Anti-Forensics?

The typical role of a forensic examiner is to find exculpatory information as designated by a discovery order.  It is common to receive a list of terms that are of interest to the attorney, and then the search begins.  But what happens when you need to find what isn’t there anymore?

More importantly, why isn’t it there anymore?

According to the Ohio Revised Code:

2921.12 Tampering with evidence.

(A) No person, knowing that an official proceeding or investigation is in progress, or is about to be or likely to be instituted, shall do any of the following:

(1) Alter, destroy, conceal, or remove any record, document, or thing, with purpose to impair its value or availability as evidence in such proceeding or investigation;

(2) Make, present, or use any record, document, or thing, knowing it to be false and with purpose to mislead a public official who is or may be engaged in such proceeding or investigation, or with purpose to corrupt the outcome of any such proceeding or investigation.

Now why am I telling you, an attorney, that which you know so well?  Because there are a lot of ways to hide things that you may not be familiar with.

There are also quite a few ways to casually (or not so casually) destroy potential evidence.

I have been a forensic examiner for many years, and I have used many tools during that time to assist me in my job.  As the profession of computer forensics has become more widely known, it is no surprise that a group of tools would be created to thwart the efforts of the would-be examiner.  These tools, though seldom advertised as such, are known as “anti-forensics”.  Their very job is to destroy or obfuscate information so that it would be of no use in a legal proceeding.

This is a two-edged sword.  Whereas I have no problem with people using software designed to destroy information for the purpose of thwarting identity thieves, or protecting themselves from people that might be involved in industrial espionage, it is obviously a crime to use these methods, software, or hardware devices to alter or destroy information sought by the court.

Though ignorance of the law is not an officially accepted excuse (for almost anything), it would be better to remove the specter of ignorance from a custodian’s claims by being specific in an order designed to elicit information.

Litigation holds (also known as “preservation orders” or “hold orders”) are designed to inform a party that it must preserve any and all information regarding a potential discovery order.  Generally, the court order is written in such a broad fashion as to cover any potentially discoverable information.  What it never includes (at least as far as we have seen) is a prohibition against employing any software, hardware, or method that is “anti-forensic” in nature.  This is an important concern, because many potential custodians employ their own software in a corporate environment which is designed to obfuscate their actions.  This software may be in use outside of the purview of the corporate IT department, and as such would fall outside the scope of a corporate retention policy.

Typical examples of common packages in use include:

  • Window Washer
  • CCleaner
  • FileShredder

Software that is less common, but very powerful, includes:

  • Tracks Erase Pro
  • Declasfy
  • Evidence Eliminator

By specifying the prohibition of any tools which could obfuscate or destroy data in the preservation order, you give yourself more tools should a case of spoliation occur, and you also aid the Custodian in understanding what is and what is not permissible.

Advanced forensic analysis is often able to uncover the use of such methods; however, the investigator must be familiar with the “footprints” that these products often leave.  If you were to walk into a room where a couch was recently removed, there would be imprints on the carpet where the couch was.  In much the same way, when we are examining a hard drive, we are not only looking for what is there, we are also looking for the remnants of what USED to be there.

–Many thanks to my editor, Mark Kruse


What does my smart phone know about me? (And what do I know about it?)

As a Certified Computer Examiner, and a Mobile Certified Examiner, I have the opportunity to look into all kinds of devices looking for information which is responsive to a subpoena and has probative value.  I tend to forget that most folks don’t realize what is in their device.  I was asked to look at a website today to determine if I could tell when it was accessed and by whom.  Simple enough – I went to the access logs of the site, and found exactly what I was looking for.  Well, that seems straightforward enough, doesn’t it?

I was a little surprised at the reaction of the attorney I was working with, until I realized that most folks don’t know what information that their Smart Phone is willing to give up.

I was able to tell the attorney:

  1. What type of phone the user had
  2. What browser they were using
  3. What they searched on their telephone to find the website in question
  4. Their GPS coordinates when the request was made
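The four facts listed above all sit in one line of a normal web-server access log. The following is an added example (not code from the original post) that pulls them out of a constructed line in Apache “combined” log format. The User-Agent and Referer headers are real parts of that format; the `lat`/`lon` query parameters are an assumption about this particular site, which would have to read the browser’s location and pass it in the URL for coordinates to reach the log at all.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample line in Apache "combined" log format (not from the original post).
# Assumption: the site reads the browser's location and passes it as lat/lon query
# parameters; that is the only way the coordinates end up in a server log.
SAMPLE_LOG = (
    '203.0.113.45 - - [12/Mar/2012:14:22:07 -0400] '
    '"GET /contact.html?lat=41.4993&lon=-81.6944 HTTP/1.1" 200 5123 '
    '"http://www.google.com/search?q=ohio+forensic+examiner&hl=en" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 '
    '(KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3"'
)

# Fields of the combined log format: client IP, identd, user, timestamp, request line,
# status, size, Referer header, User-Agent header.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Search engines carry the typed query in a well-known parameter of the results URL,
# which the browser then sends along as the Referer.
SEARCH_PARAMS = ("q", "p", "query")


def device_and_browser(agent):
    """Coarse classification of the User-Agent header (heuristic, not exhaustive)."""
    device = "unknown"
    for marker in ("iPhone", "iPad", "Android", "BlackBerry", "Windows Phone"):
        if marker in agent:
            device = marker
            break
    if "Chrome" in agent:
        browser = "Chrome"
    elif "Firefox" in agent:
        browser = "Firefox"
    elif "Safari" in agent:      # Chrome also advertises Safari, so it is checked after Chrome
        browser = "Safari"
    else:
        browser = "unknown"
    return device, browser


def search_terms(referer):
    """Recover the phrase the visitor searched for, if the Referer is a search results page."""
    query = parse_qs(urlparse(referer).query)
    for key in SEARCH_PARAMS:
        if key in query:
            return query[key][0]
    return None


def location(path):
    """Read lat/lon from the requested URL's query string, if present (assumed site design)."""
    query = parse_qs(urlparse(path).query)
    if "lat" in query and "lon" in query:
        return float(query["lat"][0]), float(query["lon"][0])
    return None


def analyze(line):
    """Return what a single access-log line reveals about the visitor."""
    m = COMBINED.match(line)
    if not m:
        raise ValueError("line is not in combined log format")
    device, browser = device_and_browser(m["agent"])
    return {
        "ip": m["ip"],
        "time": m["time"],
        "device": device,
        "browser": browser,
        "search_terms": search_terms(m["referer"]),
        "location": location(m["path"]),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:13} {value}")
```

Run against a real log, the same function shows a site owner exactly what every visitor’s phone has been handing over; the device and browser guesses are deliberately simple string checks and should be treated as indicators, not identification.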

Rule 26, Rule 37, HIKE!

Technical information to assist you in a Rule 26 Conference.

It is not always practical to take a forensic examiner to your Rule 26 Conferences – but if you can, we recommend it highly.  If you can’t however, there are some issues that you will want to include in your evidentiary requests.

You will undoubtedly ask for information from computers that are a target of the discovery process – however, did you know that you can also request a list of devices that were attached to that computer so that they can also be included in your discovery request?  On Windows-based computers, the registry tracks the removable devices that have been attached to the computer – and in many cases, includes the serial number of the device.  So when you ask for all of the thumb drives, or external USB drives used on a computer, you will actually know whether the drives produced are the ones that were used, or whether they were simply purchased earlier that day.
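The registry location in question is the USBSTOR key under the SYSTEM hive. The following is an added example (not code from the original post) that parses a text export of that key, as produced by Windows’ `reg export`, into vendor, product and serial number, and notes when a device reported no serial, in which case Windows generates an instance ID with an ampersand in the second position and the “serial” cannot be matched to a physical drive. The key path is the real Windows location; the two devices in the sample export are made up.

```python
import re

# Constructed excerpt in the format written by "reg export" of the USBSTOR key
# (real key path, made-up devices). Real exports are UTF-16 text; read them with
# open(path, encoding="utf-16") before passing the contents in.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"Service"="disk"
"""

# A device key looks like [...\USBSTOR\<model>\<instance>]
KEY_RE = re.compile(r"^\[.*\\USBSTOR\\(?P<model>[^\\]+)\\(?P<instance>[^\]]+)\]$")
FRIENDLY_RE = re.compile(r'^"FriendlyName"="(?P<name>.*)"$')


def parse_model(model):
    """Split 'Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00' into type, vendor, product, revision."""
    parts = model.split("&")
    fields = {"type": parts[0]}
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    for part in parts[1:]:
        prefix, _, value = part.partition("_")
        fields[names.get(prefix, prefix)] = value.replace("_", " ")
    return fields


def parse_instance(instance):
    """The instance ID is the device's serial followed by '&0'. If the second character
    is '&', the device reported no serial and Windows generated the ID instead."""
    if len(instance) > 1 and instance[1] == "&":
        return {"serial": None, "serial_reported": False, "instance_id": instance}
    return {"serial": instance.rsplit("&", 1)[0], "serial_reported": True, "instance_id": instance}


def parse_usbstor_export(text):
    """Return one record per USB storage device found in the export text."""
    devices = []
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = {**parse_model(key["model"]), **parse_instance(key["instance"]),
                       "friendly_name": None}
            devices.append(current)
            continue
        friendly = FRIENDLY_RE.match(line)
        if friendly and current is not None:
            current["friendly_name"] = friendly["name"]
    return devices


if __name__ == "__main__":
    for dev in parse_usbstor_export(SAMPLE_EXPORT):
        tag = dev["serial"] if dev["serial_reported"] else "(no serial reported)"
        print(f'{dev["vendor"]} {dev["product"]} rev {dev["revision"]}: {tag}')
```

A device whose record says “no serial reported” can still be matched by vendor and product, but not uniquely, which is worth knowing before a discovery request is written around serial numbers.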

Certainly you will ask for any mobile phones that may contain valuable evidence, but did you know that most corporate email systems track the devices that attach to them to pull data?  A simple request to the IT department for a list of all devices that a user used to attach to corporate resources takes the guesswork out of how many devices – personal or corporate – were used to access information from a protected source.

Backups are the bane of existence for many people and the companies that they work for.  With the advent of the Safe-Harbor clause in Rule 37, people can often declare that data does not exist because it was purged in accordance with corporate retention policies and therefore they are unable to comply with requests.  However, if the data purge that is in accordance with the corporate retention policy is unchecked and automatic, a litigation hold order might inadvertently be neglected.  It is wise to involve the company’s IT personnel at the time of the hold so they can exclude or suspend the retention policy with respect to the information sought.

Another item which must be considered is something called Shadow Copies.  With respect to Windows-based computers, Shadow Copies may exist on workstations which will allow you to “go back in time” to see revisions of documents.  This same technology may also be present on Macs using a built-in program called “Time Machine”, which is an image-based backup that often occurs automatically.  It is wise to query if a “Time Capsule”, or other such storage medium, is/was in use.

Finally, copies vs. images is a topic that must be discussed.  Historically we refer to images as pictures, or graphics; however, in the context of evidentiary discovery, it is something completely different.  If you are to request copies of documents in a proceeding, you will not have a lot of the information that you may require.  If, on the other hand, you request a forensic image, the forensic examiner will create a complete “image” of the storage medium which will include deleted files, metadata, and other information that will not be found in copied documents.  In addition, a qualified forensic examiner will create a hash, or digital fingerprint, of the device to ensure that the original drive and the forensic copy are identical, thus aiding in admissibility.
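The hash step works like this: the examiner hashes the original drive once at acquisition and records the values; anyone holding the image later can recompute its hash and compare. The following is an added example (not code from the original post) that does both halves in Python, reading in fixed-size chunks so a drive image larger than memory can be verified, and computing MD5 and SHA-256 in a single pass because verification records commonly list both. The `demo()` scenario with a faithful image and a one-byte-altered image is constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024   # one megabyte per read: an image never has to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file (or a raw device node such as /dev/sdb) with several algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(acquisition_hashes, image_path):
    """Recompute the image's hashes and compare them with the values recorded at acquisition.
    Returns (all_match, {algorithm: (recorded, recomputed, match)})."""
    current = hash_file(image_path, tuple(acquisition_hashes))
    report = {
        name: (acquisition_hashes[name], current[name], acquisition_hashes[name] == current[name])
        for name in acquisition_hashes
    }
    return all(match for _, _, match in report.values()), report


def demo():
    """Constructed scenario: a 'source drive' file, a faithful image of it, and an altered image."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        image = os.path.join(tmp, "image.dd")
        altered = os.path.join(tmp, "altered.dd")
        data = (b"EVIDENCE" * 4096) + b"\x00" * 12345      # made-up drive contents
        for path in (source, image):
            with open(path, "wb") as f:
                f.write(data)
        with open(altered, "wb") as f:
            f.write(data[:-1] + b"\x01")                     # a single byte differs
        recorded = hash_file(source)                         # recorded at acquisition time
        return {
            "acquisition": recorded,
            "image_matches": verify_image(recorded, image)[0],
            "altered_matches": verify_image(recorded, altered)[0],
        }


if __name__ == "__main__":
    result = demo()
    print("recorded:", result["acquisition"])
    print("faithful image verifies:", result["image_matches"])
    print("altered image verifies: ", result["altered_matches"])
```

The one-byte change in the altered copy flips every hash, which is the point: a matching hash says the image is bit-for-bit what was acquired, and a mismatch says it is not, without saying where.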

So if you can’t take your tech, take these suggestions with you.  It isn’t everything there is to know, but it might just be what you need to make your case.


BYOD – A Legal Perspective

BYOD, or “Bring Your Own Device”, is a topic that is gaining all kinds of interest, though as of yet, there is very little case law referencing it.  However, that doesn’t mean that the prepared attorney has to wait for a judge to rule against your client.

The pros and cons of such an arrangement are discussed in our blog “BYOD – Bring Your Own Device,  or Bought Your Own Disaster …. ??”, which you can read here.

The thing is, you have clients to protect, and to do that we have to know what the options are.  At the heart of any workplace dispute is the corporate handbook which outlines the Acceptable Use Policy.  This is the policy that states that computing devices of the company are to be used strictly for the business operations of the company, and the employee acknowledges that all information contained on the computers of the company belongs to the company, and the employee should expect to enjoy no expectation of privacy.  Your clients have one of those, right?  I am sure that they will shortly if they don’t now.

The acceptable use policy is typically broad enough to cover all of the devices that are owned by the company, however the question becomes a little different if the company is expecting/permitting/requesting the employee to use their own personal equipment for corporate gain.

This is the time for a very specific outline of expectations and a reasonable and enforceable plan of action should the employment condition be altered by one party or another.

What many folks do not know is that most corporate electronic mail systems have the ability to remotely destroy all of the information on a corporately attached device.  This means that if your employee is getting their corporate email on their personal device, the Technology Department of your company likely has the ability to destroy that phone.  The idea is that, should a corporate executive with the secret sauce recipe of his company on his phone lose the device in a New York cab, he can simply call the IT department and have them perform a remote “wipe” of the device.  This will destroy ALL information on the phone, keeping the sauce recipe safe from prying eyes.  The ramifications of this ability, however, can be legally problematic if the employee is not notified that this ability exists and does not acknowledge it through the acceptable use agreement.  Should the employee be terminated, the IT department may be instructed to destroy the device as it has sensitive corporate data on it.  The problem is that it may have also had the last text from a deceased relative that could never be replaced.

Many people believe that if an employee does not sign a waiver which explicitly absolves the employer of damages for a remote wipe, that the employee has grounds for a lawsuit.

But these devices are not just phones.  iPads, iPods, Surface, Tablets, and laptops are all devices that could contain corporate information.  These all must be taken into consideration when crafting an Acceptable Use document, and any accompanying waivers of liability.

The other workplace concern is the access of confidential information on a personal OR corporate device by the police if the holder is arrested.  The Supreme Court of California recently upheld the warrantless search of mobile phone text messages in People v. Diaz, 51 Cal. 4th 84 (2011).  The decision places little to no restrictions on the data police officials may access when searching an arrestee’s devices.  This could open a world of problems should the information on the device be sensitive and unencrypted.

The subject in this case involved searching text messages on a phone; however, there is no limitation which would prohibit accessing confidential emails, documents, and voicemail messages that may contain private business or client information and/or information of a personal nature.  Telephones are not the only devices which may be at risk: flash drives, digital cameras, and laptops found on the person may also be searched.

In conclusion, the choices are very clear: either prohibit the use of personal devices to perform business operations, or write a very inclusive Acceptable Use Policy and waiver which the employee must sign.


BYOD – Bring Your Own Device, or Bought Your Own Disaster?

It seems that the talk of business is BYOD – employees don’t want to carry two phones – employers don’t want to buy phones for employees … what to do, what to do …

Here is a thought!  Let’s bring our own devices, iPhones, iPads, Blackberries, and Droids to work and get our corporate email on there!

Here is a thought!  Let’s tell our employees we will give them $25.00/month to use their own personal devices for corporate email and we won’t have to buy them phones!

And how wonderful that is, the win-win proposition of business.  What could be bad with that?

Well – it may not be a bad thing at all, as long as the employees and the employer are both pleased with the employment arrangement that they have entered into.  But suppose, one day, the rose-colored glasses break, and it is time to change the employment arrangement. Most of the time, either the employer or the employee knows when this is going to happen before the other one does.  They both know, however, that some of the data on the phone is personal and some of it is corporate.

We now have an electronic data child custody battle.  I’ll bet you weren’t ready for this when the whole BYOD idea came up.

From a corporate perspective, the data on that phone needs to be wiped – but you can’t do that without wiping the whole phone, and those cute little pictures of the puppies the phone owner took this morning will be lost.  That will not go over well.

From a personal perspective, that phone belongs to me, and so does everything on it.  I’m not tech-savvy and I don’t know how to back it up, but I’m not asking my ex-company for help.

So, Solomon, the baby is in front of you … what do you do?

It would not be uncommon for both sides to have attorneys to represent their interests – so what will you do?  Will you, the employee, hand over your phone to be wiped and lose all of your personal information?  Do you want them to see the texts that say that your boss is an idiot?  Or perhaps the not-so-flattering pictures you took of a co-worker (who wants to continue being employed) when you were out last weekend?

Will you, the company owner, be comfortable with the employee you fired saying “don’t worry, I’m not upset over this, I’d be happy to erase all of your critical data that I have on my device”?

No, there is no good answer in this situation.  How did we get here?  Oh, that is right, we wanted a little more convenience and to save a little more money.

My advice is simple: don’t do it.  If you need your employees to have mobile devices, then provide them.  If they don’t want to carry two devices, then they can leave their personal phones at home, or in their car.  It might cost you an extra $50.00/month, but your attorney bills will consume 3 years of that in one day of legal work.  As an employee, I value my right to privacy too much to allow corporate interests to infringe upon my personal life.  Yes, they would give me money per month to defray my data costs, but my rights are not for sale.

At the very least, when you are tempted to enter into such an arrangement, consult your attorney for legal advice.


Do you suffer from “Too Quick to Click” Syndrome?

The perils of being “too quick to click”…

We have all gotten them – those familiar-looking emails from banks, facebook, twitter, that all turn out to be less than genuine.  The tactics they use are designed to make you act quickly: someone has compromised your account, someone made a withdrawal, YOU have cancelled your facebook account.  These outrageous claims are designed to make you want to correct the problem IMMEDIATELY.  That is exactly what these ne’er-do-wells are seeking to do: get you to CLICK HERE before you think.

I am an advocate of knowledge.  To quote a movie icon, “knowledge is good”.  Unfortunately, the evil people of this world watched another movie quoting that “greed is good”.  Knowledge will win in this arena.

When I showed an email to someone this morning, she made the comment “If these criminals ever get to the place where their English is good, then how will people know they are being scammed?”

It is a good question.  There are still some good indicators that will tell you, and there are some FINE rules that you should employ.  They may seem like common sense, but to be honest, good sense is not common – it only seems that way if you are sensible in the arena being analyzed.  You would not want to rely on my common sense in a brain surgery scenario.

  1. NEVER respond to an email from your bank.  Call them.  Do NOT use the phone number provided in the email.  It is on the back of your credit card, AND information (411) has the branch number.
  2. ALWAYS look at the FROM and TO addresses.  If it is from elfdevil@wearecrooks.com, then it should be avoided.  The good ones will try security@facebook.com.euro.net ← this is NOT an address at facebook.  ALWAYS read the address from right to left.  The last two items are the domain it came from.  In this instance – EURO.NET – they can put anything that they want to add to the left of the domain.  So just because it has the word facebook in it, that means nothing.
  3. Look at the TO address.  Is it yours?  If it isn’t, discard it.
  4. Check the grammar – many of these emails are poorly written.  You may not have gotten an A in English, but these are pretty hard to miss.  “You account have be disabled” is not something you would expect from your vendor.  If they really write this way, move your money.
  5. IF there is a link in a suspicious email, don’t use it.  It takes only a minute to look up the correct address of the institution in question.
  6. And finally, if you WERE really related to a Royal Family in Africa, you would have heard about it by now … don’t fall victim to bank transfers and the promise of instant wealth.
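Rule 2, read from right to left, is mechanical enough to put in code. The following is an added example (not code from the original post) that extracts the domain a message really came from and classifies the sender against the brand it claims to be. It goes slightly beyond the rule’s “last two items” by also handling domains such as `mybank.co.uk`, where the registrable name is three labels long; the short `MULTI_LABEL_SUFFIXES` set is an assumed stand-in for the full Public Suffix List, and the brand-to-domain mapping passed in is the caller’s own list of domains the institution actually uses.

```python
# Assumption: a tiny stand-in for the Public Suffix List. Real tooling should load the
# complete list; these entries only show why "last two labels" is not always enough.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(address_or_host):
    """Read the host from the right: the public suffix plus one more label is the
    domain the mail actually came from. Everything to its left is the sender's choice."""
    host = address_or_host.rsplit("@", 1)[-1].strip(" <>").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(address, brand, legitimate_domains):
    """Classify a From: address relative to the brand it appears to come from.
    'trusted' - the real domain is one the brand actually owns
    'spoof'   - the brand's name appears somewhere, but the real domain is not the brand's
    'unknown' - no brand reference at all; not proven bad, just not the brand"""
    real = registrable_domain(address)
    if real in {d.lower() for d in legitimate_domains}:
        return "trusted"
    if brand.lower() in address.lower():
        return "spoof"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples; the first two come from the rules above, the rest are added.
    facebook = {"facebook.com"}
    for sender in ("security@facebook.com.euro.net", "elfdevil@wearecrooks.com",
                   "notification@facebook.com", "alerts@facebook-security.com"):
        print(f"{sender:35} real domain: {registrable_domain(sender):20} "
              f"verdict: {check_sender(sender, 'facebook', facebook)}")
```

The verdicts are only as good as the list of legitimate domains supplied, and a “trusted” result means the address is in the right domain, not that the message is genuine; header From: lines can be forged, which is why rule 1 still says to call the number on the card.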

So there you have it, a small dose of “common sense”… don’t feel bad if you didn’t know it before, instead be happy that you do now !!


Windows 8 – WHERE THE H#LL IS MY START BUTTON ??

Funny the thing people notice most.  In Windows XP we got the START button.  How great, we knew where to start.  In Windows 7 it was replaced by the Windows Button – it didn’t say START anymore, but we all knew what it really was.

Now we have no button … or do we ?

I really didn’t want to take the work of anybody else, I mean, with the election and all, I’ve had my fill of what other people were telling me was true.  They had an agenda.  I do not.

Let’s be real clear about this.  I do not care what tool you use to compute.  I use a lot of different tools, because I find that I must be facile in a variety of environments.  That being said, please resist telling me “just use a mac” … I already do.

Since I have a natural distrust of new things from ANY manufacturer, I wanted to try it myself.  I took an extra hard drive (because I have that sort of thing lying about), and plugged it into my laptop.  I loaded Windows 8 and here is what I found :

10:30am : begin load
10:33am : verify time, date, and keycode
10:37am : begin installation
10:48am : booting into O/S
10:49am : reboot
10:53am : 4 attempts at the CAPTCHA query before succeeding
10:54am : preparing PC (Pretty screen colors)
10:55am : installing APPS
10:56am : LET’S START
10:59am : setup mail account from my exchange server
11:00am : testing

SO, in 30 minutes, I was able to format a drive, install Windows, and start using it. Kudos to Microsoft for making that part faster.  But getting to someplace new quickly isn’t always what it is cracked up to be.

I can’t help but mention this, though.  I understand CAPTCHA challenge boxes (you know, type these two words that look like graffiti painted by a dog hyped up on coffee), but why do we need them while installing an operating system?  Are we really that concerned that a computer is going to automate this process and leave us mortals out of the mix? (which might be cool, by the way).  Note to Microsoft … STOP IT.

Let’s talk about the interface.  Do you like Windows Phone?  You will love Windows 8.  Do you like the idea of an APP store and iCloud?  You will love the Microsoft APP store and SkyDrive.

Do you like change?  That would be helpful.

Windows 8 has icon tiles instead of menu items.  Some of them, like the weather, are live icon tiles and will show you current conditions.  This is not unlike the same feature on your iPhone.  Coincidence?  Nahhh.

You may not like some of the icon tiles – no problem, right click it and a toolbar will appear at the bottom of the screen where you can unpin it (or uninstall it).

If you move your mouse to the RIGHT side of the screen, another menu will appear that lets you modify your screen settings and some of the computer’s settings.  It seems like there is something new on each side of the screen.  The more compelling issue, however, is what happens if you RIGHT click where the START button USED to be.  THEN you will get a menu of things that you will find helpful.  If nothing else in this article will help you, THIS WILL.

Ok, that was fun.  Time to shut down.  Counter-intuitive as it used to be, we are used to clicking the START button when it is time to stop.  Microsoft has fixed that problem by removing it.  However, it might be nice to end this session.  Don’t hit the power button yet … there is a right way to do this.

  1. Mouse over to the lower right corner of the screen. (You can also move your mouse cursor to the upper left corner; same result. Or, you can press Windows-C on your keyboard.)
  2. In the slide-out menu (known as the Charms Bar – ostensibly because it looks like charms from a charm bracelet) that appears, click Settings.
  3. Click the Power button, and then click your desired action: Sleep, Shut down, or Update and restart.

On our next time together, we will install some apps …

Micro Systems Management’s opinion on Windows 8:

  • It appears to be faster than Windows 7 and also requires fewer resources to run.
  • Windows 8 boots faster than Windows 7 and hosts a variety of new tools.
  • This is a brand-new version of Windows that was designed for people using Microsoft phones & tablets (touch screen enabled), and does not look or function at all like previous Windows versions.

In summary, we suggest that you wait a couple of months before purchasing.  But if you can’t wait and want to sit down with one of our staff and get a personalized tour, call and we will set up an appointment!


The New Internet has come – are you ready for it?

(this article originally published on 6/27/12)

The internet has just evolved in a really important way that’s going to affect your business. People are even going so far as to call IPv6 “The New Internet” because it’s completely revolutionizing the way the world transmits and receives information online – and yet, most of your everyday users will never hear about it or notice that anything’s different. And if you’re a tween who only uses the internet to play World of Warcraft, or a sorority girl who thinks of her Macbook as a “Facebook machine” – that’s probably fine. However, if your business or professional life relies on the internet, you’re going to want to pay attention.

IPv6 stands for “Internet Protocol Version 6.” Most of the online world is running on Internet Protocol Version 4, which, believe it or not, has been running since the late 1970s, unlike your beloved El Camino. (Don’t ask what happened to Version 5; the answer’s really boring.) As you might guess by the use of the word “protocol,” IPs are basically the rules that dictate how anything with an internet connection gets and sends out information. Of course, they used to just apply to computers, but now we have smartphones, Androids, tablets, gaming consoles, netbooks, e-readers – heck, I bet you could find cookware with an internet connection, if you looked hard enough. I love to use metaphors, so, if we think of the internet as a series of roads and highways, it now has more “cars” – internet-using appliances – on it than ever before. Internet usage has absolutely exploded in the past decade or so, to the point where, apparently, even the entire royal family of Nigeria has gotten email accounts. With increased “cars” (and therefore increased “traffic”) has come a number of problems that didn’t exist when the internet was just boring old DARPAnet back in the day.

The biggest problem with IPv4, in essence, is that there simply aren’t enough “license plates” to go around. Anything that communicates on the internet has to have what’s called an IP address, which, like the license plate on your Camry, is a series of numbers that allows the vehicle to be identified. An IP address is a way of identifying who’s doing what on the internet, which is a vital element for technological security these days. But, whatever it is you’re doing on the internet, your device has to have one or it won’t work. So they’re pretty important, and, unfortunately, they’re running out. In fact, if you go to IPv6Forum.com, you’ll see something on the left-hand side labeled “IPv4 Exhaustion Counter,” which is simply a doomsday-like countdown until all the IP addresses in a given geographic region are going to be used up, and there will not be room for even one more smartphone to get on the internet. Anyone who buys a smartphone after that line has been crossed will be destined to accidentally eat at poorly-Yelp-reviewed restaurants for the rest of their days, and there’s nothing they can do about it. Unless they want to move to Antarctica. (Good luck finding any restaurants there.)

But not so fast, says IPv6, cape billowing in the breeze, for I have enough IP addresses for all! (3.4×10^38 of them, in fact, which means that every single person of the world’s 2011 population [7 billion] – individually – could have 4.8×10^28 of them. Holy exponential numbers, Batman!) Preventing IPv4 address exhaustion is the main reason why IPv6 had to be invented, but it does a lot more than just provide more “licenses” for the growing number of “cars.” It’s created a whole new set of data transmission capabilities that never existed before, and it’s made some of IPv4’s preexisting capabilities much faster and more efficient. If you’re interested in the technical jargon, you can show off to your friends and say it allows for things like new routing capabilities (including route aggregation), makes renumbering an existing network for a new connectivity provider MUCH easier, and it has improved multicasting abilities with new bells and whistles. (And even if you don’t know what those things are, they do sound impressive, don’t they?)

What you probably don’t know is: IPv6 is already here. June 6, 2012, was the World Launch Day, which means that there is a chunk of the world’s internet devices out there that have already been transitioned from v4 to v6. The world’s largest internet service providers, hardware manufacturers, and web content providers have already begun transitioning the world’s main data centers and routes of data transmission to v6.

Here’s the part where you come in, so pay attention! The world, at a point in the not-too-distant future, is going to be using IPv6 on the vast majority (if not the entirety) of their internet devices. But you will need to manually convert your servers, DNS servers, routers, etc. to IPv6 if you want to be able to communicate with the rest of the world. You may have heard it said that routers and computer devices “talk” to one another, in a manner of speaking, and you’re going to need your devices to be able to “speak” and “understand” both IPv4 and IPv6 systems (what we would call backwards compatibility). For instance, if your router hasn’t been converted from IPv4 to IPv6 compatibility, it isn’t going to be able to communicate with any device bearing an IPv6 address (which will be most of them, pretty soon, because, as we mentioned earlier, there aren’t many more IPv4 addresses to be had).

Now, manually converting your devices sounds like work, and it is (sorry), but it’s not really optional if you’re making any attempt at network security. The transition has already begun, and if your devices aren’t actively transitioned with it, they’re going to be security risks for your networks, devices, and data. Routers and infrastructures that have been designed around IPv4 technology have new vulnerabilities, because they’re now less advanced than the systems they’ll be running. Because the very format of IP addresses has changed with IPv6, this also means that legal tools for tracking IP addresses (and safeguards within your routers and servers) will need to be redesigned as well.
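The last point, that tools which track IP addresses need redesigning, is easy to demonstrate. The following is an added example (not code from the article) that runs a dotted-quad extractor of the kind older log tools use against four constructed access-log lines and shows it blind to every IPv6 client, then does the same job with Python’s `ipaddress` module, which also collapses the long and short spellings of one IPv6 address into a single identity and unwraps IPv4-mapped addresses. It also reproduces the article’s addresses-per-person figure from 2^128 and the 2011 population it cites.

```python
import ipaddress
import re

# Constructed access-log lines (not from the article): one IPv4 client, one IPv6 client that
# appears once in full notation and once compressed, and one IPv4 host reaching a dual-stack
# server as an IPv4-mapped IPv6 address.
SAMPLE_LINES = [
    '203.0.113.45 - - [27/Jun/2012:09:01:11 -0400] "GET / HTTP/1.1" 200 512',
    '2001:0db8:0000:0000:0000:0000:0000:0001 - - [27/Jun/2012:09:02:30 -0400] "GET /login HTTP/1.1" 200 512',
    '2001:db8::1 - - [27/Jun/2012:09:02:45 -0400] "POST /login HTTP/1.1" 302 0',
    '::ffff:198.51.100.7 - - [27/Jun/2012:09:03:02 -0400] "GET / HTTP/1.1" 200 512',
]

IPV4_ONLY = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\b")


def extract_v4_only(line):
    """The pre-IPv6 approach: a dotted-quad regex. Returns None for any IPv6 client,
    so those requests silently vanish from any report built on it."""
    m = IPV4_ONLY.match(line)
    return m.group(0) if m else None


def extract_client(line):
    """Family-agnostic: parse the first token with ipaddress, emit the canonical spelling
    (so 2001:0db8:...:0001 and 2001:db8::1 are one host), and unwrap IPv4-mapped
    IPv6 so a dual-stack server's log attributes the request to the real IPv4 host."""
    token = line.split(" ", 1)[0]
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def count_by_client(lines):
    """Requests per client, keyed by canonical address."""
    counts = {}
    for line in lines:
        client = extract_client(line)
        if client is not None:
            counts[client] = counts.get(client, 0) + 1
    return counts


def addresses_per_person(population=7_000_000_000):
    """The article's figure: the IPv6 address space (2**128) shared out over the 2011 population."""
    return 2 ** 128 / population


if __name__ == "__main__":
    print("v4-only extractor:", [extract_v4_only(l) for l in SAMPLE_LINES])
    print("family-agnostic:  ", count_by_client(SAMPLE_LINES))
    print(f"IPv6 addresses per person: {addresses_per_person():.1e}")
```

Any allow-list, rate limit or audit report that keys on the raw address string inherits the same two problems, missing IPv6 entirely or counting one host twice, which is the practical reason the safeguards in routers and servers need the same rework as the tracking tools.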


Predictive coding: the future of electronic discovery?

(this article originally published 6/20/12)

If you keep up with news of the legal technology world, you’ve already heard about something called predictive coding, and about why it’s a game-changer in the field of eDiscovery (electronic discovery). And with recent legal cases both showing federal support of the technology and attempting to regulate its use, the judicial system seems to assume it’s here to stay.

And why shouldn’t it?

Why We Love It

Let’s say ne’er-do-well John E. Guilt got caught embezzling company funds and is being brought to court for it. He doesn’t much like the idea of jail time and is claiming innocence, the greedy rascal. Prosecutors are now faced with the task of sifting through all his personal and company emails from the last five years to look for evidence, which wouldn’t be so bad if there weren’t 3 million of those to go through before the case against him can be fully prepared (a relatively normal figure). And, with recent legal events like the rulings of Judges Peck and Carter in da Silva Moore v. Publicis Groupe (which supported a preference for the use of current predictive coding software over manual review techniques) and the US v. Metter et al ruling (which limits the amount of time prosecution can take to analyze and present electronic evidence), the prosecutors handling Mr. Guilt’s case are most likely going to turn to predictive coding to help them churn out their evidence on time.

Mr. Guilt’s prosecutors use a well-known predictive-coding software like Recommind’s Axcelerate, plug in Mr. Guilt’s emails, babysit it for the first few trial runs, then sit back and wait for their results to pop out. It gets through them in a few days (rather than the months a team of poorly-equipped manual reviewers might have taken), organizes those results for efficient access, cross-lists pieces of related information, avoids the false positives and negatives that generally come from manual review, automatically prioritizes documents by importance, and does it all 60-90% faster and cheaper than the team of unmotivated, underpaid interns who would have done the job using clumsy keyword-based searches in years past. The cherry on top? Axcelerate does it all with higher consistency and quality than any manual review team armed with a notepad and Google-type search engine ever could. What’s not to love?

Why We’re Not Pinning Our Hopes and Dreams On It

Your much-abused interns (and, especially, the third-party computer-forensic investigator that you’ve hired to help nail Johnny Guilt) have more going for them than you may realize. While companies like Recommind are quick to point out that manual review misses 25-50% of documents, they don’t claim it’s perfect, either – in fact, as Recommind’s Craig Carpenter puts it, “perfection is not the goal” compared to improvement over manual review. And the aforementioned court rulings aren’t wholehearted endorsements of it, either. Judge Carter from the da Silva appeal wrote, “There simply is no review tool that guarantees perfection…. [t]here are risks inherent in any method of reviewing electronic documents.” We tend to agree, and for a couple of important reasons.

First of all, predictive coding is absolutely perfect…for the honest criminal who knows he should go to jail, feels really, really bad about what he did, and wants to make it up to society by gift-wrapping all the incriminating evidence for them. (We’d really like to meet one of those, but we’re also still holding out for proof of unicorns and leprechauns.) More than likely, your tech-savvy criminal is going to want to hide or destroy (spoliate) electronic evidence if he knows he’s been caught, so there’s a good chance he’s going to try to get rid of it or, barring that, to encrypt it. Encrypting electronic evidence is unexpectedly successful against predictive coding, because the software often can’t read encrypted files and won’t list them in search results. The software might have noticed something unreadable was there, but it’s probably not going to tell you about it. And sometimes, your really tech-savvy criminal will be able to remove evidence and leave only an indicator that something was deleted. Unfortunately, your predictive coding software isn’t going to find that, either.

In addition to encryption and deletion, there’s also the option to simply hide the stuff you don’t want the lawyers to find, and predictive coding software won’t always see it. For instance, there’s something called alternate data streams, which allow you to hide a document within the structure of another document. Your software might find the outer “shell” document, which is a flier for the homeless shelter where you’ve been volunteering twice a week, but it won’t see the embedded document, creatively titled “My Scheme to Take Over the World.” For the especially devious, there’s also the option of hiding documents in completely unrelated file formats (steganography) – like hiding a document in an image file. Once again, predictive coding will find the picture, but not what’s hidden within it.
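The two paragraphs above make the same point from the examiner’s side: a review tool that silently skips what it cannot read leaves the encrypted or wrapped items unexamined. As an added example (not from the original post or any vendor’s product), here is a small triage script that measures how “unreadable” each item is and flags the ones that need a human examiner rather than keyword review. It also handles one trap: base64 (ASCII-armored) ciphertext looks far less random than the raw bytes, so it decodes armor before measuring. The entropy threshold and the sample corpus are constructed assumptions.

```python
import base64
import math
import os
from collections import Counter

# Assumption: raw ciphertext or compressed data sits near 8.0 bits/byte,
# while natural-language text sits well below 5.0.
OPAQUE_THRESHOLD = 7.5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def unwrap_armor(data: bytes) -> bytes:
    """If the payload is PGP-style ASCII armor, return the decoded body.
    Base64 caps entropy near 6 bits/byte, which would keep armored
    ciphertext under the threshold; measuring the decoded bytes avoids that."""
    lines = data.splitlines()
    if lines and lines[0].startswith(b"-----BEGIN") and lines[-1].startswith(b"-----END"):
        # Skip armor headers ("Version: ...") and blank lines; base64 never contains ':'.
        body = b"".join(l for l in lines[1:-1] if l and b":" not in l)
        try:
            return base64.b64decode(body, validate=True)
        except ValueError:
            return data  # not valid armor after all; measure as-is
    return data

def triage(name: str, data: bytes) -> dict:
    """Classify one item as 'readable' (fit for keyword/predictive review)
    or 'opaque' (encrypted or compressed; route to a human examiner)."""
    h = shannon_entropy(unwrap_armor(data))
    return {"name": name, "entropy": round(h, 2),
            "verdict": "opaque" if h >= OPAQUE_THRESHOLD else "readable"}

# Constructed sample corpus (not real evidence): a plain-text memo, a raw
# ciphertext-like blob, and the same blob wrapped in ASCII armor.
_blob = os.urandom(3000)
SAMPLES = {
    "memo.txt": b"Hi Bob, please move the funds to the holding account before "
                b"the auditors arrive on Monday. Thanks, John\n" * 40,
    "backup.bin": _blob,
    "note.asc": b"-----BEGIN PGP MESSAGE-----\nVersion: constructed\n\n"
                + base64.encodebytes(_blob) + b"-----END PGP MESSAGE-----\n",
}

def triage_corpus(samples=SAMPLES) -> dict:
    """Map each item name to its verdict, e.g. {'memo.txt': 'readable', ...}."""
    return {name: triage(name, data)["verdict"] for name, data in samples.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

Items flagged “opaque” are exactly the ones the paragraph above says the review software would notice but not report, so they become the examiner’s manual work queue.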

And, last but not least, there’s the issue that some criminals are intimately familiar with predictive coding software, and they know how to defend themselves against it (anti-forensic technology). It’s the reason why you may not want to put one of those “Protected by ADT” signs in your front yard if you have an ADT home security system – if you’re targeted by a criminal who used to work for ADT and knows how to get around it, there’s a good chance he’ll rob you blind, expensive security system or no. If predictive coding technology is ruled legally sufficient for all methods of electronic discovery, criminals will be able to accurately predict the methods which will likely incriminate them, and they can learn how to avoid them. It’s much more difficult for a criminal to know the methods of examination and analysis that, say, a forensic investigator would use, because he’ll use a wider range of tools (some of which use predictive coding, and some of which don’t).

Are we trying to start a blood-feud with all advocates of predictive coding technology? Not at all. We think predictive-coding tools are great, but people are often quick to assume that they can replace the whole toolbox. So what method has the efficiency of predictive coding without losing the intelligence and problem-solving abilities of a human examiner? As you’ve probably guessed, we say that nothing can beat a forensic computer investigator. The right investigator has experience, certifications, the “imagination” to think of outside-the-box solutions, a thorough knowledge of the capabilities of hardware and software, expertise in a wide range of popular and lesser-known investigation tools, and the ability to put himself in the shoes of another computer expert. Best of all, you never have to pay to download his newest update. You can find the one we recommend here.
