New eDisclosure Protocol

Exchanging electronic data in a way that maximises its inherent “value” (facilitating efficient management of the data – including the identification of duplicates, searching, filtering, sorting, grouping, etc.) is more complicated than exchanging paper documents.

The latest – and one of the most promising – attempts to create a protocol framework for disclosure in the electronic age was published by TeCSA – the Technology and Construction Solicitors’ Association – at the start of November 2013.

There is a real need to ensure that the parties work in a way that delivers a defensible, proportionate and efficient disclosure process and, for perfectly understandable reasons, the judiciary’s current understanding of the issues that arise is patchy.

Used properly, the N265 Electronic Documents Questionnaire could cover much of the same ground but, for reasons that aren’t obvious, it has always been an “optional” document – ignored by the substantial majority of lawyers.

The TeCSA Protocol (along with the associated Guidelines) is a positive development, providing a template Disclosure Order for the parties to work within, and will, hopefully, be widely adopted.

Encryption and a loss of innocence…

Encryption software is routinely used to encrypt sensitive data; however, the extent to which we now know that the NSA and other security organisations have sought to develop systems to monitor:

  • Any computers connected to the Internet and
  • All information passing between them

has made it apparent that any system or software that hinders this will be viewed as a problem that needs to be overcome.

To quote the N.S.A.: “In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs…”

One of the most common – and respected – options in the commercial world is TrueCrypt, a popular encryption product that is perceived to be open source and independent.

Bizarrely, although a market leading product, no-one knows who wrote it.

The effect of the recent revelations has been to damage a number of the, perhaps naive, assumptions that many held, including a belief that there was a general entitlement to privacy; in the case of TrueCrypt, that now involves a move to undertake an independent audit.

It isn’t something that is currently “provable” either way but:

  1. looking at what has come out over recent months as a result of the material published and in the light of how the security agencies now appear,
  2. how likely is it that the NSA does not have a means to unlock TrueCrypt encryption (with a not-insignificant risk of the security services of other nation states also having the potential to achieve the same result)?

The Future?

There are ways to implement effective security and, looking to the future, the “price” that the security agencies are likely to pay for the recent revelations is that the consequential loss of trust will cause at least some organisations to reject the traditional approach (that included an assumption that governments and the manufacturers of hardware and software were supportive of a goal to create systems to store data and communicate securely).

Remote data collection

There is a common misconception that it is necessary to physically attend to capture electronic data in a “forensically sound” way (i.e. preserving the material in its original state).

We regularly perform this sort of exercise ‘remotely’ – without the need for a forensic technician to attend on-site.

This saves time, cost and disruption, without compromising on the “defensibility” of the collection.

  • When it is appropriate to rely on the client’s IT staff and/or data custodians to identify the sources of electronic documents to be collected.
  • To provide the additional reassurance of collection using forensic technology/techniques in circumstances where the alternative may otherwise be for the client’s IT staff to perform a ‘do it yourself’ collection.
  • When the client’s IT environment and policies provide sufficient access for us to obtain ‘remote’ access with administrative rights to access and copy data from the identified location(s).

Our standard approach in such scenarios is to arrange for an encrypted hard drive and forensic software (generally FTK Imager or EnCase) to be shipped out to the target location and then use remote access software to “drive” the process of imaging the material that is of interest.

If the volumes are modest and there is a good internet connection we can then retrieve the material using a secure file transfer system.

Otherwise we arrange for the (encrypted) drive to be couriered back to us.

The upshot is that the data can be collected in a way that avoids the cost and expense associated with physically sending a forensic expert to the location where the collection needs to be carried out.

Google – More eDiscovery Ideas

In recent months Google have been adding a lot of polish to their Gmail or Google Mail services, including customizable tabs, improved mail composition and Hangouts, which is an attempt to give mail more of a social media feel. The new look inbox with customizable tabs is of particular interest. The concept is fairly simple:

  1. Your inbox consists of 5 optional tabs including primary, social, promotions, updates and forums.
  2. When you receive a new email Google attempts to assign the email to the appropriate category and therefore makes it available in the relevant tab.
  3. The tabs/categories and what goes into each is fully customizable and if you want to tweak it you can.


