Archive for the ‘Electronic Discovery’ Category

I have seen the future of Electronic Discovery

Friday, July 23rd, 2010

Today I was having a discussion with someone who manages in-house Electronic Discovery for a large firm, and for pretty much the first time, I laid out my take on where eDiscovery will go over the next 5 years. Like many practitioners of the digital evidence field, I’m well acquainted with the Electronic Discovery Reference Model (EDRM) and I was looking at how this firm used 2 different products to deal with eDiscovery. One was CT Summation, and the other was a well-respected eDiscovery tool. The big issue with most ED tools is that they don’t remotely cover all 9 parts of the EDRM model. The tool that this firm was using only covers the middle parts: Processing, Review, Analysis and Production. It doesn’t help you manage your information, nor identify sources of potentially relevant data, nor help you perform a litigation hold, nor a collection.

The future of eDiscovery is a single end-to-end solution and if I had to bet, the first company to produce such a solution is going to be AccessData. I came to this conclusion based both on discussions I’ve had with friends of mine who work at AD, from which I’ve gleaned some insight into their driving ambition, and on the recent merger of AccessData and CT Summation. (I’d probably categorise it as a buyout rather than a merger since the core management team from AD is running the new AccessData Group.)

I’ve used AccessData software for about 7 years now, and other than a brief period with FTK2 being RS (that’s an old army expression for basically unusable) AD is the clear leader in the development of the technology of digital evidence. From the point of view of the EDRM, AD’s toolset covers everything from litigation hold to production. But my prediction is that the next big thing in eDiscovery will address that nebulous far left part of EDRM: Information Management.

The big thing for corporations with a substantial involvement in litigation (any company that has deep enough pockets to be a target) will be a 2 part eDiscovery focused IM feature.

Part 1 will be real time indexing. Under current methodologies, indexing usually happens after identification of potential sources, either after the collection as part of the processing phase, or as part of a quasi-live collection effort, albeit with a delay between pushing the indexing agent out to the custodian and the completion of the indexing to pre-qualify data for collection.

Part 2 will be an implementation of reasonable retention policies. Many cases where sanctions occur could have been avoided if the offending party had established reasonable retention policies, and followed them, or where a retention policy in implementation didn’t protect against accidental destruction of data from regular processes. This implementation will ensure that data is held for the requisite time by either restricting untimely deletion, or by reminding the user of their obligations prior to permitting an early delete and logging the exception. This 2nd part can also be combined with the preservation function by allowing additional retention rules to go into effect upon receipt of a litigation hold, such as extending the retention period globally, or extending retention on a class of data (email, docs) or a source of data (specific users) and/or raising the security level required to delete files.
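To make the Part 2 rules concrete, here is an added sketch (not code from any AccessData product or from this post) of how a delete request could be evaluated against a baseline retention period plus litigation-hold rules scoped globally, by class of data or by custodian. The retention periods, role names and record fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed baseline: days each class of data must be kept (assumed values).
BASE_RETENTION_DAYS = {"email": 365, "docs": 730}
ROLE_LEVEL = {"user": 1, "records_manager": 2, "legal": 3}  # hypothetical roles

@dataclass
class Hold:
    """One litigation-hold rule. A scope field left as None matches everything."""
    matter: str
    data_class: Optional[str] = None   # class of data, e.g. "email"
    custodian: Optional[str] = None    # source of data, e.g. one user
    extra_days: int = 0                # extension to the retention period
    min_role: str = "user"             # security level required to delete

    def covers(self, rec):
        return (self.data_class in (None, rec["data_class"])
                and self.custodian in (None, rec["custodian"]))

def evaluate_delete(rec, role, today, holds, acknowledged, log):
    """Decide one delete request: 'deny', 'remind' or 'allow'."""
    active = [h for h in holds if h.covers(rec)]
    days = BASE_RETENTION_DAYS[rec["data_class"]]
    days += max((h.extra_days for h in active), default=0)
    needed = max((ROLE_LEVEL[h.min_role] for h in active), default=1)
    keep_until = rec["created"] + timedelta(days=days)

    if ROLE_LEVEL[role] < needed:          # hold raised the bar to delete
        log.append(("denied", rec["id"], role, [h.matter for h in active]))
        return "deny"
    if today >= keep_until:                # retention period has run
        return "allow"
    if not acknowledged:                   # remind before an early delete
        return "remind"
    log.append(("early_delete_exception", rec["id"], role, keep_until.isoformat()))
    return "allow"

# Constructed sample data.
RECORD = {"id": "msg-1", "data_class": "email", "custodian": "alice",
          "created": date(2009, 1, 5)}
HOLDS = [Hold("matter-A", data_class="email", extra_days=730, min_role="legal")]

if __name__ == "__main__":
    audit = []
    for role, ack in [("user", False), ("legal", False), ("legal", True)]:
        print(role, ack, evaluate_delete(RECORD, role, date(2010, 7, 23), HOLDS, ack, audit))
    print(audit)
```

The audit list is what would later show that a deletion was either blocked or made knowingly, which is the record a party wants when its retention practice is questioned.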

So those are my thoughts. I’d be interested to hear feedback and I’ll try to raise some discussion at some digital evidence forums I frequent.

Free e-discovery seminar on Metadata

Friday, July 31st, 2009

Patrick Computer Forensics Inc. is offering a free electronic discovery / computer forensics seminar for attorneys and their staff in Memphis. This half hour presentation is entitled “Metadata, what is it, and how does it win cases?”. As well as explaining metadata in easy to understand terms, the seminar will show examples of sources of metadata, and case studies where metadata was pivotal.

North Carolina licensing of Computer Forensic Examiners (result)

Sunday, April 19th, 2009

Larry Daniels has reported via the ForensicFocus forums that North Carolina will now exempt forensic computer examiners from licensing in North Carolina. That’s 2 good results in the same week.

Montana Computer Forensic Examiner – PI Licensing

Monday, April 13th, 2009

A win for sanity today when the Montana legislature passed HOUSE BILL NO. 354. Refer to section 3(k). This new bill exempts those who perform forensic examination in Montana from licensing as a private investigator, so this is wider than just exempting those in the digital evidence field.

Jimmy Weg, of the Montana DCI, who assisted with the bill (independently, in regard to his private practice), “offered to work with the licensing agency if they feel that a separate licensing scheme for Computer Forensic Examiners is necessary.” However, concerning criminal matters, Weg says he “is unaware of any forensics-certified examiners in MT who do criminal defense work, so the implications of PI licensing could have a chilling effect on the ability of defendants to obtain qualified assistance”.

Hopefully the Montana legislation can be used to help other state legislatures in the crafting of their PI licensing requirements as they affect the forensics field.

North Carolina licensing of Computer Forensic Examiners (update)

Thursday, April 9th, 2009

I’ve just been informed that the hearing on Bill S584 is now calendared for Thursday April 16. It has been changed a couple of times already, so consider this subject to change.

North Carolina licensing of Computer Forensic Examiners

Wednesday, April 8th, 2009

Yesterday was supposed to be the reading and feedback day for the North Carolina bills to require licensing of Computer Forensic and Electronic Discovery professionals. Essentially, they plan to lump our profession in with Security Guards and gumshoes.

My colleagues in NC inform me that the reading was canceled due to a conflict with a budget hearing. Initial reports indicated tomorrow Thursday April 9th as the day, but the most recent advice I’ve received is that it won’t be tomorrow and will more likely be next week.

Senator Fletcher Hartsell coordinates the presentation of bills in the Senate Judiciary Committee. His office number is (919) 733 7223.


As I indicated in my FAQ page, the American Bar Association is against licensing of Computer Forensics professionals as Private Investigators. Joe Howie wrote a great piece called “Impact of State Licensing of Private Investigators on Digital Forensics” in the ABA’s Law Technology Today journal, June 2008 edition.

He does a great job of differentiating Computer Forensic Examiners from PIs. (He refers to them as Digital Forensic Examiners or DFEs.)

First he addresses the methods PIs use to obtain evidence:

When a client hires a private investigator (“PI”) to investigate a third-party or a specific incident, the PI may employ various means, none of which will involve giving the third-party the right to be present, telling the third party that the investigation is underway or telling the subject of the investigation the names of those being contacted. In an undercover or clandestine investigation the PI may talk with or record the subject or make observations regarding the subject at the subject’s home, place of business or worship, or while engaged in civic or associational activities, all without notifying the subject that his or her discussions or actions are being noted for possible use later on.

Then he differentiates Computer Forensic Examiners:

Digital forensics and litigation support can both involve the gathering, analysis and presentation of data that is secured with the full knowledge and consent of the owner of the data or of data that was obtained pursuant to judicial process where the owner of the data was aware of the inquiry and had the opportunity to raise any objections or concerns in a court of law prior to producing or making the data available.

The major difference between how I operate, and how a PI operates is that I always operate either with the consent of the owner of the computer systems, or under a court order which the owner is aware of. I have not performed a covert acquisition since my early days with the police, and I have no intention of doing one as a non-government examiner.

N.B. No disrespect is intended to PIs and Security Guards. You perform a valuable service. It’s just that requiring a PI license for a Computer Forensic Examiner is like requiring an Aviation Mechanic to have a pilot’s license.