Earn,
I don't know of any other way to word things sorry.
Yes, I will probably know the location of the hits unless they are UA (which a lot will prob be), to go in and take hundreds of paths to exclude and hope that there isn't a crash won't happen.
If there were a few hundred items and you could right click and exclude from case that's fine, but then what? You have all this data which you need to export (UA included, to another external hard drive). Trying to copy out that much data crashes software: EnCase, FTK, X-Ways. And the time to try to input all those paths is not in the cards.
There is a simple fix somewhere here, hope that someone has run into this before.
"You can't preprocess and remove items because you don't know where they reside, I'm guessing a lot reside in emails or documents, maybe other places also. "
No idea where the files will reside, and guessing, they will reside all over, one here, one there, etc.
Have to be able to exclude hits in UA also but don't want to exclude all of the UA, just the ones containing the keywords.
I'm too new to know anything about Python or writing a script. I know that various software has the functionality to take a list of words, find all instances of those words and say "here they are"; the goal is how to get all the other 97% of the data exported without any of the keyword data being mixed in.
Once you run your keyword search you will know exactly where the files reside. It shouldn't really matter anyway if you are only "restoring" the files you want and not any that contain the hits you don't.
Greetings,
May I ask who imposed these restrictions on you and if you can go back and renegotiate with them?
It is very common, nay, it is an integral part of the ediscovery process to identify responsive, non-responsive, and privileged records and only produce the ones that are responsive and are not privileged. But trying to do this by redacting the privileged information in place is very difficult.
In addition to issues already raised, I'd add that while a particular string might be what triggers privilege concerns, the context is also important. This would mean that simply masking the string out of unallocated might not be sufficient, you might have to look at the context and that would be … interesting … in unallocated space.
If you don't need to produce unallocated, the problem is a lot simpler.
A really brute force method would be to blow the whole thing out to a new disk, mount it rw, delete the offending files based on hash values, and use a hex editor to zap the hits in UA.
-David
As other posters have suggested it's going to be really difficult to do this thoroughly. If you search for the terms in EnCase or FTK you may miss items in encrypted files which you are later able to decrypt or in other structures that your search method doesn't penetrate, such as text within pictorial content (e.g. scanned documents).
I'd suggest having whatever analysis is required completed by an independent third party to avoid the issue entirely. If there's no other option, make sure you propose a detailed methodology and get the other party to agree to the methodology so you are not held accountable for any instances that slip through the net. I'd certainly insist that the first step in any agreed methodology is for a complete image to be made, sealed and held by an independent custodian regardless of what you're allowed to take away at that stage.
Thank you for the replies.
So to update, let's say the image is done, and we aren't worried about the encrypted part. A keyword search will be done and all relevant items will be listed. A stipulation is made that these listed items are what can be done given the circumstances, and that their removal will be considered acceptable.
What methods are suggested?
Bringing in a 3rd party is not an option and writing some script or using Python is not an option.
You say that bringing in a 3rd party is not an option. However, this is exactly the type of situation that would benefit from the use of a special master (see Craig Ball's white papers regarding this type of situation). An independent court/arbitrator-appointed special master could take possession of the image and progress within the parameters established by both sides for production. I am no attorney, but have been in these situations in the past and would be happy to give you insight/suggestions based on my experiences; if so, PM me.
Mjantal,
It's not an option. I tried to mention that before. There are experts on both sides, it's an issue where both parties are kind of stumped and just are looking for some guidance. Everyone at some point runs into issues which they just don't know the answer to and needs help.
We both are knowledgeable about special masters, and that was not the way to go with this case. In addition, the budgets are greatly limited after taking care of the current bills and charges, as there are other types of experts involved in the case, not just computer forensic. Once this issue is resolved each expert offers a specific skill-set which will help with this case. It is one problem which we thought that someone would have an answer for.
Along the lines of the step by step issue Kovar posted for excluding an item, does anyone have a suggestion on what to do now?
Please keep in mind that filtering each piece of data in the possible locations they reside in, which could be all across the drive, is difficult due to crashes on multiple pieces of software and the amount of time to input each path for filtering. Looking for an exclusion method.
To simplify the matter, I'm trying to look at things on a post image level now as opposed to pre-image level.
Thanks.
Greetings,
Given the limitations you're placing on the possible solutions - limited financial resources, no special masters, no custom scripting - there may not be any acceptable solutions available to you.
-David
I'm playing around with a few options on some old images to see if any of them work, if they do I will report back the results.
Checking back in to see if anyone came up with anything new to try.
You can't get there from here. Ignore unallocated. Ignore encrypted files. Ignore slack. Ignore all the weird crap.
Let's talk about email.
A can of Coke says that both sides care about responsive & privileged email. In fact, at the end of the day, the attorneys will probably spend far more time reviewing email than they spend reviewing anything else. Litigation always comes down to email.
So… how are you going to redact privileged emails inside of PSTs?
You're not.
The way to do this is to search for responsive items. Then you search that set for privileged items, being somewhat conservative, and let one side review the "potentially privileged" items while the remainder are reviewed by the other side. In both cases, you will end up making derivative PSTs or collections of MSGs.
What you almost certainly can't do is find everything inside of a PST, overwrite the hits, and have something usable. First, you likely won't find all possible hits searching the PST as a flat file. Second, even if you did, overwriting those hits is risky and may corrupt the PST. Third, and most importantly, it's not the search hit that makes the item privileged, it's the human understanding of the whole item, as rightfully pointed out by Mr. Kovar. Fourth… clawback gives you an out.
While it's nice to have a full image, it almost sounds like both sides in this matter would be better off agreeing to a logical collection of native files, via robocopy, and letting the defendant produce responsive email after privilege review.
Jon
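Jon's two-stage approach (search for responsive items, conservatively search that set for privileged terms, then export only the keyword-free remainder as a logical collection) as an added Python illustration. This is my own example, not code from any poster in this thread; it assumes messages and documents already exported as plain-text files under one directory, and the term lists and sample files are constructed. Files that cannot be decoded (the encrypted or scanned content warned about above) are set aside as unsearchable rather than silently exported.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed sample term lists; a real matter would use the parties' agreed lists.
RESPONSIVE_TERMS = ["project falcon", "merger"]
PRIVILEGED_TERMS = ["attorney-client", "legal advice"]

def contains_any(text, terms):
    low = text.lower()  # case-insensitive substring match against the term list
    return any(t.lower() in low for t in terms)

def classify_collection(root):
    """Bucket plain-text files: remainder (no responsive hit, export as-is), responsive,
    potentially_privileged (responsive AND privileged hit; held for human review),
    unsearchable (undecodable, e.g. encrypted; never silently exported)."""
    buckets = {k: [] for k in ("remainder", "responsive", "potentially_privileged", "unsearchable")}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            buckets["unsearchable"].append(path)
            continue
        if not contains_any(text, RESPONSIVE_TERMS):
            buckets["remainder"].append(path)
        elif contains_any(text, PRIVILEGED_TERMS):
            buckets["potentially_privileged"].append(path)
        else:
            buckets["responsive"].append(path)
    return buckets

def export_bucket(root, dest, paths):
    """Copy files to dest keeping relative paths; return those relative paths."""
    for path in paths:
        target = Path(dest) / path.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
    return sorted(p.relative_to(root).as_posix() for p in paths)

def run_demo():
    # Constructed collection in a temp dir: three text "messages" and one undecodable file.
    root, dest = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (root / "mail").mkdir()
    (root / "mail" / "budget.txt").write_text("Q3 budget numbers attached.")
    (root / "mail" / "falcon.txt").write_text("Status of Project Falcon deal.")
    (root / "mail" / "counsel.txt").write_text("Attorney-client: legal advice on merger.")
    (root / "mail" / "locked.bin").write_bytes(b"\xff\xfe\x00\x80not searchable")
    buckets = classify_collection(root)
    names = {k: sorted(p.name for p in v) for k, v in buckets.items()}
    names["exported"] = export_bucket(root, dest, buckets["remainder"])
    return names
```

The unsearchable bucket is the list to take back to the other side, since those items were never actually searched and cannot be stipulated as keyword-free.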