May 16, 2008

“MY BAD” – ACCESSDATA GIVES ME A CALL

The blogosphere is an amazing place. Very shortly after I published my negative review of FTK 2, I received a phone call from Brian Karney, the COO of AccessData. To give credit where credit is certainly due, Brian offered a string of apologies, essentially saying “my bad” on behalf of his company. He could have been confrontational and argumentative, but he was genuinely acknowledging a series of errors (so many that I am still dumbfounded) and trying to convey the company’s sense that it needed to do a lot of damage control. Which it does.

For the moment, I am simply saluting the candor of the call and offering additional information from Brian’s follow-up note to me, which said in part, “I agree we could have done a much better job of explaining and preparing our loyal customers for FTK 2 and the future of FTK 1. As you can imagine we are doing what we can to clear the air on that matter now. We are confident that we are headed in the right direction addressing many of the core issues with FTK 2 and committed to not stopping until we do.”

Brian also sent me a list of the items that are being addressed in the upcoming FTK v2.04 and FTK v1.80 releases.

Coming soon Version 2.0.4:
• 64-bit support
• Vista support
• Enhanced pre-processing performance
• Additional UI enhancements
  o Much faster Quickpicks
  o Much faster display of lists
               
Coming soon — Version 1.8:
• RSR functionality (automated generation of registry reports)
• Microsoft Office 2007 support (recognition, indexing and display)
• New containers in the Email tab (webmail and other email)
• Bookmarking e-mail attachments with parent e-mail support
• Recursive file export (from the file, back to the root of the drive)

Though I am still slightly confused about Versions 1 and 2 of FTK, our friend Craig Ball tells me that he has spoken to AccessData's CEO, Tim Leehealey. Apparently, Mr. Leehealey acknowledged that the company had goofed in even naming the product FTK 2.0. He told Craig that, despite his company's marketing, they are two entirely different products geared to different customers. 2.0 is designed only for massively parallel, collaborative workgroups with legions of powerful machines (large corporations and the federal government, for instance). I’m not sure how we were supposed to divine this from the marketing, but the clarification is useful. If AccessData can get this word out (and perhaps rename FTK 2), it will better serve its customers.

Finally, I tip my hat to Brian and Tim for listening, talking to Craig and me courteously and going back to the drawing board to figure out how to make things right for their customers. As the Japanese (especially MY Japanese guy) are fond of saying, “Don’t point fingers – fix the problem.” Here’s hoping they do.

E-mail: snelson@senseient.com    Phone: 703-359-0700

May 14, 2008

ACCESSDATA ANSWERS FTK 2 CRITICS - AND APOLOGIZES

The following e-mail appears to have been sent (without running a spellchecker!) to FTK’s registered users yesterday.

"Dear FTK 2 Customer:

The release of FTK 2 has created much more confusion than we had anticipated, so we would like to take a moment to once again clarify a very important point. FTK 2 is not meant to be a replacement for FTK 1 for all customers. While some customers will likely see FTK 2 as a superior solution and make the move, some will no doubt prefer the simplicity and minimal hardware requirements of version 1. It is for that reason that we are committed to not forcing our customers to choose between the two. Not only does every dongle of FTK 2 ship with a full working copy of FTK 1(both solutions can be utilized at the same time), but we are continuing to support and develop FTK 1.  A new version of FTK 1 will be releaed (sic) shortly with some powerful new features, and there will be additional new releases in the future.

We acknowledge there are challenges with FTK 2, such as slow processing, complex installation and GUI response issues. We are very well aware of these issues and diligently working on addressing them as quickly as possible.  Over time, as we learn to take greater advantage of the power that a database-driven approach provides, we believe the vast majority of the customer base will transition. However we are not now, nor do we plan to in the future, forcing custumers (sic) in one direction or the other. There are situations in which a database-driven solution is better and situations in which a memory-based solution is best. Therefore we are enabling you with both, and will allow you to decide when to use each.

We appreciate the continued feedback and support. We know we have not made it the easiest transition and for that we apologize. It is nobody’s fault but our own as the product manufacturer. So AccessData is committed to making FTK 2 easier to use and to providing continued customer support and educational resources for those who are interested in them . . ."

************************
The tone is nice and there is some candor here. However, the letter is a bit disingenuous in suggesting that users should have known that there were choices here. From the point of view of users, version 2 was simply advertised as an upgrade – not as a choice, with enumerated pros and cons. Also, it is clear that the release was premature as no one who really does computer forensics seems to believe that this is currently a viable product. Obviously, AccessData has been receiving a lot of heat. The company blew a whole lot of good will with this ill-advised move and has a long way to go to get it back.