Standard v “Targeted” Disclosure

The traditional approach – disclosing all copies of a document that is supportive or adverse to the case of a party – is inappropriate when dealing with electronic, as opposed to hard copy, data.

By way of illustration, the simple act of drafting and sending an email will result in multiple copies of the same document being created that are potentially disclosable including a:

  1. Temporary file on the device used to create the email.
  2. File on the device held by the application used to send the email.
  3. File on the email server that “synchs” with the device.
  4. File held in the “Journal”.
  5. File held in each and every back-up of the email server.
  6. Files held in each subsequent server that is used to relay the message to its recipient(s).
  7. Files held on each device that connects to the server to receive the email.
  8. Files consisting of drafts and partial versions generated during the creation of the email.


The Changing Face of Document Analysis – Cloud Generated Documents in Digital Forensics

In the past few weeks I have been lucky enough to attend both the CEIC conference hosted by Guidance Software, followed by the Techno Security & Forensic Investigations conference hosted by Nuix. Both events were well attended with approximately 1,500 attendees at each with seminars, technical labs, discussion groups and keynotes covering topics from digital forensics, information security, electronic discovery/disclosure and incident response. In addition to this, there was a strong showing from various software and hardware vendors showcasing their latest and greatest technology. It is good to see the industry is progressing consistently and to a high standard.


New CPR rules – format of Disclosure Report

One of the striking aspects of the recently introduced changes has been that, although there is a requirement for those with the conduct of the matter to file and serve a disclosure report, there has been no guidance as to what format that Report should take.

The new Rule 31.5(3) simply provides that, not less than 14 days before the first case management conference, each party must file and serve a report verified by a statement of truth, which:

(a) describes briefly what documents exist or may exist that are or may be relevant to the matters in issue in the case;
(b) describes where and with whom those documents are or may be located;
(c) in the case of electronic documents, describes how those documents are stored;
(d) estimates the broad range of costs that could be involved in giving standard disclosure in the case, including the costs of searching for and disclosing any electronically stored documents; and
(e) states which of the directions under paragraphs (7) or (8) are to be sought

Until recently our advice has been to complete an Electronic Documents Questionnaire – which covers the broad issues and is in a format that will be familiar to the Courts and then keep the actual “report” short – containing just a conclusion and outline of what is proposed. (In this connection it is worth noting that the Rules explicitly contemplate that an EDQ may be served in addition to the Report.)

With a striking lack of fanfare, the Ministry of Justice has now published N263 Disclosure Report Form.

Unfortunately, the Ministry of Justice form in some ways complicates – rather than simplifies – matters.


Data Extraction from the Nokia n900 – The Tricky Maemo OS

As today’s guest contributor, it is my pleasure to introduce Harry Trick, Forensic and eDiscovery Technician at Millnet, and experienced mobile device investigator. Today Harry outlines the problems analysts face when confronted with the Maemo operating system and outlines solutions for extracting and analysing data captured from the Nokia n900.

In the modern era the type of mobile phone desired by consumers has changed from a simple, small device used to keep in touch with a few people through calls and text messages to something with more features and connectivity functions such as email and high-resolution cameras. As the need for more features in mobile devices grew, a new type of phone emerged, the “smart phone”. One of the first companies to release a commercially successful smart phone was Nokia with the N95. This was not however the first incarnation of a Nokia smart phone; before the N95 were a series of phones that included the Nokia N900. The N900 was packed full of the features that business users wanted such as email functionality, games and a very good camera. As well as these features there were several “hidden” features that appealed to hackers such as easily installable customisable applications.


Spotlight on Nuix

As today’s guest contributor, it is my pleasure to introduce Adrian Cassidy, Director of Solution Consultancy EMEA at Nuix, and experienced forensic investigator and a friend of mine from our days working at 7Safe. Today he outlines the data challenge faced by investigators and explains how Nuix Investigator software can tackle the challenges of collecting, processing and searching data, while still harnessing the power of human intuition.

Investigators have to deal with growing volumes of data in an increasing number of digital storage devices and formats. As this trend keeps going, there is simply no way we can keep using the traditional methods of electronic investigation, especially the part about forensically analysing each device. As an industry, we face real challenges in terms of how we collect, process and search data.
