Disclaimer: We are in no way affiliated with the owners or creators of the tool(s) described below; it's just something we've used regularly that's saved us from many hours of lost time and frustration.

Most E-Discovery projects are going to involve a lot of files. This can be thousands of native files or the hundreds of thousands of TIFF and TXT files involved in a load file production. Moving or copying large quantities of files can be a very time consuming process that can delay a review and tie up resources. In addition to speed constraints, traditional copy methods have several shortcomings including lack of verification, inability to handle errors, and more. To rectify this problem, we decided to conduct several tests to find a better way to move our files from disk to disk.

Before any files are moved, we need to look at how they are stored on a hard drive. When a file is saved to a drive, it is stored on a section of the drive called a cluster. Each cluster has a limited size (varying sizes based on the drive) and only one file can be placed in side. If the file size is smaller than the cluster, the extra space will remain empty. If the file is bigger than the cluster, it will carry on to another cluster. Because of this, one hundred files that are smaller than the cluster size will occupy one hundred clusters while one large file that is equal to the size of all one hundred of the smaller files may occupy as few as one cluster. Now that we know how these files are stored, we can look at how the computer is going to move them. When we want to move the large file, the computer only has find one cluster to obtain the information to be copied. To obtain the smaller files, the computer is going to have to find one hundred different clusters which in most instances are not near each other on the drive. From our perspective it is like moving one file folder from a file cabinet to another as opposed to having to move one hundred folders that aren't in the same drawer. Based off this concept, we tested and show that one large file copied faster than lots of smaller files of equal capacity.

After determining that a single large file transferred faster, our next test involved zipping the files. Zip programs allow us to combine multiple files into a single container file. Using both WinRAR and 7-zip (two popular zip programs), both programs were able to compress all the files into a single load and transfer to the destination drive in a fraction of the time that the traditional copy took. Next we had to unzip (uncompress) the files to make them ready for use. While zipping was looking promising, it showed to be ineffective during this uncompress phase which ended up taking just as much time as the traditional copy.

From here we looked at software programs that specialized in copying files. After testing several free tools with little to no success we came across Teracopy. Our tests showed that Teracopy greatly improved transfer time. Not only did it prove more time efficient, it included several additional features that make this a well rounded program. Unlike traditional copy methods, Teracopy easily deals with errors during the copying process. Normally, the entire copy process would be canceled if a file encounters an error and you would be left without knowing what files were not copied. If an error occurs using Teracopy, the program will continue with the rest of the workload and create a log of the files that were troublesome. This allows for an easy review of the files that failed to copy so that they can be handled appropriately. Teracopy also analyzes each original file's "digital fingerprint" and compares it to the copy to ensure an accurate copy. A stop and start feature is also included just in case the process needed to be paused for any reason. Teracopy can also be installed to take the place of traditional Windows copy so that drag-and-drop copying is seamless. When tested on smaller data sets, Teracopy did not show to be much more speed efficient than traditional Windows copy but the added features still made it the choice method of moving files.

During a recent investigation, Jones Dykstra and Associates was asked to acquire information from a Western Digital (WD) Passport 2 external drive with a USB Mini-B interface.  When we plugged this hard drive into our Tableau T8 USB forensic bridge in order to write-block it, the device was not recognized.  Since all of the WD Passport drives we tried previously had worked with this write-blocker, the problem was unexpected.  We made sure that our firmware was up to date and swapped out different USB cables and T8s, but continued to experience difficulties.

To sort out the issue, we called Tableau tech support.  Tableau informed us that certain drives do not receive enough power from the T8, and that a powered USB hub was required for these drives to work.  We connected the Passport to a Belkin USB 2.0 4-port powered hub.  The drive remained unrecognized.

Tech support could not figure it out; they mirrored our setup, but had no problems.  After a few minutes of comparison, we figured out that the only difference was that Tableau tech support was using a USB 1.1 powered hub, but we were using a newer USB 2.0 powered hub.  When they switched over to a USB 2.0 hub to match our configuration, they immediately experienced the same problem we'd been having, and confirmed that this was a new compatibility issue with USB 2.0 hubs.  Our support request was forward this to their engineering group, but we were given no timeframe for an expected fix; Tableau's only workaround was to use USB 1.1 instead of 2.0.

At this point, there are a few questions some might ask:

• Why not just remove the casing from the external drive and use the hard drive's interface instead of the enclosure's USB? Like many other currently-produced externals, the WD Passport 2 is basically one piece of sealed hardware; these drives are not merely easily-removable laptop drives inside enclosures.
• Well, then why not just use USB 1.1 instead, as Tableau suggested? USB 2.0 can transfer data at 480Mbps, which is forty times faster than USB 1.1. For standard, low-volume transfers, USB 1.1 might be acceptable, but when duplicating hundreds of gigabytes of data, using 1.1 could delay work on a project by days.

