Today, eDiscovery plays a much more important part in civil litigation than ever before. Email, Word and Excel documents, digital images, and even mobile phones are all examples of electronic data now being required as part of the discovery process. It is for these reasons that businesses need to have a sense of eDiscovery readiness and accept accountability for discovery obligations. Failing to produce this type of data in a timely manner puts businesses in a position where they are subject to monetary penalties as well as a loss in reputation. To assist in this process, vendors are developing platforms that can manage the entire lifecycle of the eDiscovery process. A combination of policies, procedures, and technology to manage corporate data creates a solid foundation for eDiscovery readiness. But what is a Small Business to do? The following are 5 things Small Businesses can do to make sure they are prepared for eDiscovery:
- First, understand what the rules are. The Federal Rules of Civil Procedure (FRCP) contain the requirements businesses must follow for the discovery process. At a minimum, you should know how email is being stored and whether it is stored in a compliant manner.
- Create a compliance policy. Document what data needs to be retained to comply with regulatory and eDiscovery requirements and make sure employees are aware of these requirements.
- Backup solutions are no longer good enough. A backup creates a point-in-time recovery point in the event of a hardware failure; it is not an archiving mechanism. Third-party solutions, as well as native solutions built into Microsoft Exchange, provide mechanisms for archiving email and can save enormous amounts of time when searching for specific terms.
- Understand how social media is being used for your business and how your employees are using social media. The bottom line is that courts are requiring companies to provide social media content. At a minimum, a social media policy should be distributed providing guidance on acceptable use. Examples of what could happen if the guidelines are not followed should be explained.
- Consider "The Cloud". Cloud-based solutions such as hosted email or CRM can provide the means for archival and retention so that you are ready for eDiscovery when it's requested. But be wary. You still need to have a plan. Moving data to the cloud usually means that data is likely to be located both locally and in the hosted service, expanding the scope of discovery and ultimately making discovery costs go up.
What is File Slack? And how does it relate to Computer Forensics?
If you have a basic understanding of computers then you know that files take up space on your hard drive. You may also understand that some files are larger than others and that they can range from only a few bytes to many gigabytes. What you may not know is that files actually have two file sizes: a logical size and a physical size. The reason for the two sizes lies in the way that the file system stores files on your hard drive. Without getting into too much detail on how file systems work, the answer to this mystery lies in the understanding of File Slack, which is broken into 2 parts: Drive Slack and RAM Slack. Knowledge of File Slack is not required for everyday computing but it does play a very important role when it comes to Digital Forensics and eDiscovery.
You may have heard the terms Sector and Cluster when referring to hard drives. At a very basic level, the Sector makes up the smallest area on a piece of media, or hard drive, that can be written to. These Sectors are then grouped into Clusters that make up the allocation units on the drive. On Windows systems, the Sector is a fixed size of 512 bytes whereas the Cluster size is determined by the size of the disk itself. So smaller disks will have small Cluster sizes and vice versa. When a file is created, the file system allocates the first available Clusters depending on the logical size of the data being stored. Obviously, not every file stored on a drive can be the exact size of one or multiple Clusters, so there will be space left over in the last Cluster. This is File Slack.
RAM Slack refers to the remaining space in the last Sector of a file. Remember, Clusters are the allocation units but the file system still writes in 512-byte chunks. Very rarely will a file be an exact multiple of 512. So, once the file system finishes writing to the last Sector of a file, there will be space at the end of that Sector. Prior to Windows 95 version B, RAM Slack was filled with random data from RAM, hence the name RAM Slack. This was a huge security hole because data in RAM could contain passwords and other sensitive data. Since then, Windows file systems write the hex value 0x00 to the remaining space in the last Sector of a file.
Drive Slack refers to the remaining unwritten Sectors in the last Cluster of a file. The file system does not fill this space like it does with RAM Slack. The file system actually does nothing with this space. Whatever data was contained in those Sectors prior to the file being written still remains there, even remnants of deleted files.
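The arithmetic described above, as an added example (not from the original article): given a file's logical size and the volume's Cluster size, it computes the physical size, RAM Slack and Drive Slack, then carves both regions out of a constructed Cluster buffer. The function names, the 4096-byte Cluster size and the sample bytes are assumptions made for illustration.

```python
from dataclasses import dataclass

SECTOR = 512  # sector size the article gives for Windows systems

@dataclass
class SlackLayout:
    logical_size: int   # bytes of actual file data
    physical_size: int  # bytes allocated on disk (whole clusters)
    ram_slack: int      # end of data -> end of the last written sector
    drive_slack: int    # untouched sectors left in the last cluster

def slack_layout(logical_size, cluster_size, sector_size=SECTOR):
    """Compute logical/physical size and both parts of File Slack."""
    if logical_size <= 0 or cluster_size <= 0 or cluster_size % sector_size:
        raise ValueError("need data and a cluster made of whole sectors")
    clusters = -(-logical_size // cluster_size)  # ceiling division
    written = -(-logical_size // sector_size) * sector_size
    physical = clusters * cluster_size
    return SlackLayout(logical_size, physical,
                       written - logical_size, physical - written)

def carve_slack(allocated, layout):
    """Split a file's allocated clusters into (ram_slack, drive_slack) bytes."""
    data_end = layout.logical_size
    sector_end = data_end + layout.ram_slack
    return (allocated[data_end:sector_end],
            allocated[sector_end:layout.physical_size])

def constructed_clusters(data, cluster_size, residue):
    """Constructed sample: clusters that held `residue` are reused for `data`,
    with the last sector zero-padded as the article describes."""
    layout = slack_layout(len(data), cluster_size)
    old = residue * (layout.physical_size // len(residue) + 1)
    buf = bytearray(old[:layout.physical_size])
    buf[:len(data)] = data
    buf[len(data):len(data) + layout.ram_slack] = bytes(layout.ram_slack)
    return bytes(buf), layout

if __name__ == "__main__":
    # Assumed values: a 1300-byte file on a volume with 4096-byte clusters.
    image, layout = constructed_clusters(b"A" * 1300, 4096, b"DELETED-INVOICE ")
    ram, drive = carve_slack(image, layout)
    print(layout)
    print("RAM Slack all zero:", ram == bytes(len(ram)))
    print("Drive Slack starts with:", drive[:32])
```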
You can see how important File Slack is to Digital Forensics and E-Discovery. With the correct set of tools and an experienced forensic examiner, like myself, data stored in File Slack and Unallocated Space can be recovered. If you have questions about our E-Discovery solutions or if you would like to learn more about Trigon's IT services, and how they can help you, contact us at solutions@TrigonIT.com or call us at 1-888-494-TRIGON.