May 12, 2008

CRAIG BALL BEATS ME TO IT: THE DISASTER THAT IS FTK 2.0

Here I had gone to the trouble of asking my partner John to stop grousing about FTK 2.0 and actually write about it and then he smugly points out that he doesn’t need to – our colleague and friend Craig Ball has beaten him to the punch. John further points out what is so often true, that no one could say it so well and . . . scathingly . . . as Craig did.

John and the other forensics technologists at Sensei were great fans of FTK 1.7x (the version we use) – loved the upfront indexing and the speed of indexed searching with the integrated dtSearch function. Now we get a higher priced (and higher maintenance) version which won’t install cleanly, doesn’t work on Vista, and places all data from various cases in a single database. We thought that we had purchased maintenance that entitled us to free upgrades. Apparently, AccessData has redefined the definition of free. Sure you get FTK 2.0 itself for no additional charge, but be prepared to pony up $50 for the new (I’m not sure improved or special) dongle that is required for this new version. So what happened to the free upgrade? Even Guidance Software didn’t charge (unless you didn’t return the old ones) for the upgraded dongles.

We’ve tried to use FTK 2.0 on 4 of our smaller cases just to see how it works. Not well would be an understatement. The cases involved single drives of 40GB and 80GB in size. Only one of the four was able to index the evidence overnight and that was one of the 40GB drives. Forget about the 80GB drives. To make matters worse, you have to let the processing continue to completion since there is no option to stop and pick up where you left off. Be prepared to dedicate a computer to processing the electronic evidence for a very long, long time. Think in terms of Rip Van Winkle.

To continue the rant, AccessData must have redefined the word ‘save’ in addition to free. After processing the ONE 40GB drive for multiple hours during the night and saving the case, the case could not be reopened. So much for saving the case file. Geez, even Microsoft gets that right.

So what have we done to recover from our apparent participation in the FTK 2.0 beta test? We’ve moved our licenses back to the original dongle so we can run cases in version 1.71 on Windows 2000, Windows XP and Windows Vista analysis machines. It really pains us that AccessData had an excellent opportunity to grab a huge amount of market share from Guidance Software (which is working overtime to alienate the private sector) and totally blew it. We really wanted to love this product and now feel burned by a faulty product that was clearly prematurely released.

That’s the semi-short version – to get the full version of Craig’s wrath (as if you didn’t get enough here), just check out his review. If this were Broadway, this play would have had a one night run.

Craig’s review of FTK 2.0 may be found at http://commonscold.typepad.com/eddupdate/2008/05/ftk-20-product.html

May 09, 2008

WAKE UP AND SMELL THE COFFEE: REPORT FROM SEATTLE ON DISGRUNTLED EMPLOYEES

Miraculously, it is sunny in Seattle – and with luck, we can shortly remove the manacles which bind us to our keyboards and go enjoy the sunshine. John and I have just wrapped up speaking at the ALA annual conference here – the topic was “Disgruntled Employees in Law Firms: The Enemy Within.” Probably the most surprising thing to us was the sheer number of attendees that have experienced cases involving disgruntled employees and electronic evidence – nearly all of them, in fact. Equally astonishing was the range of cases, from sex/age/gender discrimination to theft of confidential data, destruction of data, hostile workplace, embezzlement and insider trading.

At the large firm level, it appeared that firms are increasingly trying to plan for these circumstances and guard against them, but finding that some policies meet with stiff resistance from employees and that partners – big surprise – often wish to be exempted from policies. This is particularly true for policies involving the use of USB devices, the installation of “rogue” software, encryption and Internet and e-mail policies.

One suggestion we made to keep employees from becoming incensed at their employers is having outside experts (whether HR, compliance, legal tech, etc.) come in and educate employees about the need for the change and explain that the experts recommended the change. At least this deflects some of the heat from management and permits employees to better understand the change and ask questions. The truth is, no one likes restrictions, but they are necessary to secure data and to insulate law firms from many kinds of liability.

For those who are letting the infantry run the regiment, it is indeed time to wake up and smell the coffee.

May 07, 2008

WILL BLACKBERRYS BITE EMPLOYERS?

The National Law Journal recently featured an article which asserted that employers should be wary of a predicted wave of suits claiming overtime pay is due, those suits supported by irrefutable electronic evidence of e-mailing and dealing with phone calls after hours. Though BlackBerrys took center stage in the article, clearly any smartphone might prove problematic.

