Legal Technology News - E-Discovery and Compliance Blog

« FRCP Preservation Rule Update | Main | What Do These People Have In Common? »

April 06, 2012

Ball in Arkfeld's Court: Notes on Forensics

Racket_ballCraig Ball, computer forensics and EDD special master and author of LTN's "Ball in Your Court" column, was guest lecturer for the latest session of Arkfeld's Online E-Discovery and Digital Evidence Course. In addition to fielding questions and comments, he delivered a fast-paced and informative PowerPoint primer on computer forensics and electronic evidence.

Here are some quips and insights:

• Sometimes there's no loss of "information payload" producing images in .tiff, especially for "unsophisticated clients who have a lot of money to waste ... if you don't mind the bloated format."

• When Arkfeld mentioned that even when both sides agree under Rule 34 to produce in PDF or .tiff, many courts still frown upon it. Ball offered his own Rule 34 observation, "Just because two lawyers agree they can fly doesn't mean they should head for the roof."

• Why do e-discovery when "It's just a car wreck"? The moment the air bag deploys, the car's event data recorder logs info such as the speed at which the vehicle was traveling and whether a seat belt was in use.

• Computer forensics is "the crunching of specialized data to hone in on the information to tell a story." Like mind reading, "forensics finds the human drama in the bits and bytes. What people hide, steal, think." A drama in which the computer is "an instrumentality in some form of malfeasance" brought into play.

• What does a computer forensics investigator need to know to talk about cost? "What is the machine? What is the capacity of the storage media? What operating system does it use? Then I can give an estimate." Other questions will involve whether it's done onsite or at the lab. Ball gave the example of making a mirror image of a terabyte of data: "No one can speed the path of data." If this is done onsite, an expert is going to have to sit there and watch the process as the hours go by. This could cost up to $5,000 to for a disk image.

• A student asked what can be done if the entire machine is encrypted, a full-disk encryption using TrueCrypt or a similar software. Ball said the best method in a civil case is to "smile at the judge" and try to get a court order.

• What about a registry encrypted using ROT-13, also known as the "Caeser cypher," in which you replace each letter with one 13 places further down the alphabet? Ball asked the class why he was demonstrating this method of encryption, which he described as the "lousiest encryption scheme." Answer? An entry encrypted using ROT-13 cannot be found using a keyword search.

For more from Ball on keyword searches, read this month's column in LTN's current issue, "Gold Standard," in which he demonstrates how "If counsel get their hands dirty with the data, as by personally exploring representative samples using desktop or hosted tools, the parties could work quickly, effectively, and cooperatively to zero in on relevant material."

Image by Clipart.com

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8345280a669e20168e9b418f1970c

Listed below are links to weblogs that reference Ball in Arkfeld's Court: Notes on Forensics:

Comments

Post a comment

Comments are moderated, and will not appear on this weblog until the author has approved them.

This weblog only allows comments from registered users. To comment, please Sign In.

Sign Up for the E-Discovery and Compliance Newsletter

An Affiliate of the Law.com Network

From the Law.com Newswire

Sign up to receive Legal Blog Watch by email
View a Sample



Contact EDD Update


Subscribe to this blog's feed



RSS Feed: LTN Podcast

Monica Bay's Law Technology Now Podcasts are also available as an RSS feed.

Go to RSS Subscribe page




March 2013

Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31            

Blog Directory - Blogged