E-Discovery Trends and Forensic Tips

Listen to LTN Electronic Discovery writer and editor Craig Ball give an update of what he sees happening in the field of Electronic Discovery as well as an overview of how forensics fit into many electronic discovery cases. One of the more widely quoted experts in the field, Craig Ball is a true pioneer in electronic discovery and one of the most visible experts in the country having delivered over 500 presentations and papers on electronic discovery. Craig’s articles on forensic technology and electronic discovery frequently appear in the national media, including in American Bar Association, ATLA, and American Lawyer Media print and online publications. He writes a monthly column on computer forensics and e-discovery for Law Technology News called “Ball in your Court” which was honored as both the 2007 and 2008 Gold Medal honoree as “Best Regular Column” as awarded by Trade Association Business Publications International. Craig runs a forensic consulting firm in Austin, Texas and frequently serves as a Special Master in complex electronic discovery cases.

[DDET Click here to read the transcript]
Karl Schieneman-Interviewer from JurInnov

Craig Ball-Guest

K: Hello everyone. This is Karl Schieneman with JurInnov. Welcome to another edition of ESI Bytes – an electronic discovery show with the purpose to make concepts in electronic discovery accessible to everyone for a price that everyone can afford, which is free, but also without having to be at a certain place or travel to listen to speakers who talk all over the country in many cases. Today’s guest is no exception. I’m thrilled that we have Craig Ball on today’s show for a number of reasons; first, Craig is a prolific contributor to continuing legal and professional education programs throughout the United States. He’s delivered in excess of 500 presentations and papers. His articles on forensic technology and electronic discovery frequently appear in the national media. I was at a national conference in D.C. and listened to Craig be interviewed by The Wall Street Journal during a break. He’s been in American Bar Association publications, ATLA, American Lawyer, media print and online publications. He also writes a monthly column on computer forensics and e-discovery for Law Technology News called, “Ball in Your Court”. By the way, Law Technology News is a free publication that I encourage everyone to subscribe to. It’s still free, right Craig?

C: Oh yeah, absolutely.

K: Okay. Craig was honored as the 2007-2008 Gold Medal Honoree as the Best Regular Column as awarded by the Trade Associations Publications International. Many, many other awards. A couple of funny things…Craig, I’d like to prepare for these shows by reading articles. I gave up with you. I’ve got a stack in front of me!

C: I didn’t know they were that bad.

K: No, there’s a lot of information to cover. The last thing I wanted to mention is that here at ESI Bytes, we’re trying very hard to be agnostic. Craig Ball, among many things, is a forensic expert nationally just as the service JurInnov provides. When Tim Opsitnick and I were putting together a list of good speakers who are knowledgeable, we both wanted you on the show.

C: Thank you, Karl. I’m hoping to move you right over into atheist.

K: Okay. A lot of people would like to know (when they hear someone like yourself talk) is how did you get involved in the field of electronic discovery?

C: Oh goodness gracious. Well, I’ve been involved with computers really since I built my first electronic slide rule in the fifth grade. I was a nerd…it was clear that I was never going to have a girlfriend the way I was behaving. I learned basic programming in high school using a time-shared main frame, and I was well on my way to fulfilling my then dream of becoming an electrical engineer and an inventor. I got sidetracked into the law. Even as a lawyer, I was an early adopter of PC’s back in the TRS80, or what’s called “trash 80 days” of the very first personal computers. I moved into IBM and Compaq’s and Clone’s and Bulletin Boards and the Internet and web development for bar associations teaching technology to lawyers. My hobby was data recovery and forensics, so you could see; I never terminally outgrew the nerdiness. Judges than started appointing me as what today would be called “Special Masters”- this goes back some years. I started writing and publishing and lecturing, some of the things you were kind enough to mention. From there, I’ve ridden the tide.

K: That’s great. We actually did a real nice show on Special Masters last week with Jonathan Redgrave. It’s an interesting field in it of itself. Now, (we are) looking at the field of electronic discovery just generally, and then we’re going to talk about forensics – which we’ll focus most of the show on. Where do you see the field of electronic discovery going?

