Access to Computer Hard Drive Images Not an Inherent Right During Litigation

Although parties to litigation have a duty to preserve electronic data, they may not be required to produce the data that has been preserved. In a recently published article, Access to Computer Hard Drive Images, Fordham analyzes two decisions where courts have denied production of the entire hard drive. (See, Peskoff v Faber, 2007 WL 2416119 (D.D.C.) and Calyon v Mizuho Securities USA, Inc., Slip Copy, 2007 WL 1468889 (S.D.N.Y.)) “Essentially these courts have taken the position that production and discovery of imaged hard drives is not an inherent right of the requesting party even if the data is easily accessible,” Fordham said… “Whether data is producible still turns on its relevance to the case as well as other factors,” says computer forensics expert Greg Fordham of K&F Consulting.

With the advent of decisions like Peskoff and Calyon, Fordham says litigators are likely to encounter greater resistance to production of entire computer hard drives unless the requesting party can effectively justify their requests by showing:

– discovery “discrepancies and inconsistencies”; or
– a nexus between the computer hard drive and the act initiating the lawsuit; or that,
– the producing party was not capable or willing to produce the requested information.

The full text of his article, including citations, is available and may be downloaded at no cost from www.knfcon.com/access2images.pdf. Fordham writes extensively on e-discovery matters and the Georgia Bar Association has approved his e-discovery presentation for CLE credit.


Although the first two criteria cited in Calyon v Mizuho should be easily understood by both requesters and courts, the third criterion is more involved and Fordham provides suggestions in his article.

“In the end, there may be no substitute for production of the entire hard drive. In those cases, the requester will simply need to be persistent and use every opportunity to incrementally convince the court of the merits of its requests and gain access to the evidence so crucial to its case,” Fordham says.

About K&F Consulting

With offices located in the metro Atlanta area, K&F Consulting services a nationwide clientele. The firm provides a variety of e-discovery, damages quantification, and computer forensics including database forensics and software forensics services. For more information on K&F Consulting visit www.knfcon.com or call 770-642-0311.

SOURCE K&F Consulting

http://www.knfcon.com
