Part two of the four-part series on Electronic Data Discovery

Here is the second post in the four-part series on Electronic Data Discovery.

Beware the Forensics Label

Many sales people attach the label “forensics” to their security and compliance analysis tools, and that can be very misleading. In law enforcement circles, “forensics” means a well-defined set of discovery and investigative processes that hold up in court for civil or criminal proceedings. An enterprise that relies on these tools’ records or analysis in, for example, a wrongful termination suit, is probably in for an unpleasant surprise. “It may not hold up in court,” says Schwalm, a former Secret Service agent. “Very few vendors have an idea of what the requirements [are for proof, from a legal perspective]. They’re really providing just a paper trail. You should challenge what the vendor means by ‘forensics capability,’” he adds.

One gotcha of using electronic data discovery tools for legal purposes is proving the inviolability of the data. Tools that keep or aggregate event logs may not provide access control that lets the enterprise prove that the underlying data is unaltered and accurate.

This issue is particularly critical because most vendors pitch their electronic data discovery tools as a way of detecting internal threats. Yet an insider is in the best position to access and alter data to cover his tracks or deflect blame to someone else, making truly secure access control and data management policies a must to even consider relying on electronic data discovery tools in a legal case. To thwart insider manipulations, critical functions such as setting up new vendors or changing payment destinations should require multiple levels of approval. “One person shouldn’t be minding the whole store,” says 2Checkout’s Denman.

A related concern is being able to go back to the original raw data, since most electronic data discovery tools alter the original data to put it into a searchable database and to make formats from different types of monitoring appliances consistent. Such regularization is necessary to analyze the records, but to be legally effective, there must be a defensible way to show that it didn’t distort the original data, says Gartner’s Litan.

There are no broad standards for what constitutes acceptable forensics. Different courts and law enforcement agencies have their own standards, so the CIO should make sure his security experts consult with those organizations to find out what evidence they’ll require to pursue a case. 2Checkout’s Denman has done just that, working with the FBI’s cybercrime task force “to know what they look for.” For example, investigators prefer to make forensically sound copies of original data or the best available evidence; they never manipulate original data directly.
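The three requirements raised above (proving the stored data is unaltered, being able to return from a normalized record to the raw original, and working only on copies rather than on the original) can be made concrete. The following is an added Python example, not code from the original post or from any vendor's product: raw lines are kept verbatim in a hash chain and sealed with an HMAC, normalized records carry a pointer and hash back to the raw line they were built from, and a verifier recomputes everything. The log lines, the two timestamp formats, and the seal key are constructed for the example; the key is assumed to be held by a custodian who cannot write to the log store.

```python
import copy
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in two appliance formats (ISO-timestamped firewall,
# BSD-syslog-style VPN concentrator). Made up for this example, not captured data.
RAW_LOGS = [
    "2024-03-01T10:00:01Z fw01 action=ALLOW src=10.1.2.3 dst=10.9.8.7 dport=443",
    "Mar  1 10:00:05 vpn02 user=alice event=login result=success",
    "2024-03-01T10:00:09Z fw01 action=DENY src=10.1.2.3 dst=10.9.8.8 dport=22",
]

# Hypothetical seal key: assumed to be held by someone who cannot edit the log store,
# so that whoever can alter lines cannot also re-seal them.
SEAL_KEY = b"custodian-held-key-placeholder"
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class RawEntry:
    seq: int          # position in collection order
    line: str         # the line exactly as received, never edited
    line_hash: str    # SHA-256 of the line bytes
    chain_hash: str   # SHA-256(previous chain_hash || line_hash): binds the order


def build_chain(lines: List[str]) -> List[RawEntry]:
    """Store raw lines in a hash chain so edits, deletions and reordering are detectable."""
    entries, prev = [], GENESIS
    for seq, line in enumerate(lines):
        line_hash = sha256_hex(line.encode())
        chain_hash = sha256_hex((prev + line_hash).encode())
        entries.append(RawEntry(seq, line, line_hash, chain_hash))
        prev = chain_hash
    return entries


def seal(entries: List[RawEntry]) -> str:
    """HMAC over the chain tip; one value that covers every line and its position."""
    tip = entries[-1].chain_hash if entries else GENESIS
    return hmac.new(SEAL_KEY, tip.encode(), hashlib.sha256).hexdigest()


def verify_chain(entries: List[RawEntry], expected_seal: str) -> Tuple[bool, Optional[int]]:
    """Recompute every hash from the stored lines. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for e in entries:
        if sha256_hex(e.line.encode()) != e.line_hash:
            return False, e.seq                       # line content changed
        if sha256_hex((prev + e.line_hash).encode()) != e.chain_hash:
            return False, e.seq                       # line moved or a predecessor is missing
        prev = e.chain_hash
    if not hmac.compare_digest(seal(entries), expected_seal):
        return False, -1                              # seal mismatch, e.g. trailing lines dropped
    return True, None


# Two timestamp layouts plus a key=value body: the regularization the article describes.
ISO_LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\S+) (.*)$")
BSD_LINE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def normalize(entry: RawEntry) -> Dict:
    """Build the searchable record, keeping a pointer back to the unaltered raw line."""
    m = ISO_LINE.match(entry.line) or BSD_LINE.match(entry.line)
    if m is None:
        raise ValueError(f"unrecognized format at seq {entry.seq}")
    ts, host, body = m.groups()
    return {
        "ts": ts,
        "host": host,
        "fields": dict(KEY_VALUE.findall(body)),
        "raw_seq": entry.seq,         # which raw line this record came from
        "raw_hash": entry.line_hash,  # what that line hashed to at collection time
    }


def verify_record(record: Dict, entries: List[RawEntry]) -> bool:
    """Show that a normalized record still maps to an unaltered original line."""
    e = entries[record["raw_seq"]]
    return e.line_hash == record["raw_hash"] and sha256_hex(e.line.encode()) == e.line_hash


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Edit a working copy (never the original) and show the chain reports the edited line."""
    original = build_chain(RAW_LOGS)
    s = seal(original)
    working = copy.deepcopy(original)
    working[2].line = working[2].line.replace("DENY", "ALLOW")  # a quietly rewritten record
    return verify_chain(working, s)


if __name__ == "__main__":
    chain = build_chain(RAW_LOGS)
    s = seal(chain)
    print("original intact:", verify_chain(chain, s))
    print("normalized:", [normalize(e) for e in chain])
    print("after tampering a copy:", tamper_demo())
```

The chain only detects alteration; it does not prevent it, which is why the access-control point above still stands. Splitting the seal key from log-store write access is the same separation of duties the article recommends for vendor setup and payment changes: the person who can change a record should not be the person who can make it look authentic again. The `raw_seq` and `raw_hash` fields are what let an analyst answer "show me the original line this came from" without trusting the normalized database.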
