New Electronically Stored Information (ESI) Collection Software

October 9th, 2008

Each day, corporate IT managers, computer forensic examiners, and litigation support professionals are tasked with collecting relevant files which reside in file shares, on client systems, and other popular data sources. The content may include Microsoft Exchange mailboxes, departmental data, individual custodian files, internet logs, telephone logs, or other critical corporate content.

Just over a year ago, Pinpoint Labs released SafeCopy version 2.0 (SafeCopy 2) which alleviated several common problems encountered when using alternative copy utilities to collect client files. Here are a few of those problems that the SafeCopy 2 upgrade addressed:

  • DOS-based utilities can be difficult to customize and replicate across multiple users
  • Files located in paths with more than 255 characters are missed
  • Unicode file and folder names may create verification issues
  • Copied file contents are not hash verified (required to confirm that the entire contents were copied)
  • Incomplete copy logs do not support accurate recording and validation
  • Network outages halt file collections and can be difficult to resume
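To make the verification point concrete, here is an added example (written for this page, not Pinpoint Labs' SafeCopy code) of a small collection routine that addresses four of the problems listed above: it hashes the source stream while copying and re-hashes the destination, keeps the original timestamps, writes a CSV copy log, tolerates Unicode names, applies the Windows long-path prefix, and skips files already copied and verified so an interrupted run can simply be restarted. The directory names, the sample file and the log format are constructed for the demonstration.

```python
import csv
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB pieces so large files do not have to fit in memory
LOG_FIELDS = ["utc_time", "source", "destination", "bytes", "sha256", "status"]
SAMPLE_CONTENT = b"board minutes, constructed sample\n"          # constructed test data
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_CONTENT).hexdigest()


def native_path(p: Path) -> str:
    """On Windows, prefix with \\\\?\\ so paths longer than MAX_PATH (260) are accepted."""
    s = str(p.absolute())
    if os.name == "nt" and not s.startswith("\\\\?\\"):
        return "\\\\?\\" + s
    return s


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_verified(src: Path, dst: Path, expected: str) -> None:
    """Copy src to dst, hashing the bytes as they are read, then re-read dst and compare.

    `expected` is the hash taken before the copy, so a source that changes while it is
    being read is detected as well as a destination that was written incompletely."""
    dst.parent.mkdir(parents=True, exist_ok=True)
    h = hashlib.sha256()
    with open(native_path(src), "rb") as fin, open(native_path(dst), "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    if h.hexdigest() != expected:
        raise IOError(f"{src}: source changed while it was being read")
    shutil.copystat(native_path(src), native_path(dst))  # keep the original timestamps
    if sha256_of(native_path(dst)) != expected:
        raise IOError(f"{dst}: destination hash does not match source")


def collect(src_root: Path, dst_root: Path, log_path: Path) -> list:
    """Copy every file under src_root into dst_root and append one CSV log row per file.

    Files whose destination already exists with a matching hash are logged as skipped,
    which is what lets a collection interrupted by a network outage be resumed."""
    entries = []
    new_log = not log_path.exists()
    with open(log_path, "a", newline="", encoding="utf-8") as logf:
        writer = csv.writer(logf)
        if new_log:
            writer.writerow(LOG_FIELDS)
        for src in sorted(p for p in src_root.rglob("*") if p.is_file()):
            dst = dst_root / src.relative_to(src_root)
            src_hash = sha256_of(native_path(src))  # hash of the evidence as found
            if dst.exists() and sha256_of(native_path(dst)) == src_hash:
                status = "skipped-verified"
            else:
                copy_verified(src, dst, src_hash)
                status = "copied"
            row = [datetime.now(timezone.utc).isoformat(), str(src), str(dst),
                   src.stat().st_size, src_hash, status]
            writer.writerow(row)
            entries.append(dict(zip(LOG_FIELDS, row)))
    return entries


def run_demo() -> tuple:
    """Constructed sample tree with a Unicode folder name; returns the log rows of two runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share = root / "custodian-share"
        (share / "Dépôt ✓").mkdir(parents=True)
        (share / "Dépôt ✓" / "notes.txt").write_bytes(SAMPLE_CONTENT)
        first = collect(share, root / "evidence", root / "copy-log.csv")
        second = collect(share, root / "evidence", root / "copy-log.csv")  # resumed run
        return first, second


if __name__ == "__main__":
    for run in run_demo():
        for entry in run:
            print(entry["status"], entry["sha256"][:12], entry["destination"])
```

The log row records the hash taken before the copy; anyone re-hashing the destination later can confirm the contents against it without access to the original share.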

In January 2008, we released SafeCopy 2.0 Mobile (SC2ME), a U3 compliant version which enabled users to run SafeCopy 2 from a USB device without installing the application on a client computer or server. Due to this success and feedback from our clients, we decided to build SafeCopy 2 Server (SC2SE) which allows users to run SafeCopy 2 from a central location without installing the software on a local machine. There are three typical usage scenarios that illustrate the benefits of SafeCopy 2 Server:

  1. ESI Collections – Running SC2SE from a server or shared resource simplifies the collection and makes the process more defensible.
  2. Network File Copy Projects – Both litigation support service bureaus and legal departments have to copy electronic discovery and imaging projects between network locations. SC2SE is faster than Microsoft Windows, Robocopy, XXCopy and other popular utilities. It also verifies the results and provides a chain of custody.
  3. Source Media – Copying files from CD’s, DVD’s and hard drives for Electronic Evidence Discovery (EED) processing.

We have a proven record of developing software applications to address our clients’ needs while we preserve, filter and collect electronically stored information for ESI investigations or EED processing. Check out our SafeCopy 2 Mobile and new SafeCopy 2 Server editions and experience the benefits!


Preserving Suspect Media (Write Blockers)

October 7th, 2008

When examining or processing the files on a hard drive, it is extremely important to retain the original file contents and time stamps. Many people don’t realize that just connecting a hard drive to a PC will alter the contents of the hard drive.  In order to preserve the original contents of the hard drive, it is important to implement a write blocking mechanism.

Law firms and service bureaus that process native files from hard drives should take the same care as computer forensic examiners. Today, CD’s and DVD’s will not be altered by common electronic discovery and litigation support applications. However, you should be aware that the process that burned the files to the disks most likely altered the original file system timestamps.

There are several hardware devices that prevent the source media from being altered. There are also some recent software developments that are effective, more affordable, and provide faster throughput. If you need to purchase a write blocker, here are a few choices to review:

Hardware:
  • Tableau
  • WiebeTech
  • ICS Drive Lock

Software:
  • Safe Block XP

As you shop for hardware write blockers, you will find that you need to purchase multiple devices for different types of hard drive, flash or media cards and can easily spend over $1,000.  So we were pleased with our recent test of Safe Block XP from Forensic Soft Inc. Safe Block is affordable write blocking software ($219) that runs on Windows XP and allows users to block multiple media types. Additionally, Safe Block XP can provide a significant improvement in copy, deNISTing or imaging speeds because it works at the speed of the native interface.  Hardware write blockers can slow down the process and are often limited to a USB or FireWire connection.


Searching for Buried Treasure

September 25th, 2008

Searching and identifying relevant content is a common process for both electronic discovery and computer forensic investigations. But some people don’t realize the challenges associated with indexing hundreds, or even thousands, of different file types and data structures. Mapping the data landscape may not immediately indicate where the textual “treasure” is located.  Twenty years ago, full text searching was pretty simple. We usually had transcripts, and eventually optical character recognition (OCR) that was pretty straightforward to use (except for the less-than-perfect OCR results).

Today electronic based discovery requires our full text search engines to be able to extract the desired text from a wide variety of different file types, email formats, or the contents of the unallocated space on a hard drive. A common process mistake is assuming that all files are searchable.  You hope to locate the relevant data by simply indexing the contents of a hard drive, DVD, or CD and performing a quick search on relevant keywords. Although sometimes it is this simple, there are several common exceptions that will prevent a complete search:

  1. Encrypted and password protected files
  2. Embedded files, sometimes at multiple levels
  3. Archives (ZIP, RAR, and other compressed formats) and mail stores
  4. Deleted files (some fully recoverable, and some with only minimal artifacts)
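The first three exceptions share a practical consequence: an indexer that only looks at top-level files silently reports "no hits" for content it never saw. The added example below (written for this page, not dtSearch or any product mentioned here) is a pre-indexing inventory that descends into nested ZIP archives, reports password-protected entries (the ZIP general-purpose flag bit 0), and flags opaque blobs whose byte entropy is near 8 bits per byte as likely encrypted or compressed and therefore not searchable as-is. The sample archive, its file names and the entropy threshold are constructed for the demonstration; real collections would add format-specific extractors for the "binary" class.

```python
import io
import math
import zipfile
from collections import Counter

HIGH_ENTROPY = 7.5   # bits per byte; random-looking data is encrypted or compressed (assumed threshold)
MAX_NESTING = 8      # stop descending into archives-within-archives at this depth


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """Decide whether a leaf item can be indexed directly, needs an extractor, or is opaque."""
    if not data:
        return "empty"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is not None and sum(ch.isprintable() or ch.isspace() for ch in text) >= 0.95 * len(text):
        return "text"                     # plain text: searchable as-is
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "high-entropy"             # encrypted or compressed: unsearchable until opened
    return "binary"                       # office, PDF, mail store, ...: needs a format-specific extractor


def inventory(name: str, data: bytes, depth: int = 0) -> list:
    """Return [(path, status)] for every leaf reachable from this item, descending into ZIPs."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_NESTING:
            return [(name, "nesting-limit")]
        items = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    items.append((inner, "password-protected"))
                    continue
                items.extend(inventory(inner, zf.read(info), depth + 1))
        return items
    return [(name, classify_blob(data))]


def searchability_report(name: str, data: bytes) -> dict:
    """Map each leaf path to its status so an examiner sees what the index will miss."""
    return dict(inventory(name, data))


def build_sample_collection() -> bytes:
    """Constructed sample: outer.zip holding a memo, a nested inner.zip, and an opaque blob."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.txt", "Meeting with Acme about the widget contract.")
        zf.writestr("vault.bin", bytes(range(256)) * 16)   # stands in for encrypted content
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("memo.txt", "Please find the attached notes.")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, status in searchability_report("outer.zip", build_sample_collection()).items():
        print(f"{status:20} {path}")
```

Anything reported as "password-protected", "high-entropy" or "nesting-limit" is content a keyword search cannot see, and belongs on the exceptions list for the case rather than being assumed searched.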

Both computer forensics and electronic discovery applications rely on full text search engines to locate relevant evidence. However, the common exceptions need to be handled to ensure that the content is available to the full text search software. I’ve been a fan of dtSearch for many years because it handles large file collections of up to several terabytes, has extensive file type support, and great customer service. dtSearch is also integrated into several popular litigation support and computer forensic applications.


ESI (Electronically Stored Information) Software Challenges

September 23rd, 2008

A couple weeks ago, I outlined what computer forensics and electronic discovery have in common and how they differ. I’d like to expand on this topic by identifying some common obstacles encountered when using popular computer forensic software for typical electronic discovery projects.

A typical computer forensic case may involve:

  1. A small quantity of email and/or attachments
  2. Recovered files, internet history, and user activity
  3. Registry entries
  4. Pre-fetch files
  5. Portions of unallocated space

A typical electronic discovery project may involve:

  1. Processing dozens or hundreds of custodian mailstores that results in thousands of potentially relevant emails and/or attachments
  2. Indexing hundreds of gigabytes or multiple terabytes of data
  3. Hosting data online so multiple parties can easily review, identify, and produce files
  4. Converting relevant files to tiff, endorse, and build load files compatible with common litigation support applications
  5. Deduping emails, attachments, and files across dozens of custodians

Generally speaking, the primary obstacles encountered when using off-the-shelf computer forensic software for electronic discovery are:

  1. Inability to create load files from tagged emails, attachments, and other relevant data
  2. No support for tiffing, endorsing, and assigning docIDs
  3. Missing/incomplete links between email and attachments
  4. No clear way to produce carved or partial files recovered from unallocated space

If you anticipate reviewing a large ESI collection using one of the common litigation support review tools, make sure that your service provider can process and produce compatible output files for production sets. Don’t assume that all computer forensic examiners are equipped to handle large scale ESI projects.  On the other hand, not all EED service providers have the appropriate tools to complete a thorough computer investigation.


Metadata Analysis - “Fabricated” Documents

September 16th, 2008

One of the common requests we receive is to help a client determine when a document was created, or if it existed at a specific date and time, and when it was last modified. For example, an employment dispute may involve one of the following circumstances:

  1. A memo was handed to an employee during a meeting but the employee denies s/he received the document. The document is presented but it is believed to have been created after the fact. Could the document have existed at the time of the meeting?
  2. An employee produces a document that s/he claims was received from the manager, but management denies the allegations. Did the employee create the file? Can metadata provide any answers?
  3. Bob, the sales manager for Acme Widgets Inc., was working for a competitor during his employment. How long did this go on? What does the metadata of the recovered files tell us? Can it help us track down files he potentially stole from the company?

Here are a few facts that should help to clear up many similar questions:

  1. All metadata and timestamps can be altered. Don’t base your case on the ‘Date Created’ field of a Microsoft Word document alone. Free utilities can be downloaded that can alter this and other metadata fields.
  2. If metadata was altered, it may conflict with other metadata or timestamps within the file, and such discrepancies could raise a strong suspicion.
  3. Analysis of other areas of the computer that could support or deny a claim is often required. For example, in Microsoft Windows, the index.dat files contain records of when the user opens a document. Recovering and analyzing the file access activity in the index.dat could help support claims or metadata (file access dates/times) that suggests the file was created or revised at a specific date and time.
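Point 2 can be turned into a routine check. The added example below (written for this page, not Pinpoint Labs' MetaViewer or MetaDiscover) compares the created and modified dates that a Word document carries inside its own package (docProps/core.xml in the OOXML format) against the last-write time the file system reports, and flags the two combinations that cannot occur naturally: a modified date earlier than the created date, and an embedded modified date later than the file system's last write. The sample documents and their dates are constructed; the five-minute tolerance for clock differences is an assumption, and real documents may use W3CDTF forms other than the "Z" form used here.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime, timedelta, timezone

DCTERMS = "{http://purl.org/dc/terms/}"
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties'
    ' xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
    ' xmlns:dcterms="http://purl.org/dc/terms/"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    '</cp:coreProperties>'
)


def w3cdtf(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDThh:mm:ssZ' form used in the constructed samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def write_docx(path: str, created: str, modified: str, fs_mtime: str) -> None:
    """Constructed minimal OOXML package; only docProps/core.xml matters for this check."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML.format(created=created, modified=modified))
    ts = w3cdtf(fs_mtime).timestamp()
    os.utime(path, (ts, ts))   # set the file system last-write time for the scenario


def embedded_times(path: str) -> tuple:
    """Return (created, modified) as recorded inside the document package."""
    with zipfile.ZipFile(path) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return (w3cdtf(root.findtext(DCTERMS + "created")),
            w3cdtf(root.findtext(DCTERMS + "modified")))


def timestamp_findings(path: str, tolerance: timedelta = timedelta(minutes=5)) -> list:
    """List the internal/external timestamp contradictions for one document."""
    created, modified = embedded_times(path)
    fs_mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    findings = []
    if modified < created:
        findings.append("embedded modified precedes embedded created")
    if modified > fs_mtime + tolerance:
        # the package claims an edit after the OS last wrote the file
        findings.append("embedded modified is later than filesystem last-write time")
    return findings


def run_demo() -> dict:
    """Three constructed scenarios: one consistent document and two with contradictions."""
    cases = {
        "consistent": ("2008-09-10T09:00:00Z", "2008-09-15T16:00:00Z", "2008-09-15T16:00:00Z"),
        "modified-after-write": ("2008-09-10T09:00:00Z", "2008-09-20T10:00:00Z", "2008-09-15T16:00:00Z"),
        "modified-before-created": ("2008-09-18T09:00:00Z", "2008-09-10T09:00:00Z", "2008-09-18T09:00:00Z"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, (created, modified, fs_mtime) in cases.items():
            path = os.path.join(d, f"{label}.docx")
            write_docx(path, created, modified, fs_mtime)
            results[label] = timestamp_findings(path)
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, "->", findings or "no contradictions")
```

An empty finding list does not prove the dates are genuine, since both the embedded fields and the file system times can be set freely; a contradiction, on the other hand, is exactly the kind of discrepancy point 2 describes and is what justifies looking at the other system artifacts in point 3.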

Feel free to download the Pinpoint Labs MetaViewer or MetaDiscover software and review the ‘No-Nonsense Metadata’ white paper. If you need assistance with an investigation, please email examiner@pinpointlabs.com.


ESI (Electronically Stored Information) Winds of Change

September 12th, 2008

Changes are underway in how electronically stored information (ESI) is processed and reviewed. These changes are due to the huge size of repositories - hundreds of gigabytes or multiple terabyte sizes - identified for collection and processing. Corporations and their legal counsel realize that it may not be feasible or affordable to collect and produce all the information identified in larger cases.

Several new software applications have been introduced that offer many of the same features included in popular electronic discovery software (indexing, file and email “de-duplication”, online review, searching and culling). The difference is they are designed to run as an “appliance” application on a corporate network.

What does this mean? It means collections that would have been sent out to a processing vendor are now being deduped, filtered, and produced internally. The culled native files may still be sent out for tiffing, endorsing, and building load files.  But it is a significantly reduced subset.

This is not to say that outsourcing will cease, but in the years ahead there will probably be a reduction in the amount of EED/ESI processing that is outsourced. Additionally, once a corporation has invested in the “appliance” software and the training to collect, filter and produce its collections, it will probably use them on smaller cases that were previously outsourced as well.

Systems that require a computer forensic investigation, or need to be collected by a third party, will still require individuals with the appropriate skills and credentials to image or clone media, and then analyze the contents as we do now. However, an increasing amount of electronic discovery processing will be performed at the client site with automated assistance to save time and money and to handle larger projects.


What does ‘CCE’ Mean?

August 28th, 2008

The CCE (Certified Computer Examiner) is a certification obtained through ‘The International Society of Forensic Computer Examiners’ (ISFCE). I’ve noticed that many CCE training facilities are geared towards criminal investigations, so they don’t necessarily address civil litigation processes and ESI (Electronically Stored Information) requirements. This is because the CCE was originally designed for law enforcement, and criminal cases involve child pornography, narcotics, stolen property, counterfeiting, and homicide, just to name a few.

Many CCE’s do work with law firms and understand their needs, but it’s because they gained this from their own experience or have a litigation support background. The CCE is a well respected certification; however, don’t assume that all CCE’s understand civil litigation, ESI procedures, electronic discovery and load files.

The MD5 Group, run by Jason Park, offers CCE training and is a certified CCE testing facility, located in Dallas, Texas. Jason is a veteran litigation support professional and he does an excellent job covering how computer forensics relates to civil litigation. If you or someone on your staff is looking for a strong computer forensics certification and you want a balanced approach that covers civil and criminal investigations, give Jason a call.


When is a Computer Forensic Investigation Needed? (2 of 2)

August 27th, 2008

In my previous post, I identified several primary differences between computer forensic investigations and electronic discovery processing. Next, I’d like to identify some general case categories and tasks that involve a computer forensic investigator.

Case Categories:

  • Employment disputes
  • Misuse of company computer involving pornography, gambling, blackmail and fraud
  • Embezzlement
  • Breach of contract
  • Software licensing
  • Intellectual property theft
  • Insurance fraud
  • Sexual harassment

Typical Tasks:

  • Recovering deleted files and emails
  • Internet activity analysis
  • Cell phone and smart phone analysis
  • Metadata analysis
  • Providing results, recommendations, and action plan

Even if a civil or criminal investigation doesn’t fall within these case categories, you may still need to involve a computer forensic investigator. Why? Because it is no secret that computers are used as a primary source for communication, work product, and research. The listed tasks could apply to investigating almost any suspect involved in a civil or criminal law suit.


When is a Computer Forensic Investigation Needed? (1 of 2)

August 26th, 2008

Electronic discovery and computer forensic investigations often go hand in hand. The challenge for many in the legal community is how to identify what ESI (Electronically Stored Information) requires more than typical electronic discovery processing.

First, computer investigations are technically electronic discovery, and the line between the two disciplines will continue to blur. Several key differences are:

  1. The qualifications and skills required by the individual performing collections and computer investigations
  2. Computer investigations typically recover and analyze areas of the suspect media unavailable through popular electronic discovery software
  3. Electronic discovery processing often involves a significantly larger amount of data
  4. Most computer forensic applications do not create load files or produce tiffs or electronic bates numbers
  5. Computer forensic investigations often require appropriate affidavits before the work can begin, and then extensive, detailed reports describing the processes and findings

In my next post, I will discuss the types of cases and suspect information that differentiate computer forensic investigations and typical electronic discovery processing.


Recovering Deleted Images

August 25th, 2008

There are three common scenarios in which you may want to recover deleted images:

  1. Images accessed from web sites
  2. Images downloaded by a user or obtained through file sharing applications
  3. Photos stored on a computer hard drive, camera or memory card

During a computer forensic investigation, it is common to recover tens of thousands of images from a user’s hard drive. The majority of the images will be irrelevant, because they include icons, application images, toolbar pictures, advertisements from web pages, and Windows default pictures. Images on web pages visited are cached (automatically downloaded) to the computer and later cleared, either automatically after a period of time or by a user who chooses to clear them. Images and web content are cached so that the web page will load faster the next time the user visits the website. This information can be recovered and used to recreate web mail (Yahoo, Gmail, Hotmail, etc.) and pages visited.

Valuable artifacts may be buried in this large collection of irrelevant images, both among the cached images from websites the user visited and among the pictures that were downloaded. Computer forensic examiners employ powerful recovery tools that can restore images from a variety of media.
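The recovery tools mentioned above work, at the simplest level, by carving: scanning raw disk space for image headers and reconstructing each file up to its trailer even when no directory entry points at it any more. The added example below (written for this page, not any product mentioned on it) carves JPEG and PNG files from a byte buffer. It walks the JPEG marker segments rather than stopping at the first end-of-image marker, because a camera JPEG usually carries a complete thumbnail JPEG inside its EXIF segment and the naive approach cuts the picture off at the thumbnail. The sample buffer, including the fake photo with an embedded thumbnail, the PNG and the truncated fragment, is constructed; the JPEG bodies have the right marker structure but are not decodable pictures.

```python
JPEG_SOI = b"\xff\xd8\xff"          # start of image followed by the first marker byte
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end(buf: bytes, start: int):
    """Walk the marker segments of the JPEG at `start`; return the index just past EOI, or None."""
    i, n = start + 2, len(buf)                      # skip SOI
    while i + 2 <= n:
        if buf[i] != 0xFF:
            return None                             # not a marker: corrupt or not a JPEG
        marker = buf[i + 1]
        if marker == 0xFF:                          # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                          # EOI with no scan data
            return i + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # TEM/SOI/RSTn carry no length
            i += 2
            continue
        if i + 4 > n:
            return None
        seglen = int.from_bytes(buf[i + 2:i + 4], "big")
        if seglen < 2:
            return None
        if marker == 0xDA:                          # SOS: entropy-coded data runs until EOI
            j = i + 2 + seglen                      # (0xFF inside scan data is always stuffed)
            while j + 1 < n:
                if buf[j] == 0xFF and buf[j + 1] == 0xD9:
                    return j + 2
                j += 1
            return None
        i += 2 + seglen   # APPn/DQT/DHT/SOF: skip by declared length; this steps over an EXIF thumbnail


def png_end(buf: bytes, start: int):
    """Walk PNG chunks (length, type, data, CRC) until IEND; return the index just past it, or None."""
    i = start + len(PNG_SIG)
    while i + 8 <= len(buf):
        length = int.from_bytes(buf[i:i + 4], "big")
        ctype = buf[i + 4:i + 8]
        i += 8 + length + 4
        if ctype == b"IEND":
            return i if i <= len(buf) else None
    return None


def naive_jpeg_length(buf: bytes, start: int) -> int:
    """Length the 'first EOI after SOI' approach would report; wrong when a thumbnail is embedded."""
    return buf.find(b"\xff\xd9", start) + 2 - start


def carve_images(buf: bytes) -> list:
    """Return [(offset, kind, data)] for every complete JPEG or PNG found in the buffer."""
    found, pos = [], 0
    while pos < len(buf):
        hits = [(x, k) for x, k in ((buf.find(JPEG_SOI, pos), "jpeg"),
                                    (buf.find(PNG_SIG, pos), "png")) if x >= 0]
        if not hits:
            break
        start, kind = min(hits)
        end = jpeg_end(buf, start) if kind == "jpeg" else png_end(buf, start)
        if end is None:
            pos = start + 1          # header without a valid trailer: partial artifact, keep scanning
            continue
        found.append((start, kind, buf[start:end]))
        pos = end
    return found


def _jpeg_body(scan: bytes) -> bytes:
    """Constructed DQT + SOS + scan data + EOI with correct segment lengths (not a real picture)."""
    dqt = b"\xff\xdb" + (2 + 4).to_bytes(2, "big") + b"\x00\x01\x02\x03"
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (2 + len(sos_hdr)).to_bytes(2, "big") + sos_hdr
    return dqt + sos + scan + b"\xff\xd9"


def build_sample_buffer() -> tuple:
    """Constructed raw-space sample: slack, a JPEG with an EXIF thumbnail, a PNG, and a cut-off header."""
    thumb = b"\xff\xd8" + _jpeg_body(b"\x11\x22")
    exif = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + (2 + len(exif)).to_bytes(2, "big") + exif
    photo = b"\xff\xd8" + app1 + _jpeg_body(b"\x10\x20\x30\x40")
    ihdr = (13).to_bytes(4, "big") + b"IHDR" + bytes(13) + b"\x00\x00\x00\x00"
    iend = (0).to_bytes(4, "big") + b"IEND" + b"\xaeB`\x82"
    png = PNG_SIG + ihdr + iend
    buf = bytes(37) + photo + b"\xab" * 11 + png + bytes(5) + b"\xff\xd8\xff\xe0"
    return buf, photo, png


if __name__ == "__main__":
    buf, photo, png = build_sample_buffer()
    for offset, kind, data in carve_images(buf):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
    print("naive length for the photo:", naive_jpeg_length(buf, 37), "vs", len(photo))
```

The truncated header at the end of the buffer is deliberately not returned as an image; in practice an examiner still wants it reported as a partial artifact, which is what the text means by files recoverable only as fragments.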