C: Well, I think in terms of penetration into cases – shared numbers of cases where electronic discovery will be an object of early concern and will be consuming a lot of lawyers’ time and attention. I see a very substantial growth not withstanding an overall contraction of the legal industry. I want to be clear about that – I think we’ll see a dollar contraction in some ways on electronic discovery, and that’s a very good thing. Right now electronic discovery costs too much. It is simply whatever the market will bear in terms of pricing, which is rather disingenuously tied to volumes before appropriate filtering and search. I think we’re going to see overall dollars stagnate or maybe even go down a bit in the coming year. For most of us in the practice, e-discovery is going to be growing in our consciences and growing in our day-to-day activities. I look at it this way – the volume and the variety of revealing electronic evidence is growing at a continuing explosive level. If you remember the old quip of the infamous safecracker, Willy Sutton, he was asked why he robbed banks. He said, “Well, that’s where the money is.” We’re going to turn more and more to ESI, because like it or not, that is where the evidence is.

K: Well, is the field getting better over the last couple of years, because this is still a pretty new field?

C: Oh, I think unquestionably the field is getting better of you define better as I do with people developing better skills, making fewer mistakes, starting earlier to address the problem…Obviously we’ve seen a tremendous amount of growth in a number of cases that have exposed flaws. Lawyers who don’t act honestly where e-discovery is concerned, or competently with destruction of evidence. That’s going on more and more because electronic evidence is being focused on more and more. I am encouraged – I think the overall ties of understanding are rising albeit more slowly than I had hoped.

K: You know, I had one general question posted here on the show, which is a live show and the listener said, “Are you concerned about the abuse of electronic discovery from one side to the other?” Ralph Losey and Judge Scheindlin talked about this in our podcast. Do you have any thoughts at all about that as a concern?

C: I do. I think the notion that electronic discovery is being used as a very blunt instrument to extort settlements is overblown and largely unfounded. I think you can’t extort something from someone unless they’re exposed and the only way you get terribly exposed in electronic discovery is being not ready or poorly managing your information. There’s a lot of tools and avenues for the producing parties to cut down on electronic discovery and reduce the volume, to learn how to cut the costs of review (which is where most of the money is spent and wasted), to get better handles on your proliferation of privileged information, and to persuade the court through education of where it makes sense to reign-in out-of-line discovery requests. The fact of the matter is parties haven’t begun to fight. The point of fact is the producing parties had it good for so long; they’ve been getting away with murder for so long. All this screaming is coming about because people didn’t get ready, as they should have. I am not sympathetic to that whole argument.

K: And your answer was wonderful. You just threw out four topics for future shows! Anyway, a lot of the people (and what I think is one of the beauties of this show) in jurisdictions and at firms who haven’t done much of this can now start to experience and learn from people like yourself and some of the other speakers. What advice could you give to someone whose never experienced electronic discovery, from say a law firm’s perspective?

C: Don’t be afraid. I think that there’s a certain intimidation factor that keeps people looking for short-sided, short cut, quick answers instead of digging in to learn it. (They’re) telling themselves that “this is something I cannot get.” You can get it. You break down what you need to know in e-discovery in small enough, manageable bites and you can learn anything. Lawyers are smart, smart people. What I would say is get the education you need. The number one critical issue facing e-discovery today is the lack of substantive knowledge of necessary basic technologies – not the bits and bytes and atomic level stuff, but just the fundamental lingo and concepts of e-discovery that lawyers continue to avoid. I’ll put it to you this way – when you and I were 15 or 16, we devoted many hours to learning a particular skill. We learned to drive. We went to school, our parents taught us, we read a book about it, we devoted a couple of weeks or months to gaining that skill. That skill has served us well everyday of our lives, yet I find most lawyers don’t spend even the minimal time it would take to learn to drive to learn to manage electronic evidence that’s going to be the litmus test to their ability to remain in the litigation practice going forward. Give it at least that effort and I think you’ll be rewarded to find that it’s not as hard (and to master, even) as lawyers tend to convince themselves that it will be.

K: Okay. Corporate clients have a different set of problems because they’re dealing with all these records. Any advice to them?

C: It’s a much more complicated situation to fill into a sound byte.

K: Maybe do a separate show on it, huh?

