identification and collection
play

Identification and Collection Seminar on E-Discovery, February 9th, - PowerPoint PPT Presentation

Apr 01, 2023 •647 likes •925 views

Identification and Collection Seminar on E-Discovery, February 9th, 2012, College of Information Studies, University of Maryland Dr. Hans Henseler Amsterdam University of Applied Sciences, The Netherlands Information Technology & Computer

  1. Identification and Collection Seminar on E-Discovery, February 9th, 2012, College of Information Studies, University of Maryland Dr. Hans Henseler Amsterdam University of Applied Sciences, The Netherlands Information Technology & Computer Science E-Discovery Lab

  2. E-Discovery Seminar: Identification and Collection HvA - Kaart van Nederland Information Technology & Computer Science E-Discovery Lab

  3. E-Discovery Seminar: Identification and Collection HvA - Kaart van Nederland Information Technology & Computer Science E-Discovery Lab

  4. E-Discovery Seminar: Identification and Collection Dr. Hans Henseler - Ph.D. computer science (1993) - Netherlands Forensic Institute (1992-1998) - Netherland Institute of Applied Research (1998-2000) - CTO at ZyLAB (2000-2006) - Director at Pricewaterhouse Coopers (2006-2010) - Adjunct Professor HvA (2009-) - Partner at Fox-IT (2011-) Information Technology & Computer Science E-Discovery Lab

  5. E-Discovery Seminar: Identification and Collection 1. Recap: EDRM T4 Incident T3a T1 T2 T5a T6a T6b T5b T3b Information Technology & Computer Science E-Discovery Lab

  6. E-Discovery Seminar: Identification and Collection 1. Recap: Track 1: Information Management GOAL: Develop defensible retention policies and e- discovery processes HOW: By managing all information sources: - Complete information lifecycle: From creation, through using to archival and destruction. Information Technology & Computer Science E-Discovery Lab

  7. E-Discovery Seminar: Identification and Collection Track 2: Identification GOAL: Determine what should be preserved and collected HOW: By identifying and localising potential sources of information: - what kind of information is required? - relevant time period? Information Technology & Computer Science E-Discovery Lab

  8. E-Discovery Seminar: Identification and Collection Track 3a: Preservation GOAL: Preserve data to avoid spoliation claims/sanction HOW: By securing information that may potentially be relevant - By ensuring that information can not be altered or destroyed. Information Technology & Computer Science E-Discovery Lab

  9. E-Discovery Seminar: Identification and Collection Track 3b: Collection GOAL: Retrieve forensically sound copies of critical data HOW: By making digitale copies of electronic stored information and related meta data (information context) - In such a way that the integrity and authenticity of the information can be verified Information Technology & Computer Science E-Discovery Lab

  10. E-Discovery Seminar: Identification and Collection E-Discovery and Archeology Information Technology & Computer Science E-Discovery Lab

  11. E-Discovery Seminar: Identification and Collection Identification • Identification is the first reactive step in response to an E- Discovery request. • Identification involves: - Localisation of potential sources of electronic information. - Determine the scope of the investigation Which data (i.e. projects, employees, - departments) Which periods - • Forensic Technology: - Mapping the information landscape - Identifying relevant sources Information Technology & Computer Science E-Discovery Lab

  12. E-Discovery Seminar: Identification and Collection IT Infrastructure: Example 1 Information Technology & Computer Science E-Discovery Lab

  13. E-Discovery Seminar: Identification and Collection IT Infrastructure: Example 2 “The Server Farm” Routine Backup Tapes Y2K Tapes Disaster Recovery Tapes Database server Voice mail server Mainframe E-mail server Web server Application server PCs, other storage media, Off-site vendor backups and devices Routine Backup Tapes Disaster Recovery Tapes Corporate Network The Internet Workstation Macintosh Laptop PDA ISP Server ISP E-mail server Removable storage Computer Firewall Firewall Log Server Hand held computer Home computer IDS Logs Laptop computer from remote Location Information Technology & Computer Science E-Discovery Lab

  14. E-Discovery Seminar: Identification and Collection IT Infrastructure: Example 3 Information Technology & Computer Science E-Discovery Lab

  15. E-Discovery Seminar: Identification and Collection IT Infrastructure: Example 4 Information Technology & Computer Science E-Discovery Lab

  16. E-Discovery Seminar: Identification and Collection Systems: Accounting Creditor Employee Salary administration administration administration Debtor Inventory Electronic Banking administration administration Transaction Data Logging Data Access System logs administration Communication data Information Technology & Computer Science E-Discovery Lab

