Managing 30(B)(6) Issues with iSEEK

iSEEK is a computer forensics tool that is used for the collection and preservation of electronically stored information (ESI). iSEEK allows users to target specific data stored on machines with defined parameters, then pre-process the data before it is deposited into a review tool.
October
White Paper: Managing 30(B)(6) Issues with iSEEK

In this white paper we address subject matter relevant to testifying parties who may need to use the computer forensic tool iSEEK to target and process electronically stored information (ESI) within a corporate partnership or other legal entity, for presentation as evidence in a Federal matter.

Innovative Litigation
The subject matter expertise required of the potential witness or testifying party is exactly the same when iSEEK is used as with any other method in the Electronic Discovery Reference Model (EDRM). A witness to business transaction processes that uses any targeted data collection method, such as computer forensics or indexing systems, has the same responsibilities but more precise testimonial elements. This holds for isolated data, for disconnected systems, and for computer domain management systems spanning large domains. What differentiates iSEEK from every other existing method of early-stage Electronic Discovery is the acquisition of the data and the methods of acquisition. In companion tests against index solutions, iSEEK actually finds much more data, simply because indexing solutions are replete with intractable errors, due in part to the inability of indexing to reach the equivalency of searching.

Using iSEEK: Leveraging Programs and Functions for Efficient E-Discovery

iSEEK is built around core forensic principles that ensure a fully independent acquisition of data, without regard to human intervention or decision processes once the interrogation commences. Unlike other methods, it is an automaton, and is described as such in the patent letters. iSEEK's design directs the automaton with instructions (the configuration file); it then executes without regard to any external factor during its run, the only exception being location access. The witness is not responsible for understanding the process of data acquisition inside the iSEEK application itself; they are responsible only for the business record description of the outcome of an iSEEK search of a system containing electronically stored information.
The output is the same in terms of the final resting place of the data, and all records targeted by iSEEK would be the same records (if they could be found) as those produced by any other process used to target responsive material. iSEEK acts independently of the iSEEK Execution Operator and, critically, operates without any possible contamination or alteration of the selection criteria. iSEEK allows users to target ESI from the outset of the mission without any witness, custodian, proxy or investigator knowing the results or the criteria used to select ESI. This independence rests on one critical property: all selection criteria are set and protected in an encrypted configuration file that is accessible only to those who create it. This "actions" file, also known as ISeek.config, directs the tool, independently of the operator of the process, to conduct exclusive searches by processing data on the endpoint data store. In addition, the configuration file is designed to perform without "pulling back" data to any location; any data can be examined. Data is examined and processed in its original location, not indexed in place or moved for other functions. It is processed where it lies, and then searched in place for the criteria set by the creator for the matter at hand.

Differences in Production Methods

Since Rule 6 does not require that the business entity produce the "most knowledgeable" witness, only that the person testifying "shall testify as to matters known or reasonably available to the organization," the production method for ESI used in iSEEK requires no extra knowledge of the witness to begin with. The iSEEK interrogation output of an ESI system lies within the descriptive knowledge required of the witness, but only in so far as they would need the same knowledge as any record custodian using any other method. The difference is the corpus result set. To summarize, the output method is generally the same as any other end process; what differs is the output method at the small end of the pipe. That method is a post-process method, not a pre-process one. iSEEK is confined to the directives it received at runtime from the ISeek.config file. It does allow for user-defined locations at runtime if necessary, but there is no possible way for the initiator of an iSEEK query to interact with the iSEEK process once it is running. No criteria are visible and none can be redacted. The criteria specified are completely invisible to the custodian and the collection agent, and equally invisible to the proxy or initiator during runtime. For example, if there were 10 custodians, each managed by one "collector" (for instance, an IT admin), the IT admin would not prepare the configuration file. Counsel or another appointed party would, or could, be responsible for that preparation.
Instead, users could simply present the configuration file criteria to the IT admin, who would then execute the process against the 10 custodians. In this setup the IT admin has no idea what is processed or gathered or what the selection criteria are (nor does the custodian). The data that is targeted and processed is then, at that point in time and on into the future, solely under the domain and control of Counsel or their appointed proxy. The data circumscribed by the iSEEK method is 100% encrypted with the 256-bit Advanced Encryption Standard (AES-256) from that step forward and throughout its entire lifecycle, unless the creator elects to remove that protection.

