My name is Scott Lefton and I’m a spoliator…
And you might be too…
For those of you who might not know what “spoliation” is, here’s one definition:
- Spoliation of evidence (from Wikipedia):
Spoliation of evidence is the intentional or negligent withholding, hiding, altering, or destroying of evidence relevant to a legal proceeding.
You’ll notice the word “negligent” in there, and that’s the kind of spoliation I think we are all most guilty of. It’s not that we are really trying to alter evidence, but the fact is we do it every day simply by using the Windows Copy, Cut, or Paste functions, or even by opening files to review them. No, that doesn’t necessarily mean that you are about to get sanctioned or that your current processes are broken, but I think things need to change in the industry in terms of how the majority of us lit support personnel, paralegals and attorneys intake evidence, process or load evidence into a review platform, and, most importantly, how it is maintained throughout the life of a case.
In this post, I’m going to show you one of the coolest tools we have; it’s a staple in the forensic community with a cult-like following, but I’m pretty sure most paralegals and lit support folks have never heard of it. It’s called FTK Imager. It’s FREE, incredibly simple to use, and you can download it here:
FTK IMAGER AND WHY THIS IS IMPORTANT
FTK Imager is a preview and imaging tool. You can open the contents of a file folder, a physically attached hard drive, a CD/DVD, a thumb drive, a forensic image, just about anything you can think of. It allows you to open or preview your discovery data and create a forensic image WITHOUT altering any of the source metadata!!!! From within FTK Imager you can then create an .ad1 or .e01 forensic disc image which, guess what- drum roll please……
can be directly imported into Summation!!!
Using forensic disc images has three main benefits (plus a couple of practical extras):
- It maintains the chain of custody
- It preserves all source metadata
- It can be directly imported/processed in Summation WITHOUT the need for a load file!!!
- You can apply compression to the image file to save space. This means you can actually make your evidence files smaller than the original and take up less space on your network
- You can apply encryption and protect images with a password for additional security/protection
SUMMATION AND FORENSIC IMAGES
In case you’re wondering, when I say “image”, or “forensic disc image” I’m not talking about a .PDF or .TIFF. I’m referring to an evidence container which is a bit-by-bit copy of the original data, and ensures the preservation of the associated metadata. FTK Imager can produce industry standard disc images, common types are .AD1 and .E01. One incredibly powerful new feature of Summation is the ability to directly ingest not just our own .AD1 files, but all of the industry standard types. I’m going to quickly walk you through how easy FTK Imager is to use and how you can process an .AD1 in Summation.
FTK IMAGER/SUMMATION WORKFLOW
A CD/DVD or thumb drive has just landed on your desk from your client. Here is the typical process that I see occurring at most firms. You pop it into the CD tray, open the CD in Windows Explorer, and start to browse the data. Then, if you determine you need to load this data in Summation, it is copied to the network and loaded from there. From time to time you may also open the files from the network share to view the content. Unfortunately, this very typical workflow most certainly alters the metadata. First, you altered the “created date” metadata stored by Windows when you copied the files to the file server, and secondly, you altered the “last accessed date” of each file. Additional metadata for any file opened for a quick look may also have been altered. Hopefully those are the only things! Another flaw with this workflow is the simple fact that the files remain in a vulnerable state, in terms of spoliation or alteration, as long as they are not put in some kind of container, like a forensic image or a .zip file. Once the files are protected within an .AD1 it is impossible for someone to open the file itself, thereby preventing any alteration of the file.
So, I’m proposing a simple, safer, and more defensible workflow by using FTK Imager before loading discovery evidence into Summation.
USING FTK IMAGER WITH SUMMATION – The basic steps
Step 1: Insert media into your computer (CD/DVD, Thumb drive, External Hard drive, etc.)
Step 2: Launch FTK Imager.
Step 3: Click “Add Evidence Item” under the file menu.
Step 4: Select Source – pick Physical drive, Logical drive, or Contents of a folder.
Step 5: Browse to the source, or enter the filepath ex: D:\Native files
Step 6: Click finish.
Step 7: You will now see the contents of the folder in the Evidence Tree and File list panes.
Step 8: From here you can choose what files you want to create an image of by right-clicking and choosing “Add content to custom” in the file list. Or you can create an image for any drive or folder by right-clicking the items in the Evidence Tree and selecting “Export Logical Image”.
Step 9: Follow the export instructions, choose a destination, and give the image a name (<name>.ad1). I’d recommend also selecting “Verify images after creation” and “create directory listing”. These are very handy for reporting purposes and for maintaining the chain of custody, and they can be used later in the discovery process to prove that metadata has been preserved, for example when we produce the data or admit it as evidence at trial.
Step 10: Login to Summation, click the add evidence button, and choose your newly created .AD1 image!
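To make the two points above concrete (the workflow section’s warning that a plain Windows copy changes file timestamps, and Step 9’s “create directory listing” / “Verify images after creation” options), here is an added Python example that is not part of the original post and not an AccessData tool. It records size, modified time and SHA-256 for every file in a folder, then compares a later listing against that baseline, so you can show exactly which files changed content and which only changed metadata. The folder, file names and the 2000-01-01 timestamp are constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Size, whole-second modified time and SHA-256 of one file (hashed in chunks)."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def directory_listing(root: Path) -> dict:
    """Relative path -> record for every file under root: a simple chain-of-custody manifest."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_listings(before: dict, after: dict) -> dict:
    """Per-file differences: which fields changed, plus files that vanished or appeared."""
    diffs = {}
    for rel, rec in before.items():
        other = after.get(rel)
        if other is None:
            diffs[rel] = ["missing"]
            continue
        changed = [k for k in rec if rec[k] != other[k]]
        if changed:
            diffs[rel] = changed
    for rel in after.keys() - before.keys():
        diffs[rel] = ["unexpected"]
    return diffs


def demo() -> tuple:
    """Constructed sample: an 'evidence' folder copied two ways, compared against its baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "sub").mkdir(parents=True)
        (src / "memo.txt").write_bytes(b"board memo, Q3")             # constructed content
        (src / "sub" / "ledger.csv").write_bytes(b"date,amount\n2009-01-02,100\n")
        old = 946684800                                                 # constructed: 2000-01-01 UTC
        for p in src.rglob("*"):
            if p.is_file():
                os.utime(p, (old, old))
        baseline = directory_listing(src)
        naive = Path(tmp) / "naive_copy"        # like a plain drag-and-drop copy: content only
        shutil.copytree(src, naive, copy_function=shutil.copyfile)
        kept = Path(tmp) / "preserved_copy"     # copy2 also carries the timestamps across
        shutil.copytree(src, kept, copy_function=shutil.copy2)
        return (compare_listings(baseline, directory_listing(naive)),
                compare_listings(baseline, directory_listing(kept)))
```

Running `demo()` shows the naive copy flagged on `mtime` for every file while its hashes still match, and the timestamp-preserving copy reporting no differences; the same baseline-versus-later comparison is what a directory listing taken at imaging time lets you do months later.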
IN SUMMATION (pun intended)
FTK Imager is really an invaluable tool that has been wholly adopted by the digital forensic community at large for many years. It is widely used by law enforcement, government agencies, and corporations to safeguard digital evidence and preserve it in a forensically sound manner. While this is a forensic tool, in my opinion it has great value to law firms and legal personnel dealing with any kind of electronic evidence. In addition, it will greatly improve the way our Summation users load and process data and maintain their evidence. The biggest benefit of using FTK Imager upstream of Summation is that it takes all the pain out of trying to load data with load files! We all know how much of a nightmare load files can be sometimes…
To be clear, I am NOT advocating that copying and pasting in Windows is necessarily wrong or will definitely result in spoliation accusations. Major spoliation claims are rare for your average civil suit. What I am advocating is that there is a more efficient and less risky option for handling evidence, especially for Summation users. This powerful new data ingestion option can make your firm’s ediscovery processes much more defensible, minimize risks, and steer clear of questions related to chain of custody. The fact is, plaintiffs’ attorneys continue to become savvier with ediscovery requests and negotiating ESI exchange protocols, and they are looking for any signs of spoliation. Spoliation accusations are no doubt costly and distracting, and can potentially lead to hefty sanctions regardless of the true merits of the case! By using FTK Imager you can take some simple steps to ensure you are well prepared in the event someone questions the integrity of your documents and metadata.
FTK IMAGER AND SUMMATION STEP BY STEP
Follow my lead as I walk through the creation of an .AD1 image from a simple folder on CD and load it into Summation: