Imaging with exclusions?

30 Posts
11 Users
0 Reactions
3,726 Views
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

First, I hope this is an employer, not a contract situation.

I would walk away from this if it was a contract job. You are the expert. If you say "this is the process" then that should be taken by your attorney as gold. (Of course the process better be gold!)

. . . There are tools out there that can take any type of file, including dd, and look for a string and replace the string, as some have already mentioned. It was also mentioned that in some cases such "replacement" can corrupt files.

Are you saying you need to do something like this? . . . or am I totally still under the weather?

hash original
create dd image of image-master from original
hash image-master
compare hash of original to hash image-master
create dd image of image-working from original
hash image-working
compare hash of original to image-working
grep for string pattern across image of image-working
record findings
associate finding with files, slack, open space, etc (presuming image was searched as raw binary)
replace findings in image-working
use image-working for whatever . . .


   
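The hash / image / grep / replace sequence jhup lists above, written out as a runnable Python script. This is an added example, not code from jhup or any other poster: the "evidence" is a constructed byte string, the keyword PROJECT-ALPHA is a hypothetical search term, and the same-length filler is an assumption so that no byte offset in the working image moves. The findings log keeps the hashes of the original, the master and the working image before and after replacement, which is what documents the derivative image later.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample "original": a message fragment, zero-filled space and a
# leftover slack-like fragment. This is not real evidence data.
SAMPLE_ORIGINAL = (
    b"From: alice@example.com\r\nSubject: memo\r\n\r\n"
    + b"Counsel advised: PROJECT-ALPHA budget is final.\r\n"
    + b"\x00" * 64
    + b"...slack... PROJECT-ALPHA draft v2 ..."
    + b"\x00" * 16
)
# Hypothetical keyword agreed by the parties; a real matter would use a list.
PATTERN = rb"PROJECT-ALPHA"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so the same code scales to a full disk image."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(original: Path, image: Path) -> str:
    """The 'dd' step: byte-for-byte copy, then confirm the copy hashes the same."""
    with original.open("rb") as src, image.open("wb") as dst:
        shutil.copyfileobj(src, dst, length=1 << 20)
    src_hash, dst_hash = sha256_of(original), sha256_of(image)
    if src_hash != dst_hash:
        raise RuntimeError(f"hash mismatch: {src_hash} != {dst_hash}")
    return dst_hash


def find_hits(data: bytes, pattern: bytes) -> list[tuple[int, int]]:
    """Raw binary grep over the whole image: (offset, length) of each hit."""
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, data)]


def redact_same_length(data: bytes, hits, fill: bytes = b"X") -> bytes:
    """Overwrite each hit with a same-length filler so no byte offsets shift."""
    buf = bytearray(data)
    for off, length in hits:
        buf[off:off + length] = fill * length
    return bytes(buf)


def run_process(workdir: Path) -> dict:
    """Run the full sequence inside workdir and return the findings log."""
    original = workdir / "original.bin"
    master = workdir / "image-master.dd"
    working = workdir / "image-working.dd"
    original.write_bytes(SAMPLE_ORIGINAL)

    log = {"original_sha256": sha256_of(original)}
    log["master_sha256"] = image_and_verify(original, master)
    log["working_sha256_before"] = image_and_verify(original, working)

    data = working.read_bytes()
    hits = find_hits(data, PATTERN)
    log["findings"] = hits  # record offsets before touching anything
    working.write_bytes(redact_same_length(data, hits))
    log["working_sha256_after"] = sha256_of(working)  # hash of the derivative
    log["size_unchanged"] = working.stat().st_size == original.stat().st_size
    return log


def run_demo() -> dict:
    """Run the process in a throwaway directory and return the log."""
    with tempfile.TemporaryDirectory() as d:
        return run_process(Path(d))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The offsets in `findings` are what you would then map back to files, slack or unallocated space with a file-system parser; this script only records them. Note that the post-replacement hash is expected to differ from the original: that difference, together with the recorded offsets, is the audit trail for the working image.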
(@tricah2)
Active Member
Joined: 15 years ago
Posts: 17
Topic starter  

It is possible that if it's a PST file it can be done, so the "you're not" part is not really correct.

I'm not new to this field, I am just a person with a question like a lot of others here.

Noticed that you use words like "can't", "always", and "you're not". On the first day of the first forensic class I ever took, they said to stay away from those words; it can be the end of credibility when an opposing attorney, the attorney who hired you, a judge, or another expert picks apart just one of those no-no words, and you can find yourself struggling to save face.

I'll report back when the work is done to let everyone who helped out know what happened.

> You can't get there from here. Ignore unallocated. Ignore encrypted files. Ignore slack. Ignore all the weird crap.
>
> Let's talk about email.
>
> A can of Coke says that both sides care about responsive & privileged email. In fact, at the end of the day, the attorneys will probably spend far more time reviewing email than they spend reviewing anything else. Litigation always comes down to email.
>
> So… how are you going to redact privileged emails inside of PSTs?
>
> You're not.
>
> The way to do this is to search for responsive items. Then you search that set for privileged items, being somewhat conservative, and let one side review the "potentially privileged" items while the remainder are reviewed by the other side. In both cases, you will end up making derivative PSTs or collections of MSGs.
>
> What you almost certainly can't do is find everything inside of a PST, overwrite the hits, and have something usable. First, you likely won't find all possible hits searching the PST as a flat file. Second, even if you did, overwriting those hits is risky and may corrupt the PST. Third, and most importantly, it's not the search hit that makes the item privileged, it's the human understanding of the whole item, as rightfully pointed out by Mr. Kovar. Fourth… clawback gives you an out.
>
> While it's nice to have a full image, it almost sounds like both sides in this matter would be better off agreeing to a logical collection of native files, via robocopy, and letting the defendant produce responsive email after privilege review.
>
> Jon


   
(@tricah2)
Active Member
Joined: 15 years ago
Posts: 17
Topic starter  

Pretty cool Jhup, thanks.

Whatever the process ends up being, it will come with caveats and I believe both sides are aware of that.

I think the "I would walk away" part would be dependent upon how much you were being paid. Are you telling me that if someone came to you and said, "We'd like you to work this out and we are paying 175k," you would say walk away? Or, "Yes, I will get right on that and start working out possible solutions"?

> First, I hope this is an employer, not a contract situation.
>
> I would walk away from this if it was a contract job. You are the expert. If you say "this is the process" then that should be taken by your attorney as gold. (Of course the process better be gold!)
>
> . . . There are tools out there that can take any type of file, including dd, and look for a string and replace the string, as some have already mentioned. It was also mentioned that in some cases such "replacement" can corrupt files.
>
> Are you saying you need to do something like this? . . . or am I totally still under the weather?
>
> hash original
> create dd image of image-master from original
> hash image-master
> compare hash of original to hash image-master
> create dd image of image-working from original
> hash image-working
> compare hash of original to image-working
> grep for string pattern across image of image-working
> record findings
> associate finding with files, slack, open space, etc (presuming image was searched as raw binary)
> replace findings in image-working
> use image-working for whatever . . .


   
(@jonstewart)
Eminent Member
Joined: 16 years ago
Posts: 47
 

> It is possible that if it's a PST file it can be done, so the "you're not" part is not really correct.

How do you make the privileged context go away just by string replacing a hit? This sounds almost more like a PII-sanitation effort than privilege redaction.

> I'm not new to this field, I am just a person with a question like a lot of others here.
>
> Noticed that you use words like "can't", "always", and "you're not". On the first day of the first forensic class I ever took, they said to stay away from those words; it can be the end of credibility when an opposing attorney, the attorney who hired you, a judge, or another expert picks apart just one of those no-no words, and you can find yourself struggling to save face.

True, but we're not on trial. The best advice I can give you, like others here, is to find a different approach, rather than bear through this one. I've handled many weird situations like this, coming up with the script to do this or that, and in almost all cases all parties would have been better off with a standard process. Absolutes make this advice clear.

But if you're going ahead anyway, just use find/replace in a hex editor.

Jon


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Hmmm…

Some call me sick. They suggest I have undiagnosed OCD about certain things, such as when I get pricing. I make weighted matrices with pros, cons, costs, benefits, etc. I am an "Excel jockey". My spreadsheet workbooks are so intertwined, only I and the spreadsheet grasp it.

There could be scenarios where I would walk away. 175K sounds really nice, but if it takes over 3 months of man-hours, suddenly it isn't that much money, especially when two things come into play: 1) annoyance, irritation, and disrespect beyond a tolerable level, and 2) a high potential of failure in results or in court, which can harm credibility.

We do not have the luxury in our line of work to mess up. We do not get second chances. 😯

As for the PST, that is no big deal in my opinion. Unless the individual messages are encrypted (versus the regular PST encryption), it can be dumped into plain text, like .eml, and searched accordingly.

> Pretty cool Jhup, thanks.
>
> Whatever the process ends up being, it will come with caveats and I believe both sides are aware of that.
>
> I think the "I would walk away" part would be dependent upon how much you were being paid. Are you telling me that if someone came to you and said, "We'd like you to work this out and we are paying 175k," you would say walk away? Or, "Yes, I will get right on that and start working out possible solutions"?


   
4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
 

I hope I understand your question…. and building on what Jon said…

Start with active files. Have your counsel give you a list of keywords they feel meet responsive criteria and those that they feel meet privileged criteria.

Use DTSearch or FTK to pull out both sets of files - keep them separate.

Give them to Counsel - have them review "responsive" files to make sure they are germane to the case, and they can forward them to opposing counsel.

Have Counsel review privileged and if there are some that are in that pile but meet responsive criteria, they can decide to forward to counsel.

Depending on your case, the unallocated areas may not even be an issue.

Hope that helps….


   
(@tricah2)
Active Member
Joined: 15 years ago
Posts: 17
Topic starter  

I agree Jhup, we are all talked down to by counsel who see us as overpaid for nothing, even though we make their cases for them.

While I don't know everyone in the business, the several people I have met would love to have a single year making 175, let alone one job, but I do understand the disrespect issue and the "I want it now" vs. "wait a few and get it the way it is supposed to be" issue.

I find it nice that people stuck with me on this issue and continue to offer up help and solutions, understanding that in this one instance giving up is just not an option, and, moving forward, information has now been obtained to alleviate problems like this happening.

> Hmmm…
>
> Some call me sick. They suggest I have undiagnosed OCD about certain things, such as when I get pricing. I make weighted matrices with pros, cons, costs, benefits, etc. I am an "Excel jockey". My spreadsheet workbooks are so intertwined, only I and the spreadsheet grasp it.
>
> There could be scenarios where I would walk away. 175K sounds really nice, but if it takes over 3 months of man-hours, suddenly it isn't that much money, especially when two things come into play: 1) annoyance, irritation, and disrespect beyond a tolerable level, and 2) a high potential of failure in results or in court, which can harm credibility.
>
> We do not have the luxury in our line of work to mess up. We do not get second chances. 😯
>
> As for the PST, that is no big deal in my opinion. Unless the individual messages are encrypted (versus the regular PST encryption), it can be dumped into plain text, like .eml, and searched accordingly.
>
> > Pretty cool Jhup, thanks.
> >
> > Whatever the process ends up being, it will come with caveats and I believe both sides are aware of that.
> >
> > I think the "I would walk away" part would be dependent upon how much you were being paid. Are you telling me that if someone came to you and said, "We'd like you to work this out and we are paying 175k," you would say walk away? Or, "Yes, I will get right on that and start working out possible solutions"?


   
(@mjantal)
Eminent Member
Joined: 16 years ago
Posts: 49
 

Tricah2 -

Curious to know what method you ended up employing on this and how things worked out. Can you fill us in when you have a minute? Thanks!


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

This was in response to a post well back in the thread. I somehow missed that the thread had continued well beyond the post that I was referring to. Please ignore this one….

-David

Greetings,

The post that you cited doesn't really relate to your problem.

Search the disk.
Mark any file with a hit that you want to exclude.
Invert your selection so now you've marked all files except ones with hits.
Copy/unerase these, or create a new logical image of these files.

Now, for unallocated. You could make a copy of unallocated, find all the hits in it, replace all the hits with a string of the same length. That'd address your stated need, but the context of the hits would still be available. You might need to agree with the other party that you'll mask off 200 bytes on either side of a hit. You risk eliminating useful information, of course.

-David


   
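David's four steps for the active files (search, mark files with hits, invert the selection, copy the rest into a new logical collection) as a runnable Python example. This is added here and is not David's or any poster's code: the directory tree and its contents are constructed for the example, the two exclusion keywords are hypothetical stand-ins for a list agreed with counsel, and every file is searched as raw bytes, so the same code ignores file type the way a raw grep would.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Hypothetical keyword list agreed with counsel (constructed for this example).
EXCLUDE_PATTERNS = [rb"PROJECT-ALPHA", rb"attorney-client"]

# Constructed sample tree: relative path -> file contents. Not real data.
SAMPLE_FILES = {
    "docs/memo.txt": b"Re: PROJECT-ALPHA pricing. Do not forward.",
    "docs/notes.txt": b"Lunch order for Thursday.",
    "mail/msg1.eml": b"Subject: hi\r\n\r\nattorney-client communication follows",
    "mail/msg2.eml": b"Subject: schedule\r\n\r\nMeet at 10.",
    "img/photo.bin": bytes(range(256)),  # binary file, searched like any other
}


def write_tree(root: Path, files: dict) -> None:
    """Materialise the constructed sample tree on disk."""
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def files_with_hits(root: Path, patterns) -> set:
    """Steps 1-2: search every file as raw bytes; mark any file with a hit."""
    compiled = [re.compile(p) for p in patterns]
    marked = set()
    for f in root.rglob("*"):
        if f.is_file():
            data = f.read_bytes()
            if any(c.search(data) for c in compiled):
                marked.add(f.relative_to(root))
    return marked


def build_logical_collection(root: Path, dest: Path, patterns) -> dict:
    """Steps 3-4: invert the selection and copy everything else, keeping paths."""
    marked = files_with_hits(root, patterns)
    copied = []
    for f in sorted(root.rglob("*")):
        if not f.is_file():
            continue
        rel = f.relative_to(root)
        if rel in marked:
            continue  # excluded: this file had a hit
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)  # copy2 preserves timestamps for the collection log
        copied.append(rel.as_posix())
    return {"excluded": sorted(p.as_posix() for p in marked), "copied": copied}


def run_demo() -> dict:
    """Build the sample tree in a temp dir and produce the logical collection."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d) / "evidence", Path(d) / "collection"
        write_tree(src, SAMPLE_FILES)
        return build_logical_collection(src, dst, EXCLUDE_PATTERNS)


if __name__ == "__main__":
    result = run_demo()
    print("excluded:", result["excluded"])
    print("copied:  ", result["copied"])
```

Both lists are returned so the excluded set can be handed to counsel for review, matching the "keep them separate" advice earlier in the thread. Unallocated space is untouched by this step, as David notes; it needs the separate masking approach.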
digintel
(@digintel)
Trusted Member
Joined: 17 years ago
Posts: 51
 

> Greetings,
> Now, for unallocated. You could make a copy of unallocated, find all the hits in it, replace all the hits with a string of the same length. That'd address your stated need, but the context of the hits would still be available. You might need to agree with the other party that you'll mask off 200 bytes on either side of a hit. You risk eliminating useful information, of course.
> -David

Sounds like a plan, but that would only mask the hits, not the context of the hits. That would theoretically mean that there are still parts of the data you want to filter, only they are corrupted (say "Johnson" is partly written over, and now says "Johnsox"). Moreover, there are things like scanned images (TIFF, PDF, etc.) that can contain the data you want to exclude in image form (e.g., a fax or scanned letter). I haven't found a solution for dealing with these in a quick and thorough fashion.

I've seen situations like this, and they are often caused by legals who have little clue about forensics or e-discovery. If you have the chance to change the rules, great. If not, expect a very botched investigation, and people blaming you for it afterwards.

-Roland


   
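David's unallocated-space masking and Roland's objection to it, side by side in an added Python example (not code from either poster). The unallocated extract is a constructed byte string: a deleted-message fragment around the name "Johnson", a second bare hit, and a torn fragment "Johns" that an exact search never matches. `mask` overwrites each hit with same-length filler and optionally widens each hit by a context window (David's 200 bytes is one choice for `window`); widened ranges are merged and clamped so overlapping hits are not double-counted. `residual_context` is a hypothetical check that shows what survives: with no window the sentence around the name still reads, with a window it does not, and the torn fragment survives either way.

```python
import re

# Constructed sample of an unallocated-space extract (not real data):
# a torn fragment, a deleted-message fragment around a hit, and a bare hit.
_TEXT = b"...called Johnson re: the settlement figure of 4.2M, do not share..."
SAMPLE_UNALLOC = (
    b"Johns" + b"\x00" * 27   # torn fragment: exact search will not match it
    + _TEXT
    + b"\x00" * 32
    + b"Johnson"
    + b"\x00" * 8
)
PATTERN = rb"Johnson"   # hypothetical name to mask
FILL = b"X"


def hit_spans(data: bytes, pattern: bytes) -> list:
    """(start, end) of every exact hit in the extract."""
    return [(m.start(), m.end()) for m in re.finditer(pattern, data)]


def expand_and_merge(spans, window: int, size: int) -> list:
    """Widen each hit by `window` bytes either side, clamp to the buffer and
    merge overlapping ranges so nothing is masked or counted twice."""
    widened = sorted((max(0, s - window), min(size, e + window)) for s, e in spans)
    merged = []
    for s, e in widened:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def mask(data: bytes, pattern: bytes, window: int = 0):
    """Overwrite hits (and `window` bytes of context either side) with
    same-length filler. Returns the masked bytes and the masked spans."""
    spans = expand_and_merge(hit_spans(data, pattern), window, len(data))
    buf = bytearray(data)
    for s, e in spans:
        buf[s:e] = FILL * (e - s)
    return bytes(buf), spans


def residual_context(masked: bytes, hint: bytes) -> bool:
    """Hypothetical check: did a known piece of surrounding context survive?"""
    return hint in masked


if __name__ == "__main__":
    for w in (0, 20, 200):
        out, spans = mask(SAMPLE_UNALLOC, PATTERN, window=w)
        print(f"window={w:3d} spans={spans} "
              f"sentence survives={residual_context(out, b'settlement')} "
              f"torn fragment survives={residual_context(out, b'Johns')}")
```

The masked buffer is always the same length as the input, so offsets reported to the other side stay valid. The window trades exactly what David warns about: the wider it is, the more unrelated data is destroyed, and it still does nothing for a fragment that the search never found in the first place.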
Page 3 / 3