At 02:13 PM 7/5/2001 +0100, Michael D. Barwise, BSc, IEng, MIIE wrote:

Hi Patrick

Your approach would certainly make sense if

[1] you knew exactly what you were looking for

Some notable cases to back up theorem # 1.

Daewoo Electronics Co. v. United States, 650 F.Supp. 1003, 1006 (Ct.Int'l Trade 1986)
The normal and reasonable translation of electronic data into a form usable by the discovering party should be the ordinary and foreseeable burden of a respondent in the absence of a showing of extraordinary hardship.

Easley, McCaleb & Associates, Inc. v. Perry, No. E-2663 (Ga. Super. Ct. July 13, 1994)
Plaintiff's expert allowed to recover deleted files on defendant's hard drive

First Technology Safety Systems, inc. v. Depinet, 11 F. 3d 641 (6th Cir. 1993)
Trial court can issue ex parte electronic evidence seizure order

Gates Rubber Co. v. Bando Chemical Industries, Ltd, 167 F.R.D. 90, 112 (D. Colo. 1996)
Site inspection and evidence preservation order. "Expert" criticized for procedures. A party has "a duty to utilize the method which would yield the most complete and accurate results."

Pearl Brewing Co. v. Joseph Schlitz Brewing Co., 415 F. Supp. 1122 (S.D. Tex. 1976)
Entire system documentation required to be produced

PHE, Inc. v. Department of Justice, 139 F.R.D. 249, 257 (D. D.C. 1991)
Objection to discovery being burdensome denied

[2] the files were still "current" i.e. not deleted &c.

More in the case of email....

Playboy Enterprises, inc. v. Terry Welles, 60 F. Supp 2 1050; 1999 U.S. Dist. LEXIS 12895 (S.D. Cal. 1999)
Court can appoint neutral expert to recover deleted email

Bourke v. Nissan Motor Corp., No. B068705 (Cal. Ct. App. July 26, 1993)
Employees had no reasonable expectation of privacy in their company email

Smyth v. Pillsbury Co., 1996 WL 32892 (E.D.Pa. 1/23/96 Weiner J.)
Employee had no reasonable expectation of privacy in company email

The problem really arises when the forensically relevant data are in deleted files or slack space in used clusters/sectors. Then, you have two problems:

[a] the native file system cannot deliver the data for analysis
[b] VM and temp file usage may destroy the data while you are examining the drive

Santiago v. Miles, 121 F.R.D. 636, 640 (W.D.N.Y. 1998)
"A request for raw information in computer banks is proper and the information is obtainable under the discovery rules."

Seattle Audubon Society v. Lyons, 871 F. Supp. 1291 (W.D. Wash. 1994)

Simon Property Group v. mySimon, Inc., 2000 WL 963035 (S.D. Ind)
court ordered special master for electronic discovery

Hence the need to *do nothing* to the original except read sectors onto another medium. The various levels of paranoia needed when making an image have been well covered in this thread, and there are obviously several different opinions based on personal experience. Forensics is not an exact science, as it is about making highly technical issues accessible to non-technical minds with an axe to grind!

Michael D. Barwise BSc, IEng, MIIE
Computer Security Awareness
"Addressing the Human Equation in Information Security"

> From: pat.beardmoreat_private
> Date sent: Tue, 3 Jul 2001 09:42:09 +0100

> Before I give my own opinions, has anyone come across the practice of
> previewing a drive and then taking off the relevant files rather than
> doing a full image. Does anyone want to comment on the advantages and
> disadvantages of this methodology?
>
> thanks,
>
> Patrick Beardmore
>
>
> -----------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com
>

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com
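The difference the thread discusses between copying previewed files and taking a full image, shown on a toy volume. This is an added example, not part of any message in the thread; the 16-byte cluster size, file names and byte contents are constructed for illustration.

```python
import hashlib

CLUSTER = 16  # toy cluster size in bytes (constructed for this example)

def build_volume():
    """Constructed toy volume: raw bytes plus a directory of live files."""
    disk = bytearray(CLUSTER * 4)
    disk[0:16] = b"OLD-SECRET-MEMO!"   # earlier file filled cluster 0
    disk[0:5] = b"hello"               # shorter file reused it: slack remains
    disk[16:28] = b"deleted-note"      # cluster 1: entry removed, data left
    disk[32:38] = b"report"            # cluster 2: ordinary live file
    directory = {"a.txt": (0, 5), "c.txt": (2, 6)}  # name -> (cluster, length)
    return bytes(disk), directory

def file_level_copy(disk, directory):
    """What copying selected files through the file system returns."""
    return {name: disk[c * CLUSTER:c * CLUSTER + n]
            for name, (c, n) in directory.items()}

def image_digest(disk):
    """Digest of the sector-by-sector image, recorded to show it is unaltered."""
    return hashlib.sha256(disk).hexdigest()

def unreachable_residue(disk, directory):
    """Non-zero bytes in the raw image that no directory entry points at."""
    live = set()
    for c, n in directory.values():
        live.update(range(c * CLUSTER, c * CLUSTER + n))
    found = {}
    for c in range(len(disk) // CLUSTER):
        span = range(c * CLUSTER, (c + 1) * CLUSTER)
        chunk = bytes(disk[i] for i in span if i not in live).strip(b"\x00")
        if chunk:
            found[c] = chunk
    return found

if __name__ == "__main__":
    disk, directory = build_volume()
    print("file-level copy:", file_level_copy(disk, directory))
    print("image sha256   :", image_digest(disk))
    print("only in image  :", unreachable_residue(disk, directory))
```

The file-level copy returns only the logical contents of the two live files; the slack remnant in cluster 0 and the deleted file in cluster 1 exist only in the raw image.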
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 16:12:18 PDT