FishNet Security

FishNet Security

E-DiscoveryBenjamin Stephan

CISSP CISA EnCE PA-QSA QSA [email protected]

FishNet Security Overview

Over 12 years of experience delivering enterprise solutions and comprehensive service offerings

Established relationships with “best-of-breed” information security partners and vendors

A full-suite of information security services provided

Respected national presence - Focused local support

Committed to security excellence, FishNet Security is the #1 provider of information security solutions that combine technology, services, support, and training. FishNet Security solutions have enabled over 3,000 clients to better manage risk, meet compliance requirements, and reduce costs while maximizing security effectiveness and operational efficiency.

Office Locations

About FishNet Security

Atlanta, GABoston, MACharlotte, NCChicago, ILColumbus, OHDallas, TXDenver, CODetroit, MIFt. Wayne, IN

Houston, TXIndianapolis, INKansas City, MONewport Beach, CANew York City, NYOmaha, NEPhoenix, AZSan Francisco, CASeattle, WA

St. Louis, MOSt. Paul, MNTallahassee, FLTampa, FLWashington, D.C.West Palm Beach, FL

Cambridge, UK

Overview

Introduction Computer Forensics vs. e-Discovery Federal Rules of Civil Procedures E-Discovery Reference Model Early Case Assessment Products & Services Sample Cases

Disclaimer: -Speakers opinions are just that – opinions-Not offering legal advice, just discussing principals

Technology Age Rapid Communication

E-mail Cell Phones Instant Messaging

Digital Information Electronic Media Documents, Spreadsheets, PowerPoint, Databases CD, DVD, Blu-Ray

Data Capacity 90’s – Megabytes 00’s – Gigabytes 10’s – Petabytes 20’s – Zettabytes

Introduction

Document Type Avg. Pages / Doc Pages / GigWord 9 64,782

Email 1.5 100,099

Excel 50 165,791

Lotus 1-2-3 55 297,317

Powerpoint 14 17,552

Text 20 677,963

Image 1.4 15,477

Documents Per Gigabyte

*Discovery Services | Fact Sheet; Lexis Nexis

Data that used to be stored on paper or physical media is now stored on digital media.

Emails*

Introduction

*Email Statistics Report, 2010; The Radicati Group, Inc.

Computer Forensics vs. e-Discovery

Computer Forensics: The acquisition, preservation and analysis of digital information that meets the requirements of evidence for court presentation.

e-Discovery: refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.


Forensics vs. e-Discovery: E-discovery is the process of analyzing data that is accessible without the need for additional tools or applications. Whereas, Computer Forensics is the process of analyzing data that can only be accessed with proper training and tools.


Federal Rules of Civil Procedures(FRCP)

Key Date: December 1, 2006 The FRCP is amended to more accurately address digital information. Amended Rules: 16, 26, 33, 34, 37, 35

Electronically Stored Information (ESI; Rule 26.a): ESI is all information stored on electronic media. Examples:

Email Voicemail CD DVD Hard Drive Thumb Drive Computer in your car Fragmented files PS3 / WII / Xbox 360 Mobile Devices

Federal Rules of Civil Procedures

ESI – Lifeblood of all Companies

BusinessBusinessIntelligenceIntelligence

Company Data

Epicenter of Epicenter of RiskRisk

FRCP Rule 26

Requesting party must submit: Information on people Information on the ESI

Only information requested is allowed (26.s). Meet and confer “gottchas” (26.f):

Must occur 120 days from request Most attorneys want 30 days to review Most attorneys wait 30 days to provide

Litigation Holds “Clawback” (26.b)

Inadvertent disclosure of ESI Privileged information

FRCP Rule 26

Identify sources of ESI Sample information

Validation of sources Exclusion of sources

Reasons for exclusion: Not relevant Excessive burden

Both parties should agree on ESI Court makes final decision

Determine who is responsible for payment

FRCP Rule 34 & 37

Establish protocols of production Requesting party can set format

“Safe Harbor” Minimize the potential of loss data Data deleted as part of everyday processes is acceptable Must have defined data retention policies

E-Discovery Reference Model(EDRM)

E-Discovery Reference Model

EDRM is a project of multiple organizations to establish set protocols, guidelines, recommendations, and procedures to assist individuals involved with a discovery request.

Information Management: The process of maintaining structure and organization around ESI. Some organizations implement products to allow for pre-capture of

potentially critical ESI. Such as collection of all email both ingress and egress. The email is then

indexed and archived. When a request for discovery is initiated then the emails can be processed easily.

Pre-collection of critical data allows for ESI to be archived and indexed prior to a discovery request.

