
Forensic and e-Discovery Tools to Help Win Your Case

By Richard D. Lutkus
September 02, 2013

Winning or losing your client's case often rests on your ability to prove facts that support your client's position. While that can be accomplished in myriad ways, subject-matter expert witnesses play a prominent role in interpreting the facts available to them and helping the trier of fact reach a conclusion on the meaning of such information. Forensic and e-discovery experts are no different than any other experts in that their opinions can only be as solid as the information they can find and analyze.

The sheer quantity of data present in a modern litigation matter can be daunting for even the most skilled experts. Manual search and review is tedious, expensive and, in some cases, impractical. Some enterprising software developers have answered the call, aiding forensic and e-discovery service providers in reducing the amount of tedious work involved in certain aspects of their analysis. Other developers have focused on helping organize, visualize or preserve data.

Most attorneys will never see, let alone use, some of the tools below. However, awareness of each tool's usefulness and application to cases can help attorneys better serve their clients' needs when selecting a vendor offering these (or similar) tools.

Digital Forensic Tools

Registry Recon by Arsenal Consulting

Registry Recon is a forensic tool that allows quick and organized access to a significant amount of historical data stored within a Windows computer system's registry. It includes both active and deleted registry information. (The Windows registry is a hierarchical database, stored on disk in several hive files, that holds hardware, software and user configuration; its entries also record artifacts such as recently opened documents, program execution history and the removable storage devices that have been attached.) Registry Recon works by rebuilding multiple registries, as they existed at different points in time, from both allocated data and unallocated hard drive space. Allocated data is data that is saved and viewable on a computer. Unallocated hard drive space consists of deleted information and temporary space; data located in this area can be complete or in parts, depending on whether new data has overwritten portions of a file. Registry Recon presents such information in an easy to understand format, allowing for the efficient analysis of historical “keys” and their “values” (keys are container objects similar to folders; values are the named data entries inside them, similar to files).

This application also allows the user to view registry keys at particular points in time in order to determine changes. The tool works with multiple evidence formats, including EnCase (.E01) and physically mounted hard drives.

Registry Recon can be used to obtain information about a particular person or system's actions and usage patterns. Information gleaned using Registry Recon can be utilized when creating a timeline of facts and events, as well as when deposing potential witnesses about certain actions on a computer. It's important to note that Registry Recon focuses on user activity and settings rather than content of documents.

Blade by Blade Forensics

Blade is a “smart” data carver. The name “carver” comes from the term of art in the digital forensic community referring to the act of locating and extracting deleted or partially deleted files. Essentially, this software recovers files out of forensic images whether they are active files or exist in unallocated space. It's “smart” in the sense that it has a variety of modules that go beyond the simple “start here and end there” carving that many tools use. It can carve a wide variety of familiar file types, as well as less common ones like shortcuts, SQLite databases, AOL client e-mail, etc. Experts can even set up customized carving profiles to single out specific proprietary files. Blade is a useful forensic tool when forensic search, restoration and export of original files is needed. Attorneys can work with forensic examiners to create and customize recovery profiles suited to the specific matter. For example, if an attorney needs to find all deleted ChemDoodle scientific drawings, he or she can instruct the expert to look for and recover such files. Blade will take the expert's input and search for instances of those files on a given hard drive. It is particularly useful in trade secret misappropriation cases or any matter where “did this file exist on this device?” is a driving question.
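Both tools above rebuild files from signatures found in allocated and unallocated space, Registry Recon for registry hives and Blade for arbitrary file types. What follows is an added example, not code from the article or from either product, of the difference between plain header/footer carving and length-aware (“smart”) carving: a small scanner with three modules, one of which validates a Windows registry hive's base-block checksum so that a hive partly overwritten in unallocated space is rejected rather than recovered as garbage. The sample image, the hive names and timestamps in it, and the function names are all constructed for the example.

```python
# Added example, not code from the article, Blade or Registry Recon: a minimal
# "smart" carver that bounds each hit the way its own format does, rather than
# by a fixed "start here, end there" rule. png walks chunks to the IEND footer;
# sqlite takes page size * page count from the 100-byte header; regf (Windows
# registry hive) takes the hive bins size from the base block and rejects hives
# whose base block XOR checksum fails. Sample image constructed below, not real.
import struct
import zlib
from datetime import datetime, timedelta, timezone

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SQLITE_MAGIC = b"SQLite format 3\x00"
REGF_MAGIC = b"regf"

def png_length(buf, start):
    """Follow the chunk chain; total length, or None if the chain is broken."""
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        pos += 12 + length                 # length + type + data + CRC
        if ctype == b"IEND":
            return pos - start
    return None

def sqlite_length(buf, start):
    """Length from the header; None if the in-header page count is untrusted."""
    if len(buf) - start < 100:
        return None
    page_size = struct.unpack_from(">H", buf, start + 16)[0]
    page_size = 65536 if page_size == 1 else page_size
    change_counter, page_count = struct.unpack_from(">II", buf, start + 24)
    version_valid_for = struct.unpack_from(">I", buf, start + 92)[0]
    if page_count == 0 or change_counter != version_valid_for:
        return None                        # size field not maintained by an old writer
    return page_size * page_count

def regf_checksum(block):
    x = 0                                  # XOR of the first 0x1FC bytes as uint32 words
    for (word,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= word
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(x, x)   # special cases of the format

def regf_length(buf, start):
    """4 KiB base block plus hive bins size (offset 0x28); None if checksum fails."""
    block = buf[start:start + 0x200]
    if len(block) < 0x200 or regf_checksum(block) != struct.unpack_from("<I", block, 0x1FC)[0]:
        return None
    return 0x1000 + struct.unpack_from("<I", block, 0x28)[0]

def regf_metadata(hive):
    """Embedded hive file name (offset 0x30) and last-written FILETIME (0x0C)."""
    filetime = struct.unpack_from("<Q", hive, 0x0C)[0]
    written = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return hive[0x30:0x70].decode("utf-16-le").rstrip("\x00"), written

MODULES = {"png": (PNG_MAGIC, png_length),
           "sqlite": (SQLITE_MAGIC, sqlite_length),
           "regf": (REGF_MAGIC, regf_length)}

def carve(image, modules=MODULES):
    """Scan for each signature; keep hits whose module can bound the file."""
    hits = []
    for kind, (magic, length_fn) in modules.items():
        pos = image.find(magic)
        while pos != -1:
            length = length_fn(image, pos)
            if length and pos + length <= len(image):
                hits.append({"type": kind, "offset": pos, "length": length,
                             "data": image[pos:pos + length]})
            pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample data (hypothetical names and timestamps).
def _png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def sample_png():
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)            # 1x1 RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")                       # filter byte + one pixel
    return PNG_MAGIC + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")

def sample_sqlite(page_size=512, pages=3):
    hdr = bytearray(100)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, page_size)
    struct.pack_into(">II", hdr, 24, 7, pages)                      # change counter, page count
    struct.pack_into(">I", hdr, 92, 7)                              # version-valid-for == counter
    return bytes(hdr) + b"\x00" * (page_size * pages - 100)

def sample_regf(name, filetime, damaged=False):
    base = bytearray(0x1000)
    struct.pack_into("<4sIIQII", base, 0, REGF_MAGIC, 1, 1, filetime, 1, 5)   # sig, seqs, time, v1.5
    struct.pack_into("<I", base, 0x28, 0x1000)                      # one 4 KiB hive bin follows
    base[0x30:0x30 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", base, 0x1FC, regf_checksum(base))
    if damaged:
        base[0x100:0x10C] = b"\x01\x02\x03\x04" * 3                 # a later write clobbered it
    return bytes(base) + b"hbin" + b"\x00" * (0x1000 - 4)

def sample_image():
    """Junk-separated files as they might sit in unallocated space."""
    junk, filetime = b"\xde\xad\xbe\xef" * 64, 131444736000000000  # FILETIME 2017-07-14 02:40 UTC
    return (junk + sample_png() + junk + sample_sqlite() + junk + sample_regf("SYSTEM", filetime)
            + junk + sample_regf("NTUSER.DAT", filetime, damaged=True) + junk)
```

Run as-is, `carve(sample_image())` returns the PNG, the SQLite database and the intact SYSTEM hive, and skips the overwritten NTUSER.DAT hive because its base-block checksum no longer matches; `regf_metadata` pulls the hive name and last-written time that every hive's base block carries, which is the information that lets recovered copies of the same hive be ordered in time. A carver that only looked for the four-byte `regf` signature would have emitted the damaged hive too, and an examiner would then be reading bytes from whatever file overwrote it.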

BlackLight by Black Bag Technologies

BlackLight is a multi-platform, forensic analysis tool optimized for use with Mac OS and iOS operating systems. Given the explosive adoption of iPhones, iPads, and Apple computers in the past several years, BlackLight's strength with these platforms makes it an indispensable forensic application. BlackLight is capable of not only imaging devices, but also parsing out different data from them, including documents, e-mails, text messages, movies, calls, voicemails, contacts, applications, GPS data, WiFi usage and even some cloud applications such as Twitter and iCloud. All evidence and metadata that is forensically collected by BlackLight can be reported in well-designed PDF reports or text format and can also be exported into a load file that is compatible with all major review databases like Relativity. BlackLight's focus on addressing unique Apple data structures and file types make it invaluable for experts.

EnCase Portable by Guidance Software

EnCase Portable is a forensic preservation/collection tool that is delivered on a USB flash device. It allows anyone (even those with little or no forensic collection experience) to quickly and easily collect evidence directly from Intel-based Apple and PC computers. The software also gives users the ability to customize what data they would like to collect from a particular machine if they do not need broad preservation. Most importantly, the EnCase Portable USB device can be configured by forensic experts prior to deployment to field teams (or even custodians) for data collection. This reduces the time, costs and risks of collecting data.

EnCase Portable is an extremely powerful tool that comes in an extremely small package. This application gives attorneys the ability to obtain forensic images at a fraction of the price of sending an expert to a location to take an image. Furthermore, it allows for data collection that does not significantly inconvenience the end user. It is advisable that attorneys or experts deploying these devices to custodians perform due diligence to ensure the custodian is collecting the data properly, and that the expert confirm the hash recorded for the image at collection time matches a hash computed on the copy the expert receives before relying on it. EnCase Portable, combined with online screen sharing services, allows an expert or attorney to monitor, guide, and ensure proper preservation from afar.

4n6time by David Nides

4n6time is a cross-platform forensic tool that allows users to create and review timelines built from the data in forensic images. The timeline 4n6time creates is presented graphically in an easy-to-understand format. 4n6time works by assembling a timeline of the activity that took place on a specific device or drive. This timeline can then be loaded into 4n6time's database to sort, filter, highlight, tag, search and report on the various data fields. Another feature of 4n6time is that timelines from multiple data sources can be combined so that cross-source analysis and comparison can occur. This is especially helpful in cases involving collusion or collaborating bad actors.

4n6time can be extremely useful for attorneys as they try to understand the facts and timing of events in a particular case. The timelines 4n6time creates can be much more useful than raw disk images alone, because attorneys can see activity in a sequential and easy-to-understand manner. For all of this value, 4n6time is provided free of charge, so clients can benefit from this unique piece of technology without bearing the significant expense traditionally associated with these types of products.
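As an added example of the cross-source merge described above (not code from 4n6time or from the article), the block below normalises constructed events from three evidence sources, a Windows registry timestamp, a file-system timestamp and a syslog line recorded in the host's local clock, to UTC, merges them into one ordered timeline, and then looks for activity on a second host within a few minutes of a USB device being attached to the first. The hosts, paths, registry key, timestamps and function names are hypothetical.

```python
# Added example, not code from the article or from 4n6time: merge events from
# several evidence sources into one UTC timeline and query across hosts.
# Sources stamp time differently (Windows FILETIME, a host's local wall clock
# with its UTC offset); normalising first is what keeps cross-source ordering
# honest. All hosts, paths, keys and timestamps below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

@dataclass(order=True)
class Event:
    when: datetime                     # always timezone-aware UTC
    host: str
    source: str
    description: str

def from_filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def from_local(text, utc_offset_hours):
    """'YYYY-mm-dd HH:MM:SS' read from a host's local clock plus that host's offset."""
    local = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours))).astimezone(timezone.utc)

def build_timeline(registry_rows, mft_rows, syslog_rows):
    """Merge already-parsed rows from three sources into one sorted timeline."""
    events = [Event(from_filetime(ft), host, "registry", key) for host, key, ft in registry_rows]
    events += [Event(from_filetime(ft), host, "mft", path) for host, path, ft in mft_rows]
    events += [Event(from_local(text, off), host, "syslog", msg) for host, text, off, msg in syslog_rows]
    return sorted(events)

def correlate(timeline, anchor_pred, window_minutes):
    """Pair each anchor event with events on *other* hosts inside the window."""
    window = timedelta(minutes=window_minutes)
    return [(anchor, ev) for anchor in filter(anchor_pred, timeline) for ev in timeline
            if ev.host != anchor.host and abs(ev.when - anchor.when) <= window]

def sample_timeline():
    """host-a: USB disk attached, then a spreadsheet touched on it (FILETIME, UTC).
    host-b: syslog kept in local time at UTC-5 shows a share mounted 3 minutes later."""
    t0 = 131444736000000000                     # 2017-07-14 02:40:00 UTC
    minute = 60 * 10_000_000                    # FILETIME ticks per minute
    registry = [("host-a", r"SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Example", t0)]
    mft = [("host-a", r"E:\projects\formula.xlsx", t0 + 2 * minute)]
    syslog = [("host-b", "2017-07-13 21:43:00", -5, "mount //fileserver/projects"),
              ("host-b", "2017-07-12 09:00:00", -5, "sshd: session opened for user m")]
    return build_timeline(registry, mft, syslog)
```

Read the syslog line as written and it appears to precede the USB event by five hours; normalised to UTC it lands three minutes after it, which is the kind of ordering error a mixed-clock timeline silently introduces. `correlate` is deliberately crude (a fixed window, any other host); in practice the window and the predicate come from the theory of the case, and the examiner still has to confirm each pairing against the underlying artifacts.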

e-Discovery Tools

Relativity by kCura

Relativity is a fully integrated e-discovery platform that can be utilized from data processing through production. It is widely recognized as the industry's leading review platform and consistently scores high in user surveys. It is highly scalable and exceptionally customizable. It allows attorneys to easily search for, isolate, and review documents based on any number of user-defined criteria. Relativity can ingest raw data directly into its database and process it for review.

The document review function of Relativity allows complex search terms to be applied to data to cull and limit the scope of document review. This culling has a significant impact on document review costs, which are by far the most expensive element of discovery. Beyond simple search and filtering, Relativity's advanced functionality can further reduce e-discovery expenses. Features such as text analytics, logical evidence file ingesting, computer assisted review, data visualization and pivot tables all work to create a more efficient and organized document review. For complex cases in which multiple parties need access to data, Relativity even allows for object-level security/access rights, which help maintain different levels of confidentiality for different users or groups.

Relativity is available for purchase and deployment, or through third-party vendors that offer e-discovery services.

EnCase eDiscovery by Guidance Software

EnCase eDiscovery is a fully integrated electronic discovery solution that can be utilized from the time a legal hold is issued all the way through to production. The application includes a litigation hold management module that helps attorneys track and monitor litigation hold issuance, survey responses, updates, reminders and lifts. It first notifies custodians that they are subject to litigation holds and then collects, processes and analyzes electronically stored information subject to the hold notice from multiple device types and evidence sources (e.g., e-mail servers, shared network drives, cloud services, attached storage media, etc.). For audit purposes, the entire process of identification and collection can be monitored with a fully defensible chain of custody.

Beyond litigation hold management, EnCase eDiscovery helps attorneys negotiate better with integrated early-case-assessment capabilities. It allows experts to prepare “case screening reports” and keyword hit reports. Both can inform an attorney about the efficacy of filters being used to cull data. This information can be invaluable in preparing attorneys for meet-and-confer conferences and help deflect overbroad and unrealistic requests from opposing counsel.

Index Engines

Index Engines is a unified processing platform that can handle data from a wide variety of sources, including online networks, hard drives, forensic images and, most importantly, back-up tapes. Since all data is processed using the same platform, searching, de-duplication and filtering can be completed across entire data sets, ensuring accuracy, defensibility and efficiency. Index Engines is also fast; it can process up to 1 TB of data per hour using a single processing engine if installed on adequate hardware. Data can be easily searched and culled within Index Engines before it is exported into a document review platform. This approach can help reduce data hosting costs, which can be significant in large, long-running matters.

Index Engines allows attorneys to use a single application to collect and process data in a fully auditable and defensible manner. After data is loaded and processed, attorneys can search across multiple data sources based on keywords or relevant custodians and time periods to ensure that time spent on document review is limited, focused and non-duplicative. Given the time and budget constraints often involved with modern litigation, Index Engines can be leveraged to provide a cost-effective and efficient processing solution.

Proofinder by Nuix

Nuix Proofinder is a low-cost application that allows users with limited amounts of data and resources to search data located on forensic images, in e-mail containers or even just folders or archive files. Proofinder uses the same powerful search and indexing engine present in the full Nuix offering, but costs a fraction of the price. Proofinder can process between 2 GB and 6 GB of data per hour. This processing speed enables users to identify relevant data in a reasonable time at low cost. As a trade-off for the extremely low cost, Proofinder is limited to 15 GB of data per case.

Conclusion

With the widespread adoption of electronic methods for conducting business and communicating, data sizes have necessarily grown in kind. Fortunately, tools now exist to combat this growing data bloat challenge, enabling experts and lay persons to locate, recover, process, search and prepare data for production. All of these tools save time, which ultimately translates into cost savings for clients. By familiarizing themselves with these tools and their functionalities, attorneys gain greater control over the discovery process. Nevertheless, it is important that attorneys recognize which tools are designed for their use, and which should be left to subject matter experts.


Richard D. Lutkus is a senior associate in the Chicago office of Seyfarth Shaw LLP where he focuses his practice on information governance issues including e-discovery, digital forensics, information security, incident response and IT. Lutkus holds several industry certifications, including the EnCE, EnCEP, and CEH. We welcome him to the Board of Editors with this issue. He may be reached at [email protected].
