Data loss and eDiscovery

Unintended data loss is the order of the day, whether due to criminal or malicious activity or to the actions of an unaware end-user. The complexity, variety and volume of data make it difficult to determine what has happened to all the relevant data.

Electronic discovery (eDiscovery) is one answer to this problem, says Bert Snell from Comsec Consulting.

One definition of eDiscovery is:

'Electronic discovery (also called e-discovery or eDiscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. E-discovery can be carried out offline on a particular computer or it can be done in a network. Court-ordered or government sanctioned hacking for the purpose of obtaining critical evidence is also a type of e-discovery.'

One advantage of eDiscovery is that digital data, by its nature, is extremely well suited to investigation. Digital data can be electronically searched, whereas hard-copy documents must be scrutinised manually.

Furthermore, digital data is difficult or impossible to completely destroy, particularly if it gets into a network. This is because the data appears on multiple hard drives, and also because digital files, even if deleted, can be undeleted. In fact, the only reliable means of destroying digital data is to physically destroy the hard drive on which the data is saved.

This, however, can also be a disadvantage: because data is available in many unexpected places, it is easier to compromise. There is always a chance that an unknown copy of the original data is exposed to malicious entities.

Data of all types can serve as evidence. This can include text, images, calendar files, databases, spreadsheets, audio files, animation, websites, computer programs and others. Even malware such as viruses, Trojans, and spyware can be secured and investigated. Email is a particularly valuable source of evidence in civil or criminal litigation. Email often contains a lot of inside information because people are often less careful in these exchanges than in hard-copy correspondence.

Computer forensics, also called cyber forensics, is a specialised form of eDiscovery in which an investigation is carried out on the contents of the hard drive of a specific computer. After physically isolating the computer from external interfaces, a one-to-one digital copy of the hard drive will be made. This copy is digitally signed and secured. All further investigations are done on the digital copy.
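The acquisition step described above, as an added example that is not from the original article: hash the image in chunks, record the result in a manifest, and check both before any analysis starts. HMAC-SHA256 with a shared key stands in here for the digital signature the text mentions; the key, file name, examiner label and manifest fields are constructed assumptions.

```python
import hashlib, hmac, json, os, tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a large disk image never sits in memory

def image_digest(path):
    """Return (sha256 hex digest, size in bytes) of the image file."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
            size += len(block)
    return h.hexdigest(), size

def _mac(key, fields):
    """HMAC-SHA256 over the manifest fields in canonical (sorted) JSON form."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(path, key, examiner):
    """Record the image's hash and size, then seal the record."""
    digest, size = image_digest(path)
    fields = {"image": os.path.basename(path), "sha256": digest,
              "bytes": size, "examiner": examiner}
    return dict(fields, seal=_mac(key, fields))

def verify(path, key, manifest):
    """Return 'ok', 'manifest-altered' or 'image-altered'."""
    fields = {k: v for k, v in manifest.items() if k != "seal"}
    if not hmac.compare_digest(_mac(key, fields), manifest.get("seal", "")):
        return "manifest-altered"
    digest, size = image_digest(path)
    if (digest, size) != (fields["sha256"], fields["bytes"]):
        return "image-altered"
    return "ok"

def demo():
    """Constructed sample: a 3 MiB stand-in image, later changed by one byte."""
    key = b"constructed-demo-key"  # assumption: a real key lives in a key store
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.img")
        with open(img, "wb") as f:
            f.write(bytes(range(256)) * 12288)
        m = seal(img, key, "examiner-01")
        results = [verify(img, key, m),
                   verify(img, key, dict(m, examiner="someone-else"))]
        with open(img, "r+b") as f:
            f.seek(1000)
            f.write(b"\xff")
        results.append(verify(img, key, m))
    return results
```

Checking the seal before the hash separates a tampered record from a tampered image, which matters when the manifest and the copy are stored in different places.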

eDiscovery in all its aspects is an evolving field that goes far beyond mere technology. It gives rise to multiple legal, constitutional, political, security and personal privacy issues, many of which have yet to be resolved.

The privacy aspect in particular is changing; laws demand strict rules on how to handle personal data. It is no longer enough to intend to behave according to regulations; an organisation needs to prove that all relevant measures are implemented and work properly. In case of non-compliance a fine must be paid, and licences can even be revoked.

eDiscovery should be dealt with by a specialist who has past experience in eDiscovery and understands the technology behind the system under investigation. If it is carried out incorrectly, evidence can accidentally be destroyed or rendered no longer useful. Each operating system and application handles and stores data differently. One needs to understand the various data storage and transfer capabilities of each system in order to retrieve data and learn from it.

Electronic data is the driving factor of the world; nearly all organisations are dependent on it. Malicious entities, internal misuse, criminal intentions, and so on are all causes of security incidents. eDiscovery is the basis through which security incidents can be investigated and learned from, and thus solved.

July 2008