CONSULTING
|
DIGITAL FORENSICS
|
E-DISCLOSURE
LEGAL NEWS Issue 17
www.cclgroupltd.com
INTERNAL VS OUTSOURCED E-DISCLOSURE
IN THIS ED
ITION...
> Internal vs outsource d e-disclosure > Thought s of the mo nth > Emails are forever > Waiting for Christm as? > The real CSI
by Rob Savage
> CPD co urse > About CCL
Let’s take disclosure back to basics. CPR 31.2 defines disclosure as ‘A party discloses a document by stating that the document exists or has existed’ with a document being defined by CPR 31.4 as ‘anything in which information of any description is recorded’. If documents only ever existed in hard copy form, the whole process of disclosure would be much simpler and we would be out of business. There is no definitive list of what constitutes a document and the definition is broad for a reason. Within the last decade technological innovation has exploded; never before has it been possible for an idea or innovation to permeate through society with such velocity. As a result, the way in which information is stored is fluid and constantly changing. This is one of the main challenges when identifying relevant documents for disclosure. The inclusion of electronic documents in the process of disclosure introduces an additional layer of complexity, so much so that there is an entire Practice Direction (31B) dedicated to it. To be clear, at no point in Part 31 or PD31B does it state that a third party should be instructed to assist with this process. If a party feels that it is able to satisfy the requirements of a reasonable search and the five principles of PD31B, this
is a totally valid approach. The five principles are: 1. Electronic Documents should be managed efficiently in order to minimise the cost incurred 2. Technology should be used in order to ensure that document management activities are undertaken efficiently and effectively 3. Disclosure should be given in a manner which gives effect to the overriding objective 4. Electronic Documents should generally be made available for inspection in a form which allows the party receiving the documents the same ability to access, search, review and display the documents as the party giving disclosure; 5. Disclosure of Electronic Documents which are of no relevance to the proceedings may place an excessive burden in time and cost on the party to whom disclosure is given. The difficulties that will be faced by most parties in attempting to undertake their own e-disclosure exercise is in handling and searching large volumes of data in a controlled manner. A common approach is to instruct each custodian to search their own data and provide a copy of
responsive files. Consider that a group of custodians each searching their data will all do so in their own way, each making their own decisions on what is and is not relevant, and it is easy to see how documents can be overlooked. Client-led e-disclosure can be a simple and cost-effective way of disclosing electronic documents, but clients should be aware of the risks of failing to provide adequate disclosure. In Earles v Barclays Bank Plc [2009] EWHC 2500, adverse costs orders were made against a party who failed to search and disclose relevant documents. We often say to our clients that instructing a third party should be considered in cases where: • There exists significant volumes of electronic documents • There exists significant disparate sources of electronic documents • The electronic documents to be disclosed are material to the case; or • The absence of electronic documents may be material to the case. Get in touch with us for more guidance on your e-disclosure needs.
1
DANIEL POLLOCK, Imaging Technician Daniel joined CCL in 2014 as an Imaging Technician, carrying out the imaging process and working with various types of digital media every day. Daniel graduated from Northumbria University in 2013 with a degree in Computer Forensics before moving to the Ministry of Justice as a Tribunal Clerk. Before joining CCL, Daniel had a brief contract as a QA Test Analyst for a software company that developed educational simulations for third party companies.
Daniel’s thoughts for the month Continuity and Integrity of Evidence: Whilst studying at university, the practice of continuity and integrity of evidence had always been theory work discussed throughout the investigation of mock cases. Since working at CCL, I have put that theory into practice for the first time in my digital forensics career. The sheer importance of continuity and integrity of evidence has become extremely clear to me; by continuity of course I mean that there are measures in place to ensure that the exhibit that is to be examined by one of our analysts is actually the exhibit that was originally seized at a known place, date and time, and is considered key to the investigation. The continuity aspect comes from there being a clear chain of custody so that the integrity of the evidence remains intact. This transition from theory to practice ensures I know that every exhibit I deal with is accountable for and that every investigation I am assigned to is not potentially sabotaged by uncaring behaviour. This vital work experience within CCL has taught me the value of maintaining the chain of custody and evidential integrity, to improve the quality of an investigation.
