Can you tell us something about your background before joining Guidance Software? Why did you decide to focus on technology law?
After law school I practiced commercial litigation for about 8 years before joining Guidance Software in 1999. During my pre-1999 litigation days, when we conducted paper-based discovery or oversaw internal investigations for a client, I always wondered about the information on the workstations and email servers. Why wasn’t there a good process to recover that data? Where was the law that governed all the various issues concerning computer-based evidence? It was a relatively uncharted area of the law that presented an exciting challenge. So when the opportunity to work with Guidance arose, it was an easy decision.
Broadly speaking, how knowledgeable is the legal profession with regard to computer forensics?
I think this is a very important question because we’ve seen a dramatic shift in the past two to three years.One notable metric involves the published cases in United States Federal and State Courts that discuss computer forensics in detail. We have an automated case search routine on Westlaw where the legal databases are searched daily for any new decisions that mention the topic. About four years ago, I would see maybe one or two alerts a month on new cases, mostly in the law enforcement context. Today, we see at least two to three new cases each day, and they are evenly split between cases involving criminal prosecution and civil litigation matters.
One of the major reasons for the increased awareness of computer forensics within the legal community is the explosion of electronic evidence discovery (“eDiscovery”) that involves computer forensics in varying degrees. The Amendments to the Federal Rules of Civil Procedure, which went into effect December 2006, address issues of preservation and underscore the importance of a defendable process. These aspects of the rules have reinforced the importance of computer forensics, particularly as an enterprise process. In general, eDiscovery tends to involve a “computer forensics light” approach, if you will, where aspects of traditional forensics such as chain of custody, metadata recovery and preservation, documentation and reporting and an overall defendable process are central requirements. Aspects of traditional forensics that are generally not as important include full disk imaging, deleted file and file fragment recovery, and deep dive analysis involving various artifacts. Generally however, we see computer forensics experts who can effectively add eDiscovery and litigation consulting to their skill sets to be the most effective and most marketable. So in this aspect, knowledge of computer forensics in the legal community has really skyrocketed.
We also see a natural convergence of traditional internal investigations and eDiscovery. Many litigation matters stem from an internal investigation, where traditional forensics is far more prevalent. For instance, IP leakage and trade secret theft by insiders has hit the executive radar and most corporate lawyers responsible for that risk area are now familiar with the importance of computer forensics. Additionally, Sarbanes-Oxley, which at its core is an anti-fraud statute, has also significantly raised awareness of computer forensics in the legal community.
It’s a tremendous opportunity for the forensics community because we are seeing salaries for computer forensics experts with the right enterprise/legal consulting skills top $200,000 (US) in many areas of the country. We are also seeing professionals in corporate IT who were relatively small players a few years ago on the security team and are now being seen by corporate legal as a highly strategic asset, with all the promotions, increased visibility and budgets that come along with that. Ideally the forensic expert should become versed with executive-level consulting or enterprise skill sets in order to best take advantage of this enormous opportunity.
What trends do you see in forensic computing and what new challenges do you envision in the future? How will EnCase evolve to meet these challenges?
The biggest challenge we see is scalability – and this challenge goes hand-in-hand with two very important trends: 1) Increased data storage/volumes and 2) Increased prominence and reliance upon computer forensics as a core executive-level process by large government agencies, corporations, and law firms. Your readers know better than anyone that storage is getting cheaper and the volumes of data in their forensics investigations are increasing each year.
At the same time, and what is exciting about the current state of computer forensics, is that every day in the world somewhere a senior executive at a large government agency or corporation is calling that organization’s computer forensics lead into their office and informing them that either the company’s network has been compromised, or that the organization has been subpoenaed in a major legal action, or that the board of directors has ordered a high profile fraud investigation, and thus a major enterprise-wide computer investigation is required right away. We now routinely see such scenarios where hundreds if not thousands of workstations and servers need to be analyzed and collected from in short order. So the question becomes: how is this accomplished in a reasonable timeframe, while maintaining proper and defensible protocols, without costing millions of dollars? That is a question we think about a lot and why our enterprise approach relies on the power of the company’s network infrastructure. In such a now-common scenario, computer forensics investigators often address many terabytes of data in a single investigation. Unless you want to take 6-12 months, dramatically disrupt operations and run up millions in costs, all those terabytes should not be collected. Instead, the data needs to be triaged at the point of collection to quickly identify what is relevant, and what is not relevant. This can be accomplished through hash and verified file signature analysis, keyword searches, and other search protocols at the point of collection.
We want to make sure the computer forensics lead in that organization is empowered with the right capability to address such critical challenges. Because it is clear that these executives are looking to address these challenges one way or another. In fact, one disturbing and very recent trend is that some organizations are being told they can solve all their investigation problems by “simply” migrating all their data to a central location. At one organization I am aware of, the CIO thought he could solve all – not part, but all – of his security and legal computer investigation needs through email archiving and centralized records management repositories. Of course, such solutions can play a supporting role, but the idea that records management repositories and archives are the grand panacea for computer forensics investigations is pure science fiction. The point here is that these high-level decisions are being made and it is important that computer forensics professionals are a key part of that decision making process. And it is our job to ensure they have scalable technology to answer the call.
Validation of a particular methodology or tool is clearly of paramount importance when presenting evidence in court. What is the current status of EnCase? Does this differ from state to state within the US? What is its status abroad?
