CCL Legal News Issue 13

CONSULTING | DIGITAL FORENSICS | E-DISCLOSURE

LEGAL NEWS Issue 13

www.cclgroupltd.com

IN THIS EDITION...

> Data security and electronic disclosure
> Thoughts for the month
> Challenging the other side’s EDQ
> Where’s my data?
> CPD course
> About CCL

DATA SECURITY AND ELECTRONIC DISCLOSURE

A BRIEF LOOK AT THE WAY IN WHICH E-DISCLOSURE IS CURRENTLY DELIVERED, AND WHETHER IT IS COMPATIBLE WITH DATA SECURITY BEST PRACTICE AND DATA PROTECTION LAW

by Rob Savage

2013 was, like 2012, punctuated with examples of where corporate data security has failed. We are living in a world where any device connected to the internet is a potential target for attack and the more valuable the data contained within it, the more of a target it becomes. It is no longer just socially alienated teenagers sitting in their darkened bedrooms who are wreaking havoc on the world wide web; it has become both a corporate and government tool of espionage. A recent conversation with one of our clients revealed that they counted the number of weekly unauthorised attempts to access their network in the thousands.

Thankfully, organisations appear to be waking up to this growing threat and many are taking steps to protect themselves, their infrastructure and their information. In many cases this is not simply born out of a desire to do right by their customers, or protect their information, but instead to avoid the publicity of being the next high-profile casualty.

It is very easy in the panic and melee of an investigation (or litigation) to forget the importance of data security. When disclosure of documents is required, it is not uncommon to copy great chunks of data and ship it off to a law firm or third party to wade through. Historically, this was often done with little consideration of data security, but corporates are again waking up to the risks that this presents.

As a third party that regularly hosts this valuable data, we are often asked questions on our security. We, of course, have the layers of security one would expect to minimise the risk from ‘hackers’, but we go further and provide physical security that goes beyond that of other e-disclosure suppliers. We provide a GPS-tracked courier service with a security cleared driver using a specially equipped van. We have a purpose-built laboratory, which is accredited to handle information up to ‘Restricted’ and, most importantly, every CCL employee is security vetted.

These are all good things, but we still find that in some cases our clients are unwilling to agree for their data to leave the safety of their building. To accommodate this we have developed an on-site deployment model, which allows us to deploy technology and run a disclosure exercise from the client’s premises, giving them confidence on their data security.

It is essential to have this infrastructure and flexibility, in order to provide effective e-disclosure services, whilst keeping data security at the top of the agenda and giving clients the reassurance that their data is in safe hands in these uncertain times.



GARETH BERNARD, Senior Digital Forensic Analyst - Research & Development

Gareth is a Senior Digital Forensic Analyst at CCL, as well as being a member of the Research and Development team and a CCTV and video enhancement specialist. He has over five years’ experience in computer forensic analysis and now puts that experience towards creating tools to help CCL further develop business practices and continue to create professional and expert work. Gareth graduated in 2008 after studying Software Engineering and Intelligent Systems and has since been fully trained in many digital forensic tools and practices. During his tenure at CCL he has completed in excess of 200 cases for law enforcement and law firms, as well as providing expert assistance to corporate customers.

Gareth’s thoughts for the month

There is no denying that in this day and age, everywhere you go, you are being captured on digital media; perhaps as you walk through the frame of someone using their smartphone or being recorded by shop CCTV as you purchase your favourite unhealthy snack. Whether you think of this as an Orwellian nightmare or just a sign that more advanced technology brings us closer together, the fact is that it’s here to stay and it is something that digital forensics can and should embrace.

Despite the abundance of visual recording devices around today, we are still a long way from the sort of graphic and video enhancement techniques seen in such science fiction films as Blade Runner; especially with CCTV. A large proportion of CCTV footage is usually of such poor quality that enhancement can do little more than balance saturation and contrast.

But can deleted data at least be recovered?! Well… sometimes. Most CCTV units store their footage in proprietary formats on a proprietary file system, resulting in it being very difficult to know exactly where and what to look for with regards to deleted footage. Being a digital forensic analyst and a member of the Research and Development team is very advantageous, as I’m able to interpret the data and then use this to create tools to carve it out into a usable format. This is, however, a dark art and requires a great deal of understanding of data and further research in order to facilitate success; thankfully this is something that CCL provides.

So the moral of the tale here is that if you have CCTV for anything other than a deterrent, it is always worth ensuring you have a high quality system; after all, you can’t make a silk purse out of a sow’s ear.

