Saturday, June 22, 2013

Managing Email With Exchange Web Services

Mark Gerow, director of application development and business process at Fenwick & West Mark Gerow, director of application development and business process at Fenwick & West

We hear a lot today about "activity streams" — those scrolling lists of posts, comments, and "likes" that provide the substance of social media sites and blogs. But inside the enterprise, one activity stream reigns supreme: email; and for most firms email means Exchange. While the centrality of email within the 21st century law firm is assumed, managing its content can be a challenge. Beyond inbox quotas and automated archiving, how can IT help manage this flood of unstructured data in a way that promotes matter team collaboration?

One way is through Exchange Web Services (EWS), the set of services upon which Outlook Web Access (OWA) is based, and which provides all the core tools for finding, moving, updating and deleting email. As a tool for manipulating Exchange content EWS has several advantages over Outlook add-ins, including:

• It is not dependent on the version of Outlook installed on the user's desktop (in fact, a local Outlook client is not required).

• EWS does not need to be run from the user's computer, but can be centralized on a network server.

• With appropriate configuration of Exchange, EWS can manipulate the contents of any user's email and calendars, allowing for the development of centralized, firmwide applications.

In this article I will show how EWS may be used to find emails in an inbox matching a certain criterion, upload those matching emails to SharePoint, and move the original emails to the Outlook "Deleted Items" folder. Through this example you will learn the basics of working with email using EWS.

INSTALLING EWS ON A DEVELOPMENT COMPUTER

One nice thing about EWS is that the web service calls are "wrapped" in a class library that can be referenced in .NET, so it's not necessary to interact directly with the web service per se, only to instantiate objects based on the classes in the library, which can be found here. The version I've worked with successfully is 1.2, although there's a later 2.0 version available for download but as of this writing it appears to still have some bugs.

THE SHAREPOINT "COPY" WEB SERVICE

In addition to EWS, we will use SharePoint's built-in "Copy" service to upload emails to a document library. To use this service you will need to add a web service reference to your Visual Studio solution pointing to the URL: http://[your server name]/[path to site]/_vti_bin/copy.asmx.

GETTING CONNECTED TO YOUR EXCHANGE SERVER

To work with Exchange you need a connection specifying the location of the corresponding EWS instance and authorized user credentials. The following routine will get you connected to the inbox associated with the current application user's credentials:

For the complete code used in this story, see the .cs or .pdf file.

Note: EWS allows you to connect to any individual's inbox given sufficient permissions. Such permissions must be granted by your Exchange administrator. See here for more information.

RETRIEVING THE CONTENTS OF AN INBOX

It's often simpler to manipulate inbox content if it's first copied to a DataTable. The following method, "GetInbox" will read through the first items in an inbox that have a specified string in the subject, adding the data for those emails to a Data Table for later processing.

Click image to enlarge
Click image to enlarge.

RETRIEVING A SINGLE ENTRY BY ITS EXCHANGE ID

Each email message has a unique ID that can be used to retrieve its contents.

GETTING THE EMAIL FILE

To upload an email to SharePoint, we need to get the full email as a byte-array. Note that the "Load( )" method is called with a special parameter to get the "MimeContent". This is necessary in order to make the full byte-array representation of the email message available.

UPLOADING THE EMAIL TO SHAREPOINT

Once the metadata and byte-array contents of the email are available, we can use SharePoint's copy.asmx web service to upload a copy of the email to a document library.

DELETING A MESSAGE FROM THE INBOX

Finally, we want to delete the message after it has been uploaded to SharePoint:

message.Delete(DeleteMode.MoveToDeletedItems);

ALMOST, BUT NOT QUITE!

The selected documents are now in a SharePoint library, but they may not open correctly until a setting has been changed on your IIS server.

Click image to enlarge
Figure 1. Click image to enlarge

The reason is that EWS returns emails in the .EML format used by Exchange, not the .MSG format used by Outlook. In order to instruct Outlook to open these messages, you need to associate the .EML extension with the "application/octet-stream" MIME type. This tells Windows that the .EML file type should launch an application.

Click image to enlarge
Figure 2. Click image to enlarge

You may also need to have individual users associate the .EML document type with Outlook. This can be done by pushing a group policy out to all users, or individually by right-clicking on an .EML file and using the "Open with" option to associate Outlook with that type. See Figure 3.

Click image to enlarge
Figure 3. Click image to enlarge

CONCLUSION

Exchange Web Services, the set of services behind Outlook Web Access, can be a powerful ally in taming the email beast. EWS allows you to search through an inbox and process emails without end-user intervention. It also has an advantage over the Outlook object library in that EWS can run on any computer, does not require Outlook to be installed, and with sufficient permissions, allows you to open any inbox for processing.

A browser or device that allows javascript is required to view this content.

Mark Gerow leads the application development team at Fenwick & West and is responsible for defining and implementing the firm's intranet and extranet strategies using SharePoint technologies. Email: mgerow@fenwick.com.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

7 Cybersecurity, Forensics Tools to Watch

Computer and Enterprise Investigations Conference 2013 Exhibit Hall in Orlando, Fla. Computer and Enterprise Investigations Conference 2013 Exhibit Hall in Orlando, Fla.

