Cyberforensics & Electronic Data Discovery
EDD: the Uniquely American Game
Incentives, Sanctions, Justice

EDD Growth Facts
- Proliferation of electronic data
- Over 90% of business docs are created & stored electronically
  - Lyman, Peter and Hal R. Varian, How Much Information, 2003, http://www.sims.berkeley.edu/how-much-info-2003
- Cohasset Study: “the majority of organizations are not prepared to meet many of their current or future compliance and legal responsibilities.”
  - 46% of surveyed firms have no formal recordkeeping procedures
  - 65% do not include e-Docs among documents systematically retained
- Underserved EDD opportunities are considerable

EDD Importance of eMail
- Est. 500K eMail msgs per second
- Replacing official correspondence
- Contracts enforceable in email
  - Valid as offer or acceptance
  - Can be validated, authenticated & attributed using electronic signatures, certificates, etc.
- Broad public expectations that email utility depends on freedom of expression, particularly in fast changing environments, despite async
  - e.g., commodities or financial market price changes
- Replaces phone or F2F conversations

Some High Visibility EDD Cases
- MS, Gates’ IE Bundling impact on Netscape
- Zubulake v. UBS Warburg (employment)
- Morgan Stanley Perelman litigation
- Martha Stewart insider trading case
- Jack Grubman, Citigroup/Salomon Smith Barney telecom analyst
- Types of leading cases & industry impact: Financial services, antitrust, securities law, employment, Pharmas

Discovery Begets Justice
- Most foreigners amazed at U.S. style litigiousness
- US defines individual rights broadly
- US justice system allows broad vindication
- Role of civil procedures to force transparency
- Discovery of embarrassing, exposing or incriminating evidence
- Is US strength derived from transparency?
  - Simplistic: political & economic freedoms, cultural, historical, diversity, access to natural resources
- Is other nations’ future strength drawn from their lack of transparency?
  - EX: EU Data Retention Directive covers only ISP & TelCo data & only for Criminal, Counter Terrorism purposes

Litigators’ Vision of Discovery
- “As a litigator, I will tell you documents are just the bane of our existence. Never write when you can speak. Never speak when you can wink.” Statement of Jordan Eth, Sarbanes-Oxley: The Good, The Bad, The Ugly, Nov. 10, 2005, on panel hosted by the National Law Journal and Stanford Law School’s Center on Ethics, reprinted in Nat. L.J. at p. 18 (Dec. 12, 2005).
- Derivative update by Ruhnka & Bagby, JDFSL: “Never type when you can write, never speak when you can whisper…”

EDD is a Game
- More EDD & ERM costs than if the Target cheaply found the smoking gun
- But perceived savings if admissions are avoided and this goes undetected
- Natural reaction to hide misbehavior despite some evidence of leniency if forthright
- Lower social costs of litigation if discovery could become more efficient
- Reduced societal pressure for reforms that eviscerate rights
- EDD requires Strategic Planning

Technology Advantages in Litigation
- Time saving
- Reduced cost
  - EX: photocopying, review, coding
- Automated production of required documents
- Quickly sift, manipulate information to determine patterns, inconsistencies & issues
- Imposes planning & structure on management of information & case preparation

Non-Responsiveness is Punished
- Discovery Sanctions ordered against: Arthur Andersen, UBS Warburg, Morgan Stanley, Martha Stewart
- Legal Counsel sanctioned for encouraging non-responsiveness
  - E.g., Rambus discovery sanctions: privilege lost
- Significant experience with hair-splitting
- Response: broaden requests & include excessive granularity of detail
  - Give us every document, letter, memo, email…

Ignoring a Smoking Gun Is Failure
- Each party has incentive to do EDD fishing expeditions
- Huge discovery burdens incentivize EDD targets into settlement
- Arguably malpractice not to pursue aggressive EDD
- Smoking guns are increasingly decisive
- Defendants have been successful with litigation & tort reforms focused on early case dismissal before incurring discovery costs
  - EX: ’95 PSLRA’s Automatic Stay of Discovery, http://www.sia.com/capitol_hill/html/private_sec_lit_reform_act.html

The Cost of EDD in Court Cases (US)
[Chart: EDD cost in US $ millions (y-axis 0 to 300) by year, 1999 through 2002]

Electronic Evidence
- Computer actions – electronic traces from email, invoices, viruses, hacker attacks, web activity, communications
- Network log data
- Personal device log data
- Includes actual content, attachments &/or metadata
  - Metadata can provide an audit trail contained in log files and in metadata (descriptions or properties of data files or email)
- Business records open to pre-trial discovery
  - U.S. adversary system permits preparation for trial by accessing facts relevant to the case, whether held by the opponent or by 3d parties

Pre-Trial Investigation
- Conducted both pre/post filing
- Private Investigators
  - Traditional & electronic sleuthing constrained by privacy, eavesdropping, wiretap, etc.
- Factual & witness (informal) discovery
- Consensual interviews
- Search experts
- Internal investigations
- Game theoretic & strategic considerations

Pre-Trial Discovery
- Act or process of finding or learning something that was previously unknown
- Right of all litigants in the U.S.
- Compulsory disclosure, at any opposing party's request, of information that relates to the litigation
- Limits:
  - Limits imposed given long history of intentional & harassing burden imposed on opposing parties
  - But such limits are not intended to assist the discovery target in hiding relevant information

Discovery Process
- Litigants request information from the opposing party relevant to issues raised in claims and defenses
- Traditionally: Interrogatories; Depositions; Examination; Production of Documents

Definitions of Computer Forensics
- “The application of computer investigation and analysis techniques in the interests of determining potential legal evidence.”
- “The science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.” (FBI)
- The discovery, recovery, preservation & control of digital data or documents
- Analysis, verification and presentation of eVidence in court & internal investigations

Computer/Network Forensics
- Forensics: search for eVidence by file content analysis, metadata, logs & expensive erasure recovery techniques
  - EX: post-erasure shadow may remain of un-erased magnetic filings, even after repeated overwrites
- Targeting electronic devices: computers, cell phones, PDAs, voice-mail, servers, disks, zip drives, backup tapes
- Targeting communications: email, Internet transmissions, IM, chat rooms, listservs, usenet groups

Locations for the Recovery of eVidence: Data Repositories
- Network Workstations and Laptops
- File Servers, Shared Drives
- Application Servers, Enterprise Applications
  - EX: Peoplesoft, SAP
- Home or Offsite Computing
- Paper Documents, Current office long term storage
- Diskettes, DVDs, CDs, Portable Storage Devices
- Backup media tape
- Network Email servers
- Mobile Devices: Blackberry, Palm, Pocket PC
- Instant Message

Locations for the Recovery of eVidence
- Computer files & metadata
- Recycle Bins, including dates of deletions
- Backup tapes & other archives
- Logs & cache files
- Slack & unallocated space
- Email: copies to self, forwarded messages, and deleted messages folders
- SWAP files – a memory-extending feature that moves data from main memory to a temporary storage area on the PC's disk
- 3rd Party Providers, i.e. ISPs

What Forensics can Find
- Computer forensics can reveal what users have done on the network:
  - Theft of trade secrets, intellectual property, and confidential data
  - Defamatory or revealing statements in chat rooms, usenet groups, or IM
  - Sending of harassing, hateful, objectionable email
  - Downloading criminally pornographic material
  - Downloading & installation of unlicensed software
  - Online gambling, insider trading, solicitation, drug trafficking
  - Which files were accessed, altered, or saved

Consequences for Failure to Comply with Discovery
- Cannot destroy what is expected to be subpoenaed
- Procedural law in federal & state courts requires compliance with discovery requests
- Risks of non-compliance: Spoliation; Obstruction of Justice

Spoliation
- Tort: interference with or destruction of evidence
- Defense to tort
- Adverse Evidentiary Inference or Presumption: unable to prove case because of destruction
- Discovery Sanction
  - P&G sanctioned $10,000 for not saving email communications of 5 key employees P&G ID’d
- Default Judgment
  - Employees knowingly destroyed documents

Obstruction of Justice
- Definition: crime of offering interference of any sort to the work of police, investigators, regulatory agencies, prosecutors, or other (usually government) officials
- Often, no actual investigation or substantiated suspicion of a specific incident need exist to support an obstruction charge
- EX: Arthur Andersen, Enron, Martha

Admissibility of Evidence
- Relevance, materiality & (in)competence
- Authentication (proof justifying proof)
  - Chain of Custody
- Hearsay
  - Business Records
- Privileges
- Expert witnesses & scientific evidence

Electronic Evidence
- What are Business Records?
  - Records created as part of operations or transactions
  - EX: electronic computer records, printouts, metadata, POS, HR files, inventory/production schedules, accounting entries …
- Some differences between Federal & State Laws
  - Federal Rules of Civil Procedure (FRCP) governs conduct of trial
  - Federal Rules of Evidence (FRE) governs admissibility of particular

Arguments Against ERM/EDD Investment
- EDD is confined to Geek Activity
- Doubt any substantial Business Perspectives rest on EDD or ERM?
- These high visibility cases are not generalizable, mere scare tactics
- Law is a canard, litigation risk too speculative
- Economic globalization diminishes much need to attend to U.S.-style EDD matters
- EDD is Costly, standards nascent, no immediate cash flow
- Still hard to prove ERM negligence or intentional non-responsiveness
- Everybody destroys docs
- Few Spoliation or Obstruction risks
- Let others blaze the trail to effective EDD
- Ignoring EDD might hide the smoking gun

Challenge of Deleting eMails
- As with most files in a typical OS, deleting only marks the space for possible overwriting later
- eMail & other files remain un-erased in various repositories
  - EX: recycle bin, trash, server of client, network or recipient(s), recipient(s)’ PCs, backups of all the above, printouts, & forwarded recipients & servers
- Law recognizes NO higher expectation of privacy for eMail

Recovering Deleted eMail
- Recoverable deleted files are discoverable
- Must show factual basis that email existed
- Must show feasibility of un-deleting
- Expert’s affidavit may be required
- Recovery often ordered after discovery target fails to produce eMail printouts
- Metadata discoverable if printouts omit dates, or if editing or tampering is apparent
- Must demonstrate reasonable basis of suspicion
  - Mere conjecture insufficient; some evidence required
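The slide's point that metadata becomes discoverable when printouts omit dates is easiest to see on a raw message. The script below is an added illustration, not code from the deck: it parses a constructed email with Python's standard email module, pulls out the header fields and per-hop Received timestamps that a printout drops, and flags a Date header that does not fit the server-stamped timeline (for example, one that was backdated). The two sample messages and the one-hour tolerance are constructed assumptions.

```python
"""Pull the metadata a printed email omits and sanity-check its timeline.

Added example for the point that metadata (dates, hops, message ids) is
discoverable when printouts are incomplete; not code from the slides.  The two
raw messages below are constructed samples and the one-hour tolerance is an
assumed threshold.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample: two Received hops (newest first, as servers prepend them).
RAW = (
    b"Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])\n"
    b"\tby mx.example.invalid with ESMTP id abc123;\n"
    b"\tFri, 11 Nov 2005 16:42:07 -0500\n"
    b"Received: from workstation-17 (workstation-17.corp.example.invalid [192.0.2.44])\n"
    b"\tby mail.example.invalid with ESMTP id def456;\n"
    b"\tFri, 11 Nov 2005 16:41:59 -0500\n"
    b"Message-ID: <20051111214159.12345@workstation-17>\n"
    b"Date: Fri, 11 Nov 2005 16:41:55 -0500\n"
    b"From: Ann Sender <sender@example.invalid>\n"
    b"To: recipient@example.invalid\n"
    b"Subject: Q3 numbers\n"
    b"X-Mailer: Constructed Sample 1.0\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Please see the attached draft.\n"
)
# Same message with the Date header pushed back a day: the kind of edit a printout hides.
RAW_BACKDATED = RAW.replace(b"Date: Fri, 11 Nov 2005", b"Date: Thu, 10 Nov 2005")

TOLERANCE_SECONDS = 3600   # assumed: a client clock may lag the first server by up to an hour


def extract_metadata(raw: bytes) -> dict:
    """Headers and per-hop timestamps that a printout usually drops."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())           # unfold continuation lines
        route, _, stamp = text.rpartition(";")     # the date follows the last ';'
        hops.append({"route": route.strip(), "time": parsedate_to_datetime(stamp.strip())})
    return {
        "message_id": str(msg["Message-ID"]),
        "date": parsedate_to_datetime(str(msg["Date"])),
        "mailer": str(msg["X-Mailer"]),
        "hops": hops,                                # newest hop first, as in header order
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


def timeline_checks(meta: dict) -> list:
    """Flag inconsistencies between the claimed send time and the server-stamped hops."""
    findings = []
    hops = meta["hops"]
    if hops:
        first_receipt = min(h["time"] for h in hops)
        if meta["date"] > first_receipt:
            findings.append("Date header is later than first server receipt")
        elif (first_receipt - meta["date"]).total_seconds() > TOLERANCE_SECONDS:
            findings.append("Date header precedes first server receipt by more than an hour")
    for newer, older in zip(hops, hops[1:]):
        if newer["time"] < older["time"]:
            findings.append("Received chain is out of order")
    return findings


if __name__ == "__main__":
    for label, raw in (("as sent", RAW), ("backdated", RAW_BACKDATED)):
        meta = extract_metadata(raw)
        print(label, meta["message_id"], meta["date"].isoformat(), timeline_checks(meta))
```

Received headers are written by the relaying servers rather than by the sender, which is why their timestamps are the reference point and the client-supplied Date header is what gets tested against them; on a real mailbox export the same functions run over each message in turn.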

Who Conducts Deleted eMail Retrieval?
- Requesting party usually prohibited direct access
  - Confidentiality & privilege barriers to examination of irrelevant matters
- Requesting party representative sometimes present & may help design the search method
- Safeguards: Mirror image of HD made
  - Target’s attorney searches the imaged HD, filters confidential info, then produces only responsive info
- Increasingly, a Neutral Third Party service provider is used if production is complex or extensive
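The mirror-image safeguard above only helps if every later holder of the copy can be shown to have worked on the same bytes, which is the chain-of-custody element of authentication from the admissibility slide. The following is an added example, not the deck's or any vendor's code: it hashes the acquired image with SHA-256, keeps an append-only custody log in which each entry carries the image hash and a digest of the previous entry, and reports both a copy that no longer matches the acquisition hash and a log entry that was edited after the fact. The evidence id, custodians, timestamps and image bytes are constructed.

```python
"""Hash-based chain of custody for a forensic disk image.

Added example for the 'mirror image of HD' safeguard and the chain-of-custody
element of authentication; not code from the slides.  The evidence id, the
custodians, the timestamps and the image bytes are all constructed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Canonical hash of a log entry, used to chain entries together."""
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


class CustodyLog:
    """Append-only record of who held a copy of the image, when, and what it hashed to."""

    def __init__(self, evidence_id: str, image: bytes, custodian: str, when: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(image)   # reference value for every later check
        self.entries = []
        self.record("acquired (bit-for-bit mirror)", custodian, image, when)

    def record(self, action: str, custodian: str, image: bytes, when: str) -> dict:
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "action": action,
            "custodian": custodian,
            "when": when,
            "hash": sha256_hex(image),
            # each entry commits to the previous one, so a later edit breaks the chain
            "prev": entry_digest(self.entries[-1]) if self.entries else None,
        }
        self.entries.append(entry)
        return entry

    def divergent(self) -> list:
        """Sequence numbers of entries whose copy no longer matches the acquisition hash."""
        return [e["seq"] for e in self.entries if e["hash"] != self.acquisition_hash]

    def chain_intact(self) -> bool:
        """True if no entry has been edited or removed after it was written."""
        for i in range(1, len(self.entries)):
            if self.entries[i]["prev"] != entry_digest(self.entries[i - 1]):
                return False
        return True


def demo_log() -> CustodyLog:
    """Walk the slides' workflow: image, hand to target's counsel, back via a neutral provider."""
    image = bytes(range(256)) * 16        # constructed 4 KiB stand-in for a drive image
    log = CustodyLog("HDD-001", image, "forensic examiner", "2005-11-10T09:00:00Z")
    log.record("sealed copy to target's counsel for privilege review",
               "target's counsel", image, "2005-11-11T14:30:00Z")
    altered = bytearray(image)
    altered[1000] ^= 0x01                 # a single flipped bit on the returned copy
    log.record("copy returned to neutral third-party provider",
               "neutral provider", bytes(altered), "2005-11-18T10:05:00Z")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("divergent entries:", log.divergent())   # [2]: the returned copy differs
    print("chain intact:", log.chain_intact())     # True until someone edits an entry
```

In practice the acquisition hash is recorded at imaging time on a signed form and re-computed whenever the image changes hands, which is exactly what the divergent() check models; the chained prev field is what makes the log itself something an opposing expert can verify rather than take on trust.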

Hard Disk Drive Storage
(diagram sequence)
- Contiguous File #1
- Contiguous File: Additional File #2
- Addit’l Contiguous Files #3, 4 & 5
- Addition to Existing File #3
- Addition to Existing File #1
- Deleted File #2
- New File #6 Added
- Where is Potentially Over-writable Slack Space?
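To answer the question in the diagram, and to make concrete the earlier slides' points that deletion only marks space for overwriting and that slack and unallocated space are recovery locations, here is an added toy model (not code from the deck). It simulates a cluster-allocated disk, replays the diagram's sequence of writes, appends, a deletion and a new file, and then searches unallocated clusters and file slack for remnants of the deleted file. The cluster size, file contents and names are constructed; real file systems behave the same way at 4 KiB clusters and up.

```python
"""Toy cluster-based disk to show where deleted data and slack space survive.

Added example for the slides' hard disk storage sequence; it is not code from the
deck.  The cluster size, the sample file contents and the file names are constructed.
"""

CLUSTER = 64       # assumed cluster size in bytes (real file systems use 4 KiB or more)
N_CLUSTERS = 16    # a tiny disk so the whole layout is easy to inspect


class ToyDisk:
    """Raw media plus an allocation bitmap and a directory (name -> (size, clusters))."""

    def __init__(self):
        self.media = bytearray(CLUSTER * N_CLUSTERS)   # fresh media reads as zeros
        self.free = [True] * N_CLUSTERS
        self.files = {}

    def _alloc(self, n):
        clusters = [c for c in range(N_CLUSTERS) if self.free[c]][:n]
        if len(clusters) < n:
            raise OSError("disk full")
        for c in clusters:
            self.free[c] = False
        return clusters

    def _put(self, cluster, offset, chunk):
        start = cluster * CLUSTER + offset
        self.media[start:start + len(chunk)] = chunk

    def write(self, name, data):
        """Create a file. Only len(data) bytes are copied: whatever the last cluster
        held beyond EOF is left in place, and that tail is the file slack."""
        clusters = self._alloc(-(-len(data) // CLUSTER))   # ceil(len / CLUSTER)
        for k, c in enumerate(clusters):
            self._put(c, 0, data[k * CLUSTER:(k + 1) * CLUSTER])
        self.files[name] = (len(data), clusters)

    def append(self, name, data):
        """Grow a file: fill the tail of its last cluster, then allocate more clusters
        wherever the bitmap has room (so the file may stop being contiguous)."""
        size, clusters = self.files[name]
        new_size, used = size + len(data), size % CLUSTER
        if clusters and used:
            room = CLUSTER - used
            self._put(clusters[-1], used, data[:room])
            data = data[room:]
        extra = self._alloc(-(-len(data) // CLUSTER))
        for k, c in enumerate(extra):
            self._put(c, 0, data[k * CLUSTER:(k + 1) * CLUSTER])
        self.files[name] = (new_size, clusters + extra)

    def delete(self, name):
        """Deletion only flips the bitmap; the bytes stay on the media until reused."""
        _, clusters = self.files.pop(name)
        for c in clusters:
            self.free[c] = True

    def cluster_bytes(self, c):
        return bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER])

    def slack(self, name):
        """Bytes of the file's last cluster past its logical end: invisible to normal
        file APIs, but still on the platter."""
        size, clusters = self.files[name]
        used = size % CLUSTER
        if not clusters or used == 0:
            return b""
        return self.cluster_bytes(clusters[-1])[used:]


def find_remnants(disk, needle):
    """Forensic pass: search unallocated clusters and every file's slack for needle."""
    unallocated = [c for c in range(N_CLUSTERS)
                   if disk.free[c] and needle in disk.cluster_bytes(c)]
    slack = [name for name in disk.files if needle in disk.slack(name)]
    return {"unallocated": unallocated, "slack": slack}


# Constructed content for file #2, the one the slides' sequence deletes.
FILE2 = (b"From: cfo@example.invalid\n"
         b"Subject: Q3 forecast draft v2\n" + b"body " * 20)


def replay_slide_sequence():
    """Replay the slides' storage sequence and return the disk for inspection."""
    d = ToyDisk()
    d.write("file1", b"1" * 100)              # contiguous file #1: clusters 0-1
    d.write("file2", FILE2)                   # additional file #2: clusters 2-4
    for n in (3, 4, 5):                       # files #3, #4, #5: clusters 5, 6, 7
        d.write(f"file{n}", bytes([48 + n]) * CLUSTER)
    d.append("file3", b"3" * 40)              # addition to #3 lands in cluster 8
    d.append("file1", b"1" * 20)              # addition to #1 fits in cluster 1's tail
    d.delete("file2")                         # clusters 2-4 freed, FILE2 bytes untouched
    d.write("file6", b"6" * 40)               # new file #6 reuses cluster 2, overwriting 40 bytes
    return d


if __name__ == "__main__":
    disk = replay_slide_sequence()
    print("file6 slack:", disk.slack("file6"))           # tail of FILE2's first cluster
    print("remnants   :", find_remnants(disk, b"body"))  # {'unallocated': [3, 4], 'slack': ['file6']}
```

The answer to the slide's question falls out of the run: the over-writable slack is the unused tail of the last cluster of every live file, and the deleted file's clusters that no new file has claimed remain fully readable as unallocated space. Note in the output that file #6 overwrote only the first 40 bytes of cluster 2, so the word "forecast" from the deleted message survives as the fragment "recast" in file #6's slack, which is why forensic tools search slack with substring and signature matching rather than relying on intact records.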