CHRIS LINFOOT, Principal Consultant and Chief Technology Officer Chris has been a Principal Consultant with CCL since 2010, and in 2014 became the company’s Chief Technology Officer. Chris joined CCL after a lengthy and successful career in senior IT leadership, serving as both CIO and IT Director in a number of complex, international and multinational organisations. He has led numerous consulting engagements for CCL across a wide range of client needs including: strategy and strategic alignment, information governance, cyber security, specification and selection of IT software, services and suppliers, mentoring and coaching, and expert witness. Chris graduated in Applied Physics at the University of Durham more years ago than he is happy to admit. He then spent several years in production management and delivery roles in the manufacturing industry, before moving into IT management. Chris’ approach to consulting engagements draws heavily on the resulting combination of scientific discipline and real world experience as an IT user.
Chris’ thoughts for the month The focus of many IT departments is shifting away from the old on-premises approach towards the selection and deployment of service based offerings, including Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS). Frequently, organisations continue to operate conventional on-premises deployments for some applications while also adopting SaaS or IaaS for others. While many benefits arise in this hybrid on-premises and service based model, it is inevitable that complexity increases as a result. This, among other things, can have an impact on an organisation’s ability to find and disclose electronic documents when required. In response to this, companies need to develop robust information governance, in order to ensure they can react swiftly when it comes to disclosure of electronically stored information for litigation or regulatory requests. Good governance ensures strong alignments between IT delivery and the company’s strategic objectives, provides high-quality information to support business decisions, underpins operational excellence, contains risk at an appropriate level, optimises costs and supports legislative and regulatory compliance. The importance of good information governance when it comes to the e-disclosure process has also now been reinforced by the latest version of the EDRM, where information governance features prominently at the beginning of the process ‘to show that every well-managed e-discovery process should start and end with sound information governance’. CCL has a wealth of experience in helping organisations put in place the correct policies and procedures to enable them to react swiftly when needed.
2
EMAILS ARE FOREVER
by Léon Atkins, Chief Compliance Officer, UDG Healthcare plc
Léon Atkins discusses how easy it is to recover deleted emails and warns of what this means for e-disclosure in litigation It seems that I am reaching a certain respectable age; my early workplace memories are starting to predate the coming of age of a number of my colleagues - in some cases, even the dates on which they were born. But if I really wanted proof, I only have to think just how much has changed in the way we communicate since I embarked on my career, when instant messaging would have meant a fax or telex. I proudly announce that once I had to get by with no internet, no emails, no mobile devices (unless you counted portable typewriters). But despite this, I have embraced our digital age and all the advantages it brings. Although having the perspective of life without it also highlights the price that sometimes has to be paid. Take a look at email. As a means of communication it has transcended the telephone. It is estimated that by the end of 2014 there will be 1 billion corporate email accounts with each, on average, receiving or sending 119 emails every day[1]. That’s 60 billion business emails every day - ten for every person on the planet. It is no wonder that emails have spearheaded a decline in the formality of written business communications. Lawyers are well aware of this laissez faire attitude and the associated disaster or triumph for their clients that a particular email might bring. So, when we ask the question ‘Where are the emails?’ the casual response: ‘We deleted them’, very much belies the truth. Of course, emails are not like paper based letters or memos, and this is both their advantage and their risk. Let me illustrate by showing how a single email proliferates and how easily it can be found, even if you don’t know what you are looking for, and even if it has been deleted.
