Computer Forensics - Why it Makes Sense
March 9, 2011
Presented by: Craig Reinmuth CPA, CFF, MST, EnCE
President, Expert Insights, P.C. Scottsdale, AZ
(480)443-9064 www.expertinsights.net
Friday, January 04, 2013 Gammage & Burnham P.L.C.
Overview
• Distinguish “E-discovery” from “Computer Forensics”
• Using CF in every stage of litigation process
• Benefits of Pursuing/Risks of Not Pursuing CF
• How to Convince Your Clients to Use CF
• Where to Look: Computer forensics is now “Digital” Forensics
• Case examples throughout
ESI Build Up – Recent Landmark Cases
• Zubulake – “Virtually all cases involve the discovery of electronic data”; attorneys to educate their clients on e-discovery
• Qualcomm – Attorneys also face sanctions; risked losing license/livelihood
• Pension Committee of U of Montreal defining “negligence” for purposes of sanctions
• 323 e-discovery decisions in 2010 (including every Federal District) *
* Based on year-end study by Gibson Dunn
93% of information is created on computer
Litigation Support Services
E Discovery
• Legal hold, collection and preservation
– Preserve in place
– Collect to preserve
– Preserve data integrity
– Provide metadata
• Processing
– Filter
– De-duplication
– Decompressing compound files
– Decryption
– Exclude known files
– Provide documents within timeframes, file types
– Provide documents containing certain search terms
– Indexing
– Hashing
– Delivering in a chosen review platform (e.g. Summation)
• Review
– Hosting/prepare for attorney review
Computer Forensics (Beyond E-Discovery)
• Recover/analyze deleted files; search unallocated space
• Uncover spoliation
• Detect use of external devices/USB history logs
• File signature/renaming
• Determine user intent/Timeline analysis
• Review “restore points”
• Documents printed/when
• Programs – when run
• Operating system changes
• CD Burning Activity
• Internet Browsing History
• Recent files
• Recover web-based email
• Social Networking data
• On-line chatting data
• All ESI (cell phones, PDA, etc)
Sample USB Report
November 4, 2010 Arizona State Bar
Case Example – Without Digital Forensics
7/14 (evening) Human Resource Department receives email from EE indicating he/she wants to meet with boss the next day
7/15 Terminates employment
Timeline with Computer Forensics
6/6 Warm fuzzies re: business r/ship (gmail)
6/11 Go to social event together (gmail)
6/15 Forwards resume to competitor (gmail)
6/17 Competitor invites EE to meeting on 6/19 (gmail)
6/19 EE attends meeting at competitor office (gmail)
6/20 (Sat) Install 1TB Backup storage device (USB)
6/20 Accesses company projects on server (recent)
6/20 (eve) Accesses company projects on server (recent)
6/20 (eve) Goes to Google documents account (cookie)
6/21 Apple computer in EE possession (deleted email)
6/22 Proprietary project files sent to competitor (gmail)
Timeline with Computer Forensics (continued)
6/22-6/28 Employment negotiations (gmail)
6/25 EE connects USB thumb drive in LT (USB)
6/25 EE accesses server/files from home laptop (recent)
7/8 EE connects card reader for first time (USB)
7/8 Empties trash (recover deleted files)
7/14 (evening):
– EE connects same backup drive to laptop (USB)
– EE accesses project files from server (recent)
– Email indicating EE wants to meet with boss (gmail)
– EE communicating with b/friend re: computer on BB (phone)
– EE accesses web mail account; forwards “opportunities” file (internet activity)
7/15 Terminates employment (from client)
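The timeline above is built by merging events recovered from separate artifact sources (USB history, recent files, web mail) into one chronology. The following is an added example, not part of the original presentation, that merges a subset of the slide's events and flags the days on which an external device and server file access coincide. The year, the source tags and the function names are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date
import heapq

# Assumption: the slides give month/day only. 2009 is used because 6/20/2009
# falls on a Saturday, which matches the "(Sat)" note on the slide.
YEAR = 2009

def ev(month, day, source, text):
    return (date(YEAR, month, day), source, text)

# Constructed per-artifact event lists, transcribed from the case-example slides.
USB = [ev(6, 20, "usb", "1TB backup storage device installed"),
       ev(6, 25, "usb", "USB thumb drive connected"),
       ev(7, 8, "usb", "card reader connected for first time"),
       ev(7, 14, "usb", "same backup drive connected to laptop")]
RECENT = [ev(6, 20, "recent", "company projects accessed on server"),
          ev(6, 25, "recent", "server files accessed from home laptop"),
          ev(7, 14, "recent", "project files accessed from server")]
GMAIL = [ev(6, 15, "gmail", "resume forwarded to competitor"),
         ev(6, 22, "gmail", "proprietary project files sent to competitor"),
         ev(7, 14, "gmail", "email asking to meet with boss")]

def build_timeline(*sources):
    """Merge already-sorted per-source lists into one chronological timeline."""
    return list(heapq.merge(*sources, key=lambda e: e[0]))

def device_with_file_access(timeline):
    """Return the days on which both a USB event and a recent-file event appear."""
    by_day = defaultdict(set)
    for day, source, _ in timeline:
        by_day[day].add(source)
    # 7/8 is not returned: a card reader was connected but no server access is recorded.
    return sorted(d for d, seen in by_day.items() if {"usb", "recent"} <= seen)

if __name__ == "__main__":
    timeline = build_timeline(USB, RECENT, GMAIL)
    for day, source, text in timeline:
        print(f"{day:%m/%d} [{source:6}] {text}")
    flagged = device_with_file_access(timeline)
    print("review first:", [f"{d:%m/%d}" for d in flagged])
```

No single source shows the pattern on its own; it only appears once the per-artifact lists share one time axis.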
Defense Side Computer Forensics
• Is your client telling you “the whole truth”
• Be Proactive
• Up-front strategy
• Information on your clients’ computer they did not put there
• Assist with demands of opposition
• Turn claims into counter claims
• Working knowledge of case law
• Rebuke opposing experts’ credentials/methodology/findings
• Deposition line of questioning
Computer Forensics is now Digital Forensics
Smartphones (Blackberry, Droid, iPhone)
On the Device
• Call logs
• Text/Instant messaging
• Pictures
• SIM card information
• Emails and attachments (e.g. Outlook)
• Phone directories
• Internet history
• GPS tracking
Other items uncovered
• Remote access programs (e.g. Log Me In, VNC, Homepipe)
• Web based email – specific providers
• Where else to go to get info
Cellphones and Pictures
iPhone GPS Tracking
GEO Logging – GPS tracking
Get Head Into the Clouds!
Cloud Computing
Cloud Computing Tools
MyDropbox MegaUpload
Docs.google Yousendit
Skydrive Idiskme
4shared Carbonite
Box.net ibackup
Mozy My account
Streamload Idrive
Drop.io Kineticd
Livedrive Datadepositbox
sugarsync Flipdrive……
HomePipe Remote Access
Social Networking Obtainable Data
Computer Forensics in Each Stage of Litigation Process
Case Strategy
• Data preservation
• Identify Electronic Evidence Sources
• Assist with Cost/Benefit Discussions with Clients
• Interrogatory assistance
• Avoid Exposure to Sanctions
• For defense, view what is/is not on computer
• TRO
Discovery
• Attend Meet and Confer
• Types of Electronic Evidence to Request
• Secure Collection & Preservation
• Detect use of Storage Devices/Data Downloads
• Motion to Compel
• Opposing Expert – Deposition/Rebuke Findings
• Attend meetings with Judge
Analysis
• Getting all data needed to represent client
• Determine user intent
• Restoration of Deleted Files
• Review all relevant ESI
• Printing/burning activity
• Internet activity
• Spoliation of Evidence
Testimony
• Defendable Reports
• Understandable Testimony
• Integrity of Data
• Vulnerability Assessment
• Opposing Expert Cross Examination
• Prior Experience Reputation
• Knowledge of case law
How to Convince Your Clients to Use Computer Forensics
• Zubulake – “Virtually all cases involve the discovery of electronic data”
• Getting the data needed to properly represent your clients
• Enhance Chances for Winning
• Avoid exposure to sanctions (at client and attorney level)
• Case dismissal potential
• Professional fees potentially paid
• Potential for turning claims into counterclaims
Summary
• ESI/E-discovery/Computer Forensics are here to stay
• Benefits of pursuing can far outweigh risks of not
• Should be considered in all types of litigation (including Defense) and at every stage
• Consider all locations for computer/digital information
• The technological world continues to evolve
– Smartphones are mini-computers and data sometimes does not go any further than palm of the hand
– Cloud computing is here to stay and will grow in size
• Recall example presented and the types of information that can only be obtained via computer/digital forensics
Expert Insights
Dependable
Defensible
February 12, 2011