1. e-Discovery

2. Agenda
• Computer Forensics Vs e-Discovery
• Case-studies
• Terminology
• EDRM ( Electronic Discovery Reference Model)

3. Speaker’s Profile
MALLA REDDY DONAPATI
Security Enthusiast, Forensicator and Trainer
M.Sc Information Security & Computer Forensics
dmred1
http://infoseclabs.blogspot.in/

4. e-Discovery
“ Electronic discovery (also called e-discovery or ediscovery) refers to any process in
which electronic data is sought, located, secured, and searched with the intent of using
it as evidence in a civil or criminal legal case”
Data are identified as potentially relevant by attorneys and placed on legal hold.
Evidence is then extracted and analyzed using digital forensic procedures, and is
reviewed using a document review platform. Documents can be reviewed either as
native files or after a conversion to PDF or TIFF form. A document review platform is
useful for its ability to aggregate and search large quantities of ESI.

5. Why e-Discovery ?
• 90 % documents created today are in electronic format
• 90 billion or above the number of business emails sent and received each day
• majority of information these days is electronic and can potentially be sought as
evidence in a court of law
• Additionally, with the sheer amount of data available and regulatory and legal
compliance requirements continuing to evolve, organizations face new challenges
when it comes to information retention and governance.

6. e-Discovery
• The primary focus of standard e-
discovery is the collection of active
data and metadata from multiple
hard drives and other storage
media. Litigation can be supported by
active data (information readily
available to the user, such as e-mail,
electronic calendars, word processing
files, and databases), or by metadata
(that which tells us about the
document’s author, time of creation,
source, and history)
Computer Forensics
• The goal of computer forensics is to
conduct an autopsy of a computer
hard drive – searching hidden folders
and unallocated disk space to identify
the who, what, where, when, and
why from a computer. A significant
amount of evidence is not readily
accessible on a computer; when this
occurs, a computer forensic
examination is necessary

7. Bank of America fined $10 million, 2004
Following an investigation into trading by Bank of America and a former employee, the SEC
(Securities and Exchange Commission) ordered Bank of America to pay a fine of $10 million after
they “repeatedly failed to promptly furnish” email and gave “misinformation”
Coleman Holdings v. Morgan Stanley, 2005
Morgan Stanley was ordered to pay over $800 million in damages when they repeatedly failed to
produce emails in a timely manner. The judge in this case stated that “efforts to hide its emails”
were evidence of “guilt”.

8. Terminology
• ESI (Electronically Stored Information)
• Custodian
• Harvesting
• De-duplication
• Metadata
• Spoliation
• Legal Hold
• Document Retention Policy

9. ESI – Electronically Stored Information

10. What forms ESI Take ?
• Text based - .doc .pdf .txt .wpd .xls .ppt .html
• Images - .bpm .gif .jpg .tiff
• Moving Images - .avi .mov .flv .mpeg .swf .wmv
• Sound - .au .mp3 .mp4 .ra .wav .wma
• Web Archive - .ar .mhtml .warc
• Email - .pst .ost .msg .dbx .eml .mht

11. Data and Metadata
• Data – content of an email or document
• Metadata – encompasses all the information about a document that is not visible to
the user
• ESI Created
• ESI modified
• Custodian
• To, From, CC, BCC
• Date & Time email was sent
• Subject
• Date or Time received

12. EDRM

14. EDRM ..
• Identification
• Locating potential sources of ESI & determining it’s scope, breadth and depth
• Preservation
• Ensuring that ESI is protected against inappropriate alteration & destruction
• Collection
• Acquisition of ESI from computers, servers, etc. for further processing and reviewing it for
anticipated litigation or government investigation

15. EDRM . .
• Processing
• Involves pre-processing to reduce large sets of collected ESI for further review, production
and subsequent use
• DNISTing
• De-duplication (removing duplicate ESI)
• Filtering by key word
• Data or metadata extraction
• Reducing the volume of ESI and converting it, if necessary, to forms more suitable for
review & analysis.
• Review
• Evaluating ESI for further relevance and privilege

16. • Review
• Evaluating ESI for further relevance and
privilege with or without technology
assisted review platforms

17. EDRM. .
• Analysis
• Evaluating ESI for content, context including
patterns, topics people and discussion
• Production
• Delivering ESI to others in appropriate forms
& using appropriate delivery mechanisms

18. Presentation
• Displaying ESI before audiences (at depositions,
hearings, trials, etc.), especially in native &
near-native forms, to elicit further information,
validate existing facts or positions, or persuade
an audience.