Since Tableau could not provide us with a workaround other than to use a version of USB that is unacceptably slow, we sat down and came up with a workaround that utilized USB 2.0 transfer speeds and is even cheaper than buying a 1.1 hub: we swapped out the powered hub with a special USB cable known as a "Y cable."

A USB Y cable (shown here) is made up of two type-A male USB connectors and one type-A female USB connector.  The Y cable's male connectors include one normal USB connector (which transfers both data and power), and one that is dedicated to providing the device with power.  We could therefore plug the WD Passport's USB cord into the female end of the Y splitter, then connect the standard male USB into the T8, and connect the male dedicated power connector to any available USB port on our computer.  We tested this setup as if the bridge was being used as intended by Tableau, and the WD Passport was both recognized and write-protected.

We contacted Tableau with this solution on October 29, 2008, and they acknowledged our workaround as a viable solution to this problem.  If you are experiencing the same difficulties write-protecting your external drives, USB Y cables for our workaround can be purchased on Amazon.  Until the USB 2.0 compatibility issue is resolved, this is the cheapest and most efficient workaround we know of.

We'll keep you apprised of any new developments.

When Windows Vista was announced, a few of the new features (most notably the User Account Control (UAC) and BitLocker Drive Encryption) sparked great interest in the security and forensics community.  As these features have slowly become documented and better understood, the intricacies and less publicized changes in the newest Microsoft OS are being more closely examined.

One such change, which was included to increase Vista's performance, is a change in the NtfsDisableLastAccessUpdate registry key value.  This value is now set to a 1 (true) instead of a 0 (false) by default, which means that the "last accessed" timestamps of files and folders will no longer be updated in Windows Vista.  While some might see this as a major evidentiary sacrifice for a minor boost in performance, it's really not; computer forensics experts already know that MAC times, and more specifically, access times, should never be taken at face value.

Aside from the ability to be changed intentionally by the user (by readily-available programs like Metasploit's Timestomp), MAC times can be inadvertently changed when files are accessed by automated programs like backup software, thumbnail creators, and virus scanners, and mass-altered when files are copied or moved.  Access times are also only guaranteed by Microsoft to be accurate to within one hour of the time of access, and in cases where chronological precision is key, a timestamp of this granularity might lead an investigator to adopt a false conclusion.  And lastly, disabling the last access time is not a new concept; the ability to stop Windows from updating this timestamp is available whenever one uses NTFS (NT/2000/XP/2003/Vista), and has been long-reported by the "OS tweaking" web sites out there as a performance booster.  Running into computers with this tweak enabled is nothing new, as users looking for performance gains have been using it for years on multiple operating systems.

While MAC times are useful when corroborated with other evidence (registry entries, .lnk files, MRU lists, file metadata, etc.), many computer forensics experts already know to be extremely wary of file system timestamp information.  Let's have Microsoft's decision to turn off the "A" in "MAC times" serve as a reminder that these timestamps should be used only as a starting point in investigations; they are not the only piece of evidence we rely on for temporal analysis, and they should not be treated as such.

In the last few weeks we have witnessed the passing of the Wall Street bailout package, the sub-prime lending crisis and the downfall of a few major banks.  Needless to say, these days money is in short supply, and keeping money in the bank is more important than ever.  E-Discovery is often an important part of the litigation process, and it can be a very expensive process if you're not careful.  With that in mind, I would like to suggest a few steps that can help keep your E-Discovery costs manageable and save you money over the life of your project.

Step One

Make sure you bring in the right Computer Forensic/E-Discovery company from the beginning.  While this may seem obvious, it is probably the most important step.    I have worked on at least three cases in the last year where JD&A was called in to replace another company that could not live up to all the promises they made.  Having to replace one vendor with another is always going to incur additional costs to you or your client.  It will take time for a replacement to come in, figure out the situation, and relearn (if not completely redo) everything the previous company did, and all of these actions will increase the total cost.  Paying the bills is never fun; it is even less enjoyable if you have to do it twice for the same service. 

It pays to spend a little extra time when shopping for your E-Discovery vendor.  Do your research; just because a firm provides the lowest bid or is the biggest name doesn't mean they are qualified. Consider the source of the information. Did you get the quote from a sales person, or from someone that will actually be performing the work? Don't forget to talk to colleagues; one of the best ways to find reliable help is through other satisfied customers.