C: Well, you really could. You could do a whole series of shows on how corporate clients can reduce the costs of e-discovery and make themselves less exposed to it. The fact of the matter is again here, is it’s not as hard. Get it centralized, get rid of what you can get rid of, resist the…I shouldn’t even say resist. Several years ago Karl, I was in the same bandwagon as everybody else saying, “You know, you gotta get rid of more stuff.” In the last two years, I’ve come to the conclusion that what we instead need to be preparing to do is for what is essentially wholesale retention – people not getting rid of anything. That’s what we’re going to face. So, instead of pretending that somebody is going to implement a data destruction program that isn’t going to get them in hot water and it’s really going to be work in a complex data environment, I think that’s nonsense. I think much that is devotedly to be wished is not likely to happen. Let’s prepare for the data environment that is really going to be in place instead of the wishful thinking.

K: Now let’s talk about computer forensics. What are computer forensics and how does it relate to electronic discovery?

C: Computer forensics is really just a global term in the context of litigation and the law – managing, collecting, preserving, and analyzing the electronic traces of all the devices and systems that are parts of our lives today. I like to think of forensics in a somewhat different way. I think computer forensics is finding the drama in the bits and bytes. It’s teasing the human drama, the human story out of all the little traces that we leave in this very wired world. Whether it’s where we go on the internet, on our hand-held devices, what we touch in terms of files, what doors we open with cards, what we do on television and video screens, as we drive around the city as we move around the world and the GPS tracks on our cell phones and our vehicles. All of this enormous mass of disparate data all about us – our favorite subjects. This really allows a great deal of depth and it also serves as an interpretation of meta data – the parts of the data that are not immediately apparent and understandable to the user day-to-day. Making sense of that, knowing what’s reliable and what’s unreliable. Being able to bring it back from the dead when someone may have made it go away – I think that’s really all the world of computer forensics.

K: It’s almost like there should be more t.v. drama on this side of the story instead of murders, huh?

C: You know, blood and gore sells a whole lot more than bits and bytes. Frankly what I have seen from computer forensics, when depicted is on shows, particularly CSI, is enough to make computer forensics just grind his or her teeth to the nubs. It’s awful. They sit down at the evidence computers and start typing away. The next thing you know they found a video of the person committing the crime. It’s nonsense and it’s bad forensics.

K: Okay, when do you need to use computer forensics as an attorney?

C: You need to consider computer forensics in every case. I want to be careful with that. I’m not saying you use computer forensics, but you need to approach every case and ask yourself the question, “is this a case where the degree of preservation and the approach I have to take with the electronic evidence demands a forensic level of preservation and a forensic level of examination.” Most of the time your answer is going to be no, the active data can be preserved to a sufficient degree and we don’t have to worry about all of the forensic nicety. But when you have cases of, for example, data theft, data destruction or spoliation, alteration of data, forgery of electronic documents, or use of computers as an instrumentality of fraud or tort or theft – those should be ringing a bell in your head that these are cases where forensic-level preservation is important and forensic examination may be a case-making or case-breaking technology.

K: Is there a place that you go to look for a computer forensic vendor? I saw a couple of days ago a posting from a listener asking, “Does anyone know a good computer forensic examiner.” How do find someone?

C: That’s a good question. I would say that you shouldn’t go to the Yellow Pages anymore than you would consider going to the Yellow Pages for a lawyer to be a good idea. You get good experts in computer forensics the same way you get good experts in any other discipline, which means you ask around to colleagues whose judgment you trust. Colleagues who have been using the discipline – who do you use, what do you like about this person, are they trustworthy, do they bill in a fair way, are they timely, how do they hold up in terms of credentials in terms of cross-examination? Then you look at their credentials and you check them. You call people. Even if you’re given references that are good references, I find that you can still tell a lot of bad about somebody by calling their satisfied customers. You’d be surprised by what can flip out. You check their credentials. If somebody says they have a degree and it’s key that they actually have it, you make sure that they’re in good standing. You make sure that if they’re required to have certain licensure that they have that licensure. If they’re self-taught, then you want to make sure that they have an appropriate certification or other ways that they’re going to qualify, that they’re going to meet the Daubert Standard, or other standards that are local to the court. You just don’t want to hang your hat on a computer forensic (technician) who took the weekend course, bought a tool and hung out their shingle, because they’re gonna get you crucified at trial. I am very concerned right now, Karl, about the decreasing caliber of the forensic (technician) that I am seeing in the area of computer forensics. I mean, there’s some lousy computer forensics folks out there and I’m seeing some reports that just blow me away in terms of the callous and rather ignorant way that people go about it, not to mention in some instances computer forensic (technicians) can be your worst enemy.

