Forensic Examinations with Protective Orders

By Greg Kelley, CTO and Founder, Vestige Digital Investigations (BS, EnCE, DFCP)

Quite often we, as digital forensic examiners, are asked to examine computers, cell phones, USB drives or other media that are not owned by our client. Frequently these devices, or at least the data resident on them, belong to an opposing party (or to a third party to the litigation). If the thought of your own forensic examiner looking around your computer makes you cringe, imagine how you would feel with someone else’s forensic examiner looking at it. The purpose of this post is to lay out a method of examination that should alleviate those concerns while still giving the requesting party the access and results to which it believes it is entitled.

When an individual has someone else looking inside their hard drive, server, cell phone, etc., that individual is concerned with a few issues. First, they have confidential information that they want protected. Second, they may have privileged communications that they don’t want the opposing party to see. Third, they may also have personal or otherwise non-relevant information that really doesn’t need to see the light of day. The individual wants these three categories of data protected, yet they must still comply with the requesting party’s desire to see the relevant information contained on their electronic media.

Years ago, Vestige devised a protective order that has since been used in multiple courts. In fact, we have even seen other forensic examiners use our protective order in cases in which we were involved. The protective order has gone through some revisions over time, but its main purpose remains: protect non-relevant, confidential or privileged information while producing that which is relevant.

To understand our protective order, you first need to understand the two basic types of search or analysis that are done on electronic media.

The first type of search is the one with which most people are familiar: the content search. This search applies a search strategy, typically keywords and phrases, to find responsive documents, whether those documents are active or deleted. The search attempts to find emails, spreadsheets, memos, web pages, etc. Its results may well contain data that falls into one of the three protected categories above.

The second type of search really isn’t a search but more of an analysis.  It is what we call an artifact analysis.  This analysis looks to see how a computer is used and may include some or all of the following:

  • USB drives (thumb drives or external hard drives) attached to a computer
  • Data wiping applications installed or used
  • Deletion activity
  • Determination as to when a computer was or was not used
  • Files opened from the local computer or from other electronic media
  • Web searches performed or websites visited
  • Applications that were run
  • When documents were created or modified
  • Document revisions or edit time
  • Hidden files, folders or virtual machines
  • Logins to various secure websites (such as email)
  • Evidence of emails, texts, instant messages or other communication being sent (but not the actual communication itself)
  • Names of documents printed (but not the actual documents themselves)

Given time, I could come up with other artifacts, but you get the point.

The reason for the separation is that the two types of analysis are treated differently in the protective order. While the examiner working under the protective order takes his or her directions from the requesting party, the results of the content analysis are first provided to the producing party. The reason is that the content analysis, as stated above, may contain irrelevant documents that do not need to be produced. It may contain privileged documents which counsel for the producing party may decide to withhold. It may contain confidential information which the producing party may want to designate as such in order to control who has access to those documents.

The protective order specifies the amount of time the producing party has to review the documents before it must produce them to the requesting party. The protective order also instructs the producing party to provide a log of the documents being withheld and the reason each is withheld. The format of that log and the amount of time the producing party has to complete this task vary. The protective order also lays out a process by which the parties may resolve any disagreement as to whether certain documents should be withheld.

Now you may be asking, “well, if I’m the requesting party, how do I know that all documents are accounted for in the production or the log?” That is a really good question. Along with the content production (termed in the protective order the Report of Relevant Content), an abstract is provided to both the requesting and producing parties. The abstract states the date the content was provided and reminds the producing party how long it has to review the content under the protective order. Most important, though, the abstract contains an accounting of the number of documents, by type, delivered for review, as well as the number of pages of any report. So there is the check. When the requesting party receives the production and the log, it counts the number of documents in both and compares that total with the abstract. One can even double-check that the same number of Word, Excel, Acrobat or email documents came back as were delivered for review.
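As an added example (not part of the original post and not Vestige’s own code), here is how the requesting party might automate that reconciliation. The abstract counts, the produced file names and the withheld log below are constructed sample data, and the grouping of file extensions into the Word, Excel, Acrobat and Email types is an assumption chosen to match the document types the post names; a real abstract may count by other categories.

```python
"""Reconcile a Report of Relevant Content production against its abstract.

Added example, not code from the original post or from Vestige. The abstract
counts, the produced file names and the withheld log are constructed sample
data; the extension-to-type grouping is an assumption chosen to match the
document types the post mentions.
"""
from collections import Counter
from pathlib import PurePosixPath

# Assumed grouping of file extensions into the types the abstract counts by.
TYPE_BY_EXT = {
    ".doc": "Word", ".docx": "Word",
    ".xls": "Excel", ".xlsx": "Excel",
    ".pdf": "Acrobat",
    ".msg": "Email", ".eml": "Email",
}

# Constructed sample data: what the abstract says the examiner delivered ...
ABSTRACT = {"Word": 3, "Excel": 1, "Acrobat": 2, "Email": 5}
# ... what the producing party actually produced ...
PRODUCED = [
    "memo_2019-03.docx", "memo_2019-04.doc", "budget.xlsx", "contract.pdf",
    "msg0001.msg", "msg0002.msg", "msg0003.eml",
]
# ... and its log of withheld documents (file name -> reason given).
WITHHELD = {
    "board_minutes.docx": "not relevant",
    "counsel_advice.pdf": "attorney-client privilege",
    "draft_reply.msg": "",          # logged, but no reason stated
}


def doc_type(name):
    """Map a file name to the abstract's document type, 'Other' if unknown."""
    return TYPE_BY_EXT.get(PurePosixPath(name).suffix.lower(), "Other")


def count_by_type(names):
    return Counter(doc_type(n) for n in names)


def reconcile(abstract, produced, withheld):
    """Per-type shortfall: abstract count minus (produced + withheld).

    An empty result means every document the examiner delivered for review
    is accounted for, either in the production or in the withheld log.
    A positive value is a document that appears in neither; a negative value
    means more came back than was delivered (duplicates or a stray file).
    """
    accounted = count_by_type(produced) + count_by_type(withheld)
    types = set(abstract) | set(accounted)
    diffs = {t: abstract.get(t, 0) - accounted.get(t, 0) for t in types}
    return {t: d for t, d in diffs.items() if d != 0}


def missing_reasons(withheld):
    """Withheld-log entries with no stated reason; the order requires one."""
    return sorted(n for n, reason in withheld.items() if not reason.strip())


def listed_twice(produced, withheld):
    """Documents both produced and logged as withheld: a log error."""
    return sorted(set(produced) & set(withheld))


if __name__ == "__main__":
    print("unaccounted for, by type:", reconcile(ABSTRACT, PRODUCED, WITHHELD))
    print("withheld without a reason:", missing_reasons(WITHHELD))
    print("produced and withheld:", listed_twice(PRODUCED, WITHHELD))
```

On the sample data the script reports one email that is in neither the production nor the log, and one log entry with no reason; those are the two questions the requesting party takes back to the producing party under the order’s dispute process. Counting by type is exactly the check the abstract makes possible; it cannot tell you whether the right documents came back, only whether the right number did.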

What about the artifact analysis? That analysis is provided in the Report of Relevant Artifacts. Since that report contains no human-generated content (emails, documents, spreadsheets, etc.) but only computer-generated content (albeit content generated as a result of human interaction), it is produced to both parties at once. One may argue that a website visited or the name of a file, items which may appear in an artifact report, could themselves be subject to protection, but as it stands now the Report of Relevant Artifacts goes to both parties. It will not contain the contents of any email, spreadsheet or document that existed on the electronic media analyzed.

You may be saying, “to be on the safe side, why not produce the artifact analysis to just the producing party for review, as you do with the content?” We made this decision in our protective order at the outset for a few reasons. First, when the most damaging information is reported in the artifact analysis (wiping of data in defiance of a spoliation letter, or evidence of other devices that have not been produced), the producing party may decide to sit on it. Second, the relevance of information in the Report of Relevant Artifacts is in the eye of the beholder: one party may find it completely relevant that someone Googled “how do I clean my hard drive” while the other may not. Third, the artifact analysis should not contain anything privileged or confidential, so why delay its production to the party seeking that information?

Some changes we made to our protective order over time include:

  1. Rolling productions.  Quite often in the world of litigation things are fast paced.  Attorneys and their clients want information fast.  Furthermore, doesn’t it make sense to receive a few thousand documents at a time versus waiting for a giant data dump of tens of thousands of documents?
  2. Description of the acquisition process. Originally, in the early days of digital forensics and cyber investigation, people were unsure of the process that a forensic examiner may take to make a forensic image.  Therefore we felt the need to describe the different methods.  Today, there are more methods to preserve data from electronic media than I have t-shirts in my closet (trust me, ask my wife, I still have t-shirts from the 90s).  So today the protective order simply states that industry standard procedures will be followed to make the forensic copy.

So there you have it, an explanation of our protective order in a nutshell and the reasoning behind it.  The protective order is often tweaked here or there but the main purpose still exists.  Protect the producing party’s data while providing the requesting party access to the information that they feel they have a right to see in discovery.

by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations