
The Truth Will Set You Free: Leveraging Forensic Technology to Achieve Intelligent Search

The value of computer forensic technology beyond criminal investigation is becoming widely accepted, as evidenced by a report published in December 2010 by The Council on Library and Information Resources in Washington, DC. "The same forensics software that indexes a criminal suspect's hard drive allows the archivist to prepare a comprehensive manifest of the electronic files a donor has turned over for accession; the same software that allows the forensics investigator to create an algorithmically authenticated 'image' of a file system allows the archivist to ensure the integrity of digital content once captured from its source media; the same data-recovery procedures that allow the specialist to discover, recover and present as trial evidence an 'erased' file may allow a scholar to reconstruct a lost or inadvertently deleted version of an electronic manuscript - and do so with enough confidence to stake reputation and career." [1]

Today the realms of information management and digital investigations clearly intersect. Yet, there remains confusion around the idea of using a forensic solution for the purposes of enterprise search. The phrase "computer forensics" can be intimidating for those outside the IT department, and non-forensic search vendors are more than willing to perpetuate the confusion. However, forensic analysis capabilities are integral to achieving intelligent search, and there are solutions available that not only enable intelligent search, but provide a collaborative environment to facilitate information sharing, more effective early case assessment and more efficient compliance auditing.

This article is intended to shed light on some common misconceptions regarding forensic technology and illustrate for the reader how such an electronic discovery platform can augment your current processes and information management infrastructure.

Computer Forensics Does Not Require Full Disk Imaging

Contrary to the implications made by search vendors that don't have roots in computer forensics, search solutions built on computer forensic technology do not require full disk imaging. There are electronic discovery platforms built on industry-standard computer forensic technologies that have met the high standards required in a court of law, and while these solutions are able to forensically preserve an entire hard drive, they are designed to facilitate complex, targeted enterprise search and collection. These solutions are widely used for many purposes such as e-discovery, compliance auditing and FOIA requests. However, the fact that a solution built on forensic technology gives you the option of full disk imaging is actually a good thing and provides value beyond just enterprise search, a concept that will be addressed later in this article.

Forensic Solutions Support Large-scale Auditing

The days of standalone computer forensics tools ended many years ago. The enterprise search and collection solutions designed by computer forensics companies have the ability to perform large-scale data audits, and are leveraged by government and commercial organizations to identify data leakage, perform PCI audits and enforce records retention policies. In addition, organizations utilize the forensic-level auditing to facilitate early case assessment at the onset of litigation without having to collect any files. This is of great value to organizations handling e-discovery in house, because it gives inside counsel and IT an accurate look at how many documents and emails will have to be collected. It also allows for the testing and refinement of search terms prior to an e-discovery collection. Finally, the large-scale, forensic-level auditing facilitates data mapping to aid in litigation preparedness.

The underlying forensic technology enables the solution to expose the data an organization is looking for with greater accuracy than non-forensic tools. The forensic engine is quite literally extended with an architecture that allows network-enabled search and collection on workstations, laptops, network shares, email servers and structured data repositories.

Due to the stringent requirements of contemporary forensics, these solutions further push the bounds of current enterprise search solutions by supporting search across all varieties of operating systems and hardware platforms. In addition, using a forensic enterprise search solution, it is even possible to search and collect from laptops that are not attached to the corporate network. Even if an employee is at a café on public WiFi, technology exists that will enable search and collection from that person's laptop.

Forensics is Not Analysis Overkill

If the goal is to achieve intelligent, efficient and comprehensive search, wouldn't an organization want its solution to provide the most thorough search possible? Wouldn't the organization want to be able to have visibility into its deleted documents and emails, as well as any encrypted documents or even documents that have been hidden or obscured? If "intelligent search" is the goal, shouldn't the solution include the ability to retrieve content from social media outlets or chat applications whenever possible? As confirmed in a recent Deloitte survey and several court decisions, social media is a growing risk and it is becoming necessary for organizations to update their procedures [2]. Finally, when performing e-discovery for the purposes of litigation, isn't it of considerable importance to have the ability to locate and collect files and emails that are open and in use? Small and large organizations alike inherently disguise these obstacles in the course of normal business. It isn't until they are compelled to provide or obtain access to encrypted files or uncover deleted documents that they realize the need for forensic-level search.

Electronic discovery solutions built on a forensic engine are not subject to the limitations of a non-forensic product. Forensic technology is able to handle a broader variety of file types, as well as embedded files, deleted files and encrypted files. Furthermore, documents and emails that are open and in use are not skipped over when leveraging forensic-level search. This deeper visibility into the data is due to the fact that computer forensic technologies were designed many years ago for criminal cases, where ALL evidence on the drive is in-scope. They have been developed and honed to not only look at every part of every file, but also every part of the drive in question. These products continue to evolve in the highly scrutinized environment of criminal law and are held to much higher performance standards.