K: So, are there any certifications, or is this just the Wild West? The whole protocol for finding Special Masters seems to be who do you know, and this is sort of a similar area.

C: Yes and no. Obviously I came out of the personal injury trial practice. In that practice, you typically have what are called “guardians” and these are people appointed to resolve any perceived conflict between a parent acting on behalf of an injured child and so forth. There was a lot of cronyism in that area. It was often a former partner of the judge or a drinking buddy, what have you. So I’m familiar with the kind of worry that you’re raising. I think you’ll find with Rule 53 Special Masters – people who are brought in because they have particular expertise, there’s far less abuse that way. I think judges tend to be pretty careful in their selection of Special Masters, in fact many judges are very reluctant to appoint Special Masters. They do so either when they feel like it’s something that demands specialized knowledge, and computer forensics is certainly a good example as well as complex electronic discovery, or where the amount of work that is going to be needed and the immediacy of response parties will need in order to achieve the best, fairest, and lowest costs of the case demand somebody who can give that degree of focus. I don’t see the same abuse on Special Masters that you’re describing. Most of the Special Masters I know (and there are only a handful of Special Masters in the e-discovery and computer forensics arena) tend to be pretty conscientious folks.

K: Now, in your opinion, are forensic experts things you can find nationally or is this more of a local specialty area?

C: There’s really nothing about the practice that suggests an advantage to going locally. Yeah, I suppose there is a small cost savings if you’re doing a physical acquisition of a drive, to have somebody who doesn’t have to take a plane flight or make long drive to get to it. I think that you’ll find when it’s feasible to do so; it’s a lot less expensive to send the machine or the drive to the forensic (technician) rather than to bring the forensic (technician) to the machine. I have a national practice. I would find that relatively few of my clients overall are in Texas. They tend to be in other states with cities where there’s a lot of litigation and complex cases and so forth where forensics come into play. I’m as likely to be in California, Chicago, New York, and Florida as I am to be in Texas.

K: When you’re looking for a computer forensics expert, what can a forensics expert do for you and what can’t they do for you?

C: That’s a really good question. I think people need to have realistic expectations about just those things. What can you do with forensics and what can’t you do? Forensics won’t necessarily tell you whose hands were on a computer at a particular time. Forensics won’t be able to uncover, in some instances, every bit of deleted data. Forensics isn’t going to be able to recover information that has been thoroughly wiped and over-written. What forensics will be able to do, however, is to help you establish the basis for an adverse in, for instance a spoliation claim for the wiping of that drive. Forensics will be able to paint something of a second-by-second image of a machine to be able to see what information was moved around, what was touched, what applications were employed, and basically as I say, translate those electronic footprints into human behavior and to hopefully tell a story. I view as a kind of mind reading in the right cases. You can get an insight to what a party was actually thinking and planning. It’s not unusual at all for me to examine a machine and see a pattern such as this. The individual will receive a demand for preservation of their computers or for forensic examination. Many times that will prompt the person to first do a little bit of legal research to see what all the big words are about and then you see the research change as I analyze their internet usage and what files they download and touch. I start to see them investigating how to make data go away and what tracks do they leave behind. I may see them purchase a data wiping or data destruction application and then use it. I really can see the gears turning in their mind like a rat in a trap – how do I get out of this? Then, frankly, a person who destroys evidence is my best friend from this standpoint. Most people do it so badly that it’s as though they took a yellow highlighter to a voluminous document and just highlighted all of the things that they were most afraid of me finding. I don’t advocate people destroying evidence, especially from this standpoint Karl, which is nothing I have ever found destroyed on a computer was as bad as the impression that was left by the effort to make it go away. The hole left behind by data destruction is much worse than whatever once filled it.

