You Lost Me at Gigabyte: Electronic Forensic Protocols and Working with Computer Forensic Examiners Texas Bar Webinar - May 17, 2016 Craig Ball, John T. Myers, and Kasi Chadwick

Page 1: BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners

You Lost Me at Gigabyte: Electronic Forensic Protocols and Working with Computer Forensic Examiners

Texas Bar Webinar - May 17, 2016

Craig Ball, John T. Myers, and Kasi Chadwick

PAGE 2

What we will Cover…

PAGE 3

Overview

• Drafting and execution of electronic forensic protocols.

• We will walk through the lifecycle of a protocol.

• Best practices for completing a forensic examination.

PAGE 4

What is an Electronic Forensic Protocol

PAGE 5

What is an Electronic Forensic Protocol?

• An electronic forensic protocol is a set of procedures through which the harvesting, review, and (sometimes) the destruction of electronic content is conducted.

• Agreed forensic protocols can be drafted pursuant to Rule 11 of the Texas Rules of Civil Procedure and/or in conjunction with injunctive relief.

• Alternatively, court-ordered forensic discovery can be issued—generally to remedy discovery abuses.

PAGE 6

• Be careful when seeking to deploy a found or form protocol.

• Each case presents unique considerations for forensic assessment.

• Each requires a protocol tailored to the needs, sources, parties and risks attendant to the matter.

PAGE 7

Why an Electronic Forensic Protocol?

Agreed Forensic Protocol

• Generally speaking, executing an agreed forensic protocol is a way to fast-track the discovery process.

• Provides a mechanism through which the parties may expeditiously locate and collect allegedly misappropriated data.

Court-Ordered Forensic Protocol

• Provides a way to access data that has not been produced through discovery.

PAGE 8

Agreed and Court-Ordered Forensic Protocols

PAGE 9

In re Weekley Homes, L.P.

• Alleged discovery abuse. Trial court ordered a forensic protocol.

• In re Weekley Protocol:

– Four forensic experts identified.

– Experts to take an evidentiary image of the hard drives in question using “procedures that is generally acceptable as forensically sound.”

– From the images, experts would search for deleted emails from the relevant year using specified search terms.

– Owner of data then had opportunity to review the responsive data.

– Responsive data was to be provided to requesting party.

• Responding party sought mandamus relief.

PAGE 10

In re Weekley Homes, L.P.

• Supreme Court concluded the trial court abused its discretion.

• Made this finding because the requesting party’s “conclusory statements that the deleted emails it seeks ‘must exist’ and that deleted emails are in some cases recoverable is not enough to justify the highly intrusive method of discovery the trial court ordered…”

• In order to obtain a court-ordered forensic protocol, more must be shown.

• Case-by-case analysis.

PAGE 11

In re Weekley Homes, L.P. - Dicta

• The Supreme Court contrasted its decision with In re Honza, 242 S.W.3d 578, 583 (Tex. App.—Waco 2008).

• The Supreme Court distinguished In re Weekley from Honza:

– Honza sought forensic review to obtain the metadata for a document. No question of the document’s existence.

– There was a direct relationship between the hard drives sought and the plaintiff’s claims.

– There was extensive testimony as to the forensic expert’s experience and qualifications prior to granting the forensic review.

PAGE 12

Legal Standard for Court-Ordered Electronic Forensic Protocols

PAGE 13

In re Weekley Homes, L.P.

• Per Rule 196.4 of the Texas Rules of Civil Procedure:

• Employing Rule 196.4, the In re Weekley court outlined the legal standard for a court-ordered electronic forensic examination sought to remedy an alleged discovery abuse.

PAGE 14

Agreed Forensic Protocols

PAGE 15

Agreed Forensic Protocols

• If the parties agree to execute an agreed forensic protocol, there is more freedom to craft the review.

PAGE 16

Selecting Your Forensic Expert

PAGE 17

Selecting Your Forensic Expert

• Selecting a qualified forensic expert is critical.

– Qualified and experienced forensic experts help ensure proper collection and processing of data.

– In the world of forensics, there are many ways to skin the cat.

– Using an inexperienced expert can cause omissions of critical evidence—and in some cases—destruction of the evidence altogether.

• Per In re Weekley, your expert’s credentials are important in obtaining a court-ordered forensic protocol.

PAGE 18

Selecting Your Forensic Expert

• Important to involve the forensic expert as early in the process as possible. Protocols put in place without expertise often create unrealistic expectations with respect to the practical limits of forensic analysis. You can't order an examiner to fly.

• Optimum outcomes are achieved using a neutral examiner, abetted by input and consensus from partisan experts from each side.

• Clear delineation of the examiner's ethical responsibilities is essential. Obligations to the Court and opposing party should be made manifest, where applicable, to avoid inherent conflicts.

PAGE 19

Selecting Your Forensic Examiner

• No company is skilled at digital forensics. Examiners are individuals, and no affiliation guarantees competency. Look closely at the examiner, not the company.

• Referrals from colleagues helpful.

• Know what licensure requirements apply to the examiner.

• Examiners should be experienced in writing intelligible reports. 

PAGE 20

Costs

PAGE 21

Costs

• Be sure it is crystal clear who must pay the examiner and by what date. No contingent fees ever.

• Set interim reporting requirements with reasonable limits on time and cost. Do not let yourself be surprised by the cost.

• Generally, the requesting party will pay.

PAGE 22

What are we Examining?

PAGE 23

What are we Examining?

• How will target information be identified?

• We need to consider:

– The potential custodians of information,

– What types of files will be extracted, and

– How the potentially responsive data will be culled for review.

PAGE 24

What are we Examining?

• Where is the target information kept?

• While forensic examinations of cell phones and cloud-based accounts do not normally produce reviewable documents, these extractions can provide important clues to the rest of the puzzle.

PAGE 25

What are we Examining?

• The easy targets:

– Computers (personal and company devices)

– External storage devices

• The more complex:

– Cell phones

– Cloud-based storage systems (e.g. cloud-based e-mail accounts, DropBox)

PAGE 26

How will we be Examining?

PAGE 27

Methodologies

• Specific methodologies should be agreed upon, where feasible; else, range of and limits upon investigator's discretion must be expressly addressed in the protocol.

PAGE 28

What will be Pulled from the Target Devices?

PAGE 29

What will be Pulled from the Target Devices?

• Question: What is the universe of data to be extracted?

• Will the forensic expert be harvesting:

– Active files (e.g. .docs, .pdfs, .xls)

– Deleted file identification

– Device connection log

– Internet artifacts

PAGE 30

What will be Provided to the Requesting Party?

PAGE 31

What will be Provided to the Requesting Party?

• Once the universe of data to be harvested is defined, the next important consideration is how identified files will be reviewed by the parties.

• Many experts believe that, absent gross misconduct or agreement of the parties, a party and a partisan examiner should not be afforded direct access to an opponent's ESI and devices.

PAGE 32

Two Approaches

• Inclusive: Entire file listing/extraction, with all personal/privileged data removed, produced to both parties.

• Culled: Require the requesting party to propose search terms to cull data prior to production of file listings.

PAGE 33

Additional Front-End Drafting Considerations

PAGE 34

Additional Considerations to be Decided Before Execution

• Who will hold the devices while the protocol is executed? For how long will the devices be sequestered? How will the devices be kept secure?

• How will the forensic images be maintained?

• Confidentiality? Confidential designations? AEO designations?

PAGE 35

Additional Considerations to be Decided Before Execution

• Consider an iterative process to keep the case moving forward. A few key issues examined first, then a few more. Don't boil the ocean.

• Address whether the examiner can assess the integrity of the evidence. If the digital books have been cooked (e.g., drives swapped, wrong machine supplied, drive wiping seen, etc.), can the examiner address this as a threshold matter?

PAGE 36

Harvesting the Data

PAGE 37

Harvesting the Data from the Target Devices

• After the protocol is executed by the parties, the forensic expert’s work comes into play.

• Selecting the right expert is critical. There are a number of tools forensic experts can use. The forensic expert’s expertise is important here.

• Example: Different data extraction programs work best on different devices. Incorrect collection methods or incorrect tools can destroy critical metadata (e.g. creation date, last accessed date).

PAGE 38

Data Review

PAGE 39

Review of Target Information

• File listings and extractions are generally produced in .xls format.

• Listings can be thousands of pages long.

• .xls proficiency is critical.

• Most time-intensive activity.

PAGE 40

Review of Target Information

• Spreadsheets of extracted metadata are increasingly ill-suited as a form of production for review because of row limitations.

• 1,048,576+ Excel rows sound like a lot until you realize that more than that number of discrete items are routinely seen on a single device (after processing compressed and container files). 

• Alternatives?

PAGE 41

What are we Reviewing?

With the careful review of a listing or extraction, we can see:

• Files

– Names

– Sizes

– Creation dates

– Last accessed dates

– Last modified dates

– Whether files are deleted, and

– Whether a file is overwritten

• Web Information

– Browser history

– Web bookmarks

– Cookie history

• Mobile Devices

– Call logs

– Text messages

– SMS messages

– Applications

– Contacts

PAGE 42

Best Practices for Data Review

• Be wary of the examiner seeking support for your theory. You want an impartial skeptic, not an advocate on a mission to please you.

• Request a “timeline” be extracted from the target device.

• Once you have found files of interest, create a separate listing which only includes those files.
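The review steps on this and the two preceding slides (a separate listing of identified files, a “timeline” of the file dates, and an alternative to row-limited spreadsheets), as an added example that is not part of the deck. The CSV column names, paths and timestamps are constructed for illustration; it also adds one use of the creation and modified dates (a created-after-modified check) that the slides do not spell out.

```python
"""Added example (not from the deck): review a forensic file listing without Excel.
Shows a chronological "timeline", a culled listing limited to agreed search terms,
a copy indicator, and a hash of the original listing so it is preserved intact.
The CSV layout and column names are assumptions; real tool exports vary."""
import csv
import hashlib
import io
from datetime import datetime

# Constructed sample listing (not real case data); 'deleted' is Y/N.
LISTING_CSV = """path,size,created,modified,accessed,deleted
C:/Users/jdoe/Documents/ClientList_2015.xlsx,48120,2015-11-02T09:14:00,2016-01-20T17:02:00,2016-01-21T08:30:00,N
C:/Users/jdoe/Documents/pricing_master.pdf,221004,2015-06-15T10:00:00,2015-06-15T10:00:00,2016-01-21T08:31:00,N
E:/backup/ClientList_2015 - Copy.xlsx,48120,2016-01-21T08:35:00,2016-01-20T17:02:00,2016-01-21T08:35:00,Y
C:/Users/jdoe/Pictures/vacation.jpg,3100000,2014-07-04T12:00:00,2014-07-04T12:00:00,2015-12-01T19:00:00,N
"""
FIELDS = ["path", "size", "created", "modified", "accessed", "deleted"]

def listing_hash(text):
    """SHA-256 of the original listing, recorded before any culling or deletion."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def load_listing(text):
    """Parse with the csv module, which has no row limit, unlike a spreadsheet."""
    return list(csv.DictReader(io.StringIO(text)))

def cull(rows, terms):
    """Culled approach: keep only rows whose path contains an agreed search term."""
    lowered = [t.lower() for t in terms]
    return [r for r in rows if any(t in r["path"].lower() for t in lowered)]

def timeline(rows):
    """Flatten per-file timestamps into one sorted list of (when, event, path)."""
    return sorted((datetime.fromisoformat(r[c]), c, r["path"])
                  for r in rows for c in ("created", "modified", "accessed"))

def copy_indicators(rows):
    """Paths created later than they were last modified: on common file systems a
    copy keeps the source's modified time but gets a new creation time."""
    return [r["path"] for r in rows
            if datetime.fromisoformat(r["created"]) > datetime.fromisoformat(r["modified"])]

def write_listing(rows):
    """Serialise a separate (culled) listing back to CSV text for production."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    rows = load_listing(LISTING_CSV)
    print("original listing sha256:", listing_hash(LISTING_CSV))
    identified = cull(rows, ["ClientList", "pricing"])
    print(write_listing(identified), *timeline(identified), sep="\n")
    print("possible copies:", copy_indicators(rows))
```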

PAGE 43

Culling Responsive Data - Identifying “Identified Files”

• What is “responsive data?”

– Should be defined in the protocol.

– Generally defined as data the opposition believes in good faith to be their information.

PAGE 44

What to do with Identified Files?

PAGE 45

What’s Next?

• Once the requesting party has identified the files for review, the parties should collectively review the identified files.

• The forensic expert is instructed to pull the files from the forensic image. (Normally, devices are returned to the custodian after imaging.)

PAGE 46

Review of Identified Files

• File Review Meeting: Schedule a meeting between the parties to review the files.

• Independent Production to Both Parties: Have the forensic expert directly provide the identified files to the parties for review.

– Two-Step Process: The responding party is first provided the files for review, and the respondent then provides them to the requesting party.

PAGE 47

What are we Searching for in our Review of the Identified Files?

• Whose data is it?

• In the protocol, the parties should identify what files/data will be subject to deletion.

• The protocol should also provide what to do if the parties cannot agree as to the proper classification of the content of the file/data. Who is responsible for motion practice concerning the data?

PAGE 48

Deletion of Identified Files

PAGE 49

Deletion Considerations in Your Protocol

• In the deletion process, it is important that your protocol provides that an image of the original file listing be maintained.

• The expert should only be instructed to delete the data from the device—not the device’s image.

• Spoliation.

• May need image to prove use and/or damages.

PAGE 50

Additional Notes

PAGE 51

Spoliation

• Because a file listing can show the life and death of a file, improperly preserved evidence can present significant problems to a responding party.

• Whether a deleted file is recoverable dictates the degree of any spoliation implications.

PAGE 52

International Collections

• Because we are searching for electronically misappropriated information, it is common for target devices to be located in different countries.

• International collections:

– Kits

– On-site collections

• Compliance with international laws:

– EU laws are different. Sometimes, if the information is personal in nature, the information belongs to the employee, even if the information is located on the employer’s devices. There are exceptions.

PAGE 53

Defend Trade Secrets Act of 2016

• The DTSA was signed into law by President Obama last week.

• The DTSA creates a “civil seizure” mechanism to collect and sequester electronic storage devices believed to contain a stolen trade secret soon after filing suit.

• The DTSA—and the “best practices” expected to be created under the DTSA—may have implications on how forensic discovery is conducted in the future.

PAGE 54

Additional Resources

PAGE 55

Additional Resources

• http://www.craigball.com/LIT_FebMarch14_EDiscBulletin.pdf

• http://www.craigball.com/Ball_Becoming_a_Better_Witness_on_Digital_Forensics.pdf

• http://www.craigball.com/CF.pdf

• http://www.craigball.com/What_Judges_Computer_Forensics-200807.pdf

PAGE 56

Questions?

Kasi Chadwick, BoyarMiller
[email protected] | (832) 615-4290

John T. Myers, Chorus Consulting
[email protected] | (713) 203-5743

Craig Ball, Attorney and Forensic Technologist, Certified Computer Forensic Examiner
[email protected]