JASON DICKSON, Senior Digital Forensic & E-Disclosure Analyst

Jason joined CCL in April 2008 and has conducted digital data investigations for over five years, on both computer exhibits and satellite navigation equipment, and has given evidence in court on a number of occasions. In addition, Jason has also written scripts to expedite the tabulation of records of software use (for example, records of DVD copying and burning in disk piracy cases) from software logs, the reconstruction of the use of online map websites and the recovery of encryption keys. Jason is part of CCL’s E-Disclosure Team and has experience in using both the Nuix and Clearwell platforms. Prior to joining CCL, Jason worked in retail management, in the licensed trade (in VAT calculation, gross profit calculation and payroll) and as a software tester for a major bank.

Jason’s thoughts for the month

One area of development for the e-disclosure (ED) industry, which is already showing signs of germination, is the application of ED tools and procedures to law enforcement cases of the type which have so far been carried out solely by digital forensic (DF) investigators. Particularly with regard to company fraud and other financial offences, law enforcement agencies are starting to become aware of the fact that ED tools are, in many ways, a solution more suited to the handling of these cases than traditional DF tools such as EnCase or FTK. This is because, more often than not, the key evidence is usually to be found in sifting through collections of documents and emails culled from multiple computers and networks seized from business premises, encompassing potentially enormous amounts of data.

It will be incumbent, therefore, on all companies active in the digital data investigations arena to have procedures for scoping, quoting and conducting these DF/ED crossover scenarios, in order to be in a position to deliver a comprehensive service when demand grows in the investigation environment. It is also important for companies moving into ED to maintain their DF capability, in order to address specific issues raised by cases which cannot be dealt with by the use of ED platforms alone.



CHALLENGING THE OTHER SIDE’S EDQ

by Rob Savage & Umar Yasin

The Electronic Documents Questionnaire (Form N264) has been used as a scoping document for electronic disclosure exercises ever since Senior Master Whitaker first used his version of the EDQ in the case of Goodale & Ors v Ministry of Justice [2009] EWHC B41 QB. It has been part of Practice Direction 31B since October 2010. With the advent of the other changes in April 2013, the EDQ should be exchanged in all multi-track cases where there exist electronic documents. The EDQs form the basis of pre-CMC discussions between the parties, as well as providing the judge with a blueprint for any orders on disclosure at any subsequent CMC.

With the wider changes to the CPR, from proportionality to CPR 3.9, as well as costs budgeting, we are seeing more and more cases where some parties are using exchanged EDQs to their tactical advantage. Couple this with cases that have electronic documents and are affected by proportionality pressures, as well as possibly being caught under the costs budgeting regime, and this can provide tactical opportunities for litigators.

The most common battlegrounds we at CCL see are in relation to the scope of collection and suggested keyword searches. All a party is required to do is carry out a reasonable search for documents under CPR 31.7. But what if you think that they haven’t done a reasonable job? What if you believe that the exercise being proposed by the opposing party does not constitute a reasonable search, or conversely, is disproportionate to the case? We’ll be exploring these issues and the various tactical and procedural considerations over upcoming editions of Legal News.

Some basic tips for sense-checking the other side’s EDQ are as follows.

• Make sure that their date range aligns with your expectations and understanding of the matter. Going back and widening a date range at a later date can be costly, especially where the historic data exists on backup tapes or archived systems.
• Does what they declare seem reasonable given what you know about their client? For example, a sizable business claiming not to maintain backups of their systems may seem unusual.
• Is what they are requesting of you reasonable, or is it likely to increase costs and drown you in documents to review?
• Check that both the keywords they are suggesting to search for and what they are requesting you use (if any) seem reasonable. You don’t want to be drowning in false positive documents to review, neither do you want them to be running an overly tight exercise and missing relevant documents. Predicting the number of hits a keyword will yield is not an exact science and, in fact, impossible to do with any great accuracy. However, applying some common sense can help identify potentially problematic searches; please see the ‘Keyword Searching’ article in Legal News issue 7 for some guidance on this.

In summary, it is worth taking the time to review the other side’s EDQ, and to ask yourself some questions. Engaging the services of an e-disclosure consultant can assist greatly in allowing you to sense-check the other side’s responses or suggested disclosure strategy, as well as providing you with a basis for any challenges to the other side’s disclosure or suggested disclosure, and, perhaps most importantly, clarity on costs for any subsequent e-disclosure exercise.