Validation of the EnCase software is as strong as ever. An important recent development on this front involves the case of Sanders v. State (Texas), where the Texas Court of Appeals reaffirmed the reliability and accuracy of EnCase Forensic software after the defendant challenged the evidence on the pro forma assertion that the State failed to show that the software they used during their investigation was reliable and accurate. While there are several published cases now in the books that reach the same conclusion, two things are very notable about Sanders. For one, the Sanders court took judicial notice of prior court cases which validated EnCase software. This means that the court accepted the prior determinations of other courts in finding that the EnCase software was reliable and met all the requirements under the Daubert/Frye test.
The second unique aspect of Sanders is that the Defendant ultimately appealed the case to the United States Supreme Court. One of the stated grounds of appeal was a challenge to the appellate court’s judicial notice finding regarding the reliability of EnCase. In January 2007, the Supreme Court denied to hear this appeal (Certiorari petition), thus allowing the Texas appellate court’s decision to stand. The Supreme Court’s denial of the Defendant’s certiorari petition gives even stronger weight (beyond just Texas but arguably to all courts in the US) to this important decision regarding the established acceptance and reliability of the EnCase Software.
As far as international decisions, we have several published decisions in Commonwealth countries that favorably mention EnCase in varying contexts. For instance, in a Canadian decision, the question before the court was whether the defense should be given a copy of EnCase for discovery purposes. In laying the foundation for the discussion, the court explains that EnCase is a widely used computer forensic software application.
These US and international decisions are discussed in detail in the EnCase Legal Journal (we just released an updated version in April 2007). The journal can be accessed at: www.encase.com/support/legalresources.aspx
A common criticism of EnCase and other GUI-based forensic suites is that examiners, especially those new to the field, may become overly reliant on the software and its feature-set at the expense of a deeper appreciation of what is going on “under the hood.” How valid are these concerns?
First and foremost, it is always important that a computer forensic examiner obtain as much training as they are reasonably able to. Software tools are only as effective as the examiners driving them and the more training and experience the better. We offer over a dozen different types of training courses, and part of the training in our core forensic courses address the fundamentals such as the inter-workings of file systems, how deleted files are recovered, the details of the EnCase Evidence File and many other issues. There are many other courses available from private colleges, vendor and government providers as well.
EnCase software is designed to be an effective and powerful tool that gets the job done. Again, our goal here is scalability while being true to the forensic fundamentals. In actuality, when it comes to collection and authenticating computer evidence, the law favors an automated process that is repeatable, systemic and thus amenable to audit and review. For instance, U.S. Federal Rule of Evidence 901(b)(9) provides a presumption of authenticity to evidence generated by or resulting from a largely automated process or system that is shown to produce an accurate result. This rule is often cited in the context of computer-processed evidence.
One of the many drawbacks to manual processes is that results from the examiner’s search and recovery process are often subjective, incomplete and variant, and thus difficult to duplicate. There is an important recent case: Lorraine v. Markel American Insurance Company, 2007 WL 1300739 (D.Md May 4, 2007), which serves as an excellent guide to authenticating electronic information in evidence in the civil litigation context. The case addresses Rule 901(b)(9) and the idea of systematic use of file hashes to authenticate large volumes of computer evidence. The focus of the court is all about establishing and documenting a methodical and systemic process for authentication as opposed to using manual tools. (Please feel free to email me at [email protected] if you would like a copy of the decision.)
One of the questions we’re often asked at Forensic Focus is “how do I get started in a computer forensics career?” What advice would you give?
The key to entering this field is proper training. As the technology advances and the industry matures, the requirement for additional training and education are absolutely essential for the digital evidence practitioner to be ultimately successful.
While there are a number of free or inexpensive training resources for law enforcement personnel, the consultant/investigator digital practitioner is slightly less advantaged and must seek out commercial training or college programs to receive the necessary education to qualify as an expert. Guidance Software, Access Data, Wetstone Technologies and Paraben have tool training and some provide a certification process to prove a level of expertise with a computer forensic tool. Additional training and certifications can also be found from professional organizations, such as the SANS Institute and the EC-Council. Non-profit organizations such as the High Technology Crime Investigation Association have international, regional, and local training events for educating practitioners. Last, but not least are the colleges and universities who have recognized the demand for training and education from undergraduate and graduate programs fine institutions, such as Champaign College, George Mason University, and University of New Haven, to mention just a few. (Special thanks to Bill Siebert for augmenting this information).
What do you do to relax when you’re not working?
With work and family, including my 4 and 7-year old daughters, its difficult to find free time, but recently I’ve taken up scuba diving.
John Patzakis joined Guidance Software at the end of 1999 as General Counsel and held the position of President and CEO from 2001 to 2004. Patzakis now leads Guidance Software’s legal and regulatory strategy. As Vice Chairman and Chief Legal Officer, Patzakis employs his combined legal and technical experience in computer investigations and regulatory frameworks to educate the market and support customers on computer evidence and compliance matters related to computer security, electronic evidence discovery and corporate governance.
Prior to Guidance Software, Patzakis practiced law for eight years in Los Angeles, focusing on business litigation and technology law. Previously a partner and founder of the law firm Corey & Patzakis, Patzakis received his Juris Doctorate from Santa Clara University School of Law and his Bachelor of Arts degree from the University of Southern California.
Patzakis frequently lectures and is extensively published on computer forensics, electronic evidence and corporate governance issues. He is author of the EnCase(r) Legal Journal, a widely read publication focusing on issues surrounding computer forensics and electronic evidence. Patzakis is a member of the High Technology Crime Investigation Association (HTCIA), The National Association of Corporate Directors (NACD) and the Information Systems Security Association (ISSA). He is also a member of the steering committee for the ISSA’s Generally Accepted Information Security Principles (GAISP) project.