At the Computer and Enterprise Investigations Conference in Orlando, Fla., a number of vendors in computer forensics, cybersecurity, and e-discovery released new products, which make CEIC an annual event for Law Technology News to attend.

Cellebrite's UFED series of mobile forensic devices got a new stand-alone application, called UFED Link Analysis. The Link Analysis tool is designed to visualize data extracted from mobile devices. With the stand-alone application, an investigator can see key relationships and important behavior among the authors of messages such as the number of messages transmitted and methods used to send and receive messages, all gathered from multiple phones.

Link Analysis ingests data from one or more mobile devices. The tool can ingest .xml files exported from Cellebrite's UFED Physical Analyzer or UFED Logical Analyzer as well as data from logical file systems and image files for analysis. The application draws graphs of mutual links between devices, lists events in chronological order, identifies multiple suspects on a single map, saves snapshots of data and project-related information, and writes custom reports that can add data and pictures collected during an investigation.

Cellebrite's new tool can visualize links between senders and receivers who exchange telephone calls, text messages, email messages, and chats. It also:

• Groups senders and receivers by their associations.

• Filters data by date, time, category, and event.

• Stores data extracted from file systems and physical media.

• Exports data to advanced link analysis tools such as Penlink, i2 Analyst's Notebook, and Palantir.

CEIC 2013 attendees saw the debut of a new indexing engine for DFLabs PTK Forensics 3.0. The engine runs pre-processing actions on imported evidence to facilitate investigations. It supports pre-indexing and allocated and unallocated slack space analysis, string and metadata extractions, file signature analysis, file hashing, and automatic data carving to recover data from file fragments or undifferentiated data blocks (raw data). Other new features in PTK Forensics include:

• Support for multiple, simultaneous users and granular user permissions.

• Advance reporting system with bookmarks, partition details, and timelines.

• The case management engine has been revamped with the incorporation of the DFLabs Digital Investigation Manager module to manage case notes, events, and maintain chains of custody to evidence.

The Forensic Store is making WDR Forensic Solution's "Simple Seizure Tool for Forensic" available to the U.S. market. The tool is a USB boot device that runs Windows PE 3.1, runs a program on the target machine, and collects a disk or partition image at the push of a button. The tool supports PATA, SATA, eSATA, SCSI, SAS, USB, and Firewire (IEEE 1394) drives. To support drives connected to special devices such as a proprietary controller or adapter, a technician can install the necessary drivers in the Windows PE environment.

The Seizure Tool supports imaging data in Guidance Software's E01 evidence file format and in DD format. Also, MD5 or SHA256 Hash can be used to verify the original image. All operations are recorded in a log file. After the image is acquired, plug the tool into a computer, touch a button, and the image is copied to the connected PC.

GetData Forensics Pty Ltd debuted Forensic Explorer (starting at $1,000) at CEIC. Forensic Explorer is computer forensics analysis software that is designed to give investigators a cost-effective alternative to current forensic tools.

Already known in the forensic community for Mount Image Pro and Recover My Files software, GetData's new product analyzes all common forensic image formats, including Guidance Software's Ex01 and Lx01 and AccessData's AD1 image files as well as more than 300 file types. It can also examine FAT, NTFS, HFS and EXT file systems. GetData has modules to analyze email, registry files, and bookmarks. Forensic Explorer also integrates dtSearch keyword indexing technology and Digital Metaphors Report Builder for automated reporting, supports a scripting language, and many aspects of the program such as menus, columns, and filters can be customized.

In April HBGary, a subsidiary of ManTech International Corp., unveiled its malware analysis product for virtual desktop infrastructures, called Active Defense (version 1.3). The product is designed to help organizations detect zero-day, root kits, and other malware in virtual machine environents. Active Defense provides live, runtime memory analysis of guest operating system sessions with minimal impact on the underlying host server.

Systools Sofware released its MailXaminer software at CEIC. MailXaminer supports multiple email formats such as Outlook (.pst), Exchange Mailbox store (.edb), Mozilla Thunderbird (.mbox) as well as Apple Mac Outlook and Eudora file formats. The tool can search message bodies, contact fields, and attachments and filter results to narrow a document review. Once email evidence is found, the content can be exported to .eml, .msg formats or PDF, HTML documents. Other features include:

• View multiple email formats in one interface.

• Import emails to selected files.

• Simple Mail Transport Protocol access to mailboxes.

• Recover corrupted email messages.

• Duplicate identification and removal.

CEIC COOL PRODUCT AWARD

FireEye Inc.'s File Malware Protection System (File MPS) was my answer to "What's the coolest thing you saw at CEIC?" The product was released at RSA and is designed to analyze network file shares to identify and quarantine malware brought in by partners, associates, and other legal professionals. The system finds malware that may bypass firewalls, intrusion protection systems, and antivirus software. Tools such as web mail and file storage, removeable media, and online file transfer can introduce malware, which can spread to file shares and move like wildfire.

The File MPS appliances (File MPS 5300, File MPS 8300) analyze file shares with a Virtual Execution or VX engine, which can detect zero-day malicious code embedded in file types such as PDF, Office documents, vCards, .zip and .rar archives, as well as multimedia files such as QuickTime and MP3. FireEye's file security product can work on identified malware in a protection-mode that quarantines bad code in a proprietary virtal machine for analysis or the product can work in analysis-mode only, which monitors the identified malware in place.