CASE STUDY
Deception – mobile phone analysis

THE CASE: A UK law enforcement agency were investigating a number of individuals suspected of taking part in a large deception, which involved the importing of stolen goods. Following a covert operation by the police, several suspects were arrested with a large number of mobile phones being seized.

WHAT CCL DID: CCL was instructed to forensically examine the mobile phones to ascertain whether there were any calls made to, and received from, a specific number.

THE OUTCOME: The mobile phones were analysed using a number of different tools and several call records relating to the specified telephone number were found. This information was extracted and a report was produced. The phones were then sealed and securely returned, together with the forensic reports, to the investigating authority for review.

For more information on CCL’s e-disclosure support services, call us on 01789 261200 or email edisclosure@cclgroupltd.com



WHERE’S MY DATA? SOURCES OF ELECTRONIC INFORMATION FOR INVESTIGATIONS AND LITIGATION

by Rob Savage

THE CORPORATE NETWORK

Historically, all of your client’s information would have been stored on their corporate network. In more modern times we are seeing less and less information stored ‘in house’. This is down to two reasons: the first being the increased availability of cost-effective off-site storage, commonly referred to as ‘the cloud’, and secondly, the increase in ‘remote working’, meaning that more employees are assigned laptops and mobile devices. That being said, we still see significant volumes of information stored on-site, and this is also where the more complex data sources tend to exist.

[Diagram: THE CORPORATE NETWORK: ERP, file servers, firewall & security logging systems, manufacturing systems, BI systems, desktops, backup/DR systems, email server, CRM, timekeeping systems]

RISKS:

Your client should be aware of the volume of information that they hold. A recent exercise to scope the IT infrastructure at one of our clients revealed that they had over 100 IT systems running, each capable of creating and storing potentially disclosable information. Most organisations do not fully understand the extent of the information they are holding. This is a risk, as it would be quite easy to miss information pivotal to an investigation or required for disclosure as part of litigation.

TIPS:

• Encourage your client to take steps to become ‘forensic’ and ‘litigation’ ready. By being proactive and mapping the data that they hold as an organisation, they will be equipped to respond to any investigation or litigation quickly and cost-effectively.
• Ensure your client understands their data retention and backup policies, and makes sure that these are sufficient and that processes are in place to prevent useful data being overwritten.

OUTSIDE THE CORPORATE NETWORK – THE CLOUD

More and more companies are outsourcing their IT infrastructure into cloud-based services. An example of this is Office 365, which removes the need for organisations to purchase and maintain IT hardware to run their email system. This can be a quick and cost-effective way of satisfying the organisation’s IT requirements.

[Diagram: THE CLOUD: videos, share, pictures, CRM data, documents, contacts, files, emails]

RISKS:

When dealing with a cloud-based environment it is important that your client appreciates that the data may not be under their full control. Firstly, it is worth your client exploring exactly where their data is being held. If it is on non-EU based servers, there may be data protection and data privacy issues to be considered. Also, your client needs to appreciate that it will not be possible to ‘turn off’ the device to ensure preservation. There is a risk that the data could be remotely accessed and tampered with.

TIPS:

• Encourage your client to have a response plan in place so that their IT team is able to respond to incidents quickly.
• It is important that information about who has access to what is readily available and that a procedure to revoke access is in place to allow an immediate response, should it be required.
• It can be difficult to acquire data from cloud storage in a forensic manner. However, there are tools and expertise available out there which can assist. Simply copying this information in the traditional way may not be sufficient.

OUTSIDE OF THE CORPORATE NETWORK – EMPLOYEE CONTROLLED DEVICES

The evolution of technology and connectivity has driven an increase in the number of users working remotely. While this may have cost and other benefits to employers, it is inevitable that organisations will have to sacrifice a degree of control over their information. There tends to be perceived privacy amongst employees when it comes to user-issued devices, such as laptops and mobile devices. As a result of this, these are often a very rich source of information.

[Diagram: EMPLOYEE CONTROLLED DEVICES: laptop, mobile phones, removable media, mobile devices, sat nav]

RISKS:

Assigning devices to users is often a necessary step in order for them to do their jobs effectively. However, your client should be aware that any such allocation should be accompanied by a robust IT policy, making it clear that any data stored on the device is the property of the employer. Giving users control of devices does make a covert investigation more challenging, as it may not be possible for your client to gain access to the devices without the knowledge of the employee.

