Demystifying Data Forensics

Storage managers struggling to please industry regulators have another wolf approaching the door -- corporate lawyers. Increased litigation and the deadline for amendments to the U.S. Federal Rules of Civil Procedure (FRCP) set to go into effect December 1, are forcing companies to take a look at how they store data that could wind up in court.

By the end of this year, storage managers must be sure they can prove, among other things, that data required for any judicial purpose comes from a "good-faith operation of an electronic information system." They must take steps to ensure that data that may be needed in court -- emails, database entries, whatever -- is preserved without change from the moment that litigation is anticipated. (See Lawyers Urge Doc Management, Retention Rules Set to Change, and Storage Goes to Law School.)

The problem has several aspects. First, IT managers need to be sure they know where their data is in case it is required in court. "I'm sure some people are running around thinking of the December 1 date as a catastrophic problem," says Lori Wagner, a partner in the Minneapolis firm of Redgrave Daley Ragan & Wagner, which specializes in helping companies handle their data legally. "A lot of organizations don't really know what they have. They have to make some time to see that records management has an important connection with the legal department."

There's no magic bullet, Wagner warns. Whatever tools storage managers can deploy for finding their data and obtaining the necessary information about that data will be helpful to ensure smooth legal discovery. But no single product or group of products will work for everyone. "The worst thing is to spend big on something and not find the time for planning."

There are plenty of document management, data classification and search, and archiving products on the market to help out. But if the lawyers come calling for something specific, it may be time to consider products designed specifically for data forensics.These include software products that gather metadata on various systems and sort it in order to create "audit trails" that show who used which files, or wrote which emails, when. There also are packages that specifically work with the log files of firewalls and other security products to find patterns of use and to determine whether suspicious trends can be identified.

Among companies in this space are Network Intelligence, the outfit that EMC recently purchased for $175 million. (See EMC Pockets Network Intelligence.) Others include Mathon Systems, OpenService Inc., SenSage, Solera Networks, and Vericept. (See Vericept Content With $12.5M and Canopy Invests in Solera.)

These products can be part of the IT infrastructure. This is the case with Sonnenschein, a large Chicago law firm, where manager of information security Adam Hansen deploys OpenService's Security Management Center (SMC). "It collects and understands log data and puts it all together to identify security related trends." A state-based system, SMC gets smarter over time as it becomes seasoned by working within a specific firm's parameters, Hansen notes.

Besides products like SMC, there are tools that can help out once data is earmarked for court. Some of these locate and "image" or copy temp files, caches, or files that have been deleted on local or remote machines. These products can sometimes assign hash algorithms to ensure that a file, once isolated for legal examination, can be guaranteed not to have been tampered with or changed beyond a certain date.

Suppliers of these kinds of tools include ASR Data, Attenex, E-Fence Inc., Guidance Software, Technology Pathways, Wetstone. Another firm owned by Xiotech, Daticon, offers "litigation support services" with an online repository for storing electronic evidence once it's identified. (See Xiotech Completes Daticon Buy and Xiotech Launches Service.)Not even legally oriented forensic products, however, can do the whole job, particularly in a large enterprise environment, according to Eric Robi, president of Federal Forensics Group, a Culver City, Calif.-based consultancy that works with lawyers to provide computer investigations and analysis of electronic evidence.

"None of these tools are explicitly designed for large data centers," Robi maintains. "Because of the potential quality of data, you need an experienced forensics expert along with the network engineer to make intelligent decisions about what to capture."

Without expert help, well-meaning IT managers can actually compromise their electronic evidence, Robi says. "You need a methodology to establish chain of custody -- who has worked on the data and had possession of it. You need verifiability, you've got to know that the data has not been altered in any way." If an IT person pokes around before the data is captured, even to back it up, all bets are off.

Besides Robi's firm, there are a range of other firms that aim to help IT pros ensure their data is ready for the judge.

Table 1: Data Forensic Firms Sampler

Bottom line? The legal issues surrounding stored information have attracted a series of suppliers and service providers. If a company is organized up front, the work involved in going to court might be simply an evolutionary byproduct of well-organized and managed data stores.

Mary Jander, Site Editor, Byte and Switch