Pros: Data is pre-indexed Minimal interruption

Cons: Substantial storage space requirements Can be expensive Some solutions provide online hosting which would require additional

bandwidth


Identification: The process by which ESI is categorized and marked for potential necessity in a discovery request. ESI profiling

Custodians are correlated with ESI based on the level of access to data.

A primary matrix is kept to easily correlate the potential ESI sources based on the discovery request.

Data classification Data is classified according to sensitivity

and access controls. By creating a data classification structure

ESI is more easily segmented and

controlled.


What’s My Data?

Develop a data classification plan. Develop a data retention policy. Assure data is appropriately marked.

Where’s My Data?

ESI may be stored in many places: File servers Laptops Blackberries Thumbdrives

Who Has The Data?

Custodian to information matrix Also know as an ACL matrix

Custodian to system matrix How many systems does your Administrator access? Data access history Physical Access controls Access and Audit logs

Mapping of sensitive data classification Determination of risk of data compromise

Citation of evidence of exfiltration Interpretation of exfiltration potential

Assist in determination of notification potential Identification of sensitive data storage

PCI HIPAA PII SOX Financial records

Data Classification

Sensitive Data Flow

Preservation Data must be preserves in its native format. Alterations to the data can lead to spoliation, contamination, and

potential sanctions

Collection Data must be collected by trained

professionals Failure to collect the data in the correct

manner can lead to dismissal of the evidence “The most expensive piece of evidence

is the one you can’t use.”


Collect & Secure any data in a forensically sound way Targeted collection vs. forensic image Tools used to carry out the collection exercise

• Encase• FTK• Write blocker

Time for initial culling?• De-Nist• Hash sets• System files• Filter in/out

Analyze the data Produce culled data set for the processing phase

Preservation & Collection

Both computer forensics and e-discovery require professional expertise in collecting the data.

Computer Forensic Collection & Investigation• Imaging

PCs/laptops, USB devices & mobile phones

• Investigations Corporate theft/leakage HR issues Data deletion & concealment Breach analysis Incident response

• Experienced practitioners• Expert witness for civil and criminal matter

Evidence Collection

Evidence Collection

Evidence Handling & Chain of Custody• Chain of Custody

• Secure storage• Evidential integrity and continuity

“Chain of custody refers to the chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic”.

http://en.wikipedia.org

Processing E-Discovery processing uses sophisticated mapping, indexing,

and heuristical software to create a relationship structure from all the ESI collected.

Often keywords, document types, conversational topics, and other criterion are used to filter the ESI into a smaller dataset.

Filter can happen on multiple levels to help reduce the amount of data to be reviewed.


Taking the collected data from different sources• Digital

• Hard copy

• Audio

Entering the data into one controllable database Whittle down the size of the data by:

• Keywords

• Date ranges

• Custodians

• De duplication

• File types

Produce a responsive data subset to go to review phase.


Review Document review is often a critical portion of the litigation process.

The efficiency of the review can be maximized by decrease the review set to allow more time for accurate analysis.

Tools The efficiency of ESI review can also be improved by leveraging

advance tools. Query tools can leverage multiple methodology to review the ESI

such as: Conversational de-duplication Content pivoting Boolean logic dtSearch


Review Following a reduction of data via the

processing phase the review phase prepares the data for a legal review.

Many utilities allow for reviews to view, tag, mark up any documents, emails, attachments or any data found to be relevant.


Review One key step in the review process is

redaction. Redaction: The process of reviewing multiple

documents and extracting key pieces of data from the original content.

In litigation cases the redaction process is applied to remove client attorney privileged information from ESI prior to provision of evidence to opposing counsel.

Redacted information must be logged and explained such that if any discrepancies arise then the reason for the redaction can be supported.


Analysis Throughout the e-discovery process ESI is analyzed using

multiple criterion. While analysis falls after review in the EDRM the analysis actually

occurs throughout the discovery. Analysis help to: Minimize the ESI data set Determine relativity of data Identify potential ESI sources Create ESI sets for manual review


Production: The process of organizing ESI into a format that can be delivered to legal counsel.

After the ESI has been reviewed by legal counsel and is ready for delivery to opposing counsel, the ESI must be “produced”.

Production of ESI in a litigation case can be a crucial step. The FRCP mandates that the means of production be fully delineated by both parties. Failure to produce ESI according to the agreed upon means can

lead to fines and sanctions. ESI must be produced in its “native format”.

Rule 34(b) allows that the requesting party may specify the format for production.


Finding the responsive and reviewed data set then converting into a production set ready for disclosure.

