1
- The FAQs, the Do’s and the Don’ts
- How this technology can make or break your case

2
- Electronic Discovery is the process of identifying, collecting, screening,
  and producing electronically stored data in response to a discovery
  request or subpoena
- The manner in which the evidence is collected, reviewed, and prepared
  may be as important as the fact that the evidence was requested at all
- Electronic Discovery allows us to segregate, identify, index, and even
  authenticate documents in a fraction of the time, and at a fraction of the
  cost, of paper discovery
- Statistics show that Electronic Discovery reduces trial time by as much
  as one-third

3
- 1 in 20 companies has battled a workplace lawsuit triggered by email
- 14% of companies have been ordered by a court or regulatory body to
  produce employee email – a 5% increase since 2001
  (American Management Assoc. 2003)
- The average volume of discovery data collected from a custodian has
  increased by more than 500% in the past five years
- Discovery represents 50% of litigation costs on average and up to 90% of
  costs in cases where it’s actively used
- Paper discovery costs an average of $0.70 a page; Electronic Discovery
  costs an average of $0.23 per page
  (Law Office Computing, Jun/Jul 2003)

5
- Computers have become an integral part of our society
- 92% of new information generated worldwide in 2002 was digital,
  primarily stored on hard disks (Univ. of CA 2003)
- Paper represented only 0.01%
- 70% of electronic documents never migrate to paper
- Electronic Discovery is a fact of life in litigation today
- To ignore electronic discovery is to flirt with disaster

7
- The phrase “computer forensics” was first coined in 1991 at a conference
  sponsored by IACIS
- A relatively new field in the private sector
- In use since the mid-1980s by law enforcement and intelligence
  organizations
- Forensic specialties deal with the application of a particular science to
  questions of law

11
- If employees spend 63% of their time on non-work related activities, are
  they defrauding their employer?
- 51% of U.S. employees who use the Internet at work spend between 1 and 5
  hours per day online for non-work related activities

12
- Computer forensics deals with the:
  - Acquisition
  - Preservation
  - Identification
  - Extraction
  - Analysis
  - Documentation
  of digital evidence, so that it is admissible in a court of law

13
- The forensic sciences involve the use of sophisticated technologies, tools
  & procedures
- Their application must be rigidly followed to assure the preservation of
  evidence & the accuracy of results
- Computer Forensics is no different
- Most Computer Forensic tools exist in the form of specialized computer
  software applications

14
- Fraud investigations & white collar crimes
- Any case that uses documentary evidence
- Employment cases
- Divorce cases
- All types of litigation

15
- Today’s average hard disk storage capacity is 40 to 80 GB
- The average page holds 2,000 to 4,000 characters, or bytes
- A 40 GB hard disk stores 40 billion bytes, or 10 to 20 million pages
- A 500-page ream of paper is 1.5” thick
- That’s 30,000 to 60,000”, or a stack 2,500 to 5,000 ft. high
- The Empire State Bldg. is 1,453 ft. high

16
- Technology comes to the rescue
- Keyword searches allow the examiner to quickly find the hidden evidence
  among millions of pages
- The more precise the keywords used in the search, the better the results
- Use unique keywords or a combination of keywords
- MD5 hashes allow you to exclude known programs: files whose hash matches a
  reference set of known software need not be reviewed, leaving only unknown
  and user-created files to examine (MD5 collisions are practical today, so
  record SHA-1 or SHA-256 alongside MD5)
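
A worked illustration of the two techniques on this slide, added here as an example and not code from the original presentation: files whose SHA-256 matches a reference set of known software are skipped, and everything else is searched for case keywords. The reference hash set, the evidence files and the keyword list are all constructed inline; in practice the hash set comes from a published reference collection (NIST’s NSRL is the usual source) and the examiner runs the search against a mounted image, not the live system. The “notepad.exe” and “calc.exe” names and contents are stand-ins, not real binaries.

```python
"""Known-file filtering plus keyword search over a small constructed evidence tree.

Added example, not code from the original presentation. The "known file" hash
set, the evidence files and the keywords are all constructed below.
"""
import hashlib
import os
import re
import shutil
import tempfile

CHUNK = 1 << 16

# Constructed stand-in for a shipped program (e.g. a stock Windows binary).
# Its string table happens to contain one of our keywords, which is exactly
# why known-file filtering matters: without it this file would be a false hit.
REFERENCE_NOTEPAD = b"MZ\x90\x00...Acme Corp license string..."


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def keyword_search(root, keywords, known_hashes):
    """Walk the tree under root; skip files whose SHA-256 is in known_hashes;
    report every keyword hit as (relative path, keyword, byte offset).
    Returns (sorted hits, number of files excluded by hash)."""
    # Case-insensitive byte patterns, so this works on binaries and text alike.
    patterns = [(kw, re.compile(re.escape(kw.encode()), re.IGNORECASE))
                for kw in keywords]
    hits, excluded = [], 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if sha256_file(path) in known_hashes:
                excluded += 1          # known software: no need to read it
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            for kw, pat in patterns:
                hits.extend((rel, kw, m.start()) for m in pat.finditer(data))
    return sorted(hits), excluded


def demo():
    """Build the constructed evidence tree, run the search, and clean up."""
    root = tempfile.mkdtemp(prefix="evidence_")
    try:
        os.makedirs(os.path.join(root, "Windows"))
        os.makedirs(os.path.join(root, "Users", "jdoe"))
        # Reference set: hashes published for known software, not computed
        # from the evidence itself.
        known = {hashlib.sha256(REFERENCE_NOTEPAD).hexdigest()}
        # Unmodified copy of the known program: should be excluded.
        with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as fh:
            fh.write(REFERENCE_NOTEPAD)
        # Tampered copy: one extra byte, so its hash no longer matches and
        # it is searched like any other unknown file.
        with open(os.path.join(root, "Windows", "calc.exe"), "wb") as fh:
            fh.write(REFERENCE_NOTEPAD + b"\x00")
        # Constructed user documents.
        with open(os.path.join(root, "Users", "jdoe", "memo.txt"), "wb") as fh:
            fh.write(b"Re: ACME CORP account - move the funds before audit on the 20th\n")
        with open(os.path.join(root, "Users", "jdoe", "recipes.txt"), "wb") as fh:
            fh.write(b"chili, onions, no work talk here\n")
        return keyword_search(root, ["Acme Corp", "audit"], known)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found, skipped = demo()
    print(f"{skipped} known file(s) excluded by hash")
    for rel, kw, off in found:
        print(f"{rel}: '{kw}' at offset {off}")
```

The untouched copy of the known program is dropped without being read, the tampered copy is not (its hash no longer matches, so it is searched and produces a hit), and the memo yields one hit per keyword. Matching on raw bytes rather than decoded text is deliberate: keyword hits in unallocated space, swap and spool files come from the same byte-level search.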

21
- Artifacts can be found in system files and other areas such as:
  - Swap file
  - Print spool files
  - Files deleted from the Recycle Bin
  - Temporary Internet Files
  - Favorites, Cookies, Recent, Sent To, and other folders in the user
    profile that Windows creates the first time the user logs on to a PC

25
- Email is the “killer application” that made the Internet today’s
  world-wide communications medium
- 5.5 trillion messages were sent in 2001. Of those, Gartner Research
  estimates that half were business related
- Books have been written on managing email communications
- The “informality” of the medium usually makes people say things in email
  messages that they would never otherwise write down

26
- If used to its full potential, Outlook keeps track of every sensitive
  detail about one’s personal and professional life
- The information stored in Outlook can usually make your case—literally!
- Getting access to one’s email archives and contacts folders can yield
  better evidence than getting the full cooperation of a “scorned spouse”

28
- Since the data is stored on a remote server, it is absolutely safe. Right?
- No one other than the account holder can access such communications.
  Right?

29
- Also some things have been going on here so everything didn't work out
  for the 5th but the 20th should be fine. Actually I'm doing more
  (hopefully 30) b/c I had a couple other things that came up that I
  needed to get out the way too so we should be fine after the 20th and
  that will definitely be the last time (10 - you, 20 - me). I had no idea
  trying to get a brand new house

30
- A Forensic Examination enables the examiner to easily compile a detailed
  personal profile about the subject
- The heavier the computer use by the subject, the more detailed the
  personal profile that can be developed
- Computer users joke that their entire lives are contained in their
  PC—that’s no joke from a Forensic Examiner’s perspective

31
- Upon completion of the Forensic Examination, the examiner should provide
  a complete report
- The report should provide a complete accounting of:
  - Storage media examined
  - Physical disk(s) and volume information
  - Description of the file structure
  - Results of keyword searches
  - Examples of items found of evidentiary value
  - Protocols followed
  - Chain of custody

32
- The system administrator is a sharp guy; he’s MCSE and Cisco certified
- Surely he can help find the hidden evidence
- His expertise and certifications will make him a superb expert witness
- RIGHT?

33
- MCSEs receive no training in the proper procedures for preserving
  electronic evidence or for conducting forensic examinations
- The IT administrator may have a “relationship” with the subject
- Any disk activity risks damaging or destroying potential evidence
- Turning on a PC alters the state of the hard disk (a normal boot writes
  to the registry, event logs, page file and file timestamps); this could
  be used to challenge the veracity of the evidence

34
- Once a determination is made to “confiscate” an employee’s PC, the IT
  administrator should be told to UNPLUG—not turn off—the PC and secure it
  until it can be received by a properly trained computer forensic examiner
  (assuming it’s a Windows PC or Mac)
- This preserves the hard disk in the same state it was in when the PC was
  confiscated: an orderly shutdown would write to the disk, whereas pulling
  the plug writes nothing further (the contents of memory are lost either way)
- Avoids evidentiary challenges in court

35
- If insufficient evidence exists to “confiscate” the PC, instruct the IT
  administrator to advise the suspect that his PC is needed in the IT shop
  for urgent maintenance
- The suspect should be discouraged from shutting down the PC—the admin
  should make up a story and simply unplug the PC
- Once the PC is safely in the IT department, a trained forensic examiner
  can image the hard disk
- The actual PC, or another unit, can then be returned to the suspect
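
The imaging step on slides 34 and 35, together with the hash verification and chain-of-custody record that the report on slide 31 calls for, as an added example that is not code from the original presentation. An ordinary file stands in for the seized drive so the example runs anywhere; the case number, item label, custodian names and timestamps are assumptions. It also demonstrates the point made on slide 33: once the original disk is written to again (as any normal boot would do), its hash no longer matches the acquisition hash, while the image taken before that still verifies.

```python
"""Forensic imaging of a constructed 'disk' with acquisition/verification hashes
and a chain-of-custody log. Added example, not code from the original
presentation; the case number, custodians and timestamps are assumptions."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20


def sha256_file(path):
    """SHA-256 of a file (or a block device opened read-only), in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, image_path):
    """Bit-for-bit copy of source into image_path.

    The source is hashed as it is read (acquisition hash) and the finished
    image is hashed afterwards (verification hash); the two must be equal.
    On a real drive the source would be a device node behind a write blocker.
    """
    acq = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            acq.update(block)
            dst.write(block)
    acquisition, verification = acq.hexdigest(), sha256_file(image_path)
    if acquisition != verification:
        raise RuntimeError("image does not match source; re-acquire")
    return acquisition


class CustodyLog:
    """Append-only record of who had the item, when, and what was done to it."""

    def __init__(self, case_no, item_id):
        self.case_no, self.item_id, self.entries = case_no, item_id, []

    def record(self, custodian, action, detail=""):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "case": self.case_no, "item": self.item_id,
            "custodian": custodian, "action": action, "detail": detail,
        })

    def render(self):
        return "\n".join("{time} | {case} | {item} | {custodian} | {action} | {detail}"
                         .format(**e) for e in self.entries)


def demo():
    """Seize, image, verify, then show what a later write to the original does."""
    work = tempfile.mkdtemp(prefix="case_")
    try:
        disk = os.path.join(work, "sdb")        # constructed stand-in for the seized drive
        with open(disk, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)  # 1 MiB of constructed content
        log = CustodyLog("2003-0042", "PC-17 hard disk")   # assumed identifiers
        log.record("IT administrator", "seized", "PC unplugged at desk, not shut down")
        log.record("IT administrator", "transferred", "handed to examiner, sealed bag #A1")
        image = os.path.join(work, "PC-17.dd")
        acq = image_device(disk, image)
        log.record("examiner", "imaged", f"sha256 {acq}")
        image_ok = sha256_file(image) == acq      # re-check before analysis

        # Someone boots or otherwise writes to the original: its hash changes.
        with open(disk, "r+b") as fh:
            fh.seek(0)
            fh.write(b"BOOT")
        original_ok = sha256_file(disk) == acq
        log.record("examiner", "verified", f"image matches acquisition hash: {image_ok}")
        return {"acquisition": acq, "image_verifies": image_ok,
                "original_verifies": original_ok, "entries": len(log.entries),
                "log": log.render()}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print(r["log"])
    print("image verifies:", r["image_verifies"], "| original unchanged:", r["original_verifies"])
```

The acquisition hash recorded in the custody log is what the report cites; anyone can later re-hash the image and confirm it is the same data the examiner analysed, which is what answers the evidentiary challenge that the unplug-don’t-shut-down rule exists to avoid.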

36
- Essential: update employee manuals to specify a PC usage policy
- The policy must spell out that there is no expectation of privacy on the
  Company’s computer systems
- An official document retention policy, which must be followed
- A network login banner that spells out the usage policy and states that
  unauthorized access may result in prosecution
- The login process must require an affirmative confirmation
- In adverse termination cases, consider acquiring an image of the
  computer’s hard disk, to preserve the state of the data at the point the
  employee left the company

37
- Immediately consult with counsel
- Once a decision is made to confiscate the PC, simply unplug it
- Sequester the PC and maintain a chain of custody
- Contact and contract a reputable computer forensic examiner
- Look for an examiner who has prior investigative experience in the type
  of case in question
- Thoroughly brief the examiner about the case so that he knows what to
  look for and can pursue leads as they are developed
- Build a comprehensive list of case-relevant keywords
- Cancel the subject’s user accounts on all systems
- Consider changing all passwords on networks, intranets, mail servers,
  etc.

38
- Once a decision is made to confiscate a PC, do not let anyone use
  it—including the assigned user
- Do not let the user “copy” or remove his personal files from his
  assigned PC
- Do not go on a hunting expedition looking for files
- Do not ask the IT administrator to take a look at the PC or “see what he
  can find”
- Do not allow the suspect to remove “personal” floppies, CD-ROMs or other
  storage media—including Company-owned PDAs

39
- Consultations: call us with your questions, anytime
- RRT: Rapid Response Team
- Develop investigative plan
- Pursue investigative leads
- Computer forensic services
- Forensic accounting services
- Litigation support services

40
- Phillip Rodokanakis, CFE
- Managing Partner
- U.S. Data Forensics, LLC
- 4520 East West Hwy
- Suite #640
- Bethesda, MD 20814
- Tel. 301-657-5600
- FAX 301-907-9227
- phil@usdfllc.com
- www.usdataforensics.com

41
- An application was for employment
- A program was a TV show
- A cursor used profanity
- A keyboard was a piano
- Memory was something that you lost with age
- A CD was a bank account
- If you unzipped anything in public, you'd be in jail for a while!
- Log on was adding wood to a fire
- Hard drive was a long trip on the road
- A mouse pad was where a mouse lived
- A backup happened to your commode!
- Cut - you did with a pocket knife
- Paste you did with glue
- A web was a spider's home
- And a virus was the flu!