Our starting point is an email that Mr White (a manager employed by the client) might have written to his colleague Ms Brown. All we know is that it’s in the context of a bi-lateral agreement with a competitor (Acme). What we do know is that Mr White would have written it in the last couple of years and has deleted it. Firstly, if he did write an email, how many copies are we looking for? You might believe there are only two, but the simple act of sending an email can create tens of copies, almost all of which will have been outside of Mr White’s control. Let’s say that he wrote the email we are looking for from his laptop. Mr White’s laptop automatically stored a ‘local’ copy of the email on its hard drive, to facilitate access to it when not connected to the internet or network. On hitting ‘send’ a copy was stored in Mr White’s sent items folder, not only on his laptop but also on the client’s email server (3 copies). Mr White also has a work mobile and so, within seconds, a further copy had been automatically downloaded to this (4 copies). On receiving the email, Ms Brown’s employer’s email server directed the email into her email inbox, stored on an email server (5 copies) and immediately ‘pushed’ a copy down to her work mobile (6 copies). As soon as Ms Brown connected her laptop to her company network, it contacted the email server and downloaded all new items, including Mr White’s email. So now we are up to 7 copies.
CASE STUDY Location data – sat nav unit analysis THE CASE: CCL has seen a great many makes and models of sat nav passing through its labs over the years – but occasionally an unusual model of device is submitted as part of a case. Recently, one of our analysts was required to analyse a sat nav, the make and model of which had not previously been submitted. It formed part of a criminal case, however it was not made by one of the common manufacturers, and little information was publicly available about it. WHAT CCL DID: With support from CCL’s dedicated R&D team, the analyst was able to extract and decipher, in only a few hours, the address storage record for the device. Using this, the analyst recovered not only the ‘live’ (i.e. undeleted) records on the device, but a substantial number of deleted records too. THE OUTCOME: The majority of locations recovered tied in with what was expected, and added valuable evidence to the case.
…continued on page 6 [1] Radicati Group, Email Statistics Report 2010
3
WAITING FOR CHRISTMAS? by Umar Yasin The rhetorical question in the headline is posed only half in jest. Unfortunately, the other half is in all seriousness. The changes ushered in by the Jackson Reforms place the emphasis on litigators to treat each case as a project, and properly manage each aspect and phase. The post-Jackson environment brings these changes to the fore, whether due to the overriding objective and the emphasis on active judicial case management and proportionality, or costs budgeting purposes, as well as the changes to disclosure. With disclosure specifically, by introducing both the menu option under Rule 31.5A and the pre-CMC discussions on disclosure, Jackson LJ intended litigators to deal with disclosure, whether paper or electronic, at the start of a case, rather than towards the end. Yet, over a year later, it is surprising to see how many last-minute instructions and enquiries we still receive from law firms, with the worst-case scenario being an enquiry exactly seventeen days before disclosure lists were due to be exchanged. In this case, both law firms had exchanged EDQs and had discussions pre-CMC without any assistance at all from an e-disclosure provider, despite both firms never having dealt with an e-disclosure exercise post-Jackson. It quickly became apparent in the time from when CCL received the enquiry to the first four days, that neither side were going to be able to meet disclosure deadlines. Our side had over
1.2 terabytes worth of email correspondence and data from file shares, as well as over 60,000 pages that needed scanning and OCR’ing. We made a start on collecting and pre-processing the electronic data, whilst the lawyers worked on getting an extension for a month, which was granted. As we were pre-processing and uploading key responsive documents for immediate review, the law firm discovered certain documents that severely undermined their client’s case. Having weighed up the cost of collecting, processing and then reviewing a significant amount of documents from their disparate and unorganised information landscape, our client decided to settle, rather than proceed to defend the claim. And that brings us back to our rhetorical headline and Christmas. Had the law firm, or indeed the client’s own in-house legal team, considered disclosure at the start of their case, as soon as a claim was issued and they were preparing their defence, if not earlier, a considerable amount of cost could have been saved. In Nichia Corp v Argos Ltd [2007] EWCA Civ 741, a seminal case regarding the scope of disclosure, which concerned the alleged infringement by Argos of patented Christmas lights, Jacobs LJ suggested ‘Indeed, it is hard to think that
Suggested Pathway to the First CMC
PARTIES EXCHANGE EDQS
DISCLOSURE DISCUSSION
(To kick-start the dialogue process)
(Requirement: no less than 7 days before CMC Nb: the disclosure discussion should take place significantly before this)
4
PARTIES AGREE PROTOCOL
FILE REPORT & EDQ
(Requirement: no less than 14 days before CMC)
even before launching proceedings such as these, a claimant has not carried out, in its own interests, such a review of its own documents as will in all probability have already met, or all but met, the requirements of a reasonable search for the purposes of standard disclosure.’ Particularly with the volume of electronic documents showing no signs of abating, along with all the reasons discussed above, there certainly is a lot to be said for the early consideration of disclosure, even if it is for your own fact-finding purposes, and very little reason to wait until the last-minute.
