Tag Archives: Guidance Software

Full Disk Imaging is Expensive Overkill for eDiscovery Collection

Early in my tenure as co-founder at Guidance Software (EnCase), we commercialized full-disk imaging circa 2001 with EnCase Forensic edition, which was the first Windows-based computer forensics tool. EnCase Forensic enabled broader market adoption of computer forensic drive imaging, but the tool was originally designed for law enforcement to perform criminal computer evidence seizures. We were thinking more CSI than ESI.

However, soon a funny thing happened. For a two to three year period in the mid-2000s, a majority of standalone forensic software purchases came from eDiscovery service providers. Law enforcement represented a sizable minority during this “surge period” of commercial sector purchases, but we eventually realized that the eDiscovery services community was in the process of standardizing on full disk imaging as their default collection practice.

I have a few theories on why this trend occurred, but suffice to say that one of the many reasons that full-disk imaging is burdensome is because the process often involves service providers traveling out to the individual custodians, which is very disruptive to employees, not to mention time consuming. Additionally, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. In a word, this is overkill, with much more effective and efficient options now available.

However, many eDiscovery practitioners continue to collect or direct the collection of Electronically Stored Information (ESI) through full disk forensic “images” of targeted media as a routine practice. Full disk images capture every bit and byte on a hard drive, including system and application files, unallocated space and a host of irrelevant user-created data. While full disk images may be warranted in some limited situations, the expense and burden associated with the practice can be quite extensive, particularly in matters that involve multiple custodians.

The Duty to Preserve Only Extends to Relevant Information

It is established law that the duty to preserve evidence, including ESI, extends only to relevant information. Hynix Semiconductor Inc. v. Rambus Inc., 2006 WL 565893 (N.D.Cal. Jan. 5, 2006) at *27. (“The duty to preserve evidence, once it attaches, does not extend beyond evidence that is relevant and material to the claims at issue in the litigation.”)  As noted by the Zubulake court, “Clearly [there is no duty to] preserve every shred of paper, every e-mail or electronic document, and every backup tape…Such a rule would cripple large corporations.”  Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217 (S.D.N.Y. 2004) (“Zubulake IV”).

The vast majority of ESI on a full disk image will typically constitute irrelevant information. As stated by one court, “imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information.” Diepenhorst v. City of Battle Creek, 2006 WL 1851243 (W.D.Mich. June 30, 2006) at *3. In noting that the “imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties,” the Diepenhorst court declined to require the production of full disk images absent a strong showing of good cause. See also, Fasteners for Retail, Inc. v. DeJohn et al., No 1000333 (Ct. App.Ohio April 24, 2014).

Similarly, in Zubulake v. UBS Warburg LLC, 2004 WL 1620866 at *8 (S.D.N.Y. July 20, 2004) (“Zubulake V”), Judge Scheindlin suggested that eDiscovery could be more manageable for producing parties but still defensible by taking advantage of the development of technology like X1 Distributed Discovery, which would be capable of conducting distributed keyword searches.  She anticipated that, due to the expansion of eDiscovery in coming years, counsel “must be more creative” because:

[It may not always] be feasible for counsel to speak with every key player, given the size of a company or the scope of the lawsuit, counsel must be more creative. It may be possible to run a system-wide keyword search; counsel could then preserve a copy of each “hit.” [FN75] Although this sounds burdensome, it need not be. Counsel does not have to review these documents, only see that they are retained. For example, counsel could create a broad list of search terms, run a search for a limited time frame, and then segregate responsive documents. . .

FN75. It might be advisable to solicit a list of search terms from the opposing party for this purpose, so that it could not later complain about which terms were used.

The recommended collection and preservation approach described by Judge Scheindlin is a far cry from obtaining full-disk images of the hard drives of each potential custodian, and in fact maps directly to the capabilities of X1 Distributed Discovery.

Courts do require that ESI be collected in a forensically sound manner, which does not mean a full forensic disk image is required, but generally does entail that metadata is not altered and a documented chain of custody is maintained. Historically, eDiscovery collection efforts not involving full disk imaging would often result in the loss or alteration of metadata. More advanced enterprise class technology, such as X1 Distributed Discovery, can accomplish system-wide searches that are narrowly tailored to collect only potentially relevant information while preserving metadata at the same time. This process is better, faster and dramatically less expensive than manual disk imaging. As with the Zubulake V decision, which advocates employing technology to perform “system-wide keyword searches”, courts recognize that advanced computer software can be deployed to limit the scope of computer searches and thus support reasonable discovery efforts.

With X1 Distributed Discovery (X1DD), parties can perform targeted search collection of the ESI of thousands of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%). This method is sound from an evidentiary standpoint as the collected data is preserved in its native file format with its metadata intact. X1DD features a solid chain of custody and robust logging, tracking and reporting.
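The targeted collection described above (keyword, date range and file type filters, native copies with timestamps intact, a hash manifest for chain of custody), as an added Python example; it is not X1's code, and the function names, manifest fields, SHA-256 digest and sample files are assumptions of the example.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def file_hash(path):
    h = hashlib.sha256()  # digest choice is an assumption of this example
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(source, dest, terms, start, end, exts):
    """Copy only files matching type, date range and keyword; return a manifest."""
    manifest = []
    for src in sorted(Path(source).rglob("*")):
        if not src.is_file() or src.suffix.lower() not in exts:
            continue
        st = src.stat()  # record timestamps before reading (a read can bump atime)
        if not start.timestamp() <= st.st_mtime <= end.timestamp():
            continue
        body = src.read_bytes().lower()
        hits = [t for t in terms if t.lower().encode() in body]
        if not hits:
            continue
        out = Path(dest) / src.relative_to(source)
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, out)  # native format, byte for byte
        os.utime(out, ns=(st.st_atime_ns, st.st_mtime_ns))  # carry original times
        manifest.append({"relpath": out.relative_to(dest).as_posix(), "terms": hits,
                         "sha256": file_hash(src), "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                         "collected_utc": datetime.now(timezone.utc).isoformat()})
    return manifest

def verify(dest, manifest):
    """Return relpaths whose collected copy no longer matches the manifest."""
    def ok(row):
        p = Path(dest) / row["relpath"]
        return p.is_file() and file_hash(p) == row["sha256"] and p.stat().st_mtime_ns == row["mtime_ns"]
    return [r["relpath"] for r in manifest if not ok(r)]

def build_sample(root):
    """Write a constructed custodian folder (sample data made up for this example)."""
    files = {"docs/merger_notes.txt": (b"Draft terms for Project Falcon.", "2013-06-01"),
             "docs/lunch.txt": (b"Pizza on Friday?", "2013-06-02"),
             "docs/old_falcon.txt": (b"Falcon kickoff", "2009-01-15"),
             "bin/tool.exe": (b"falcon", "2013-06-03")}
    for rel, (body, day) in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        ts = datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp()
        os.utime(p, (ts, ts))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src, dst, utc = Path(tmp) / "custodian", Path(tmp) / "collected", timezone.utc
        build_sample(src)
        rows = collect(src, dst, ["falcon"], datetime(2013, 1, 1, tzinfo=utc),
                       datetime(2013, 12, 31, tzinfo=utc), {".txt"})
        print(rows, verify(dst, rows))
```

Re-running `verify` against the manifest at export or production time is what turns the manifest into chain-of-custody evidence: any copy whose content or modification time has changed since collection is reported.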

The authorities cited above establish that effective technology can enable corporate counsel to establish a highly defensible process that at the same time minimizes cost. Routine full-disk imaging, over-collection, and high eDiscovery costs are symptoms of an absence of a systemized process. By establishing a scalable and system-wide eDiscovery process based upon the latest technology, large organizations can save millions while improving compliance.


X1 First To Offer Social Discovery Certification

by Barry Murphy

Education, training, and certification programs are foundational elements of any profession.  When it comes to relatively new functions like social media discovery, the importance of good training and certification options is amplified.  There is a dearth of expertise coupled with the need for corporations and law firms to address challenges quickly – that combination creates an immediate need for formal and effective training.

The activities within the eDiscovery profession tend to be specialized.  For example, forensic disk imaging requires a specific skill set that is very different from the skill set required to run predictive coding review workflows and projects.  As a result, generic eDiscovery certifications have yet to gain mainstream traction in a meaningful way.  This is not to say such programs are not valuable; they are.  However, given the lack of a standards board or independent third-party that has published a treatise on what it means to be qualified to perform “eDiscovery,” it is difficult for any one certification to be an industry standard.  Further, the eDiscovery profession is a sum of many tasks, most of which are performed by various team members (as opposed to one person being responsible for, or capable of performing, all).  What I hear from eDiscovery professionals when it comes to certification is that there is simply not enough definition as to what it means to be a certified eDiscovery professional.

One type of certification that is more important than ever is vendor-specific (or tool-specific) certification.  Previous eDJ Group research had validated the fact that training and education programs are critically important for the practice of eDiscovery.

Vendor certifications


For years, it has been critically important that forensic investigators be certified on the tools they use – such as Guidance Software’s Encase (EnCE, EnCEP) or AccessData’s FTK (ACE).  Likewise, the Relativity Certified Administrator credential (RCA) from kCura has gained significance in the hosting and review market.  As such, upon joining X1, I was very pleased to hear that the company will offer certification for our X1 Social Discovery tool.  Why is certification for the Social Discovery tool so important?  First, social media is now ingrained in our business lives.  eDJ Group research from September 2013 shows that almost two-thirds of workers now use external social networks like Facebook or LinkedIn for business purposes.

Social Media Part of Business


Second, social discovery is still fairly new and requires in-depth training.  With X1 Social Discovery, users need to understand how MD5 hash values of individual items are calculated upon capture and maintained through export. They need to understand the automated logging and reports that are generated. They need to be educated on the key metadata unique to social media & web streams that are captured through deep integration with APIs provided by the sites and how this metadata is important to establishing chain of custody and authentication.  Given these new challenges, a certification program just makes sense.  Even better, X1’s Social Discovery tool will be the only one on the market with a certification program in place.  That will be an important distinction in the market, especially given the large amount of law enforcement customers for the product (doing things by the book is extremely critical in law enforcement investigations).

The X1 Social Discovery Certification course, offered by DigitalShield, will cover:

  • Introduction to the foundational skills and knowledge needed to understand social media collection, analysis, review and delivery
  • Best practices for locating and collecting social media
  • Providing investigators, digital forensic examiners and eDiscovery practitioners with the technical skills to use X1 Social Discovery
  • Hands-on training using X1 Social Discovery to collect, manage, and analyze data from Twitter, YouTube, Facebook, webmail and websites

To sign up for the training or to learn more, click here >  


eDiscovery Software Industry Faces Transition

Recently, the eDiscovery and litigation support field has seen many developments reflecting a significant shift in the eDiscovery software industry. Greg Buckles and Barry Murphy of The eDiscovery Journal report in several articles and notes in the past few weeks that they see a palpable transition away from software back towards services by corporations seeking to address their eDiscovery requirements. So not surprisingly, there had been various reports indicating reductions in force at several of the top eDiscovery software providers.

Not to pick on Guidance Software, my former company, but they are publicly traded and recently disclosed their aggressive cost-cutting measures. In their PowerPoint presentation, Guidance states that the eDiscovery software field “is maturing…not as many large deals available there” resulting in a strategy for the company to refocus on core computer forensics and computer security, and to pivot toward profitability over topline revenue growth. And I don’t think what Guidance is experiencing is much different than from what many other eDiscovery software firms in the space are going through.

And neither does industry analyst Barry Murphy. “Based on what I see, KCura with their Relativity product is doing well, and I think there has been some good growth in the mobile forensics space, and X1 has done well with X1 Social Discovery in terms of growth and customer acquisition. Other than that, it seems that the remaining eDiscovery software companies are either contracting or experiencing only very modest growth.”

Part of the problem is that many aggressive enterprise eDiscovery deployments never achieve their promise of global scalability. A little over a year ago, the CEO of another eDiscovery and forensics software firm publicly claimed that enterprise-wide Autonomy implementations for eDiscovery, in his opinion, never really worked that well from what he could see. Without commenting on or taking a position on the accuracy of that assertion, the article does reflect broader frustrations I have heard from IT and in-house counsel about eDiscovery software in general that claims to be an end-to-end solution for aggressive and enterprise-wide deployments. As a result, many corporate legal departments and corporate IT have opted to continue to outsource eDiscovery to service providers over attempting to implement enterprise-wide solutions.

On the other hand, and reflective of this trend, services firms in this space are apparently doing quite well and their numbers are growing. There are clearly hundreds, if not over a thousand consulting firms, in North America providing eDiscovery consulting services. In just one metric, two years since we launched X1 Social Discovery, nearly 200 eDiscovery and computer forensics firms have become paying customers, and many more are currently evaluating. Some firms have a single license of X1, many have multiple, even dozens. I think those figures reflect both the number of service providers in this space and the aggressive spending behavior from the providers.

I also think, and of course being biased, that with X1 Social Discovery gaining over 400 paid install sites in just two years since the launch of the product, with 250 percent increase in annual sales in 2013, is quite an accomplishment especially given the status of this market. I think that reflects both the quality of X1 Social Discovery as well as the compelling use case of the collection and preservation of social media data for discovery and investigative purposes. So I want to take this opportunity to thank our customers for making 2013 a great year for us and driving the further development and enhancements of our products.

I’m looking forward very much to Legal Tech New York this year, both to meet with our customers old and new, and to speak with some fellow executives about how they are adapting to the changes in the eDiscovery market and opportunities in 2014. I hope to see you there!


Judge Peck: Cloud For Enterprises Not Cost-Effective Without Efficient eDiscovery Process

Hon. Andrew J. Peck
United States Magistrate Judge

Federal Court Magistrate Judge Andrew Peck of the New York Southern District is known for several important decisions affecting the eDiscovery field including the ongoing  Monique da Silva Moore v. Publicis Group SA, et al, case where he issued a landmark order authorizing the use of predictive coding, otherwise known as technology assisted review. His Da Silva Moore ruling is clearly an important development, but also very noteworthy are Judge Peck’s recent public comments on eDiscovery in the cloud.

eDiscovery attorney Patrick Burke, a friend and former colleague at Guidance Software, reports on his blog some interesting comments asserted on the May 22 Judges panel session at the 2012 CEIC conference. UK eDiscovery expert Chris Dale also blogged about the session, where Judge Peck noted that data stored in the cloud is considered accessible data under the Federal Rules of Civil Procedure (see, FRCP Rule 26(b)(2)(B)) and thus treated no differently by the courts in terms of eDiscovery preservation and production requirements as data stored within a traditional network. This brought the following cautionary tale about the costs associated with not having a systematic process for eDiscovery:

Judge Peck told the story of a Chief Information Security Officer who had authority over e-discovery within his multi-billion dollar company who, when told that the company could enjoy significant savings by moving to “the cloud”, questioned whether the cloud provider could accommodate their needs to adapt cloud storage with the organization’s e-discovery preservation requirements. The cloud provider said it could but at such an increased cost that the company would enjoy no savings at all if it migrated to the cloud.

In previous posts on this blog, we outlined how significant cost-benefits associated with cloud migration can be negated when eDiscovery search and retrieval of that data is required.  If an organization maintains two terabytes of documents in the Amazon or other IaaS cloud deployments, how do they quickly access, search, triage and collect that data in its existing cloud environment if a critical eDiscovery or compliance search requirement suddenly arises?  This is precisely the reason why we developed X1 Rapid Discovery, version 4. X1RD is a proven and now truly cloud-deployable eDiscovery and enterprise search solution enabling our customers to quickly identify, search, and collect distributed data wherever it resides in the Infrastructure as a Service (IaaS) cloud or within the enterprise. While it is now trendy for eDiscovery software providers to re-brand their software as cloud solutions, X1RD is now uniquely deployable anywhere, anytime in the IaaS cloud within minutes. X1RD also features the ability to leverage the parallel processing power of the cloud to scale up and scale down as needed. In fact, X1RD is the first pure eDiscovery solution (not including a hosted email archive tool) to meet the technical requirements and be accepted into the Amazon AWS ISV program.

As far as the major cloud providers, the ones who choose to solve this eDiscovery challenge (along with effective enterprise search) with best practices technology will not only drive significant managed services revenue but will enjoy a substantial competitive advantage over other cloud services providers.