In protection-mode, the File MPS creates a dynamic execution environment for known and unknown malware that satisfies the National Institute of Standards and Technology's "Security and Privacy Controls for Federal Information Systems and Organizations" (SP 800-53, Rev. 4), Control 44 Detonation Chambers. Other product features include:

• Integrates with FireEye's anti-virus suite and supports third-party anti-virus software.

• Scheduled and on-demand scanning of CIFS-compatible file shares.

• Supports custom rule importation to analyze file threats specific to the organization.

FireEye claims you can deploy the File MPS appliances in under 30 minutes. The appliances do not require tuning or the installation of client software on file sharing computers. Coolness, however, comes at a price. The File MPS starts at $54,950.

A browser or device that allows javascript is required to view this content.

Attorney Sean Doherty is LTN's technology editor.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Fastcase Gets Negative Treatment

By Sean Doherty All Articles 

Law Technology News

April 26, 2013

Fastcase Bad Law Bot logo Fastcase Bad Law Bot logo
Image: Fastcase

Product of the week ending April 26: Bad Law Bot

Manufacturer: Washington, D.C.-based Fastcase, Inc.

Description: The Bad Law Bot is a software algorithm designed to find negative case citation history. The algorithm enhances Fastcase's Authority Check feature to show subscribers where courts have noted that a case has been treated negatively (i.e., reversed or overruled on any grounds). Bad Law Bot flags cases that have negative citation history and provides links to those cases.

Target market: from solo practitioners to large law firms.

Competitive landscape: LexisNexis Shepard's Citations Service and Thomson Reuters KeyCite in Westlaw and Westlaw Next.

Price: Starts at $65 per month or $695 per year, per user.

Press release. See the Fastcase blog for more information.

The product of the week is gleaned from the many press releases Law Technology News receives to lawtech@alm.com for publication. Each week, on Friday, we will select a product or service that was newly released or upgraded within the previous four weeks of the publication date. The product or service must be of use to lawyers or law firms and help support the practice or business of law. The product must be available to readers on or before the publication date.

A browser or device that allows javascript is required to view this content.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Review: No Surprises Software Makes Legal Bills Transparent

No Surprises Software LLC No Surprises Software LLC
Image courtesy of No Surprises Software LLC

Correction: Due to an editing error, we inacurately identified co-founder Robbie Friedman. The article has been updated with the correct information.

Legal professionals — lawyers, paralegals, forensics experts, investigators, researchers and librarians, for example — sometimes face an uphill battle when it comes to billing clients for their work. Especially when the time tracked is not attributable to creating traditional work products, such as briefs and trial memos. Add to that the growing trend for alternative fee arrangements, which often calls for flat rates for specific services, with the goal of decreasing legal bills. It's no secret that clients are often confused and angry when bills arrive.

Enter No Surprises Software, and its cloud-based product, Viewabill, which the company says is designed to bring transparency to legal billing. It's the creation of two entrepreneurs. David Schottenstein also launched Swiss Stays, in 2011 (it manufactures collar stays) and  founded Astor & Black, a custom clothing company, in 2004, at age 21. Robbie Friedman began his career at Akin Gump Strauss Hauer & Feld; and then served as general counsel at Astor & Black, managing corporate and private equity matters and external attorneys, according to the Viewabill website. The two men share the CEO title at No Surprises Software, which is based in Columbus, Ohio.

According to Schottenstein, he and Friedman were childhood friends. Schottenstein went into business at Astor & Black where he was shocked to see some of the legal bills the clothier received for outside counsel's contract review. After attending the Universty of Michigan Law School, Friedman started his career on the other side of the law firm billing process, at Akin Gump Strauss Hauer & Feld. Both Schottenstein and Friedman agreed that law firm billing practices detracted from the attorney-client relationship and decided to team up and work to make billing more transparent and understandable. Together they formed No Surprises Software and then solicited iconic lawyer and law professor Alan Dershowitz help to promote Viewabill. Dershowitz, a professor at Harvard University, is well known for his high profile clients (Mike Tyson, Patty Hearst, et. al) and outspoken liberal positions — but not famous for his technology prowess. He is, however, an established advocate of " accountability and transparency."

The trio launched Viewabill on March 11, to provide law firm clients — including corporate legal departments — current views of their legal costs, all calculated from specific time entries for particular matters entered into a firm's time and billing system. Its goal is to increase transparency in the lawyer-client relationship by surfacing and reporting on how client money is being spent and alerting clients to specific expenditures that reach a measured threshold, they explained.

No Surprises obtains data on matters, time-keepers, time entries, and billing rates from law firm time and billing systems and presents the data on secure web pages for clients to access via desktop or mobile web browser. If the firm's billing system is web-based, Viewabill uses its application programming interface to obtain data, albeit the amount and type of data available to No Surprises is limited to the third-party's API. If the firm's time and billing system is installed on premise, No Surprises installs a transmitter that makes read-only requests to an SQL database for data; the resultes are transmitted to Viewabill's web service via HTTPS (256-bit encryption).

Viewabill's client dashboard displays legal costs for all service engagements and matters in a bar chart that displays activity for 7, 30, or 90 days. Bars represent daily activity in hours entered in the firm's time and billing system. You can select the time of the display from the top of the page. See Figure 1.

