Encrypted and hidden files put eDiscovery at risk


There are some pretty nice freeware applications available which allow a user to encrypt and hide files/data/electronic records in plain sight on their computers. Can this pose a problem for IT and corporate legal?  Let me put it this way…how would you find and place ESI that’s encrypted or is both encrypted and made to look like something else on a litigation hold?

Does the fact that encryption applications present in a corporate infrastructure make claims of spoliation if the files can’t be found or decrypted more likely? Is this a problem you should even worry about?

It’s a stretch but in some circumstances this capability could significantly raise your eDiscovery risk. To illustrate this problem further I will specifically talk about an application called TrueCrypt which is a free open-source disk encryption software application for Windows 7/Vista/XP, Mac OS X, and Linux.

TrueCrypt is an application for creating and maintaining an on-the-fly-encrypted volume (data storage device as opposed to a single file).This means that you can create an encrypted volume capable of storing many encrypted files which to casual observers, looks like a single file. On-the-fly encryption means that data is automatically encrypted or decrypted right before is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password or correct encryption keys. There are several encryption algorithms available in the application but the most secure is the AES 256-bit key algorithm, the same one used by the federal government in many instances.

Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any normal storage device (for example, by simple drag-and-drop operations). Files are automatically decrypted on-the-fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume.  Similarly, files that are being written or copied to the TrueCrypt volume are automatically being encrypted on-the-fly (right before they are written to the disk) in RAM.

Now, to make matters worse (or better depending) TrueCrypt also can create a hidden encrypted volume within the visible encrypted volume.

The layout of a standard TrueCrypt volume before and after a hidden volume was created within it. (Graphic from the TrueCrypt manual)

The principle is that a TrueCrypt volume is created within another TrueCrypt volume. Even when the outer volume is mounted and visible, it would be impossible to prove there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.

So to put it another way, an employee trying to hide data from a discovery search could first create an encrypted volume on their hard disk or some other removable device such as a USB stick and store encrypted data on it. Even more diabolical, they could move some innocuous data to it as a decoy and store the real data on the hidden volume inside the original volume. This capability provides the employee plausible deniability in the case of corporate legal or IT forces the employee to decryption the volume they can see.

So the big question is this; how would you as a discovery auditor even know of or find these hidden and encrypted data volumes? In reality it’s not easy. You have to go into it looking for hidden and encrypted data. There are some forensics applications that will at least find and flag encrypted files and volumes including the TrueCrypt format. I am unable to determine if these forensics applications can find and flag hidden volumes.

As a test, I setup a 10 GB TrueCrypt encrypted volume on this computer and named it “Attorney Communication” in a folder I named “contracts”. To the casual observer all they see is a large file in a folder called “contacts” (see below).

Within that encrypted “Attorney Communication” file I copied four decoy files to make it look like those were the important files I was keeping encrypted just in case I am forced to open the encrypted volume by legal (see below).

As you can see above, you can’t tell by looking at it that it contains the hidden 8 GB volume I had also created. That hidden volume is accessible only by typing a totally different password.

The hidden 8 GB TrueCrypt volume on this computer

So how do you find these hidden volumes and files if the employee is not cooperating? If you suspect the employee has been using this technology the first obvious step would be to do a search of the employee’s hard disk looking for an application called “TrueCrypt”. This would be a dead give-away that the employee could have encrypted and hidden data volumes on their computer. This is not  certain because the employee could have installed the TrueCrypt application on a USB stick, which does not integrate with Windows, so when not plugged in to the computer, there would be no trace of the TrueCrypt application.

A second way to find potentially encrypted volumes would be to search for very large files. Usually encrypted volumes will be larger than normal files because they are just that, a large space to store many files. So you could do a Windows search for files over 10 MB and see what you get. An indication would be a large file with no applications associated with it. By this I mean that when you double click the file the system doesn’t recognize it as a standard Windows application and displays the “Open with” dialog box shown below:

That leaves the problem of discovering the hidden volume. A sure but very slow process to test this possibility would be to copy a bunch of files into the encrypted volume, if the employee has opened it, to see if the available storage space id equal to the volume size.  For example the file properties in Windows states my encrypted volume is 10 GB in size but in this example the employee only has 5 MB of files stored in it. To test to see if the volume contains a hidden volume, you could copy an additional 9.95 GB of data into it to see if you get a “volume full” message before all of the data was copied into it. If you could only copy an additional say 1.95 GB before the “volume full” message was received, that would indicate that a hidden 8 GB volume exists.

