Saturday, September 1, 2007

Get Ready For a Whole New Vista on E-Discovery

By: Courtney David Mills
IPA Technology Director and Litigation Paralegal at Hall Render Killian Heath & Lyman, P.C.

Just when you were getting comfortable with the amendments to the FRCP, terms like “electronically stored information”, and the latest litigation support software, Microsoft has come along to rain on your parade. Microsoft has introduced its newest operating system, Windows Vista, and its companion office suite, Office 2007. These products have a full bag of tricks to make Electronic Data Discovery (“EDD”) more challenging and more important than ever. This article will discuss Vista’s security features, shadow copy tracking, and the new file formats and PDF support offered in Office 2007. It will also discuss the practical impact of these features on the EDD process. One of the most probable impacts will relate to Vista’s encryption feature, Bitlocker.

Bitlocker:

Bitlocker is a very sophisticated form of drive encryption that is built into the Enterprise and Ultimate editions of Vista. It is a hardware-based solution rather than a software-based solution. It is built on 128-bit encryption, which is the same level of security used by most online banks or government information sites (in geek terms, it is another way of saying that there are 2^128 possible keys and that it is nearly impossible to crack using brute force). Bitlocker is characterized by multiple layers of security during the boot process. The current options include (1) entering a PIN code while the computer is booting up, or (2) inserting a USB key during the boot process. Either of these methods will still require a standard Windows password during the login process. Once logged in, you may still encounter encrypted files or entire folders that are encrypted.

The impact of this feature on EDD and computer forensics can be alarming. In today’s litigation environment, it is still relatively rare to encounter large amounts of encrypted information in the corporate environment. In fact, many companies have a policy against encrypting files without express permission. Certain areas of law that deal with large amounts of sensitive information, e.g., health law, will almost certainly integrate this function into their IT policies. Bitlocker was designed for companies with mobile workforces that often carry large amounts of sensitive information, e.g., health records, social security numbers, and credit card information. It is not uncommon to hear a story on the evening news about a company losing an employee laptop with sensitive information on thousands of customers. Often, the cost of the laptop is irrelevant when compared to the costs of waging a public relations campaign or potential litigation exposure. With Bitlocker, a lost or stolen laptop is not as serious a concern because a user would need two methods of authentication to even turn on the laptop. Also, since Bitlocker is a form of hardware-based security, users cannot simply move the hard drive to another computer in order to access or crack it. This aspect presents a unique problem for EDD experts. Clients may no longer be able to simply remove and store a hard drive to meet EDD preservation obligations. It may be necessary to decommission the entire laptop and preserve the laptop (with hard drive intact).

To make the matter even more difficult, there is reportedly no “back-door” (a secret security protocol that allows law enforcement officials to access encrypted drives or files) to Bitlocker. This point has become an issue of contention between Microsoft and the FBI. In other words, if you receive a laptop from a client that was confiscated from an employee who was being discharged and the laptop has Windows Vista with encrypted files, do not plan on simply sending the laptop to your firm’s IT department. You will need to hire a computer forensic expert and possibly a computer cryptologist to attempt to bypass the encryption.

Shadow copies:

Another interesting feature of Vista is the built-in shadow file function that will save a shadow copy of files that you are working on at pre-established intervals. This feature is referred to as “Transactional NTFS” or “TxF”. It essentially creates point-in-time copies of files as you work so that you can retrieve versions of files that may have been accidentally deleted or saved over. This feature is available on the Ultimate, Business, and Enterprise versions of Vista. This feature can be configured to work on a single file or an entire folder.

The impact of this feature on EDD cannot be overstated. This feature will eliminate the damage caused to the “last access time” metadata field when a person peeks at a document without a write protector, or when an antivirus program scans a file. It will also create a very significant “version trail” of a document that can easily be the smoking gun in a given case. This function is very similar to the “document history” index that is available with many document management programs. This feature also makes the process of preserving and producing such information much more important. For years, I have told attorneys that metadata is, more often than not, irrelevant in particular types of litigation. This axiom may no longer be accurate. While metadata fields such as “last access time” are usually not very helpful in everyday litigation, information showing different versions of a letter (such as the first draft of the letter drafted in the heat of the moment) can be invaluable evidence.

File Formats:

One of the features of Vista that has frustrated just about everyone I know in the legal field is the creation of new file types. Not only does Office 2007 have several new programs, it features new file formats. Office Ultimate 2007 includes: Accounting Express 2007 (an accounting program), InfoPath 2007 (a form and template program), Groove 2007 (a project and document collaboration program), and OneNote 2007 (a program that can potentially act as a litigation support program to create virtual trial binders). Some of the new file formats include: .docx (Word 2007), .xlsx (Excel 2007), and .pptx (PowerPoint 2007). These new file types are not even readable in Word 2003 without downloading an update from Microsoft.

Another interesting change with Office 2007 file types is the ability to save files in XML (a type of computer code language). This feature will essentially allow EDD professionals to redact files in native format. This feature will likely continue the trend of EDD productions in native format and also challenge the generally held belief that “you cannot redact files in native format”.

These new file types (just like any other file type) offer new features and frustrations during the EDD process. It was less than a year ago when I spent an entire luncheon with several attorneys discussing the difference between .pdf, .doc, .txt, and .tiff files in the EDD process. I mentioned that it is almost always okay to accept .doc files in some kind of converted or quasi-native production, but would always recommend .xls files be requested in native format. Based on the features discussed above, I now suggest that .docx files be produced in native format.
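
The native-format redaction point above, as an added example that is not part of the original article: a .docx is a ZIP package of XML parts, so text can be replaced inside the XML and the result checked part by part. The two-part sample package, the SSN-style pattern and the function names are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("w", W)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # constructed sample pattern

def build_sample_docx() -> bytes:
    """Constructed, stripped-down .docx-style package (two parts only)."""
    doc = (f'<w:document xmlns:w="{W}"><w:body>'
           '<w:p><w:r><w:t>Patient SSN 123-45-6789.</w:t></w:r></w:p>'
           # Same kind of value, but split across two runs by the editor:
           '<w:p><w:r><w:t>Alt ID 987-65-</w:t></w:r><w:r><w:t>4321</w:t></w:r></w:p>'
           '</w:body></w:document>')
    notes = (f'<w:comments xmlns:w="{W}"><w:comment w:id="0"><w:p><w:r>'
             '<w:t>Confirm 123-45-6789 with HR</w:t></w:r></w:p></w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/comments.xml", notes)
    return buf.getvalue()

def redact_docx(data: bytes, pattern, mark="[REDACTED]"):
    """Replace matches inside every w:t text node of every XML part."""
    hits, out = 0, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            raw = src.read(name)
            if name.endswith(".xml"):
                root = ET.fromstring(raw)
                for node in root.iter(f"{{{W}}}t"):
                    node.text, n = pattern.subn(mark, node.text or "")
                    hits += n
                raw = ET.tostring(root, encoding="utf-8")
            dst.writestr(name, raw)
    return out.getvalue(), hits

def residual_parts(data: bytes, pattern) -> list:
    """Parts whose tag-stripped text still matches, e.g. a value split across runs."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [n for n in z.namelist()
                if pattern.search(re.sub(r"<[^>]+>", "",
                                         z.read(n).decode("utf-8", "replace")))]

if __name__ == "__main__":
    redacted, hits = redact_docx(build_sample_docx(), SSN)
    print(hits, "replacements; parts needing manual review:",
          residual_parts(redacted, SSN))
```

The comment part is redacted along with the body, while the value split across two runs survives the per-node pass and is reported by `residual_parts`, which is why a native-format redaction should be verified across the whole package before production.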

PDF Support:

There has been an ongoing feud over the last few years between Adobe and Microsoft. Unfortunately, the feud has spoiled what could have been a great partnership of two great products, Adobe Professional 8 and Microsoft Office 2007. As it currently stands, the two products are not compatible. This is coming from someone that had to test this claim for himself. There are updates that users can download to perform simple functions such as print to PDF, converting files, etc. However, users that want to convert entire email folders to a PDF package must use Office 2003.

Conclusion:

Although it should not be cause for widespread panic or rioting in the streets, the impact of Microsoft Vista and Office 2007 on the EDD process is considered one of the most important themes for the coming months and years. The wait-and-see approach of companies to adopting Windows Vista and Office 2007, coupled with the delay period between incidents and litigation, will likely allow the legal field a little more time to become acquainted with the issues discussed above. It is important to keep in mind that many of the features discussed above (Bitlocker and the shadow copy feature) are only relevant on certain versions of Windows Vista (there are five different versions of Vista to choose from). It is important to know which version of Vista your client or the opposing party is using. For those of you just getting used to Windows XP and Office 2003, do not worry. The riots will not start for at least a few months.

3 comments:

Anonymous said...

geek term clarification: "2128 possible keys" should read "2^128 possible keys." 128-bit means a 128 binary digit number. 2 to the 128th power. That's 2 multiplied by 2 128 times over, which is more than 339,000,000,000,000,000,000,000,000,000,000,000

Indiana Paralegal Association said...

Thank you for the clarification. I keep forgetting that the blog entry does not pick up the formatting of superscript. I didn't even think to just add sign in there. Thanks again.