Can your potential vendor provide you with a list of references so that you can check the quality of their work?  You want to look for reliable vendors that do a lot of repeat business with their clients.  This is a good sign a vendor has their clients' best interests in mind, and the vendor is not out to run up a huge bill on a one-time engagement and never do business with that client again.  Spending the time up front greatly reduces the risk of having to replace your vendor halfway through an E-Discovery project, and will therefore save you money.  Once you find the right company to handle your E-Discovery project, it is time to get them involved in your decision-making process.

Step Two

Bring your Computer Forensic/E-Discovery expert into the loop as early in the project as possible.  Assuming that you spent the time to find a quality firm, you should make use of your expert to his or her full potential.  Clients hire attorneys to help make important legal decisions because matters of the law should be handled by well-trained professionals.  The same is true when a law firm hires an E-Discovery firm to handle an ESI (Electronically Stored Information) project.

Another important goal in the early stages of an E-Discovery project is putting your expert in touch with your or your client's IT staff.  Sometimes when technical information has to go from IT person to lawyer and back to IT person it can become misrepresented and misunderstood.  In this situation it is best to let the IT professionals (both the IT staff and your Computer Forensic/E-Discovery experts) have a meeting of the minds, which could happen in your presence.  During this meeting, your expert will develop an accurate understanding of what the E-Discovery project entails, allowing them to be better prepared if on-site work is required, since the type and amount of equipment needed varies greatly by situation. The result is less time spent on-site trying to figure out any unknowns. If this work is being done on an hourly basis, then you want it to go as smoothly and efficiently as possible.

You should consult with your expert early and often about the scope and details of the ESI aspect of the case.  Your expert can help you determine what types of data or information sets can and should be collected.  Your expert can help you identify data stores you may not have considered or are unaware of, such as source code repositories or wikis. 

Acquisition can be expensive; why collect data from sixty laptops and six Email servers if data relevant to your case is only found on one-third of those systems?  Instead of casting a very broad and costly net, allow your expert to provide his recommendations to narrow the acquisition scope down to a smaller set of systems with the highest probability of containing relevant data.  The same is true when requesting information from opposing counsel.

Law firms often have a difficult time sorting through data provided by opposing counsel through the discovery process.  We find that law firms routinely agree with opposing counsel to share TIFFs and text extractions of the native files.  This presents several problems, the most important of which is this: without native files, what do you compare the TIFFs and text extractions to in order to assure accuracy?  TIFFs are not easily searchable, and text extractions are created by passing a file through an OCR (Optical Character Recognition) program, which can be inaccurate 

You should involve you E-Discovery expert when making any ESI discovery requests.  They can make sure you are asking for the right data in the best format possible. By doing so, you can save money down the road by avoiding costly review problems due to poor data quality or irrelevant data.

Step Three

Keep your keyword search list(s) short and to the point.  If you've spent the time and consideration to collect only the relevant data you need and you've thus far kept acquisition costs down, then why ruin it now by running a hundred search terms against it?  Think of the E-Discovery process as a funnel.  You and your expert have already culled the amount of data down significantly by identifying and forensically acquiring only the systems that had the highest probability of containing the relevant data.  Now you will cull this data down even more by developing a set of quality search terms that will, in turn, provide quality responsive data.  Notice that I stress quality over quantity; your end goal is to be left with a small amount of highly responsive data to review.

In order to avoid unnecessary amounts of data, your expert should be consulted when creating keyword searches to be run against the ESI you have collected; they can help to avoid producing large amounts of false-positives by reviewing your terms.  An example of this might be searching for a company's name that also happens to be a program commonly used by Windows.  We have seen some unsuccessful search terms in the last year, such as the number 200, the word Yahoo, and a person's name, which hit on every single email that he sent because his emails contained a signature block. 

Allowing your E-Discovery expert to be involved in the creation of your lean and mean search term list will potentially reduce costs substantially in the project. Having a smaller search list doesn't mean it will miss data that a larger list would pick up.  Your goal is to create the smallest set of terms that you know are going to be highly responsive to the data you are looking for, while avoiding terms that will create large numbers of false-positive hits.

If you input a smaller, more refined set of search terms, your output will be a smaller, more refined set of highly responsive data.  That means you will save money on your load file production cost, which is usually charged per gigabyte.  Inevitably, your refined data set will cost less to host than a larger data set containing tons of false-positives.  Finally, a small, highly responsive data set takes less time to review, and this labor is usually performed by outside contractors at an hourly rate; less review time equals less hours billed by reviewers.

Money is tight these days, but if you follow these steps you should be able to save some extra cash on a future E-Discovery project.  Don't forget that a cheaper E-Discovery project will also make your client happy, and a happy client is a client for life.