Yeah Sean, why dig to prove yourself wrong? Why take 30 rulings against spoliation when you can have one for it?
As far as attorneys go Craig Ball is ONE out of 10's of thousands. His opinion on ESI is just that, his opinion.
From The Bar Advisor (http://thebaradvisor.com), under Sample Production Letter:
"For computers and other devices (including portable and home systems) identified, you need to act to prevent modification, destruction or concealment of ESI due to deleting files, overwriting files, using data shredding and erasure applications, defragmenting, reimaging, encrypting, compressing or physical damage."
From the Alabama Council of School Board Attorneys Winter District Meeting on E-Discovery, slide 26, Litigation Hold Data Preservation, item 5:
Suspend routine auto-defragmentation of data on hard drive
From Kroll-Ontrack's Sample Interrogatories (as quoted in Electronic Evidence and Discovery: What Every Lawyer Should Know Now, Lange, M. and Nimsger, K.):
I. Definitions
…
J. Spoliation: Spoliation is the destruction of records that may be relevant to ongoing or anticipated litigation, government investigations or audits. Courts differ in their interpretation of the level of intent required before sanctions may be warranted.
IV. Spoliation of Electronic Evidence
…
E. Data Wiping: For any server, workstation, laptop or home computer that has been 'wiped clean', defragmented, or reformatted such that you claim that the information on the hard drive is permanently destroyed, identify the following:
1. The date…
2. The method…
From the American Law Institute of the American Bar Association (http://ali-aba.org), Opposing Party Sample Preservation Letter:
III. Suspension of Routine Destruction
You are directed to immediately initiate a litigation hold for potentially relevant ESI, documents and tangible things, and to act diligently and in good faith to secure and audit compliance with such litigation hold. You are further directed to immediately identify and modify or suspend features of your information systems and devices that, in routine operation, operate to cause the loss of potentially relevant ESI. Examples of such features and operations include:
…
Executing drive or file defragmentation or compression programs.
From The Judges' Journal, Vol. 47, No. 3, 2008, Large Recording Companies v. The Defenseless:
If the hard drive does not suggest liability, the RIAA will not dismiss the case, but will instead try to claim that the defendant erased something from the hard drive, in one case persuading the judge that an automatic defragmentation scheduler was somehow a basis for claiming spoliation of evidence.
From Golan & Christie's Tips To Avoid a Claim of Spoliation:
2) Be aware of all activities that can change or destroy electronically stored information such as running anti-virus or spy-ware software, defragmentation, and system updates and patches.
I could go on, but my point is simply this: if defragmentation, even Prefetch defragmentation, was not a legitimate concern in the context of preservation of ESI, why is it that so many law firms, legal advocacy groups and litigation support teams make the point that failure to stop automatic defrags can lead to spoliation of evidence?
I certainly wouldn't want to tell my clients "Go ahead! Your chances of getting your wrists slapped are minimal!"
There isn't a hard, fast spoliation rule where defragmentation is concerned; at least not one that should be applied absent a fulsome consideration of the particular facts. Consider this range:
Scenario 1: Windows periodically defrags both the prefetch area and the active data areas by default. The user neither knows nor should know this, isn't expressly told or warned of same and accordingly takes no action to forestall defrag during a time when the user was bound to preserve data.
1. Spoliation? Almost certainly not.
Scenario 2: User knows about periodic system defrag, but despite anticipation of litigation, no reasonable person in user's position would anticipate a forensic examination. User takes no action to disable periodic defragmentation.
2. Spoliation? Likely not. The duty to preserve triggered by anticipation of litigation isn't an unfettered obligation. It's a duty to preserve potentially relevant information. Absent an obligation to anticipate that UAC might contain relevant, discoverable data, there isn't a commensurate duty to preserve information of relevance only to a forensic-level examination.
Scenario 3: Opposing side moves for access to the machine for purposes of performing a forensic examination and, among other things, carving to recover deleted files. The motion seeks a preservation order compelling the user not to take any action to delete, wipe, alter or otherwise take steps to impair the efficacy of a forensic exam. Before the Court rules, user knows that he has previously configured his system to defrag monthly and takes no steps to disable the defrag routine.
3. Spoliation? Very possibly, and likely no Federal Rule 37(e) Safe Harbor because no diligence was exercised in seeking to disable routine destructive practices.
Scenario 4: Opposing side moves for access to the machine for purposes of performing a forensic examination and, among other things, carving to recover deleted files. The Court grants the motion and, on the night prior to the examiner imaging the machines, user manually initiates a defragmentation routine, his first in ten months.
4. Spoliation? Absolutely. The awareness of the impending exam coupled with the intentional initiation of a routine with significant antiforensic impact demonstrates the evil state of mind that, combined with actual prejudice, justifies spoliation sanctions.
One place I see examiners get in hot water is their inability to distinguish between a prefetch defrag (which the user doesn't control and which has little, if any, antiforensic impact) and a user-initiated defrag of all active data via the GUI. The former will be seen on the machines of anyone whose approach to preservation falls short of a complete system shutdown. It's a no harm, no foul event. The latter should not occur once there is a cause to reasonably anticipate forensic acquisition and analysis. The failure to shut down a pre-configured systemic defrag routine in anticipation of litigation falls somewhere in between, and you can't apply a hard, fast rule to it apart from the, "what did you know and when did you know it" information. It may be innocent, negligent or guileful. As ably noted, it depends.
P.S. Yes, I am only one of hundreds of thousands of U.S. lawyers, but I like to think that somewhat fewer than that number devote themselves exclusively to electronic evidence and are trained and certified as computer forensic examiners. There are many more adept commentators on the lists, and I don my trousers one leg at a time. My opinions are just that–one guy's opinions. No one should agree with me simply because I say something. I hope they'll come to agree because they test my arguments–and the science and law behind them–and then arrive at the same conclusions.
Thanks for the undeserved-but-much-appreciated heart surgeon comment.
Craig Ball
craig@ball.net
@seanmcl
Please be accurate when you quote someone; you attributed to me comments actually coming from forensicakb.
Whether those comments are nonsense or not, it's a problem between you and forensicakb.
jaclaz
One place I see examiners get in hot water is their inability to distinguish between a prefetch defrag (which the user doesn't control and which has little, if any, antiforensic impact)
Craig, I agree with you on almost all of your points, but in the case of the above I would add a caution.
Yes, a single Prefetch defrag would have limited effect. But depending upon other actions on the part of the user, 10 prefetch defrags a month can be significant. I looked at a couple of machines on our network for a period of six months and the Prefetch defrags did not always end up in the same locations. While I would not go so far as to say that allowing Prefetch defrags to run for six months would be the equivalent of wiping, given the fact that
1) It is easy to disable.
2) It is easy to create and preserve forensic copies of the media in question in anticipation of litigation.
a party would be remiss if they did not take some action to preserve relevant data.
As to the issue of forensic versus "readily available" examination, while the Courts have been inconsistent on which is generally preferable (with a tendency toward "readily available" in most cases), what is discoverable versus what must be preserved are two different things. One of the "thresholds" for "readily available" is the hardship to the producing party and, as others on this list have pointed out, forensic examination is not necessarily a "hardship" given existing technology. When I look at our rates for forensic preservation and limited examination (to confirm dates and times, usage, etc.), we are very competitive with simple eDiscovery services.
With technologies such as F-Response, it is no longer necessary to perform black box forensics and I can do a lot of enterprise exams for the cost of EnCase Enterprise and similar solutions.
So I guess what I am trying to say is that if it is not a hardship to create a forensic image of the subject media at the time at which legal action is anticipated, whether forensic examination may be performed or not, what reasons exist not to do it?
In this setting, letting the user continue to use the system, with Prefetch defrags, antivirus scans, Windows updates (where do you draw the line?) seems like a risky proposition.
@seanmcl
Please be accurate when you quote someone; you attributed to me comments actually coming from forensicakb.
Sorry. Bitten by the Windows clipboard!
As to the issue of forensic versus "readily available" examination, while the Courts have been inconsistent on which is generally preferable (with a tendency toward "readily available" in most cases), what is discoverable versus what must be preserved are two different things. One of the "thresholds" for "readily available" is the hardship to the producing party and, as others on this list have pointed out, forensic examination is not necessarily a "hardship" given existing technology. When I look at our rates for forensic preservation and limited examination (to confirm dates and times, usage, etc.), we are very competitive with simple eDiscovery services.
Sean, I think you are meaning to say "reasonably accessible" rather than "readily available," at least insofar as that is the standard in Federal Courts employed when describing the thresholds of undue burden or cost.
I'm not shy about recommending forensically-sound acquisition when warranted or, minimally, a disk swap after active data imaging with sequestration of the source (the last being less than optimum, but it's fast, cheap, sufficient in most instances and requires no more expertise than already exists in enterprises with IT personnel).
That said, it's an uphill battle to establish a standard that demands forensic imaging of all potentially responsive, reasonably accessible media. Absent good cause to anticipate the particular evidentiary significance of unallocated clusters or other justification for a cautionary, higher-than-normal level of preservation (e.g., C-level employees or cause to anticipate intentional/foreseeable data destruction), it's just not going to be a routine practice.
The truth of this is only compounded by the emergence of 1.5 and 2 TB drives at the $100 price point. Our imaging technology can't keep up with the demands we face. Has anyone found a way to acquire and authenticate a bitstream of a 2TB drive in under 4 hours?
I stand by my position that the prefetch defrag isn't worth losing sleep over. It's just a routine part of the Windows landscape, and we have too many material threats to evidentiary integrity to keep us awake at night without losing sleep over the prefetch defrag. Just my sense of it. Thanks for your comments.
Has anyone found a way to acquire and authenticate a bitstream of a 2TB drive in under 4 hours?
4 hours actual, no. 4 hours billable, yes, so long as you don't mind getting your drive back the following day. 2TB spread across 4 x 500GB drives in 4 hours actual, yes.
I agree that the increasing size of drives is posing an issue for clients, but it's mostly limited to server systems that they can't take down.
I'm interested to hear why you suggest that a disk swap after active imaging is less than optimal. Is it because they likely aren't using a write blocker? I would have thought that under the rules of evidence the original hard drive would be the best possible evidence, so long as you conduct the usual system checks at the time of imaging and maintain proper documentation and security of the exhibit.
Sean, I think you are meaning to say "reasonably accessible" rather than "readily available,"
Craig
That is what I get for trying to do too many things at once.
That said, it's an uphill battle to establish a standard that demands forensic imaging of all potentially responsive, reasonably accessible media. Absent good cause to anticipate the particular evidentiary significance of unallocated clusters or other justification for a cautionary, higher-than-normal level of preservation (e.g., C-level employees or cause to anticipate intentional/foreseeable data destruction), it's just not going to be a routine practice.
I don't disagree, completely; however, the problem is that the potential producing party may not be completely aware of what the allegations might be and/or what the judge will permit on discovery. And, again, we are not talking about a forensic examination, but preservation. I found, literally, hundreds of documents from various legal sources advising against running AV scans, Prefetch defrags and Windows update until after steps have been taken to preserve the evidence so as not to risk spoliation.
As for routine practice, I agree (again) that forensic examination will not be the standard practice unless the case warrants it, but that is different than saying that one shouldn't be proactive.
As an example, in a case that I worked on in 2006, the judge issued an adverse inference instruction to the jury on the basis of the fact that the user, after experiencing a BSOD, ran two AV scans and did not turn off Prefetch defragmentation. The allegation was that an ex-employee had made off with trade secrets. Even though there were NO traces of any of the plaintiff's IP on the system, an adverse inference instruction and/or summary judgement is a pretty steep price to pay relative to the $100 or so for the duplicate media. The argument made by counsel for the opposing party was that the documents in question were so small that it was not inconceivable that they had been overwritten by the continued use of the computer and that was enough to convince the judge.
Note, also, that the preservation order merely forbade the deliberate deletion or alteration of responsive files on the system and did not prohibit continued business use, yet the judge was not swayed.
As I noted, the producing party may have appealed this had the case gone to trial but it settled before that happened.
As a result of this case, the law firm that retained me now makes it SOP to secure ALL computers that may be involved in litigation and get forensic images as soon as is possible. At a cost of a few hundred dollars per desktop/laptop, that is a drop in the bucket compared to what could be at risk were another judge to make the same determination.
And while we are on the subject of costs, the cost to litigate just the spoliation charge was well over $100k per party, including attorney fees and witness fees. It would have cost less than $500 to image an 80 Gbyte laptop drive. It cost more than that for the defendant's attorney to write the response.
Sometimes winning is less important than what you can cost your opponent. I leave nothing to chance insofar as my clients go.
I agree that the increasing size of drives is posing an issue for clients, but it's mostly limited to server systems that they can't take down.
Actually, I am seeing an increasing number of preservation efforts where the client expects to get the system back the same day that it has been handed over for imaging. That can be tough even for some of the fastest hardware forensic duplicators.
For example, while the Solo III Forensic specs talk about "exceeded 3 Gbytes/minute", in my real-world experience I'm lucky to get close to half that. Add to that hashing of the duplicate drives, and I can easily expect 4+ hours.
And if you don't wipe the working copy drives ahead of time, you have to add to that the time that it takes to wipe the remainder of the disk.
I haven't looked at the newest Voom or ICS devices because, frankly, with new SATA and USB specs, shelling out now for these seems a bit pointless.
As we know, defragging collects file sectors and joins them into a contiguous string. Guess what's usually in that last sector? Yes, boys and girls, slack space!
And guess what sometimes resides in that same slack space? Incriminating data! Data, such as cookies, chat transcripts, etc.
Defragging does not wipe the original sectors; it just brings the "pieces" together.
I've worked cases where the subject defragged their HD and shot themselves in the foot as a result. The defrag process created a new copy of the slack space info and left the original elsewhere on the drive.
Gotta love it!
D
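The two effects argued over in this thread, that a defrag pass overwrites unallocated clusters (Sean's spoliation worry) and that it leaves a second copy of the moved clusters, slack included, behind in the freed space (D's point), can both be seen in a toy cluster-level model. The following is an added illustration, not code posted by any participant and not a model of the real Windows or NTFS defragmenter: it assumes 8-byte clusters, a naive defragmenter that copies whole clusters into the first contiguous free run and frees the old clusters without wiping them, and entirely constructed file contents.

```python
"""Toy cluster-level model of a file defragmenter's effect on slack space and
on unallocated clusters.  Constructed example for illustration only; 8-byte
clusters and a naive first-free-run defragmenter are assumptions, not a model
of any real filesystem or tool."""

CLUSTER = 8  # bytes per cluster in this toy volume (real NTFS: typically 4096)


class ToyVolume:
    def __init__(self, nclusters):
        self.clusters = [bytearray(CLUSTER) for _ in range(nclusters)]
        self.allocated = [False] * nclusters
        self.files = {}  # name -> (size, [cluster indices in file order])

    def write_file(self, name, data, at):
        """Place `data` into the explicit cluster list `at` so a fragmented
        layout can be built.  Bytes past the end of `data` in the last
        cluster are left exactly as they were: that is the file slack."""
        assert len(at) * CLUSTER >= len(data) > (len(at) - 1) * CLUSTER
        for i, c in enumerate(at):
            assert not self.allocated[c], f"cluster {c} already in use"
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.clusters[c][:len(chunk)] = chunk
            self.allocated[c] = True
        self.files[name] = (len(data), list(at))

    def delete_file(self, name):
        """Like a real delete: only the allocation bitmap changes."""
        _, at = self.files.pop(name)
        for c in at:
            self.allocated[c] = False

    def free_run(self, length):
        """First contiguous run of `length` unallocated clusters."""
        run = []
        for i, busy in enumerate(self.allocated):
            run = [] if busy else run + [i]
            if len(run) == length:
                return run
        raise RuntimeError("no contiguous free space")

    def defragment(self, name):
        """Naive defrag: copy each cluster whole (data AND slack) into a
        contiguous run, repoint the file, free the old clusters unwiped."""
        size, old = self.files[name]
        if old == list(range(old[0], old[0] + len(old))):
            return old  # already contiguous, nothing moves
        new = self.free_run(len(old))  # file's own clusters are still allocated
        for src, dst in zip(old, new):
            self.clusters[dst][:] = self.clusters[src]
            self.allocated[dst] = True
        for c in old:
            self.allocated[c] = False  # freed, not zeroed
        self.files[name] = (size, new)
        return new

    def find(self, needle):
        """Clusters whose raw bytes contain `needle`, allocated or not: what a
        keyword search or carver over a full image would see."""
        return [i for i, c in enumerate(self.clusters) if needle in bytes(c)]


def demo():
    vol = ToyVolume(16)
    # A live contiguous file pins clusters 0-1 so the first free run is 2-3.
    vol.write_file("sys.bin", b"x" * 16, at=[0, 1])
    # A deleted file: its remnant survives in unallocated clusters 2-3.
    vol.write_file("old.txt", b"MEMO-SECRET-OLD", at=[2, 3])
    vol.delete_file("old.txt")
    # Constructed residue in cluster 9, then a fragmented 11-byte file over
    # clusters 6 and 9: "rld" fills 3 bytes of cluster 9, leaving "KIE!!" as slack.
    vol.clusters[9][:] = b"COOKIE!!"
    vol.write_file("live.txt", b"hello world", at=[6, 9])

    before = {"slack": vol.find(b"IE!"), "remnant": vol.find(b"MEMO")}
    new = vol.defragment("live.txt")
    after = {"slack": vol.find(b"IE!"), "remnant": vol.find(b"MEMO"), "new": new}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before defrag:", before)
    print("after defrag: ", after)
```

Running `demo()` shows both sides of the argument at once: the deleted memo that a carver could have recovered from clusters 2-3 is gone because the moved file landed on top of it, while the slack bytes from cluster 9 now exist twice, once in the relocated file's last cluster and once in the unallocated original. Whether a given pass destroys or duplicates evidence therefore depends on which free run the defragmenter happens to pick, which is why a real volume's outcome is not predictable in advance.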