I’ll also be doing a redux of last year’s presentation, Statistical Analysis and Data Sampling, at this year’s CEIC with Jon. We’re on at 4:30 PM on Monday in the eDiscovery Lab track. You can find the description on the CEIC website:

Ever worked on a matter where you wanted to validate that the search terms were working correctly? What about when a judge requests that you testify on your procedures for this validation process? This session will show you how to take culled evidence from the EnCase eDiscovery solution and create a representative random set of data to be used in the validation process. The options demonstrated will be: the number of items to review and the percentage of accuracy. Once a random sub-set has been created, this session will show how the EnCase eDiscovery solution can be used to manually tag the items and provide reporting.

The presentation will be updated with some new features on predictive coding and recent rulings. If you’re interested in how sampling can be used to reduce review time and improve keyword results, you should come check us out.

Unfortunately we’re up against Craig Ball and Chris Dale who will be rockin’ with “The Future of Social Media in E-Discovery.” Craig recently wrote a good piece for Law Technology News entitled Gold Standard – A true gold standard for keyword search incorporates both precise inclusion and defensible exclusion. He touches on keyword precision in the article, and that’s one of our primary goals with our talk – how to get the best bang for your buck with a little extra testing.

Most technical and semi-technical fields have two basic types of certifications: vendor application specific and vendor neutral. I’ve seen several vendor exams for eDiscovery certifications. While those can be important for users of a specific application, they’re not always portable between organizations as there are so many different products prevalent in the market. Many of them are very specific to the functionality of the tools, and less focused on overall eDiscovery knowledge. Passing means you know how to run the application, but not that you necessarily understand the reasoning behind the actions you perform. I currently hold a vendor certification for forensics which attempts to remain balanced between general industry knowledge and tool-specific information, but the focus is definitely on the tool.

Vendor neutral certifications for eDiscovery, such as CEDS from ACEDS, don’t worry about how any specific tool tries to tackle eDiscovery. They aim to verify knowledge across multiple areas in a given discipline, without relying on how one tool functions. If you’re interested in learning more about the certification, check out the ACEDS website: What The Exam Is About. For other sources: Gabe Acevedo with Above The Law has a great analysis written just after last year’s ACEDS Conference. Dennis Kiker with LeClairRyan also wrote a well-reasoned article describing eDiscovery certification as the logical next step, and rebutting some recent criticism.

I can say from my own experience hiring forensic and eDiscovery professionals that certification is not a panacea or guarantee when choosing a candidate. What it does demonstrate, though, is that someone is interested in investing time in themselves and their chosen career field. In the case of CEDS, it shows that they care about advancing in the field of eDiscovery.

ACEDS is prepping for their annual conference at the beautiful Westin Diplomat in Hollywood, FL, April 2 – 4. The line-up is absolutely stellar. Topics include: addressing catastrophic eDiscovery events; timely items such as social media; often overlooked project management; eDiscovery malpractice risks; and of course, exam prep courses.

If you’re planning on attending the conference, enter discount code “BLACK” when you register to receive $150 off the already very reasonable conference fee. Don’t wait too long, though – the discount code expires soon!

Full disclosure: I serve on the ACEDS Advisory Board, lending my perspective on technology in eDiscovery and the intersection of eDiscovery and Forensics.

New GUI

EnCase 7 is the first major release of Guidance Software’s flagship forensics product in four and a half years (depending on the actual release date) and there are lots of changes, so let’s dive in! The new GUI eliminates the standard File / Edit / View menus in favor of a menu system that gives you quick access to things you use most. Notably, the beloved EnScript pane (which also housed Conditions and Filters) is gone as those have all moved to the top menu bar. I think we were viewing a resolution of around 1280 width and there seemed to be room for all the menus, though, I can’t say that will hold up if more are added.

Old and busted (v6):


New hotness (v7):


The new Home screen which has a web feel to it, showing a list of Recent Cases (with relevant details), New Case, Options, etc. It also has a Logon button, which will presumably be used to customize settings and templates present throughout the new UI for specific users. Not much to say here, but should mean slightly easier access to cases being worked on frequently.