Some employees are exempt from the overtime requirements, but virtually all businesses have some non-exempt employees who may have a good case for making overtime demands. In order to stave off such suits, lawyers are recommending that businesses adopt clear smartphone usage policies (in addition to the computer policies they should have already) and obtain employee sign-off on those policies.

Reportedly, some law firms are already trolling for clients to lead the charge in this area. In response to the buzz in the press, businesses are beginning to make the decision to issue smartphones only to exempt employees. In a world where these devices have begun to be dispensed as routinely as Pez, it was probably inevitable that these devices would bring legal headaches. Time for another policy review.

May 05, 2008

COFEE CAUSING JITTERS

Yes, I spelled it right! In case you haven’t heard, the computer forensics world has been buzzing about a free tool provided by Microsoft to members of the law enforcement community. COFEE (Computer Online Forensic Evidence Extractor) is basically a thumb drive which contains 150 commands and can be further customized. Distribution began last June and more than 2000 officers in 15 countries are now utilizing COFEE. Essentially, COFEE allows investigators to scan for evidence, decrypt passwords, analyze Internet activity, etc. on a “live” computer in a “read-only” mode and extract evidence for use in court.

Why the jitters? Privacy advocates worry that COFEE will find its way outside of law enforcement and be used as a snooping device. And of course, there is concern that law enforcement might misuse the device. A private equivalent of COFEE is sure to come, if indeed it doesn’t currently exist.

For all the hype, COFEE really doesn’t contain any new tools – the key to its notoriety is simply that it is a portable device that can be used onsite, often making it unnecessary to seize computers, and very quickly allowing the extraction of evidence.

Further information may be found at http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html

May 02, 2008

THE BIG DIVIDE BETWEEN ED IN THE U.K. AND THE U.S.

Curiously, when John and I visited the U.K. last week, there was no hesitation amongst any of our interviewees when asked to define the major difference between electronic discovery in the U.K. and the U.S. Everyone agreed that “electronic disclosure” (as it is known in the U.K.) is principles based, whereas electronic discovery in the United States is rules based. To a man (yes, this seems to be primarily a male domain across the pond), our English friends like the principles based system better. Frankly, after listening to them, so did we.

In the U.K., attorneys must certify to the court that they have fully disclosed relevant information to the court. If their certifications are later proven false, they can be “stricken from the roll” – in our terms, disbarred. As a result, attorneys are well motivated (ethically and practically) to sternly admonish clients that there will be no “hide the ball” tactics. In this country, we tend to administer sanctions, but we have only to read the headlines to realize that there is very little fear of disbarment. In fact, attorneys seem to be pushing the envelope when it comes to playing fast and loose with e-evidence here.

The next few days will be spent assembling our notes from our meetings and composing an article based on our findings. Just to whet your appetite, here are some of the experts who were kind enough to meet with us last week:  Laurie Watt (Senior Counsel) and John Sykes (Partner) from Charles Russell, Darren Pauling (Forensic Tech Director Operations) and Rahoul Bhansali (Senior Manager, Forensic) from KPMG, Adrian Palmer (Director) from Palmer Legal Technologies, Ian Henderson (President) from Advanced Forensics, and Dr. Ian Mitchell and Dr. Carlisle George (Senior Lecturers in Forensic Computing from Middlesex University).

Our all-star cast gave generously of their time and experience, as a result of which I have nearly 100 pages of notes. This, of course, is why God made weekends, so we could be manacled to our home computers rather than our work computers. With luck, an article will emerge next week. The cross-border implications of electronic discovery have been a hot topic recently, so hopefully this will be an article of great interest. I’ll post it on the Sensei site and link to it from Ride the Lightning as well.

Till then, go home tonight and start the weekend right by downing a pint with your mates. Cheers!

April 30, 2008

WHITE HOUSE TAKEN TO WOODSHED AGAIN OVER MISSING E-MAILS

First, apologies for taking a blogging sabbatical while in London, but all work and no play makes Jack a dull boy. Or Jill a dull girl. Business in London frequently involves a splendid pub lunch and always a pint of ale. We really need to import that tradition. More on “forensic computing” in London soon, but for now I wanted to make sure to update the circus over the missing White House e-mails.

Judge John Facciola, polite but firm, has noted the contradictory statements by White House officials explaining the government’s archiving efforts. On April 24th, he issued an order directing the administration to collect and preserve all e-mails in .pst files for individuals employed at the White House between March 2003 and October 2005. Millions of e-mails appear to be missing from this period, which covers the start of the Iraq war, the Valerie Plame incident and the White House’s response to Hurricane Katrina.

