Digital computer forensics creates new challenges for storage professionals.
By George Hall
The growing requirement for supporting digital computer forensics within the enterprise is a direct result of the use of computers in more than 80% of business communications today. However, the ability to discover, recover, and produce specific documentation often doesn’t fit into an enterprise’s existing backup/recovery or archival systems.
With good planning and a solid understanding of the demands that computer forensics and litigation support may place on the enterprise, storage professionals can design and build comprehensive storage architectures that withstand the rigors of concurrent and overlapping backup, recovery, archiving, and digital discovery requirements. It is not enough anymore to simply have copies of “everything.” “Everything” needs to be organized, secure, and accessible in an automated fashion so that digital data discovery requests can be handled without manual effort.
Let’s first review some items that can be demanded of an enterprise in support of a discovery motion filed in a court action and the potential impact to your storage infrastructure. In some cases an electronic data discovery (e-discovery) motion can compel the production of data records from personal, non-business-related computers. An example of what a discovery motion can compel is found in a Northwest Airlines case:
A Minnesota District Court Judge issued an order on discovery in the case. The order required all 43 named defendants, officers, and employees of a union to turn over both home and office computer equipment for purposes of examining and copying information and communications contained on all computer hard drives. The order also permitted the discovery of all data, including e-mail and other electronic communications.
On the basis of what was found by a third-party digital forensics firm in the ensuing examination of more than 80 computers, the defendants were fined, penalized by the court, and ordered to stop doing what they originally claimed they were not doing.
Discovery, some would say, is the “finding of things that are available to be found.” Case law is changing that paradigm rapidly, and storage professionals stand directly in the path of these changes. Today, digital discovery includes the presumption that if one or more parties in an action can produce an authentic digital document, then the likely result is that even if you cannot produce the document in discovery, the missing document could be deemed real, available, and therefore admissible.
There are a growing number of cases where a plaintiff has been able to produce an electronic document produced by a defendant enterprise, but the defendant enterprise cannot reproduce the documents from its own digital archives. The result has been stiff penalties for the defendants and the presumption that the document(s) should have been available. See this example:
Donald Arndt v. First Union National Bank, 2005 N.C. App. LEXIS 1080 (N.C. Ct. App. June 7, 2005): The court found that e-mail messages between an employee and his employers were sufficient to act as evidence of the existence of an oral contract regarding compensation. The court found that the employee supplied proof that the employers did not preserve the e-mail messages despite prior knowledge of their existence and relevance.
This is a bad situation to be in for the defendant enterprise and for the unprepared storage professional. To add fuel to the fire, there is an accelerating trend toward fines, penalties, and even outright dismissal of cases where plaintiffs and/or defendants do not produce documents as the result of a digital discovery request. Requests for sanctions for failing to produce all requested electronic documents pursuant to a digital discovery request have arisen most often in tort and intellectual property cases, followed by contract and employment cases. In all, US Federal courts through 2004 granted sanctions for failure to produce documents through electronic data discovery 65% of the time, with defendants being sanctioned four times as often as plaintiffs.
How do you prepare for these unplanned requirements to produce material in support of a digital discovery request without disrupting the operating storage requirements of the enterprise? How do you comply with the requirements of a discovery request within the (usually short) time allowed and without interrupting operational activities?
There are two rules that will go a long way toward keeping you focused on designing and building storage systems to accommodate these requests while at the same time satisfying ongoing operational needs:
Rule #1: A little paranoia is a good thing.
Rule #2: Build as much automation, drill-down, and control into your storage solutions as possible.
There are four major components that should be included in storage architecture considerations: operations, backup, archive, and discovery. Of these four, archive and discovery are the most recent additions.
Archive is being driven by compliance, and discovery is being driven by the onerous prospect of litigation support. Thankfully, most enterprise storage architectures do not need to be replaced to accommodate archival-and-discovery requirements; they only need to be augmented, but in some cases significantly.
How do you take digital discovery into account when you are designing an enterprise storage architecture? Start with a clean slate and try to uncover the issues associated with the design of an improved architecture that can satisfy all four of the major components.
Rather than trying to define a set of universal hardware and software design standards for enterprise storage that include consideration for the new requirements of discovery, you should build a checklist, which, when followed, will produce the “how-to” of an architectural plan for enterprise storage design with the goal of reducing the burdensome requirements associated with discovery.
There are plenty of storage products available to address each of these design issues. Because of the great variability between enterprises and their storage requirements, consider the following 12-step program to define specific storage architectures that include the requirements of discovery:
1. Does your storage environment currently collect, back up, and archive all data files and electronic communications in the enterprise?
2. Are the enterprise’s collected data sets electronically and physically secure from both internal and external intrusion and tampering?
3. Are your backup-and-archival data sets encrypted?
4. Is your data archival retention system automated and transparent to users?
5. Does your archival system parse and index all document content and metadata?
6. Does your data retention system include all network-based applications, traffic, and log files, as well as data files such as e-mail?
7. Do you have a means of entering key words in a search engine that is linked to your storage hierarchy, and can you search the content of files and not just file names?
8. Are your data retention policies up to date with the latest compliance and litigation support requirements and automated for your storage systems?
9. Does your archival system have the ability to automatically tag and discriminate between data types with a high degree of granularity for specific purposes (e.g., legal, financial, human resources, executive, etc.)?
10. Does your storage staff have training in criminal or civil digital discovery and chain-of-custody practices and methods?
11. Does your staff have the ability to image and efficiently replace physical operating storage in a timely manner, without interfering with the operational requirements of the enterprise?
12. Is there a plan in place that will allow for the rapid, secure, and automated replication of select segments of large amounts of disk- and tape-based archival data?
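Several of the checklist items (content-and-metadata indexing, searching file content rather than just file names, automatic tagging by data type, and chain of custody) can be illustrated together in a small archive indexer. The following is an added example written for this article, not code from the author or from any product named here; the sample documents, the tagging rules, and the custody-log format are all constructed assumptions. It hashes each item on ingest so that later production can be verified, indexes both body text and metadata, tags items by simple keyword rules, and records every ingest and export in a custody log.

```python
"""Minimal e-discovery archive index: content + metadata search, tagging,
and a hash-based chain-of-custody log. Added example; all data is constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample documents: (path, author, last-modified, body text)
SAMPLE_DOCS = [
    ("mail/2005-03-01-compensation.eml", "alice@example.org", "2005-03-01T09:12:00Z",
     "Subject: compensation\nAs we discussed, your bonus will be 10% of base salary."),
    ("shares/finance/q1-forecast.txt", "bob@example.org", "2005-04-02T15:40:00Z",
     "Q1 forecast: revenue flat, invoice backlog cleared."),
    ("shares/hr/policy-update.txt", "carol@example.org", "2005-02-11T08:00:00Z",
     "Updated leave policy for all employees; contact human resources."),
]

# Assumed keyword-based tagging rules; a real archive would use a classifier
# or retention policy engine, but the principle (tag at ingest) is the same.
TAG_RULES = {
    "financial": {"revenue", "invoice", "bonus", "salary", "forecast"},
    "hr": {"employees", "leave", "compensation", "resources"},
}

TOKEN_RE = re.compile(r"[a-z0-9]+")


@dataclass
class Record:
    doc_id: int
    path: str
    author: str
    modified: str
    sha256: str      # content hash taken at ingest, used for later verification
    tags: set


@dataclass
class ArchiveIndex:
    records: list = field(default_factory=list)
    postings: dict = field(default_factory=dict)     # term -> set of doc_ids
    custody_log: list = field(default_factory=list)  # append-only audit trail

    def _log(self, action, doc_ids, actor):
        self.custody_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "action": action, "doc_ids": sorted(doc_ids), "actor": actor,
        })

    def ingest(self, path, author, modified, content, actor="archiver"):
        """Hash, tokenize, tag and index one document; log the ingest."""
        digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
        doc_id = len(self.records)
        # Index body text AND metadata (path, author) so that searches are
        # not limited to file names.
        terms = set(TOKEN_RE.findall(content.lower()))
        terms |= set(TOKEN_RE.findall(path.lower()))
        terms |= set(TOKEN_RE.findall(author.lower()))
        tags = {tag for tag, words in TAG_RULES.items() if terms & words}
        rec = Record(doc_id, path, author, modified, digest, tags)
        self.records.append(rec)
        for term in terms:
            self.postings.setdefault(term, set()).add(doc_id)
        self._log("ingest", [doc_id], actor)
        return rec

    def search(self, query):
        """Return records matching ALL query terms (content or metadata)."""
        terms = TOKEN_RE.findall(query.lower())
        if not terms:
            return []
        hits = None
        for term in terms:
            ids = self.postings.get(term, set())
            hits = ids if hits is None else hits & ids
        return [self.records[i] for i in sorted(hits)]

    def verify(self, doc_id, content):
        """Chain-of-custody check: does the content still match its ingest hash?"""
        return hashlib.sha256(content.encode("utf-8")).hexdigest() == self.records[doc_id].sha256

    def produce(self, query, actor="legal"):
        """Build a production set for a discovery request and log the export."""
        hits = self.search(query)
        self._log("export", [r.doc_id for r in hits], actor)
        return [{"path": r.path, "sha256": r.sha256, "tags": sorted(r.tags)} for r in hits]


def build_sample_index():
    idx = ArchiveIndex()
    for doc in SAMPLE_DOCS:
        idx.ingest(*doc)
    return idx


if __name__ == "__main__":
    index = build_sample_index()
    for item in index.produce("compensation bonus"):
        print(item)
    print("custody log entries:", len(index.custody_log))
```

The search for "revenue" finds the forecast file even though the word appears only in its body, which is the distinction checklist item 7 draws. The `verify` call is what a custodian would run before handing a produced file over: if the content no longer matches the hash recorded at ingest, the item cannot be represented as the original.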
The good news is that there are storage systems and software that can solve most of these problems. The bad news is that there are no unified solutions or “one-size-fits-all” answers to effective storage design for all four major requirements in the enterprise. The best policy is one that acknowledges the likely occurrence of extraordinary and, in some cases, non-recurring requirements to preserve, index, and extract highly granular data sets from the enterprise storage environment.
In reviewing the costs associated with the changes to your storage infrastructure that the above list of questions could produce, keep in mind that being unable to handle digital discovery requests in support of litigation is not generally an acceptable defense in litigation. The costs imposed after the fact for being unable to adequately support these requests can be far greater than the costs of preparing in advance.
Most data storage architectures today do not address the need for supporting the collection and export of large volumes of custom, user-specified data sets. Unlike compliance reporting, where the reports themselves (including the content of those reports and their frequency) are predictable, discovery reporting can be far greater in scope and potentially more disruptive to the enterprise in pursuit of document production. This disruption is not necessary. Storage professionals should take into account the potential for these types of unpredictable actions to occur. The benefits of including the requirements of digital discovery in the planning and design of storage architectures can result in significant cost avoidance and labor savings, non-interruption of ongoing operations, and a more automated approach to compliance in support of litigation or compliance audits in the future.
George Hall is a senior partner and forensics expert with RidgeLLC, a storage security and computer forensic support services business. He can be reached at firstname.lastname@example.org.