Category Archives: Best Practices

The Challenge of Defensible Deletion of Distributed Legacy Data

According to industry studies, it is common for companies to preserve over 250,000 pages and manually review over 1,000 pages for every page produced in discovery. However, when companies cull down their information through systematic execution of a defensible retention schedule, they dramatically reduce the costs and risks of discovery and greatly improve operational effectiveness. The challenge is to operationalize existing information retention and management policies in an automated, scalable and accurate manner, especially for legacy data that exists in many different information silos across larger organizations that face frequent litigation.

This is much easier said than done. Almost all archiving and information systems are built on the centralization model, where all the data to be searched, categorized and managed needs to be migrated to a central location. This is fine for some email archives and traditional business records, but does not address the huge challenge of legacy data and other information “in the wild.” As leading information management consulting firm Jordan Lawrence pointed out on our recent webinar, organizations cannot be expected to radically change how they conduct business by centralizing their data in order to meet information governance requirements. Knowledge workers typically create, collaborate on and access information in their group and department silos, which are decentralized across large enterprises. Forcing centralization on these many pockets of productivity is highly disruptive and rarely effective due to scalability, network bandwidth and other logistical challenges.

This leaves the reality that for any information remediation process to be effective, it must be executed within these departmentalized information silos. This past week, X1 Discovery, in conjunction with our partner Jordan Lawrence, presented a live webinar offering a compelling solution to this challenge. Jordan Lawrence has over 25 years of experience in the records management field, providing best practices, metrics and deep insights into the location, movement, access and retention of sensitive and personal information within the enterprise to over 1,000 clients.

In the webinar, we presented a comprehensive approach that companies can implement in a non-disruptive fashion to reduce the storage costs and legal risks associated with the retention of electronically stored information (ESI). Guest speaker, attorney and former Halliburton senior counsel Ron Perkowski, noted that organizations can avoid court sanctions while at the same time eliminating ESI that has little or no business value through a systematic and defensible process, citing Federal Rule of Civil Procedure 37(e) (the so-called “Safe Harbor Rule”) and the case of FTC v. Lights of America (C.D. Cal. Jan. 2012).

Both Ron Perkowski and Jordan Lawrence EVP Marty Provin commented that X1 Rapid Discovery represents game-changing technology to effectuate the remediation of distributed legacy data due to its ability to install on demand virtually anywhere in the enterprise, including remote data silos, its light-footprint web browser access, and its intuitive interface. X1 Rapid Discovery enables effective assessment, reporting, categorization, migration and remediation of distributed information assets by accessing, searching and managing the subject data in place without the need for migration to the appliance or a central repository.

> The recording of the free webinar is now available here.


Filed under Best Practices, Information Management

National White Collar Crime Center Launches Certified Training for X1 Social Discovery

This past month, the National White Collar Crime Center (NW3C), an internationally recognized leader in education and support in the prevention and prosecution of high-tech crime, announced a strategic partnership with X1 Discovery to provide training and support to local, state and federal law enforcement agencies worldwide, as well as to legal, corporate discovery and risk professionals. The partnership will focus on promoting best practices and advanced techniques for website and social media evidence collection and analysis, based upon the X1 Social Discovery software.

Training and certification on a computer investigation process is very important to help bolster the qualifications of a testifying witness. A great example of this is the “on point” case of State v. Rossi, where an Ohio appellate court addressed the issue of authentication of social media evidence. The case involved the expert testimony of a police detective, and the defense unsuccessfully challenged his qualifications as a computer forensics expert. Here is the key quote from the court:

“Det. Roderick testified that he received forensic computer training from the FBI and National White Collar Crime Center. Accordingly, the trial court did not err by allowing Det. Roderick to testify as an expert in forensic computer investigations.” (Emphasis added)

As State v. Rossi tackles social media evidence, best practices for its collection (which were not followed by the defense), the issues of training, expert testimony, and the credibility of NW3C, the case serves as “Exhibit A” for the importance of the NW3C and X1 Discovery relationship.

NW3C has now posted their first schedule of classes online, available here. The classes are open to both law enforcement and private sector professionals. The training curriculum will provide best practices and new methods to collect, search, preserve and manage social media evidence from social media networking sites and other websites in a scalable, instantaneous and forensically sound manner. Participants will learn about specific cases involving critical social media data; find out how to collect and index thousands of social media items in minutes; understand and identify key metadata unique to social media; learn how to better authenticate social media evidence in a safe and defensible manner; and more. Attendees who complete the course will receive a certificate of authorized training on the X1 Social Discovery software, which is designed to effectively address social media content from the leading social media networking sites such as Facebook, Twitter and LinkedIn. In addition, it can crawl, capture and instantly search content from any website.

The cost of the 1-day training is $595, which is a great investment in your credentials and career as an expert witness and computer investigation professional.


> Learn more about this “hands-on” training in our live webinar


Filed under Best Practices, Social Media Investigations

Police Embrace Social Media as Crime-Fighting Tool (CNN Article)

Recently, CNN published an article illustrating how law enforcement agencies are using social media to help solve their cases. CNN reporter Heather Kelly states, “leveraging Facebook is just one of many ways law enforcement officials are gleaning evidence from social media to help them solve crimes.” According to a recent survey performed by LexisNexis on federal, state and local law enforcement officials who use social media, 4 of 5 used social media to gather evidence during investigations. Kelly states, “Half said they checked social media at least once a week, and the majority said social media helps them solve crimes faster.”

Read complete CNN article



Filed under Best Practices, Case Law, Social Media Investigations

Authenticating Internet Web Pages as Evidence: a New Approach

By John Patzakis and Brent Botta

In recent posts, we have addressed the issue of evidentiary authentication of social media data. (See previous entries here and here). General Internet site data available through standard web browsing, instead of social media data provided by APIs or user credentials, presents slightly different but just as compelling challenges.

The Internet provides torrential amounts of evidence potentially relevant to litigation matters, with courts routinely facing proffers of data preserved from various websites. This evidence must be authenticated in all cases, and the authentication standard is no different for website data or chat room evidence than for any other. Under Federal Rule of Evidence 901(a), “The requirement of authentication … is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” United States v. Simpson, 152 F.3d 1241, 1249 (10th Cir. 1998).

Ideally, a proponent of the evidence can rely on uncontroverted direct testimony from the creator of the web page in question. In many cases, however, that option is not available. In such situations, the testimony of the viewer/collector of the Internet evidence “in combination with circumstantial indicia of authenticity (such as the dates and web addresses), would support a finding” that the website documents are what the proponent asserts. Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154 (emphasis added). (See also Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing MD5 hash values as an additional element of potential “circumstantial indicia” for authentication of electronic evidence).)

One of the many benefits of X1 Social Discovery is its ability to preserve and display all the available “circumstantial indicia” – to borrow the Perfect 10 court’s term – to the user in order to present the best case possible for the authenticity of Internet-based evidence collected with the software. This includes collecting all available metadata and generating an MD5 checksum or “hash value” of the preserved data.

But HTML web pages pose unique authentication challenges, and merely generating an MD5 checksum of the entire web page, or just the web page source file, provides limited value because web pages are constantly changing due to their very fluid and dynamic nature. In fact, a web page collected from the Internet twice in immediate succession would very likely yield two different MD5 checksums. This is because web pages typically feature links to many external items that are dynamically loaded upon each page view. These external links take the form of cascading style sheets (CSS), graphical images, JavaScript files and other supporting files. This linked content can be stored on another server in the same domain, but is often located somewhere else on the Internet.

When the Web browser loads a web page, it consolidates all these items into one viewable page for the user. Since the Web page source file contains only the links to the files to be loaded, the MD5 checksum of the source file can remain unchanged even if the content of the linked files becomes completely different. Therefore, the content of the linked items must be considered in the authenticity of the Web page. X1 Social Discovery addresses these challenges by first generating an MD5 checksum log representing each item that constitutes the Web page, including the main Web page’s source. Then an MD5 representing the content of all the items contained within the web page is generated and preserved.

To further complicate Web collections, entire sections of a Web page are often not visible to the viewer. These hidden areas serve various purposes, including metatagging for Internet search engine optimization. The servers that host Websites can either store static Web pages or dynamically created pages that usually change each time a user visits the Website, even though the actual content may appear unchanged.

In order to address this additional challenge, X1 Social Discovery utilizes two different MD5 fields for each item that makes up a Web page. The first is the acquisition hash, which is calculated from the actual collected information. The second is the content hash. The content hash is based on the actual “BODY” of a Web page and ignores the hidden metadata. By taking this approach, the content hash will show if the user-viewable content has actually changed, not just a hidden metadata tag provided by the server. To illustrate, below is a screenshot from the metadata view of X1 Social Discovery for website capture evidence, reflecting the generation of MD5 checksums for individual objects on a single webpage:

The time stamp of the capture and the URL of the web page are also documented in the case. By generating hash values of all individual objects within the web page, the examiner is better able to pinpoint any changes that may have occurred in subsequent captures. Additionally, if there is a specific item appearing on the web page, such as an incriminating image, then it is important to have an individual MD5 checksum of that key piece of evidence. Finally, any document file found on a captured web page, such as a PDF, PowerPoint, or Word document, will also be individually collected by X1 Social Discovery with corresponding acquisition and content hash values generated.
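The per-item hash log, the composite checksum and the acquisition/content hash pair described above can be sketched as follows. This is an added example, not X1 Social Discovery's code: the regex-based BODY extraction, the composite computed over the sorted per-item log, and all function names, URLs and sample captures are assumptions constructed for illustration.

```python
import hashlib
import re

# MD5 mirrors the article; it is not collision-resistant, so swap in
# hashlib.sha256 here if the log must resist deliberate tampering.
def digest(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

BODY_RE = re.compile(rb"<body\b[^>]*>(.*?)</body\s*>", re.I | re.S)

def content_hash(data: bytes) -> str:
    """Hash only the BODY of an HTML item; other items hash whole."""
    m = BODY_RE.search(data)
    return digest(m.group(1) if m else data)

def hash_capture(items: dict) -> dict:
    """Per-item hash log plus one composite digest over the sorted log."""
    log = {url: {"acquisition": digest(d), "content": content_hash(d)}
           for url, d in items.items()}
    lines = "".join(f"{u}\t{log[u]['acquisition']}\n" for u in sorted(log))
    return {"items": log, "composite": digest(lines.encode())}

def changed(old: dict, new: dict, field: str) -> list:
    """URLs whose chosen hash field differs between two captures."""
    urls = set(old["items"]) | set(new["items"])
    return sorted(u for u in urls if old["items"].get(u, {}).get(field)
                  != new["items"].get(u, {}).get(field))

# Constructed sample captures of one page (hypothetical URLs and content).
PAGE, CSS = "https://example.test/", "https://example.test/site.css"
BODY = b"<body><h1>Listing</h1><img src='a.png'></body>"
def page(token: bytes) -> bytes:
    return (b"<html><head><meta name='req-id' content='" + token + b"'>"
            b"<link rel='stylesheet' href='site.css'></head>" + BODY + b"</html>")

cap1 = hash_capture({PAGE: page(b"1001"), CSS: b"h1{color:black}"})
cap2 = hash_capture({PAGE: page(b"1002"), CSS: b"h1{color:black}"})   # only hidden tag differs
cap3 = hash_capture({PAGE: page(b"1002"), CSS: b"h1{display:none}"})  # only linked CSS differs

if __name__ == "__main__":
    print("1->2 acquisition:", changed(cap1, cap2, "acquisition"))
    print("1->2 content:    ", changed(cap1, cap2, "content"))
    print("2->3 acquisition:", changed(cap2, cap3, "acquisition"))
```

Between the second and third captures the page source hashes identically while the stylesheet entry and the composite both change, which is the case a source-file-only checksum would miss.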

We believe this approach to authentication of website evidence is unique in its detail and presents a new standard. This authentication process supports the equally innovative automated and integrated web collection capabilities of X1 Social Discovery, which is the only solution of its kind to collect website evidence both through a one-off capture or full crawling, including on a scheduled basis, and have that information instantly reviewable in native file format through a federated search that includes multiple pieces of social media and website evidence in a single case. In all, X1 Social Discovery is a powerful solution to effectively collect from social media and general websites across the web for both relevant content and all available “circumstantial indicia.”


Filed under Authentication, Best Practices, Preservation & Collection