Computer Forensics & E-Discovery Specialist : Electronic Evidence Retrieval L.L.C. : Data Recovery, Hard Drive Retrieval, Deleted Files : New Orleans, Louisiana

Interactive data  is a technique for allowing readers to find key elements in a report quickly and easily.  It works by inserting tags around relevant data items; the user can then search for the tagged data.

The SEC recently recognized two issues in financial reporting: 1) financial reports are hard to read and specific data are hard to find and 2) it is costly for organizations to generate their publicly financial report from their massive internal systems.

To address both problems in May 2008 the SEC unanimously voted to require all "…all U.S. companies to provide financial information using interactive data beginning next year for the largest companies, and within three years for all public companies."

Why do we care?  From a forensic point of view, this raises many questions.  Can the tags carry information about their source?  If they do, such data may be used to try to hack into computer systems, or to gain confidential information.  Certainly any forensic investigation of these documents or the companies that produce them will be easier.  Can companies knowingly or inadvertently mistag data and mislead the reader?

If requiring interactive data becomes a trend, will courts require electronic filings to use interactive data?  Only time will tell.

• Email This
• Print
• Comments & Questions
• Trackbacks

The first step in a forensic investigation, and in some e-discovery responses, is to get a copy of the hard drive(s) and other storage devices that may have the data you are looking for or that is responsive to discovery requests.  But using Windows' traditional "Copy and Paste" isn't forensically valid.

First of all,  starting the computer alters what's stored on it.  The copy process itself will alter the evidence (changing the metadata and dates)…and there goes your chain of custody.  Furthermore, Windows keeps all sorts of little "pockets" of information that the typical user can't see but that may contain valuable evidence.  The copy procedure doesn't gather all these little "goodies."

A valid forensic image or just image is an exact, bit-by-bit copy of the storage device including all the little goodies.  The forensic software that creates such images bypasses the operating system, accesses all the locations where the operating system hides data, and uses a mathematical procedure to start and assure the chain of custody.  From that point on, the analysis is done on the image, again with software that assures chain of custody.

An image is sometimes called a "mirror,"  but I urge clients to avoid that term because it has two different connotations  The confusion has caused at least 2 clients unnecessary time and expense with prior consultants.

Who should make a valid forensic image?  You need a trained forensic specialist with the proper hardware and software tools to make an image.  Special hardware is needed to keep the operating system from making any changes to the original data, thereby preserving the original evidence. Forensic software is needed to bypass the operating system (to get the goodies) and assure chain of custody.  It is human nature to ask the IT department to come in and take a look.  No one wants to make false accusations.  But that "looking around" can destroy the very evidence that you are seeking.  One attorney who has retained me several times says to his clients, "Shut down and get Johnette in there!"

How long does it take?  The time required to make an image is dependent on the size of the device.  But generally speaking, it requires hours not days or weeks.  Fortunately, there is new technology that allows us to make images of servers while they are in use, thereby disrupting business as little as possible.

In another post I'll talk about the objections opposing counsel are likely to make and how you can address them.  If you have had experiences with making or using images, please post a comment on your experiences.  There is always more to learn.

• Email This
• Print
• Comments & Questions
• Trackbacks (1)

In trademark infringement litigation (Autotech Techs. Ltd. P’ship v. Automationdirect.com, Inc., 248 F.R.D. 556 (N.D. Ill. 2008)), Autotech produced a document, "EZTouch File Structure," and included three items:

1. A .pdf version of the document
2. A paper version of the document
3. A revision history detailing all changes since the document's inception

After reviewing the production, the defendant then asked for the EZTouch document in its native format so that the metadata would be available.  They claimed to be able to determine when the document was created, when modified, and when designated "confidential."

The judged ruled that the .pdf and paper versions were sufficiently usable and pointed out that they had not previously asked for metadata.

The metadata may have not been useful for determining when it was marked confidential anyway.  If the document was written in Microsoft Word and only the content changed, the metadata would not show the change to confidential. 

So in crafting discovery requests, be clear.  Know what kinds of metadata are available in the applications you know, or suspect, the opposition has.  Include it in your discovery requests.

• Email This
• Print
• Comments & Questions
• Trackbacks

Most people have had the experience of trying to open a document with a .pdf extension and having their application say "Cannot open document, does not begin with pdf."  That happens because all applications keep information about the document within the document itself.  Such metadata may tell a lot about you, how you work, and even about your clients or friends.

In actuality, there are two kinds of metadata: that kept by the operating system and that kept by the applications themselves, such as Word and WordPerfect.  The system metadata includes the original author and various dates.  You can usually see all this type of metadata by right-clicking on the document and looking at the properties.

Microsoft Word, in versions prior to 2007, keeps information about the last 10 times a document was saved including the document name and directory structure.  Suppose you use a boilerplate document and modify it for each client.  If you then save it with the client name as part of the file name, the metadata will record that information and reveal the names of past clients for whom you have used this boilerplate.

It is surprisingly easy to see the metadata in a Word document.  From inside Word, choose open and for the file type, choose "Recover Text From Any File" in the pull-down menu at the bottom of the window.  All the metadata will appear at the bottom of the document.  To get rid of Word metadata, convert to the .pdf format.  Or, save as .rft format; reopen in Word; and save in a .doc format.  With either technique, the system metadata will be retained, but the Word-specific metadata will be gone.

If you are emailing Word documents to colleagues and clients, take care!

• Email This
• Print
• Comments & Questions
• Trackbacks (2)