- 28/06/2018
- Posted by: Alistair Ewing
- Categories: eDiscovery, Infosec, Legal
Businesses need to be proactive and improve their processes for the storage and release of information rather than be reactive. It is better to have essential retention and storage policies in place before litigation arises. We have performed too many collections where the IT department has no idea where the data is stored; this is usually the case in smaller firms where they outsource the IT department. Having well-organised, easily locatable electronically stored information (ESI) will not only save you money and time in the likely event of litigation; it may also have other benefits, such as being able to source key intellectual property (IP) assets in the event of an employee investigation or a disastrous loss resulting from rogue malware or hardware failures.
What Businesses Need to Consider Before an E-discovery Exercise
- Invest Time Preparing Now: The amount of time spent organising a proper governance strategy and migrating to an E-discovery friendly office platform will significantly reduce costs in the future. It is a false economy not to invest time, money and resources into this endeavour now.
- Record Trail: Policies must be in place, and you must record when they were approved and by whom. Example: “We back up the Exchange server every eight months, it is stored in this location and is deleted after X amount of time.” This shows litigators that you are well organised, which leads to them giving you less hassle as the case progresses.
- Deletion Policy: It is not efficient to hold onto ESI forever, but you must adhere to retention that meets the regulatory requirement. Each deletion should be documented with an explanation of why the archive was deleted, and the action must conform to the particular requirements of your industry or country. Missing project emails, gaps in dates and undocumented deletions are all unacceptable.
- Intentional Withholding: Hiding or withholding information will cause you added hassle and undermine your organisation's credibility. You must explain why specific emails were withheld from a date range or why a custodian’s data was deleted before the allocated time. If a forensic preview discovers ESI that was not disclosed after the pre-collection questionnaire, it undermines the credibility of the company and can lead to further financial losses. I have worked on a case where a denied an email was sent by an ex-employee. The emails of other custodians who had left the company were archived, but this person’s emails were not available. I was presented with a drive that they said this individual used. They were bluffing as no user profile belonging to this person existed; they handed me a computer that was never used by this individual. Additionally, they stated that they migrated servers and didn’t bring forward the custodian in question, but the other employees that had left the company before this custodian exited had their PST email archive files in the migration in a PST backup folder. After examining migration logs and other records, I discovered that the custodian’s PST file had been present on the server at some point. As a result, they received a hefty fine for hiding this information and had to pay back the claim.
- Standardisation of Backups: I have worked on a case where some emails were available on the server, others were in a backup folder, others on the custodian’s hard disk and even some in VHD disk clones. Having ESI in multiple areas is haphazard. Each forensic image had to have every archive and backup examined for case ESI. Users had the admin rights to take emails off the server when they backed up, leading to fragmented loci of the documents and email files involved in the case. The outsourced IT firm engaged by the business had no backup policy in place. This leads to an expensive, long, drawn-out investigation, extraction and comparison process to ensure I had the full range of emails and ESI. For the forensic collector, the process should be as simple as: work files are stored in this location, backups here, and the rest is on the server along with all the logs and audits. It should all be auditable and defensible. Only admins should be allowed to perform backup tasks and records must be kept to show a full transversal expired. If this isn’t the case, then the email system used should automatically retain all the emails sent and received regardless of user actions.
- Using BYOD in an Organisation: Allowing your staff to use their own devices not only opens the door to security risks but leads to the embarrassing prospect of having to encroach on their privacy and investigate their devices to source potential ESI that may be stored in personal Gmail or online Outlook accounts. This lowers staff morale and gives the impression of lax policy. Just look at the recent Hillary Clinton scandal, where she used personal email for government matters. A leak here could cost your company embarrassment, all for the sake of allowing staff to use their home mobile phone or computer. Just fork out for the devices. Prep and provide digital work items for staff that have been selected with security and retention in mind. iPhones back up to iCloud; this way ESI can be retrieved from the iCloud location using iPhone Backup Extractor and searched even if the phone has a forgotten code or the custodian is unavailable. Configure laptops to retain data and perhaps install monitoring software that tells you if a specific non-compliant action has occurred.
- Consider Migrating to Gmail or Office 365 for Business: These cloud-based options reduce the time spent collecting ESI, and retention can be performed via a click of a button in the settings. Make sure devices have two-step authentication and that mobile devices synced with these services have decent passwords protecting access to your assets, as you are exposed to the web when using these services. In many ways, these webmail platforms can act as review tools in themselves, allowing you to triage and keyword search specific projects involved in the case and reducing preview time before a collection, which can be done remotely. In some cases, this reduces costs for a manual data acquisition. It must be noted, though, that these searches don’t recognise characters in documents and don’t have the raw power and options of tools like my personal favourite, Nuix. The knock-on effect is that this will improve efficiency and stability in your business compared to using something debunked such as Lotus Notes. The only drawback is that your data is stored offsite on Google’s or Microsoft’s servers, which may go against clients’ wishes in specific sectors.
- Keep Asset Lists for Data Mapping: A simple spreadsheet detailing hard disk serial numbers, locations of ESI, users assigned to a domain and whether more than one user uses a specific computer cuts time when handed to an E-discovery company as needed. It additionally saves costly second collection attempts caused by gaps in the contiguous layout of the ESI across the date range. It may even be used to periodically produce directory listings of all your devices so one can quickly find where ESI is stored. This can work in harmony with your security audit as well. Early case assessments can then be conducted precisely and promptly. Compute Forensics can aid in this.
- Regional Issues: Some multinationals have used a ‘one size fits all’ approach for all the countries in which they are based and have opened themselves up to litigation. The governance programme must be suited to the particular jurisdiction. It is worthwhile to consult a local lawyer to run through the nuances of that specific jurisdiction or industry.
Please contact me if you need any advice regarding this topic; a few days of consultation could save your firm a small fortune in the future. Add me as a connection: a.ewing@compute-forensics.com. Like and share if you found this useful.