Click image to enlarge
Figure 1 shows No Surprises' home page displaying current activity by engagement and matter. Total hours and costs for the selected period (7, 30, or 90 days) are calculated at the top of the bar chart that displays daily activity. Click image to enlarge.

The dashboard view calculates costs using total hours from "blocked" and published rates. The blocked rates indicates the number of billable hours the firm has entered without disclosing the billing rate to the client. The total cost (hours x rates) is displayed as the calculated cost, plus any balance due from an unpaid invoice. The chart context changes to a specific engagement and matter, which is selected from the lower left-hand side of the dashboard, which lists matters alphabetically by law firm.

When I drilled down into a law firm's matters from the dashboard, I saw each matter the firm is working on along with the number of time entries and total hours for all entries. Alongside each matter is a button labeled "Pencils Down." When I clicked on that, a dialog box opens to prompt me to send a message to inform the law firm to stop working on the matter.

Drilling down one more time lays bare specific time entries with data on the time-keeper, cost, time entered, task descriptor, and any notes. Each individual time entry has an "i" button that displays when the time entry was made and a question mark to send the provider a question on the item. See Figure 2.

Click image to enlarge
Figure 2: A "no surprise" view of specific legal service engagements and matters. Click image to enlarge.

I sent a provider a "Pencils Down" message from the dashboard, which triggered an email to the firm, asking it to stop billing for the task until further notice. The billing partner received an HTML email to reply and confirm the request. The message is returned to the dashboard via HTTPS and posted for the client to review.

When I reviewed my sent message copied to the dashboard's "Conference Room," the message informed me when I made the Pencils Down request and when I received the response. Both log entries indicated the minutes that had elapsed since I made the request and since I received an answer from the current time. I would rather see the date and time stamp surfaced in this view.

Rather than keep a periodic watch on the dashboard, I set up alerts or notifications by matter and chose a threshold amount of time or dollars for the firm to expend. When the firm reaches the threshold I set, Viewabill notifies me via email or pushes the alert to the dashboard. Then I selected a distribution schedule for all my alerts: none (disable), daily, or weekly. I would prefer to set a distribution time for each alert, rather than apply one distribution time for all notifications. Some matters may be more critical than others. See Figure 3.

Click image to enlarge
Figure 3 shows the Viewabill notifications' page where you can set up alerts to notify you of threshold hours and dollars expended by a law firm. Click image to enlarge.

The Viewabill toolbar menu at the top of each page provides quick access to your dashboard and individual matters, messages, and a request form to contact your service provider aka law firm and request information for other matters. The law firm has its own interface to Viewabill to set up client access, configure matters, and set permissions to open or restrict views to time and billing data. A search feature (magnifying glass icon) is also on the menu bar.

The search form is well thought out and designed to search, or filter, time and billing data. Search filters include law firm, matter, keywords, and dates. The date filter is prominently displayed. Click the beginning date on the left calendar form and the end date on the right, pull down a menu to filter on a matter and type in keywords. See Figure 4.

Click image to enlarge
Figure 4 shows the search form in Viewabill, available from the magnifying glass icon on the tool bar. Click image to enlarge.

A search for "Robert Friedman," returned all the time entries for a specified period entered by Friedman. The top of the search result form tallied all the time entries (5), totaled Friedman's billable hours (20.4), and then calculated the total cost ($3,567.00).

Legal business software such as Thomson Reuters' Serengeti and Hartford, Conn.-based Tymetrix 360 supply law firm analytics designed to give firms a competitive edge in proposals for work product. (See New Tools Put Legal Bills Under Microscope.") For corporate legal departments, Houston, Texas-based Datacert's Legal Spend Management, Andover, Mass.-based Sky Analytics, and Tymetrix's Legal Analytics are designed to help corporate counsel manage and reduce costs from outside counsel. But the current legal spend managers do not integrate directly with outside counsel's time and billing applications to retrieve, analyze, and report current time entries.

I am not aware of any product that directly competes with Viewabill, albeit it is possible for a law firm to use its own technology to surface and analyze billable time entries and create portals for client review. But in following today's trend for firms to get back to their core competency of practicing law, they may be hard pressed to compete with Viewabill's features and price.

Viewabill starts at $40 per matter per year, which can drop to $25 per matter per year with bulk discounts, said Schottenstein. Unlimited matters per year cost $35,000. Time and billing data are saved for 120 days, but a longer or shorter time period can be negotiated, added Schottenstein.

Press release.

A browser or device that allows javascript is required to view this content.

Attorney Sean Doherty is LTN's technology editor.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Product of the Week: Lexis Practice Advisor

Product: Lexis Practice Advisor series:  Mergers & Acquisitions module.

Manufacturer: LexisNexis Legal and Professional, New York.

Description: The new LPA module, like existing modules (e.g., Business & Commercial, Financial Restructuring & Bankruptcy, California, Corporate Counsel, and Securities & Capital Markets), helps practice groups complete transactions faster and more efficiently. It offers practical guidance and content from LexisNexis experts and legal editors, to help users execute transactions. All LPA modules use the new Lexis Advance research platform that provides research history, alerts, work folders, and interactive forms. The goal of the M&A module is to speed the document editing process to quickly complete a deal.