CASE STUDY Deleted call records – mobile phone analysis e force was THE CASE: A UK polic investigation conducting an internal between two relating to allegations ed to establish officers, and they need y relevant whether there was an ed victim’s evidence on the alleg mobile phone. taken a The client had already one. This physical read of the ph and a second was sent to both CCL er, in order for digital forensics provid t comparison the client to get a direc CCL could e between what evidenc other provider recover and what the could find. was sent an WHAT CCL DID: CCL ng the physical encrypted CD containi one. The client memory read of the ph ords, however wanted deleted call rec structure they were unsure of the particular s of the call record on thi did not have y model of phone, as the . ge the specialist knowled
FILE FORM H (IF APPLICABLE)
(Requirement: no less than 7 days before CMC)
CMC
kes and CCL has seen many ma e over the models of mobile phon specialist th years, providing us wi pular and po knowledge of both the L used CC . more obscure devices ed Python lop ve specialist in-house de ery of ov rec scripts to automate the records us eo on call records. Once err ives, sit po se were removed (eg. fal re than mo er) no proper phone numb the to d nte se 1000 records were pre ge ssa me ed client. These also includ of ord rec a in nta log records, which co nt se re we y the SMS messages, who d time, and to and at what date an ls. other important detai run the Python It took two minutes to it would ipt script. Without the scr s. thi have taken days to do client was very THE OUTCOME: The amount ge impressed with the lar over rec to of data CCL was able abled en ta da from the mobile. The ht to ug bro the investigation to be the me co be a close, and CCL has lier pp su red fer client’s unofficial pre for digital forensics.
5
EMAILS ARE FOREVER …continued from page 3 As companies often do, the client took backups of its servers, which is stored on tape. This includes the email server, so unbeknown to Mr White, further copies of his email. It is not unusual for a company to take daily backups overnight and keep them for a period of a week (7 further copies). One would expect the client to have taken monthly backups and kept these for a period of a year (12 more copies). Also, yearly backups are usually retained for several years, so at least 3 more copies exist. In total this means that at any one time 22 copies of Mr White’s email exist on various backup tapes. The same is likely to be true for Ms Brown’s employer where some 22 more copies exist, which when added to our original 6 copies, means we could now have more than 50 copies of the email. The more copies you have, the easier it is to find, however, that number could easily reduce. Assuming we don’t have access to any of Ms Brown’s copies, we are left with only 25. We know that Mr White deleted the email, maybe a year ago. So there won’t be a copy on the weekly backups (minus 7 copies) or the monthly ones (minus 12 copies), and we wouldn’t expect to find it on the most recent annual backup (minus another copy). Let’s say the copy on both the mail server and his mobile device have gone because he deleted them (minus 2 copies). This leaves us with the 2 yearly backups and Mr White’s laptop. Let’s say that someone has misplaced the 2 annual backups and, as we know, Mr White
has also deleted it from his laptop, so short of requesting one of Ms Brown’s 25 copies, it looks like Mr White’s missive no longer exists. But we have digital forensics experts on our side, who say that deleted data can be recovered. They also say that the quickest route to retrieving deleted data from within a corporate environment is almost always via the backups. This was originally true in our example, but no longer. Mr White thinks he has deleted his email, but on his laptop his emails are stored within a single mailbox file. Let’s imagine that this file is a library, with each email a book with its own unique reference and its own unique (but random) location within the library. The librarian is lazy, so when the user asks for a ‘book’ to be permanently removed from