Encrypted and hidden files put eDiscovery at risk

There are some pretty nice freeware applications available which allow a user to encrypt and hide files/data/electronic records in plain sight on their computers. Can this pose a problem for IT and corporate legal?  Let me put it this way…how would you find and place ESI that’s encrypted or is both encrypted and made to look like something else on a litigation hold?

Does the fact that encryption applications present in a corporate infrastructure make claims of spoliation if the files can’t be found or decrypted more likely? Is this a problem you should even worry about?

It’s a stretch but in some circumstances this capability could significantly raise your eDiscovery risk. To illustrate this problem further I will specifically talk about an application called TrueCrypt which is a free open-source disk encryption software application for Windows 7/Vista/XP, Mac OS X, and Linux.

TrueCrypt is an application for creating and maintaining an on-the-fly-encrypted volume (data storage device as opposed to a single file).This means that you can create an encrypted volume capable of storing many encrypted files which to casual observers, looks like a single file. On-the-fly encryption means that data is automatically encrypted or decrypted right before is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password or correct encryption keys. There are several encryption algorithms available in the application but the most secure is the AES 256-bit key algorithm, the same one used by the federal government in many instances.

Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any normal storage device (for example, by simple drag-and-drop operations). Files are automatically decrypted on-the-fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume.  Similarly, files that are being written or copied to the TrueCrypt volume are automatically being encrypted on-the-fly (right before they are written to the disk) in RAM.

Now, to make matters worse (or better depending) TrueCrypt also can create a hidden encrypted volume within the visible encrypted volume.

The layout of a standard TrueCrypt volume before and after a hidden volume was created within it. (Graphic from the TrueCrypt manual)

The principle is that a TrueCrypt volume is created within another TrueCrypt volume. Even when the outer volume is mounted and visible, it would be impossible to prove there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.

So to put it another way, an employee trying to hide data from a discovery search could first create an encrypted volume on their hard disk or some other removable device such as a USB stick and store encrypted data on it. Even more diabolical, they could move some innocuous data to it as a decoy and store the real data on the hidden volume inside the original volume. This capability provides the employee plausible deniability in the case of corporate legal or IT forces the employee to decryption the volume they can see.

So the big question is this; how would you as a discovery auditor even know of or find these hidden and encrypted data volumes? In reality it’s not easy. You have to go into it looking for hidden and encrypted data. There are some forensics applications that will at least find and flag encrypted files and volumes including the TrueCrypt format. I am unable to determine if these forensics applications can find and flag hidden volumes.

As a test, I setup a 10 GB TrueCrypt encrypted volume on this computer and named it “Attorney Communication” in a folder I named “contracts”. To the casual observer all they see is a large file in a folder called “contacts” (see below).

Within that encrypted “Attorney Communication” file I copied four decoy files to make it look like those were the important files I was keeping encrypted just in case I am forced to open the encrypted volume by legal (see below).

As you can see above, you can’t tell by looking at it that it contains the hidden 8 GB volume I had also created. That hidden volume is accessible only by typing a totally different password.

The hidden 8 GB TrueCrypt volume on this computer

So how do you find these hidden volumes and files if the employee is not cooperating? If you suspect the employee has been using this technology the first obvious step would be to do a search of the employee’s hard disk looking for an application called “TrueCrypt”. This would be a dead give-away that the employee could have encrypted and hidden data volumes on their computer. This is not  certain because the employee could have installed the TrueCrypt application on a USB stick, which does not integrate with Windows, so when not plugged in to the computer, there would be no trace of the TrueCrypt application.