K: Okay. One of the areas that I’ve written a bit about is sort of the collaboration issue in e-discovery. It’s not between parties or other sides – it’s within your team. One of the things I’ve seen in broad e-discovery is you’ve got people that host your data that help you set-up the software, the lawyer and maybe staffing people. They’re all sort of independently working in their specialty area, and that can create problems of communication. Is forensics an area where you independently hand off, or is it an area where the lawyer and the forensic examiner are, (well) there’s a supervisor role or collaborative role?

C: I think there should be something of a collaborative role. It’s not that I necessarily expect the lawyer to be looking over my shoulder as I’m examining the data, but I need to know a lot about…I mean, there’s a great amount of information on almost any drive today. I rarely look at just one drive. I’m usually looking at quite a number of drives, maybe a whole department or 3-5 machines that were used by an individual. Although there’s some drives, cd’s, and external hard drives the volumes routinely get into the tera bytes about now. With that in mind, I need the lawyer to help me understand what the case is about. My being a lawyer has proven to be a huge advantage. I feel I can get up to speed pretty quickly about what it is they need and (I) sometimes advise them if they’re interested in what I think I can find that will assist them before they even thought about it. That’s the collaborative role – I need to know what they’re trying to accomplish. I often ask a client “look, do you want the evidence, or do you want the sanctions.” My methodology will be the same. I want to know what you’re looking for and I want to try my darndest to get this information back in e-discovery or (by) using forensics, or if what this really is about is sanctions. I don’t tend to like to work in the secondary. I want people who want the evidence as my clients. As that’s said, I do think that I need a timeline from the lawyers. I need the dates of the issues, names, keywords, I’m gonna need that process from the lawyer to help me streamline in what I’m doing and know what I’m looking for. Unless they have an unlimited budget, I just can’t say to them, “Well okay, give me the computer and I’ll find everything that might be relevant.” Nobody can afford that and nobody should want that. We work together. I report what I am finding; I get direction from a lawyer when I think further work is kind of a dead end. I advise them where I think we’re applying some fertile ground and we need to really dig in and have all my I’s dotted and my T’s crossed to be ready to testify about it. I talk to them about what they’re looking for in the way of a form of a report. I get a lot of feedback from lawyers. I think the one thing that lawyers need to do and have no hesitation is (to) ask me to explain things. I don’t care if you have me explain it 10 times so long as the lawyer wants to learn it and is interested, I’m thrilled to talk about these things. I think lawyers need to get over the idea that they’ve got to be the smartest person in the room in every setting. Let’s close the door and acknowledge to me (that) you don’t know what the heck you’re doing in this area (and) I’ll be quiet about it. Now let’s each get each other up to speed so we’re both comfortable helping each other achieve the best results for the client.

K: Actually, that was one of Judge Scheindlin’s points on last week’s podcast – either do it right or speak up. Don’t be stuck in the middle and get hammered by fumbling your way through it.

C: Well your problem of course is fumbling your way through it has worked so well for so many years that people aren’t ready to find that it’s not working very well anymore.

K: In terms of collaboration, I guess one of the areas where you’d be working with the lawyers (and the client because they’re paying for this) is, how do you pick what to examine?

C: You know, it depends on what the case is about, but it’s not that hard. If the case involves the behavior of particular individuals, you look at what they did and what tools they used. Were they laptop people on the road, were they desktop people, did they work through an intermediary like a proxy, an assistant or someone? Particularly older users have a tendency to rely upon proxies for their work. Are they Blackberry people? Are they very wired? Do they work at home a lot? Do they use Gmail v. an exchange server? Once you begin to learn what they know and how they do business, the media just kind of jumps out at you. If you know what you’re doing you’ll be better prepared to look for this stuff. Of course, looking at one piece of media almost invariably points to other media. When I look at a laptop I’m going to be able to see what other media or systems this laptop has connected to and I can begin to identify a path I can go down to track certain data because when data’s stolen, it may come out of the former employer on an external hard drive or a thumb drive. Maybe emailed out, but it’s gotta go in somewhere. I’m going to be looking at machines that the new employer (at home or elsewhere) where that media came in and them I’m going to follow that trail as far as it leads or as far as the budget allows.

K: How do you gather forensic information without ordering a party to stop using its systems? Isn’t this fairly intrusive?

C: It doesn’t have to be. It depends upon what it is you’re trying to achieve. Forensic analysis of a server (which tends to be the mission-critical part of system – the thing that they at least want to shutdown) is often a fruitless effort. Servers are optimized in a way that you tend not to get much from the allocated clusters (or from looking in the areas of deleted data) where data would reside. There, you don’t have to necessarily shutdown. You may be able to do an active acquisition (while the machine is still doing its job) and get the information you need. If it’s a laptop that somebody depends on (or a desktop), you get them to do something else for a few hours while you image it or do it overnight, which is not terribly unusual for me to do. It’s called a “black bag acquisition” where you come in after business hours and you grab the data that’s owned by the employer. You analyze it and the employee may be none the wiser that their machine was examined. You can do it without being unduly disrupted if the parties are willing to work together reasonably and (this is most important, Karl) you can assure yourself that the delay is not being used to reinvent history, delete data, or change data.

K: Sometimes when you talk to a technologist that maintains a system, they’ll talk about getting a ghost image. Is that the sort of thing that works within the field of forensics for e-discovery or do you have to do more than that?

C: Ghost has many strengths and many weaknesses, but it is not essentially a forensically sound collection tool. The reason for that is that though it is feasible, you run Ghost under dos, which means it’s going to run very slowly. You can use command line instructions (that are somewhat obscure) to actually obtain the unallocated clusters and space of a drive. You can get a forensically sound image. You have to turn off Ghost propensity to alter the drive – to basically mark the drive with its own signature. So, if you know what you’re doing you can use it. Unfortunately, almost nobody knows what they’re doing and the image that they get using Ghost is not an image in the sense that forensicists use it where it’s a file or series of files that hold the information (and are often self-authenticating) but it is really a clone. Use of a clone presents a lot of issues in forensics as soon as you connect that clone to another Windows machine if it’s not right protected using special hardware or software that data is going to be marred in some fashion. I always advise against using Ghost for forensic collection. It simply is not efficient, it’s not that cost-effective, and it does a terrible job. In fact, Ghost used normally is an empty forensic tool. It not only changes the data, but it strips away the unallocated clusters and the slack space, so what you get is substantially less usable as a forensic image or otherwise as a source of forensic examination. I hate to give this little tidbit away, but I’ll tell you the truth of the matter is I get a lot more value doing a forensic evaluation of active data than I do from unallocated clusters most of the time. There’s so much active data that’s so revealing – even when people are trying to make a lot of go away that you really can get a lot of great stuff even if you don’t have the unallocated clusters, but if you’re going to do a competent examination you have to have all three. You’ve got have the slack space, the active data and the unallocated clusters. Ghost is typically not going to give you that.

K: One of my favorite cases (or quotes) is Facciola’s quote in the McPeek case where he criticizes lawyers for asking what they want, or if they ask for what they think they want, they might get what they need. I’m thinking about the difference between a forensically sound acquisition and a forensic examination. You’ve talked at times about the difference between the two. What’s your advice in this area?

C: Well, a forensically sound acquisition or forensic examination are as different as saying take a cheek swab and do a DNA test. One is grabbing the evidence in a way that makes your examination reliable and the other is how to look at it using tools and techniques that allow you to define what that information has to tell you. I’m not sure if that’s the distinction you were seeking, but I do think this – I find the word “forensically sound” is abused. Forensically sound, in my judgment should be reserved solely to the collection in a bit-stream manner of all of the bits and bytes sequentially from a piece of media in a way that it can be authenticated against that media. That you can get a hash match, a digital fingerprint that proves the copy you’ve made is a complete and unaltered duplicate of the original evidence. Anything less than that and I think you abuse the word “forensically sound”.

K: What I was going at more was getting more intrusive than you have to – asking for the world. I’m not sure if you see that happen in heavy-duty litigation where people go crazy with acquisition requests.

