Nuix webinar presentation: See the bigger picture faster – early case assessment (ECA) best practices

See the Bigger Picture Faster

Early Case Assessment Best Practices

23 November 2016 Copyright Nuix 2016 2

Presenters

Aidan Jewell, Solutions Consultant, Nuix

Aidan joined Nuix in 2014, bringing a decade of digital forensic investigation experience to

the EMEA team. As a Solutions Consultant, Aidan is responsible for pre and post sales

technical consultation, in addition to sharing his Nuix and investigations experience and

expertise with clients through workshops and the Nuix Bytes YouTube channel.

Carl Barron, Senior Solutions Consultant, Nuix

Carl has joined the company in March 2012. He provides pre and post-sale consultancy,

technical support and solution implementation. Carl brings a wide variety of knowledge in

both hardware and software with an enthusiast approach to help customers improve

workflows. Prior to joining Nuix, Carl worked as a Forensic Technician for a leading

Litigation Support Vendor in London.


Session Agenda

• Introduction

• Outline of current problem (Data Volumes)

• What is ECA?

• Benefits of ECA

• Tiered Processing

• Early Access & Collaboration

• Visuals

• Advanced ECA Features

• Summary

Outline of the current problem


Data volumes and filing in 1986

1986 – back in the good old days…

• Dictate, approve, and send and perhaps 50 documents per day

• All documents received and carbon copies of documents sent were filed

• We had desk diaries

• Some firms kept a central book for attendance notes of important

discussions

• In a couple of days you could read into the documents – involving up to,

say, 2,000 documents - 2 metres of shelf space


Data volumes and filing in 2016

2016 – surrounded by technology…

• Send and receive by email hundreds of documents each day, with

still larger volumes of material coming in via SFTP

• Copies are saved all over the place (and on multiple devices)

• Yet more lurking “in the Cloud”

• Jebb Bush’s email dump – 1,800,000 emails - over a kilometre of

shelf space


Data everywhere

1 Email from me to you…


Data everywhere

1 Email from me to you…~12 copies

Copyright Nuix 2015 923 November 2016

Data Volume

Year 2000

=

20GB Hard Drive 6 Rooms


Data Volume

Year 2016

=

1TB Hard Drive 300 Rooms

What is ECA (Early Case Assessment)?


What is ECA?

Definition

• An industry-specific term generally used to describe a variety of tools or methods for investigating and

quickly learning about a Document Collection for the purposes of estimating the risk(s) and cost(s) of

pursuing a particular legal course of action. 1

• A widely abused term in which corporate data is sifted and categorised with a view to determining an

organisation's exposure in the context of a dispute. The best ECA systems allow the sifting to take place

within a corporation's own data store and can be used to drill down rapidly to identify the most pertinent

evidentiary material and to facilitate decisions whether to litigate or settle. 2

1.Maura R. Grossman and Gordon V. Cormack, EDRM page & The Grossman-Cormack Glossary of Technology-Assisted Review, with Foreword by John M. Facciola, U.S. Magistrate

Judge, 2013 Fed. Cts. L. Rev. 7 (January 2013). ↩2.LitSavant Ltd., Glossary, http://www.litsavant.com/full-glossary.aspx ↩

http://www.edrm.net/resources/glossaries/grossman-cormack/eca#note-14961-1

http://www.edrm.net/resources/glossaries/grossman-cormack/eca#note-14961-2

http://www.edrm.net/13770

http://www.fclr.org/fclr/articles/html/2010/grossman.pdf

http://www.fclr.org/fclr/articles/

http://www.edrm.net/resources/glossaries/grossman-cormack/eca#return-note-14961-1

http://www.litsavant.com/full-glossary.aspx

http://www.edrm.net/resources/glossaries/grossman-cormack/eca#return-note-14961-2

Why Early Case Assessment?


Why ECA?

• Case Strategy

• Reduce Risk

• Reduce Cost

• Fight or settle?

• Drive into facts of the data

• Proactively manage litigation


Proportionality

• Budgets are limited

• Courts increasingly keen to avoid traditional, standard, disclosure

• Need to cull multiple copies

• Equally, where appropriate, ensure the full history of documents is

recovered

• Involving forensic experts to collect the documents is expensive and feels

like “overkill” (and is both expensive and disruptive)


Early Case Assessment

• Often just a simple investigation

• Over 95% of disputes settle rather than proceed to a hearing

• The key issues are always the same:

– Resource

– Investigate further or stop?

– Fight or flee?



• Numbers, Statistics & Predicting the cost of review

• Investigative Review

• Drive into facts of the data

• Fight or settle?

• Transition into review after

• Case Strategy

Triage & Tiered Processing


Triage


Tiered Processing

Tier 1

Tier 2

Tier 3

Tier 4

Metadata and Thumbnails

- Identify key files/exhibits/timelines for deeper processing

- 80-90% of the total files (no logs, for example)

Process Text, Extract Entities, Near Duplication

- Performed on tagged items (documents, communications etc.)

- 20-40% of the total files

Forensics

- Analyse registry, slack space etc.