A second way to find potentially encrypted volumes would be to search for very large files. Usually encrypted volumes will be larger than normal files because they are just that, a large space to store many files. So you could do a Windows search for files over 10 MB and see what you get. An indication would be a large file with no applications associated with it. By this I mean that when you double click the file the system doesn’t recognize it as a standard Windows application and displays the “Open with” dialog box shown below:

That leaves the problem of discovering the hidden volume. A sure but very slow process to test this possibility would be to copy a bunch of files into the encrypted volume, if the employee has opened it, to see if the available storage space id equal to the volume size.  For example the file properties in Windows states my encrypted volume is 10 GB in size but in this example the employee only has 5 MB of files stored in it. To test to see if the volume contains a hidden volume, you could copy an additional 9.95 GB of data into it to see if you get a “volume full” message before all of the data was copied into it. If you could only copy an additional say 1.95 GB before the “volume full” message was received, that would indicate that a hidden 8 GB volume exists.

A faster way to get an indication of hidden volumes is to use a large file finder tool. I found one called “Largefiles3” which had a surprising capability. In this case I ran the application looking for files larger than 10 MB on the C drive.

The interesting capability here is that it found the encrypted volume I named “Attorney Communication” but it determined its size to be 2.147 GB not the 10 GB shown in the Windows file system data. This is because I had created an 8 GB hidden volume inside the “Attorney Communication” volume thereby only leaving 2 GB for the original volume. This is a huge red flag if you are looking for it. Now, without the password you still can’t access the original encrypted volume or the hidden volume but at least you would know it exists and can apply pressure to the employee.

So how do you prevent these encryption applications from putting your eDiscovery processes at risk? The most obvious one is to include in your employee computer use policy a statement prohibiting the use of these types of applications with stated punishments if not followed. This will stop general employees from using this kind of application but will not deter those employees bent on breaking your rules. The obvious next step is to sample and audit your employees to see if these applications are being used. For corporate legal, the main thing you want to establish is your “good faith intent” to make sure your eDiscovery processes are defensible.


Backups are an effective eDiscovery resource, if it’s the right backup

I have always been told relying on backups for eDiscovery purposes is a costly and time consuming mistake.

Searching through backup tapes or even a disk-based backup for eDiscovery is difficult. Imagine restoring 22 200 GB backup tapes of your employee workstations and

Consider an eDiscovery request which asks for any files on 73 custodian workstations which contain the terms “Mimosa” and “Iron Mountain” that were created or accessed between Feb 19 2008 and June 3 2010, all the while meeting a 30 day deadline from the court to produce. How would you quickly determine what if any responsive content exists on those 73 custodians laptops/desktops?

The scenario I laid out above is not a corner-case, made-up situation. I have seen this many times. Many of you will recognize a situation very close to this.

Now consider one additional requirement to the above scenario… you must insure any responsive ESI on those workstations are secure and not deleted (litigation hold) by the custodian starting right now.

Active content on custodian workstations and laptops is the single biggest risk when facing litigation hold and eDiscovery responsibilities for most organizations. The usual processes most organizations follow for custodian resource collection is either:

  1. Custodian led collection: the organizations legal department sends out a detailed email to all custodians’ involved asking them to search for specific content on their system (including any PSTs) and forward any results to the legal department. Many opposing counsel’s have a problem with this process


  1. The legal department creates collection teams which consist of a legal department employee and an IT employee to visit each custodian’s workspace to look for responsive ESI, usually including the imaging of the custodian’s hard disks. This imaging of the custodian’s hard disk takes hours and then has to be filtered somewhere else to look for responsive content.

What if you could utilize your centrally managed custodian workstation/laptop backup process for eDiscovery purposes?

Iron Mountain has addressed this major eDiscovery risk and cost with its newly announced Connected® Classify & Collect, a solution which simplifies the collection process for distributed PC ESI to comply with a legal hold request as well as discovery. The Connected Classify & Collect offering helps businesses to quickly find relevant data on laptop and desktop computers to meet litigation and compliance requirements.