Once a case is opened, the top menu buttons take over: Case, Evidence (Add / Process / Browse), Search, Report. It should be noted that in the demo, cases opened very quickly and there was no apparent re-parsing of past work. This was a promise that Guidance had made in the past for v7 – that investigators wouldn’t have to wait for EnCase to redo all the work they had previously done (resolving search hits, Internet history, etc.). I think they’ve delivered, but the final verdict must be held until beta (or release). Though it wasn’t mentioned in our demo, other blogs have stated that it is using a Btrieve database or a B-tree data structure for the case data. Which it really is… who knows. It was stated in our session that everything gets stored in LEFs (I’m not sure if this was confusion on the presenter’s part and everything is being stored in their new database or in LEFs): expanded compound files; index results; records. I would tend to think it’s getting stored in a structure that allows fast data retrieval, but I won’t speculate on what they’ve decided to use. In any case, the result is that a lot more storage space is required, but things should be more stable and much faster. They’re no longer trying to load everything into memory, which should fix lots of issues with previous versions. I can hear people groaning about the increased storage space now, but I agree with this approach based on their current limitations – storage is cheap (relatively speaking), time is not.

Evidence Processor

Next I should note the new Evidence Processor (replaces Case Processor). This is, of course, an EnScript that executes various modules to perform processing over case evidence. The interface isn’t all that much different that the existing Case Processor, though things are moved around a bit and there are some new options. The focus is on doing more up front and doing it more easily. You can acquire evidence in the Processor, and – Hooray! – drive letters are now associated with physical device numbers. Acquisition can be made using E01 or the new evidence file format, Ex01, which provides native encryption. Interestingly in our session Guidance said the encryption was AES-256, while in other sessions they said AES-128 (“because it was faster than AES-256″), so we’ll probably have to wait to find out. At least this time, the Ex01 will be an open format which Guidance will publish. A bold move from an historically closed company, but welcome nonetheless. Evidence processor will include indexing, which has always been a sore subject since it was introduced in EnCase. No one really used the previous indexing capabilities because they were so unwieldy. This interface makes things a lot easier, but I’ll get more into Search further on. Output of all modules can also be indexed so that you can easily search the results of modules. This might be nice if it’s not too buried. They’re pitching the index as an end all be all link / relationship analysis engine, but I’m not clear on how they see that working in reality.

Evidence Processor includes a list of predefined tasks, and users can setup a template of things they use most often with settings already configured. This is a step forward, albeit a small step. As others have mentioned, processing will be multi-threaded, which is a welcome addition. Some new tasks here are “Thread Email” and “Create Image Thumbnails,” the results of which are stored in LEFs (maybe… see above). Of note, Guidance is working on an integration with Passware, so if you run the Protected File Analysis module in the Processor, and it finds something password protected, it can automatically send the file off to Passware to have it analyzed / cracked. Guidance is claiming it will work with all versions of Passware, but that may change. This will be something with the potential to reduce manual work for investigators. Also, Guidance is supposedly going to make it easier for people to write and plug in custom Processor modules. I sincerely hope Guidance does a better job of documenting this than they have in past releases.

One of the most interesting notes of the evening was that you can run Evidence Processor on multiple examiner boxes and combine the results into one case. This nugget almost went without notice due to the poor presentation skills of our host, but I suppose I happened to perk up at the phrase multiple machines. I would think this should be a huge selling point, but maybe they’re not ready to push it yet. At first the capability will be manual, but they’re working on automating it for a few versions down the line. If they get it right, this will be great! It will almost catch them up to where their competitors were last year, but it’s nice to hear for die-hard EnCase fans. In addition to the Evidence Processor module, they’ll be releasing a dumbed down version of EnCase called EnCase Processor that will only run processing jobs, with no real GUI interaction. For those of you that have used EnCase eDiscovery, this should sound familiar, and I imagine they’re using similar methods.

Evidence Browsing

The old standby Table view of evidence is still around under the heading of “Browse”. This still doesn’t seem to include dates and times from $MFT FileName attribute, and when an audience member asked this question it totally went over the presenter’s head. This view is definitely familiar and long time users will feel right at home here.