TIPS:

• Investment in a remote forensics tool can often be worthwhile, especially for high risk industries and job functions.
• A remote forensics tool will allow your client to collect and analyse data from their company-owned devices, even if they are not located in the building.


SUBJECT ACCESS REQUESTS – RESPONDING EFFECTIVELY AND PROPORTIONATELY

by Umar Yasin

It isn’t just litigators that have to grapple with what constitutes a ‘reasonable and proportionate search’ for documents, whether paper or electronic. Any organisation that controls data, whether public or private, large or small, may have to process a subject access request, and, depending upon the organisation and sector/industry, these requests may be regular commonplace occurrences or sporadic exercises. Despite the different aims and objectives between processing a subject access request and disclosing documents as part of litigation, both litigators and data protection lawyers can learn from one another about how to deal with the disclosure as effectively, and as proportionately, as possible.

In recent editions of Legal News, we’ve covered in depth the challenges facing litigators during e-disclosure exercises, from attempting to navigate the labyrinthine IT landscape of their clients, through to collecting and reviewing the most relevant documents, and then redacting and/or removing documents before ultimately producing the disclosable document set.

The sheer volume of electronic data held within a typical IT landscape, the variety of this electronic data, including the ever-increasing sources of it, from the cloud to social media, as well as the more common servers and laptops, and the speed at which organisations are creating electronic data throws up real challenges. These range from how best to identify the relevant sources of information, to how efficiently and effectively irrelevant data can be culled down, to how deadlines can be met. And, post-Jackson, perhaps the biggest challenge is how to carry out a reasonable search for documents, whilst ensuring the costs of disclosure remain as proportionate as possible.

These challenges are also a key consideration for information and data protection lawyers when they are advising clients on how best to process a subject access request. Timescales for processing subject access requests are strict; the data controller has 40 days in which to respond to a request. These 40 days run from the time that the data controller has also ascertained that the person making the request is indeed the data subject. Further, the data controller is also entitled to ask the data subject for any further information that may assist in narrowing down their request for information, such as trying to understand exactly what the data subject requires information on. And as far as proportionality pressures go, the maximum amount that can be charged to process a subject access request is £10 (or up to £30 for education/health), which means it is even more important for data controllers to be able to respond to subject access requests as efficiently and as cost-effectively as possible.

Over upcoming editions of Legal News, we will be exploring subject access requests in more detail, including a more detailed look at how technology and e-disclosure solutions can ensure a more cost-effective and efficient approach to dealing with SARs.


ICO spokesperson said:

‘At a time when organisations are collecting more and more information about us, whether online or offline, subject access requests play an increasingly important role in helping us take control of our personal information. They can also benefit organisations by highlighting inaccuracies in their records and giving them the opportunity to update the information they keep about us.’

‘Our subject access code of practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect. This can only be a good thing for organisations and consumers.’

We have also published ten simple steps which organisations should consider when responding to subject access requests.

1. Identify whether a request should be considered as a subject access request
2. Make sure you have enough information to be sure of the requester’s identity
3. If you need more information from the requester to find out what they want, then ask at an early stage
4. If you’re charging a fee, ask for it promptly
5. Check whether you have the information the requester wants
6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…
7. But do consider whether the records contain information about other people
8. Consider whether any of the exemptions apply
9. If the information includes complex terms or codes, then make sure you explain them
10. Provide the response in a permanent form, where appropriate.


THE REAL CSI: TABLET FORENSICS

by Sarah Turner

Picture the scene:

06:37: The Lieutenant sits in his black Chevrolet, across the road from a seedy café in central Miami. The early morning sun rises over the tall city tower blocks and office buildings, as smartly-dressed executives and other early birds make their way to work. Gazing through his shades, the Lieutenant watches as his suspect - one of these smartly dressed executive types, fitting in perfectly with the early morning commuters - walks into the café, sits down, takes out his tablet computer and starts to work. The Lieutenant gets on the walkie-talkie to his lead officer who is waiting just around the corner:

‘He’s in the café. We’ve been onto this guy for months, he’s made over $1 million from his counterfeit goods scam – we know he’s the guy behind this, we just need to get the evidence. Another transaction has just gone into the bank account! Storm the café!’

The officer and three of his team charge into the small café sending tables, chairs and crockery crashing to the floor. Pinning the suspect to the ground, they handcuff him and grab his tablet computer. One of the officers starts looking through the device: ‘I can’t find anything obvious on here boss, let’s take it back to the lab’.