A faster way to get an indication of hidden volumes is to use a large file finder tool. I found one called “Largefiles3” which had a surprising capability. In this case I ran the application looking for files larger than 10 MB on the C drive.

The interesting capability here is that it found the encrypted volume I named “Attorney Communication” but it determined its size to be 2.147 GB not the 10 GB shown in the Windows file system data. This is because I had created an 8 GB hidden volume inside the “Attorney Communication” volume thereby only leaving 2 GB for the original volume. This is a huge red flag if you are looking for it. Now, without the password you still can’t access the original encrypted volume or the hidden volume but at least you would know it exists and can apply pressure to the employee.

So how do you prevent these encryption applications from putting your eDiscovery processes at risk? The most obvious one is to include in your employee computer use policy a statement prohibiting the use of these types of applications with stated punishments if not followed. This will stop general employees from using this kind of application but will not deter those employees bent on breaking your rules. The obvious next step is to sample and audit your employees to see if these applications are being used. For corporate legal, the main thing you want to establish is your “good faith intent” to make sure your eDiscovery processes are defensible.

Are Custodial Self-Discovery and Preserving ESI in Place Good for You?


A majority of organizations still follow the traditional practice of instructing custodians—that is, employees–to search for and protect potentially responsive electronically stored information (ESI) locally or what’s known colloquially as “preserving it in place”. In fact, the international law firm Fulbright & Jaworski found in its 7th Annual Litigation Trends Survey that more than half (55%) of companies still rely on custodians as their primary method to identify and preserve their own information for litigation or an investigation.

By following this practice, these companies, particularly those with larger numbers of custodians,  have a higher risk of incomplete collection, inadvertent deletion/spoliation, and metadata corruption. What’s more, it’s difficult for legal to supervise  the collection process,  leading to inadequate defensibility of the litigation hold and eDiscovery process.

In a 2008 Kahn Consulting survey on employee understanding of eDiscovery responsibilities, only 22% of respondents said they had a good understanding of their responsibilities for retaining ESI for discovery. Only 16% said they had a good understanding of their responsibilities when responding to a litigation hold. These statistics, while a few years old, blatantly highlight the risk of custodial self discovery and preservation in place.

Still not convinced? The courts are now holding litigants to a higher standard. In a recent case, Roffe v. Eagle Rock Energy GP, et al., C.A. No. 5258-VCL (Del. Ch. Apr. 8, 2010), the Judge expressed surprise overt the custodial self discovery practice used by one attorney:

The Judge asked:

Am I correct that you have been relying on what they [the defendants] self-selected to put in their transaction files in terms of what you obtained and produced?

The defense attorney answered:

That’s correct, your Honor. I was told that they uniformly would put all of their Eagle Rock e-mails into that folder. I have not checked, and I don’t know whether that is true or whether that is accurate. I believe they are telling the truth, but I don’t know if that is accurate.

The Judge immediately responded:

Then here is my ruling. This is not satisfactory. From what you have described to me, you are not doing what you should be doing. First of all, you do not rely on a defendant to search their own e-mail system. Okay? There needs to be a lawyer who goes and makes sure the collection is done properly. So both as to the two directors who already have produced — we don’t rely on people who are defendants to decide what documents are responsive, at least not in this Court. And you certainly need to put somebody on a plane to go out and see Mr. Smith.

In this exchange, the Judge clearly states: We don’t rely on people who are defendants to decide what documents are responsive. Custodial self-discovery is like the fox guarding the chicken coop.