Options to consider when doing a batch print:• Endorse (i.e. bates number),

• Annotations & Coding

• Document redaction

• Watermark

• Export

• Convert documents to PDF, TIFF or both

Production

Presentation: The results of the discovery process must be presented in such a format that all parties involved are able to understand the results. ESI is often presented in “image” format. The image format allows

for easy view of the ESI and corresponding data. Images are often in TIFF or PDF format

Expert witnesses can be critical to the presentation of the ESI. The expert witness interprets, explains, and details the results of the discovery process.


Early Case Assessment

Strategic Scoping “Meet and Confer”: Leverage the meet and confer meetings to

establish an exact means of scoping. Ensure discovery requests address specific custodians, data flows, data classifications, and technical architecture.

Targeted Collection Live collection Logical Evidence File (LEF) Keyword Triage

Keyword crawlers GREP 7phrase


ESI Profiling Custodian to ESI Matrix

Legal Hold Ambiguous Too comprehensive Overly Burdensome

Pre-process Data Culling Keyword filtering Boolean expressions

Data Pivoting Visualizing data statistics Graphical analysis of trending and anomalies


ROI of Early Case Assessment

1st Instanceof Incident

Discovery Collection / Review Presentation

1st Instanceof Incident

Cllctn. / Rvw.Presentation

• Early identification of scope

• Rapid collection and review

• Fewer required resources• Rapid presentation

Time/cost

Uncompromised endpoints Scope of compromise

scop

esc

ope

Time/cost

Resources

BE

FO

RE

AF

TE

R

Products and Services

Flexible• Custom workflow• Multiple parties or multi-stage review• Tracking, e.g. timelines or chain of custody

Secure• Role based• Folder-level• Document –level• Field-level

Scalable• Millions of documents• Hundreds of concurrent users• Multiple delivery options

Foreign Language Support• Fully Unicode compliant.• Language identification

Relativity Analytics• Cluster similar documents

Relativity Pivot• Data analysis functionality

Hosted• Via Legal Gateway

Enterprise e-Discovery Native file review

Online tiff conversion for redaction Local file review

Concept Searching Review and search documents based on “concepts” or subject

matter terms. dtSearches

Relativity Pivot Graphical analysis of search statistics and metadata

Online review Provide access to opposing counsel

e-Discovery Services

Relativity Pivot

New e-Discovery services support virtually any mobile device

Secured review Power of e-Discovery anywhere Redaction at your fingertips… literally

Mobile Review

Nexidia

Audio eDiscovery• Nexidia

• Speed of search• Reduces cost of review• Accuracy

In house e-Discovery Collection

Pre-collection Analytics

Preservation Early Case Assessment & Review

Legal Hold Automation Web based Validation Email delivery

User Friendly User defined tagging Email & conversational searches

EnCase e-Discovery

EnCase e-Discovery

EnCase e-Discovery

EnCase e-Discovery

Define: Create search criteria for relevant sensitive data

Identify: Automatically search systems for sensitive data

Assess: Map data found to data policies

Enforce: Collect and/or wipe sensitive data from unauthorized locations

Sample Cases

Pricing Examples• Single Laptop/Desktop

Description Units Unit Cost Total

Forensic Consultancy 3 $300 $900

Data Processing 5 $175 $875

Consultancy 8 $300 $2,400

Hosted Review (month 1) $3,500

Total $7,775

Hosted Review (on-going) $2,000

Pricing Examples• Three Laptops & Email Data


Forensic Consultancy 8 $300 $2,400

Data Processing 21 $175 $3,675



Total $13,475


Pricing Examples• Six Laptops, Email & File Data


Forensic Consultancy 16 $300 $4,800

Data Processing 148 $175 $25,900



Total $49,900


Questions?

[email protected]

Benjamin Stephan:Benjamin Stephan has over 10 years of experience in software development, computer forensics, digital investigations, regulatory compliance, security assessments, computer programming, and risk management. Benjamin has been with FishNet Security for over 2 years and during that time has dedicated himself to PCI compliance, breach investigations, and computer forensics. At FishNet Security, Benjamin helped develop and implement the methodology for both FishNet Security’s Incident Management and PA-DSS practices. Benjamin also helped lead efforts enabling the company to become a Visa Qualified Incident Response Assessor (QIRA) and MasterCard Qualified Forensic Investigator (QFI). Prior to his employment at FishNet Security, Benjamin helped develop, implement, and maintain the computer forensics division for a leading security company in Arizona. Benjamin’s current efforts include oversight of high profile QIRA investigations, quality assurance review of QIRA investigation, and management of the Incident Response practice. Benjamin received his Bachelor’s of Science degree in Electrical Engineering from Arizona State University. Benjamin has also achieved the following certifications: EnCase Certified Examiner (EnCE), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), PCI DSS Qualified Security Assessor, and PA DSS Qualified Security Assessor.

*All logos, images, trademarks, are owned by their associated reference. Images provide by public websites and documentation.