Back at the glass-partitioned lab, the tanned Technical Specialist plugs the tablet into his computer and watches as various files and documents appear on the large wall-mounted monitor – neatly ordered into emails, documents, bank transactions, etc. The Technical Specialist effortlessly moves them around the screen by swipes of his hand, zooming in on potential evidence…

So, how does this compare to the reality of the forensic analysis of tablet computers? While entertaining to watch, rather unsurprisingly, the analysis of a tablet computer is not quite this simple. In reality, the forensic analysis of a tablet is actually more similar to the analysis of a smartphone than a computer.

Computers are forensically examined by removing the hard drive and taking a forensic image of it. It is this image that is then examined rather than the content of the machine itself, to ensure evidential integrity. Imaging a computer hard drive in this way is generally the same process every time. Tablets, by contrast, do not have a hard drive which can be removed and imaged. Instead, tablets use flash memory and there are different methods of extracting a full image of the disk depending on the make and model of tablet. This can range from the JTAG method (connecting pins directly to the circuit board) to a bootloader method, or it may be limited to a logical extraction via the operating system where a full image of the disk is not possible.

One crucial mistake our friends in Miami made in the story above was looking through and not switching off the device as soon as they got hold of it. By leaving the device on, there is the potential for it to remain connected to a network and continue receiving new data, which could potentially overwrite any useful or incriminating evidence. In addition, if the suspect is particularly tech-savvy, he or one of his accomplices could remotely wipe the memory of the device if it is still connected to the network, deleting all data, including anything incriminating. Therefore, before any kind of investigation can be carried out on the device, even before switching it back on, it needs to be placed into a Faraday box. Switching the device on within a Faraday box prevents the device from connecting to a network and enables analysis to begin.

In the story above, our friends in Miami focussed on files and emails as their likely sources of potentially incriminating information. However, there are many more potential sources of useful intelligence on a tablet, such as: web history, cookies, bookmarks, images, geo-tagged photos and a wide variety of apps, especially messenger applications.

CCL worked on a case where an individual was dealing in stolen electronic goods, including iPhones. The web history obtained from his tablet played a key role in the case against him. It showed that he had searched the internet for certain terms directly related to his suspected activities, such as ‘how to remove an IMEI number from an iPhone’, which formed part of the case against him.

The forensic analysis of tablet computers and the amount of data that can be extracted from them varies greatly according to the make and model of the device and how they store data. However, in every case it is the process and procedures by which the evidence is obtained that ensure its integrity. As ever, this always means that the reality is a lot more complex and thorough than simply looking through the device or just ‘plugging it in’.



ABOUT CCL

CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it.

In 2001, we set up our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one accredited to the ISO17025 standard for our computer, mobile phone and Sat Nav laboratories. We provide digital forensics services to a broad range of organisations, ranging from law enforcement agencies, civil and criminal law firms to corporate clients. CCL has been in the e-disclosure market since 2009 and has completed over 220 e-disclosure cases to date.

OUR SERVICES

• Part 31 e-disclosure services
• Digital forensics
  - All operating systems
  - Smartphones/mobile phones
  - Tablets
  - Sat Nav analysis
  - Cell site analysis
  - CCTV analysis
• Collections
• Part 25 search and seizure orders
• Part 35 expert witness services

CPD COURSE
‘Electronic evidence and e-disclosure’

CCL provides CPD courses for lawyers. These cover everything you need to know about electronic evidence and disclosure of electronically stored information. Delivered by our in-house counsel, our CPD course will give you an understanding of electronic evidence and its implications for you and your clients.

CCL’s ‘electronic evidence and e-disclosure’ course covers:

• Introduction to electronic evidence and e-disclosure
• Practice Direction 31B and the EDQ
• Controlling costs
• Tools and techniques
• Key cases

Missed an issue of Legal News? Don’t worry, all issues are available on our website at www.cclgroupltd.com

THE NUMBERS

CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed:

• 220+ e-disclosure cases
• 4250+ digital forensic (PC) cases
• 55000+ mobile phone cases
• 2200+ consultancy engagements
• 750+ civil and criminal cases
• 475+ expert witness assignments

COMING UP NEXT MONTH:

• Social Media
• Cyber security – where are the threats and how to prepare
• Costs exemption

For more information call Rob or Umar on 01789 261200, email edisclosure@cclgroupltd.com or visit: www.cclgroupltd.com