the library (by pressing delete), all the librarian does is delete the reference card. The book is still there. Also, the librarian’s equally lazy cousin works in the mobile device library, so the same ‘book’ could still be found there. Fortunately, digital forensic analysts have ways and means of finding the ‘book’ without the need for a reference card. All they need is access to the relevant machines and devices, a selection of relevant keywords, details of the sender, recipient and some date ranges. So here we will identify ‘Acme’, and ‘agreement’ as our keywords. We also know the sender, the recipient and when the email was sent. Generally speaking, the longer an email has been deleted, the less likely it is to be recoverable. The library is
a finite size and eventually as more emails are written, the lazy librarian will have to get up and take the deleted ‘books’ off the shelves to allow the new ‘books’ to be filed. It is only then that the email gets permanently deleted but that can be several years after the ‘delete’ button was originally pressed. In our case, the ‘book’ is still in the library and only a few ‘books’ responded to the keywords. And we have been provided a copy of the responsive emails including the email we need. Digital forensic analysis or e-disclosure is very efficient and makes the process appear easy. Recently I needed to find emails I thought might exist to help support an offensive position on prospective litigation. Within a week of first instruction not only the emails I thought existed had been found, but a whole raft of other emails, which were highly supportive of our position. The ever increasing ease of recovering lost or unknown emails (or any other electronic documents) as part of disclosure may not be as prohibitive, either in time or cost, as might first be thought. Consequently, the common law lawyer cannot simply dismiss the requirement for a thorough e-disclosure exercise due to reasons arising from the ease, accessibility and expense of retrieving documents, even if the belief is that all relevant documents have been deleted. It is too easy to cite many examples of court actions whose paths have turned because of what has been found during a thorough e-disclosure process, and often because an email was written in haste. The email has truly created a mostly positive and fundamental shift in the way in which we work. For the lawyer, it has proved a double-edged sword. But for the client, it has created a potential minefield, which many have yet to even begin successfully negotiating. But if there is one word of advice, it’s this: an email is forever.
Léon Atkins is a solicitor qualified in England & Wales and Ireland. He was General Counsel of UDG Healthcare plc until 2014, where he is now Chief Compliance Officer. 6
THE REAL CSI: COMPUTER FORENSICS – DELETED DATA by Sarah Turner Picture the scene: 21:15: The Lieutenant sits in a dingy city bar, gun holster hidden under his jacket, shades on the bar, half watching the ball game on the large TV in the corner. Ten minutes later his informant walks in, sits next to him at the bar and orders a beer. I’ve found the headquarters of the smuggling ring you’ve been watching. He whispers They’re right here in Miami. They’ve been bringing in drugs through the city docks. I think they’ve got a big shipment coming in tomorrow. The Lieutenant finishes off his drink and gazes into the middle distance, considering his options. He gets on the phone to his lead officer… An hour later, a team of burly, unfeasibly muscular officers storm into the building identified as the gang’s headquarters. They enter the old factory building, breaking through doors and smashing windows, but find the building deserted. They notice some computers have been left behind. They turn them on and have a look for any useful intelligence. There isn’t anything on them. They must’ve deleted everything before they left! Shouts the lead officer. On the end of the phone the Lieutenant replies: Get them to the lab, we’ll see what we can get from them. Back at the lab, the uber-tanned Technical Specialist plugs in the computers and switches them on.