C: I do. I find that the old expression, “If the only tool you have is a hammer than the world looks like a nail”, I find some of that with people who have used forensics and really gotten a great result from it in a case that makes sense and then kind of all of the sudden they want to use the forensic approach to everything. That’s not cost-effective and it’s not warranted. As we talked about earlier, forensics has its place in certain kinds of cases. In those cases, it’s essential – it’s a case breaking, case making technology. If there is such a thing as a run-of-the-mill e-discovery case where the data hasn’t been corrupted, the data hasn’t been deleted or hidden, etc. then probably forensics is massive overkill. I think that you have an abuse problem there of people demanding a level of forensic preservation far beyond where that should matter to them. As we said at the very start of this call, they should anticipate forensics in every case. They should anticipate or consider is this a custodian whose conduct is so critical to this case that we can’t even afford the risk of a charge of spoliation or non-preservation. Maybe we’ll make a decision as an insurance policy of the sorts to make a preservation for this person. If they have messed up and they have gotten rid of something (the CEO for example) we want the ability to mitigate that immediately and be able to say to the court or judge, it is no problem. We have a forensic level preservation and we’ve set it aside and we can fix that. I think the other issue is meta data. It’s become something of a buzzword. It’s an area in which I have a tremendous amount of interest. I’ve written about it ad nauseum and I think people still continue not to get an understanding of meta data. Meta data’s just data about data. It’s all of the logs and information about the system meta data like modified, access, created date. The name of a file is meta data. Most files don’t know their own name. The location of a file, the custodian of a file – these are all things outside of the data but which bear significantly on understanding the data and making sense of the data. I hear people say, “Well I want you to produce all of the meta data.” They don’t even know what they’re talking about. Do they mean application meta data, system meta data, etc. There are hundreds of hundreds of meta data fields that may exist with regard to certain kinds of files. Do they even know what they’re asking for and would they know what to do with that car once they chase it and catch it?

K: I’m going to try to reign the topic in here at the end into a couple of key points, but what would you say (and we’ve covered a lot of ground here) the most challenging issues are facing the computer forensics field?

C: That’s easy. I think there are a couple. One of them above all is volume. A couple of years ago, it would have been rare for me to have seen anything larger than an 80 GB hard drive for analysis in a business setting. Today it is not unusual for me to see 500 GB and up. You can now buy a tera byte hard drive for $100.00. We’re going to see tera byte drives becoming pretty much standard issued in new desktop purchases and in no time, we’re going to see 500 GB the standard in pretty much cheap laptops. You know, with active data, you can just look at the parts of that that are used. If somebody buys a tera byte drive (if they’ve been busy with it) maybe it has 100 GB on it. With forensics, you’ve got to acquire the entire tera byte because you have to get the unallocated clusters, too. That means that hours go into the acquisition. In order to search that information and process that information, the software tools have to work their magic over a much bigger canvas. That means that forensics becomes much more expensive without necessarily delivering a lot more information. The other challenge we face is going to be the proliferation of on-disk encryption/automatic encryption built into hard disks that’s built into devices. Hard-encryption is essentially unbreakable for all-intense purposes. Particularly in the criminal arena, as we see hard drives automatically encrypting the data, we’re going to see people getting away with more because we won’t be able to look at their information.

K: What would you say are the biggest mistakes being made in forensics today (and you may have already covered it)?

C: I have barely scratched the surface. I think that there are several; one that comes to mind is people jumping to conclusions. It’s so easy to want to be the hero when you’re the computer forensic examiner. It’s so overwhelmingly strong – the desire to find the smoking gun, to effectuate the intent of what your clients want. Even in good faith (and) with good intentions, it’s very easy to look at a set of facts, to look at a set of last access dates on file and go, “Aha – we’ve caught the person! The blackard has been nailed!” when really a more dispassionate, a more careful look at the information (in context) will often reveal that what you think the information means isn’t what it really means. I think jumping to conclusions, poor training, the sense of “push button” forensics as if you could buy a tool and hit the evidence button and all of a sudden (you don’t even know how it’s going about it) that it’s going to roll off with all this stuff that’s going to make you look good in your report. Let me tell you something, there is no tool that can do that. Forensics is as much of an art as it is a science. It’s about understanding what you see, understanding what it means and making sense of that information. That’s not how I’m seeing a lot of computer forensitists go about it. They are looking at few places that in a book they were told to look, they are interpreting things in whatever way it occurs to them, and then they are writing reports that just seem to satisfy the client. I think we’re seeing some abuses in that regard. I’m talking the civil arena right now; I’m not talking about the criminal arena as much. I wrote recently about some abuse of computer forensic issues in a broad post that I did on the EDD Update blog (which I hope people will take a chance to look at) – www.eddupdate.com .