The M&A module also debuts Market Tracker, powered by Matterhorn. It helps users  locate and compare transactions across approximately 1,000 deals and more than 900 deal points, such as consideration type, target industry, and deal amount. The comparison tool views search results in the a Microsoft Excel-like web page with analytical features to compile and recompile lists and filter views. See Figure 1.

Click image to enlarge
Figure 1 shows a comparison of two cash-based technology acquistions in the Market Tracker, a tool in the Lexis Practice Advisor, Mergers & Acquisitions module. Click image to enlarge.

You can expect Market Tracker to compete with other market tracking tools for transactional lawyers, such as Exemplify and the Practical Law Company's What's Market tool (now owned by rival Thomson Reuters). With Market Tracker, you can apply granular filters to search results and hone in on deals by target and acquiring company, and negotiated terms, and find market-tested deal documents to use for a current client or project. Once you find relevant deals, you can compare and analyze them online or download them to your computer.

The new module covers key transactions in M&A practice groups, such as public company M&A, private asset acquisitions, private stock acquisitions, and private mergers. It provides information on representing core functions of M&A attorneys, structuring deals, negotiating agreements, conducting due diligence, and drafting and negotiating purchase or merger agreements.

Target market: Law firm merger and acquisition practice groups.

Price: The Mergers & Acquistion practice module is available for $140 per person per month.

Methodology: The product of the week is chosen by Law Technology News' editors from products or services that have been launched or upgraded within the last four weeks. To be eligible, the product or service must be of use to law firms, law departments, or other legal organizations to support the practice or business of law. The product must be available on or before the publication date. Press releases may be submitted to lawtech@alm.com.

A browser or device that allows javascript is required to view this content.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Review: LexisNexis Concordance Evolution

It's been a little more than a year since LexisNexis parted ways with Applied Discovery, a high-end document review platform they acquired in 2003. Concordance Evolution capably fills the void.

Concordance has evolved from its early form. Steven Ashbacher, vice president and general manager, Concordance for LexisNexis, says Concordance Evolution is intended for complex litigation matters burdened with enormous volumes of electronically stored information. The Concordance that litigators have been using for more than 25 years (and acquired by LexisNexis in 2006) has been re-labeled "Concordance Traditional."

After testing Evolution, I am convinced the transition is necessary, but fearful that the days of Concordance Traditional may be numbered. Ashbacher assured me there are no plans to sunset that edition, acknowledging the investment customers have put into the system, including years of training, as well as creating workflows and customization. Ashbacher anticipates that current customers will continue to use Traditional for smaller matters but turn to Evolution when they need a high-performance, scalable program to handle the inevitable ESI snowball.

SURVIVAL OF THE FITTEST

While there are some similarities between Concordance Traditional and Evolution, Evolution can stand on its own. The back end is built on Microsoft SQL and delivered through the Microsoft Internet Explorer web browser (version 8 or 9) based on a Microsoft .NET framework. Concordance Evolution also replaces the Imagebase-Opticon-Concordance Image medley with the very powerful Brava Viewer from Informative Graphics Corp. All of this delivers a powerful system that Concordance Traditional could never compete against.

Yet Concordance Evolution could still benefit from a few refinements to make it a natural selection among litigators. Customers are currently required to use IE 8 or 9, which limits browser options and eliminates the use of mobile devices. The concept search and near-native tools feel a bit clunky when compared to other similarly positioned tools on the market such as kCura Relativity and Integreon eView. Ashbacher promises an aggressive rollout schedule this year and next for both new and upgraded features.

In other document review platforms, a list of concepts is generated so that reviewers can gain an additional angle into the data, whereas in Concordance Evolution the Concept Search is baked into the Quick Search bar. And while the document viewer in Concordance Evolution is very powerful (see below), I felt that it was a tad bit sluggish when I zoomed in or switched views.

NEAR-NATIVE

The interface of Concordance Evolution is simple and straightforward. Depending on your access rights, you can navigate the entire system via the omnipresent tabs at the top for Administration, Review, and Reports. There's also a breadcrumb trail that divulges your whereabouts in the system. Clicking the trail worked much better than hitting my browser's Back button.

Concordance Traditional users will recognize the Table View in Evolution to view a list of documents. The default, however, is much more useful and called the Snippet View. It looks like a page of Google Search Results — you see the name of a document followed by a few lines of content. See Figure 1.

Click image to enlarge
Figure 1: Clicking a document in Concordance Evolution brings up the near-native rendering where the Brava viewer offers options for viewing page thumbnails, adding stamps and redactions, etc. Clicking the Document Data tab shows the fielded data for the document which Concordance Traditional users will recognize as the Browse view. Click image to enlarge.

Clicking a document brings up the near-native rendering where the Brava viewer offers options for viewing page thumbnails, adding stamps and redactions, etc. Clicking the Document Data tab shows the fielded data for the document, which Concordance Traditional users will recognize as the Browse view.

A browser or device that allows javascript is required to view this content.

Subscribe to Law Technology News

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Friday, June 21, 2013

AccessData Releases Summation 5.0 With FTK

By Sean Doherty All Articles 

Law Technology News

June 11, 2013

Summation logo

AccessData announced today the release of Summation 5.0, featuring an FTK license, technology-assisted review, and free training.

