by Manfred Riepe
If the public prosecutor comes knocking with an order to seize company data carriers, you had better be ready, forensically speaking, that is. Modern e-discovery is a challenge, one that IT and legal departments should be well prepared to face.
E-discovery specialists have different areas of application – from day-to-day document security and document review to criminal investigations.
Data forensic specialists concentrate on two central tasks: theft of intellectual property and the detection of digital evidence related to antitrust violations.
Companies must be able to submit their electronic documents for external or internal review or for use as evidence in legal proceedings. This requires systematic sorting and searching.
A bank operating on an international scale comes under suspicion: money laundering, insider trading. The investigating judge orders a raid to seize hard disks, laptops, smartphones and data tapes containing countless documents from recent years. For cases involving large claims, the authorities usually have their own IT specialists carry out seizures of this kind. As the defendant cannot provide possible evidence in support of the company’s internal investigation, and in order to avoid self-incrimination, a new field of activity is emerging for private service providers at the crossroads of the IT sector and the legal department: e-discovery (electronic discovery).
E-discovery in criminal law
The work of e-discovery specialists is usually done behind the scenes. Discretion is the name of the game. The public at large tends to become aware of their unseen efforts only when a criminal case strikes a chord. One example is the incident involving a radical Islamist terrorist who murdered 14 people in the U.S. city of San Bernardino before being killed in a shootout with police. Prosecutors suspected that data on the perpetrator’s mobile phone could be relevant to the investigation of financial backers and accomplices. The FBI requested that Apple Inc. create software to unlock the perpetrator’s iPhone. But the company refused, fearing that a tool of this kind could end up going public, making it impossible to guarantee the security of all Apple devices. The press later reported that the FBI had found a way to access the data on the shooter’s mobile phone using “an outside party”. Media channels soon began circulating the name of Israeli service provider Cellebrite. The company declined to comment on the speculations.
This company’s name claimed public attention once again following the murder of student Maria L. by a refugee in Freiburg, Germany, in October 2016. In this case, judges were able to establish the particular severity of the alleged perpetrator’s guilt because the analysis performed on the accused’s iPhone was admitted into evidence. Cellebrite’s cyber forensics were allegedly applied in the e-discovery process. German law enforcement makes extensive use of the tools designed by these specialists. According to a response submitted to IT specialist service Motherboard: “The federal police use forensic specialist tools by the company Cellebrite (…). For reasons of principle and tactic, further information on police investigatory methods and tools will not be provided.”
E-discovery in routine work
The day-to-day work of forensic data detectives is carried out very discreetly, not only in spectacular criminal investigations. Since the Siemens corruption case in 2006, document security and document review have been on the rise in Germany, according to Michael Becker, Head of the e-discovery provider Consilio in Germany. “We’ve observed in recent years how ‘data hungry’ the EU Commission has become during merger control proceedings and how e-searches/e-discovery procedures are being carried out within very tight timeframes. This puts our clients under considerable pressure,” says Becker. “We work closely with many of our clients and conclude framework agreements specifically in this area. And our computer forensic experts remain in close contact with the client’s IT department.”
Most businesses will be confronted at some point with an administrative order or court order for a digital search. The main problem revolves around making electronic documents available for external or internal review, or for use as evidence in court proceedings. But where should the search begin in the ever-growing daily flood of data? How can important information be efficiently separated from the irrelevant? Service providers such as Consilio, FAST-DETECT, BSI Group or KLDiscovery Ontrack help to solve these problems.
The two main tasks of data forensics
Data forensic experts mainly concentrate on two areas. According to Daniel Heinrichs, Business Development Manager at KLDiscovery, “theft of intellectual property” is a common issue. For example, illegal data transfers from one company to another occur when an entire development department leaves a company. In cases like this, the employees believe that what they have developed is also “their baby”. The task of e-discovery is to secure evidence of illegal data transfers for a court of law, to track it down and to deliver it for legal evaluation.
Another task involves uncovering digital evidence related to antitrust violations. Have two or more companies entered into illegal price-fixing agreements? If there are signs of collusion between competing market players, the authorities will start looking for evidence: Have employees of competing companies exchanged e-mails? Did they meet at a hotel? If they did, then their smartphones would have been connected to the same WLAN. Forensic data analysis secures tell-tale tracks of this kind.
Metadata is critical
This process mainly involves the metadata generated when people communicate via the internet. This machine-readable information can be used to clarify who communicated with whom, from where, for how long and how often. Information restored to the deleted sector of a hard drive is also considered metadata. In summary, e-discovery involves:
- recovering deleted files
- information on internet searches and browser history
- Windows Registry analysis
- USB device history
- preparing logged file access
- determining most recent access, most recent change or the creation of data and files
- web-based email recovery
- securing proof of data erasure or file destruction
- comparative examination of opposing expert opinions
- chat, SMS and other on-demand/mobile communication protocols
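To make the "who communicated with whom, from where and how often" point concrete, here is an added example (not from the original article or any vendor's tooling) that reduces e-mail headers to a communication summary and flags origin addresses shared by more than one sender, the kind of trace the hotel WLAN scenario above would leave. All messages, names, hosts and IP addresses are constructed, and the helper names are hypothetical.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample headers; every name, host and address here is invented.
def _msg(ip, sender, to, date, cc=""):
    return (f"Received: from client (unknown [{ip}]) by mx.example; {date}\n"
            f"From: {sender}\nTo: {to}\n" + (f"Cc: {cc}\n" if cc else "") +
            f"Date: {date}\nSubject: constructed sample\n\nbody\n")

SAMPLE_MESSAGES = [
    _msg("192.0.2.10", "Anna Meier <a.meier@vendor-a.example>",
         "b.schulz@vendor-b.example", "Mon, 03 Oct 2016 09:15:00 +0200"),
    _msg("198.51.100.77", "a.meier@vendor-a.example",
         "b.schulz@vendor-b.example", "Tue, 04 Oct 2016 18:40:00 +0200"),
    _msg("198.51.100.77", "b.schulz@vendor-b.example",
         "a.meier@vendor-a.example", "Wed, 05 Oct 2016 08:05:00 +0200",
         cc="c.wolf@vendor-b.example"),
]

def summarize(raw_messages):
    """Map (sender, recipient) -> count, first/last timestamp, origin IPs."""
    pairs = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = getaddresses([msg.get("From", "")])[0][1].lower()
        when = parsedate_to_datetime(msg["Date"])
        # The bottom-most Received header is the hop nearest the sender. Only
        # hops written by servers you trust are reliable; earlier ones can be forged.
        hops = msg.get_all("Received", [])
        found = re.search(r"\[([0-9A-Fa-f.:]+)\]", hops[-1]) if hops else None
        rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for _, rcpt in rcpts:
            e = pairs.setdefault((sender, rcpt.lower()),
                {"count": 0, "first": when, "last": when, "origins": set()})
            e["count"] += 1
            e["first"], e["last"] = min(e["first"], when), max(e["last"], when)
            if found:
                e["origins"].add(found.group(1))
    return pairs

def shared_origins(pairs):
    """Origin IPs used by more than one sender, e.g. the same guest network."""
    seen = defaultdict(set)
    for (sender, _), e in pairs.items():
        for ip in e["origins"]:
            seen[ip].add(sender)
    return {ip: who for ip, who in seen.items() if len(who) > 1}
```

A shared origin address is a corroborating indicator only: NAT, VPN exits and mail relays can put unrelated senders behind the same IP, so it needs to be checked against other records before it is treated as evidence of a meeting.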