e-Discovery: Real World Lessons from Virginia Tech - PowerPoint PPT Presentation


PPT – e-Discovery: Real World Lessons from Virginia Tech PowerPoint presentation | free to download - id: 5a60ef-YzMzO


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

e-Discovery: Real World Lessons from Virginia Tech


e-Discovery: Real World Lessons from Virginia Tech Institute for Computer Policy and Law Cornell University August 14, 2008 Mary Beth Nash, William Dougherty – PowerPoint PPT presentation

Number of Views:111
Avg rating:3.0/5.0
Slides: 25
Provided by: WilliamD82
Learn more at: http://net.educause.edu


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: e-Discovery: Real World Lessons from Virginia Tech

e-Discovery Real World Lessons from Virginia
  • Institute for Computer Policy and Law
  • Cornell University
  • August 14, 2008
  • Mary Beth Nash, William Dougherty

A little background
  • Unprecedented events have unprecedented
  • At Virginia Tech, among other things, this took
    the form of major impacts on computing systems.
  • For example

A humongous traffic spike
that tested our IT infrastructure
We transferred 432GB of data on April 16(Normal
day 15 GB)Only two months in 2006 eclipsed
that figure
An interesting effect on e-mail traffic.
.that none of us could have predicted.
Working with Lawyers
  • First of all, they prefer the term attorney.
  • Work toward your strengths and specialties defer
    to them for legal advice.
  • Many are technology challenged so often they
    are very happy to have some assistance.
  • Be sure they understand that just because
    something is automated or in electronic
    format does not equate to instantaneous access.

Data Collection and Preservation
  • Timeline 2007
  • April 16th, meeting with central IT Support
    staff (Systems Support, Database Management
    Systems, Web Hosting) steps taken to extract and
    preserve information related to shooter. Similar
    actions taken to preserve data for victims once
    names were released.
  • April 18th-27th Direct Interaction with law
    enforcement (FBI, State Bureau of Investigation,
    Blacksburg Police Dept., VT Police Dept.)
  • April 23rd First preservation memo issued by
    University Legal Counsel

Implications of the Hold Memo
  • Very broad cast a wide net.
  • Included internal and external electronic
  • Included calendar records.
  • Included spreadsheets.
  • Included databases.
  • Included log files.
  • Included audio files.
  • Included video files.
  • Included metadata.
  • Specifically prescribed against modification or
    deletion of data.
  • Restricted standard tape rotation or recycling
    during backup routines.
  • Restricted house cleaning operations such as
    disk de-fragmentation or data compression that
    would result in the loss of data even if the data
    had been purposely discarded.

Data Collection and Preservation
  • Timeline (Continued) 2007-2008
  • May 9th First meeting with consultant
  • May 10th First meeting with departmental I.T.
  • June 7th First image taken
  • Bulk of images (99) completed late November
    2007 last image taken March 5th, 2008 but there
    have been re-dos
  • Now in process of copying file share data stored
    on central NAS

Data Collection and Preservation
  • Backup and Recovery
  • Often data requested will no longer be online
    knowing what is stored on backup media (disk,
    tape, optical) and retention periods and policies
    will greatly aid collection.
  • Just because something is archived or backed up
    doesnt always mean it can be recovered.
  • Data formats may have changed if data is old.
  • Data could have become corrupted on media.
  • System to recover may not be capable of receiving
    back up data under normal conditions.

Data Collection and Preservation
  • Backup and Recovery (continued)
  • Deleted item recoveryas in retrieving data files
    a user has deleted from a host computercan be
  • Even using software tools, files often become
    corrupted after being deleted.
  • Portions of files are overwritten and thus
    reconstructing original is impossible.
  • The Recycle Bin is your friend!
  • Amazing numbers of people do not empty the trash.

Data Collection and Preservation
  • Statistics
  • 27 departments interviewed (including entire
    College of Engineering)
  • 150 individual custodians (over 200 total images)
  • 7TB stored for imaging
  • 10,000 tapes stored from backup systems over
    900TB stored (750,000.00 spent on tapes alone)
  • 5TB of log files stored

Data Collection and Preservation
  • Statistics (continued)
  • Average size of hard disk imaged 80GB
  • Largest disk imaged 500GB smallest 20GB
  • Average image process duration 1.75 hours
  • Longest 27.5 hours (250GB iMac) shortest 20
    minutes (40GB Dell D410)
  • Approx. 1600 person-hours spent on imaging
    process alone.

Data Collection and Preservation
  • NOTE Members of ITSO, colleagues at Cornell, and
    consultants hired reviewed procedures prior to
    use procedures were developed and tested by GIAC
    certified engineers from VT.

Data Collection and Preservation
  • Procedures
  • E-mail personal web site content extraction,
    storage, and transmission
  • To law enforcement and families
  • Initial imaging attempt used network for transfer
    direct to storage with encryption and
    compression network speed presented an issue.
    (Hoped to avoid second step of copying data from
    USB drives to the NAS.)
  • Moved to local USB drives using dd and lzop
    (under a Knoppix environment).
  • MD5 checksum performed on way out and while
    loading to NAS.

Data Collection and Preservation
  • Procedures (continued)
  • GPG Encryption (2K key size) used to store on
  • Keys passed to University Legal and stored in
    sealed envelope in records preservation vault.
  • A few laptops had encrypted data as well
    (BitLocker) keys for those were obtained and
    provided to University Legal as well.
  • Custodians signed and returned documents and
    survey forms.

Data Preservation and Collection
  • Issues
  • Privacy
  • Academic Freedom
  • Research Projects Pros and Cons (Surveys, plus
    funded research).
  • Storage space, both online and in vault.
  • Scheduling length of time required (MACs vs
    Intel products).
  • Equipment in homes.

Data Preservation and Collection
  • Issues (continued)
  • Impact on operations, both staff that performed
    imaging and those who had to give up access to
    their computers during the process.
  • Assisting departments with resources such as
    additional tapes, desktops, servers.

Data Preservation and Collection
  • Issues (continued)
  • Assuming control of resources purchased by/owned
    by other departments.
  • Chain of evidence always had 2 people on site
    documenting various elements includingOwner of
    equipment (used PID) size of device unique
    identifier for image file (especially when
    multiple hosts were in use by individual) time
    to image Cheksum value type of machine (MAC vs.
    Intel no LINUX based workstations in group).

Lessons Learned
  • Document where your data is/are.
  • Centralized services save time.
  • Take time now to meet with your IT Security
    Officer and Legal Counsel.
  • Review your existing data retention policies
    update or modify after consultation with ITSO and
  • Review existing privacy policies and regulations.

Lessons Learned
  • Consider funding extra storage and media for
    data preservation potential for huge amounts.
  • Open dialogues with peers many have been through
    this already.
  • Provide training to key staff in IT (SANS).
  • Forewarn community of processes that will unfold
    if and when necessary. Make sure preservation
    memos make it to the right people. (Dont try to
    show up to perform a 4 hour image operation
    without laying some groundwork first. )

Lessons Learned
  • Ensure space is available in secure, off-site
    location to store media and equipment. Usage of
    such space at VT grew by 350 over normal.
  • If you havent already purchased or investigated
    e-mail archiving products, you may wish to begin
  • Update or prepare your Standard Operating
    Procedures (SOP) document.
  • Include references to applicable policies and
    information about centrally provided services.

  • Governors Review Panel final report

  • Information and Communications Infrastructure
    Group report

About PowerShow.com