- 1-5% of the total files

Carving

- Smart carving of unallocated clusters

- 1% of the total files

90-95% of Cases

finish here


Sample Tier 1 Processing Settings

In the ‘MIME Type Filtering’ tab deselect the following:

Spreadsheets CSV files (deselect Descendants)

System Files Microsoft Registry Decoded Data

Microsoft Registry Key

Containers Java Archive

Microsoft Registry File

No Data Inaccessible Content

Logs All



These settings will be run across only those files selected

for deeper analysis. This will populate the Full Text Indices

for those files, as well as allow for Near Duplicate

highlighting, entity extraction and analysis/linking, and

enhanced multimedia filtering.

In the ‘MIME Type Filtering’ tab deselect the following:

Spreadsheets CSV files (deselect Descendants)




Microsoft Registry File


Logs All



These settings are designed to bring registry analysis and file slack

examination into the investigation, only for those exhibits that

require this deeper level of interrogation.

It also prepares the Unallocated Clusters for intelligent carving by

hashing them.

In the ‘MIME Type Filtering’ tab TICK the following:



Containers Microsoft Registry File

Depending on the investigation, you may wish to also TICK:



Logs All



This final tier is for intelligent carving of Unallocated

Clusters.

By identifying and selecting only those ‘chunks’ of UC that

contain data (via hash comparison), carving can be

accomplished 60-80% quicker than if you were to run

carving over all of the UC.


Quality Checking Your Data

Corrupted Items/Containers

May also contain encrypted TrueCrypt containers

Non-searchable PDFs

PDFs with no text layer!

Bad Extension

Where the file extension doesn’t match the signature

Encrypted

Files/containers Nuix believes to be encrypted

Not Processed

Poisoned Items

Items that cause workers to get stuck in a loop

Early Access & Collaboration






“Victorious warriors win first and then go to

war, while defeated warriors go to war first

and then seek to win.”

― Sun Tzu



Index Data

Export Data

Import Data

Review Data

NUIX WORKSTATION

NUIX DIRECTOR

REVIEW PLATFORM

EXPORT + REPORT



Index Data/ECA

Review Data

NUIX WORKSTATION

NUIX DIRECTOR

NUIX WEB REVIEW & ANALYTICS





Visualisation


Visualisation

[1] Ben Shneiderman, “Research Agenda: Visual Overviews for Exploratory Search”, National Science Foundation workshop on Information Seeking Support Systems, June 26-27, 2008

“The purpose of visualisation is insight, not pictures.” [1]


Visualisation


Visualisation

Analysing Minard's Visualisation Of Napoleon's 1812 March

https://robots.thoughtbot.com/analyzing-minards-visualization-of-napoleons-1812-march


Visualisation

• What does this tell us?

– Lots of data

– Comms in 2000, 2004, 2014

– Lots of recipients

• Much more context

– 2 key communicators

– 3 separate networks

Can this inform better

analysis & review?


Visualisation

• A quick look reveals

– 4 primary sources

– Connect money values

– 3 Countries

– 3 Companies

• Did we expect this?

• Can this inform better

analysis & review?


Visualisation


Visualisation


Visualisation


Visualisation


Visualisation


Visualisation


Visualisation


DEMO

Automatic identification of relevant information

Visualise Links between items/suspects (Pulling a

thread)


Visualisation


Visualisation

Advanced ECA Techniques


Cluster Runs

Group documents and emails together

into numerous ‘clusters’ decided by

similarity or thread


Cluster Runs


Search and Tag

Allows Nuix to automatically tag

items respondent to queries

Can import/share pre-

defined S&T templates

in CSV format


Digest/Hash Lists

Digest Lists

Automatically identify files in your

dataset that match by MD5

Shingle Lists

Automatically identify near-duplicates

Word Lists

Automatically identify files containing

keywords

Fuzzy Hash Lists

Compares SSDeep hashes to identify

potential malware


Automatic Classifiers – Predictive Coding

Nuix can learn how you tag

items, and once it has built up

a sufficient model, can use

that to automatically tag un-

reviewed items.

Summary



Five Practical Tips for Data Analytics in Early Case Assessment

1. Find Out What You Have

2. Look for Issues in the Data

3. Learn what your key players hold

4. Answer the Who, What and When

5. Reduce the noise


Summary

• The challenge to investigate and come to quick conclusions is will

always exist.

• The traditional approach - reading everything - is no longer an option

• The intermediate solution of coming up with keywords fails as

volumes of data continue to increase – proportionality..

• The ability of Nuix to ingest data from multiple sources, filter out

duplicates and irrelevant - and home in on the relevant – material

make it an indispensible investigation and review tool

FIND OUT MORE:

nuix.com/blog

facebook.com/nuixsoftware

linkedin.com/company/nuix

twitter.com/nuix

youtube.com/nuixsoftware

November 23, 2016 COPYRIGHT NUIX 2015 58

nuix.com

https://www.nuix.com/white-papers/early-case-assessment-evolving-from-tactical-to-practical

https://www.nuix.com/white-papers/early-case-assessment-evolving-from-tactical-to-practical

Your way forward

Nuix training courses are designed to help

you unlock the full potential of your Nuix

investment and achieve great results, fast.

View our course options online at:

nuix.com/training

Right tool + right way = right results faster

Data & Analytics

Nuix webinar presentation: See the bigger picture faster – early case assessment (ECA) best practices