
jarhead79
14 years ago

Discovery Accelerator - forensically sound search?

Hypothetically...let's say we produced emails pulled from Discovery Accelerator to opposing counsel. They claim the emails were altered. What can Symantec provide to prove a forensically sound search and export? Are there logs, hash files, anything at all that can demonstrate that the email provided is the same as the email in the vault?


3 Replies

  • Hypothetically you could provide them with the audit log which includes the audit trail and substantiates the validity of the data.

  • I agree with Max


    The export logs show where the files came from and where they went to for export.



    If the files were in any way modified, the meta-data of the file would be altered: last modified date and so on.


    Correct me if I'm wrong but if they say the data has been changed they must provide you with proof of the same so you can investigate on your side if this happened. They need to provide details of which files and how they can show it was changed.


    You can then investigate the files in question to see what they looked like when they were exported, not only the file content but the file meta-data.


    If a change has happened on the file since it was exported this will show in the meta-data.


    You will also have to show the evidence handling processes you have internally to manage such data to show how the data got from DA to the opposition.

    You may also need to show the EV settings on version management, retention, audit logs and expiry as well as the user policies and their ability to change data in the archive.

    Before all the above can be done, you first need to be presented with samples of what they say was changed so you can investigate internally to see if any part of your process could have changed it, and if so it should be explained by way of your evidence handling procedures.
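
The question asks about hash files. The following is an added example, not part of the thread and not a Discovery Accelerator or Enterprise Vault feature: a generic hash manifest taken over an export folder at production time, then re-checked later so that content changes and timestamp-only changes are reported separately. The file names, manifest layout and sample contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    # Exported messages are small; read in chunks for very large files.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(export_dir):
    """Record size, mtime and SHA-256 of every file under export_dir."""
    root = Path(export_dir)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_file(p)}
    return manifest

def verify(export_dir, manifest):
    """Compare the files now on disk with the manifest taken at export."""
    current = build_manifest(export_dir)
    report = {}
    for name, rec in manifest.items():
        now = current.get(name)
        if now is None:
            report[name] = "missing"
        elif now["sha256"] != rec["sha256"]:
            report[name] = "content changed"
        elif now["mtime_ns"] != rec["mtime_ns"]:
            report[name] = "timestamp changed, content identical"
        else:
            report[name] = "ok"
    for name in current.keys() - manifest.keys():
        report[name] = "not in manifest"
    return report

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed sample export
        a, b = Path(d, "0001.msg"), Path(d, "0002.msg")
        for p in (a, b):
            p.write_bytes(b"constructed sample " + p.name.encode())
        manifest = build_manifest(d)
        st = a.stat()
        a.write_bytes(b"constructed SAMPLE " + a.name.encode())  # same size
        os.utime(a, ns=(st.st_atime_ns, st.st_mtime_ns))  # same timestamp
        os.utime(b, ns=(st.st_atime_ns, b.stat().st_mtime_ns + 10**9))
        return verify(d, manifest)
```

In the constructed run, `0001.msg` keeps its size and last-modified time but is reported as changed, while `0002.msg` has a new timestamp and is shown to be byte-identical. A manifest only carries weight if it is stored or signed separately from the exported files.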