Summation 5 brings together features for forensic analysis and document review. It shares a database back end with AccessData's FTK forensic review tool, which means you can now use FTK to forensically process and analyze data and then view the processed data in the Summation user interface. To show off the FTK integration, each upgrade to Summation includes a fully functional FTK license. Free training courses for both FTK and Summation are also included so users can quickly realize a return on their Summation, with FTK, investment.

In addition to a free FTK license and training, the new Summation includes support for predictive coding and visual analytics. Other features include:

• Improved email threading views.

• Real-time transcript support.

• Direct import of Concordance and Relativity load files.

• A Concordance database migration tool.

AccessData markets Summation to small teams as well as large organizations with big cases. The digital investigations and litigation support software manufacturer offers Summation as a subscription without per-use or per-gigabyte fees.

See the Summation web page for more information.

A browser or device that allows javascript is required to view this content.

Attorney Sean Doherty is LTN's technology editor.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Connecting SharePoint Task Lists to Outlook Calendars

Mark Gerow, director of application development and business process at Fenwick & West Mark Gerow, director of application development and business process at Fenwick & West

The fact that many legal professionals consume and interact with most, if not all, of their digital content in Microsoft Outlook cannot be overstated. It follows that if you want to deliver data to your law firm community, do it through Outlook.

This article describes a method for presenting temporal data in Outlook calendars. With minor modifications, however, the technique described may be used to present Outlook data from sources as varied as SharePoint, SQL Server, XML, web services, or Excel. All of this relies on a protocol first released by Microsoft in 2003 called STSSYNC.

STSSYNC is a protocol originally introduced for SharePoint 2003 that allows calendars, contacts, and tasks to be synchronized between SharePoint and Outlook. When you choose the "Connect to Outlook" option in SharePoint 2003 or later you invoke the STSSYNC protocol handler in Outlook. The protocol essentially does two things:

1. It provides Outlook with information about a calendar, contact, or task list in SharePoint to be displayed in Outlook.

2. The protocol causes Outlook to periodically synchronize data with a source list and to update a local copy of that list's data.

SYNCHRONIZING A SHAREPOINT TASK LIST TO AN OUTLOOK CALENDAR

In my experience, a calendar is the preferred means for viewing date and time oriented data — very few people know about, let alone use Outlook tasks. While out-of-the-box SharePoint can synchronize a task list to an Outlook task list, the scenario we'll explore is synching items from a SharePoint task list to an Outlook calendar. To accomplish this we'll need a custom web service that will respond to Outlook's data requests.

Because the STSSYNC protocol has been poorly documented by Microsoft, very little use has been made of it beyond the built-in SharePoint connectors. Most articles by Microsoft provide arcane descriptions of how it can be used to connect arbitrary data sources to Outlook, but seem to assume it will only be of interest to commercial software vendors and not to IT professionals.

The STSSYNC out-of-the-box implementation has real but limited usefulness. It can connect a SharePoint calendar, contact, or task list to its Outlook counterparts, but does not recognize SharePoint views and so cannot limit the synchronization to a subset of those items. Nor can the standard implementation link anything other than SharePoint calendar, contact, or task entries to their corresponding type in Outlook.

To realize STSSYNC's full potential for connecting disparate data sources we need to crack it open and get an understanding what is actually going on under the hood.

This article builds on two previously published articles. The first was published in 2004 by Stephen Toub, a Microsoft engineer, in which he described how to create a general purpose content provider for Outlook using the STSSYNC protocol. The second article, published by P. Creehan in 2006, builds on the first and updates it for Outlook 2007 and 2010. Neither article addressed the question of creating custom connectors for SharePoint lists, a topic we'll cover in this article.

The key insight of Toub's article is that Outlook expects the list provider to call the SharePoint "Lists.asmx" web service, and thus any web service that mimics Lists.asmx will also be recognized by Outlook, regardless of the source of the data it returns. Some of the data sources referenced in his code are no longer functional and have been removed from the .cs files here attached. The general framework presented in Toub's article, however, is just as useful today as it was when first written.

Creehan's article updated Toub's Lists.asmx design to work with Outlook 2007 and later. This update was necessary because Toub did not implement the Lists.asmx interface in its entirety, and while Outlook 2003 did not require a fully implemented interface, Outlook 2007 and later do.

The code from these two articles, along with a few modifications, forms the basis for a connector to display a SharePoint task list in an Outlook calendar. The steps to install and test all of the necessary code are described below.

INSTALLING AND TESTING THE CUSTOM TASK LIST CONNECTOR

Prerequisites. To follow my instructions below you will first need to download and install the source code provided by Toub, and the modifications provided by Creehan. Once you have a working site combining both authors code you are ready to add the custom task list connector.

1. Make sure you have access to a copy of Visual Studio 2008 or later.

2. Download and extract the sample application from the Toub article here.

3. Open the website extracted in step 2 above in Visual Studio (note that you will be prompted to update the project format to the current version of Visual Studio).

4.Make the modifications to the "WssListResponse.cs" class as described in the Creehan article.

Additional Modifications. In addition to the modifications required in step 4 of the preceding section, you will need to make two additional changes to get the sample application working with a SharePoint task list:

5. Add the "TaskListCalendarProvider.cs" class to the "Sample Providers" folder.

6. Modify the "CalendarProviderSettings.cs" class to remove the reference to configuration settings in web.config that won't work with ASP.NET 3.5 or that refer to sources that no longer exist. In addition you will add a reference to the new "TaskListCalendarProvider" class (see the modified CalendarProviderSettings.cs).