The Connected® Classify & Collect offering makes laptop and desktop data easily visible, searchable and usable. It also protects data and prevents accidental deletion to support eDiscovery or internal investigations. Its enterprise-class data-classification capabilities give administrators visibility into vast amounts of data stored on enterprise PCs and allow them to lower eDiscovery costs by quickly collecting relevant information to be used for early-case assessments and first-pass reviews.

An interesting twist to this capability is the fact that even if the custodian is disconnected from the network, Classify & Collect can discover against the existing centrally managed backup of each custodian’s workstation or laptop. The next time the custodian connects to the network, additional searching will be accomplished automatically in the background on the custodian laptop.

Additionally, the Connected Classify & Collect offering helps businesses establish a thorough and defensible collection process with its ability to track all activities, including the search terms and documents returned to support internal reviews.

eDiscovery ROI and ESI Archiving

The Cost of Collection:

Medium to large sized organizations are being driven to lower their overall litigation costs by bringing more of the eDiscovery processes in-house. To do this, organizations need to understand and proactively plan for the eDiscovery process. The most cost effective way to quickly lower eDiscovery costs are to prepare for the collection phase by putting in place an ESI archive to capture and manage those ESI silos that are most requested…Email, File System and SharePoint ESI.

The average cost to acquire all potentially responsive ESI from all corporate infrastructure locations including email servers, file shares, SharePoint systems, as well as from all custodian locations including desktop/laptops, local external storage devices, portable media such as USB thumb drives, CDs and DVDs in a defensible manner is between $1000 and $2000 per custodian discovered.

Realistically, the cost of eDiscovery can be reduced dramatically if your organization understands the eDiscovery process and proactively plans for it. Some areas to look at include:

  1. The number one way to reduce e-discovery expense (besides not getting sued/investigated) is having less data to collect/review
  2. Create, follow and enforce an ESI records retention policy to control legacy data including backup retention which should be in sync with the retention ESI retention policies
  3. Eliminate custodian PSTs. These little bombs are the biggest contributor to the cost of collection and review
  4. Develop and implement a litigation hold policy and have all custodians review and signoff on it
  5. For medium to large organizations, the most effective cost and risk reducer, besides reducing the amount of ESI in your organization, is to put a centrally managed ESI archive in place with centrally managed ESI retention policies. If, for example, you have an ESI archive which collects and manages your email data, file system data and your SharePoint data, the most requested ESI data types in discovery, then for those data types, you no longer have to search every custodian’s workstations, removable media, etc. A simple query of the archive will let you find, place legal holds, cull, review and export responsive ESI in a fraction of the time you normally take.

Employees Using Personal Email Accounts to Send Large Files

In a recent survey conducted by Osterman Research, it was revealed that 82 percent of employees use their personal email accounts to send large work-related files when an email attachment exceeds the size limit imposed by IT.

Is this a problem?…YES

Lets say your company is involved in civil litigation and has received interrogatories (written questions as part of the discovery process) from opposing counsel. One of the questions could be; “Has any of your employees or contractors ever sent business related emails or attachments to another party using their personal email account?” According to the Osterman data, 82% of your employees will answer yes to that question.

Why is this a problem?

First, your eDiscovery process including legal hold requirements will have to include searching your employees personal email accounts, if they give you permission. In my opinion, that doesn’t relieve you of the responsibility of protecting those responsive emails.

Second, eventually your employees are going to face the possibility of attorneys reading their personal emails and attachments from within their personal email accounts. There are few employees that will think this possibility is a good thing.

So how do you remove or at least lower this possibility?

First, create written email use policies that forbid employees from ever accessing their personal email accounts at work from employer provided equipment.

Second, Include in the above mentioned policy that company related records are never to be sent or received from personal email accounts.

Third, explain to employees that if they violate the policy, they could be fired.

Forth, explain that if they were to violate the policy, attorneys, including opposing counsel may be reading their personal emails in discovery some day.

Fifth, create a way within your infrastructure to send and receive large files so employees don’t have to fall back to using their personal email accounts to send or receive large business related files.