Know What to Keep

Preserving Electronically Stored Information for Litigation and Investigations

Implementing a “Litigation Hold”
While the above sounds fairly straightforward, one only has to look at how dispersed our data has become to realize what a complex task faces anyone implementing a “litigation hold.” The first step in the process is identifying where relevant materials are located.

Locations may vary depending on the issues in dispute, but the starting point would probably be the office computers of the key parties named in the litigation. From here you would look to preserve the relevant mailboxes on your mail server, and probably the home directories on the network server of the key parties. Preserving this information can be as simple as burning relevant files and folders to a series of CDs or DVDs. This type of storage medium is ideal since the files stored on them are “read only.”

Unfortunately for most business professionals, digital records are not stored in just two or three locations. We have hand-held devices, home computers and multiple e-mail accounts. In many organizations, voice mail is digital and is forwarded to an e-mail account. There are now tools that convert voice mail to text so that it can be sent as either a regular e-mail or a text message (see SpinVox — and PhoneTag — For some organizations, such as police departments, there are laptop computers in employees’ cars.

For security professionals, archiving security camera footage may also be necessary. And do not forget back-up tapes, which can be taken out of the rotation cycle for the duration of litigation. For some storage locations and media, one can successfully argue that the cost to preserve the materials is unduly burdensome; however, keep in mind that companies will run into problems if something is overlooked or improperly identified.

To be on the safe side, organizations should implement a preservation hold when litigation is reasonably anticipated at the earliest and when served notice of litigation at the latest. The steps should include identifying the custodians of relevant information and the creation of a data map identifying the systems most likely to contain this information.

A data map is not the same as the network topology diagram most system administrators are familiar with. This map should include the name of each system, the types of material it contains and the date the system was put into service. If a system was put into service after the issues in dispute occurred, it may not need to be preserved.

While this is a complex task, there are some excellent materials that can guide you and your lawyers through the process. The Sedona Conference ( is arguably on the forefront of these issues and has published some great resources. The first is “The Sedona Principles, Second Edition, Best Practices Recommendations & Principles for Addressing Electronic Document Production” ( and the other is “The Sedona Conference Commentary on Preservation, Management and Identification of Sources of Information that are Not Reasonably Accessible” ( This last document includes a decision tree that can help identify items that need to be preserved.
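As an added illustration (not part of the original article or of the Sedona materials), the following Python sketch applies the scoping steps above to a data map: systems put into service after the disputed period drop out, systems holding a key custodian’s data or organization-wide records stay in, and sources that are not reasonably accessible are separated out so the burden argument can be documented. The system names, custodians and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class System:
    name: str
    material: str            # types of material the system contains
    in_service: date         # date the system was put into service
    custodians: tuple        # people whose data it holds; empty = organization-wide record
    accessible: bool = True  # False for sources such as back-up tapes taken out of rotation

# Constructed sample data map; names, dates and custodians are made up for this example.
DATA_MAP = [
    System("mail-01", "mailboxes", date(2005, 3, 1), ("alice", "bob")),
    System("fileserver", "home directories", date(2004, 6, 15), ("alice", "bob", "carol")),
    System("tape-rotation", "weekly back-up tapes", date(2004, 6, 15),
           ("alice", "bob", "carol"), accessible=False),
    System("crm-new", "customer records", date(2009, 1, 10), ("bob",)),
    System("cctv-01", "security camera footage", date(2006, 9, 1), ()),
]
DISPUTE_END = date(2008, 12, 31)   # last date of the events in dispute (constructed)

def scope_hold(data_map, key_custodians, dispute_end):
    """Sort a data map into three lists of system names for the hold.

    preserve   - in scope and reasonably accessible: put under hold now
    burdensome - in scope but not reasonably accessible: candidates for an
                 "unduly burdensome" argument, which still must be documented
    out        - not in scope for this matter
    """
    preserve, burdensome, out = [], [], []
    wanted = set(key_custodians)
    for s in data_map:
        # A system put into service after the disputed events cannot hold
        # records from that period, so it need not be preserved.
        if s.in_service > dispute_end:
            out.append(s.name)
            continue
        # Per-user stores are in scope only if they hold a key custodian's data;
        # organization-wide records (no custodian list) stay in scope.
        if s.custodians and not wanted & set(s.custodians):
            out.append(s.name)
            continue
        (preserve if s.accessible else burdensome).append(s.name)
    return preserve, burdensome, out

if __name__ == "__main__":
    for label, names in zip(("preserve", "burdensome", "out of scope"),
                            scope_hold(DATA_MAP, ("alice",), DISPUTE_END)):
        print(f"{label}: {', '.join(names) or '-'}")
```

The "burdensome" list is a starting point for the cost argument, not a reason to skip those sources; the custodian list and in-service dates are exactly the fields the data map has to carry for the rule to work.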

Deciding What to Dump and What to Keep
This preservation concept is often counter to the concepts embraced by security professionals and privacy advocates. By deleting and destroying data, one can reduce the risk of inadvertent disclosure of proprietary and confidential information. More and more tools are becoming available to remove or destroy digital data. While on the surface this appears to be a good idea, the more data that is destroyed, the more difficult it can become to identify the inappropriate activities of employees.

Computers generate an enormous amount of data in the background during use. Because much of this information is not user-created, users do not know it exists and rarely take time to delete it. One of the best examples is the data that is cached when someone visits a Web page. For Internet Explorer users, this information can be found in the “Temporary Internet Files” folder. Whenever you visit a Web page, that page’s contents are stored in this folder. This does not sound too interesting on the surface until you realize that the contents of Web-based e-mail services such as Yahoo and Hotmail can also be found in this folder. This is very important from an investigative perspective, as people will often use Web-based e-mail accounts to bypass the monitoring of their corporate e-mail. From an investigative perspective, this Web-based e-mail is a great source of information and can help identify the true nature of a person’s activity.

Unfortunately, many organizations routinely delete Temporary Internet Files and other residual data that could benefit an investigation. This is not necessarily done to “cover one’s tracks,” but more likely as a security and privacy mechanism. The utility “Disk Cleanup,” which is installed as part of a normal Microsoft Windows installation, provides the option to remove Temporary Internet Files. Some organizations have “Disk Cleanup” scheduled to run every time a computer starts up in order to remove any potentially malicious files that might have been downloaded into the Temporary Internet Files folder. This means that employees can now communicate via Web-based e-mail regarding any inappropriate activities they choose, because their own employer is helping them cover their tracks!

Some businesses will take this a step further and install a third-party application to assist with the removal of residual data. One such tool is CCleaner (formerly Crap Cleaner), which removes cached files not only for Internet Explorer but also for the other popular browsers, Opera and Mozilla Firefox. It will also remove other “hotbeds” of evidence such as the files in the Recent Documents folder, prefetch directory information and UserAssist history.

We had a client who suspected a former employee of having stolen proprietary information when they left to go work for a competitor. When we examined the former employee’s computer, we could not find any material that could help us determine the employee’s activities. We then noticed that CCleaner was installed and had been used prior to the employee’s departure. This is often a “red flag” and is an indicator that someone is trying to cover their tracks. When we brought this information to the client, they told us that they had installed CCleaner on all of their employees’ computers and encouraged them to use it daily. It makes it easy to behave inappropriately when your employer encourages you to destroy evidence!

If you are not familiar with the types of residual data that can be found on a computer, you may wish to download my whitepaper, “Secure File Deletion: Fact or Fiction?” which describes numerous types of residual data and data destruction techniques. It can be found in the SANS Reading Room at

Data preservation is a complex issue and can only be addressed at a very elementary level in a short article such as this. But if you are a working business professional, you will be involved in preserving data for litigation or investigative reasons — and it is important to understand some of these issues surrounding preservation.

Take a minute to evaluate the digital information you and your team generate or are responsible for maintaining. If you were asked to preserve specific data from a certain period in time, could you do it? What problems might you face? As with any security-related project, prior planning can significantly reduce the cost of the process. If any of the concepts discussed in this article were either frightening or alien to you, I suggest you review some of the references cited (and review some of the case summaries at The time spent could save your company a significant amount of money or help you identify the misdeeds of an employee.