Relying on litigants to find, protect and eventually turn over potentially responsive ESI can be problematic. Most of them will attempt to do what’s right to the best of their understanding. But as we’ve seen from the 7th Annual Litigation Trends Survey, fewer  than1 in 4 (23%) have a good understanding. Those few that could have something to hide may find ways to do a sub-par job in the discovery process. If I am the opposing counsel, I  want to know if self discovery was relied on.

So what is a defensible answer for the risks posed by custodial self discovery and preservation in place? Well in my opinion—and I’m about to sound like a corporate schill–you need an ESI archive, which captures the majority of potentially responsive ESI from the in-house infrastructure along with a solution for the remote collection of custodian ESI from their locally controlled equipment.

First, a central ESI archive that captures, indexes, stores, protects, manages and disposes of ESI allows for central discovery of ESI for silos like email systems, share drives and SharePoint systems.

So what can be done for the discovery of locally controlled custodian locations?

Some organizations centrally backup custodian workstations on a regular basis. But relying on restoring backups and searching for responsive ESI has never been considered a good idea. It’s also expensive.

What if you could schedule forensically sound backups of all custodian workstations and use those backups of custodians’ workstations to discover against, even when those custodians are traveling and not synced to the organization’s infrastructure?

A consolidated metadata repository provides enterprises with an accessible catalog of the types of data and content stored on PCs. Using flexible metadata selections, administrators can quickly identify information that is relevant to litigation or compliance matters and, if necessary, retrieve that relevant data from the solution for further review.

Are Custodial Self-Discovery and Preserving ESI in place a good idea?


A majority of organizations still rely of the practice of instructing custodians to search for and protect potentially responsive ESI locally or “preserve it in place”. In its 7th Annual Litigation Trends Survey, Fulbright & Jaworski reported that 55% of responding companies still rely on custodians to identify and preserve their own information as the method used most frequently to preserve potentially relevant information in litigation or an investigation.

Custodial self-discovery and “preservation in place” is a potentially risky in that, especially with larger numbers of custodians, the risk of incomplete collection, inadvertent deletion/spoliation, and meta data corruption is greatly increased, legal supervision of the collection process is impossible leading to inadequate defensibility of the litigation hold and eDiscovery process.

In a 2008 Kahn Consulting survey on employee understanding of eDiscovery responsibilities, only 22% of respondents said they had a good understanding of their responsibilities for retaining ESI for discovery. Only 16% said they had a good understanding of their responsibilities when responding to a litigation hold. These statistics blatantly highlight the risk of custodial self discovery and preservation in place.

The courts are now holding litigants to a higher standard. In a recent case, Roffe v. Eagle Rock Energy GP, et al., C.A. No. 5258-VCL (Del. Ch. Apr. 8, 2010), the Judge was surprised at the custodial self discovery practice one attorney was relying on:

The Judge asks;

Am I correct that you have been relying on what they [the defendants]  self-selected to put in their transaction files, in terms of what you obtained and produced?

The defense attorney answers;

That’s correct, your Honor. I was told that they uniformly would put all of their Eagle Rock e-mails into that folder. I have not checked, and I don’t know whether that is true or whether that is accurate. I believe they are telling the truth, but I don’t know if that is accurate.

The Judge immediately responds to the defense attorney;

Then here is my ruling. This is not satisfactory. From what you have described to me, you are not doing what you should be doing. First of all, you do not rely on a defendant to search their own e-mail system. Okay? There needs to be a lawyer who goes and makes sure the collection is done properly. So both as to the two directors who already have produced — we don’t rely on people who are defendants to decide what documents are responsive, at least not in this Court. And you certainly need to put somebody on a plane to go out and see Mr. Smith.

In this exchange, the Judge clearly states; we don’t rely on people who are defendants to decide what documents are responsive. Custodial self-discovery is like the wolf guarding the chicken coop.

Relying on litigants to find, protect and eventually turn over potentially responsive ESI can be problematic. Most of them will attempt to do what’s right; to the best of their understanding (less than 23% have a good understanding). Those few that could have something to hide may find ways to do a subpar job in the discovery process. If I am the opposing counsel, I am going to want to know if self discovery was relied on.