  17. E-Discovery Seminar: Identification and Collection Identifications of backups Typical company (1800 employees) had the following backups available in July 2007: - 12x Backup July 2006 /June 2007 - 1x Backup Friday 29/12/2006 - 1x Backup Friday 30/12/2005 - 1x Backup Friday 31/12/2004 Total 15 backups per custodian! Information Technology & Computer Science Page 17 E-Discovery Lab

  18. E-Discovery Seminar: Identification and Collection Data preservation • Goal: • Preserve data to avoid spoliation claims/sanction • Measures: • Issue a legal hold by sending out an internal company memo • Secure data to prevent it from being changed or destroyed (avoid data spoliation), for instance stop backup tapes from being recycled • Freeze records so they can not be destroyed Information Technology & Computer Science E-Discovery Lab

  19. E-Discovery Seminar: Identification and Collection Collection • Relevant electronicalle stored information is copied in a forensically sound way. • Forensic technology: - Maintain original meta data of electronic information (i.e. filename, path, dates etc) - Forensic computer image versus logical file copy - Maintaining chain of custody - Calculate secure hash values of collected data Information Technology & Computer Science E-Discovery Lab

  20. E-Discovery Seminar: Identification and Collection Collection: File Servers • What to expect: • Files • Personal email archives (pst, nsf etc.) • Long and deep file paths • Forensic tools: • Encase (Guidance Software) • Forensic Toolkit - FTK (AccessData) • Evidence Mover (Micro Forensics) • Robocopy (Microsoft) Information Technology & Computer Science E-Discovery Lab

  21. E-Discovery Seminar: Identification and Collection Collection: Mobile Phones • What to expect: • Mobile/Smart phones • Android Tablets, iPad • Forensic Tools: • XRY (MicroSystemation)  • Device Seizure (Paraben) • UFED (Cellebrite) • FTK Mobile Phone Examiner (AccessData) • Encase Smartphone Examiner (Guidance Software) Information Technology & Computer Science E-Discovery Lab

  22. E-Discovery Seminar: Identification and Collection Collection: Databases • What to expect: • Financial databases (SAP, Oracle Financials etc) • Firewall databases • SQL databases (MsSQL, Oracle, MySQL, Progress etc) • Best practices • Use SQL queries • Exports vs. Dumps • SAP abap scripts vs. Oracle database dumps • (depends on size and available time) Information Technology & Computer Science E-Discovery Lab

  23. E-Discovery Seminar: Identification and Collection Collection: Email Servers • What to expect: • Lotus Notes (nsf) • Microsoft Exchange (edb) • Groupware • Connect to life server (why?) • Exchange Server (2010 has interesting E-Discovery capabilities) • Encase Enterprise • Process message store • Network Email Examiner (Paraben), • PowerControls (Kroll Ontrack) Information Technology & Computer Science E-Discovery Lab

  24. E-Discovery Seminar: Identification and Collection Secure Hash: MD5 and SHA1 Message m Message digest, y (long) Cryptographic hash (Shorter fixed length) Function, h Shrinks data, so 2 messages can have the same digest: m 1 != m 2 , but h(m 1 ) = h(m 2 ) Goal: to provide a unique “fingerprint” of the - message. - How? Must demonstrate 3 properties: 1. Fast to compute y from m. One- way: given y = h(m), can’t find any m’ satisfying h(m’) = y 2. easily. Secure Hash: Strongly collision- free, i.e. can’t find any m 1 != m 2 3. such that h(m 1 )=h(m 2 ) easily Information Technology & Computer Science E-Discovery Lab

  25. E-Discovery Seminar: Identification and Collection Procedures, Forms and Logs 1. Data freeze directive 2. Data request 3. Letter of consent 4. IT inventory template 5. Encase acquisition form 6. Chain of custody form 7. Evidence log for tracking collected electronic data 8. Physical document collection sheets and scanning log 9. Standard Operation Procedure for Data Collection Information Technology & Computer Science E-Discovery Lab

  26. Information Technology & Computer Science E-Discovery Lab

Recommend

Event-Segmented Collection and Identification of Bioaerosols in a Busy Dental Clinic R.E. Baier

Event-Segmented Collection and Identification of Bioaerosols in a Busy Dental Clinic R.E. Baier

Event-Segmented Collection and Identification of Bioaerosols in a Busy Dental Clinic R.E. Baier and R.L. Forsberg NYSTAR EQS Site at University at Buffalo Other Contributors: L. Ortman School of Dental Medicine, Univ. Buffalo H. Patashnick

189 views • 14 slides
Sunglasses SM001 Collection SM005 Collection YPC001 Collection(swimming goggles) SR001

Sunglasses SM001 Collection SM005 Collection YPC001 Collection(swimming goggles) SR001