They’re right. There’s nothing on these machines. They must’ve deleted everything. But we can get it back. The Technical Specialist plugs a small device into each computer and punches in a few commands. Effortlessly, once deleted files come zooming onto the huge, wall-mounted monitor – documents, spreadsheets, emails all neatly file themselves according to file type and chronological order of when they were created, enabling the Technical Specialist to easily look through them for any intelligence on the gang’s movements. One document contains details of an address in Jacksonville. Boss, looks like the gang may have a hideout in Jacksonville. So how does this compare to the real world of digital forensics? Is it really this easy to recover deleted files? When a user deletes a document from a computer, this does not mean that it is completely erased from the hard drive, as you may expect. In reality, when a file is deleted (and removed from the Recycle Bin), it is actually just the reference to the file that is removed from the device’s index. The file itself still exists on the hard drive, but the computer can no longer see it and so there is no way for the average user to access it anymore. So, in order to access deleted documents, you need to be able to look at the hard drive itself, ignoring the index. However, the first step when forensically examining a computer for data – whether deleted or not (and which our friends in Miami missed) – is to take a forensic image of the hard drive. It is this image that is then examined, rather than the content of the machine itself. This ensures that nothing on the
machine is altered or affected by the forensic examination, and so means that any evidence will stand up to court scrutiny. There are many file recovery programs available, many of them for free. However, these are not forensic level tools and may not have gone through all the tests and checks required for forensic tools that deal with evidence that could potentially be used in court. CCL has a number of forensic level tools to help us obtain deleted data from computers. However, time is a crucial component when it comes to extracting potentially useful deleted files. When a file is deleted, as well as the reference to it being removed, the index also marks it as available space on the hard drive – so there is the potential for it to be overwritten by new files as time passes. The more time that elapses since a document was ‘deleted’, the greater the chance of it being overwritten on the hard drive. So it is possible to recover files that have been deleted by the user, but only while the file itself has not been overwritten. However, it is not quite as simple as may be portrayed on glossy cop dramas like the story above. It requires robust processes and methodologies to ensure that evidence is recovered in a forensically-sound, court admissible way. It is also worth bearing in mind that it may not always be possible to recover the particular file you are after, as it may have already been overwritten. For more information on computer forensics, or any of CCL’s products and services, please call us on 01789 261200, email edisclosure@cclgroupltd.com or visit www.cclgroupltd.com
7
ABOUT CCL CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we set up our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one accredited to the ISO17025 standard for our computer, mobile phone and Sat Nav laboratories. We provide digital forensics services to a broad range of organisations, ranging from law enforcement agencies, civil and criminal law firms to corporate clients.
CPD COURSE ‘Social Media and The Cloud’
professionals need This course covers what legal ng social media to know when it comes to usi onically stored evidence, and obtaining electr information from the cloud. m, you will gain Delivered by CCL’s in-house tea al opportunities, an understanding of evidenti storage as well as legalities, collecting data and media monitoring live demonstrations of social and investigation tools. Cloud’ CPD training CCL’s ‘Social Media and The course covers: and the cloud • Introduction to social media • Applications social media • The legalities surrounding evidence ions • Case study and demonstrat
CCL has been in the e-disclosure market since 2009 and has completed over 220 e-disclosure cases to date.
Missed an issue of Legal News? Don’t worry, all issues are available on our website at
www.cclgroupltd.com
OUR SERVICES • Digital forensics and investigations - All operating systems - Smartphones/mobile phones - Tablets - Sat Nav analysis - Cell site analysis - CCTV analysis - Remote forensics - Social media forensics • E-Disclosure services • IT consultancy • Information security • Digital forensics hardware and software • Early case assessment tools • Data collections • Training • Search and seizure orders • Expert witness services
8
THE NUMBERS CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed: • • • • • •
220+ 4250+ 55000+ 2200+ 750+ 475+
e-disclosure cases digital forensic (PC) cases mobile phone cases consultancy engagements civil and criminal cases expert witness assignments
For more information call Rob or Umar on
01789 261200 email: edisclosure@cclgroupltd.com or visit: www.cclgroupltd.com