At DriveSavers, we often receive requests for data recovery from grieving family members who don’t know the passcode to their loved one’s device.
eDiscovery and Forensic Techniques Behind Clinton Email Investigation
By Rene Novoa, Manager of eDiscovery and Digital Forensics
The recent FBI probe into Democratic presidential nominee Hillary Clinton’s private email likely mirrored eDiscovery tactics used by DriveSavers when processing electronically stored information (ESI) and digital evidence for law firms, corporations, government agencies, educational institutions and individuals.
As an eDiscovery company with additional data recovery and digital forensic capabilities, DriveSavers is very familiar with the process used in investigations to piece deleted information back together.
Initial Consultation
The initial consultation involves interviewing IT experts, users (otherwise referred to as custodians), management and others in an attempt to better understand and locate relevant systems, what data was stored where and what actions or events took place surrounding the storage of ESI.
In the Clinton case, interviewees included Hillary Clinton, IT administrators and specialists employed by Clinton who set up and maintained her personal server, government staff members with whom Clinton corresponded by email and those involved with the production of emails to the State Department for their initial investigation in 2014, according to the director of the FBI, James B. Comey.
Preservation
Preservation ensures ESI is protected against any alteration or destruction. This must be carried out with any device or any data that may reasonably become part of the investigation.
Preservation is the responsibility of the party or parties in question, whether they conduct the work themselves or use a third party. The parties in question are typically put on notice to preserve the information or they could face sanctions for spoliation, a legal term that applies when evidence is destroyed, either purposefully or through negligence.
In the Clinton case, most pertinent emails were preserved, but many had already been deleted or otherwise rendered unreadable. Most of these emails that had not been adequately preserved were later reconstructed through digital forensic efforts by the FBI.
Data Collection
Data is collected after identifying the location of possibly relevant or responsive data during the initial consultation and after measures have been taken to ensure that all of this identified data remains unaltered in any way. Data collection can be accomplished by physically collecting devices or by creating exact copies—unaltered, bit by bit hashed backup copies—of all data and media devices.
In the Clinton case, the private email server that was initially identified as relevant to the case was physically turned over to the FBI. Later, several more devices and thousands more emails were identified as pertinent to the case and collected as well.
Initiation of Chain of Custody
From the beginning of an investigation, controls are initiated for who has access to ESI during the investigation and chronological documentation is maintained.
Beginning with the collection of the initial private email server to the presentation of findings to the Department of Justice, the chain of custody for the Clinton case remained entirely in FBI hands. Each person who handled the server in question and other devices deemed potentially relevant, handled data involved in the investigation or worked on the investigation in any way will have been documented along with every action taken concerning the devices and data involved in the case.
Processing/Review/Analysis
Processing involves culling and formatting data so it can tell a story of what happened. What begins as a large data set is sorted down to a much smaller data set that is more relevant or responsive to the case. This process may include undeleting and searching through data and data fragments, determining what data is relevant and/or privileged, and then evaluating the data for context, patterns, topics, discussions, etc.
In the Clinton case, the FBI were specifically looking for emails that contained information that was classified at the time that it was sent.
Production and Presentation
At the end of the eDiscovery process, after data has been identified, collected, processed and reviewed, results and reports are produced in appropriate usable formats to display and present to the designated authorities and audiences.
In the Clinton case, results were presented by the FBI to the Department of Justice. No further action has been taken, but there has been much speculation as to whether this is the end of the story, or only the beginning.