©2020 - 4Discovery
eDiscovery & Forensics in the Cloud
4DISCOVERY EDISCOVERY & FORENSICS IN THE CLOUD
“The Cloud”
● “The Cloud” is just having someone else host an application for you
○ You pay a fee for the service/software (SaaS)
○ No longer have to purchase hardware, worry about updates/backups, scalability, networking, etc.
○ Higher availability, and you can usually access your data from anywhere!
● This also typically means that users can log in and access data from any computer anywhere, which makes theft easy
● Availability of access logs can be limited, and they may not contain all the info you need
● This data is discoverable and all the rules of evidence apply
Examples of Cloud Services
Cloud on Cloud
The Importance of Cloud Data
● Flexera 2020 State of the Cloud Report
○ 61% of businesses plan on migrating more workloads to the cloud
○ Over half of respondents said COVID is accelerating their use of the cloud
● Almost everything is electronically stored, and the data can show:
○ Data Points
■ When employees access systems, edit documents, upload data, export reports from cloud services, etc.
■ Amount of time people spend viewing documents
■ IP addresses, failed login attempts, and other important security information
○ Substantive information, admissions
■ Emails / Texts – to combat “revisionist history”
■ Policies / Practices – official and unofficial
■ Other internal documents
How is this Different?
Documents Have Changed
● When we think of a document, we think of a Microsoft Word file stored on a computer
● Cloud based documents often have to be converted to a usable format
● May contain features that are only available in their native environment
Documents Have Revisions & History
● Dates & Metadata Differ - We’re used to created/modified/accessed dates and Author, Last Printed, Saved, etc.
● Cloud services can have any number of metadata fields, with no standardization
● Documents in the Cloud may have unlimited versions and authors/contributors available
Cloud Services and Cloud Data work together; functionality can be reduced when producing.
Storage Has Changed
● Computer hard drives and USB storage aren’t everything...
Computer and Cloud are Merging
Forensics In the Cloud
Browsing History
● All modern browsers maintain a history of your browsing activity
○ Chrome can even sync your browsing history to your Google account
● In addition, browsers maintain a “cache”, which can be full copies of the web pages that you’ve viewed
● Microsoft, Chrome, and Firefox all behave differently when it comes to SSL pages (i.e. 🔒https://…)
○ Cache-Control: no-store/no-cache headers are site specific, and browsers will handle disk caching differently for each
● Virtually all web browsers now include a “private browsing” mode that, in addition to preventing browsing history from being retained, disables the disk cache entirely.
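Browser history is where a cloud collection often starts, because it shows which services a custodian used. As an added example (not part of the 4Discovery deck), the Python below builds a small Chrome-style History database in memory, converts Chrome’s WebKit-epoch timestamps to UTC, and flags visits to cloud storage hosts; the host list and the sample rows are constructed assumptions.

```python
# Added example (not from the 4Discovery deck): read a Chrome-style History
# database, convert WebKit timestamps to UTC and flag visits to cloud services.
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome keeps urls.last_visit_time as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed, illustrative host list; extend it for the services in your matter.
CLOUD_HOSTS = {
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Docs",
    "www.dropbox.com": "Dropbox",
    "onedrive.live.com": "OneDrive",
    "app.box.com": "Box",
}


def webkit_to_utc(value: int) -> datetime:
    """Convert a WebKit/Chrome timestamp (microseconds since 1601) to UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def utc_to_webkit(when: datetime) -> int:
    """Inverse of webkit_to_utc; used here only to build the sample database."""
    return (when - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the urls table of a Chrome History file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_time INTEGER)"
    )
    rows = [
        ("https://www.dropbox.com/home/Clients", "Clients - Dropbox", 12,
         datetime(2020, 9, 14, 15, 2, 7, tzinfo=timezone.utc)),
        ("https://docs.google.com/document/d/abc123/edit", "Q3 plan", 4,
         datetime(2020, 9, 14, 16, 40, 0, tzinfo=timezone.utc)),
        ("https://www.example.org/news", "News", 30,
         datetime(2020, 9, 15, 8, 0, 0, tzinfo=timezone.utc)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?,?,?,?)",
        [(u, t, c, utc_to_webkit(w)) for u, t, c, w in rows],
    )
    return conn


def cloud_visits(conn: sqlite3.Connection) -> list:
    """Visits to known cloud hosts, newest first, with ISO-8601 UTC timestamps."""
    found = []
    query = "SELECT url, title, visit_count, last_visit_time FROM urls"
    for url, title, count, raw_ts in conn.execute(query):
        service = CLOUD_HOSTS.get(urlparse(url).hostname or "")
        if service is None:
            continue  # not a cloud service we track
        found.append({
            "service": service,
            "url": url,
            "title": title,
            "visit_count": count,
            "last_visit_utc": webkit_to_utc(raw_ts).isoformat(),
        })
    found.sort(key=lambda r: r["last_visit_utc"], reverse=True)
    return found


if __name__ == "__main__":
    for row in cloud_visits(build_sample_history()):
        print(f'{row["last_visit_utc"]}  {row["service"]:<12} {row["url"]}')
```

Point `sqlite3.connect` at a copy of a real History file (never the live one) and the same `cloud_visits` query applies unchanged.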
Mobile Data
● All modern mobile devices allow for backups to the Cloud
● Call Logs, SMS/MMS, Chats, Internet History, Calls, Calendar (and more) are all available without access to the device
Collecting & Preserving Cloud Data
Scoping & Planning
● It all goes back to scope…
○ What do you need?
○ Why do you need it?
○ What do you need to prove with this data?
● Talk to your vendor about the cloud service you would like to collect from:
○ What methods of collection are available?
○ What data/fields are available?
○ Is the cloud collection “good enough?”
○ Is the metadata going to be accurate?
○ Is timeliness a factor?
○ Do you need a subpoena?
Reminder: This data is constantly syncing and changing as users interact with it
Developing A Plan
● Lit Holds / Preservation Requests
○ Make sure these are specific and timely
● Subpoenas / Discovery Requests
○ Have good definitions
○ Ask for specific data over specific timeframes
■ Be ready to articulate a valid reason why you are asking for these items
○ The methods by which you request and produce Cloud data will vary; update your protocols to match.
■ e.g. The latest revision of Google Docs will be produced in Word format
● Protocols
○ Include an expert!
■ Often, things are agreed upon that are not technically feasible
○ Make sure to think about it holistically
■ EDRM
Litigation Holds
● Cloud data can be subject to a legal hold, just like any other ESI. Be specific in the types of records and timeframe that you are requesting
● Cloud data and associated logs do not stay around forever, and it can be difficult to do an “in-place hold” on the data.
● Once it’s gone, recovery is usually impossible, even through subpoenas
Exporting Data
● Many platforms have enabled a profile download feature for users
○ Some of these are very similar to productions from Law Enforcement subpoenas
○ Require cooperative access to the account to request
● The ability to export data from a service is highly variable
○ As the adoption of cloud services has increased, many platforms have added profile download options
○ Privacy laws (GDPR, CCPA)
○ A few reasons why: to give clients continuity and avoid subpoenas
● Many sources now have an export feature
○ e.g. Google Takeout, Facebook Profile Download
● Export may be in raw form but may not be easily readable
○ e.g. Slack is in JSON, Gmail is in MBOX with no folders
● Often, it takes extra time and effort to convert them to easily readable forms
Cloud Services v Other ESI
● Options / Settings
○ The amount of data, and the duration of access, may depend on subscription levels (Slack, O365)
○ Office 365 Advanced eDiscovery requires an E5 license
○ Data Loss Prevention (DLP) and eDiscovery exports in Slack require an Enterprise license
● Ownership of Hardware
○ Rather than being on physical media in the control of the organization, it is typically stored on hardware that belongs to the service provider
○ You don’t access that hardware for data collection
● Data Storage & Access
○ Most Cloud services export data in a “raw” format that requires additional manipulation to be usable
APIs
● Application Programming Interface (API) - Communication protocol between a client/user and a service.
● The Cloud service exposes and defines a method to communicate with the service from an application or custom program.
○ dropbox.listfiles('/Photos/', recursive = True, include_deleted = True)
● API data can go both ways…
○ The API may provide you with information that is not visible to the end user
○ The service may have features in the software that are not accessible through the API
● Some APIs may not be documented (iCloud) and require tons of research to access
● Depending on the Cloud provider, and what data you are interested in... some custom programming may need to be done
Crawl/Capture
● You may not have an API; they change all the time
● It may be just a collection of web pages
○ Most modern web pages are not static content
● Audio/Video (Click to Play)
● Ads & Banners can be different based on cookies and past browsing history
● Interactive Pages requiring User input
● Unlimited Scroll Pages
● May require you to capture to PDF or image format
○ Timestamp and Hash for Authentication
Deleted Data
● We’re not Gods
○ You can’t just email a person at Google to help with your legal issue
○ Microsoft has certain data they won’t give you
○ Facebook doesn’t take support calls
● Deleted data is not the same in the cloud
○ On devices, we typically look at unallocated space and other artifacts
● With cloud data, you are at the mercy of the service provider
● Everything isn’t available
○ Example: Deleted G Suite Gmail messages are recoverable within 25 days
● Need to be aware of limitations up front
Collection Gotchas!
● You don’t control everything
○ Logs and other important data may not be available
● Rate Limiting
○ ZenDesk allows only a certain number of API calls before you get throttled
● Data Access & Credentialing
○ Do you have proper access to do the collection?
● Two-Factor
○ Can you reach the person you need to contact in a timely fashion?
● Encryption
○ WhatsApp/Signal/Wickr and other apps may be more difficult to collect
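The API slide (paging a folder listing with include_deleted) and the rate-limiting gotcha above come together in a collector. This added example is not code from the deck or from any provider’s SDK: a constructed FakeListingService stands in for a cursor-paged list-folder API and throttles every third call, and the collector retries using the interval the service asks for while recording a SHA-256 and UTC acquisition time for each item so the collection can be authenticated later. RateLimited, ListPage and the sample entries are assumptions.

```python
# Added example (not 4Discovery's code): page through a cloud "list folder" API
# while honouring rate limits, and record a hash + UTC timestamp per item.
import hashlib
import time
from collections import namedtuple
from datetime import datetime, timezone

ListPage = namedtuple("ListPage", "entries cursor has_more")


class RateLimited(Exception):  # raised by the (fake) service on throttling (HTTP 429 style)
    def __init__(self, retry_after: float):
        super().__init__(f"rate limited, retry after {retry_after}s")
        self.retry_after = retry_after


class FakeListingService:
    """Constructed stand-in for a provider SDK: two entries per page, optional
    deleted entries, and every third call throttled to exercise the retry path."""
    def __init__(self, entries: list):
        self._entries = entries
        self.calls = 0

    def _page(self, start: int, include_deleted: bool) -> ListPage:
        self.calls += 1
        if self.calls % 3 == 0:
            raise RateLimited(retry_after=0.01)
        visible = [e for e in self._entries if include_deleted or not e["deleted"]]
        nxt = start + 2
        return ListPage(visible[start:nxt], f"{nxt}:{int(include_deleted)}", nxt < len(visible))

    def list_folder(self, path: str, include_deleted: bool = False) -> ListPage:
        return self._page(0, include_deleted)

    def list_folder_continue(self, cursor: str) -> ListPage:
        start, inc = cursor.split(":")
        return self._page(int(start), inc == "1")


def call_with_backoff(fn, *args, max_retries: int = 5, sleep=time.sleep):
    """Retry a throttled call, waiting the interval the service asked for (capped)."""
    for attempt in range(max_retries + 1):
        try:
            return fn(*args)
        except RateLimited as err:
            if attempt == max_retries:
                raise  # give up and surface the throttling to the operator
            sleep(min(err.retry_after, 30.0))


def collect_listing(service, path: str, include_deleted: bool = True) -> dict:
    """Walk every page; each row carries SHA-256 + acquisition time for later authentication."""
    items = []
    page = call_with_backoff(service.list_folder, path, include_deleted)
    while True:
        for entry in page.entries:
            items.append({
                "path": entry["path"],
                "deleted": entry["deleted"],
                "sha256": hashlib.sha256(entry["content"]).hexdigest(),
                "acquired_utc": datetime.now(timezone.utc).isoformat(),
            })
        if not page.has_more:
            break
        page = call_with_backoff(service.list_folder_continue, page.cursor)
    return {"path": path, "items": items, "api_calls": service.calls}


SAMPLE_ENTRIES = [  # constructed data standing in for a custodian's folder
    {"path": "/Photos/a.jpg", "deleted": False, "content": b"a"},
    {"path": "/Photos/b.jpg", "deleted": True, "content": b"b"},
    {"path": "/Photos/c.jpg", "deleted": False, "content": b"c"},
    {"path": "/Photos/d.jpg", "deleted": False, "content": b"d"},
    {"path": "/Photos/e.jpg", "deleted": True, "content": b"e"},
]
```

Run `collect_listing(FakeListingService(SAMPLE_ENTRIES), "/Photos/")` to see the manifest; with a real SDK, substitute its list and continue calls and its own throttling exception in place of the fake ones.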
Legal Issues
Potential Spoliation
● Cloud data doesn’t exist forever
○ Accounts are closed for inactivity
○ Accounts are locked
○ Accounts are terminated for violating TOS
● Service provider changes
○ Did you actually get “everything” before you closed the account?
● Cloud services change… new features are added, old ones are discontinued
● Service provider closing / discontinuation of support
○ Remember Yahoo Messenger?!
● Loss of Verification/Login Access
○ e.g. new phone number, new email address
● Case Study: Yahoo has announced plans to discontinue the vintage chat service on July 17, 2018.
2015 Amendments to FRCP
● Rule 37(e)(1) & (2) Spoliation and Curative Measures: Where ESI "that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery", upon a showing of prejudice a court "may order measures no greater than necessary to cure the prejudice." If the conduct is intentional, a court may (A) "presume that the lost information was unfavorable to the party"; (B) "instruct the jury that it may or must presume the information was unfavorable to the party" (adverse inference / spoliation instruction); or (C) "dismiss the action or enter a default judgment."
2018 CLOUD Act
● The CLOUD Act amends a U.S. privacy law known as the Stored Communications Act (SCA), which restricts the disclosure of stored electronic data to third parties, including the U.S. government.
● Requires that certain internet-based service providers subject to U.S. jurisdiction disclose the contents of … an “electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States”
● It explicitly authorizes U.S. law enforcement to obtain data held by U.S. Cloud Service Providers (“CSPs”) regardless of where in the world the data is physically stored.
Opposing Data
● The easiest way to get access to data in a Cloud account is through a well crafted discovery request
○ Many Cloud providers have a “takeout” feature
● Cloud accounts… deactivated vs deleted
○ Deactivated accounts can be brought back online at any time
○ Deleted accounts may still be able to be reactivated within a period of time
● Processes exist to gain access to accounts for deceased Custodians
○ A few social media sites allow you to ‘memorialise’ an account
Twitter does not currently offer account holders a self-serve method to obtain other, nonpublic information (e.g., IP logs) about their Twitter accounts. If a Twitter user requires his or her non-public account information, please direct the user to request this information directly from Twitter, Inc. by sending an email to [email protected] with subject: Request for Own Account Information; we will respond with further instructions.
Subpoenas
● Facebook v. Superior Court of the City and County of San Francisco (2018)
○ Refused the subpoenas, arguing they could not disclose the information under the federal Stored Communications Act. However, the California Supreme Court said there was an exception for "lawful consent" under Section 2702 of the Act.
● Serving Civil Subpoenas on Cloud providers can be difficult; users may be notified
● Check the Terms of Service (ToS) and research Law Enforcement guides
● Keep requests limited. You will need a user ID or other unique identifier
Analyzing, Producing, & Reviewing Cloud Data
Dealing with Cloud ESI
● Office Documents and Email are formats most people are familiar with
● Cloud data is usually meant to be used with a specific service; the data extracted is typically not in a format that you can just double-click on and review
○ See the Slack JSON example to the right
● Your discovery protocols should deal with this… especially if a privilege review is needed or redactions are required
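The Slack JSON example the slide refers to is not reproduced in this copy, so here is an added example (not from the deck) of the conversion work described on the Exporting Data slide: it takes a constructed Slack export (users.json, channels.json and one JSON file per channel per day, the layout Slack’s workspace export uses) and flattens it into a time-ordered, name-resolved transcript. The workspace, users, channel and messages are made up.

```python
# Added example (not from the deck): flatten a Slack export into a time-ordered
# transcript a reviewer can read. The export is constructed inline below.
import json
import re
from datetime import datetime, timezone

# Constructed stand-in for the files of a Slack export, keyed by relative path:
# users.json and channels.json at the top, then <channel>/<YYYY-MM-DD>.json.
SAMPLE_EXPORT = {
    "users.json": json.dumps([
        {"id": "U01AAA", "name": "jdoe", "real_name": "Jane Doe"},
        {"id": "U01BBB", "name": "rroe", "real_name": "Richard Roe"},
    ]),
    "channels.json": json.dumps([{"id": "C01", "name": "project-x"}]),
    "project-x/2020-09-14.json": json.dumps([
        {"type": "message", "user": "U01AAA", "ts": "1600095600.000100",
         "text": "<@U01BBB> can you upload the signed contract?"},
        {"type": "message", "user": "U01BBB", "ts": "1600095660.000200",
         "text": "Done, see attached",
         "files": [{"name": "contract_signed.pdf", "filetype": "pdf"}]},
    ]),
    "project-x/2020-09-15.json": json.dumps([
        {"type": "message", "subtype": "channel_join", "user": "U01AAA",
         "ts": "1600182000.000300", "text": "<@U01AAA> has joined the channel"},
    ]),
}

MENTION = re.compile(r"<@(U[A-Z0-9]+)>")  # Slack encodes @mentions as <@Uxxxx>

def load_users(export: dict) -> dict:
    """Map Slack user ids to display names (real_name, else handle)."""
    return {u["id"]: u.get("real_name") or u["name"]
            for u in json.loads(export["users.json"])}

def slack_ts_to_utc(ts: str) -> str:
    """Slack `ts` is Unix seconds.microseconds stored as a string."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(timespec="seconds")

def flatten_export(export: dict) -> list:
    """Every message as one flat row, oldest first, ids resolved to names."""
    users = load_users(export)
    channels = {c["name"] for c in json.loads(export["channels.json"])}
    rows = []
    for relpath, body in export.items():
        parts = relpath.split("/")
        if len(parts) != 2 or parts[0] not in channels:
            continue  # skip the top-level metadata files
        for msg in json.loads(body):
            if msg.get("type") != "message":
                continue
            text = MENTION.sub(lambda m: "@" + users.get(m.group(1), m.group(1)),
                               msg.get("text", ""))
            rows.append({
                "channel": parts[0],
                "ts": msg["ts"],
                "utc": slack_ts_to_utc(msg["ts"]),
                "author": users.get(msg.get("user"), msg.get("user", "?")),
                "subtype": msg.get("subtype", ""),
                "text": text,
                "files": [f["name"] for f in msg.get("files", [])],
            })
    rows.sort(key=lambda r: (float(r["ts"]), r["channel"]))
    return rows

def render(rows: list) -> str:
    """Plain-text transcript: one line per message, ready for review or export."""
    lines = []
    for r in rows:
        attach = f" [files: {', '.join(r['files'])}]" if r["files"] else ""
        tag = f" ({r['subtype']})" if r["subtype"] else ""
        lines.append(f"{r['utc']} #{r['channel']} {r['author']}{tag}: {r['text']}{attach}")
    return "\n".join(lines)
```

`print(render(flatten_export(SAMPLE_EXPORT)))` shows the transcript; for a real export, build the dict by reading each file under the unzipped export directory.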
Cloud Data and the EDRM
● Processing
○ Since some of this data is collected in an unstructured format, it needs to be processed to prepare it for review
● Review & Analysis
○ How are you going to ingest the data?
○ Are there special considerations for priv review?
● Production
○ What format does it need to be in?
○ Does this data need to be redacted?
○ Do you need load files?
So...
Takeaways
● Nearly every person and company has some data in the Cloud
● Cloud data is vastly different than traditional ESI from a computer
○ Formats may need to be converted for usability/review
○ Typical metadata fields will need to be changed
● The service provider controls the type and duration of logs that are available
○ Get them while you can
○ Can be based on your service plan
● The Cloud doesn’t have free/unallocated space where deleted data can be retrieved
○ Spoliation can easily happen
● Preserving a computer may not get you all the data/documents
● Internet/Browser History can provide clues as to the types of cloud storage being used
● Preserve using the API or export functions from the service provider; screen capture as a last resort
● Ensure your discovery protocols are focused and based on reality
About 4Discovery
● B2B digital forensics firm that provides organizations and attorneys with digital forensic, information security, and electronic discovery services.
● Our forensic experts have decades of experience helping attorneys and organizations gain valuable insight from electronic data.
● We have worked on projects of all sizes from imaging and analyzing one phone to imaging and analyzing hundreds of devices across five continents. Our client roster includes government organizations, companies and law firms of every size, and forensic and eDiscovery vendors.
● Clients appreciate our innovative customized solutions as well as our timely response. As a result, most of our new business comes from repeat clients and client referrals.
● Follow our company page on LinkedIn for the latest advisories, updates, and insights.
Rules of Electronic Discovery
2015 Amendments to FRCP
● Rule 26(b)(1) Proportionality: Requested discovery (including ESI) must be relevant "and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit."
Obligatory Stats & Trends Slide
● According to IDG’s 2018 Cloud Computing Survey,
○ 73% of organizations had at least one application in the cloud
○ 17% planned to have one within the next 12 months
● According to IDC’s Data Age 2025 report,
○ They estimated there are 33 Zettabytes of data across all media types
○ They expect it will grow to 175 Zettabytes by 2025
○ They expect 49% of this will be in the cloud
● According to Canalys’ Cloud Channel Analysis from April 2019,
○ The global worldwide cloud infrastructure service market grew 42% in Q1 2019
FRCP
● Fed.R.Civ.P. 26(f)(2) (Conference Content; Parties’ Responsibilities): “In conferring, the parties must... discuss any issues about preserving discoverable information; and develop a proposed discovery plan.”
● Fed.R.Civ.P. 26(f)(3) (Discovery Plan): “A discovery plan must state the parties’ views and proposals on … (C) any issues about disclosure or discovery or preservation of electronically stored information, including the form or forms in which it should be produced.”
FRCP
● Fed.R.Civ.P. 34(b)(1)(C): [A] party requesting production of ESI “may specify the form or forms in which electronically stored information is to be produced.”
● Fed.R.Civ.P. 34(b)(2)(E)(ii): “(i) A party must produce documents as they are kept in the usual course of business or must organize and label them to correspond to the categories in the request; (ii) If a request does not specify a form for producing electronically stored information, a party must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms; and (iii) A party need not produce the same electronically stored information in more than one form.”
Inherent Authority
● Inherent Authority: The Court also retains discretion to award monetary sanctions (including costs of bringing the matter to the Court’s attention), order a permissive spoliation jury instruction, bar the use of evidence, and allow additional depositions (or re-depositions). See, e.g., Flair Airlines v. Gregor, LLC, 2018 WL 8445779, at *2 (N.D.Ill. Dec. 14, 2018) (citation omitted) (“courts have the inherent power to impose sanctions against a party or counsel for the failure to preserve or produce documents.”)
Northern District of Illinois MIDP
● Timing: Must list, describe and identify location of ESI relevant to claims and defenses, and produce within 40 days after serving initial response
○ Continuing duty to supplement within 30 days after information discovered
● Presumptive Format: Unless the parties agree or the Court orders otherwise, a party must produce ESI in the form requested by the receiving party
● Must Confer and Attempt to Agree on ESI Disclosure / Production, including:
○ the requirements and limits on the preservation, disclosure, and production of ESI
○ appropriate ESI searches, including custodians and search terms, or other use of technology assisted review; and
○ the form in which ESI will be produced
● Resolving Disputes: If the parties are unable to resolve any dispute regarding ESI and seek resolution from the Court, they must present the dispute in a single joint motion or, if the Court directs, in a conference call with the Court. Any joint motion must include the parties’ positions and the separate certification of counsel required under Rule 26(g).
Orders Governing ESI
● Fed. R. Civ. P. 26(c)(1): The Court can enter a protective order to limit discovery “for good cause shown ... to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense.”
● Fed. R. Civ. P. 26(b)(2)(B): “A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On motion to compel discovery or for a protective order, the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C).”
Orders Governing ESI
● Fed. R. Civ. P. 26(b)(2)(C): Once a party makes a showing under Fed. R. Civ. P. 26(b)(2)(B), a court still may allow the discovery if the requesting party shows good cause. However, the Court may still limit the discovery if it is unreasonably cumulative or duplicative, can be obtained from some other source that is more convenient, less burdensome, or less expensive, the party seeking the discovery has had ample opportunity to obtain it, or it is not relevant or is otherwise disproportional to the needs of the case within the meaning of Rule 26(b)(1).
● Exemplars of Protective Order and Order Governing ESI (after Parties have completed substantial work). City of Rockford v. Mallinckrodt ARD Inc., 326 F.R.D. 489 (N.D.Ill. 2018); Kleen Products, LLC v. Packaging Corp. of America, 2012 WL 4498465, at *19 (N.D.Ill. Sept. 28, 2012).
The Importance of eDiscovery
● Why is ESI Discovery (eDiscovery) so critical in employment cases?
● Almost everything is electronically stored, and the data can show:
○ Data Points
■ When employees clock-in and out, input certain data, enter certain areas (i.e., badge swipes), perform certain tasks
■ Amount of time employees are clocked-in and out (exact and averages)
■ Does employer include commissions/bonuses in overtime rate?
■ Extrapolate / Statistical significance
○ Substantive information, admissions
■ Emails / Texts – to combat “revisionist history”
■ Policies / practices – official and unofficial
■ Other internal documents
The Importance of eDiscovery
● Because of what the data does not show (examples from pay disparity, wage cases)
○ Employer doesn’t track reasons for starting pay (pay disparity)
○ Employer doesn’t establish basis for classification as exempt
○ Employer doesn’t record all time worked (off-the-clock and misclassification)
○ Data is inaccurate or unreliable (multiple clock-ins on same date, employees clocking out before clocking in, employees clocking-in before entering workplace)
○ Data goes back only a certain amount of time
○ Data cuts off after a certain amount of time or has gaps
○ Data shows ongoing, uncorrected issues (future claims)
○ Data is otherwise incomplete
The Importance of eDiscovery
● Because of less obvious information the data may show (not just data itself, but how data is maintained)
○ To show data holder passed responsibility for inputting, processing or maintaining data to third-parties
○ To show data holder is capable of doing it properly (ex: employer tracks other employees properly, employer pays other employees properly, employer’s system has the capability of tracking all time worked)
○ To show data holder did things differently in past
○ To show data holder is sophisticated/knowledgeable (to show willfulness, lack of good faith)
○ To show data holder is negligently, recklessly or deliberately using an archaic system
○ To force change (injunctive relief) or prove successful result (force a “voluntary” change)
The Importance of eDiscovery
● Because of even less obvious information the data may show
○ Evidence of other claims (related or otherwise)
○ Often happens when data originates or is stored in multiple locations: (1) inconsistencies; (2) disorganization; and (3) other wrongdoing
○ Data can be used in ways other than you think (i.e. employer has no time records but has mileage data; can calculate unpaid time based on mileage)
○ Data reveals evidence of other violations (i.e., employer doesn’t track pay by gender, so potential CFA/Title VII claims)
○ If employer not in total control of data, it can give rise to issues:
■ Joint employers (violations of joint employer are violations of all)
■ Independent contractors (same)
■ Vendors (same)
○ Even when third-parties certify or assure compliance with applicable laws, that doesn’t bind employees. May result in litigation with former colleagues, business partners, etc.