GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• ESI and E-Discovery
• Valid E-Discovery Plans
• Drafting/Granting Discovery Orders
• Case Studies
E-DISCOVERY
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
ESI and E-Discovery
requests are becoming a
standard part of civil cases.
• Electronic Systems Information
• E-Discovery Process• Goals of Discovery0101001101110000011001010110001101101001011000010110110001101001011100110111010001110011001000000110100101101110001000000100010100101101010001000110100101110011011000110110111101110110011001010111001001111001001000000110000101101110011001000010000001000100011010010110011101101001011101000110000101101100001000000100011001101111011100100110010101101110011100110110100101100011011100110000110100001010
ESI Request
Processing the Data
Production
ESI & E-Discovery
Case Studies
Court OrdersE-Discovery Plans
ESI & E-DISCOVERY
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
We use the term ESI to describe any information stored on
electronics. At its core we
are talking about 0s and
1s
• The Digital Age • Electronic Hardware• Types of Information
Extracted
ESI & E-Discovery
Case Studies
Court OrdersE-Discovery Plans
Electronic Systems Info…
E-Discovery ProcessGoals of E-Discovery
ELECTRONIC SYSTEMS INFORMATION
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Paper is hard to preserve, reference and search.
• Electronic communication dominating workplace
• Handwriting is slow and it is difficult to catch errors
• Medical, financial and most other businesses moving to the paperless office.
THE DIGITAL AGEESI & E-Discovery
Case Studies
Court OrdersE-Discovery Plans
Electronic Systems Info…
E-Discovery ProcessGoals of E-Discovery
Paper is no longer the medium of
choice. Typing has replaced writing.
The Digital Age
Electronic HardwareInformation Extracted
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Desktop Computers
• Laptop Computers
• Cell/Smart Phones
• Tablets
• Phone Systems
• Video Cameras
• Digital Key Systems
ELECTRONIC SYSTEMS/HARDWA
REESI & E-Discovery
Case Studies
Court OrdersE-Discovery Plans
Electronic Systems Info…
E-Discovery ProcessGoals of E-Discovery
Offices tend to have more electronics storing data
than they have people.
The Digital Age
Electronic HardwareInformation Extracted
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Emails• Text Messages• Office Documents• Internet History• Social Media (Facebook, blogs,
tweets)• Instant Messages (Skype, Yahoo,
ooVoo)• Office Databases• Phone Conversations• Video Captures• Computer Use Logs
INFORMATION EXTRACTED
ESI & E-Discovery
Case Studies
Court OrdersE-Discovery Plans
Electronic Systems Info…
E-Discovery ProcessGoals of E-Discovery
The most requested
information involves the
Internet; emails and browsers.
The Digital AgeElectronic Hardware
Information Extracted
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
The process for E-
Discovery is often a give and take.
Attorney:
• Request for discovery of electronic systems information
Judge:
• Drafts or approves order to define scope and terms
E-Discovery Team:
• Identifies hardware possibly containing data
• Preserves and collects the data from that hardware
• Processes, reviews and analyses data
• Produces findings to the court
Data and Digital Forensic Specialists
• Analyze and summarize production
• Provide expert opinions and feedback
• Assist Attorneys in court
E-DISCOVERY PROCESS
ESI & E-Discovery
Case Studies
Court OrdersE-Discovery Plans
Electronic Systems Info…
E-Discovery ProcessGoals of E-Discovery
The Digital AgeElectronic HardwareInformation Extracted
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Find specific documents claimed to exist by the attorney’s client that support their position.
• Prove that their client did not have or ever have documents, emails, images, etc. that they are being accused of possessing.
• Prove the whereabouts of their client at a specific time.
• Find documents that might exist or might have been deleted by the opposition that might discredit their position.
• Show the opposition and/or client’s virtual persona in order to reinforce suspected real life activities.
GOALS OF ESI REQUESTS
The goal is to find either documents entered by either party or find logs
related to the use of the
computer or system.
ESI & E-Discovery
Case Studies
Court OrdersE-Discovery Plans
Electronic Systems Info…
E-Discovery Process
Goals of E-Discovery
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Identifying the Hardware
• Preserving the Data
• Collecting the Data
• Processing the Collection
• Review/Analyze for Accuracy
• Production
VALID E-DISCOVERY PLANS
Recognizing a valid E-Discovery
plan is necessary to avoid pitfalls such as data corruption.
ESI & E-Discovery
Case Studies
Court OrdersE-Discovery Plans
Electronic Systems Info…
E-Discovery ProcessGoals of E-Discovery
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
Home Environment
• Home Computers
• Mobile Devices
• Online Accounts/Social Media
• Internet Service Provider Data
Office Environment
• Central Servers that Store Data
• Backup Systems
• Desktops/laptops
• Mobile Devices
• Video/Voice and other recording devices
IDENTIFYING THE HARDWARE
Additional copies and backups of
data on hardware may be
discovered through the
review stage.
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery PlansIdentifying the
Hardware
Production
Review/Analyze
Processing
Collecting
Preserving
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Placing the data on hold
• Freezing the data in time
• Seize hardware with no warning
• Require shut down of system till matters are resolved
• E-Discovery Team in “Read Only” mode
• No Insert, Update or Delete instructions by team
PRESERVING THE DATA
Preserving the data’s integrity
requires a precise plan
and clear documentatio
n
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery PlansIdentifying the
Hardware
Production
Review/Analyze
Processing
Collecting
Preserving
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
Copy the Data Bit by Bit
• Every “a” = 01100001 is copied perfectly to another drive as 01100001
• Bits are verified as accurate by copy software
Collected Data verified to be accessible
Original data (hard drives) never used in processing
Data can be collected live or offline
COLLECTING THE DATA
The data from the
hardware is copied using
trusted forensic tools and software.
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery PlansIdentifying the
Hardware
Production
Review/Analyze
Processing
Collecting
Preserving
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Search the drive for keywords, word patterns and/or date ranges
• Use common data tools to find data in structured data files
• Flag discovered data with ID Numbers
PROCESSING THE COLLECTED DATA
Processing the data
requires the use of
automated software combined
with skilled query writers
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery PlansIdentifying the
Hardware
Production
Review/Analyze
Processing
Collecting
Preserving
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Look for irrelevant data flood
• Evaluate completeness of data, possible oversights
• Review the readability of the collection
• Look for hidden or encrypted data
REVIEW/ANALYZE FOR ACCURACY
This requires knowledge of
data structure and
a clear unpartisan
review of the data’s
relevance and
completeness.
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery PlansIdentifying the
Hardware
Production
Review/Analyze
Processing
Collecting
Preserving
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Index all discovery for court use
• Produce in standard formats like; PDF, TIFF and at times, print
• Production as seen by the software used to create the file
• Organize the production in logical sequences for readability
PRODUCTION
The production need to be
well organized,
indexed and in context to the software
used to create the
data
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery PlansIdentifying the
Hardware
Production
Review/Analyze
Processing
Collecting
Preserving
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Defining a scope
• Common Pitfalls
• Abuses of the System
DRAFTING/GRANTING DISCOVERY ORDERS
The order must
carefully balance
ensuring that all relevant data can be found with limiting the flood of data
produced and costs
incurred on both sides.
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery PlansIdentifying the
Hardware
Production
Review/Analyze
Processing
Collecting
Preserving
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Define possible related data
• Eliminate specific hardware parameters
• Set timeframe for stages of completion
• Define expected output format
• Determine number of production copies needed
• Plan for Intellectual Property and confidential information filtering
DEFINING A SCOPE
The scope narrows down the details of
what is to be collected and produced. It clarifies the task for the E-Discovery
team to respond to.
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery Plans
Defining a Scope
Abuses of the System
Common Pitfalls
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Cost of production and “low ball” bids
• Time delays caused by unorganized E-Discovery teams scrambling to learn as they go through due process.
• Hardware and software errors
• Uncooperative I.T. staff from the other party, evasive disclosure.
COMMON PITFALLS
Pitfalls can be reduced
by clear communicati
on and expectations
set in the order and
well organized E-
Discovery teams.
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery Plans
Defining a Scope
Abuses of the System
Common Pitfalls
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
E-Discovery Trolls
• Similar to patent trolls, their goal is to force settlements by threatening “shut down” of business critical systems.
Data Flooding
• The goal is to flood the opposite party with so much unreadable data that it masks the relevant data
Greedy E-Guess
• These are IT based individuals who may undercut valid E-Discovery companies to entice unsuspecting lawyers into a “good deal”. Later in the process they continually request more and more finances and eventually break the client’s finances with little or no accurate production to show for it.
ABUSES OF THE SYSTEM
Watch for broad
requests that will cripple the opposite party with cost and excessive
data to cause review time
delays.