The White House has admitted that there are a lot of e-mails missing but says the e-mails are on back-up tapes and drives that haven’t yet been found. Hmmm. Judge Facciola also recommended that the preservation order be extended to data on flash drives and other portable media. If the White House is to be believed, there is no monitoring or tracking of any of these devices – everything is left up to user discretion (anyone familiar with IT security is no doubt cringing at this folly). He further ordered that the White House advise the court as to whether all backup tapes created between 2003-2005 have been preserved and to specify any dates for which no backups exist. Though the opinion is polite, the court’s frustration with the government’s failure to be wholly forthcoming and specific is clear.

Given the blatant contradictions (we overwrote backup tapes/no, no, of course we didn’t do that), the real status of the missing e-mails is clear as mud. In the private sector, the entire IT staff would be pink-slipped if they couldn’t identify (and quickly) the status of the backups. How often confusion is convenient.

The court’s order may be found at http://www.citizensforethics.org/files/Document%2067%20(4-24-08)_0.pdf

April 23, 2008

GREETINGS FROM ACROSS THE POND!

No, I am not being a slacker. In fact, I'm in London with John interviewing computer forensics experts for an article for the ABA. Though there is lots to say (when I'm back home), I thought it amusing that the first thing I heard from our British colleagues was that "forensic computing" is definitely the 'right' term and that "computer forensics" is - well - entirely incorrect. Forensic, they tell me in a patient tone, is an adjective. When I queried, "So do the Yanks have it wrong again?," there was a grave nod and the words "'fraid so." Two countries separated by a common language, yet again!

Quite on another subject, John and I were greatly amused to hear yesterday that a gentleman was subject to a jail term of up to two years because he was a repeat offender whose "wheely-bin" (trash can) was open a full six inches. Well, there you go. England is serious about crime.

Forevermore in our lives, garbage cans will be "wheely-bins" and the very words will make us chuckle.

For now, time to "top up our Oyster" (look it up) and then get home to an expensive room the size of a broom closet and sleep on our twin beds. It's been years since I had a dorm room. Now I remember why. :-)

April 17, 2008

PHISHING WITH BAITED SUBPOENAS

Just when you think you’ve seen everything, the bad guys invent a new spin on an old game. Phishing for data is now old hat – we’ve all received notices from banks where we have no accounts telling us we must verify our accounts. This year, it was pretty clever when the phishers came up with an e-mail from the IRS requiring us to enter information to collect our “refund.” That certainly suckered in thousands of folks who apparently didn’t want to look a gift horse in the mouth even when they KNEW they shouldn’t be getting a refund. Never underestimate the power of greed.

The latest twist is a pseudo-subpoena from a court. I’m actually quite chagrined that I did not receive one of these – my friend Ross Kodner was kind enough to send me his. I really felt excluded from the Cool Kids Club. It was fun to take a look at the “subpoena.” The underlying idea is ingenious in one sense, because almost everyone is afraid of getting in trouble with a court. Of course the execution of the idea was execrable – what might have been a great scam was foiled by an author who never made it out of 3rd grade English.

As an example of the mangled language, here is a verbatim part of the document. "Any organisation not a party to this suit thas is subponaed for the taking of a deposition shall designate one or more offcers, directors, or managing agents, or other persons to testify on its behalf, and may set forth, for each person designated, the matters on wich the person will testify. Federal Rules of Civil Procedures,20(b)(6). Failure to appear at the time and place indicated may result in a contempt of court citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct any questions to the person requesting you to appear: City Prosecutor."

Though a fairly pathetic example of phishing, the link to a document which users were told to download carried the usual virus harvesting passwords, account numbers, credit card numbers, etc. In spite of the clear red flags, VeriSign’s iDefense Labs estimated that 1,800 recipients clicked on the link. Though the incident is being investigated, law enforcement and computer forensics experts rarely catch the phishers, who decamp with predictable regularity after quickly socking away what data they can. In this incident, the point of origin appears to have been a server in Singapore, which is probably a kiss of death for the investigation, though I’d love to be wrong on that score.

The Administrative Office of the U.S. Courts posted an alert on its website after (unsurprisingly) receiving a lot of calls. The law.com article may be found at http://www.law.com/jsp/article.jsp?id=1208342617032 and the AO notice may be found at http://www.uscourts.gov/newsroom/2008/alert.cfm

Disclaimer

  • This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.

Copyright Notice

  • © 2007 Sensei Enterprises, Inc. All Rights Reserved.