Encrypted and hidden files put eDiscovery at risk

There are some pretty nice freeware applications available which allow a user to encrypt and hide files/data/electronic records in plain sight on their computers. Can this pose a problem for IT and corporate legal?  Let me put it this way…how would you find and place ESI that’s encrypted or is both encrypted and made to look like something else on a litigation hold?

Does the fact that encryption applications are present in a corporate infrastructure make claims of spoliation more likely if the files can’t be found or decrypted? Is this a problem you should even worry about?

It’s a stretch but in some circumstances this capability could significantly raise your eDiscovery risk. To illustrate this problem further I will specifically talk about an application called TrueCrypt which is a free open-source disk encryption software application for Windows 7/Vista/XP, Mac OS X, and Linux.

TrueCrypt is an application for creating and maintaining an on-the-fly-encrypted volume (data storage device as opposed to a single file). This means that you can create an encrypted volume capable of storing many encrypted files which, to casual observers, looks like a single file. On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password or correct encryption keys. There are several encryption algorithms available in the application but the most secure is the AES 256-bit key algorithm, the same one used by the federal government in many instances.

Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any normal storage device (for example, by simple drag-and-drop operations). Files are automatically decrypted on-the-fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume.  Similarly, files that are being written or copied to the TrueCrypt volume are automatically being encrypted on-the-fly (right before they are written to the disk) in RAM.

Now, to make matters worse (or better depending) TrueCrypt also can create a hidden encrypted volume within the visible encrypted volume.

The layout of a standard TrueCrypt volume before and after a hidden volume was created within it. (Graphic from the TrueCrypt manual)

The principle is that a TrueCrypt volume is created within another TrueCrypt volume. Even when the outer volume is mounted and visible, it would be impossible to prove whether there is a hidden volume within it, because free space on any TrueCrypt volume is always filled with random data when the volume is created and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.

So to put it another way, an employee trying to hide data from a discovery search could first create an encrypted volume on their hard disk or some other removable device such as a USB stick and store encrypted data on it. Even more diabolical, they could move some innocuous data to it as a decoy and store the real data on the hidden volume inside the original volume. This capability gives the employee plausible deniability in case corporate legal or IT forces the employee to decrypt the volume they can see.

So the big question is this: how would you as a discovery auditor even know of or find these hidden and encrypted data volumes? In reality it’s not easy. You have to go into it looking for hidden and encrypted data. There are some forensics applications that will at least find and flag encrypted files and volumes including the TrueCrypt format. I am unable to determine if these forensics applications can find and flag hidden volumes.

As a test, I set up a 10 GB TrueCrypt encrypted volume on this computer and named it “Attorney Communication” in a folder I named “contracts”. To the casual observer all they see is a large file in a folder called “contacts” (see below).

Within that encrypted “Attorney Communication” file I copied four decoy files to make it look like those were the important files I was keeping encrypted just in case I am forced to open the encrypted volume by legal (see below).

As you can see above, you can’t tell by looking at it that it contains the hidden 8 GB volume I had also created. That hidden volume is accessible only by typing a totally different password.

The hidden 8 GB TrueCrypt volume on this computer

So how do you find these hidden volumes and files if the employee is not cooperating? If you suspect the employee has been using this technology the first obvious step would be to do a search of the employee’s hard disk looking for an application called “TrueCrypt”. This would be a dead give-away that the employee could have encrypted and hidden data volumes on their computer. This is not certain, because the employee could have installed the TrueCrypt application on a USB stick, which does not integrate with Windows, so when it is not plugged in to the computer there would be no trace of the TrueCrypt application.

A second way to find potentially encrypted volumes would be to search for very large files. Usually encrypted volumes will be larger than normal files because they are just that, a large space to store many files. So you could do a Windows search for files over 10 MB and see what you get. An indication would be a large file with no applications associated with it. By this I mean that when you double click the file the system doesn’t recognize it as a standard Windows application and displays the “Open with” dialog box shown below:

That leaves the problem of discovering the hidden volume. A sure but very slow process to test this possibility would be to copy a bunch of files into the encrypted volume, if the employee has opened it, to see if the available storage space is equal to the volume size. For example the file properties in Windows states my encrypted volume is 10 GB in size but in this example the employee only has 5 MB of files stored in it. To test to see if the volume contains a hidden volume, you could copy an additional 9.95 GB of data into it to see if you get a “volume full” message before all of the data was copied into it. If you could only copy an additional say 1.95 GB before the “volume full” message was received, that would indicate that a hidden 8 GB volume exists.

A faster way to get an indication of hidden volumes is to use a large file finder tool. I found one called “Largefiles3” which had a surprising capability. In this case I ran the application looking for files larger than 10 MB on the C drive.

The interesting capability here is that it found the encrypted volume I named “Attorney Communication” but it determined its size to be 2.147 GB not the 10 GB shown in the Windows file system data. This is because I had created an 8 GB hidden volume inside the “Attorney Communication” volume thereby only leaving 2 GB for the original volume. This is a huge red flag if you are looking for it. Now, without the password you still can’t access the original encrypted volume or the hidden volume but at least you would know it exists and can apply pressure to the employee.
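The large-file search described above can be tightened by also checking that a file has no recognizable header and looks random from start to end, which is what a TrueCrypt container looks like on disk. The following is an added example, not code from the original post or from any tool it mentions; the function names, the magic-number list, the 512-byte alignment check and the entropy threshold are illustrative assumptions.

```python
import math
import os
from collections import Counter

# Magic numbers of common high-entropy formats that are NOT encrypted
# containers (illustrative list, extend it for your environment).
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"7z\xbc\xaf\x27\x1c", b"Rar!",
               b"\xff\xd8\xff", b"\x89PNG", b"%PDF", b"MZ")
SAMPLE = 64 * 1024       # bytes read at each sample point
ENTROPY_FLOOR = 7.9      # bits per byte; random data is close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_container(path: str, min_size: int = 10 * 1024 * 1024) -> bool:
    """Flag large, headerless files that are random at start, middle and end."""
    size = os.path.getsize(path)
    if size < min_size or size % 512:  # assumption: sector-aligned container
        return False
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
        if head.startswith(KNOWN_MAGIC):
            return False               # ordinary archive, image, PDF, program
        samples = [head]
        for offset in (size // 2, max(size - SAMPLE, 0)):
            fh.seek(offset)
            samples.append(fh.read(SAMPLE))
    return all(shannon_entropy(s) >= ENTROPY_FLOOR for s in samples)


def scan(root: str, min_size: int = 10 * 1024 * 1024) -> list[str]:
    """Walk root and return paths worth handing to a forensic examiner."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                if looks_like_container(path, min_size):
                    hits.append(path)
            except OSError:
                continue               # locked or unreadable file: skip it
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A hit means only "large file of unidentified random data"; other encrypted or compressed formats without a listed header will also be flagged, and the check says nothing about whether a hidden volume exists inside the file.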

So how do you prevent these encryption applications from putting your eDiscovery processes at risk? The most obvious one is to include in your employee computer use policy a statement prohibiting the use of these types of applications with stated punishments if not followed. This will stop general employees from using this kind of application but will not deter those employees bent on breaking your rules. The obvious next step is to sample and audit your employees to see if these applications are being used. For corporate legal, the main thing you want to establish is your “good faith intent” to make sure your eDiscovery processes are defensible.


The duty to preserve ESI is not always cut and dried

The amendments to the Federal Rules of Civil Procedure (FRCP) describe the duty to preserve potential evidence when litigation can be reasonably anticipated. The term “reasonably anticipated” is a key idea and one that has caused many arguments over the last four-plus years. To make the point that organizations need to be conservative and take this seriously, it makes sense to look at a case that has gone on for several years.

On April 17, 2008, Phillip M. Adams & Associates L.L.C. (Adams) filed a motion for sanctions against ASUSTEK Computer, Inc. and ASUS Computer International for spoliation (destruction) of evidence. Adams claimed that “ASUS has destroyed the source code and documents relating to ASUS’s test programs, as well as other documents that would have conclusively demonstrated ASUS’ piracy.” On March 30, 2009, the magistrate judge issued a decision granting in part Adams’s motion. The magistrate judge found that “the universe of materials we are missing is very large,” and that “we have very little evidence compared to what would be expected.” In this case, the court reaffirmed its earlier holding regarding the trigger for defendants’ duty to preserve, namely that “in late 1999 the entire computer and component manufacturer’s industry was put on notice of a potential for litigation regarding defective floppy disk components (“FDCs”) by the well publicized settlement in a large class action lawsuit against Toshiba.”  In this ongoing case, a litigation hold responsibility was triggered by a settlement years before. The magistrate judge further found that “ASUS’ practices invite the abuse of the rights of others, because the practices tend toward loss of data.” In other words when the case was in process in 2008, the defendants should have applied a litigation hold to specific data back in 1999-2000, eight to nine years before the case showed up in court.

A related recent ruling: Phillip M. Adams & Assoc., LLC v. Winbond Elecs. Corp., 2010 WL 3767318 (D. Utah Sept. 16, 2010)

What does this mean for organizations today? Well, it’s difficult to “anticipate” future litigation, so be conservative in your litigation hold triggering events: if even the slightest possibility of litigation exists based on external events, news stories, etc., lock down that potentially responsive ESI as soon as possible. That’s easy to say but difficult to accomplish. The first step as pointed out in this case is to train your staff and employees to be sensitive to these “events” and to not be shy about pointing them out to your corporate legal department. The point is to manage your ESI more effectively. If you have control of your data you have a better chance of reacting to and finding responsive ESI when you need to and securing it.

Is the popular Dropbox file sharing application a huge eDiscovery risk?

First let me say the Dropbox file sharing program is one of the greatest applications I’ve run across in a long time and to date has approximately 25 million users world-wide. What is Dropbox? Dropbox is a cloud storage application which synchronizes files between computers and other electronic devices like iPhones. Installing Dropbox creates a special folder on your computer. Anything that you put in this folder is automatically synchronized with any other computer or iPhones on which you’ve installed the service. The files you drop in for synchronization are also located on a remote server, which means you can download files even when all of your other devices are turned off or offline. It’s easy to understand why instant synchronization across all your computers and iPhones is inherently fantastic. You drop a file into your Dropbox folder on say your work computer and it’s almost instantly on all your other computers (with an internet connection) and iPhones, be it at home, work, on the road or on vacation. What’s greater than that?

You need to be aware of a couple of potential problem areas if you are going to install Dropbox. First, when you delete a file in your Dropbox folder on your computer it is not really deleted from the Dropbox cloud. It is classified as “Deleted” and will disappear out of your desktop folder but in the Dropbox cloud it still exists and can be “Undeleted”.

Dropbox saves a history of all deleted and earlier versions of files for 30 days for all Dropbox accounts by default. If you have the Pack-Rat add-on, Dropbox saves those files for as long as you have the Pack-Rat add-on. With Pack-Rat, you never have to worry about losing an old version of a file. You can permanently delete files inside of the 30 days but that must be done in your web account.

Another capability to be aware of is the “Events” tab in the web account.

The Events window shows you all of the recent(?) activity that has taken place in your account. This includes a wide variety of data such as the addition and deletion of files, moving files, adding and removing folders, sharing files and folders, linking computers to your account and more. At this point I’m not sure how long this history is available in a given account but in my account, the history is showing info back to when I created the account 6 months ago.

All of these great capabilities point out two areas of concern that organizations need to be aware of. First, could intellectual property theft get any easier? A worst case scenario would be the following: an employee decides to leave the company and wants to take some IP he or she has been working on for the last 7 months. The employee can simply drag the electronic files to his Dropbox folder on their company supplied computer and later that night access it from their computer at home or, even worse, give their new employer the password to their Dropbox account, and within seconds all that IP is sitting on the new employer’s desktop. It can happen in a matter of seconds. Would the current employer even be able to tell if that IP was copied?

An even more interesting concern arises around eDiscovery risk. Would the fact that a custodian has or had at one time a Dropbox account, make all of their non-business supplied computers and iPhones a target of eDiscovery if they were a party to litigation in their organization?

An opposing counsel’s questioning might go something like this:

Opposing counsel: “Bill, do you now or did you during the time period in question have a Dropbox account?”

Bill: “Possibly…I’ve had one for some time”

Opposing counsel: “While you’ve had the Dropbox account, have you ever copied work related documents or emails to your Dropbox account for whatever reason?”

Bill: “Yes I have”

Opposing counsel: “Could you have copied files that are relevant to the current case?”

Bill: “Maybe…I don’t remember”

Opposing counsel: “You don’t remember…is that the truth?”

Bill: “Is that the truth? …YOU CAN’T HANDLE THE TRUTH!! (Jack Nicholson flashback)”

Opposing counsel: “Judge, I would like to include every computer and iPhone Bill has access to in the eDiscovery request as well as Bill’s  Dropbox account to view any deleted files as well as his “Events” history.”

Bill: “You’ve got to be kidding…Judge?”

Judge: “Do I look like I’m kidding? …Makes sense, approved”

Is the preceding example a possibility? Sure it is. So how would your organization defend against this type of eDiscovery risk?

In my experience, if you inform employees (in writing) that by using the Dropbox application from their work as well as personal computers and company supplied iPhone, they open themselves to having their personal home computers, or any computer that had the Dropbox application installed on it, potentially accessed and reviewed by attorneys, most employees will refrain from installing it on their work related computers. It would also be a good insurance policy to create a computer use policy which includes a directive against installing the Dropbox application on work owned assets.

Again, let me stress that I think the Dropbox application is fantastic and has great uses for everyday life but employees and organizations need to be aware of the risks associated with it in litigation.

Placing a “Computer Illiterate” in charge of eDiscovery is not a winning strategy for the defense

A case that had been decided for the plaintiff years earlier was reopened due to eDiscovery process questions. In the case of Green v. Blitz U.S.A., No. 2:07-CV-372 (TJW), 2011 WL 806011 (E.D. Tex. Mar. 1, 2011), the original attorney for the plaintiff was a plaintiff’s attorney on another case against the same defendant. During discovery for this other trial, the plaintiff’s attorney found out that evidence that should have been turned over for the previous plaintiff’s trial had not been. Because of this fact, the original lawsuit was reopened. In this second trial it was revealed the defendant had placed a single person in charge of electronic discovery for several ongoing cases. The problem with this was the person put in charge of eDiscovery was less than experienced. In fact, it was revealed that the employee “solely responsible for searching for and collecting ESI relevant to litigation between 2004 and 2007 issued no litigation hold, conducted no electronic word searches for emails, and made no effort to speak with defendant’s IT department regarding how to search for electronic documents.” In fact, the employee himself stated that he was “about as computer illiterate as they get.”

Making matters worse, some of the information discovered after the close of plaintiff’s case would have easily been identified with a simple word search, as the target words were in the subject line of one of the undisclosed emails specifically discussed by the court. Also of note, as to the specific email discussed by the court, was the fact that the employee tasked with discovery was a recipient of the email and still failed to disclose it in discovery. Despite failing to produce relevant material, the defendant made the certification that “full and complete disclosure ha[d] been made in accordance with the Federal Rules of Civil Procedure and the Court’s orders.”

The court also discussed defendant’s failure to issue a litigation hold to its employees and its failure to cease rotation of its backup tapes, two other actions expected when litigation is reasonably anticipated. Accordingly, the court concluded that “it will never be known how much prejudice against the plaintiff was actually caused by the defendant’s failure to preserve documents” and found that sanctions were warranted.

Given the context and type of documents not disclosed, the court found that defendant’s conduct was a willful violation of the Court’s Discovery Order and that plaintiff had been prejudiced as a result. In other words, the original award would have been much higher if the ESI was found and turned over.

I don’t know if the defendant’s counsel choosing a totally inexperienced person to run the eDiscovery process was just stupid or was part of a strategy to ensure responsive ESI was not found. I think, minus proof of the second, we will have to go with the first explanation.

That being said, litigation hold and eDiscovery are serious business and should never be taken lightly. Having control of your organization’s ESI is an important responsibility expected by the courts.

Case summary from eDiscoverylaw.com

How do you keep the ESI skeletons out of your closet?

A blog post written by Jim McGann of Index Engines on May 4th zeroed in on an interesting topic; how to keep ESI skeletons out of your corporate closet.

In his post Jim writes: Law firms and corporations alike tend to keep data storage devices well beyond what their compliance requirements or business needs actually dictate.  These so-called “skeletons in the closet” pose a major problem when the entity gets sued or subpoenaed. All that dusty data is suddenly potentially discoverable. Legal counsel can be proactive and initiate responsible handling of this legacy data by defining a new, defensible information governance process.

These skeletons can encompass both old, out of date data as well as the devices the old data is stored on. The risk includes not just the old data that might have content that you would rather not have discovered but also the storage devices that would “read” the old data. An attorney friend of mine related a case he was involved in several years ago where a company in discovery was asked about a filing cabinet in their warehouse that contained hundreds of 8 inch floppy disks. The plaintiff’s attorney asked if those floppy disks could contain data from the time period in question (8 years ago). No one at the company could really answer the question so the plaintiff’s attorney asked for an inventory of the data on those 8 inch floppy disks.

The defendant’s counsel obviously raised concerns over their ability to actually read the data as well as the cost involved. They argued that the disk drives which could read the 8 inch floppy disks couldn’t be found, that even if they could find the drives, they didn’t have computers with the correct interface to actually look at the data, and that the software to enable the floppy disks to be read did not exist.

The judge’s question to the defendants was obvious: “why do you have a filing cabinet full of hundreds of 8 inch floppy disks if they can’t be read?”

The point of the story is that data/information has a life span. 8-, 9- or 10-year-old data in most cases will not be useful to an organization (unless there are regulatory reasons to keep it), so manage it for as long as it’s useful to your organization, then get rid of it, especially if the technology to utilize it is way out of date.