By Toby Duthie, founder and partner, Lukas Bartusevicius, business development analyst and Kiran Patel, project manager, Forensic Risk Alliance
With increasing cyber-security and data privacy concerns in the post-Snowden world, corporates have been investing heavily in IT. In the context of electronic discovery and forensic investigations, traditional eDiscovery methods have concentrated on collecting data from the targeted organisation's IT system and then transporting it to the vendor's data centres for processing, filtering and document review; those data centres are often located in foreign (especially US) jurisdictions. Today there is increasing scrutiny about how and where data is collected, processed and hosted. Shipping data across borders can undermine the integrity of an investigation and pose significant financial, legal and reputational risks. This is especially relevant in matters involving criminal law where, for example, a US Securities & Exchange Commission subpoena is served on a company based in France. As an international forensic consultancy we have had an increasing number of requests to implement bespoke approaches to forensic data collections and investigations. We would therefore like to share this case study in which a team led by our project manager Kiran Patel provided a unique mobile solution.
Mobile Solution
We were asked to help a client responding to an investigation by a regulator with global reach. They faced allegations of corruption and were based in a civil law European jurisdiction. The project entailed retrieving several hundred gigabytes of data for around a dozen custodians from a number of sources such as computers, mobile phones and emails and network shares.
Of these custodians, several had VIP status in the company and there was increased sensitivity about their data. Furthermore, the jurisdiction of the project had data privacy and blocking statute issues. This meant all data had to remain in-jurisdiction for the purposes of the review. Our team responded by designing a mobile digital forensic and eDiscovery solution that provided a fully robust but also data privacy-compliant approach. As per our client's concerns the data had to be collected, processed and filtered on their premises. The client's legal team also wanted to retain a level of supervision before results could be shipped to one of our in country data centres for hosted document review.
These requirements presented several challenges. First, we had to ensure data integrity to fit with the regulator's requirements. Second, we had to devise a solution that would allow data processing and culling onsite, while allowing the review of the reduced data population to take place in our hosted data centre. The data collection was conducted in accordance with industry best practice. Forensic images were captured and duplicates of the source data were created and securely retained. The data was then processed using an industry-standard processing tool. All resulting metadata was transferred to our bespoke data staging environment where it was analysed and culled. We performed customised analytics to exclude private material. All of this work was conducted in a fully deployable eDiscovery solution, ensuring a forensically sound environment could be created on out client's premises.
The solution we developed contained Dual Intel Xeon-6 core processors, 256 GB of RAM and 6 TB of redundant Solid State storage. The system ran Windows Server 2012 R2 with Hyper-V. The server had access to 24 processing cores. This kind of solution can be setup anywhere in the world. The second challenge was that internet protocols were locked down as the client wanted to make sure no data could be inadvertently transferred offsite. As the mobile solution was on the client's site they were able to place it behind their firewall. We were only permitted to remotely monitor the process using a special protocol.
For security reasons the mobile solution consisted of virtual servers on an isolated network. The only access was via a console login to the mobile solution or from our internal network. Once data was ready for export it was copied onto an industry-standard Fl PS-encrypted device and couriered by FRA staff.
Third, as the processing and filtering component was conducted using our mobile solution we had to ensure compatibility with the technology in our data centre. We used a standardised workflow process across all locations.
Finally, our team was required to conduct a forensic analysis on the VIP custodians' computers and this had to be done onsite. This was accomplished using the mobile solution, as the machine was preloaded with forensic investigation tools. Also, since the mobile solution had enough CPU power and RAM, it effectively allowed for forensic analysis work to be conducted while eDiscovery data was being processed and filtered.
Once again our experts worked on copies of the physical forensic images.A physical forensic image is a bit-by-bit copy of a hard drive which includes the accessible and deleted data. The forensic images were then uploaded to the mobile solution.
As we were allowed remote access and utilise pre-installed software, our team was able to connect to the solution and conduct the analysis of these images as required. Using this approach, the data did not leave the premises and did not violate any jurisdictional data privacy regulations.
Read the article here:
.png)
