January 30th, 2009
We will be attending LegalTech New York and I wanted to invite you to come by and visit our booth. We will be in booth #429 on the 1st floor of the exhibit hall. There are several updates to our software applications that we will be demonstrating, and if you attend, I would appreciate the opportunity to meet with you.
I’ve been participating in LegalTech shows for more than ten years, and it’s a great way to see how computer forensics has filtered into the litigation processes. File collections, electronic discovery, and review have been increasingly influenced by computer forensics due to the large amounts of electronically stored information relevant to litigation cases.
When I first attended the LegalTech shows in the mid-90s, the initial popularity of imaging (paper scanning) and managing paper-based documents electronically was evident. A new breed of software emerged to handle the demands, to create full-text searchable versions of the images, to endorse the documents (electronic Bates numbering), and to create load files so the information could be imported into litigation support databases and review tools.
Towards the end of the 90s, "electronic discovery" began to take shape. An increasing proportion of relevant documents were files and emails on computers rather than paper stored in filing cabinets. A new wave of applications appeared that could convert the files directly into images (print to TIFF). Harvesting file metadata and building full-text indices also emerged, along with searchable databases.
Now, a decade later, the majority of relevant documents are electronic and the means to preserve them have become widely recognized. The Federal Rules of Civil Procedure were amended to accommodate the electronic world we live in. The requirements to properly preserve electronically stored information (ESI), establish timelines, examine metadata, recover user activity, deleted files and emails, and complete several other critical tasks have created the need for computer forensics and electronic discovery professionals to work together to conduct electronic-based litigation.
Wow! - The last 15 years have been packed with some drastic changes in the way we collect, filter, and review documents. This new era that requires litigation support and computer forensics professionals to work hand in hand is challenging and rewarding. Our professional goals include developing products, services, and educational materials that help guide legal departments, service bureaus, and computer forensics experts through this changing environment…
If you are in New York next week, please drop by our booth (#429) so we can visit. LegalTech New York runs from February 2-4 at the New York Hilton and Towers. By working together and sharing our knowledge and experiences, we will continue to improve the processes and support tools available.
Tags: computer forensics, electronic discovery, event, litigation support, trade show
Posted in Software, electronic discovery
January 29th, 2009
‘Imaging a hard drive’ is a phrase that is commonly used for preserving the contents of a custodian hard drive or server. It can also be used to describe when a custodian hard drive is cloned. It is worth taking some time to understand the differences and the advantages and disadvantages of each process.
Forensic Imaging
A forensic image, or evidence file container (EnCase, DD/raw, Expert Witness, SMART, and similar formats), is usually created with software running on the examiner's laptop or lab computer. The examiner connects the source drive through a write blocker and uses the software to write an image of the drive's entire contents to a separate target drive. Because the image is a file (or a set of segment files) rather than a drive, several forensic images can be stored on a single target drive. The acquisition software also records a hash of the data it read (inside the container for formats such as EnCase, in a separate log for raw/DD images) so the image can be verified later.
Hard Drive Cloning
Cloning a hard drive during collection makes an exact sector-for-sector (bit-stream) duplicate of the original drive onto a target drive. This is normally done with dedicated hardware, usually referred to as hard drive cloning or duplicating equipment. The target must be at least as large as the source, and it should be wiped first so that leftover data from an earlier job cannot be mistaken for evidence from this one.
A primary difference between imaging and cloning is that the files inside a forensic image can't be opened directly by common litigation support applications or electronic discovery software (such as LAW PreDiscovery, Discovery Cracker, and IPRO) or litigation support databases (such as Concordance, Summation, and Ringtail); those products expect a mounted file system, not an evidence container. A clone, by contrast, is a drive like any other.
Forensic images are designed to be accessed by computer forensic software (such as EnCase, FTK, WinHex, and ProDiscover). If you need to access the original custodian information in a forensic image without using computer forensic software, you will need to have it restored to a hard drive in its original native format. You could also look into purchasing the Mount Image Pro software (http://www.mountimage.com/purchase-forensic-software.php), which lets you view the contents of a forensic image without converting or restoring it to native format.
Cost and Redundancy Considerations
If you want to compare the cost of different computer examiners, keep in mind that the lowest hourly rate doesn't mean the lowest total price. An examiner using hardware-based cloning equipment can usually complete the process faster than one creating a forensic image with software. Whichever method is used, the copy should be hash-verified against the source and the hash recorded in the collection log; a fast copy that was never verified is not a defensible one.
If you rely on a single forensic image or clone and discover later that there was a problem (a failed target drive, an unnoticed read error, a hash that doesn't verify), you probably won't get a second chance to preserve and collect the information. It's well worth the additional cost to create a second copy of the source drive. When comparing examiner rates, compare the hourly and per-drive costs to arrive at the total price, and ask what you will be charged to restore a forensic image to a new drive, because this may have to be done before the custodian files can be processed.
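To make "hash-verified" concrete, here is an added example (not Pinpoint Labs software and not any of the imaging tools named above) of the loop a raw/DD-style imager performs: read the source byte for byte, hash the stream as it is read (the acquisition hash), write it to an image file, then re-read the image and the source to confirm all three hashes agree. The source here is a constructed scratch file of 3 MiB + 17 bytes; on a real collection it would be a write-blocked device path such as /dev/sdb, and a clone would differ only in that the destination is a second device rather than a file. The second part of the demo makes two copies, as the post recommends, and then damages one byte of the second to show the verification catching it.

```python
"""Raw (dd-style) imaging with acquisition and verification hashes.

Added example, not Pinpoint Labs software. The source and target paths are
hypothetical; the source content is a constructed scratch file.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read size; device imaging would use larger blocks


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large images are never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_source(src: str, dst: str) -> dict:
    """Bit-for-bit copy of src into dst, hashing the stream as it is read.

    The hash of what was read is the acquisition hash and is what goes into
    the collection log. A clone is the same loop with dst being a device.
    """
    h = hashlib.sha256()
    size = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
            h.update(block)
            size += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really reached the target disk
    return {"acquisition_hash": h.hexdigest(), "bytes": size}


def verify_image(src: str, dst: str, acquisition_hash: str) -> dict:
    """Re-hash the image and the source; all three values must agree."""
    image_hash = sha256_of(dst)
    source_hash = sha256_of(src)
    return {
        "image_hash": image_hash,
        "source_hash": source_hash,
        "verified": image_hash == acquisition_hash == source_hash,
    }


def demo() -> dict:
    """Image a constructed 'drive' twice, then corrupt one copy to show the check failing."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "custodian_drive.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 + 17))  # constructed sample; odd size on purpose

    out = {}
    for name in ("copy1", "copy2"):
        dst = os.path.join(work, f"{name}.dd")
        acq = image_source(src, dst)
        out[name] = {**acq, **verify_image(src, dst, acq["acquisition_hash"])}
    out["bytes"] = out["copy1"]["bytes"]

    # Stand-in for a bad sector on the second target: flip one byte of the image.
    bad = os.path.join(work, "copy2.dd")
    with open(bad, "r+b") as f:
        f.seek(1234)
        original = f.read(1)
        f.seek(1234)
        f.write(bytes([original[0] ^ 0xFF]))
    out["copy2_after_corruption"] = verify_image(src, bad, out["copy2"]["acquisition_hash"])

    shutil.rmtree(work, ignore_errors=True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the acquisition hash and the verification hash are computed in separate passes; an examiner's report should show both, plus the hash of the source itself where the write blocker allows a second read.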
Tags: cloning, computer forensics, hard drive image
Posted in Collection, Computer Investigations, ESI Collection, electronic discovery, esi software
January 27th, 2009
It's important to understand that deleted email is not recovered or indexed by common litigation support or electronic discovery software. These applications only process email that is still visible within the email client.
Some email recovery software also falls short when restoring deleted email records. Why? Because it is designed to undelete records that still have an entry in the mail store's index. Many mail stores remove those entries once the database is compacted, so it is widely believed that email cannot be recovered after compaction. That isn't always the case.
Deleted email content may still be intact and recoverable. Software tools designed to 'carve' email data locate messages by their content (the header lines and message structure) rather than through the index, so it is still possible to recover the original text. Using the following steps, email can often be recovered even after typical recovery tools fail.
1) Use WinHex, EnCase, or other file recovery tools that can recover email fragments
2) Import the recovered files (MBOX) through Aid4Mail into Paraben's Email Examiner
3) Export the email and attachments to MSG, PST, and other formats
Using the same approach to recover email as for deleted files can often provide better results than running a recovery on the individual mail store. As mentioned above, when performing recovery on Mozilla Thunderbird mail stores and others, many programs only recover what is still listed in the index files. If those index files are missing, corrupted, or no longer contain the email record, you can try Zmeil from Zero Assumption Recovery (http://www.z-a-recovery.com/zmeil-email-recovery.htm). Zmeil doesn't rely on the mail store index; it parses the data files directly and is a useful tool for additional verification of recovered email data. It also works well as an inexpensive standalone email recovery tool.
Email communication is often a critical piece of the electronic discovery puzzle, and deleted email doesn't get fully processed by common electronic discovery software. If you believe you may miss critical evidence because a custodian deleted important emails, then a specialized recovery process should be performed by someone with the appropriate training and knowledge of the process.
Tags: data recovery, electronic discovery, email, mailstore
Posted in Data Recovery, Software, Tips & Tricks, electronic discovery, file recovery
November 21st, 2008
Copying corporate data and using it at a competing company (intellectual property/corporate asset theft) is a common and serious concern for companies and their legal counsel. When employees leave companies, there are often questions about the security of the information they previously accessed. Will they use the contacts, forms, or product details as a competitive advantage in their new job?
I had previously written about how to use the file activity records located in the index.dat file to identify when files were accessed. This can help determine if files were copied from a corporate file server. I want to expand on a couple of additional artifacts that can be used and then provide an illustration. There are three primary artifacts that can be used to help determine if someone accessed and copied specific files using an external drive, CD/DVD, flash device, or other storage media.

1) USBStor Registry Entry – Microsoft Windows uses its registry to track information about the computer's users, operating system, hardware, applications, security, and other settings. When a USB storage device is plugged in, several key artifacts are recorded under the USBSTOR key, including the make, model, serial number (if the device reports one), and when the device was plugged in. If a device has no serial number, Windows generates an instance ID for it; such IDs can be recognized because their second character is an ampersand (&), and the same device will receive a different ID on a different computer.
2) Index.dat Access Record – Microsoft Windows uses index.dat files to track Internet Explorer website activity. They also record when local files were opened and from which path (as file:/// entries). We often have to recover deleted or purged activity using programs like NetAnalysis to do a thorough analysis; NetAnalysis can often recover hundreds of thousands of records that are no longer present in the live index.dat files on the system.
3) Link File (.lnk shortcut) – Shortcuts can be created by a user and are commonly stored on the desktop. Windows also creates .lnk files automatically (in the user's Recent folder) for files that are opened. These files store a wealth of information about the target document, including its path, creation, last-written and last-accessed dates and times, size, the serial number and type of the volume it was on, and several other details. The information is stored in a binary structure (documented by Microsoft as MS-SHLLINK) and requires parsing software to display it in a useful form. A shortcut whose target sits on a removable volume can be tied to a seized device by comparing the volume serial number recorded in the shortcut with that of the device's file system.
By using the above artifacts, it is possible to determine that files located on a company server or client machine were copied or accessed after a specific date and time. Note that this doesn't provide the contents of the file, and a thorough review would be necessary to make sure it is the same file. However, if the file name and other relevant metadata match, it does appear suspicious and may be enough to construct a solid argument that the employee copied or burned files, accessed the contents, or used the information. This may lead to criminal and civil charges around possibly benefiting a future employer or a new company that the employee decided to start.
USB Artifacts Illustration (Download PDF here)
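Since the link-file artifact is the one that ties a file name to a volume, here is an added example (not a Pinpoint Labs tool) of what the "special software" has to do: parse the fixed 76-byte ShellLinkHeader of a .lnk file for the target's FILETIME created/accessed/written stamps and size, then walk the LinkInfo block for the volume serial number, drive type and local path. The layout is the published MS-SHLLINK format; the sample shortcut is constructed by build_lnk(), and the path, volume label and serial number in it are made up for illustration.

```python
"""Parse the header and LinkInfo block of a Windows shortcut (.lnk).

Added example, not a Pinpoint Labs tool. Field layout follows MS-SHLLINK.
The sample shortcut (path, label, serial) is constructed, not real evidence.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIIIHHII"          # ShellLinkHeader, 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01            # LinkFlags
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01     # LinkInfoFlags
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstr(data: bytes, off: int) -> str:
    """NUL-terminated single-byte string at off."""
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    size, clsid, flags, attrs, ct, at, wt, fsize = fields[:8]
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    out = {
        "created": filetime_to_datetime(ct),
        "accessed": filetime_to_datetime(at),
        "written": filetime_to_datetime(wt),
        "file_size": fsize,
        "file_attributes": attrs,
    }
    off = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:          # skip the item ID list when present
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        (li_size, _li_hdr, li_flags, vol_off, base_off,
         _cnrl_off, _suffix_off) = struct.unpack_from("<7I", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vid = off + vol_off                     # VolumeID structure
            _vid_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vid)
            out.update({
                "drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
                "volume_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                "volume_label": _cstr(data, vid + label_off),
                "local_base_path": _cstr(data, off + base_off),
            })
        off += li_size
    return out


def build_lnk(path, label, serial, drive_type, created, accessed, written, size) -> bytes:
    """Construct a minimal shortcut with a LinkInfo block (sample data only)."""
    label_b = label.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b = path.encode("latin-1") + b"\x00"
    li_hdr = 28                                  # no Unicode offsets
    vol_off = li_hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    li_size = suffix_off + 1                     # empty CommonPathSuffix
    link_info = struct.pack("<7I", li_size, li_hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_b + b"\x00"
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    return header + link_info + b"\x00\x00\x00\x00"   # terminal extra-data block


def sample_lnk() -> bytes:
    """Constructed shortcut to a spreadsheet on a removable (USB) volume."""
    utc = timezone.utc
    return build_lnk(r"E:\ProjectFiles\pricelist.xls", "KINGSTON", 0x1A2B3C4D, 2,
                     datetime(2008, 10, 3, 14, 20, 0, tzinfo=utc),
                     datetime(2008, 10, 3, 14, 22, 5, tzinfo=utc),
                     datetime(2008, 10, 3, 14, 22, 5, tzinfo=utc), 48128)


if __name__ == "__main__":
    for key, value in parse_lnk(sample_lnk()).items():
        print(f"{key}: {value}")
```

On a live system the automatically created shortcuts live in the user's Recent folder (%USERPROFILE%\Recent on XP, %APPDATA%\Microsoft\Windows\Recent on Vista and later); a drive type of "removable" plus a volume serial that matches the file system on a seized flash drive is the combination the illustration above is built around.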
Posted in Collection, Computer Investigations, Data Recovery, Metadata, Software, Tips & Tricks, file recovery
November 19th, 2008
Recovering data from a hard drive is one of the most common tasks during a computer investigation. Here are a few of the artifacts which computer investigators may retrieve from unallocated (free) space to assist in a case:
* MS Office documents
* Acrobat files (.pdf)
* Email messages and attachments
* Images in various formats
* Internet history (pages visited, searches)
* Registry files (current and past)
* File access records (when and where files were opened)
* Prefetch files (when a specific program was run)
Many cases revolve around correspondence, work products, whether or not files were stolen or manipulated, and to what lengths the suspect went to cover up his or her activities. A common misconception among attorneys and litigation support professionals is that all relevant data from a computer hard drive is recovered during electronic discovery processing. The truth is that off-the-shelf electronic discovery software doesn't index or search data that was deleted and now resides in unallocated space. A considerable amount of valuable information is available on computer hard drives, but it sits in an area of the drive that is typically neither collected nor searched during an electronic discovery project.
I don’t believe that every project warrants a complete computer investigation. I just want to clarify that if the computers of certain individuals involved in a lawsuit require a more thorough analysis, then a forensic image or hard drive clone is required. In this case, a computer forensic investigator with the skills and appropriate software tools needs to be hired to search deleted items which aren’t typically reviewed during the electronic discovery processing phase.

What is unallocated space? I have provided an illustration that shows the physical area occupied by a file before it was deleted, what happens to that area once it is deleted, and the different stages of retrieval possible from unallocated space.
UNALLOCATED SPACE ILLUSTRATION (Download PDF here)
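The mechanism behind both this post and the email recovery post above (the one recommending WinHex, EnCase, Aid4Mail and Zmeil) is signature carving: scanning the raw bytes of unallocated space for content that is recognizable on its own, without any help from the file system or the mail-store index. The following is an added example, not any of those tools, showing the two forms of it: header/footer carving for file types with fixed signatures (PDF and JPEG here, with a bounded fragment kept when the footer has been overwritten) and header-block carving for email, where a run of RFC 822 header lines marks the start of a message and the body is taken for as long as the bytes still look like text. The "unallocated space" is a constructed byte blob assembled in build_sample_unallocated().

```python
"""Signature carving of deleted content from unallocated space.

Added example, not the software named in these posts. The sample blob is
constructed inline; the messages and files in it are made up.
"""
import re
from dataclasses import dataclass

# kind: (header, footer, maximum carve size)
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", 10 * 1024 * 1024),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
}
PARTIAL_FRAGMENT = 512  # bytes kept when a header has no footer (tail overwritten)
# Two or more mail header lines followed by a blank line marks a message start.
EMAIL_HEADERS = re.compile(
    rb"(?:(?:From|To|Cc|Subject|Date|Message-ID):[^\r\n]*\r?\n){2,}\r?\n")
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
MAX_EMAIL_BODY = 64 * 1024


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes


def carve_signatures(blob: bytes) -> list:
    """Header/footer carving; a header without a footer yields a bounded fragment."""
    found = []
    for kind, (header, footer, max_size) in SIGNATURES.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append(Carved(kind + "-partial", start,
                                    blob[start:start + PARTIAL_FRAGMENT]))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append(Carved(kind, start, blob[start:end]))
                pos = end
    return found


def carve_emails(blob: bytes) -> list:
    """Find header blocks, then take the body while the bytes still look like text.

    The mail-store index is never consulted, so messages whose index entries
    were dropped by compaction are still found. A body that runs straight
    into the next message's headers will include them; the next message is
    still carved separately.
    """
    found = []
    for m in EMAIL_HEADERS.finditer(blob):
        end = m.end()
        limit = min(len(blob), m.end() + MAX_EMAIL_BODY)
        while end < limit and blob[end] in TEXT_BYTES:
            end += 1
        found.append(Carved("email", m.start(), blob[m.start():end]))
    return found


def carve_all(blob: bytes) -> list:
    return sorted(carve_signatures(blob) + carve_emails(blob), key=lambda c: c.offset)


def build_sample_unallocated() -> bytes:
    """Constructed sample: two deleted files, one overwritten file, two messages."""
    filler = bytes(range(256)) * 8  # deterministic filler containing none of the signatures
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    email1 = (b"From: bob@acme.example\r\nTo: sales@competitor.example\r\n"
              b"Subject: price list\r\nDate: Tue, 12 Aug 2008 09:14:00 -0500\r\n\r\n"
              b"Attached is the current list.\r\nBob\r\n")
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01\x02\x03" * 100 + b"\xff\xd9"
    partial_jpeg = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"\x05" * 300  # tail overwritten
    email2 = (b"From: alice@acme.example\nTo: bob@acme.example\n"
              b"Subject: Re: meeting\n\nSee you at 3.\n")
    return (filler + pdf + filler + email1 + filler + jpeg + filler
            + partial_jpeg + filler + email2 + filler)


if __name__ == "__main__":
    for item in carve_all(build_sample_unallocated()):
        print(f"{item.kind:13s} @ {item.offset:6d}  {len(item.data)} bytes")
```

The limitations are the ones the post lists under "some with only minimal artifacts": a file whose tail was overwritten comes back as a fragment, a fragmented file is carved only up to the first footer-looking bytes, and a message whose headers were overwritten has no anchor to carve from at all.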
Posted in Computer Investigations, Data Recovery, electronic discovery
October 9th, 2008
Each day, corporate IT managers, computer forensic examiners, and litigation support professionals are tasked with collecting relevant files which reside in file shares, on client systems, and other popular data sources. The content may include Microsoft Exchange mailboxes, departmental data, individual custodian files, internet logs, telephone logs, or other critical corporate content.
Just over a year ago, Pinpoint Labs released SafeCopy version 2.0 (SafeCopy 2) which alleviated several common problems encountered when using alternative copy utilities to collect client files. Here are a few of those problems that the SafeCopy 2 upgrade addressed:
- DOS-based utilities can be difficult to customize and to replicate across multiple users
- Files located in paths longer than 255 characters are missed
- Unicode file and folder names may create verification issues
- Copied file contents are not hash verified (required to confirm that the entire contents were copied)
- Incomplete copy logs do not support accurate recording and validation
- Network outages halt file collections, which can be difficult to resume
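To show what those bullet points amount to in practice, here is an added example of a hash-verified, logged and resumable collection copy. It is not SafeCopy, and it makes no claims about how SafeCopy works; it simply addresses each problem on the list in the plainest way: the Windows \\?\ path prefix lifts the legacy path-length limit (the helper is a no-op elsewhere), paths are handled as Unicode throughout, every file is hashed at the source and again at the destination, each file gets one row in a CSV log, and a re-run skips files whose destination copy already verifies, which is how an interrupted collection resumes. The sample tree (deep folders, non-ASCII names) is constructed in a temporary directory.

```python
"""Hash-verified, resumable file collection with a CSV log.

Added example; not SafeCopy. The source tree and file names are constructed.
"""
import csv
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024


def long_path(path: str) -> str:
    """Extended-length form so paths past MAX_PATH are not skipped (Windows only)."""
    if os.name == "nt" and not path.startswith("\\\\?\\"):
        return "\\\\?\\" + os.path.abspath(path)
    return path


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(long_path(path), "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def collect(src_root: str, dst_root: str, log_path: str) -> dict:
    """Copy src_root into dst_root with per-file hash verification and logging.

    Log columns: relative path, source hash, destination hash, status.
    """
    stats = {"copied": 0, "skipped": 0, "mismatch": 0}
    with open(log_path, "a", newline="", encoding="utf-8") as logf:
        log = csv.writer(logf)
        for dirpath, _dirs, files in os.walk(src_root):
            for name in sorted(files):
                src = os.path.join(dirpath, name)
                rel = os.path.relpath(src, src_root)
                dst = os.path.join(dst_root, rel)
                src_hash = sha256_file(src)
                # Resume: a destination copy that already verifies is left alone.
                if os.path.exists(long_path(dst)) and sha256_file(dst) == src_hash:
                    stats["skipped"] += 1
                    log.writerow([rel, src_hash, src_hash, "skipped"])
                    continue
                os.makedirs(long_path(os.path.dirname(dst)), exist_ok=True)
                shutil.copy2(long_path(src), long_path(dst))  # copy2 keeps the source mtime
                dst_hash = sha256_file(dst)
                status = "ok" if dst_hash == src_hash else "mismatch"
                stats["copied" if status == "ok" else "mismatch"] += 1
                log.writerow([rel, src_hash, dst_hash, status])
    return stats


def demo() -> dict:
    """Constructed file-server tree: a deep path plus two non-ASCII file names."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "fileserver")
    deep = os.path.join(src, *[f"department_share_folder_level_{i:02d}" for i in range(12)])
    os.makedirs(deep)
    samples = {
        os.path.join(src, "Résumé_draft.docx"): b"constructed docx placeholder",
        os.path.join(src, "契約書.txt"): "constructed text".encode("utf-8"),
        os.path.join(deep, "pricelist.xls"): os.urandom(70_000),
    }
    for path, content in samples.items():
        with open(path, "wb") as f:
            f.write(content)
    dst = os.path.join(work, "collection")
    log = os.path.join(work, "collection_log.csv")
    first = collect(src, dst, log)
    second = collect(src, dst, log)   # re-run after a simulated interruption: all verified, all skipped
    with open(log, encoding="utf-8", newline="") as f:
        rows = list(csv.reader(f))
    shutil.rmtree(work, ignore_errors=True)
    return {"first": first, "second": second, "rows": rows}


if __name__ == "__main__":
    result = demo()
    print(result["first"], result["second"])
    for row in result["rows"]:
        print(row)
```

The destination hash is computed by reading the copied file back, not by reusing the source hash; a copy utility that only reports the hash of what it read proves nothing about what reached the target.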
In January 2008, we released SafeCopy 2.0 Mobile (SC2ME), a U3 compliant version which enabled users to run SafeCopy 2 from a USB device without installing the application on a client computer or server. Due to this success and feedback from our clients, we decided to build SafeCopy 2 Server (SC2SE) which allows users to run SafeCopy 2 from a central location without installing the software on a local machine. There are three typical usage scenarios that illustrate the benefits of SafeCopy 2 Server:
- ESI Collections – Accessing SC2SE from a server or shared resource simplifies and creates a more defensible process.
- Network File Copy Projects – Both litigation support service bureaus and legal departments have to copy electronic discovery and imaging projects between network locations. SC2SE is faster than Microsoft Windows, Robocopy, XXCopy and other popular utilities. It also verifies the results and provides a chain of custody.
- Source Media – Copying files from CD’s, DVD’s and hard drives for Electronic Evidence Discovery (EED) processing

We have a proven record of developing software applications to address our clients’ needs while we preserve, filter and collect electronically stored information for ESI investigations or EED processing. Check out our SafeCopy 2 Mobile and new SafeCopy 2 Server editions and experience the benefits!
Tags: esi collections, esi software, network file copies, safecopy 2
Posted in Collection, ESI Collection, Preservation, Software, electronic discovery, esi software
October 7th, 2008
When examining or processing the files on a hard drive, it is extremely important to retain the original file contents and timestamps. Many people don't realize that merely connecting a hard drive to a PC alters its contents: the operating system mounts the volume, may update last-accessed timestamps, and can create system folders and journal entries. To preserve the original contents, a write-blocking mechanism must be in place before the drive is attached.
Law firms and service bureaus that process native files from hard drives should take the same care as computer forensic examiners. CDs and DVDs will not be altered by common electronic discovery and litigation support applications; however, be aware that the process that burned the files to the discs most likely altered the original file system timestamps.
There are several hardware devices that prevent the source media from being altered. There are also some recent software developments that are effective, more affordable, and provide faster throughput. If you need to purchase a write blocker, here are a few choices to review:
Hardware:
- Tableau
- WiebeTech
- ICS Drive Lock
Software:
- Safe Block XP
As you shop for hardware write blockers, you will find that you need to buy separate devices for different drive interfaces and for flash or media cards, and can easily spend over $1,000. So we were pleased with our recent test of Safe Block XP from Forensic Soft Inc. Safe Block is affordable write-blocking software ($219) that runs on Windows XP and allows users to block multiple media types. Additionally, Safe Block XP can provide a significant improvement in copy, deNISTing, or imaging speeds because it works at the speed of the native interface, whereas hardware write blockers are often limited to a USB or FireWire connection and can slow down the process. Whichever blocker you use, hash the source before and after processing so you can show that nothing changed.
Tags: ESI preservation, write blockers
Posted in Hardware, Software, electronic discovery
September 25th, 2008
Searching and identifying relevant content is a common process for both electronic discovery and computer forensic investigations. But some people don’t realize the challenges associated with indexing hundreds, or even thousands, of different file types and data structures. Mapping the data landscape may not immediately indicate where the textual “treasure” is located. Twenty years ago, full text searching was pretty simple. We usually had transcripts, and eventually optical character recognition (OCR) that was pretty straightforward to use (except for the less-than-perfect OCR results).
Today electronic based discovery requires our full text search engines to be able to extract the desired text from a wide variety of different file types, email formats, or the contents of the unallocated space on a hard drive. A common process mistake is assuming that all files are searchable. You hope to locate the relevant data by simply indexing the contents of a hard drive, DVD, or CD and performing a quick search on relevant keywords. Although sometimes it is this simple, there are several common exceptions that will prevent a complete search:
- Encrypted and password protected files
- Embedded files, sometimes at multiple levels
- Archives (ZIP, RAR, and other compressed formats) and mail stores
- Deleted files (some fully recoverable, and some with only minimal artifacts)
Both computer forensics and electronic discovery applications rely on full text search engines to locate relevant evidence. However, the common exceptions need to be handled to ensure that the content is available to the full text search software. I’ve been a fan of dtSearch for many years because it handles large file collections of up to several terabytes, has extensive file type support, and great customer service. dtSearch is also integrated into several popular litigation support and computer forensic applications.
Tags: dtsearch, electronic discovery, ESI review, ESI searching, full text searching
Posted in Computer Investigations, electronic discovery
September 23rd, 2008
A couple weeks ago, I outlined what computer forensics and electronic discovery have in common and how they differ. I’d like to expand on this topic by identifying some common obstacles encountered when using popular computer forensic software for typical electronic discovery projects.
A typical computer forensic case may involve:
- A small quantity of email and/or attachments
- Recovered files, internet history, and user activity
- Registry entries
- Pre-fetch files
- Portions of unallocated space
A typical electronic discovery project may involve:
- Processing dozens or hundreds of custodian mailstores that results in thousands of potentially relevant emails and/or attachments
- Indexing hundreds of gigabytes or multiple terabytes of data
- Hosting data online so multiple parties can easily review, identify, and produce files
- Converting relevant files to TIFF, endorsing them, and building load files compatible with common litigation support applications
- Deduping emails, attachments, and files across dozens of custodians
Generally speaking, the primary obstacles encountered when using off-the-shelf computer forensic software for electronic discovery are:
- Inability to create load files from tagged emails, attachments, and other relevant data
- No support for TIFF conversion, endorsing, and assigning document IDs
- Missing/incomplete links between email and attachments
- No clear way to produce carved or partial files recovered from unallocated space
If you anticipate reviewing a large ESI collection using one of the common litigation support review tools, make sure that your service provider can process and produce compatible output files for production sets. Don’t assume that all computer forensic examiners are equipped to handle large scale ESI projects. On the other hand, not all EED service providers have the appropriate tools to complete a thorough computer investigation.
Tags: computer forensics, electronic discovery, Electronically Stored Information, ESI
Posted in Computer Investigations, ESI Collection, Tips & Tricks, electronic discovery
September 16th, 2008
One of the common requests we receive is to help a client determine when a document was created, or if it existed at a specific date and time, and when it was last modified. For example, an employment dispute may involve one of the following circumstances:
- A memo was handed to an employee during a meeting but the employee denies s/he received the document. The document is presented but it is believed to have been created after the fact. Could the document have existed at the time of the meeting?
- An employee produces a document that s/he claims was received from the manager, but management denies the allegations. Did the employee create the file? Can metadata provide any answers?
- Bob, the sales manager for Acme Widgets Inc., was working for a competitor during his employment. How long did this go on? What does the metadata of the recovered files tell us? Can it help us track down files he potentially stole from the company?
Here are a few facts that should help to clear up many similar questions:
- All metadata and timestamps can be altered. Don't base your case on the 'Date Created' field of a Microsoft Word document alone; freely downloadable utilities can change this and other metadata fields.
- If metadata was altered, it may conflict with other metadata or timestamps within the file or on the file system, and such discrepancies should raise strong suspicion.
- Analysis of other areas of the computer that could support or refute a claim is often required. For example, in Microsoft Windows the index.dat files contain records of when the user opened a document. Recovering and analyzing the file access activity in index.dat can help support claims or metadata (file access dates/times) suggesting that the file was created or revised at a specific date and time.
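The second bullet is the one that does the work in practice, so here is an added example (not MetaViewer or MetaDiscover) of two cross-checks on a Word document: a .docx stores dcterms:created and dcterms:modified in docProps/core.xml, written by the application at save time, and these can be compared with each other and with the file system's last-written time. An internal modified stamp earlier than the internal created stamp, or a file on disk last written well before the document claims it was last saved, are both discrepancies worth explaining. Two sample documents (one consistent, one backdated) are constructed in a temporary directory; their dates are invented. The five-minute tolerance is an assumption to absorb ordinary clock drift.

```python
"""Cross-check a Word document's internal timestamps against the file system.

Added example, not a Pinpoint Labs tool. Both sample documents are constructed.
"""
import os
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

DCTERMS = "{http://purl.org/dc/terms/}"
CLOCK_SLACK = timedelta(minutes=5)   # assumed tolerance for clock drift between machines


def read_core_times(path: str) -> dict:
    """dcterms:created / dcterms:modified from docProps/core.xml, as UTC datetimes."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    times = {}
    for tag in ("created", "modified"):
        el = root.find(DCTERMS + tag)
        if el is not None and el.text:
            times[tag] = datetime.fromisoformat(el.text.replace("Z", "+00:00"))
    return times


def check_consistency(path: str) -> list:
    """Return a list of findings; an empty list means the stamps agree."""
    internal = read_core_times(path)
    fs_modified = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    findings = []
    if "created" in internal and "modified" in internal and internal["modified"] < internal["created"]:
        findings.append("internal modified precedes internal created")
    if "modified" in internal and fs_modified + CLOCK_SLACK < internal["modified"]:
        findings.append("file system mtime precedes internal modified")
    return findings


def build_docx(path: str, created: datetime, modified: datetime, fs_mtime: datetime) -> str:
    """Write a minimal .docx with the given core properties and set its mtime."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created:%Y-%m-%dT%H:%M:%SZ}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified:%Y-%m-%dT%H:%M:%SZ}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
    ts = fs_mtime.timestamp()
    os.utime(path, (ts, ts))
    return path


def demo() -> dict:
    work = tempfile.mkdtemp()
    utc = timezone.utc
    clean = build_docx(os.path.join(work, "memo_clean.docx"),
                       datetime(2008, 9, 2, 9, 0, tzinfo=utc),
                       datetime(2008, 9, 10, 14, 0, tzinfo=utc),
                       datetime(2008, 9, 10, 14, 0, 30, tzinfo=utc))
    # Tampered sample: internal 'modified' pushed back to 2 Sept while 'created'
    # still says 10 Sept, and the file's mtime set earlier still.
    suspect = build_docx(os.path.join(work, "memo_suspect.docx"),
                         datetime(2008, 9, 10, 14, 0, tzinfo=utc),
                         datetime(2008, 9, 2, 9, 0, tzinfo=utc),
                         datetime(2008, 9, 1, 8, 0, tzinfo=utc))
    result = {"clean": check_consistency(clean), "suspect": check_consistency(suspect)}
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "consistent")
```

A clean result does not prove the document is genuine (all of these values can be set to agree), which is why the third bullet sends you to index.dat and the other system artifacts; but a discrepancy like the ones above is something the other side will have to explain.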
Feel free to download the Pinpoint Labs MetaViewer or MetaDiscover software and review the ‘No-Nonsense Metadata’ white paper. If you need assistance with an investigation, please email examiner@pinpointlabs.com.
Tags: Computer Investigations, index.dat, metadata analysis, microsoft office metadata
Posted in Computer Investigations, Metadata