The first issue is the new concept of electronically stored information (ESI). Under new rules in the US, all digitally stored records of any type, no matter how they were generated, are covered.
The second issue is that requests for business records now explicitly include digitally stored records – no matter where or how they are stored.
These two changes mean that if you save records of any kind, you need to be able to retrieve them if required in a legal proceeding. Since you would never need to retrieve documents that did not contain the information requested, you need to be able to discriminate between relevant and irrelevant documents.
That means that you need to read every document that you have stored electronically. Since the subject of the request may be buried in the text of the document, scanning the subjects of memos, for example, likely will not go far enough.
Simply finding the document with the required text is not enough, though. You need to be able to show that it is the document that you represent it to be and not an altered version.
This is a forensics issue and we are getting dangerously close to the notion of “if you flip a bit, you must acquit.”
While we have not reached quite that level of required forensic rigor (and are not likely to), the notion of authenticity has been and probably always will be a critical part of evidence management.
To address this challenge, Technology Pathways, developers of the ProDiscover digital forensics tools, are introducing e.s.i.Discover, a tool that finds the content, offers up the document and does it in a forensically sound way.
When I saw this product for the first time, I said, “Yeah, right, another search engine (yawn).” e.s.i.Discover looks, on the surface, like a typical Google-like search engine, but what is going on under the hood is awesome.
To address the forensic issues, and to provide speed and search granularity, Technology Pathways has called on its extensive experience with digital forensics and forensic image analysis. e.s.i.Discover is constantly indexing the enterprise, so that it finds documents no matter where in the enterprise they are stored.
Because the index is always current, searches are blazing fast. Indexes are the most efficient way to search for large numbers of documents. But indexes also allow for a wide variety of search types.
The second benefit of indexes is that they preclude the need to intrude on the documents themselves at the time of searching. That means that documents can be hashed both on discovery and retrieval to ensure authenticity.
On the topic of authenticity and forensic purity, this appliance performs a number of tasks with which forensics experts are already familiar.
For example, documents are hashed to ensure authenticity. All actions by the device are logged and the logs are protected. Exact duplicates of documents are eliminated, reducing storage space. Original file creation data is preserved.
Finally, if you wish to use a computer forensic tool to extract a forensically pure copy of the document (or an image of a disk, PDA, etc.), e.s.i.Discover supports that as well.
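The hashing on discovery and retrieval, duplicate elimination, preserved creation data and logging described above can be sketched as follows. This is an added example, not Technology Pathways' code or e.s.i.Discover's actual design: SHA-256, the in-memory store, the hash-chained log and all names and sample values are assumptions, since the article does not say how the appliance implements these steps.

```python
import hashlib, hmac, json

class EvidenceIndex:
    """Hypothetical index: hash on discovery, re-hash on retrieval, dedupe, chained log."""
    def __init__(self):
        self.blobs = {}    # sha256 hex -> content, stored once per unique document
        self.entries = {}  # path -> recorded hash and original creation time
        self.log = []      # append-only records, each bound to the previous one

    def _append_log(self, action, path, digest):
        prev = self.log[-1]["link"] if self.log else "0" * 64
        body = json.dumps([action, path, digest, prev])
        link = hashlib.sha256(body.encode()).hexdigest()
        self.log.append({"body": body, "link": link})

    def discover(self, path, content, created):
        digest = hashlib.sha256(content).hexdigest()
        duplicate = digest in self.blobs
        self.blobs.setdefault(digest, content)  # exact duplicates share one blob
        self.entries[path] = {"sha256": digest, "created": created}
        self._append_log("discover", path, digest)
        return digest, duplicate

    def retrieve(self, path):
        entry = self.entries[path]
        content = self.blobs[entry["sha256"]]
        now = hashlib.sha256(content).hexdigest()  # re-hash at retrieval time
        ok = hmac.compare_digest(now, entry["sha256"])
        self._append_log("retrieve" if ok else "retrieve-MISMATCH", path, now)
        if not ok:
            raise ValueError(f"{path}: hash changed since discovery")
        return content, entry["created"]

    def log_intact(self):
        prev = "0" * 64
        for rec in self.log:
            recomputed = hashlib.sha256(rec["body"].encode()).hexdigest()
            if json.loads(rec["body"])[3] != prev or recomputed != rec["link"]:
                return False  # a record was edited, removed or reordered
            prev = rec["link"]
        return True

def demo():
    idx = EvidenceIndex()
    memo = b"Q3 forecast: ship the widget in October.\n"  # constructed sample
    idx.discover("/share/a/memo.txt", memo, "2006-11-02T09:14:00Z")
    _, dup = idx.discover("/share/b/copy-of-memo.txt", memo, "2006-11-05T16:40:00Z")
    return idx, dup
```

An unkeyed hash chain like this only proves the log is internally consistent; to detect a wholesale rewrite, the latest link has to be recorded somewhere the log's keeper cannot change.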
And, for all of this, e.s.i.Discover is agentless, so implementation is a snap (once you figure out where your documents are located, of course).
Pricing starts at US$50,000 for an appliance that supports up to a million documents, which I found very reasonable, especially considering that the product can scale up to 40 million documents.
Given the nature of the legal requirements that we see daily and the simple power of this tool, I predict that e.s.i.Discover will become the standard tool for forensic document discovery.
See original article on SC Magazine US