A joint project of Law Technology News and Law.com Legal Technology


September 21, 2009

The Death of Forensic Imaging - Part II

A few weeks ago, I wrote about the imminent death of forensic imaging. Some in the electronic discovery industry would say it’s already here.

This week, I’d like to build on the previous conversation with readers and write about one of the replacement vehicles for forensic imaging: so-called live file extraction, which goes by many names. Some call it live forensic data acquisition. Others call it live data extraction. They all mean essentially the same thing, though live file extraction is the term most used by IT professionals.

Make no mistake: Traditional forensic imaging is the vastly preferred method for nearly all of the computer forensics work associated with e-discovery. You just can’t beat bit-for-bit copies for safety, reliability, accessibility, portability and raw transfer speed.

If not for the disproportionate growth of storage size versus data transfer rates, processing power and memory, we would still be working from bit-for-bit images taken from offline electronic storage media. Live file extraction would be limited to computer forensics investigations where whole-disk encryption (an offline image of an encrypted drive yields only ciphertext) or volatile data in RAM is an issue.

Live file extraction is a term used to describe the application of computer forensics against data – usually hard drives – still connected to a controlling central processing unit. In other words, the computer, appliance or accessory is powered on and operational. How “operational” depends on the technical aspects of the target, any litigation hold strategies in place and the nature of the investigation.

If the target is an online retailer’s network, the network is still taking orders and processing data while forensic activity proceeds in the background. If the target is a delivery vehicle’s GPS system, the vehicle is probably parked but the GPS unit continues to overwrite internal log entries with positional data.

If the target is a BlackBerry, the device is on but its radio is, if the investigation allows, turned off. Desktops and laptops from which data is being harvested in a non-adversarial process may have lightweight collection agents installed that use idle CPU time to search for specified files or file types and wait for opportunities to transmit the collected files to a mapped evidence collection drive or other destination.

The largest apparent advantage of live file extraction is that it does not require a producing party to shut down critical systems while a forensic investigation or extraction is underway. On the surface, this is appealing because it offers the prospect of a no fuss approach to e-discovery. Simply continue working. Invisible technicians will reach into your workstation remotely and remove all that is needful. You won’t even know they were there.

Another advantage is the practical ability to extract data from throughout a storage network. Modern storage systems may be distributed across many machines, and for efficiency’s sake, these systems organize files in a manner that makes sense only in the context of the entire network. Reconstructing a RAID-0 array (“striping,” which spreads each block of data across two or more drives so that no single drive holds a complete file) from hard drives imaged individually in the traditional manner is expensive, frustrating and time consuming.

Likewise, where a “virtualized” server straddles a dozen appliances, to forensically image such a server could require dozens of separate projects. For these and other reasons, a combination of live extraction and forced backup has been the typical approach to server data extraction for years. Traditional imaging of such appliances is long dead.

I would add that a third advantage is that the limitations of live file extraction set forth below encourage a measured, practical approach to electronic discovery. The same weaknesses that mean that not all data will be collected hide a silver lining. The death of imaging and the growing use of live file extraction as the sole alternative will lead to a broader acceptance of the reality that e-discovery, like its paper predecessors, is neither perfect nor complete. This in turn will lead to cost savings.

The disadvantages of live file extraction are the inverse of the advantages of traditional forensic imaging:

• It isn’t possible to make a consistent bit-for-bit copy of a hard drive that is in use. For example, Windows machines supplement their available Random Access Memory (RAM) with what is known as a page file in order to improve performance. The page file is stored on the hard drive, and its contents change from second to second. Thus the bit-for-bit state of the target drive differs between the beginning and the end of any imaging attempt, and the result cannot be verified against the source. Don’t be fooled by the misnomer “live file imaging,” which means only the copying of selected files while preserving their metadata.

• Though capable of working in the background, extraction applications and forensic viewers need processing time like any other piece of software. Giving priority to business applications may cause the forensic process to drag interminably. Boosting resources to forensic processes may crash business applications. Installed data retrieval software may have to battle with network security and antivirus alarms, leading to even scarier problems.

• Crashing your client’s business systems is bad enough. If you’re engaged in adversarial discovery with an extraction team on-site at the opposing party’s facility, it can be disastrous. Be ready for counterclaims, quashed Temporary Restraining Orders and sanctions. Naturally, vendors do not exactly flock to opportunities to undertake live adversarial extraction unless the fee justifies the risk. The first invoice will make you long for the good old days of true forensic imaging.

• Working live carries all of the usual risks that traditional imaging mitigates by minimizing contact with operational systems and deferring as much activity as possible to a lab environment. Static discharge, physical damage, data corruption, overwriting, malware, bugging, network security compromise, mistakes, the “observer effect” and other concerns all heighten the risks associated with live file extraction. In forensic imaging, the original is write-blocked and analysis runs against verified copies stored safely elsewhere. When working live, the analyst is touching the original, and the original files themselves may be altered or compromised.

• Live file extraction takes time and requires a broad set of IT skills. Every computer system is different and carries its own vulnerabilities. Extraction software that works perfectly on platform A may not work at all on Platform B. These factors lead to increased expense and increased risk that important documents may be missed.

• Extraction volume is limited. Data transfer rates are slow. Searching, even for broad categories of files or file types, is time consuming. Even if you use in-house IT staff or a vendor to undertake live file extraction, the pressures of time and expense will result in the extraction of fewer files.
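As an added illustration of the collection agent described earlier and of the verification problem in the first bullet above, here is a minimal live file collector. It is example code written for this page, not a tool from the article or any vendor: it selects files by type, copies them with timestamps preserved, hashes source and copy, writes a manifest, and then re-reads the live sources to flag anything that changed while the system kept running. Every path, file name and file content in it is constructed for the demonstration.

```python
# Added example, not from the original article: a minimal "live file
# extraction" collector. It selects files by type, copies them with their
# timestamps preserved, hashes source and copy, and re-reads the sources
# afterwards to flag anything that changed while the system stayed live.
# All paths, file names and file contents below are constructed for the demo.
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from dataclasses import asdict, dataclass
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large evidence files need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Record:
    source: str
    copy: str
    size: int
    mtime_ns: int            # source modification time, captured before we read it
    atime_ns: int            # source access time; reading may update it (observer effect)
    sha256_source: str       # hash of the source as read at collection time
    sha256_copy: str         # hash of the evidence copy
    verified: bool           # copy matches what we read from the source
    changed_since: bool = False  # source differed on the post-collection re-read


def collect(source_root: Path, evidence_root: Path, extensions: set[str]) -> list[Record]:
    """Copy every file under source_root whose suffix is in extensions."""
    records: list[Record] = []
    for src in sorted(p for p in source_root.rglob("*") if p.is_file()):
        if src.suffix.lower() not in extensions:
            continue
        st = src.stat()                       # metadata first, before any read
        dst = evidence_root / src.relative_to(source_root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copy2(src, dst)                # copy2 keeps mtime/atime; the copy's ctime is new
        copy_hash = sha256_file(dst)
        records.append(Record(str(src), str(dst), st.st_size, st.st_mtime_ns,
                              st.st_atime_ns, src_hash, copy_hash, src_hash == copy_hash))
    return records


def recheck(records: list[Record]) -> list[str]:
    """Re-hash the live sources; anything that differs was written after we copied it."""
    changed = []
    for r in records:
        if sha256_file(Path(r.source)) != r.sha256_source:
            r.changed_since = True
            changed.append(r.source)
    return changed


def write_manifest(records: list[Record], path: Path) -> None:
    """Persist the chain-of-custody record alongside the evidence copies."""
    path.write_text(json.dumps([asdict(r) for r in records], indent=2))


def demo() -> dict:
    """Build a constructed source tree, collect it, then simulate the live system writing."""
    work = Path(tempfile.mkdtemp(prefix="livecollect-"))
    src, evid = work / "source", work / "evidence"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "report.docx").write_bytes(os.urandom(4096))   # constructed content
    (src / "notes.txt").write_text("meeting notes\n")
    (src / "app.log").write_text("2009-09-21 10:00:00 started\n")
    (src / "photo.jpg").write_bytes(os.urandom(512))               # not a requested type

    records = collect(src, evid, {".docx", ".txt", ".log"})
    # The system is still running: the log grows after we copied it.
    with (src / "app.log").open("a") as f:
        f.write("2009-09-21 10:00:05 order received\n")
    changed = recheck(records)
    write_manifest(records, work / "manifest.json")
    return {
        "collected": sorted(Path(r.source).name for r in records),
        "all_verified": all(r.verified for r in records),
        "changed_since": sorted(Path(c).name for c in changed),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The copies verify against what was read, yet the re-check flags the log as already different from the source: that is exactly the gap between a point-in-time file copy and a bit-for-bit image of a quiescent drive. The manifest therefore records the source's own timestamps and hashes rather than relying on the copy's, since a copy's change time is new no matter how carefully the other metadata is preserved.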

Since live file extraction is the future, let me end on a positive note. All of these extraction limitations are well known, and the e-discovery industry has made enormous efforts to solve them. Don’t believe any vendor that claims there is such a thing as an error-free solution. On the other hand, as time passes, live extraction – and live searching – will continue to improve.

Eric P. Blank is the founder and managing attorney of Blank Law + Technology PS. His practice focuses on electronic discovery counseling, e-security response planning and implementation, investigations and computer forensics. Mr. Blank has conducted more than 300 investigations into computer and software-related torts and employee misconduct since 2001 and has frequently been a court-appointed special master or neutral in e-discovery matters.

Comments

Atlanta Private Investigator

I agree that live extraction is the way of the future, especially when dealing with mission critical systems. Great article. Thank you for sharing.

Eric P. Blank

Thank you for reading.