K: I have one last question, but then I have a couple of questions from the audience actually which aren’t bad. Where can a listener look to learn more about forensics? You mentioned the blog post that you just contribute (to), but where else?

C: There is a great site that I think is called www.eevidenceinfo.com . Hold on just a second, I have it linked but I have to find it. It’s the e-evidence information center and it is www.e-evidence.info . This is a professor in New York who just maintains a wonderful link list. Christine’s list is where I go to see what people are writing. You can go to this site and find ways to get trained, what universities are offering training…you can find virtually everything that’s ever been published on forensics that’s available on the web. It’s just a wonderful feast of information. If somebody really wants to dig in, this is a great place to start.

K: This might be a scary question given what you said (about) loose forensics practice, but what software tools are out there for computer forensics and how much of it is available for people who are not governmental organizations or security professionals?

C: Most of it is available out there. Very little of the tools are reserved exclusively to law enforcement, in fact, there used to be a tool called ILook that was available to law enforcement, but even as late that has become an available tool. The leading tools in computer forensics – the leading suites (and by the way, you don’t just use one tool, there is no Swiss Army knife no matter how people want to market it) of the one thing that does everything the best. The best-known tool is Guidance Software’s EnCase. Another tool is Access Data’s Forensic Tool Kit. Technology Pathways has a tool for investigation, and my particular favorite (the one that I use more often than any other) is a tool by a company called X-Ways Forensics. I find their forensic tool is something that I turn to first. It seems to do what all the others do just about as well but it costs less. As I said, you don’t use just one tool. A good forensitist crosschecks key findings using different tools and you also use tools that are best suited for the application. It may be that the process email, the tools I’ve mentioned, are not your best choice. Maybe you’ll use a command line tool (or) maybe you’ll use a little tool developed in-house or a script that you’ve written yourself. The goal is to have a utility belt of tools – a tool kit, that you can use so that you can have confidence in what you’re finding. I learned forensics by using a hex editor or a disc editor. To me, I’m still old-fashioned. I believe you’ve got to learn to do it down, down, down on media before you start buying any high-pollutant expensive tools to make your job easier.

K: How dangerous would you say it is to use Gmail?

C: I don’t find Gmail dangerous at all. I think Gmail is the greatest thing since slice bread. I think your security exposure is minimal on Gmail, and I don’t find it to be in any greater exposure than any other web-accessible resource. If you think about it, most people who run their own exchange servers also support some level of web mail. Anybody who has login credentials can get in. If you have a user i.d. and a password (or you haven’t protected your password very well), you’re getting into almost anything. I don’t see Gmail being particularly more vulnerable to that, in fact, I think Gmail has got so much better of a spam filter that I think it does a better job at email than most of the exchange servers and Outlook installations I’ve seen. I’ll tell you, I got rid of my email infrastructure – my server and so forth, and I’ve completely virtualized using GOOGLE apps.

K: That’s good. I’m a big fan of cloud tools as well (as were working right now in the clouds).

C: And of course, the cloud is an emerging challenge to electronic discovery, as are the empowerment and growth and sophistication of the handheld devices. We’re seeing people moving off to doing most of their work on the related Iphone and platforms. That creates new challenges to forensics because all of these devices tend be very proprietary. Karl, do you mind if I add one more where do you go for information about forensics?

K: Sure.

C: I’m modest, but I’ve spent a lot of time writing about forensics and writing particularly for a lawyer audience who is uncomfortable with technology and hopefully making is accessible so people will stop by my website where there are a number of free papers which is www.craigball.com .

K: And we’ll think to that as well once the site’s up and that will be on www.esibytes.com . Well this has been very informative, Craig. I appreciate your spending some time delving in this area. We went a little long but it doesn’t matter. This is an area that I think people are very interested in and I appreciate you spending the time.

C: It’s my pleasure. Thank you for including me in your interview.

K: This has been another edition of the ESI Bytes Show. You can find more shows listed at www.esibytes.com . Don’t get bit by e-discovery…get involved (and) learn about it. That’s basically it. Thanks again.

Recorded 03/24/2009


Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published. Required fields are marked *