
E-Discovery and Digital Forensics in the Cloud

E-Discovery and Digital Forensics in the Cloud. By Amelia Phillips, Chair, Pure & Applied Science Division, CIS and Computer Science Departments, Highline Community College. Objectives: define the Cloud; digital forensics vs. e-discovery; how does e-discovery differ from digital forensics?


Presentation Transcript


  1. E-Discovery and Digital Forensics in the Cloud By Amelia Phillips, Chair, Pure & Applied Science Division, CIS and Computer Science Departments, Highline Community College

  2. Objectives • Define the Cloud • Digital Forensics vs. E-Discovery • How does e-discovery differ from digital forensics? • Can forensics software be used to teach e-discovery? • What happens when the “cloud” enters the picture? • What laws, policies, etc. affect how you approach e-discovery and digital forensics in the cloud? • AWS – an inexpensive approach • An E-Discovery / Digital Forensics Curriculum • Summary

  3. Basic Framework Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

  4. Definition • Five Essential Characteristics • Three Service Models • Four Deployment Models

  5. Five Essential Characteristics • On-demand self service • Broad network access • Resource pooling • Rapid elasticity • Measured Service

  6. The Cloud as Defined by NIST • Three Service Models • SaaS • PaaS • IaaS • Four Deployment Models/Methods • Private • Public • Community • Hybrid

  7. Models and Methods

  8. Define Digital Forensics • The application of forensic techniques to collect and analyze digital information • May be used for civil, criminal, or administrative investigations • May be inculpatory or exculpatory

  9. Define E-Discovery • The process of applying the traditional legal discovery process to electronic evidence • Discovery is the compulsory disclosure of data, facts and documents in civil and criminal cases. • Electronic evidence encompasses any electronically stored information (ESI) • Civil, criminal, bankruptcy cases

  10. Whose Perspective?

  11. Four General Perspectives • The legal expert, an attorney or a paralegal who understands the law but may or may not have been exposed to e-discovery or digital forensics • The e-discovery expert who comes from a corporate perspective. • The digital forensics expert who understands forensic standards and software and the procedures involved. • The IT expert who knows where things are stored on the OS and NOS but may have no (or very limited) legal knowledge

  12. Digital Forensics Tools • EnCase • AccessData’s FTK • ProDiscover • X-Ways • SleuthKit / Autopsy • Variety of others

  13. AccessData’s FTK

  14. Showing Header Info

  15. An Effective Digital Forensics Tool • Create a forensically sound device image • File hashing • Searches (DTSearch) • Data carving • Deleted files, file fragments • Registry information, logs, encryption, metadata • Activity Logging

  16. E-Discovery Tools • Concordance • Discovery Assistant by IMAGEMaker • @LegalDiscovery • Catalyst CR • AD Summation iBlaze • Nextpoint Discovery Cloud • Sherpa Software Discovery Attender • And more

  17. An Effective E-Discovery Tool • Searches (DTSearch) • De-duping • Convert data/documents to TIFF or PDF • OCR for indexing • Bates Numbering for tracking • Exporting • Activity Logging
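Slides 15 and 17 list file hashing, de-duping, Bates numbering and activity logging as the core features of forensics and e-discovery tools. The following Python script is an added example, not code from the presentation or from any of the tools it names, that shows how those features fit together on a small constructed document set: the same SHA-256 digest that verifies a forensically sound image is used to suppress duplicate ESI, each surviving document gets a sequential Bates number, and every decision lands in an activity log. The sample files, custodian names and the "ACME" Bates prefix are all made up for the demonstration. It goes slightly beyond the slide by offering both global de-duping and per-custodian de-duping, since the choice changes what is produced.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample ESI for the demo: (custodian, file name, content).
# Not taken from the slides; the three copies of "Q3 forecast attached"
# are deliberate so that de-duping has something to suppress.
SAMPLE_ESI = [
    ("alice", "memo.txt", b"Q3 forecast attached"),
    ("bob", "memo_copy.txt", b"Q3 forecast attached"),
    ("bob", "notes.txt", b"meeting notes"),
    ("carol", "memo.txt", b"Q3 forecast attached"),
]


def sha256_hex(data: bytes) -> str:
    """Hash used both for image verification and for de-duping."""
    return hashlib.sha256(data).hexdigest()


def verify_image(acquisition_hash: str, image_bytes: bytes) -> bool:
    """A forensically sound image is accepted only if the hash computed
    after acquisition matches the hash recorded at acquisition time."""
    return sha256_hex(image_bytes) == acquisition_hash


class ActivityLog:
    """Minimal append-only activity log so every de-dupe and numbering
    decision is recorded with a UTC timestamp."""

    def __init__(self):
        self.entries = []

    def record(self, action: str, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action}
        entry.update(details)
        self.entries.append(entry)


def dedupe_and_bates(items, prefix="ACME", start=1, width=6,
                     scope="global", log=None):
    """De-duplicate by content hash and assign sequential Bates numbers.

    scope="global": one copy of each document survives across all custodians.
    scope="custodian": a duplicate is suppressed only within the same
    custodian, so each custodian keeps one copy.
    Returns (productions, duplicates) as lists of plain dicts.
    """
    if scope not in ("global", "custodian"):
        raise ValueError("scope must be 'global' or 'custodian'")
    seen = {}          # de-dupe key -> Bates number of the surviving copy
    productions = []
    duplicates = []
    counter = start
    for custodian, name, content in items:
        digest = sha256_hex(content)
        key = digest if scope == "global" else (custodian, digest)
        if key in seen:
            dup = {"custodian": custodian, "file": name,
                   "sha256": digest, "duplicate_of": seen[key]}
            duplicates.append(dup)
            if log:
                log.record("dedupe_suppressed", **dup)
            continue
        bates = f"{prefix}{counter:0{width}d}"   # e.g. ACME000001
        counter += 1
        seen[key] = bates
        prod = {"bates": bates, "custodian": custodian,
                "file": name, "sha256": digest}
        productions.append(prod)
        if log:
            log.record("bates_assigned", **prod)
    return productions, duplicates


if __name__ == "__main__":
    log = ActivityLog()
    prods, dups = dedupe_and_bates(SAMPLE_ESI, log=log)
    for p in prods:
        print(p["bates"], p["custodian"], p["file"])
    print(f"{len(dups)} duplicate(s) suppressed, {len(log.entries)} log entries")
```

With the default global scope only two documents are produced (ACME000001 and ACME000002) and the two later copies of the memo are logged as duplicates of ACME000001; with `scope="custodian"` all four are produced, because the copies belong to different custodians. Recording the suppressed duplicates, not just the survivors, is what lets the production be defended later: the log shows which custodian held which copy and why it was not numbered.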

  18. Reverse Funnel Method

  19. Discovery Attender

  20. Finding email

  21. Choose Search Criteria

  22. Search Results

  23. De-Duping

  24. Comparison

  25. Dealing with Multinational Corporations • Every country must deal with email, mobile business and devices, data, e-commerce, BlackBerries, and PDAs • Privacy laws vary from country to country. • Chain of custody • Qualifications of examiners • Process and procedure (HICSS44)

  26. EDRM • Electronic Discovery Reference Model • Created by George Socha and Tom Gelbmann (an attorney and a former CIO of two law firms) • Based on the Sedona Principles • Participating companies include AccessData, Guidance Software, Deloitte, Avantstar, Chesapeake Energy, IBM, LexisNexis

  27. From http://www.edrm.net

  28. Sedona Principles • Guidelines for handling electronic documents • Native format • Converted to TIFF or PDF • 14 guidelines • 1. Electronically stored information is potentially discoverable under Fed. R. Civ. P. 34 or its state equivalents. Organizations must properly preserve electronically stored information that can reasonably be anticipated to be relevant to litigation.

  29. Sedona Principles • 2. When balancing the cost, burden, and need for electronically stored information, courts and parties should apply the proportionality standard embodied in Fed. R. Civ. P. 26(b)(2)(C) and its state equivalents, which require consideration of the technological feasibility and realistic costs of preserving, retrieving, reviewing, and producing electronically stored information, as well as the nature of the litigation and the amount in controversy.

  30. Sedona Principles • 3. Parties should confer early in discovery regarding the preservation and production of electronically stored information when these matters are at issue in the litigation and seek to agree on the scope of each party’s rights and responsibilities. • 4. Discovery requests for electronically stored information should be as clear as possible, while responses and objections to discovery should disclose the scope and limits of the production.

  31. Growth of E-Discovery • A 2009 study by McKinsey & Company • electronic discovery requests were growing by 50% annually. • Growth in e-discovery spending from $2.7 billion in 2007 to $4.6 billion in 2010, according to a Socha Consulting LLC survey. • Taken from George Lawson http://searchcloudcomputing.techtarget.com/feature/Cloud-computing-crime-poses-unique-forensics-challenges

  32. Laws in the Cloud • Laws cannot keep pace with technology • Common law countries such as the US, UK, South Africa, Namibia use case law • Civil law countries use statutory law • Objectives – Digital Forensics • Evidence obtained holds up in court • The examiner holds up under scrutiny • Multinational Companies

  33. Privacy Laws • USA citizens take the expectation of privacy for granted • Privilege “according to UK common law … allows a person to refuse to testify on a matter or to withhold information” • Includes self-incrimination • Legal counsel privilege • Statements made without prejudice • China and Japan (and other non-English speaking nations) have laws that are significantly different Presented at HICSS 44

  34. Privacy in the Cloud • State vs. Bellar, Oregon Court of Appeals Judge Timothy Sercombe wrote, "Nor are a person's privacy rights in electronically stored personal information lost because that data is retained in a medium owned by another. Again, in a practical sense, our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the 'cloud,' on servers owned by Internet service providers. That information can then be generated and accessed by hand-carried personal computing devices. I suspect that most citizens would regard that data as no less confidential or private because it was stored on a server owned by someone else." http://searchcloudcomputing.techtarget.com/feature/Cloud-computing-crime-poses-unique-forensics-challenges

  35. Whose Laws / Jurisdiction? • Very little case law exists • How is jurisdiction determined? • Country of accused or responding party • Country of accuser or requesting party • Where the servers are located?

  36. Multi-tenants in the Cloud • Unless you specify and pay for no neighbors, you / your company share the hardware with others • Do you know who they are? • Implies shared logs, metadata, registry, etc • Cloud Service Providers (CSPs) may have to create an infrastructure to address how to efficiently respond to requests

  37. Taken from http://searchcloudcomputing.techtarget.com/feature/Cloud-computing-crime-poses-unique-forensics-challenges • The U.S. government has also attempted to expand the scope of data that can be lawfully requested without a warrant through a National Security Letter (NSL). • In August, the Obama administration requested to add "electronic communication transaction records" to the data included in an NSL, • Require providers to include the addresses a user has emailed, the times and dates of transactions, and possibly a user's browser history. • Have to ensure that the provider's infrastructure can deliver on these requests in a timely manner.

  38. E-Discovery / Digital Forensics Curriculum • Bridging the gap between legal and IT students • Study of terminology • Differences in process • Add a legal class to the curriculum

  39. Using Forensics Software for E-Discovery • Students must understand the difference • Privacy issues • Proprietary information • Time and cost constraints

  40. Students in the Cloud • Cloud University • Free certification (may change) • http://www.rackspace.com/knowledge_center/cloudu/ • Amazon Web Services • http://aws.amazon.com/education/ • Offers a grant of $100 of free time per student registered

  41. Case Study A • A multi-national company with 70% of their data in the cloud is being sued • The CSP by happenstance moves the data to their servers in Brazil • Have the students find the applicable laws for a civil and a criminal case for retrieval of the data

  42. Case Study B • Create three servers in the academic cloud • Assign them names to track • Plant data on each • Using standard load balancing techniques have the data move each day • Assign either a criminal forensics case or civil e-discovery case to the students and have them apply the correct procedure or law based on the country

  43. Summary • E-discovery is here to stay • Not a hard transition for curriculum • Some cost factors • New frontier
