Business Card Drawing - Greater Valley Forge Human


E-DISCOVERY - WHERE TECHNOLOGY MEETS THE LAW AND WHAT HR PROFESSIONALS “TECHNICALLY” NEED TO KNOW!
May 14, 2013
Business Card Drawing
The Intelligence Group - Background
• Forensics + Investigations Consulting Firm
• 40+ staff
• Founded in 1999
• HQ: Bedminster, NJ
• Key Offices:
– Syracuse, NY
– Seattle, WA
– Portland, OR
– Washington, DC
– Philadelphia, PA
– Minneapolis, MN
• Licensed Investigators in Multiple States
Integrating Investigative Techniques:
• Background Investigation
– Motives, finances, lifestyle, other leads
• Forensic Accounting and Analysis
– “Investigative accounting”, often involves the tracing, locating
and evaluation of assets (personal and business).
• Digital Forensics
– Evidentiary: documents, communications, computer activity
Investigative Research Services:
Background Investigation
• Evolution of the ‘Background Investigation’
– More data than ever, but what to trust?
– More than pushing a button: Internet, Databases, Document
Repositories and Human Intelligence
– Information vs. Intelligence
• Integrated suite of investigative research tools to fulfill specific needs:
– Litigation Intelligence
– Financial Intelligence
– Digital Intelligence
Investigative Research Services:
Litigation Intelligence Services:
• Litigant or Individual Background Investigation
– Residential Histories / Jurisdictions
– Criminal Histories
– Litigation Histories
– Media Evaluation
– Business Interests and employment
– Asset Screens and Searches
• Locates and Skip Tracing
– Age, residences, other characteristics to verify
• Expert Witness Backgrounds
Investigative Research Services:
Financial Intelligence Services:
• Asset Screens & Searches
– Real Property, other licensed assets (vehicles, etc.)
– Shareholder info (subject to thresholds)
– Credit, liens, judgment histories
– Banking relationships
– Lifestyle, reputational, etc.
• Financial Viability Screening (Corps., etc.)
• Corporate Successorship Histories
Investigative Research Services:
Digital Intelligence Services:
Today’s Primer
» Basics of Electronically Stored Information (ESI)
» Types of ESI (Electronically Stored Information)
» Methods to investigate, identify, and obtain ESI as Evidence:
– eDiscovery
– Digital Forensics
– Digital Monitoring and Surveillance
– Anonymous Messaging Investigation
– Social Media Preservation and Analysis
Modern Life Communications
Data Explosion
One Zettabyte
1,000,000,000,000,000,000,000
Basics of ESI
Two Characteristics of ESI
• ESI can walk out the door.
• ESI leaves “digital footprints” behind.
ESI Is Portable
Perspective:
Today’s typical PC has a 100-gigabyte drive
1 GB equals about 125,000 pages of text or
about 42 bankers’ boxes of documents
1 DVD equals about 587,500 pages of text or
197.4 bankers’ boxes
– A DVD in its case weighs about four ounces
– 197 bankers’ boxes worth of documents
would weigh about 7,880 pounds or
around four tons
Where is Electronically Stored Information?
• Laptops/Desktops
• Servers
• Phone Systems (VoIP)
• Printers & Copiers
• PDAs/Cell phones
• CDs/DVDs
• USB Thumb Drive
What other devices contain ESI?
The Corporate Enterprise Network
Types of ESI:
Accessible vs. Inaccessible
Huh?
Accessible vs. Inaccessible
ACTIVE DATA aka (Accessible)
“What You See” – easily accessible by
user in the ordinary course of business (typical
sources: hard drives, servers, disks
and other portable media)
Types of ESI:
1. Word Processing Docs, Spreadsheets,
Slide Presentations, Databases, Graphics,
Design and Engineering Drawings, etc.
2. Company email domain ([email protected])
3. Embedded, Encrypted, Password
Protected
Accessible vs. Inaccessible
INACTIVE DATA aka (Inaccessible)
“What You CANNOT See” – Not easily
accessible without forensic tools and methods
(typical sources: hard drives, servers, disks and
other portable media)
Types of ESI:
1. Deleted and Hidden Files
2. Unallocated Files and “Slack” Space
3. Deleted Internet History and Web based email
activities
4. Much more
Methods to investigate, identify, and
obtain ESI as Evidence:
eDiscovery
eDiscovery: The process of collecting, preparing,
reviewing, and producing electronically stored
information (“ESI”) in the context of the legal process.
Typical Services:
Collection – typically accessible data only
Preparing – de-duplication, indexing, and culling of
ESI, processing into .tiff files
Review – creation of load files, hosted review,
predictive coding aka “TAR-Technology-Assisted
Review”
Production – typically charged per gigabyte or per
page for native production or conversion to .tiff files,
Bates stamping.
Source: The Sedona Conference® Glossary: E-Discovery & Digital Information
Management (Third Edition) September 2010
Distinction between
eDiscovery vs. Digital Forensics
Digital Forensics – Strategic, focused,
controlled analysis of ESI.
Digital forensics often investigates:
» Smaller amounts of relevant Active and Inactive
(deleted) files
» Metadata
» Internet History, Web Based E-Mail Activity
» Registry, Link, and Event logs
» May require Expert Reporting & Testimony
Definition: Digital Forensics aka Computer Forensics (Cyberforensics), is
the process of gathering evidence suitable for presentation in a court of law.
The goal is to perform a structured investigation while maintaining a
documented chain of evidence to find out exactly who, what, when, how, and
when a digital device was used.
The Digital “Iceberg”
“Live” ESI found by Native Tools (such as Windows Explorer, E-Discovery tools)
ESI found by forensic tools (Deleted, edited, renamed, hidden, difficult to locate, etc.)
Forensic Investigations have become routinely used as an
investigative tool in HR matters such as:
Restrictive Covenant
Non-Compete
Theft of Trade Secret
IP Theft
Whistleblower / Retaliation
Discrimination
Sexual Harassment
Wrongful Termination
Class Action
Workers Compensation
Workplace investigations
...Many more
Which Tool To Use? Electronic Discovery vs. Digital Forensics
Applications:
– Electronic Discovery: Typically Civil Litigation
– Digital Forensics: Civil Litigation, Internal Investigations, Criminal
Scope:
– Electronic Discovery: Can Be Enterprise-wide
– Digital Forensics: Typically Focused – Specific Individuals and Equipment
Strategy:
– Electronic Discovery: “Fishing” – Culling Large Volumes of Data - Later
– Digital Forensics: “Investigative” – Searching for Specific Data - Early
Data Types:
– Electronic Discovery: Documents, Files, Enterprise Email
– Digital Forensics: Docs/Files, Deleted Data, All Communications, Internet
Data Attributes:
– Electronic Discovery: Document-specific Metadata
– Digital Forensics: Re-creation of Time-Critical Events
Difference between Traditional
Copying and Forensic Imaging
• Traditional Copying: Gets active data
(the “visible” files), changes metadata
such as access date/time of the files.
• Forensically Acquired Image: A write-protected exam that is an exact bit-by-bit copy of all data on a drive. Enables
recovery of data even after the data
on the drive has been erased or
reformatted.
Preservation: Copying Logical Files
– Copying files from one folder to another.
– Original evidence is changed.
– Hidden data is not copied.
[Figure: Original, File Copy]
Preservation: Mirror Image
– Bit-by-bit copies of original data.
– Exact representation of original evidence.
– Software like EnCase, Linux DD, and Forensic ToolKit.
– The original evidence is NOT modified.
[Figure: Original, Forensic Imaging (1, 2)]
Authenticating the Evidence
• To authenticate the evidence is to confirm that the
forensic copy is exactly the same as the original.
• The hash is a digital fingerprint. (Changing a single
character, from “s” to “S” in a Word document will change
the hash value).
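The authentication step above, as an added example that is not part of the original presentation: it hashes an original and its copy in streamed chunks and compares the digests. The file names and sample bytes are constructed, and computing SHA-256 alongside the MD5 the slides mention is an assumption of this example.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Stream a file from disk and return its MD5 and SHA-256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_copy(original_path, copy_path):
    """Return (matches, original_digests, copy_digests) for the two files."""
    original = file_digests(original_path)
    copy = file_digests(copy_path)
    return original == copy, original, copy


def verify_constructed_samples():
    """Compare a faithful copy and a one-character-altered copy to the original."""
    # Constructed sample bytes standing in for a source drive.
    evidence = b"Quarterly results are in the attached spreadsheet.\x00" * 64
    altered = evidence.replace(b"s", b"S", 1)  # a single "s" becomes "S"
    samples = {"original.dd": evidence, "image.dd": evidence, "altered.dd": altered}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, data in samples.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "wb") as fh:
                fh.write(data)
        faithful, _, _ = verify_copy(paths["original.dd"], paths["image.dd"])
        tampered, _, _ = verify_copy(paths["original.dd"], paths["altered.dd"])
    return faithful, tampered


if __name__ == "__main__":
    print(verify_constructed_samples())
```

Recording both digests in the chain-of-custody notes at acquisition time lets any later working copy be re-verified against the same values.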
Permanently Deleted?
Delete Does NOT Mean
FOREVER
The nature of data storage on computer disks often allows for data
recovery from deleted, formatted, damaged hard disks!
File slack
It’s All Just ONEs and ZEROs!
SecondSetofBooks.xls
TradeSecrets.doc
OffshoreAccount.html
Delete Does NOT Mean
FOREVER
.^econdSetofBooks.xls
.^radeSecrets.doc
.^ffshoreAccount.html
Deleted files are no longer
accessible by Windows, but the
data for the file will remain on the
computer hard drive until
overwritten by new data.
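Why a deleted file remains recoverable, as an added example that is not part of the original presentation: on a FAT volume a delete overwrites only the first byte of the file's directory entry, which is why the names above lose their first letter. The toy volume, file names and contents are constructed, and the sketch assumes the data is contiguous and not yet overwritten.

```python
import struct

# 32-byte FAT short directory entry: 8.3 name, attributes, first cluster (high/low), size.
ENTRY = struct.Struct("<11sB8xH4xHI")
DELETED, END = 0xE5, 0x00   # first-byte markers: deleted entry / end of directory
CLUSTER = 32                # toy cluster size for this constructed volume


def make_entry(name, ext, first_cluster, size):
    raw = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    return ENTRY.pack(raw, 0x20, first_cluster >> 16, first_cluster & 0xFFFF, size)


def build_volume():
    """Constructed sample: two small files, one cluster each, starting at cluster 2."""
    files = [("BUDGET", "XLS", b"FY13 budget draft"),
             ("TRADESEC", "DOC", b"constructed trade-secret text")]
    directory, data = bytearray(), bytearray()
    for i, (name, ext, body) in enumerate(files):
        directory += make_entry(name, ext, 2 + i, len(body))
        data += body.ljust(CLUSTER, b"\x00")
    directory += bytes(ENTRY.size)  # all-zero entry marks the end of the directory
    return directory, data


def delete_file(directory, index):
    """What a delete does to the directory: overwrite the first byte of the name."""
    directory[index * ENTRY.size] = DELETED


def parse_directory(directory):
    entries = []
    for off in range(0, len(directory), ENTRY.size):
        raw, _attr, hi, lo, size = ENTRY.unpack_from(directory, off)
        if raw[0] == END:
            break
        deleted = raw[0] == DELETED
        stem = ("?" + raw[1:8].decode("ascii")) if deleted else raw[:8].decode("ascii")
        entries.append({"name": stem.rstrip() + "." + raw[8:11].decode("ascii").rstrip(),
                        "deleted": deleted, "first_cluster": (hi << 16) | lo, "size": size})
    return entries


def carve(data_area, entry):
    """Read the file body from the data area (assumes contiguous, not overwritten)."""
    start = (entry["first_cluster"] - 2) * CLUSTER
    return bytes(data_area[start:start + entry["size"]])


def recover_deleted():
    directory, data = build_volume()
    delete_file(directory, 1)   # "delete" TRADESEC.DOC
    return [(e["name"], carve(data, e)) for e in parse_directory(directory) if e["deleted"]]


if __name__ == "__main__":
    print(recover_deleted())
```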
Live Exhibit of Finding Deleted Files
Formatting Does NOT Mean Gone
FOREVER
“Deleting” a file makes the entry unavailable to the Windows
Operating System (and invisible to the user)
Tearing Up the Card Doesn’t Eliminate the Book
Only Wiping the Device Eliminates the Data
Formatted Computer Hard Drives
FAT- File Allocation Tables or
“Card Catalog”
FAT contains the file names and the
locations of active files on the disk.
Formatting a hard drive is like
“Cutting up an Index Card.” The
FAT is cleared, and deleted files
organized into tracks and sectors to
be overwritten.
Risks of conducting Digital
Investigations on your own
People are strongly cautioned against conducting their own
internal investigation using a Retail IT shop “Geek Squad” or
other IT Staff, a close friend or relative, yourself, or otherwise...
Typically:
Not Trained in Investigations
Can be considered a Biased Party
Chain of Custody is Non-Existent or
Incomplete
Tools are NOT Certified by the court
High Risk of Spoliation
Not a Credible Expert
Unproven methods may cause potential
inadmissibility in court
The “Flip side”
The flip side of data preservation is, of course, spoliation.
Spoliation is “the destruction or material alteration of
evidence or the failure to preserve property for
another’s use as evidence in pending or reasonably
foreseeable litigation.”
The authority to impose sanctions for spoliation arises
under the court’s inherent powers.
Determining whether sanctions are warranted for spoliation of ESI is challenging
because it is easier to intentionally or inadvertently delete
or modify ESI and it is more difficult for parties to craft
preservation policies that ensure that the appropriate data
are preserved.
Examples of Digital Evidence
• E-Mail
• Temporary Internet Files
• Hidden Files / Temporary Files
• Metadata
What’s in an email thread?
Emails typically have the threads included...
This week is not good.
-----Original Message-----
To: [email protected], Randy G. Kruger Jr.@ANDERSEN WO,
[email protected], [email protected]
cc:
Date: 01/09/2002 10:26 AM
From: [email protected]
Subject: Lunch
OK you slackers (excluding Shaw), I'll give you another chance to respond.
Lunch this week or next, let me know what's good. If meeting after work is
better for you, let me know.
Schroeder
What’s in an email thread?
Forensic recovery of all email contents can reveal the entire email thread.
This week is not good.
I have too large a pile of documents to shred.
Next week is better. I suggest Wednesday, Thursday or Friday.
-----Original Message-----
To: [email protected], Randy G. Kruger Jr.@ANDERSEN WO,
[email protected], [email protected]
cc:
Date: 01/09/2002 10:26 AM
From: [email protected]
Subject: Lunch
OK you slackers (excluding Shaw), I'll give you another chance to respond.
Lunch this week or next, let me know what's good. If meeting after work is
better for you, let me know.
Certainly all of you can stop shredding documents for 5 minutes to respond.
Schroeder
Temporary Internet Files
Web Based Email
Internet Browsing History (search terms)
Online Banking & Day Trading
Analysis of Temporary Internet Cache
Often Reveals the Smoking Gun
1. Discovery of other internet-based
email accounts and multiple
communications between involved
parties.
2. Multiple emails with attached
documents (trade secrets).
3. Possession of an abundance of X-rated
or possibly contraband graphics, which can
blow credibility of “character”.
4. Uncovering of undisclosed assets
and/or other financial records.
5. Establishing that the “harassed
employee” is actually a “harasser”
him/herself.
Hiding Files
Xratedpics.jpg
Renamed to: personalfile.txt
Attempting to Hide Files
Renaming the file only makes the file name insignificant.
HOWEVER, it does NOT change its true file creation type
attributes.
Hiding Files Does NOT Change
Created File Type
As .TXT (Notepad file)
As .GIF (Graphic file)
As .XLS (Excel file)
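One way an examiner's tooling can spot a renamed file, as an added example that is not part of the original presentation: compare the leading "magic" bytes of the content against the extension the name claims. The signature table is a small subset of well-known file signatures, and the sample file names and headers are constructed.

```python
import os

# (leading magic bytes, detected type, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg", {".jpg", ".jpeg"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2", {".doc", ".xls", ".ppt"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
]


def identify(header):
    """Return (type, allowed_extensions) for the first matching signature, else None."""
    for magic, kind, extensions in SIGNATURES:
        if header.startswith(magic):
            return kind, extensions
    return None


def check_file(name, header):
    """Compare the extension in the file name with the type the content claims."""
    ext = os.path.splitext(name)[1].lower()
    hit = identify(header)
    if hit is None:
        # Plain text has no signature, so its absence alone is not a finding.
        return {"name": name, "extension": ext, "detected": None, "mismatch": False}
    kind, extensions = hit
    return {"name": name, "extension": ext, "detected": kind,
            "mismatch": ext not in extensions}


# Constructed samples: (file name, first bytes of the file's content).
SAMPLES = [
    ("personalfile.txt", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),            # JPEG renamed
    ("logo.gif", b"GIF89a\x01\x00\x01\x00"),                              # genuine GIF
    ("ledger.xls", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + bytes(8)),       # genuine XLS
    ("notes.txt", b"Meeting notes, plain text"),                          # genuine text
    ("readme.txt", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + bytes(8)),       # Office file renamed
]


def flag_renamed(samples=SAMPLES):
    """Return (name, detected type) for every sample whose extension disagrees."""
    results = (check_file(name, header) for name, header in samples)
    return [(r["name"], r["detected"]) for r in results if r["mismatch"]]


if __name__ == "__main__":
    for name, detected in flag_renamed():
        print(f"{name}: content is {detected}")
```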
Temporary Created Files
Why is Metadata Important?
The most common definition of “metadata” is “data about data”.
Can Provide Evidence of Access
An individual burning a CD or copying multiple files
to a thumb drive to take with him/her could alter
the files’ last accessed dates.
Can Serve as Evidence
When evidence is deliberately erased, “bits and bytes” of
metadata may provide the missing programs’ titles,
and can prove the existence of the now erased
data.
…Forensic techniques can recover both.
Types of ESI that contain metadata
• Word Docs
• Spreadsheets
• Emails
• Graphics - Pictures
Almost all of the information that you typically want in discovery can be
retrieved COST EFFECTIVELY (if done properly) by getting the documents
electronically.
You See / We See
Printed Email
Backdated
MS Office Word
Document
The Old Fashioned Way (Paper) vs. Today (Digital)
ESI contains information that a hard copy does not:
• Creation Dates/Times
• Access Dates/Times
• Versions
• Comments
• Author
• Login Information
• E-Mail Access Lists, Audit Trails and Computer Logs
• Gateways/Web Browsing History
• Much, much more...
Case Studies
(Cases are Hypothetical)
Case Study # 1 – Sexual Harassment Investigation
You’re Fired!
• Claimed sexual harassment by CEO
• Tolerated it for 18 months
• Too fearful to come forward
• Married woman, active in community
New York
Boston
Analysis of Internet Activity
• Searches for the term “Sexual Harassment”
Instant Message Logs
• Chats with friend about contempt for boss and plan to “get him.”
Deleted Email Analysis
• Recovery of deleted emails reveals longstanding relationship with co-worker in Boston office
8/1/04 to 11/08/06
Creation Date was three days prior to her complaint being filed.
SEVEN FIGURE Settlement Avoided
Company files charges against Exec.
New Techniques & Solutions
• Digital Monitoring and Surveillance
• John Doe Investigations (i.e. tracing and
identifying senders of anonymous emails)
• Social Media Preservation
Digital Monitoring and Surveillance
• “Real Time” Forensics
– Allow you to record and view what your employees do on the
computer and internet, and reduce inappropriate and non-work related
activities.
– Instant Alerts of Potential Danger
• Scan for dangerous keywords in emails sent and received, web sites visited,
chats and instant messages, and keystrokes typed
John Doe and Anonymous Messaging
Investigations
• Duty to investigate
• RISK – Theft of IP, Data
Breach, Fraud, Qui Tam,
Reputation…
Social Media Preservation and Analysis
• Legal Cases Involving Social Media
Rapidly Increasing
• Preservation methods now exist
• Spoliation and discovery abuses
Facebook Spoliation Costs Lawyer
$522,000; Ends His Legal Career
Lester v. Allied Concrete Co., Case No. CL.08-150, CL09-223
(Va. Circuit Court of the City of Charlottesville Sept. 1, 2011)
Spoliation Instruction in
Facebook Account Deletion.
Gatto v. United Air Lines, Inc., et al., Case No. 10cv-1090-ES-SCM (D.N.J. Mar. 25, 2013)
Social Media Examples
• A waitress can't deal with a bad tip
• She stayed home from work just to browse Facebook
• Flight attendants hated on their airline carrier
• She was depressed, but Facebook showed her
Closing Thoughts
Getting Started with the Basics
1. Identify ALL critical trade secret information (paper and electronic) on
ALL IT systems.
2. Identify ALL employees, contractors, vendors and other service
providers who have access to trade secret information.
3. Evaluate ALL alternative technology work flows, systems, security
access points.
4. Review ALL current information systems which contain trade secret
information and documentation.
5. Identify and/or develop a work flow to track how trade secret
information is received, created, accessed, modified, stored,
processed, or destroyed.
Effective ePrevention Usage Policies
Potentially Relevant Policies:
• Privacy policies
• Incident response policies
• Employee policies
• Digital Asset Ownership
• Internet Usage
• Computer Usage
• Social Media
• Non Disclosure
• Mobile Device Usage
• Email Usage
• BYOD - Bring Your Own Device policy
• Business partner policies (e.g., contract policies)
“Design for a later investigation!”
Top Tips for a Successful Digital
Investigation
• Don’t Tamper With Evidence
• Preserve the Chain of Evidence
• Don’t rely on internal IT staff
• Terminate ALL physical and digital access rights
• Retrieve ALL copies of sensitive information from employee
• Secure computers and information system assets
• Assess your risk and exposure
• Conduct forensic imaging and investigation
We can provide a proactive “Quick Peek” forensic analysis that compiles evidence
regarding:
• any file copying activities that took place 90 days prior to departure;
• what files may have been deleted;
• what websites may have been browsed or used for email; and
• other areas of potential investigative interest.
Important Issues to Consider Early
and Often
Do you envision this matter “may” require Credible Expert
Testimony at some point?
Does this matter require copying of ESI or Forensic Acquisition
(Chain of Custody, MD5 Hash authentication) of ESI, and Analysis?
At the very least, can you rest assured that NO Spoliation has
taken place?
Do the risk costs “outweigh” the Initial Acquisition costs?
When to use a Digital Forensic Expert?
It depends what you can afford...or NOT afford!
Before or when filing a TRO - Temporary Restraining
Order; Preliminary Injunction; Preservation Order;
Certifications; Affidavits.
Expert Rebuttal Testimony
Proactive vs Reactive
As early on as possible...in order to determine
whether or not you have a case!
Before the Risk of potential Malpractice, Spoliation,
Sanctions, et al.
“The Best Defense is a Great Offense!”
Thank You for your attention!
Any
Questions?
DISCLAIMER: These slides are made available for educational purposes only as well as to give you general
information and a general understanding of the law, not to provide specific legal advice. This information should
not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
While we try to make sure that all information is accurate at all times, we are not responsible for typographical
and other errors that may appear; however, it is your responsibility to verify that all details listed are
accurate.
Contact Information:
Rob Kleeger – Managing Director
Direct: 908-396-1467
Mobile: 973-699-0167
Email: [email protected]
1545 Route 206 – Suite 202
Bedminster, NJ 07921