Hash Libraries

Hashing isn’t all that glamorous, but there are some new things here as well. There will be a primary and secondary hash library (read: shared and private) that could be useful for labs sharing hash libraries, but also adding to local ones. In version 6 and before, if there were multiple instances of a hash in the library, only the first was shown. In v7, all instances will be shown to give the examiner more information. The examiner will be able to add custom metadata to hash entries (the example given was to associate a case number or conviction to specific hash values). I could definitely put this to use in investigations. MD5 is still supported, as is SHA1. The last new item I noticed is the ability to add a “tag” to hash library entries. I’ll talk more about tags a little later.

Search

Search has perhaps undergone the largest change in the interface. They referred to it as “Unified” search, which isn’t a new term (think Apple’s Spotlight Search). From one location you can search the Index, Tags, and regular Keywords. Searches are now named and the results are saved as such. Think of using multiple labels in Gmail and you’ll understand tags in v7 – you can define up to 63 tags, set colors for them, and then apply them to just about anything in the case. This should allow more flexibility than just bookmarking an item and having to use a folder structure. Hashing, email mounting, Internet history, has all moved to Evidence Processor (I believe).

Old and busted (v6):


New hotness (v7):


Indexing is using the same technology (read: GUI interface) that has been in EnCase eDiscovery for about a year now. They’re boasting integrated “Microsoft word-breaking,” not whitespace delimited, using the most conservative word-breaking. This allows the index to break URLs properly, for example. Searching the index gets you instant hit counts on your search terms (see below). You can also perform an indexed search in specific fields, such as Email To, From, Subject, etc.

Old and busted (v6):


New hotness (v7):


They weren’t prepared to show good old standby binary and GREP keyword searching, but I imagine it hasn’t changed all that much.

Results

Any type of search, including Conditions and Filters, send their results into the… wait for it… Results tab. This is all part of the unified search theme. I’m not terribly sure I like the results navigation just yet. The left side is a list of your “named” searches, conditions, or filters. You can drill into result sets and navigate using the green back and forward buttons that I’m sure you were wondering about in the depiction at the top of the post. I personally found this interface somewhat confusing. I’m hoping it just wasn’t explained very well, otherwise I can see new users having a hard time using the breadcrumbs navigation feature to get around.

New hotness (v7):

Email

Guidance is pitching “E-Mail Review the Way You Need It” with version 7. The default view for Email now is a tree on the left (not super different from how Records look in v6), and the Report view on the right. You can return to the familiar tri-pane view if you’d like. No one seemed clear on how the tree would be sorted by default, but apparently you have to turn the Table pane back on to sort things. They’ve added Conversation Threading and Find Similar functionality which runs across multiple mail files. This was already present in EnCase eDiscovery, and now Forensic users will be able to take advantage of it also. Find Similar isn’t all that advanced, at present it works simply by Subject from what I saw in the demo (and recall from eDiscovery demos at LegalTech), but it’s not bad. They’re supposed to be adding more choices here, like hash value, date ranges, etc. in later versions.

Old and busted (v6):


New hotness (v7):

Reports

There are new Report templates that are supposed to help make reporting easier for users. Headers, footers, colors, font styles, etc. Reports still depend on Bookmarks. There’s a new style editor that looks like a modified version of EnScript that will have average and new users complaining from day 1. Classic Guidance Software – rewrite from scratch when perfectly good markup languages already exist. Oh well, I probably won’t use it, anyway. Some people will love it, some people will hate it. Not sure I see much of a marketplace developing here.

EnScript

Unfortunately the only comments Guidance was prepared to make about EnScript was that there will be a lot more capabilities and that they’ll provide a script to help users translate old scripts to accommodate the new v7 changes. That being said, I think there will be much greater capabilities in v7 EnScript than there were in v6. I can’t wait to see what’s been broken and get to work fixing old scripts.

Neutrino, ProSuite

The Neutrino brand is going away, and all of its features will be integrated directly into EnCase Forensic at no additional cost. Support for non-smartphones also dies with Neutrino, as Guidance realizes that other vendors do this much better. They’re focusing on dealing with operating systems and file systems, so… smartphones. They’re also now supporting iTunes backups and BlackBerry backups (I assume they’re talking about IPD files here). ProSuite components are also being rolled in – EDS, VFS, PDE. Sadly, the old reliable CD/DVD plugin is gone (just kidding, no one ever used that). What this really means is no more separate versions of EnCase aside from Forensic and Enterprise.

