Once upon a datacentre…
eMag Solutions completed a comprehensive, end to end e-discovery engagement this month. The project was to be completed on behalf of the Spanish arm of a global catering organisation, who were investigating some evidence of fraud within their workforce. A very successful global law firm, who were already an existing client of the US division of our firm, were the link between eMag and the organisation.
Before eMag could even gain access to the required back up media and computers, there were many legislative and security regulations to consider. As a result, the security and confidentially documentation took over a week to resolve. The security measures required were documented in the Spanish Royal Decree of 1999; this decree specifically requires the highest levels of security be employed for personal data. In particular, it requires that the data is not to be transmitted via any form of telecommunications.
The Science Bit
In its entirety, the project required the restoration of two LTO backup tapes, one an exchange backup and the other a file server, in addition to the investigation of three laptop computers. The restored /imaged data was then to be de-duplicated, and a thorough search for specific key words and phrases as supplied by the law firm. The responsive data then needed to be converted into a format which would allow accessibility and ease the review process.
Tape number one contained the information created on an Exchange backup system. This tape restored with no real difficulties, until the team attempted to open the Exchange Database (.edb), when it was revealed that the majority of files were corrupted. eMag then decided that the most successful way to rectify this problem would be to process the files using our in house propriety software. As a result, access was gained with a minimum number of corrupted attachments (less than 3%!). This enabled the technicians to proceed with the extraction of the 17 named custodian?s data.
Tape number two consisted of a backup from a network file server which contained the user directories of approximately 500 employees. This LTO2 tape had a medium error, some 12GB into a 127GB data set. After many attempts to restore the data using everything from different tape drives to different handlers, it was left to our head technician to determine what needed to be done in order to read the tape. If the least complicated route was taken, 60GB of data would be lost, which incidentally would have been 75% of the required data. The head technician used a number of different utilities and applications, each offering a little more than the last, until he was able to restore the necessary amount of data. Once restored, 10 of the 17 named custodians data was found to be backed up onto this particular tape. The data was then easily extracted and converted into an easily accessible and readable format for the client
With both tapes successfully investigated and restored, all that remained was to interrogate the three laptop computers. This involved the imaging and extraction of the laptop data, and in particular an intimate knowledge of ENCASE version 5. Once the imaging and extraction was complete, the data was de-duplicated with the data extracted from tapes 1 and 2. The final step required a key word search on the resultant files to highlight the responsive data.
The Happy Ending
The evidence was extracted quickly and cost effectively, whilst allowing for constant on-site review and cost control. Throughout the project, careful adherence was made to strict foreign data management laws, and with an eMag Spanish interpreter on standby the client had complete control of every situation. 24 hour project and technical support teamed with a rapid extraction, meant that the law firm were quickly and cost effectively able to provide their client with the evidence needed to support their claim.
Recent Comments