Proven Legal Technologies, the corporate forensic investigation and e-disclosure firm, has revealed 10 of the worst searches made by businesses during e-disclosure investigations.
Phil Beckett, Partner, Proven Legal Technologies, comments:
“In cases where an e-disclosure investigation is necessary, it is essential that the procedure is highly efficient and provides clear and concise results. However, our experience has shown that firms are still making crucial errors in the process, such as agreeing to search for ineffective words and phrases.”
Beckett’s top 10 worst e-disclosure searches include:
1) Words likely to appear in email footers
Terms that appear in standard email footers will do little to narrow down the search process. Examples include: “deletion”, “company”, “legal”, “confidential”, and any alternative forms of the words.
2) Names
Searching for an individual’s or custodian’s name is impractical, because names often, if not always, appear in email signatures. In addition, there are numerous alternative spellings and abbreviations that would require separate searches.
3) System-related words
Using words that are commonplace in computer or system terminology, such as “network”, “windows” or even “data”, often brings up a vast number of false-positive results.
4) Standard terminology
Using standard terminology, be it relating to the specifics of a business (for example, products, or customers) or relating to business in general (invoices or sales), can create a large number of results. These results will generally need to be combined with other terms to be effective.
5) “Fraud”
Fraudsters would rarely use this word within emails or other methods of communication, not least because they do not believe that they are doing anything wrong. Searching for this term is therefore fruitless.
6) Misunderstood syntax
The same sentence can have numerous implications and meanings depending on its grammatical characters and structure. It is therefore essential to ensure that the search accounts for this possibility or eliminates any incorrect interpretations.
7) Initialisms
Many custodians use abbreviations or initialisms to reference names or to act as signatures. However, searching for individual letters, particularly “A” and “I”, will prove futile due to their high frequency.
8) Proximity searching
When a phrase is searched, frequent words such as “a” and “of” are treated as “noise” or “stop” words, meaning that a phrase containing noise words will not be searched as intended. A more appropriate method is to use the “X within two words of Y” operator, where for example, “bill of sale” would become bill w/2 sale.
9) Searches in which one expects obvious fraud
In most cases, perpetrators of suspected wrongdoing will be aware of the illegitimacy of their actions and will endeavour to conceal them, so searching for material that blatantly betrays the fraudsters is unlikely to be successful.
10) Keywords
It is sometimes inappropriate to use keywords at all. One example of this is when actions are being deliberately concealed. Another is when dealing with hard-copy material that has been processed with Optical Character Recognition (OCR) to make it searchable. No matter how good the software is, it will be dependent on the quality of the paper, text and scan. Words can be incorrectly identified on a regular basis, and an incorrectly identified word will not be responsive to a keyword search.
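The noise-word problem and the w/2 operator from item 8, as an added example that is not part of the original article or any review platform's code. It assumes a hypothetical index that skips noise words but keeps true word positions, an unordered w/N operator, a made-up noise-word list and constructed sample documents.

```python
import re

# Assumed noise-word list; real review platforms ship their own.
STOP_WORDS = {"a", "an", "of", "the", "and", "to", "for", "in"}

def build_index(text):
    """Map each indexed term to its word positions. Noise words are not
    indexed, but they still consume a position, so distances stay true."""
    index = {}
    for pos, word in enumerate(re.findall(r"[a-z0-9']+", text.lower())):
        if word not in STOP_WORDS:
            index.setdefault(word, []).append(pos)
    return index

def phrase_hit(index, phrase):
    """Literal phrase match: every word must be indexed at consecutive positions."""
    words = phrase.lower().split()
    return any(
        all(start + i in index.get(w, []) for i, w in enumerate(words))
        for start in index.get(words[0], [])
    )

def within(index, x, y, n):
    """'x w/n y': some x lies within n words of some y, either order (assumed)."""
    return any(abs(px - py) <= n
               for px in index.get(x.lower(), [])
               for py in index.get(y.lower(), []))

# Constructed sample documents, not real case data.
DOCS = {
    "doc1": "Please countersign the bill of sale before Friday.",
    "doc2": "The sale closed last week; the final bill went out today.",
    "doc3": "Attached is the bill for the sale of the vehicle.",
    "doc4": "Your phone bill is overdue. Separately, the summer sale starts Monday.",
}

def run_queries(docs=DOCS):
    indexes = {name: build_index(text) for name, text in docs.items()}
    return {
        "phrase": sorted(n for n, ix in indexes.items() if phrase_hit(ix, "bill of sale")),
        "w/2": sorted(n for n, ix in indexes.items() if within(ix, "bill", "sale", 2)),
        "w/3": sorted(n for n, ix in indexes.items() if within(ix, "bill", "sale", 3)),
    }

if __name__ == "__main__":
    for query, hits in run_queries().items():
        print(query, hits)
```

The literal phrase query returns nothing because “of” was never indexed, while bill w/2 sale finds doc1 and still excludes the documents where the two words are unrelated. Widening to w/3 also picks up “bill for the sale” in doc3.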
Beckett concludes:
“Search processes within e-disclosure investigations should be cyclical and progressive, building on the findings of previous searches in order to narrow down results. Firms should also consider whether keyword searches are suitable to the nature of the investigation, or whether alternative methods would be more suitable.
“In order to establish an effective method and specific list of search terms for an investigation, businesses should seek expert advice and consultation. Specialist keyword analytics tools and experience eliminate wasted time and significantly increase the likelihood of producing crucial results and a conclusive investigation.”
By Phil Beckett, managing director at Proven Legal Technologies
Phil Beckett is a Managing Director at Proven Legal Technologies and joined the team after spending seven years leading Navigant Consulting Inc’s European Forensic Technology practice.
Throughout his career Phil has provided advice to lawyers, regulators, corporate entities, not-for-profit organisations and other stakeholders in relation to forensic investigations and e-disclosure projects in both the public and private sectors in the UK and also internationally. He specialises in advising clients concerning the preservation and investigation of digital evidence, the interrogation of complex data sets and the disclosure of electronic documents. He is also a qualified fraud examiner and has been a recognised court expert in relation to various aspects of digital evidence, producing numerous expert reports.