John, the last time you were interviewed at Forensic Focus you were the Vice Chairman and Chief Legal Officer at Guidance Software. Now you’re the founder and CEO of X1 Discovery – tell us about that move.
I am proud to have been a co-founder and part of the senior team at Guidance Software for ten years. The early days at Guidance were exciting as we sowed new fields, just as we are doing now at X1 Discovery. At Guidance, we first pioneered Windows-based forensics, which was the new paradigm and represented an order of magnitude improvement over DOS-based forensics. Then circa 2004, we introduced and championed the concept of enterprise in-house eDiscovery, a strategy that ended up being Guidance’s main force of growth leading to our IPO in 2006. So after leaving in 2009 and engaging in consulting projects through 2010, I began discussions with X1, an Idealab Company that I always thought had excellent search technology for both the desktop and the enterprise. At first the intent was to sit on the board as an investor but then I learned about the IP they were developing for social media, and I also became excited about the promise of X1’s enterprise server to be a very robust eDiscovery early case assessment and first pass review solution. So to make a long story short, the board at Idealab – which is our parent company – offered to have me head up X1 Discovery as a spin-off to X1 Technologies, with ownership of all our intellectual property. It was a great opportunity and the Idealab board has been very supportive and enabled me to recruit some outstanding talent and assemble a great team.
What does X1 Discovery do? What makes it different from the other eDiscovery companies which have entered the market in the past few years?
At X1 Discovery we are pioneering the new fields of forensics and eDiscovery of social media and cloud-based data. I have always been interested in where the puck is going as opposed to where it is now, and we believe X1 Discovery’s disruptive technology is already years ahead of the field. We accomplished this by leveraging our vision and industry experience to effectively build on the patented X1 Search Technology.
Tell us more about your products, X1 Social Discovery and X1 Rapid Discovery.
X1 Social Discovery, launched in October 2011, is basically like EnCase or FTK for social media and website collection. It is a desktop application specifically designed for computer investigators and legal professionals that we believe is the clear market leader in its class. X1 Social Discovery’s two core benefits are scalability and defensibility. It can collect tens of thousands of social media items in a few hours and up to millions in a few days, and then instantly search and filter those items with the patented X1 fast-as-you-type indexed search. X1 Social Discovery is very defensible as we are establishing a chain of custody with case management, evidence segregation, logging, and MD5 hashing of all collected items. Also, social media sites are accessed read-only, which is important as visiting a live Facebook page can easily cause changes to the page and its metadata. Finally, we collect all available metadata on social media sites. A Facebook item alone has over two dozen unique metadata fields and we preserve and collect all of them.
Our other product, X1 Rapid Discovery, is a proven, and now with the release of version 4, a truly cloud-deployable, eDiscovery and enterprise search solution that enables users to quickly identify, search, and collect distributed data wherever it resides in the IaaS cloud or within the enterprise. Just this past week we were the first eDiscovery company accepted into the Amazon Web Services (AWS) Solution Provider program. Importantly, it’s a non-appliance software solution that is very easy to install and configure. So in addition to the cloud, X1 Rapid Discovery is quickly deployed in the field on the investigator’s own hardware to collect data from servers and/or to index, cull and search through up to terabytes of collected data.
Let’s talk careers for a moment. Not that long ago digital forensics graduates faced a fairly well defined career path, perhaps starting as a junior analyst being tasked with basic disk imaging duties before moving into a more analytical or management role. These days “eDiscovery” is frequently in the headlines and some students are confused as to whether it represents a separate discipline or if their existing training qualifies them to work in the field.
What’s your take on the training required to work in eDiscovery and the career opportunities out there?
To answer the last part first, there are a multitude of career opportunities in eDiscovery. The demand for qualified eDiscovery technicians in North America, Australia and much of Europe is not being met so it is a very lucrative market for those with a background and expertise in computer forensics. I would estimate (admittedly on a non-scientific basis) that roughly 40 percent of the technical professionals in the eDiscovery field migrated from a computer forensics background. Many other eDiscovery practitioners who cut their teeth in traditional litigation support subsequently developed a proficiency in computer forensics through training and tool familiarity.
There are three general steps to the eDiscovery process: 1) collection and preservation, 2) processing or early case assessment and 3) review and production. There are of course sub-categories in the model, but those are the main elements. Computer forensics experts can generally support the first two steps after a fairly brief transition period. Proficiency with evidence collection, reporting, documentation and defending the process through court testimony are qualifications of a computer forensics professional that are highly valued in the eDiscovery realm.
It is also important to note that the two fields are really becoming more integrated. For instance, the US Courts through The Joint Electronic Technology Working Group are developing proposed eDiscovery protocols for criminal cases, adapting many of the provisions of the Federal Rules of Civil Procedure that govern electronic evidence discovery in civil cases. Additionally, with data sets growing larger and larger, eDiscovery methodologies such as large data set processing and analytics are now employed in many criminal investigations. There is a lot more to say on this topic, but the main point is that the two fields, while always related, are now trending toward an even wider intersection.
In your opinion, what is the biggest single challenge currently facing those in the forensics world who also take on eDiscovery services?
I think the biggest challenge is adjusting to the more consultative nature of eDiscovery. Computer forensics experts tend to have a little more autonomy and creative license in their investigations as they explore the deep recesses of hard drives for clues and bits of evidence that can lead the investigation in different directions. In eDiscovery, you are, for one, often faced with pressing and sometimes unreasonable time constraints. Then you must take direct orders from an attorney who may or may not really know what they need or what direction is required to obtain their result. So if a young associate attorney directs the eDiscovery consultant to run hundreds of non-inclusive keywords across many gigabytes of data, the consultant needs to be able to tactfully suggest alternative approaches, all while managing expectations and aggressive deadlines. The flip side of this challenge is that the experts who are able to combine their technical forensics capabilities with adapted professional consulting and project management skills are the ones whose careers rapidly advance, often to the managing director level of major consulting firms.
What does the future hold for X1 Discovery? What can we expect to see in the next year or so?
I’m actually very excited about our upcoming point release – version 2.6 – of X1 Social Discovery in a few weeks. We are expanding our website capture to include full website crawling and scheduling. The scheduling feature will allow for re-capturing webpages that have changed since the previous capture. Version 2.6 will also have full search federation so that if you have hundreds of thousands of Twitter, Facebook and LinkedIn items as well as hundreds of captured webpages in your case, you can instantly search across them and immediately review the aggregated results. And that is what you can expect from us going forward – rapid and innovative development to keep our products on the cutting edge. Look also for announcements in the coming weeks about partnerships with forensics organizations as well as cloud providers.
Finally, when we spoke last you’d recently taken up scuba diving as a hobby – how did that go?
I’ve managed to avoid the decompression chamber, so I guess it has gone reasonably well! I’ve logged about 40 dives so far but would like to get in the water more – it’s a lot of fun.