ESI & E-Discovery
Case Studies
Court Orders
E-Discovery Plans
Defining a Scope
Abuses of the System
Common Pitfalls
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Wrongful Termination
• Company terminated employee for not completing and sending a critical email and attachment to VIP customer.
• Former employee claims the computer system must have lost the email because he sent it on time.
CASE STUDY
With so much information stored on
computers, its no wonder
just about every type of
case can involve ESI requests.
ESI & E-Discovery
Case Study
Court Orders
E-Discovery Plans
Defining a Scope
Abuses of the System
Common Pitfalls
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• Request is made by the former employees attorney to disclose electronic data related to the email and the attachment in question.
• The goal: show that the client did send the email and attach the critical document
• No specific hardware is named
• Requested that all possible relevant electronics be placed on hold.
WRONGFUL TERMINATION
The case of the lost
email. Was it computer
error or the employee not doing their
work?
ESI & E-Discovery
Case Study
Court Orders
E-Discovery Plans
The Request
Data Specialist Report
E-Discovery Production
The Order
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected] TERM…
THE ORDER
Narrowing the scope
and ordering the discovery of ESI. Refer
to the handout for a complete list of items to be
covered in the order
ESI & E-Discovery
Case Study
Court Orders
E-Discovery Plans
The Request
Data Specialist Report
E-Discovery Production
The Order
• Electronics that store email and files that the former employee had access to during the timeframe in question.
• Email systems and file data storage systems where the attachment and emails would have been processed or saved according and active during the timeframe in question.
• Data may be live collected from active servers or offline collected.
• If additional electronics are identified as possibly containing data during the e-discovery process. Those electronics may be placed on hold as an amendment to this order.
• Data may be collected from in-house e-discovery storage as long as the collection process is validated by both parties e-discovery teams.
• The emails and files produced are limited to data created between 1/1/2001 to 1/15/2001
• Both parties agree to the allowance of the e-discovery team to act as expert data analysts to give opinion pertaining to the history and existence of that email and attachment in question.
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
Identifying and Preserving• E-Discovery Team identifies electronics
• former employees desktop, the email server, the file server and the email filter device as possibly containing relevant data.
Collection• Drives are collected and copied offline, onsite and put back
into use.
Processing
• Keywords used in the email, recipients names, senders name, emails sent around the time in question, documents containing keywords all discovered.
Review/Analyze• Other files in containing folders and versions of files found
are reviewed
• Alternate email logging systems are reviewed for search ability
• Email found with search parameters was recorded as successfully sent by the company email server. Recipients server and intended client electronics data requested to verify receipt.
Production• PDF, TIFF and Printed Copies are made for 5 recipients
WRONGFUL TERM….E-DISCOVERY PROCESS
The E-Discovery
team identifies
valid hardware, collects the data, and
produces the requested
output
ESI & E-Discovery
Case Study
Court Orders
E-Discovery Plans
The Request
Data Specialist Report
E-Discovery Production
The Order
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected] TERM….
DATA SPECIALIST REPORT
• The Data Specialist places the data in context and creates a time-line chart show the history of the file and email in question.
• The chart show the file being created and edited before and after the date and time the email and another similar to it was generated.
• The first email was successfully sent to the client but did not contain the completed attachment. The attachment was named the same as the final document but was blank.
• The client’s email server removed the blank attachment as spam and placed the invalid email on hold
• The full email was also created on the employees machine with the attachment but was simply copied to the sent items folder and though the email showed it having been done earlier that day, metadata shows the file was created late that evening, after the deadline.
• Conclusion, the former employee failed to complete the attachment and attempted to cover up the error by sending a blank attachment email and later trying to falsify a completed email at a later time.
The specialist places all the
produced data in
context and paints a
picture of the history of the
email and attachment
ESI & E-Discovery
Case Study
Court Orders
E-Discovery Plans
The Request
Data Specialist Report
E-Discovery Production
The Order
GLOBAL COMPUSEARCHSpecialists in E-Discovery and Digital Forensicswww.gcsforensics.com
Presented By – Josiah P. Roloff, EnCE, CCE
Spokane, WA - 509.443.9293Palm Springs, CA - 760.459.2122Sacramento, CA - 916.760.7362
Portland, OR - [email protected]
• ESI and E-Discovery
• Valid E-Discovery Plans
• Drafting/Granting Discovery Orders
• Case Studies
E-DISCOVERY