ESI Protection Methods: Alleviating Liability Concerns

Because iSEEK works on a different paradigm from any other tool or indexing-based system, the results file (a file with the extension .isk) is available only to the initiator of the ESI gathering, whether for an active case or a legal hold matter. If the initiator is counsel for the entity, then he is in full control of the criteria and conditions under which the data was gathered from the 10 custodians. No custodian or IT admin need have this knowledge at any point in the data lifecycle. Once the initiator decides to open and view, or extract, the iSEEK file data envelope, he alone controls the distribution and dissemination of that data. From that point on, everything done in terms of control focuses on the initiator. He can share that control or not, depending on the matter at hand. This relates directly to 30(b) because the relevancy of the matter is less of an issue than the security and containment of the data. Regardless of what is gathered, the 30(b) witness has no new or different data to look at or support than they would otherwise. Notably, this method protects the entity in many respects because the 30(b) witness is no longer subject to conjecture and vague general questions regarding contingent issues. Those questions are not within the knowledge of the expert, because he represents only the ESI produced from the matter, not what could have been produced otherwise. To repeat: it is the method that has changed, not the data.

iSEEK Defensibility

iSEEK also protects the corporate entity by enforcing an unbending rule: only ESI that is sought can be found. In addition, collateral damage to the ESI containment is disallowed because, by default, iSEEK excludes any ESI that is not clearly and positively defined in the configuration. An example further articulates this point: since the standard for ESI acquisition is defined by the FRCP as information of "reasonable particularity", the subject matter may come from a variety of sources within the entity's overall ESI container systems. The iSEEK artifact method provides a reasonable deterrent to accusations from opposing counsel such as: the iSEEK interrogation avoided files or information by type, place or time that was probative. In fact iSEEK does just the opposite by default: it does not omit anything from being processed and searched.
Only the initiator can introduce such a restriction or change iSEEK's default responsibility features. Therefore opposing parties cannot accuse the process method of being less than totally impartial, inasmuch as any file at any ESI location is subject to the exact same criteria for inclusion in the corpus gathered. This "lock-box, throw-away-the-key" concept has demonstrable value in countering allegations of intentional avoidance by opposing counsel, since it does not use an indexing methodology at any level to find data. iSEEK uses processes gathered from 20 years of forensics to methodically examine any ESI for relevancy. This process leaves the primary responsibility for defining relevancy fully with the initiator of the iSEEK method and the criteria he elects. The categorization of ESI, then, has no parallel in the method, because no exclusions or waivers of any ESI exist within the borders of the iSEEK method. Putting selection criteria in place to limit what is analyzed and what is not has almost no impact on time to mission, although it may affect the end costs of the operation. A witness proponent of the method is again not the party who defined the criteria (at least he does not have to be), so his knowledge of what was investigated, as opposed to what was gathered, is of little consequence in terms of testimony. He will have a printed document before him showing the iSEEK criteria, which confines the testimony at the outset. The iSEEK method does not arbitrate any ESI system and cannot do so. It is impartial and independent no matter how, where or when it is run. In sum, the witness to the production is under no more requirement to supply expertise to an iSEEK discovery than he would be for the same information in paper form or from any other method.

One example of this impartiality would be an email claim of relevancy where only selected emails that were probative were all that iSEEK was directed to secure. In the non-iSEEK method, an entire 100 GB PST file would have to be processed, then indexed to delineate the specific emails (a questionable guarantee of success in any index system). Now assume that only 7 out of 800,000 emails are relevant and probative to the issues in that one matter.