Future Additions

Looking to the future: Guidance would like to add OCR capabilities, but wouldn’t mention an integration vendor and wouldn’t say when. Pricing will be available in the next couple weeks, and they hope to release 7.01 a couple months after CEIC.

Summary

Overall, Guidance seems to have made some much needed improvements to speed and stability. Usability increases with the ease of use for index queries. The jury’s still out on the GUI changes (breadcrumb navigation, web look in some screens, unified Results, collapsing EnScripts/Conditions/Filters into a drop-down menu) and multiple machine processing. Anyone who knows me knows my penchant for EnScript, so I’m hoping to see positive changes there. No doubt Jon and I will have lots of fun porting Lightgrep for EnCase to v7.

If you see anything I missed or have questions, please let me know in the comments!

I’ve been very pleased with eSATA in my lab for the past couple years, and I’m not ready to make any changes just yet, but boy did Thunderbolt (née Light Peak) take me by surprise. I’m quite certain I read something last year about Light Peak, but I didn’t get the impression it was going to show up this soon. I’m sure Apple fanboys are very excited about the thought of this being present on new MacBook Pros, because it out-specs any other removable storage tech for laptops out there. I’m excited that other vendors will be forced to pick it up now that Apple has implemented it (not that I don’t like Apple products, but they’re generally not my first choice due to various limitations). The designers of Thunderbolt plan for the bandwidth to reach 100 Gbps in the next ten years. Of note, the latest spec of DisplayPort is already humming at 17 Gbps, but DisplayPort is solely used for video; Thunderbolt will be extremely versatile in its uses. If you work in forensics and you’re not gushingly excited by faster transfer rates for external storage, I might have to ship you a defibrillator.

Although there was a large turnout, I was pleasantly surprised at the level of interaction achieved in the sessions. Board members Nicholas Bunin, Jeri Head, and Patrick Gibson did a great job introducing sessions and spurring conversation. The board places great emphasis on active communication as opposed to having a single presenter talking at the crowd.

This recent forum was all about social media – Facebook, LinkedIn, Twitter – in corporate environments. Social media has obviously been around for quite some time, but in the corporate environment, policy makers are just getting comfortable with its use for business purposes. As a user, my first instinct is to question why this causes a problem; as a corporate investigator, I can tell you that social media can cause significant problems in the workplace and creates a whole new medium in which violations can occur. There are myriad new legal guidelines emerging around how corporations should regulate these tools in light of the current legal landscape. Regulatory agencies have also recently had their say on the diligent monitoring that must occur in the financial industry in relation to social media.

The forum had four main sessions during the day: Social Media and Reducing Risk, Practical Guide for Corporations to the Identification, Collection and Production of Social Media, Social Media Policy, and Social Media Dialog with Judges. While the guidelines of the organization prohibit sharing of content outside of the forum, I’ll just say that the day was well spent and I learned quite a bit. The next forum theme will be Cloud Technology, and will take place at the San Francisco Forum in June. The Corporate E-Discovery Forum would love to have new members participate and contribute to the discussions, and welcomes technical practitioners as well. If you’re a member of a corporate E-Discovery team, whether legal or tech, I’d highly encourage you join and participate!

Michael Herf makes a comment about AMT not only being present on his new Thinkpad, but also having the built-in web server active out of the box. This is kind of scary considering (if I’m reading this correctly) that in some Lenovo boxes the default password was “admin” (check out page 8 in the link). AMT does store logs of activity: “Persistent event logs, stored in dedicated memory (not on the hard drive) so the information is available anytime. IT technicians can now access the list of events that occurred even before a hardware or software problem was noticed, including events that occurred before a PC connected to the network.”

How many IR folks have looked at AMT logs before or even knew they were present? I’d love to know if there’s any useful content for investigations getting recorded in these. Perhaps they require configuration ahead of time to trap relevant data. Please let me know if you’ve had the occasion to use AMT logs in this capacity!