Saturday, February 22, 2014

Lecturing "Digital Forensic Basics" for the first time

On 26th February I'll start lecturing "Digital Forensic Basics", one of the elective courses at the University College for Applied Computer Engineering Zagreb. It is a first run, so it will be a bit experimental and we will all learn something from it. Since it is a computer engineering environment rather than a law enforcement one, the course will stress the methods and ideas of digital forensics in various environments, with a solid overview of the tools available. Practicals will be mostly with the SANS SIFT workstation. As the basic book I've chosen "The Basics of Digital Forensics" by John Sammons, Syngress. For advanced students there is a reading list of about 70 titles ...
I've prepared additions, since new things are coming on a daily basis. There will be a lot on enterprise issues and mobile forensics, but I'll also try to add some issues on industrial systems and "unusual" devices like cars, robots etc. It is a huge amount of ground to cover in just 15 weeks.


Thursday, February 13, 2014

Collecting documents through the basic EnCase Enterprise file collection tool

A few remarks on the EnCase Enterprise ediscovery capabilities


To do an automated document collection in an EnCase Enterprise environment we can write our own EnScript instrumentation or, more reasonably, use the existing file collection tool in the Sweep Enterprise wizard.
Today EnCase Enterprise is practically an entry-level product; its capabilities in such a specialized area as basic ediscovery are rudimentary, but we can still get the required results and be cost effective. Here is the link to a presentation on how to do basic data collection in EnCase Enterprise v7.
Most of the steps are documented in webinars, manuals and training, but some things are easily overlooked and can cause problems. I'll concentrate on those sticky parts, since they are not all listed in one place. As ediscovery in general is well described elsewhere, I'll go directly to the EnCase v7 environment.

First a bit of theory: ediscovery in the EnCase Enterprise tool is the process of extracting data from an end node through a condition applied by the servlet. We can use three types of data selection filters for our collection process:

  1. by document metadata, which means file name, path attributes, dates etc.; the best way to think of it is in terms of the conditions used in the evidence table view: most of what you can choose there by condition you can also use for data collection filtering
  2. by raw keyword search, which means detecting documents which contain the keywords
  3. by hash set, which means detecting files whose hashes are in the required hash set


These methods are mutually exclusive in the basic enterprise sweep. The most practically useful one is the search by metadata, but in fact the same condition filters are available in all three methods, so it is easy to do combinations.
There are some sticky points in sweep collecting, related to the way EnCase Enterprise v7 works. Basically you have to create a filter for documents using complex conditions and, after your collection process is finished, reapply this condition to create one global cumulative logical evidence file with all responsive files from the sweep. The conditions used for finding responsive files have to be reused through the import/export mechanism, which is not very user friendly or easy to find in the condition wizard. Again, handling and exporting/importing conditions is documented in the manual but easily overlooked.
These "filtering" conditions are usually created while examining the data on the custodian machine, to narrow the search down to the responsive files only. Once a condition is precise enough it is important to export it from the condition wizard, not only save it or report it, since later it can only be imported into the sweep wizard conditions.
The other peculiar thing is hardwired into the way the sweep works and stores responsive files. The sweep collects responsive files and snapshot data in the same L01 file for each examined responsive node. As far as I know there is no way to look into these responsive files without creating a condition or doing a complex manual voodoo dance through the EnCase menus. To access the collected files you have to manually add all L01 sweep files into the case and position yourself at the entry/evidence part of the L01 file. It is sometimes a very confusing process; again, it is described in the manual, but it is easy to get lost while doing it, especially with more than one L01 file. It is important to remember that L01 files have two parts, snapshot data and the entry part, and our collection is located in the entry part. The snapshot part is the "default view", so we have to move from it into the entry view to see the collected files.
To add a bit more confusion, the status of the collection is visible through the Case Analyzer EnScript. Case Analyzer is a very unusual EnScript program which shows you what was collected but not the content of the collected data. It is a good tool for an intermediate report which can later be used to confirm the data extracted into the L01 files.
As for any EnCase Enterprise operation, you should have a case and be logged into the SAFE as a user with an appropriate role. For each responsive node an L01 file is created and stored in the case EnScript folder, named by the sweep name; a timestamp is also included. As I already mentioned, you have to manually add these files into the case for further processing. I often think about these files as intermediate data before creating the final L01 and the case report about findings, often even creating a new case where I process these L01 files. Extraction of the files can be done through a condition which collects all files into one new big L01 file; it is a bit peculiar, but I haven't found any other practical way without EnScript coding. After this step we can remove all the responsive node L01 files and use the cumulative last one, maybe from a new case to avoid duplication.
To confirm and check that the whole collection is correct, one of the previous Case Analyzer reports can be used to compare the files in the cumulative L01 with the first step of collecting.

Workflow


  1. Input is the list of document selection and definition criteria (which also includes location and ownership relations)
  2. Criteria are compiled into conditions, keyword and hash set values, location lists, IP ranges and other data necessary for the automatic sweep
  3. The EnCase Enterprise system is installed and properly configured (roles, networks, users)
  4. Tests and measurements are prepared and done (bandwidth, access rights etc.)
  5. On the custodian machine (or a test machine) the conditions are tested to see whether a match is achieved, and to gauge the volume of data and the speed. When the conditions are OK, they are exported for further use.
  6. The data collection strategy is tested as well; since we have three mutually exclusive methods of collecting data, it is wise to decide how to collect files and where to do the searches and analyses, and it also has to be legally acceptable.
  7. The sweep is started in the appropriate case. In the case folder structure at least an evidence and a condition folder should be added (condition for the required conditions, keyword lists, hash sets, IP ranges etc., and evidence for the cumulative L01 files). For your data collection method in Sweep Enterprise, import the condition you used in testing and don't forget to tick "collect file content".
  8. When the sweep is finished, an intermediate report should be created through Case Analyzer: a list of responsive nodes which succeeded and a list of collected files. If some nodes failed, a new sweep can be started; this depends on the procedure.
  9. All collected L01 files should be added into the case; the L01 files are in the casefolder/enscript folder, in the sweep-name subfolder. The best way is to go to the add evidence menu and add the evidence files; don't forget to open all of them and in one of them go to evidence/entry. Check that no evidence files other than the sweep L01 results are in the case, then reapply the condition which was used for data collecting, and from the results of this condition create a new cumulative L01 file which will now contain all collected files.
  10. At this step we have our collection results in one cumulative L01 file appropriate for further processing; it is a good idea to create a new case where only this last cumulative L01 is processed and analyzed. To check that we got everything, the list of files from the intermediate Case Analyzer report can be compared with the list of files in our current cumulative L01 file.
  11. Do the report, backup and documentation, and don't forget the console logs.
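One way to do the check from step 10 (comparing the intermediate Case Analyzer report with the cumulative L01), as an added Python example that is not part of the post and not EnCase code: it assumes both lists were exported to CSV with node, path and md5 columns (the column names are my assumption; real exports differ) and flags files the sweep reported but the cumulative L01 lacks, stray extras, and hash mismatches.

```python
"""Reconcile the Case Analyzer sweep report with the cumulative L01 entry list.

Added example, not EnCase code. Assumes both lists were exported to CSV with the
columns node, path, md5 (the column names are an assumption, real exports differ).
"""
import csv
import io

# Constructed sample exports; the md5 values are placeholders, not real digests.
CASE_ANALYZER_CSV = r"""node,path,md5
WS-0101,C:\Users\alice\Documents\budget.xlsx,11111111
WS-0101,C:\Users\alice\Documents\contract.docx,22222222
WS-0202,C:\Users\bob\Desktop\notes.txt,33333333
WS-0202,C:\Users\bob\Desktop\plan.pdf,44444444
"""

CUMULATIVE_L01_CSV = r"""node,path,md5
ws-0101,c:/users/alice/documents/budget.xlsx,11111111
WS-0101,C:\Users\alice\Documents\contract.docx,99999999
WS-0202,C:\Users\bob\Desktop\notes.txt,33333333
WS-0202,C:\Users\bob\Desktop\old_plan.pdf,55555555
"""


def normalize(node, path):
    """Key a file by node and path, ignoring case and slash style."""
    return node.strip().upper(), path.strip().replace("/", "\\").lower()


def load_export(csv_text):
    """Map (node, path) -> md5 for one exported list."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalize(r["node"], r["path"]): r["md5"].strip().lower() for r in rows}


def reconcile(report_csv, l01_csv):
    """missing: reported by the sweep but not in the cumulative L01 (collection gap);
    extra: in the L01 but not in the report (the reapplied condition caught more, or
    other evidence was still in the case); hash_mismatch: same file, different digest."""
    expected = load_export(report_csv)
    collected = load_export(l01_csv)
    missing = sorted(k for k in expected if k not in collected)
    extra = sorted(k for k in collected if k not in expected)
    mismatch = sorted(k for k in expected if k in collected and collected[k] != expected[k])
    return {"missing": missing, "extra": extra, "hash_mismatch": mismatch}


if __name__ == "__main__":
    for kind, keys in reconcile(CASE_ANALYZER_CSV, CUMULATIVE_L01_CSV).items():
        print(kind, *(f"{n} {p}" for n, p in keys), sep="\n  ")
```

An empty result in all three lists is the confirmation the post asks for; anything under "extra" usually means other evidence files were still in the case when the condition was reapplied.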

Links and ideas


http://gvsu.edu/e-hr/e-discovery-2.htm?gclid=COHLye7MyLwCFafKtAodAycAQQ
http://www.guidancesoftware.com/products/Pages/encase-ediscovery/overview.aspx