Sunglasses SM001 Collection SM005 Collection YPC001 Collection(swimming goggles) SR001 Collection SR002 Collection SR003 Collection SR004 Collection Optical-Anti blue glasses FU006 Collection FU002Collection FU004 Collection FU001

186 views • 17 slides
RISK IDENTIFICATION Everything your competitor knows about Risk Identification on Software

RISK IDENTIFICATION Everything your competitor knows about Risk Identification on Software

RISK IDENTIFICATION Everything your competitor knows about Risk Identification on Software projects David OBrien | PMI Ireland Chapter 23 03 2020 Let Risk identification is your super-power Risk Identification 30 MARCH 2020 2 RISK

375 views • 22 slides
What is the Sanborn Map Collection? How can you access this collection? 1 2 3 What can you

What is the Sanborn Map Collection? How can you access this collection? 1 2 3 What can you

What is the Sanborn Map Collection? How can you access this collection? 1 2 3 What can you use the collection for? Locating the homes and workplaces of ancestors. Seeing how a community has changed over time. Understand the

746 views • 22 slides
Cloud Computing: E-Discovery Challenges Best Practices to Minimize Pitfalls in Identification,

Cloud Computing: E-Discovery Challenges Best Practices to Minimize Pitfalls in Identification,

Presenting a live 90-minute webinar with interactive Q&A Cloud Computing: E-Discovery Challenges Best Practices to Minimize Pitfalls in Identification, Preservation and Collection of ESI WEDNESDAY, OCTOBER 24, 2012 1pm Eastern | 12pm

865 views • 74 slides
> CAN COLLECTION < By RON A N & ER WA N BOU ROUL L EC > CAN COLLECTION < In the

> CAN COLLECTION < By RON A N & ER WA N BOU ROUL L EC > CAN COLLECTION < In the

> CAN COLLECTION < By RON A N & ER WA N BOU ROUL L EC > CAN COLLECTION < In the Can sofa, Ronan and Erwan Bouroullec are seeking to go beyond the creation of a practical, elegant and comfortable design. The intention is to

348 views • 15 slides
Digital representations of the collection objects in the Museum fr Naturkunde Berlin Falko

Digital representations of the collection objects in the Museum fr Naturkunde Berlin Falko

Digital representations of the collection objects in the Museum fr Naturkunde Berlin Falko Glckler, Jana Hoffmann, Gregor Hagedorn Identifiers An identifier is a unique identification code that is applied to 'something', so that the

579 views • 46 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Gem Identification Gem Identification There are approx. 4000 minerals Approx. 100 are

Gem Identification Gem Identification There are approx. 4000 minerals Approx. 100 are

Gem Identification Gem Identification There are approx. 4000 minerals Approx. 100 are classified as gem species. They are found in gem quality. The gem quality has the attributes of a gemstone beauty, durability, rarity, and

613 views • 42 slides
Data Collection and HIVe Current Data Collection For those collecting data, you are use to

Data Collection and HIVe Current Data Collection For those collecting data, you are use to

Data Collection and HIVe Current Data Collection For those collecting data, you are use to the Excel data collection sheets All Ryan White Funded entities will be required to report client level data Non-Medical Case Management

266 views • 13 slides
Levy & Collection & Exemption Levy & Collection & Exemption from tax from tax

Levy & Collection & Exemption Levy & Collection & Exemption from tax from tax

Levy & Collection & Exemption Levy & Collection & Exemption from tax from tax LEVY & COLLECTION OF TAX (SEC:9) OF CGST ACT Subject to the Provision of sub section (2),there shall be levied a tax called Central goods and

423 views • 40 slides
MA CHIA DATA COLLECTION & SHARING PRACTICES Kathy Hines Senior Director of Partner

MA CHIA DATA COLLECTION & SHARING PRACTICES Kathy Hines Senior Director of Partner

DE-IDENTIFICATION ASSESSMENT OF MA CHIA DATA COLLECTION & SHARING PRACTICES Kathy Hines Senior Director of Partner Operations and Data Compliance, Massachusetts Center for Health Information and Analysis (MA CHIA) Samuel Chick Data &

292 views • 17 slides
Conference + Meeting Spaces Salt + Pepper TONON COLLECTION Macs Table TONON COLLECTION Pit

Conference + Meeting Spaces Salt + Pepper TONON COLLECTION Macs Table TONON COLLECTION Pit

Conference + Meeting Spaces Salt + Pepper TONON COLLECTION Macs Table TONON COLLECTION Pit TONON COLLECTION Tabula TONON COLLECTION Flat / Flat Soft TONON COLLECTION Spring TONONCOLLECTION Step TONON COLLECTION Swing TONON

530 views • 32 slides
Conference + Meeting Spaces Salt + Pepper TONON COLLECTION Macs Table TONON COLLECTION Pit