Note: you will need to modify line 51 of the above C# class to specify your SharePoint site and task list name.

7. Add a reference to the SharePoint Lists.asmx web service to the project and name it "ListsService."

Click image to enlarge
Figure 1: Adding a reference to the Lists.asmx web service.

TESTING

At this point our modified Outlook calendar provider should run in Visual Studio. To test it, simply press F5 to start the application. You should see a page that looks like the following:

Click image to enlarge
Figure 2: Home page listing installed calendar providers.

Clicking on any of the icons in the "View Events" column should display a list of events for the corresponding provider. For example, clicking on the "SharePoint 2010 Task List" view-events link displayed the following on my computer (results will of course vary depending on the data entered into the source SharePoint task list).

Click image to enlarge
Figure 3: Viewing source data from a SharePoint task list.

Now, link the task list to Outlook.

Click image to enlarge
Figure 4: Initiating the link.

The underlying link behind the highlighted icon is:

Click image to enlarge

Notice the highlighted segments of the URL:

• "Stssync" tells Windows that Outlook should process this link;

• Calendar indicates that this list will be synched to a calendar, rather than a task or contact view;

• http%3a%2f%2flocalhost%3a33879%2fodc_OLOutlookCalendarSample is the encoded URL of the custom provider site, not the underlying SharePoint site;

• %7B5996db53%2Dae0c%2D45be%2Db4c1%2D86ccbf61b0a7%7D is the encoded unique ID (GUID) of the TaskListCalendarProvider instance (each connection in Outlook must have a unique ID).

When you click on the link, you will see two dialogs in succession. First, you'll be asked to allow your task list provider to open Outlook.

Click image to enlarge
Figure 5: Allowing our web service to open Outlook.

Click the "Allow" button to proceed. Next, you'll be asked wither it is OK to connect Outlook to this specific SharePoint list.

Click image to enlarge
Figure 6: Confirming the link in Outlook.

Click "Yes". Finally, if all works as expected, you will see the linked calendar in Outlook:

Click image to enlarge
Figure 7: The linked task list displayed in Outlook.

After successfully registering your linked list, adding, deleting, or changing tasks in SharePoint will automatically be reflected in the synchronized calendar in Outlook.

WHAT'S GOING ON UNDER THE HOOD?

Behind the scenes clicking on an STSSYNC link causes Outlook to add an entry to your linked SharePoint lists collection. You can see your current linked lists by opening the Account Settings dialog and navigating to the "SharePoint Lists" tab.

Click image to enlarge
Figure 8: Outlook account information page.

Click image to enlarge
Figure 9: Dialog showing linked SharePoint lists in Outlook.

Click image to enlarge
Figure 10: SharePoint List Options dialog

The definition above contains enough information to tell Outlook the URL and name of what appears to be a SharePoint site and list, but is actually our custom web service. Whenever Outlook refreshes the synched list it will append "/_vti_bin/Lists.asmx" to the site URL and call the "GetListItems" method of that web service for the specified list (represented in Outlook by the GUID provided in the original STSSYNC URL). Our provider's "Application_BeginRequest" event handler in the Global.asax.cs file will intercept the call from Outlook and reroute it to "OutlookCalendar.asmx", where our SharePoint task list provider will be called. Next, our provider queries SharePoint to return all items for the source task list and formats the results to conform to an Outlook "event". Finally, Outlook receives the data returned from our web service and maps it to entries in the synchronized calendar.

PRODUCTION

In the example above we ran our custom calendar provider from within the Visual Studio environment. In this development configuration the synchronization process will only succeed when Visual Studio is running because the URL sent to Outlook includes a port assigned dynamically by Visual Studio. When you're ready to go live you'll need to install your application on a production IIS server that is accessible to all of your Outlook users.

OTHER SCENARIOS

The STSSYNC protocol requires a web service that behaves like the SharePoint Lists.asmx web service. As long as that requirement is met, any data can be returned assuming it's formatted correctly. For example, data stored in SQL Server (such as that from Aderant's CompuLaw docketing application), web services (e.g., LexisNexis Interaction), XML, or Excel all could be displayed through Outlook when appropriately formatted. This opens up many opportunities to present actionable data to users who may use Outlook as their primary (if not sole) data access tool.

CONCLUSION

Although Microsoft has done a poor job of explaining the architecture of the SYSSYNC protocol, a bit of research will show that it provides a way to link Outlook to SharePoint via a call to the Lists.asmx web service. Toub (2004) showed that a custom web service masquerading as Lists.asmx allows any source of data with a time dimension can be displayed as an Outlook calendar. Creehan (2006) provided updated source code to address the more stringent requirements in Outlook 2007 and later. Combining Toub's and Creehan's code forms the basis of a general purpose web service to present any time-based data, including that stored in a SharePoint task list, as an Outlook calendar.

Fenwick & West uses a custom web service and the STSSYNC protocol to make task lists more visible and usable for legal professionals. IT no longer has to coax busy individuals to a SharePoint site to manage their tasks. Rather, task data is represented in a tool they use throughout the day: Outlook.

A browser or device that allows javascript is required to view this content.

