Computer Forensics News
May 2008 | Vol. 6, Iss. 5
Cyber Crime & Computer Forensics News


In This Issue:

From the Bench: Judges Determine Protocol for Computer Examinations
The Brill Files: How Quickly Can You Detect an Incident?
Technology You Should Know: Incident Response - Technical & Legal Considerations
News & Events

From the Bench: Judges Determine Protocol for Computer Examinations

Court Orders Affidavit Describing Computer Forensic Examination Details
Equity Analytics, LLC v. Lundin, 2008 WL 615528 (D.D.C. Mar. 7, 2008). In this suit, the plaintiff claimed the defendant, a former employee, illegally accessed electronically stored information after being terminated. The parties agreed a computer forensics examination was necessary to analyze the defendant’s computer, but could not reach agreement on how the examination should proceed. To protect his privacy, the defendant sought to restrict the search by keywords and file type, but the plaintiff argued such a search would be underinclusive. Recognizing that the effectiveness of a particular search methodology requires expert testimony, Magistrate Judge Facciola required the plaintiff to submit an affidavit from its examiner explaining, inter alia, the limitations of the proposed search, how the search is to be conducted, whether a mirror image would be a perfect copy and whether there would be some reason to preserve the drive once imaged.

Court Sets out Detailed Protocol for Computer Forensic Imaging of Electronic Storage Devices
Xpel Tech. Corp. v. Am. Filter Film Distrib., 2008 WL 744837 (W.D.Tex. Mar. 17, 2008). In this copyright infringement claim, the plaintiff filed a motion for expedited computer forensic imaging of various electronic media. Finding the plaintiff had demonstrated good cause under Fed.R.Civ.P. 26(d), the court ordered the defendant to produce computers, servers and other electronic storage devices for bit-for-bit imaging by a specified forensic examiner. The court also ordered authentication of the images via comparison of their MD5 hash values to the originals.
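The Xpel order illustrates the usual way a bit-for-bit image is authenticated: hash the source and the image and compare the digests. The following is an added example of that verification step written for this newsletter; it is not code from the court order or from Kroll Ontrack. It reads both files in fixed-size chunks so multi-gigabyte images need not fit in memory, records the MD5 the order called for alongside SHA-256 (MD5 detects accidental corruption, but a second algorithm is worth recording because MD5 is no longer collision resistant), and returns a verification record that can go into the examiner's notes. The file names and contents in the demonstration are constructed.

```python
"""Hash-based verification of a forensic image against its source.

Added example for this newsletter, not the court's or the project's own code.
Paths and sample data in demo() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size keeps memory bounded for large images


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, read once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_path, image_path):
    """Compare source and image digests; return (all_match, verification_record)."""
    src = hash_file(source_path)
    img = hash_file(image_path)
    matches = all(src[algo] == img[algo] for algo in src)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "source_md5": src["md5"],
        "image_md5": img["md5"],
        "source_sha256": src["sha256"],
        "image_sha256": img["sha256"],
        "verified": matches,
    }
    return matches, record


def demo():
    """Constructed demonstration: a source file, a faithful copy, and a copy
    with a single bit flipped. Returns (good_copy_verified, bad_copy_verified)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "source.bin")
        good = os.path.join(d, "image_good.dd")
        bad = os.path.join(d, "image_bad.dd")
        data = os.urandom(3 * CHUNK + 17)  # constructed contents spanning several chunks
        with open(source, "wb") as f:
            f.write(data)
        with open(good, "wb") as f:
            f.write(data)  # bit-for-bit copy
        corrupted = bytearray(data)
        corrupted[CHUNK + 5] ^= 0x01  # one flipped bit in the second chunk
        with open(bad, "wb") as f:
            f.write(corrupted)
        good_ok, _ = verify_image(source, good)
        bad_ok, _ = verify_image(source, bad)
        return good_ok, bad_ok


if __name__ == "__main__":
    print(demo())
```

In practice the source digest is taken by the imaging tool at acquisition time (before the drive is touched again) and the comparison is run against that recorded value; hashing the original a second time, as the demonstration does for simplicity, is only appropriate through a write blocker.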

Court Sets out Protocol for Appointment of Computer Specialist
Coburn v. PN II, Inc., 2008 WL 879746 (D.Nev. Mar. 28, 2008). In this gender discrimination claim, the defendants filed a motion to compel the plaintiff to provide supplemental answers to interrogatories and requests for the production of documents. Specifically, the defendants sought a forensic examination of the plaintiff’s home computers, and the plaintiff opposed the request as potentially violating her privilege, privacy and confidentiality interests. Finding the burden of compliance to be minimal, the court set out a protocol for appointing a computer specialist to conduct the examination, whose cost was payable by the defendants. The protocol contemplated agreement of the parties, whereby access to protected information would not result in waiver of the attorney-client privilege. Additionally, the parties were ordered to agree to a time and date for collection whereby the plaintiff’s attorney would maintain the sole copy of the mirror image of the computers.

The Brill Files: How Quickly Can You Detect an Incident?

A while back I received a call from an old friend who had just been appointed CIO at a large organization with nationwide operations. He told me that he was briefed on the company’s processes for log collection, aggregation and analysis. In the briefing my friend learned that the prior CIO had implemented a process of maintaining logs locally, and for only a short time, as he did not want to spend money “worrying about something that’s probably never going to happen.”

My friend, the new CIO, was aghast. “How,” he said, “would we ever know that there was a problem if we don’t maintain, consolidate and analyze the log files? What purpose is served by collecting netflow data from the network if we almost immediately discard it? Even if we found out that something had happened, the data would probably already be gone!”

He also knew that traditional processes for setting up a Security Operations Center (SOC) or going through the process of contracting for a long-term outsourced data concentration and analytic facility would take substantial time, during which the company would be vulnerable to undetected attacks.

Luckily, my colleagues and I at Kroll Ontrack were able to help. We installed a hardware package, a “Quick Deployment Network Sensor Array and Monitoring Package,” otherwise referred to as a “SOC in a Box”, in each of the company’s two data centers. The “SOC in a Box” package permits us to very quickly pull together the data needed to provide security monitoring of the network, pre-process and compress it locally, and forward it over a secure data channel to a 24x7 monitoring center, where dedicated security analysts can monitor the data stream and look for problems. Any and all problems are immediately reported back to our client, who can take appropriate action, with the advice of the monitoring center. The monitoring center also has a portal through which data may be examined and drilled down to understand identified problems.

Within a short time, we deployed the “SOC in a Box” equipment and had it running. Within the first couple of days, the monitoring center detected a number of computers within my friend’s organization that had been compromised by malware and were busily attacking external organizations. It was also noted that highly confidential information supposed to be shared with certain business partners was being transferred in an unencrypted, insecure manner. Once identified, these issues were quickly solved. The company now has the option of continuing the monitoring through the “SOC in a Box” system, moving to in-house monitoring, or selecting another remote-monitoring alternative.
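The two findings above (internal hosts attacking outside organizations, and confidential data leaving for a partner unencrypted) are both visible in retained netflow records, and the prior CIO's short local retention is exactly what would have hidden them. The block below is an added example written for this newsletter, not the "SOC in a Box" software or any Kroll Ontrack code. It runs two simple detections over constructed flow records: a fan-out check (an internal source contacting many distinct external hosts) and a cleartext-port check for traffic to a partner network. The address plan (10.0.0.0/8 as internal, the 203.0.113.0/24 documentation range standing in for a partner), the thresholds and every flow record are assumptions made for the demonstration. The `retained()` helper shows the retention point: the same detections run over only the last five minutes of data find nothing.

```python
"""Netflow-style detections over constructed records, with a retention window.

Added example for this newsletter; not the monitoring service's own logic.
Networks, ports, thresholds and all flow records below are constructed.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # assumed company space
PARTNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # assumed partner (TEST-NET-3)
CLEARTEXT_PORTS = {21, 23, 80}       # FTP, telnet, HTTP: data crosses the wire unencrypted
FANOUT_THRESHOLD = 20                # distinct external peers before a source is flagged
PARTNER_CLEARTEXT_MIN_BYTES = 1_000_000


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def build_sample_flows():
    """Constructed flow records: (minute, src, dst, dst_port, bytes)."""
    flows = []
    # Ordinary browsing from a workstation, one flow every ten minutes.
    for m in range(0, 60, 10):
        flows.append((m, "10.0.1.10", "198.51.100.5", 443, 40_000))
    # A compromised host reaching 30 distinct external hosts on port 445,
    # one every two minutes, so the pattern only appears across the hour.
    for i in range(30):
        flows.append((2 * i, "10.0.5.23", f"192.0.2.{i + 1}", 445, 900))
    # Confidential data going to the partner over FTP in five 1.2 MB pieces.
    for m in range(5):
        flows.append((10 + m, "10.0.2.40", "203.0.113.10", 21, 1_200_000))
    # Same partner, same volume, but over HTTPS: not flagged.
    flows.append((30, "10.0.2.41", "203.0.113.10", 443, 6_000_000))
    return flows


def retained(flows, now_minute, retention_minutes):
    """Only the flows still held under a retention window ending at now_minute."""
    return [f for f in flows if now_minute - retention_minutes <= f[0] <= now_minute]


def find_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Internal sources talking to many distinct external hosts.

    Returns sorted (src, distinct_peer_count) for sources at or over threshold.
    """
    peers = defaultdict(set)
    for _, src, dst, _, _ in flows:
        if _in_any(src, INTERNAL_NETS) and not _in_any(dst, INTERNAL_NETS):
            peers[src].add(dst)
    return sorted((src, len(p)) for src, p in peers.items() if len(p) >= threshold)


def find_cleartext_partner_transfers(flows, min_bytes=PARTNER_CLEARTEXT_MIN_BYTES):
    """Bulk transfers to a partner network on ports that carry data unencrypted.

    Returns sorted (src, dst, port) tuples whose summed bytes reach min_bytes.
    """
    volume = defaultdict(int)
    for _, src, dst, port, nbytes in flows:
        if (_in_any(src, INTERNAL_NETS) and _in_any(dst, PARTNER_NETS)
                and port in CLEARTEXT_PORTS):
            volume[(src, dst, port)] += nbytes
    return sorted(key for key, total in volume.items() if total >= min_bytes)


if __name__ == "__main__":
    flows = build_sample_flows()
    for window in (60, 5):
        kept = retained(flows, now_minute=60, retention_minutes=window)
        print(f"retention {window} min:",
              find_fanout(kept), find_cleartext_partner_transfers(kept))
```

Real flow exporters add protocol, packet counts and bidirectional fields, and a production rule would baseline per-host fan-out rather than use one fixed threshold; the shape of the logic is the same.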

This “SOC in a Box” technology is an example of a service that can have a significant and immediate impact on a client’s security posture. We recognize that it is often not enough to simply determine that a security problem exists - immediate solutions are needed to move toward a solution.

If you would like to explore the opportunity of world-renowned forensics expert, Alan Brill, speaking at a conference you are supporting or organizing, please contact Kristin Husom at 952 516 3781 or at khusom@krollontrack.com.

Technology You Should Know: Incident Response - Technical & Legal Considerations

It is easy to underestimate the range of potential problems that arise when an organization is faced with a cyber-incident. A cyber-incident can range from a hacking intrusion to loss of intellectual property or identity theft: any instance where data is compromised through the use of a computer. It is important to realize that the issues arising from a cyber-incident involve both legal and technical consequences.

If you believe a cyber-incident may have occurred, the first step towards effectively dealing with it is to consider the technical aspects. Begin by answering the following questions:

  • What happened or did not happen? While at first glance it may appear that an incident has occurred, do not assume this to be true without adequate confirmation. The fear of data loss may spark concern that is not necessarily warranted.
  • How did it happen? One must understand the root cause of a breach to effectively remedy the situation. Start by collecting evidence of what happened through custodian interviews, technical inventories, or otherwise, while maintaining a log of your actions. Then, have the evidence analyzed by the proper person on your response team.
  • Who was involved? A determination of who was involved will assist in correcting the incident and mitigating the possible damages.

A response team must also manage important legal aspects. These may include:

  • What must be reported? Certain business arenas are legally obligated to protect non-public, personally identifiable information. In the event of a data breach, these organizations may be required to provide notice to the affected individuals.
  • How should potential evidence be preserved? It may be the case that a breach gives rise to a private cause of action. If there is even a remote possibility that a court case may follow, parties must suspend routine data destruction practices and immediately issue a document preservation (litigation hold) notice. Your legal team will also need to follow up to ensure proper preservation.
  • What is an appropriate internal and external communication plan? In an effort to maintain business continuity, a spokesperson must be appointed who is trained in public relations and data breach situations.

Even the most secure organization is not immune from cyber-incidents. Establishing an incident response plan in advance of a crisis and enabling the incident response team is vital. It is less than ideal to learn to manage a cyber-incident while in the midst of an emergency.
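Two of the steps above, keeping a log of the response team's actions and being able to show later that evidence was preserved, depend on that log itself being trustworthy if a court case follows. The following added example (written for this newsletter, not a Kroll Ontrack tool) keeps a response log as a hash chain: each entry carries the SHA-256 of the previous entry, so an entry altered after the fact breaks verification at that point. The actor names, actions and timestamps in `demo()` are constructed.

```python
"""Tamper-evident incident response action log (hash-chained entries).

Added example for this newsletter; names, actions and times are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(body):
    """SHA-256 over a canonical JSON encoding so field order cannot change the hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class ResponseLog:
    def __init__(self):
        self.entries = []

    def record(self, actor, action, detail, when=None):
        """Append an entry chained to the previous one; returns its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "time": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        body["hash"] = _entry_hash({k: v for k, v in body.items() if k != "hash"})
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, count) if every entry chains correctly, else (False, seq)
        of the first entry whose sequence, link or content does not check out."""
        prev = GENESIS
        for i, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or _entry_hash(body) != entry["hash"]):
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


def demo():
    """Three constructed response actions, then a simulated after-the-fact edit."""
    log = ResponseLog()
    log.record("j.doe", "interview",
               "custodian interview with file server administrator",
               when="2008-05-01T14:02:00+00:00")
    log.record("j.doe", "inventory",
               "listed affected hosts and their backup schedule",
               when="2008-05-01T15:10:00+00:00")
    log.record("counsel", "litigation_hold",
               "preservation notice issued; backup tape rotation suspended",
               when="2008-05-01T16:30:00+00:00")
    before = log.verify()
    log.entries[1]["detail"] = "inventory skipped"   # tampering with entry 2
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(demo())
```

The chain only proves that entries were not changed after the point at which the latest hash was fixed, so the current head hash is normally copied out of band (e-mailed to counsel, printed and initialled) at the end of each working session.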

NEWS & EVENTS

Kroll Ontrack Offers Redesigned Certification Course for 2008
The industry’s legal technology thought leader has revamped its E-Discovery Certification Course for 2008 with updated topics, additional speakers, and dual track, customizable sessions to appeal to beginner, intermediate and advanced learners. The redesigned course curriculum is ideal for legal and technical professionals of all levels, including in-house counsel, law firm attorneys, litigation support professionals, paralegals and IT staff. For more information and to register for an upcoming course, visit: www.krollontrack.com/certification-courses.

Meet our representatives at the following events:

5/19/2008 - 5/22/2008
EMC World
Las Vegas, NV

5/22/2008
Build it, Buy it, or Both: Decisions When Managing Risks Associated with Litigation Preparedness
Online Seminar

6/3/2008
Litigating at the International Trade Commission (ITC) - Expanding Your IP Practice
Washington D.C.

6/12/2008 - 6/13/2008
Kroll Ontrack Electronic Discovery Certification Course
Eden Prairie, MN

6/26/2008 - 6/27/2008
LegalTech West
Los Angeles, CA

8/7/2008 - 8/8/2008
Kroll Ontrack Electronic Discovery Certification Course
Eden Prairie, MN

9/11/2008 - 9/12/2008
Kroll Ontrack Electronic Discovery Certification Course
Eden Prairie, MN

10/16/2008 - 10/17/2008
Kroll Ontrack Electronic Discovery Certification Course
Eden Prairie, MN

Visit www.krollontrack.com/upcomingevents/ for more information on these events and others.

We Request Your Input

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please contact us by writing to jshogren@krollontrack.com.

This newsletter is written by Joni Shogren, a Kroll Ontrack staff attorney with assistance from Gina Jytyla, also a Kroll Ontrack staff attorney. Ms. Shogren can be contacted by writing to jshogren@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.

Kroll Ontrack

9023 Columbine Road | Eden Prairie, MN 55347 | 800 347 6105


Subscription Information

Recently you provided us with permission to send you updates via e-mail. Your information is exclusive to Kroll Ontrack Inc. and is used only to provide information that may benefit you. Kroll Ontrack Inc. does not supply customer information to other third party marketers.

If you would like to change your subscription options, including choosing not to receive any newsletters or sign up for additional newsletters, please visit the link below to access our newsletter service center and follow the easy, on-screen instructions.

www.krollontrack.com/newsletter-center/login.aspx

This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.

© 2008 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.