Some of my thoughts on E-Discovery versus Computer Forensics
Written by Keith J. Jones
Tuesday, 29 April 2008 18:27


I find that e-discovery and computer forensics are commonly misunderstood and often used in the wrong context. Many skills used during computer forensics projects can be easily applied to e-discovery projects, and vice versa, even though the goals of these processes are very different. In this blog article I will attempt to highlight the similarities and clarify the differences between the two. I will also attempt to show how they can be combined for a more complete and comprehensive computer investigation.

In order to put e-discovery and computer forensics in context, I will discuss these terms as they are used in litigation. The graph below represents any litigation involving computer data that you may experience. Imagine that any litigation begins at the top stage and progresses towards the bottom stage. As the litigation starts at the top and travels downward, it may be resolved at any of the stages before it reaches the next one. In those cases, the litigation does not have to travel the whole triangle and can be resolved with less work. That is one reason why I made the graph a triangle. A number of filed litigations are settled before they actually go to court, and therefore not every stage in the graph below is needed.

The pre-litigation advice stage usually takes place before any incident occurs. For example, common pre-litigation advice could consist of a recommendation to implement e-mail and document retention systems in order to make future incidents easier and less costly to handle. Since the initial advice stage usually depends on the situation and the client we speak with, we will switch gears for the purposes of this article and talk about the e-discovery and computer forensic stages of your incident.

E-discovery:

The first stage of litigation consists of determining what documents or files exist and where they exist on all of the computer systems in question. At the early stages of litigation, you may just want all of the relevant documents or files from the computer systems so that you can use them to build the specifics of your case. The criteria for any e-discovery project usually boil down to needing every relevant document on the computer systems that matches a certain specification. Keyword searching is the most commonly used specification in these cases and usually yields sufficient results for most situations. Keyword searching usually yields an acceptable percentage of deleted and undeleted files from your computer systems.

Although it sounds simple, e-discovery is far from that. There are a lot of factors that can make e-discovery a lot more complicated than it sounds. The sheer quantity of data is usually the driving factor in how difficult an e-discovery project will be. For most companies it is not out of the question to have 10 or more employees involved in any one litigation. Each of those employees may have at least one laptop or desktop and probably has one or more e-mail mailboxes. A single file could be duplicated hundreds of times across each person's computer and e-mail mailbox. In many instances, multiple files are duplicated in this manner amongst many users. This duplication becomes difficult when you must process, analyze, and produce the data so somebody can easily review it by hand. One of the goals we attempt to accomplish during e-discovery is to provide the smallest, most relevant data set from a very large unstructured data set. By limiting the duplication of the files mentioned above, we make it possible for reviewers to review a file only once and have that review applied simultaneously to every place the file originally existed.

Computer Forensics:

E-discovery may be used at the beginning of a project when it is more important to find a great quantity of relevant data rather than the minute artifacts in a computer system. On the other hand, computer forensics is often used when a specific piece of data needs to be analyzed at great depth. Computer forensics is often used to explain, in technical terms, what a person did and when it was done on a computer system. An examiner could use computer forensics on a very small set of data, such as one file, to help prove the case. Sometimes only one file could be the "smoking gun".

For example, we may use computer forensics to determine if a computer system was maliciously modified before the investigation began. Computer forensics would allow us to examine specific portions of the hard drive, such as file metadata, in order to determine if the computer system was modified in an unauthorized manner. Another example of computer forensics may be the examination of a rogue file on a computer system. A painstaking examination can be made of any unknown file in order to determine what the file is for, what it accomplishes, why it is on the computer system, and how it originally got there.

Similarities:

First, people that perform e-discovery and computer forensics use the same types of data. Computer data is usually acquired with the same forensic software, using the same techniques, which saves every bit of a computer hard drive for your processing efforts. Both e-discovery and computer forensics can undelete computer files and recover data that the user believes has been removed from their computer system. This is because in most circumstances the data that is acquired is the same for both processes.

Second, some of the same software tools can be used for e-discovery and computer forensics. For example, we have used the Forensic Toolkit (FTK) on both e-discovery projects and computer forensic projects. Most software along these lines presents the user with deleted and undeleted files in an easy-to-navigate format. What you choose to do with the files is dictated by the type of project you are working on, such as an e-discovery project or a computer forensics examination. Most software, like FTK, offers functionality for a mass export of the files matching your criteria, or you can use the software to examine specific files as you would do during a computer forensic examination.

Third, the same basic skill sets for the examiner are required for e-discovery and computer forensics. Since we use the same software for e-discovery and computer forensic projects, the user does not have to learn anything new to use the software to accomplish two different goals. Therefore, the same basic skill sets of data acquisition, processing, and presentation are used in both e-discovery and computer forensic projects. Once you have learned the software and the methodologies behind it, it is very easy to apply them to other types of projects.

Lastly, the same basic processes are used for e-discovery and computer forensics. Most of the same basic processes are initially used in both types of projects. For example, in nearly every e-discovery and computer forensic project you will want the capability of examining deleted files. Usually the first steps in these projects undelete any deleted files on the computer you are examining. Keyword searching is often used during e-discovery projects in order to reduce the data set that you have to review. Keyword searching is also used during computer forensics to locate the file or files you want to examine. Also, in both e-discovery and computer forensic projects you do not want to examine the same file over and over, which would dramatically waste your time. This is a process that we call de-duplication. You can de-duplicate the data using the same process during e-discovery and when performing computer forensics. Nearly any type of process you use on one you can apply to the other.
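To make the de-duplication and keyword reduction described in the e-discovery section and in this list concrete, here is a small added example of my own (not the author's process and not how FTK does it): it hashes each collected item's content so that one copy stands in for every location the file existed, narrows the unique set by keyword, and then maps a single review decision back to all of those locations. The custodians, paths and file contents are constructed for the example.

```python
import hashlib

# Constructed sample collection: (custodian, location, raw content).
# Three copies of one contract, one unrelated note, and a budget file plus a
# copy of it recovered from unallocated space (the "undeleted" case).
ITEMS = [
    ("alice", "laptop:/docs/contract.txt", b"Master services agreement with Acme, term 24 months."),
    ("alice", "mailbox:inbox/msg-12/contract.txt", b"Master services agreement with Acme, term 24 months."),
    ("bob", "desktop:/share/contract.txt", b"Master services agreement with Acme, term 24 months."),
    ("bob", "desktop:/share/notes.txt", b"Lunch menu for Friday."),
    ("carol", "mailbox:sent/msg-7/budget.txt", b"Acme budget figures for the merger."),
    ("carol", "laptop:/recovered/~deleted-budget.txt", b"Acme budget figures for the merger."),
]


def content_hash(data: bytes) -> str:
    """SHA-256 of the content; identical bytes anywhere collapse to one key."""
    return hashlib.sha256(data).hexdigest()


def deduplicate(items):
    """Group every (custodian, location) under the hash of its content.

    Returns {hash: {"content": bytes, "locations": [(custodian, location), ...]}}
    so each unique file is reviewed once but its provenance is never lost.
    """
    groups = {}
    for custodian, location, content in items:
        group = groups.setdefault(content_hash(content), {"content": content, "locations": []})
        group["locations"].append((custodian, location))
    return groups


def keyword_filter(groups, keywords):
    """Keep only unique files whose text matches any keyword (case-insensitive)."""
    needles = [k.lower() for k in keywords]
    return {h: g for h, g in groups.items()
            if any(n in g["content"].decode("utf-8", errors="ignore").lower() for n in needles)}


def apply_review(groups, decisions):
    """Expand per-hash review decisions back to every original location.

    decisions is {hash: verdict}; the result lists (custodian, location, verdict)
    so a single reviewer call covers all duplicates at production time.
    """
    rows = [(c, loc, verdict) for h, verdict in decisions.items() for c, loc in groups[h]["locations"]]
    return sorted(rows)
```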

Differences:

First, there is a vast difference in the breadth versus the depth of the analysis that occurs between e-discovery and computer forensics. In e-discovery, you usually produce a large number of files with little regard to their actual content. Granted, you may still care somewhat about the content of the files, as you are producing data that is responsive to some set of predefined criteria, but very rarely do we actually examine the content of every single file during an e-discovery project. We are usually producing these documents for a different party, such as our client, to review. While performing computer forensics, we may be interested in all of the files on the computer system, but we spend a majority of our time examining a select few files. We could spend many hours, days, or months just examining one file on a computer system if it is relevant to our investigation.

Second, an examiner's goals are very different between e-discovery and computer forensics. During e-discovery, our goal is usually to produce relevant documents for a third party to examine. During computer forensics, we are usually performing the examination of the relevant files ourselves. The files we examine during computer forensics tend to be a lot more difficult to view natively. For example, we will examine event logs, installed programs, file metadata, and many other types of files that the reviewers during an e-discovery project would not be able to understand. Furthermore, e-discovery is typically used to produce a large number of files in order to substantiate your case, while computer forensics is used to play back a user's activity on a computer system.

Third, a different level of planning goes into an e-discovery project versus a computer forensic examination. We find that during e-discovery engagements the client often wants us to grab a large number of computers, whereas during computer forensics examinations we focus on a select few. A different sense of planning is needed when large numbers of computers are to be examined versus only a few. It is not uncommon to see hundreds and hundreds of computers during e-discovery, when we would only examine a select few during a computer forensics project. It can be very difficult getting access to hundreds of computers when each has a person using it during the normal workday. If you have to examine only a few computers, your planning becomes much easier.

Bringing It Together:

You may be wondering: "Why take the time to differentiate between these two different types of projects?" In my opinion, it is unnecessary for people to choose two different companies or individuals to provide the same basic services. As you can see above, there are more similarities than differences between e-discovery and computer forensics. It is my belief that being good at one makes you better at the other. Allow me to explain.

Being able to manage large data sets (we have worked on some cases that involved more than 54 terabytes of information) and get to the relevant data more efficiently, as is often done during e-discovery projects, only complements the computer forensics efforts that you perform later on. Sometimes finding the really important files for your computer forensic analysis is very similar to finding the relevant files in an e-discovery project. Conversely, understanding a large number of computer file formats in painstaking detail, as is often done in computer forensic projects, can make your e-discovery procedures much better because you can process files that common software and consultants may not be able to process. In some cases these more difficult files, such as proprietary files, can hold the most important information for your case.

The moral of the story? The next time you are hiring a person or engaging an outside company for your e-discovery or computer forensic needs, I recommend that you select a person or company that can complete the full triangle I presented above for you. There should be no need for you to select one person or company to complete just the e-discovery process and then find another person or company to take care of your computer forensic needs.


On the other hand, if you are a person or company that takes care of these needs, I recommend that you do not pigeonhole yourself into only one type of analysis. The e-discovery and computer forensics industry is large and still waiting for its superstars. Be sure to explore all that it offers.


Additional References:

http://en.wikipedia.org/wiki/E-discovery

http://en.wikipedia.org/wiki/Computer_forensics