E-Discovery for System Administrators

Russell M. Shumway

Russell M. Shumway, CISSPruss@aerstone.com

Admin

• I am not a lawyer

• This is not legal advice

• Interrupt me if you have questions

• IANAL

Our Goals Today

• Understand the eDiscovery Process• Identify Ways to Make the eDiscovery

Process More Cost Effective and Efficient• Learn What you can do to Save Money and

Reduce Burden in the Future• Learn how to avoid common pitfalls• Understand the need for cooperation

between IT and counsel

Discovery, generally

– Discovery process provides opportunity to both parties in litigation to acquire information in support of its case

– BUT – more than just litigation! Government subpoenas, CIDs, etc.

– -Rules developed, historically, based on paper records

Discovery: “the ascertainment of that which was previously unknown…[t]he pre-trial devices that can be used by one party to obtain facts and information from the other party in…preparation for trial.”

- Black’s Law Dictionary

E-Discovery

– Courts struggled with how to handle electronic information, but (most) have become a lot more savvy and judges are more educated.

– E-discovery has surpassed paper:

• 95% of business records exist in electronic form

• E-Discovery includes document metadata When it was created or modified When an email was sent and to whom

Sanctions

• Cost Shifting• Fines• Administrative actions• Ethical sanctions (e.g., disbarring)• Legal sanctions (contempt of court order)• Adverse inference• Directed verdict

Let’s Talk the Same Language

• Where might information hide?– Usually (not always!) in three “buckets” – network data, local data and email– Network (Home) Drives– Shared Network Drives– Desktops/Laptops– Mail servers – Databases

• Other Helpful Terms– ESI– Native Format– Metadata– TIFF/PDF– Review Platform– Readily Accessible

Discovery Process

1. Litigation (or investigation) is anticipated2. Counsel issues litigation hold3. Parties meet and confer4. Data is extracted from various sources5. Review

– Responsiveness– Privilege– Confidentiality

6. Data is produced to opposing counsel7. Repeat 3-6 as necessary

Litigation Hold– Identify potentially relevant custodians– Issue written litigation hold to all potential custodians– Interview key custodians to obtain information regarding data

storage habits and to ensure compliance with legal hold

– Figure out where the data resides– Understand backup and autodelete functions– Collect and preserve potentially relevant evidence

Preservation

Acquisition

• Method may vary with custodian • Refer to custodian interviews so you know where to look

– Photos on cell phone? Documents on iPod? Flash drives?• Self collect or outside consultant?

– This will depend on nature of case, extent of discovery and your resources

– Understand chain-of-custody requirements– Potential appearance of bias

Pre-Processing for Review

• Keyword Searches– Consider agreeing on these with opposing counsel– Consider separate search for privileged documents

• De-duplication?– Understand vendor’s method of de-duplication to ensure

defensibility • Sampling?• Concept searching?

Attorney review is overwhelmingly the most expensive part of electronic discovery – more effective processing can reduce attorney review costs by focusing the relevancy of the review material

Forensics and Discovery

– Forensics process provides digital evidence based on digital media

– May be used in litigation (criminal or civil) or administrative actions

– Very strict procedures and processes help ensure repeatability

Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis

- Kruse & Heiser, Computer Forensics

Convergence

• Both eDiscovery and forensics involve the extraction of data from electronic media

• Both must be repeatable• Both may involve personal testimony as to the

process• Both may use the same or similar tools and

techniques

Divergence

• Inaccessible files• Deleted data• Data location and/or context• Duplicate copies• Data format

Concerns

• Deleted files– Deleted– Overwritten– Recycle Bin– Deleted emails

• Unallocated and slack space• Temporary files (web cache)

Tools, general

• Indexing search tools– May or may not include desktops– Typically handle common mail formats (Exchange)

and common file formats– Typically do not handle proprietary formats or

apps– Cost

• Location (server, personal folders, cloud)• Format for extraction• Format for production• Attachments• De-Duplication

• Native utilities (exmerge)• 3rd party tools (PowerControls)• Other utilities (dtSearch)• How to handle the cloud?

Email

• Microsoft Office and similar– Easily viewed– Printable

• Location• Format• Extraction

• Native utilities (grep)• 3rd Party tools (indexing and non-

indexing)

Documents

Others

• Databases– Canned or custom reports– Paper output– May require assistance and/or software

• Custom applications– Paper output– May require assistance and/or software

• Location

• Native utilities (grep)• 3rd Party tools (indexing and non-indexing)

Questions?