Convergence of forensics, ediscovery, security, & law.

Author: Jorgensen, Serge
Position: Electronic Discovery and Digital Evidence

INTRODUCTION

Moore's Law, an observation first made in 1965, predicts that the number of transistors on integrated circuits will double approximately every two years. (1) For technologists, the practical extension is that almost everything built on integrated circuits, from processor speed to the resolution of digital cameras, improves at a comparable pace. (2) For lawyers and consumers, this means that technology is not going to stop changing any time in the near future. Technological advances will bring new challenges and new considerations at an ever faster pace as data processing and storage reach into unforeseen areas of our lives. Agreements, or arguments, about native versus TIFF formats of production pale in comparison to issues such as forensics and data discovery on neural networks, (3) "big data," (4) or crowd-sourced solutions architected and adopted by companies including Facebook, Unilever and Netflix. (5) There are currently more than seven billion cell phones for the 4.7 billion people between the ages of fifteen and sixty-four in the world. (6) The possibilities for connectivity and data creation opened up by this fact alone are staggering. Add other potential discovery sources, such as larger computers, digital cameras, automobile navigation systems and the Internet of Things (IoT), (7) and there is a mess of data. Trying to adequately secure, acquire, examine and produce related data, let alone determine legal relevance, is becoming an increasingly daunting task. The proposition that one can still "look through the filing cabinet" for legally relevant electronically stored information (ESI) or discoverable data is simply untrue. We now need to know what to keep, where to keep it, and how to look for it when the need arises--and in order to have a chance of finding what we are looking for, we need to know these things before we know we need the data.

As society develops and incorporates new technologies, it will become obvious that the law must move to a more proactive stance, instead of the current reactive stance. The challenges of ESI forensics, discovery, and security in the distributed, scalable, shared computing infrastructure commonly called "the cloud" are in large part a result of our prior failure to proactively consider compliance and legal matters before adopting these new technologies. This is not an argument for new laws, but rather for applying existing laws and current solutions to these new technologies. We otherwise risk tossing aside years of experience and knowledge. Current statutory and common law legal authority is well equipped to deal with many, perhaps even all, legal questions that might arise from the use of new technology. In most cases, a clear similarity can be found between the physical world of houses, floors, walls, doors, and windows and the logical world of networks, infrastructure, routers, firewalls, and packets. Privacy, ownership, access, control, responsibility--all of these concepts and many more exist in both physical and logical worlds.

The following discussion will provide some basic definitions of various terms and components, review tools and resources available, and offer a glimpse of upcoming technological advances and the associated convergence between legal and technical considerations as those technologies develop.

This Article is not meant to provide exhaustive descriptions of each area, but will cover some foundational concepts and suggest a path where lawyers and technologists can coexist in a symbiotic, instead of an antagonistic, relationship. Lawyers are generally risk-averse, and (at least to technologists) have gained a reputation over the years as impediments to progress and innovation. First adopters of available technologies (inventors, entrepreneurs, and the like) are less risk-averse, or even risk-seeking, and generally leap before looking. This risk-oriented culture has been responsible for creating new and innovative ways to collect and share information. Without anticipating and building in some forethought protections, such innovations pose currently unaddressed and techno-centric legal issues that affect each of our lives to an increasingly insidious extent.

  1. DEFINITIONS

    An effective discussion on the subject of convergence must first clear up confusion regarding some terms and usages common in the industry. Technologists and attorneys frequently get themselves into trouble by using presumed (and at times incorrect) definitions of terms that mean different things to each group. For the purposes of our discussion, the reader is asked to generally accept the following descriptions of forensics, electronic discovery and information security. These are not meant to be complete, nearly-complete, or even permanent definitions, but rather, foundational overviews that will provide the groundwork for a further discussion on some areas of convergence between these areas and the legal world. While it would be easy to argue that the offered definitions are overly simplistic and cover but a fraction of the areas of expertise involved in each, the alternative would be to write a series of books on each subject by itself.

    1. Forensics

      "Computer forensics" is a term commonly used to describe the in-depth analysis of ESI. (8) Even that definition, however, is open to interpretation and can result in confusion. Consider "the computer." This is generally understood to mean a collection of components made up of a processor, some volatile memory (RAM), some non-volatile storage (hard disk drives, or HDDs), a keyboard, screen, mouse, power supply, DVD drive, and various other parts. (9) While one could expect that the data on the HDD is the key component, a forensic analyst might also consider:

      * the manufacturer's service tag on the case of the computer, compared against the installed drive, to determine whether the HDD is the original equipment;

      * S.M.A.R.T. data recorded by the drive itself to evaluate power-on hours, power-cycle counts and other internally logged information; and even

      * the placement of dust inside the case to assess other physical access to the system.

      Similarly, when scrutinizing data on an HDD, a forensic expert knows that there is data in allocated space, unallocated space, slack space and manufacturer-controlled spaces and data repositories. (10) Moreover, chain of custody, best evidence and provenance are all forensic considerations when examining a potential source of information.
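      The distinction between allocated, slack and unallocated space is easier to see on a small model than in prose. The following Python script is an added illustration, not part of the original Article: it builds a toy cluster-addressed volume, writes a memo, deletes it, and reuses part of its space for a short note, then shows what remains visible in each of the three areas an examiner searches. The cluster size, file names and file contents are constructed for the example, and the model deliberately omits the sector-level zero padding that modern operating systems apply to the final sector of a file, so it reflects a FAT- or NTFS-style filesystem in outline only.

```python
"""Toy cluster-addressed volume: allocated, slack and unallocated space.

Constructed example, not from the Article. A real filesystem allocates whole
clusters to a file but writes only the file's own bytes; everything else on
the medium keeps whatever was there before, which is what an examiner recovers.
"""

CLUSTER_SIZE = 512  # constructed: real volumes typically use 4096 bytes or more


class ToyVolume:
    def __init__(self, clusters: int, cluster_size: int = CLUSTER_SIZE) -> None:
        self.cluster_size = cluster_size
        self.total = clusters
        self.media = bytearray(clusters * cluster_size)   # the raw "disk"
        self.allocated: set[int] = set()                  # clusters assigned to files
        self.files: dict[str, tuple[int, int]] = {}       # name -> (first cluster, length)

    def _clusters_for(self, length: int) -> int:
        return -(-length // self.cluster_size)            # ceiling division

    def _first_fit(self, need: int) -> int:
        """Return the first cluster of the first free run long enough for `need` clusters."""
        run = 0
        for c in range(self.total):
            run = 0 if c in self.allocated else run + 1
            if run == need:
                return c - need + 1
        raise OSError("volume full")

    def write(self, name: str, data: bytes) -> None:
        need = self._clusters_for(len(data))
        start = self._first_fit(need)
        off = start * self.cluster_size
        # Only len(data) bytes are written; the tail of the last cluster is left
        # untouched, so whatever an earlier file left there becomes file slack.
        self.media[off:off + len(data)] = data
        self.allocated.update(range(start, start + need))
        self.files[name] = (start, len(data))

    def delete(self, name: str) -> None:
        # Deletion releases the clusters in the allocation table only; the bytes
        # stay on the medium as unallocated space until something reuses them.
        start, length = self.files.pop(name)
        self.allocated.difference_update(range(start, start + self._clusters_for(length)))

    def read(self, name: str) -> bytes:
        """What the operating system shows the user: the logical file."""
        start, length = self.files[name]
        off = start * self.cluster_size
        return bytes(self.media[off:off + length])

    def slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        start, length = self.files[name]
        logical_end = start * self.cluster_size + length
        cluster_end = (start + self._clusters_for(length)) * self.cluster_size
        return bytes(self.media[logical_end:cluster_end])

    def unallocated(self) -> bytes:
        """Every cluster not currently assigned to a file, concatenated in order."""
        chunks = [self.media[c * self.cluster_size:(c + 1) * self.cluster_size]
                  for c in range(self.total) if c not in self.allocated]
        return b"".join(bytes(ch) for ch in chunks)


def demo() -> dict[str, bytes]:
    """Write a memo, delete it, reuse its first cluster with a short note, then
    collect the three places an examiner would look."""
    vol = ToyVolume(clusters=8)
    memo = b"CONFIDENTIAL: settlement authority up to $2.4M " * 20   # constructed, 940 bytes
    vol.write("memo.txt", memo)                 # occupies clusters 0 and 1
    vol.delete("memo.txt")                      # both clusters become unallocated
    vol.write("notes.txt", b"lunch at noon")    # first-fit reuses cluster 0
    return {
        "logical": vol.read("notes.txt"),       # 13 bytes, nothing sensitive
        "slack": vol.slack("notes.txt"),        # 499 bytes of the deleted memo
        "unallocated": vol.unallocated(),       # cluster 1 still holds the memo's tail
    }


if __name__ == "__main__":
    for area, data in demo().items():
        print(f"{area:<12} {len(data):>5} bytes   memo text present: {b'settlement' in data}")
```

      A user who opens notes.txt sees thirteen bytes; an examiner who images the volume and reads the slack behind that file and the unallocated clusters beyond it recovers most of the deleted memo. This is why a production limited to "the files" is not the same as a forensic examination of the drive.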

      For the purposes of this discussion, forensic analysis of "the computer" generally includes review of some sort of data repository (e.g., an HDD) and the information placed on that HDD by an operating system (OS). Difficulties can arise when evidence moves from the physical to the virtual world--or from local to remote locations. In years past, "the computer" contained one or two HDDs and was located under someone's desk. It is increasingly common for computers to contain multiple drives with terabytes of storage and to be located in one or more locations remote from the user. Virtualization technology makes it possible, and even likely, that one physical HDD contains many virtual environments (each with its own OS and user experience). Cloud technology and cheap high-speed internet access make it probable that there is more data stored in a remote location (e.g., SkyDrive, iCloud, Google Docs) than on the local computer. (11) Any forensic analysis that fails to at least consider these other data repositories is both inadequate and incomplete, and testimony based on such analyses is susceptible to easy impeachment.

      Two major components of a forensic investigation are the preservation and the analysis of data. (12) In order to discuss data preservation, it is necessary to fully understand the process of the creation and usage of the data. Once the forensic analyst understands this data creation and usage, the appropriate techniques can be brought to bear on the various data repositories. Live, offline, virtual, remote, and snapshot acquisitions each have their place and value, and each has its advantages and disadvantages. Depending on the data and environment, partial preservation may be the "best efforts" (13) of a party, and work will need to be done on a live system. This is most often the case with mobile devices (e.g., smartphones), where full forensic acquisition is often impossible due to manufacturer constraints on access to the raw data repositories on the devices. A brief convergence discussion will aid in understanding the need for counsel to appreciate the complexities and limitations of the various collection and preservation options. Failure to take the time to adequately understand the methods and limitations will easily result in widely differing definitions of the words "everything" and "all," with the near certainty of an associated negative outcome. Promising or agreeing to preserve "everything" without careful research and a clear understanding of capabilities and options can be disastrous.
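      Whatever acquisition method is chosen, the preserved image is only as good as the record that proves it has not changed since collection. The following Python script is an added example, not code from the Article or from any imaging product: it hashes a source in fixed-size segments as well as a whole, the way imaging tools that log per-segment hashes do, and later verifies a copy against that manifest, reporting where any discrepancy lies rather than merely that one exists. The "device" contents, the segment size and the tampering are all constructed for the example.

```python
"""Segmented acquisition manifest with per-segment hashes and a verification pass.

Constructed example, not from the Article. A whole-image hash proves that an
image is unchanged; per-segment hashes additionally localize a change, which
matters when a multi-terabyte image fails verification years after collection.
"""
import hashlib
import json

SEGMENT_SIZE = 1024  # constructed: real segments are hundreds of MiB or larger


def acquire(source: bytes, segment_size: int = SEGMENT_SIZE) -> dict:
    """Read the source once, hashing every segment and the whole, and return the
    manifest an examiner would sign and attach to the chain-of-custody record."""
    whole = hashlib.sha256()
    segments = []
    for offset in range(0, len(source), segment_size):
        chunk = source[offset:offset + segment_size]
        whole.update(chunk)
        segments.append({"offset": offset, "length": len(chunk),
                         "sha256": hashlib.sha256(chunk).hexdigest()})
    return {"size": len(source), "segment_size": segment_size,
            "sha256": whole.hexdigest(), "segments": segments}


def verify(image: bytes, manifest: dict) -> list[int]:
    """Return the offsets at which the image departs from the manifest.
    An empty list means the image is intact; a size change is reported at the
    point where the two lengths diverge."""
    bad = []
    for seg in manifest["segments"]:
        chunk = image[seg["offset"]:seg["offset"] + seg["length"]]
        if hashlib.sha256(chunk).hexdigest() != seg["sha256"]:
            bad.append(seg["offset"])
    if len(image) != manifest["size"]:
        bad.append(min(len(image), manifest["size"]))   # truncation or growth
    return sorted(set(bad))


def demo() -> dict:
    """Image a constructed device, verify a pristine copy, then a copy with one
    flipped byte, and show that only the whole-image hash is blind to location."""
    device = bytes((i * 7 + 3) % 256 for i in range(4 * SEGMENT_SIZE))  # constructed
    manifest = acquire(device)
    pristine = verify(device, manifest)                   # []
    tampered = bytearray(device)
    tampered[2 * SEGMENT_SIZE + 17] ^= 0xFF               # one byte in segment 2 changed
    altered = verify(bytes(tampered), manifest)           # [2048]
    whole_ok = hashlib.sha256(bytes(tampered)).hexdigest() == manifest["sha256"]
    return {"manifest": manifest, "pristine": pristine, "altered": altered,
            "whole_hash_matches": whole_ok}


if __name__ == "__main__":
    result = demo()
    print(json.dumps({k: v for k, v in result["manifest"].items() if k != "segments"}, indent=2))
    print("pristine copy discrepancies:", result["pristine"])
    print("tampered copy discrepancies:", result["altered"])
    print("whole-image hash still matches:", result["whole_hash_matches"])
```

      The same mechanics explain why a live acquisition cannot be re-verified against the running system: the source keeps changing, so a second pass will not reproduce the first manifest, and the examiner must instead document the acquisition process and hash the resulting image at the moment it was taken.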

      Once preservation has occurred, or access methodologies have been agreed upon, the analysis can commence. Analysis, from the earlier example, can include both physical and logical work and spans a wide range of skills. Once past a cursory inspection, analysis of the logical environment generally consists of collecting and reviewing surrounding information as much as the data in question. Translating this into the physical world, a crime scene investigator would spend as much time examining the space around the body as on the body itself. Likewise, a good computer forensic analyst will develop information about the system metadata, (14) computer usage patterns, registry information (15) and various other indicators before focusing on the specific data that might be the "focus" of the analysis.

      For a short review of a forensic analyst's work, consider as an example a simple Microsoft Word document created in a Windows operating system and saved on a local hard drive. Taken together, the information contained would...