Conference + Meeting Spaces Salt + Pepper TONON COLLECTION Macs Table TONON COLLECTION Pit

Conference + Meeting Spaces Salt + Pepper TONON COLLECTION Macs Table TONON COLLECTION Pit TONON COLLECTION Tabula TONON COLLECTION Flat / Flat Soft TONON COLLECTION Spring TONONCOLLECTION Triangolo TONON COLLECTION Wind TONON

498 views • 30 slides
EASM 2014 Individuals characterized with high team identification would be more involved with a

EASM 2014 Individuals characterized with high team identification would be more involved with a

Examination on the Relationship Among School Identification, Team Identification, and Sport Consumption of College Students Submitting author: Dr Li-Shiue Gau Asia University, Taiwan, Taichung, 41354 Taiwan All authors: Jong-Chae Kim,

525 views • 3 slides
Re Regional Wo Workshop on on Str Strength then enin ing the the Collection Collection and and

Re Regional Wo Workshop on on Str Strength then enin ing the the Collection Collection and and

Re Regional Wo Workshop on on Str Strength then enin ing the the Collection Collection and and Us Use of of In Internatio ional Mi Migr gration Da Data in in the the Con Context of of the the 203 2030 Ag Agenda enda fo for Sustai ainabl

610 views • 16 slides
Hazard Identification & Control Contents Hazard Identification & Control Hazard Alert

Hazard Identification & Control Contents Hazard Identification & Control Hazard Alert

Hazard Identification & Control Contents Hazard Identification & Control Hazard Alert Form Hazard Tracking Log Quiz Employer / Instructor Notes: 1. Review Hazard Identification and Control and the Quiz (prior to conducting

192 views • 8 slides
Religious Profile: Jewish Identification 2 Jewish Identification (Jewish Households)

Religious Profile: Jewish Identification 2 Jewish Identification (Jewish Households)

1 1 Religious Profile: Jewish Identification 2 Jewish Identification (Jewish Households) Reconstructionist Conservative 2% 20% Orthodox 9% Reform 35% Humanist 4% Just Jewish 31% 3 Jewish Identification (Jewish Persons) Conservative

1.59k views • 119 slides
Agenda Unique Identification (UID); Item Unique Identification; Unique Item Identifier (UII)

Agenda Unique Identification (UID); Item Unique Identification; Unique Item Identifier (UII)

Unique Identification of Items U NIQUE ID ENTIFICATION (UID) September, 2005 (UID) Agenda Unique Identification (UID); Item Unique Identification; Unique Item Identifier (UII) UID/IUID Policy Contracting for IUID Marking Items

1.09k views • 88 slides
Seedling Tree Selection and Numbering Leaf Collection Seedling Tree Fruit Picking Fruit

Seedling Tree Selection and Numbering Leaf Collection Seedling Tree Fruit Picking Fruit

Seedling Tree Selection and Numbering Leaf Collection Seedling Tree Fruit Picking Fruit Marking for Sun Blotch Identification Protocols of Virus Testing excellence for Hand, Surface Sun Blotch Cutting Open Seed Size and Utensil Seed

551 views • 28 slides
Identification and Specification of Identification and Specification of NGN Service and Control

Identification and Specification of Identification and Specification of NGN Service and Control

I nternational Telecom m unication Union ITU-T Identification and Specification of Identification and Specification of NGN Service and Control NGN Service and Control Requirements Requirements Tobey Trygar Telcordia Technologies I TU-T W

703 views • 21 slides
Key Issues and Questions Identification of reimbursable meal Identification of reimbursable

Key Issues and Questions Identification of reimbursable meal Identification of reimbursable

5/3/2012 USDAs National School Lunch and School Breakfast USDA N ti l S h l L h d S h l B kf t Programs Key Issues and Questions Identification of reimbursable meal Identification of reimbursable meal Identify content of reimbursable

558 views • 12 slides
Data Collection International Labour Office Department of Statistics Data Collection data

Data Collection International Labour Office Department of Statistics Data Collection data

Data Collection International Labour Office Department of Statistics Data Collection data collection activities should be established, adapted to countries national circumstances main sources of information establishment surveys

129 views • 10 slides
Camera identification on YouTube Y A N N I C K S C H E E L E N J O P V A N D E R L E L I E

Camera identification on YouTube Y A N N I C K S C H E E L E N J O P V A N D E R L E L I E

Camera identification on YouTube Y A N N I C K S C H E E L E N J O P V A N D E R L E L I E Introduction Why camera identification? Agenda Pattern noise Video encoding Experiment Results Analysis Conclusion Noise

437 views • 30 slides

More recommend