
The Truth Will Set You Free

Leveraging Forensic Technology to Achieve Intelligent Search


By Devin Krugly, Director of Corporate Development, AccessData Group

The value of computer forensic technology beyond criminal investigation is becoming widely accepted, as evidenced by a report published in December 2010 by The Council on Library and Information Resources in Washington, DC. The same forensics software that indexes a criminal suspect's hard drive allows the archivist to prepare a comprehensive manifest of the electronic files a donor has turned over for accession; the same software that allows the forensics investigator to create an algorithmically authenticated image of a file system allows the archivist to ensure the integrity of digital content once captured from its source media; the same data-recovery procedures that allow the specialist to discover, recover and present as trial evidence an erased file may allow a scholar to reconstruct a lost or inadvertently deleted version of an electronic manuscript and do so with enough confidence to stake reputation and career. [1]

Today the realms of information management and digital investigations clearly intersect. Yet, there remains confusion around the idea of using a forensic solution for the purposes of enterprise search. The phrase "computer forensics" can be intimidating for those outside the IT department, and non-forensic search vendors are more than willing to perpetuate the confusion. However, forensic analysis capabilities are integral to achieving intelligent search, and there are solutions available that not only enable intelligent search, but provide a collaborative environment to facilitate information sharing, more effective early case assessment and more efficient compliance auditing. This article is intended to shed light on some common misconceptions regarding forensic technology and illustrate for the reader how such an electronic discovery platform can augment your current processes and information management infrastructure.

Computer Forensics Does Not Require Full Disk Imaging

Contrary to the implications made by search vendors that don't have roots in computer forensics, search solutions built on computer forensic technology do not require full disk imaging. There are electronic discovery platforms built on industry-standard computer forensic technologies that have met the high standards required in a court of law, and while these solutions are able to forensically preserve an entire hard drive, they are designed to facilitate complex, targeted enterprise search and collection. These solutions are widely used for many purposes such as e-discovery, compliance auditing and FOIA requests. However, the fact that a solution built on forensic technology gives you the option of full disk imaging is actually a good thing and provides value beyond just enterprise search, a concept that will be addressed later in this article.

Devin Krugly recently joined AccessData from the Exxon Mobil Corporation to guide the growth of the company, as well as product functionality and workflow design requirements. Prior to his current role, Devin led several large multimillion dollar solution design and implementation projects for the world's largest publicly traded company, Exxon Mobil Corporation. His most recent experience was a three-year effort to grow an in-house e-discovery team with proper tools to successfully execute data collection and processing related to litigation. The scope of that project included a year-long process to evaluate potential vendors which led to 24 months of assessing fit and purpose of an e-discovery team and design of an IT infrastructure to support the team's activities. His project team also supported the transition from current to future procedures in scope of the intended solution.

Forensic Solutions Support Large-scale Auditing


The days of standalone computer forensics tools were over many years ago. The enterprise search and collection solutions designed by computer forensics companies have the ability to perform large-scale data audits, and are leveraged by government and commercial organizations to identify data leakage, perform PCI audits and to enforce records retention policies. In addition, organizations utilize the forensic-level auditing to facilitate early case assessment at the onset of litigation without having to collect any files.

This is of great value to organizations handling e-discovery in house, because it gives inside counsel and IT an accurate look at how many documents and emails will have to be collected. In addition, it allows for the testing and refinement of search terms prior to an e-discovery collection. Finally, the large-scale, forensic-level auditing facilitates data mapping to aid in litigation preparedness. The underlying forensic technology enables the solution to expose the data an organization is looking for with greater accuracy than non-forensic tools. The forensic engine is quite literally extended with an architecture that allows network-enabled search and collection on workstations, laptops, network shares, email servers and structured data repositories. Due to the stringent requirements of contemporary forensics, these solutions further push the bounds of current enterprise search solutions by supporting search across all varieties of operating systems and hardware platforms. In addition, using a forensic enterprise search solution, it is even possible to search and collect from laptops that are not attached to the corporate network. Even if an employee is at a café on public WiFi, technology exists that will enable search and collection from that person's laptop.

Forensics is Not Analysis Overkill


If the goal is to achieve intelligent, efficient and comprehensive search, wouldn't an organization want its solution to provide the most thorough search possible? Wouldn't the organization want to be able to have visibility into its deleted documents and emails, as well as any encrypted documents or even documents that have been hidden or obscured? If intelligent search is the goal, shouldn't the solution include the ability to retrieve content from social media outlets or chat applications whenever possible? As confirmed in a recent Deloitte survey and several court decisions, social media is a growing risk and it is becoming necessary for organizations to update their procedures. [2] Finally, when performing e-discovery for the purposes of litigation, isn't it of considerable importance to have the ability to locate and collect files and emails that are open and in use? Small and large organizations alike inherently disguise these obstacles in the course of normal business. It isn't until they are compelled to provide or obtain access to encrypted files or uncover deleted documents that they realize the need for forensic-level search.

Electronic discovery solutions built on a forensic engine are not subject to the limitations of a non-forensic product. Forensic technology is able to handle a broader variety of file types, as well as embedded files, deleted files and encrypted files. Furthermore, documents and emails that are open and in use are not skipped over when leveraging forensic-level search. This deeper visibility into the data is due to the fact that computer forensic technologies were designed many years ago for criminal cases, where ALL evidence on the drive is in-scope. They have been developed and honed to not only look at every part of every file, but also every part of the drive in question. These products continue to evolve in the highly scrutinized environment of criminal law and are held to much higher performance standards.

When you combine large-scale data auditing functionality with the depth and breadth of analysis that comes with a battle-tested forensic technology, you not only get a search solution, but you get an enterprise investigations solution that can benefit a variety of departments, all of which require some form of enterprise search to meet their obligations. Investment in an electronic discovery product with forensic analysis capabilities can be leveraged to address data leakage, early (litigation) case assessment, FOIA requests and internal investigations addressing issues such as intellectual property theft, harassment and fraud.

In addition to breadth and depth of analysis, forensic-level search and collection solutions offer broader reach without requiring expensive infrastructure enhancements. Organizations are able to perform large-scale audits or forensic collection on hundreds, even thousands, of assets to include workstations, laptops (on or off the corporate network), network shares, structured data repositories and email servers. The enhanced reach an organization gains with such a solution is one of several unique benefits stemming from the investigative nature of the underlying technology. Many will find that an electronic discovery solution with forensic capabilities is actually the same cost, frequently less, than non-forensic solutions. Therefore, why would an organization want to invest the same or more money in a solution that does not provide this additional accuracy and visibility?

KMWorld May 2011

Intelligent Search and Forensic Technology


To quote the co-chair of the e-discovery committee at a top-five communications company, "There was no way to tell legal counsel how many hits a search term had within the universe of documents, unless the search term was very simple. The problem is search terms are never simple." This was in reference to an attempt to identify relevant documents and emails using a non-forensic search and collection technology. Clearly, the goal associated with intelligent search is to locate all relevant files wherever they may live. Given the exponential growth of electronically stored information, as well as the increasing complexity of IT infrastructures, it is imperative that an enterprise search solution provide advanced and targeted search and collection, as well as comprehensive reporting. Using forensic-level search and collection gives an organization the ability to use complex search terms and generate comprehensive search reports, as well as the ability to overcome the obstacles presented by complex, encrypted and deleted files, structured data repositories and traveling custodians. Leveraging an enterprise search platform built on forensic technology, an organization is able to access its entire corpus of data and gain greater control over its information assets. Furthermore, this technology can be used to address a wide range of obligations spanning multiple departments. Given the enhanced precision of forensic-level search and the value such a solution presents beyond typical discovery or investigative operations, it makes financial and operational sense to employ a forensic-level solution. It is clearly the intelligent approach to enterprise search.

AccessData Group has pioneered digital investigations and litigation support for 20+ years. The company's AD eDiscovery product addresses the e-discovery lifecycle from litigation hold to the generation of load files for common third-party review tools. Clients also leverage its large-scale data auditing and forensic analysis capabilities to address a variety of enterprise search and investigative needs. 100,000+ users in corporations, government agencies, law firms and law enforcement worldwide rely on AccessData's software solutions. In the 2010 e-Discovery and e-Disclosure report conducted by The 451 Group, AccessData was cited more than any other e-discovery vendor by respondents planning to purchase e-discovery software in the next 12 months. For more information, visit www.eDiscoveryWithAccessData.com

1. Kirschenbaum, Matthew G., Ovenden, Richard and Redwine, Gabriela. 2010. Digital Forensics and Born-Digital Content in Cultural Heritage Collections. Council on Library and Information Resources. Washington DC.
2. E-Discovery: Mitigation Risk through Better Communication, Deloitte Forensic Center, 2010.

Specialized Training is Not a Prerequisite


The need for forensics vendors to effectively address enterprise-class search has been clearly established. Investigations conducted in the complex realities of a 21st century computing environment (SAN storage, mobile phones, removable media, etc.) can require expertise from multiple parties. And because these solutions are used by a variety of people with varying levels of proficiency, the design of these solutions is intended to allow non-technical parties to be able to use them as easily as a 12-year computer investigations veteran.

Some electronic discovery solutions based on forensic technology have simplified Web interfaces, and even a built-in wizard and popup help bubbles to guide users through creating a search. Within that Web interface, the user can view the data in a way that he or she can easily understand. In effect, solutions like this provide customized windows into the data geared toward the different types of users. For example, IT personnel can use the forensic interface to perform deeper analysis. However, a paralegal or records retention manager can view the data within the Web interface and navigate through the search results, just as they would using Windows Explorer.
