E-discovery forensics at CEIC 2010: sorta sexy, sorta scary, not at all niche

This year marked the 10th anniversary of the Computer and Electronic Investigations Conference (CEIC), a show hosted by Guidance Software focusing on digital investigations in forensics, e-discovery and cyber-security.  I’ll be reviewing this event in two posts, because there’s a lot of ground to cover here – check in tomorrow for some show highlights and more on forensics in practice for e-discovery.

As you might guess, both the crowd and the content at CEIC had a heavy technical and practitioner bent, along with a refreshingly low BS-quotient – good attendance and engagement at the in-depth sessions, not a lot of swag-grabbing seat-fillers milling around the exhibition floor.  Forensics has traditionally had strong traction in law enforcement and government, but the new EnCase E-discovery certification exam (EnCEP) and cyber-security track brought in good numbers of private sector attendees from both IT and General Counsel as well.  Overall attendance reportedly grew about 40% this year to 1300.

At this point, some of us without EnCE certification may be wondering, “why is forensics important to e-discovery, and what is it anyway?”

The bottom line in practice is that forensic collection in general, and Guidance’s EnCase evidence file format in particular, have very strong court defensibility.  From a broader market perspective, Guidance is the only US e-discovery software vendor to go public (in 2006), and has an enviable customer base among the Fortune 500.  All this is to say that while forensics is an expert-grade technology, it is not at all a niche.  In fact, Guidance was #1 in our recent user survey for current usage at 23%, while rival forensics vendor AccessData was cited by 11% of respondents planning to purchase e-discovery software or services in 2010.

And what exactly is forensics?  Here I will paraphrase liberally from forensic examiner, attorney and expert at-large Craig Ball:

Computer forensics is the expert acquisition, interpretation and presentation of active, encoded and forensic data, along with its juxtaposition against other available information (e.g., credit card transactions, keycard access data, phone records and voicemail, e-mail, documents and instant message communications and texting).

What kind of data are we talking about?  According to Craig: any systems data and metadata generated by a computer’s OS and software (for example: the date you create an MS Outlook contact), as well as log files, hidden system files, and deleted files.  Many tools also handle encrypted files and have additional functions like scanning images to detect pornography – CSI-grade stuff.

The most familiar forensic method of gathering evidence is imaging an entire hard drive, i.e. creating an exact duplicate of every bit, byte and sector, including “empty” (unallocated) space and slack space, with no alteration or additions to the original data.  The drive is read through a write blocker and the image is hashed at acquisition, so that the copy can be shown to match the original and any later change to it can be detected.  However for e-discovery purposes, processing and reviewing that much data from a large number of enterprise machines would be prohibitively expensive and time-consuming.  Not to mention the risk of finding things you’re not looking for (even potentially criminal material, such as child pornography, whose discovery must be reported by law), and the danger of making incriminating data or deleted files accessible to opposing counsel.  For these reasons (among others), vendors like Guidance offer “targeted collection,” often through desktop agents installed on laptops and PCs which automate searching and collection by specific criteria across the network, at the cost of the unallocated space and deleted files that only a full image would preserve.
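To make the imaging-and-verification idea concrete, here is an added example (not code from the post, from Guidance or from any EnCase tool) that images a constructed 64 KiB “evidence” file bit for bit with `dd`, verifies the copy by SHA-256 of source and image, shows that a “deleted” fragment sitting in otherwise empty space survives in the image, and shows that any later tampering with the image breaks the recorded hash. The file names, the work directory and the planted fragment are all assumptions for the demo; a real acquisition reads the physical device through a write blocker, but the hash discipline is the same.

```shell
#!/bin/sh
# Added example, not from the original post: forensic-style imaging of a
# constructed evidence file with dd, verified by SHA-256. Paths are assumptions.

WORKDIR="${TMPDIR:-/tmp}/forensic_demo.$$"
SOURCE="$WORKDIR/evidence.raw"   # stands in for the original drive
IMAGE="$WORKDIR/evidence.dd"     # the bit-for-bit image we will verify

# Portable SHA-256: GNU coreutils sha256sum, or shasum where that is missing.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Build a constructed 64 KiB "disk": all zeros, plus a fragment planted at an
# arbitrary offset to stand in for a deleted file whose bytes still sit in
# unallocated space (no directory entry points at it).
make_evidence() {
  mkdir -p "$WORKDIR"
  dd if=/dev/zero of="$SOURCE" bs=1024 count=64 2>/dev/null
  printf 'CONFIDENTIAL memo fragment (deleted)' |
    dd of="$SOURCE" bs=1 seek=20000 conv=notrunc 2>/dev/null
}

# Acquire: copy every byte, including the "empty" space, then hash both sides.
# Prints the hash and returns 0 only when source and image are identical.
image_and_verify() {
  dd if="$SOURCE" of="$IMAGE" bs=4096 2>/dev/null
  src=$(hash_file "$SOURCE")
  img=$(hash_file "$IMAGE")
  [ "$src" = "$img" ] && echo "$src"
}

# A file listing of the source would never show the fragment; the image does.
deleted_fragment_present() {
  grep -a -q 'CONFIDENTIAL' "$IMAGE"
}

# Record the image hash, flip one byte, and confirm the hash no longer matches:
# this is what makes a later alteration of the evidence copy detectable.
tampered_image_detected() {
  recorded=$(hash_file "$IMAGE")
  printf 'X' | dd of="$IMAGE" bs=1 seek=0 conv=notrunc 2>/dev/null
  [ "$recorded" != "$(hash_file "$IMAGE")" ]
}

cleanup() { rm -rf "$WORKDIR"; }

# Stand-alone run: acquire, verify, inspect, clean up.
make_evidence
if H=$(image_and_verify); then
  echo "image verified, sha256=$H"
fi
deleted_fragment_present && echo "deleted fragment recovered from image"
cleanup
```

The point a practitioner should take from the block is the order of operations: hash the original, copy everything including the unallocated bytes, hash the copy, and keep the recorded hash with the image so that the chain of custody can be checked at any later time. `conv=noerror,sync` is the usual `dd` addition for failing media, but note that it pads short reads with zeros, so the image hash will then differ from the source hash by design.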

Tomorrow’s post will feature CEIC highlights from users, vendors and speakers, plus more on forensics and the e-discovery use case.  In the meantime, for some additional perspective check out #CEIC on Twitter [update: or #CEIC2010], or blog coverage from Craig Ball, Chris Dale and Josh “Bowtie Law” Gilliland of D4.  Many thanks to them and to the others who shared their experiences with me.  Stay tuned.