Key Considerations: The New EDRM with iSEEK

Continuing this example, in non-iSEEK methods the entire 100 GB of email has to be secured, transported and then processed, resulting in 800,000 emails of output which have to be further analyzed for relevancy in an attempt to find the 7 emails that are in fact the point of the matter. The time and costs of that processing now bring in undocumented variables beyond anyone's control: pre-coding, de-duping and user requirements must now be documented throughout any such process. In effect, the business entity has created an enormous corpus of data subject to further review, just to find 7 known relevant items.
That data, all 800,000 emails, is now subject to further review and subpoena, needlessly, and in some cases dangerously, we add. iSEEK is the reversal of this historical EDRM approach. iSEEK, by itself on the endpoint target machine, processes all 800,000 emails in the 100 GB PST file but targets only the 7 relevant emails, and encapsulates only those 7 emails into an email-ready response. iSEEK has not produced an open-ended data mass for the witness to testify to at all. Since the witness is required only to be the responsible party who can address those 7 emails, no decisions were required beforehand, because the witness does not have to have implicit knowledge of any corpus data outside the bounds of those 7 emails. The witness becomes a subject matter expert, not a subject method expert. The iSEEK method fully satisfies the rule's requirement that the witness testify as to matters known or reasonably available to the organization. The data was available if it was found by iSEEK; it is otherwise unavailable to the methods iSEEK employed, and as long as those methods were not intentionally constructed to mislead any party, they can stand any sanction test.

Here it is informative to give a contrary example. Suppose that in the previous example it is known that OST files are used for disconnected email storage in the organization, but within iSEEK's configuration for this same matter OST files are intentionally excluded from processing. That would result in no data being found by iSEEK at all, and likewise in a defensive position having to be taken later regarding that decision. But those same means, methods and decisions are well known to be the cause of action in any matter of ESI acquisition, and are still excluded out of hand from the responsibility of the witness to a 30(b) deposition. Perlustro and the disclosed patent itself stand behind the method in public review. The acceptability of the method is then limited to the criteria of the matter, not the criteria of the approach. The 30(b) witness is required to have, as noted in the rules and case law, familiar knowledge of what is produced, not of what could have been produced or what was not produced. This benefits the business entity by providing a restrictive umbrella to the witness in addition to the data envelope.

iSEEK targets ESI with complete independence and total objectivity, but without the guidance of a responsible official it is not impervious to failures to find ESI. For example, a custodian who secretly installs BestCrypt and keeps data unknown to the business process within that container could possibly "hide" relevant information from iSEEK while the container is unmounted. But using iSEEK, it is also very possible and likely that the reverse will be true.
The custodian, without any knowledge that iSEEK is running on their machine, might open the BestCrypt container and thereby make that information subject to an iSEEK interrogation. As a result, data never before seen can now be found. In most known cases this data would be missed by any other data collection method.

iSEEK keeps all data in process, targeted and 100% encrypted at all times on the client machine. There is no need to re-encrypt data at any point in its life, and no need for any further encryption mechanism to move the data, once encrypted, to any place in a network, to a public cloud, or even to a physical disk attached to a client machine. Data can be retrieved from any place on earth without any need to consider security envelopes at any point in the process. Without entering the password key into the ISeek Configurator, a person in simple or stolen possession of the iSEEK container holds a digital brick. No loss of either fidelity or information will occur unless the managing user reveals the password key to another party. The encrypted configuration file is also what creates the automaton effect. The password to the container can differ from both the data warehouse password and the configuration password. The only avenue for interception lies in a memory capture mechanism that would have to exist on the client end while data is processed, and even that could only reach the iSEEK process space, not the password used to encrypt the container contents. Once the container leaves the machine, either in email summary form or in whole data form, access to the data is further limited by the iSEEK server component, which will only unlock configurations that are already licensed. This mechanism prevents theft of the data because only legitimate users would have a licensed server component.

Authentication Aspects of iSEEK Findings

iSEEK authenticates the data source from many different points of view, including logged-on users, ACLs, drive serial numbers, CPU numbers, network interface descriptors, and many others. The manager of the iSEEK configuration file can also further describe the custodian by name, any proxy or intermediaries, or others, including separate notes on the intended process, by use of encrypted fields in the configuration file. This data can be attached automatically to data warehouse processes without the need for further annotations to support chain of custody. The process also includes verbose, time-based logging throughout a run.

Jim Baker is the President of Perlustro LP, a privately held computer consulting firm that specializes in forensic software development, such as the computer forensic tool iSEEK. Jim was a special agent with the Criminal Investigation Division of the IRS for 31 years; he also served as the Chief Technical Advisor to the Director of Electronic Crimes. During his tenure at the IRS, Jim partnered with Microsoft to develop and implement the standard and primary desktop platform for IRS Criminal Investigation's client desktop systems.