Discovery Accelerator - forensically sound search?

Hypothetically... let's say we produced emails pulled from Discovery Accelerator to opposing counsel. They claim the emails were altered. What can Symantec provide to prove a forensically sound search and export? Are there logs, hash files, anything at all that can demonstrate that the email provided is the same as the email in the vault?

3 Replies
Accepted Solution!

Hypothetically you could provide them with the audit log which includes the audit trail and substantiates the validity of the data.

I agree with Max

The export logs show where the files came from and where they went to for export.

If the files were in any way modified, the meta-data of the file would be altered: last modified date and so on.

Correct me if I'm wrong, but if they say the data has been changed, they must provide you with proof of the same so you can investigate on your side if this happened. They need to provide details of which files and how they can show it was changed.

You can then investigate the files in question to see what they looked like when they were exported, not only the file content but the file meta-data.

If a change has happened on the file since it was exported this will show in the meta-data.

You will also have to show the evidence handling processes you have internally to manage such data to show how the data got from DA to the opposition.

You may also need to show the EV settings on version management, retention, audit logs and expiry as well as the user policies and their ability to change data in the archive.

Before all the above can be done, you first need to be presented with samples of what they say was changed so you can investigate internally to see if any part of your process could have changed it, and if so, it should be explained by way of your evidence handling procedures.

Thanks for the quick response

I'll look into the files and see what I can see.