new disk created under a virtual machine running Windows can be no larger than 256 GB. Choose according to your needs at this step.

Finish the wizard and a new storage location is accessible under ESX Server, which any virtual machine can be configured to use.


To download these instructions in PDF format, use the following link: Affordable iSCSI Storage, part 2.pdf
