Archive for July, 2010

I have seen the future of Electronic Discovery

Friday, July 23rd, 2010

Today I was having a discussion with someone who manages in-house Electronic Discovery for a large firm, and for pretty much the first time, I laid out my take on where eDiscovery will go over the next 5 years. Like many practitioners of the digital evidence field, I’m well acquainted with the Electronic Discovery Reference Model (EDRM) and I was looking at how this firm used 2 different products to deal with eDiscovery. One was CT Summation, and the other was a well respected eDiscovery tool. The big issue with most ED tools is that they don’t remotely cover all 9 parts of the EDRM model. The tool that this firm was using only covers the middle parts: Processing, Review, Analysis and Production. It doesn’t help you manage your information, nor identify sources of potentially relevant data, nor help you perform a litigation hold, nor a collection.

The future of eDiscovery is a single end-to-end solution and if I had to bet, the first company to produce such a solution is going to be AccessData. I came to this conclusion based both on discussions I’ve had with friends of mine who work at AD, by which I’ve gleaned some insight into their driving ambition, and also by the recent merger of AccessData and CT Summation. (I’d probably categorise it as a buyout rather than a merger since the core management team from AD is running the new AccessData Group.)

I’ve used AccessData software for about 7 years now, and other than a brief period with FTK2 being RS (that’s an old army expression for basically unusable) AD is the clear leader in the development of the technology of digital evidence. From the point of view of the EDRM, AD’s toolset covers everything from litigation hold to production. But my prediction is that the next big thing in eDiscovery will address that nebulous far left part of EDRM: Information Management.

The big thing for corporations with a substantial involvement in litigation (any company that has deep enough pockets to be a target) will be a 2 part eDiscovery focused IM feature.

Part 1 will be real time indexing. Under current methodologies, indexing usually happens after identification of potential sources, either after the collection as part of the processing phase, or as part of a quasi-live collection effort, albeit with a delay between pushing the indexing agent out to the custodian and the completion of the indexing to pre-qualify data for collection.

Part 2 will be an implementation of reasonable retention policies. Many cases where sanctions occur could have been avoided if the offending party had established reasonable retention policies, and followed them, or where a retention policy in implementation didn’t protect against accidental destruction of data from regular processes. This implementation will ensure that data is held for the requisite time by either restricting untimely deletion, or by reminding the user of their obligations prior to permitting an early delete and logging the exception. This 2nd part can also be combined with the preservation function by allowing additional retention rules to go into effect upon receipt of a litigation hold, such as extending the retention period globally, or extending retention on a class of data (email, docs) or a source of data (specific users) and/or raising the security level required to delete files.
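The deletion gate described in Part 2, sketched in Python as an added example (not code from this post or from any AccessData product). The class names, the sample retention periods and the rule that a matching litigation hold always blocks early deletion are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BASE_RETENTION_DAYS = {"email": 365, "docs": 730}  # constructed sample policy

@dataclass
class Item:
    name: str
    data_class: str   # "email" or "docs"
    custodian: str    # user who owns the data
    created: date

@dataclass
class Hold:
    extra_days: int = 0               # extension of the retention period
    data_class: Optional[str] = None  # None: every class of data
    custodian: Optional[str] = None   # None: every user (global hold)
    min_level: int = 0                # security level required to delete

    def matches(self, item: Item) -> bool:
        return (self.data_class in (None, item.data_class)
                and self.custodian in (None, item.custodian))

class RetentionGate:
    def __init__(self, holds=(), strict=True):
        self.holds, self.strict, self.log = list(holds), strict, []

    def request_delete(self, item, user_level, today, acknowledged=False):
        holds = [h for h in self.holds if h.matches(item)]
        days = BASE_RETENTION_DAYS[item.data_class] + max(
            (h.extra_days for h in holds), default=0)
        if user_level < max((h.min_level for h in holds), default=0):
            decision = "denied: security level"
        elif today >= item.created + timedelta(days=days):
            decision = "allowed"
        elif self.strict or holds:
            # Assumption: a matching hold always blocks early deletion.
            decision = "denied: retention period"
        elif not acknowledged:
            decision = "reminder"   # user must confirm their obligations
        else:
            decision = "allowed: logged exception"
        # Every request is logged, so exceptions and refusals are auditable.
        self.log.append((today.isoformat(), item.name, item.custodian, decision))
        return decision
```

With `strict=False` and no hold in force, the first early request returns `reminder` and the repeat with `acknowledged=True` is permitted and recorded as an exception.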

So that’s my thoughts. I’d be interested to hear feedback and I’ll try to raise some discussion at some digital evidence forums I frequent.

IACIS votes to open Certified Forensic Computer Examiner to the public

Thursday, July 22nd, 2010

The official announcement is here. There will be a requirement to pass a background check as part of the application process.

I made a post on Forensic Forums about this and I’m answering some questions there as well.