Mark Gerow is director of applications and business process at Fenwick & West. Email: mgerow@fenwick.com.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Workshare Professional Now Supports Windows 8 and Office 2013

By Sean Doherty All Articles 

Law Technology News

May 17, 2013

Workshare logo

Product of the week: Workshare Professional 7.5.

Manufacturer: Workshare, which offers secure enterprise collaboration software.

Description: Workshare Professional incorporates document comparison, metadata removal, and PDF creation software. The 7.5 upgrade adds support for Microsoft Windows 8 and Microsoft Office 2013. Workshare's collaboration software can now launch from inside Office 2013 applications. All document edits are contained in an original master document, which gives users easy access to content changes and dispenses with the need to create document versions. Law firms can centrally administer policies to intercept email attachments sent from Outlook, automatically remove metadata or create a PDF, and even replace attachments with a secure link to the document stored online. These strategies are designed to prevent employees from inadvertently including sensitive or hidden information in documents sent outside the organization.

For more information see the press release and Workshare Professional's webpage.

Target market: small to large law firms using Microsoft Windows and Office products.

Competitive landscape: Litéra and Microsystems.

Price: Starts at $199 for a one-year subscription with customer support.

The product of the week is gleaned from the many press releases Law Technology News receives via email or at tradeshows. Send your press release to lawtech@alm.com. Each week, on Friday, we will select a new or upgraded product or service that has debuted within the previous four weeks. The product or service must be of use to lawyers or law firms and support the practice or business of law. It must be available to readers on or before the publication date.

A browser or device that allows javascript is required to view this content.

Attorney Sean Doherty is LTN's technology editor.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Product Review: Catalyst Insight

Catalyst Repository Sysems, Inc. logo

Image: Catalyst Repository Sysems, Inc.

Searching documents in e-discovery should be fast. No one has time to wait for a database to churn out search results. Fortunately, most of today's hosted document review platforms are speedy enough, but could they be faster?

That's a question that John Tredennick and his team at Catalyst Repository Systems, Inc., set out to answer several years ago when they started to push the limits of current technology in their larger cases. The "structured query language" (SQL) that most platforms use requires data to be placed in some kind of a structure before it can be searched. But most of the data involved in e-discovery is unstructured in the form of email, Word documents, text files, etc. That's why Tredennick and the Catalyst team turned to an XML-based back end for their new Insight document review platform.

I tested Catalyst Insight using a PC with Windows 7 Professional and Google's Chrome browser (version 24.0.1312.56) and found the hosted platform blazing fast for document review.

IMMEDIATE SEARCH AND RESPONSE

To give an example, I accessed an Insight account that contained 8 document collections with a total of 8,981,995 records. I knew there were that many records in the database because a counter in the lower right corner updated itself in response to anything I typed.

Since one of the document collections was the Enron data set, I jumped right into the "Free-Form Search" box and searched for one of my favorite emails from the collection with the words "lunch" and "shred." As soon as I typed "lunch" my record count jumped down to 83,191 in under a second. When I typed "shred" it immediately plummeted to 52. I hit the Search button and pulled up the email I was looking for: "This week is not good [for lunch]. I have too large a pile of documents to shred. Next week is better."

The story here isn't that I found my email — I can perform the same search in any platform and (probably) get the same result. The story is how responsive Catalyst Insight was to my search. I don't want to simply call it "fast," I would describe it as "immediately responsive" because the system was running my search in the background before I even hit the search button. I could experiment with search terms and immediately see the number of potential results.

MULTIPLE SEARCH OPTIONS FOR YOUR DOCUMENT COLLECTION

When you log into Catalyst Insight, the primary navigation appears on the left side with small square icons for Search, Folders, Review Projects, Monitors, and the Administrator Console. By default, you're brought to the Free-Form Search screen which I used in the example above. See Figure 1. There are some Advanced settings here (stemming, case sensitivity, etc.) but if you want to just start typing you're free to do so. There's also a "Search Assist" box that allows you to select a specific field to search if you wish.

Click image to enlarge
Figure 1: The Free-Form Search screen. Click image to enlarge.

But if you're taking the exploratory route in your search, you're better off starting with "Faceted Search." See Figure 2. The Facets here are based on the fields that appear in the main window as list boxes. You can bring up the author box and add names to your search. Next, you can add another Facet such as "doctype" to narrow your search. The "docdate" field comes up as a nice visual graph allowing you to drag your cursor over the relevant timeframe.

Click image to enlarge
Figure 2: Faceted Search. Click image to enlarge.

The "Tracked Search" option allows you to generate useful reports on search terms. See Figure 3. You build your search by clicking the plus sign for each box and then entering your terms. If you already have a list of search terms that someone composed, you can copy and paste them into the "Delimited Entry" tab as long as they're separated by a comma, semicolon or hard return. You'll have to spend some time building your search here, but once you're done you can select "Create Report" from the Search Options at the top.

The Report provides details on the document collections and folders that were searched, followed by a visual chart of the documents as per doctype (which can be switched to a pie graph, doughnut, column, etc.). The most helpful information is at the bottom where it lists the keywords you used with the number of hits recorded. It also lists the similar words that were NOT included in your search. This report is extremely helpful when you're arguing about search terms with the other side.

Click image to enlarge
Figure 3: Tracked Search report. Click image to enlarge.

VIEWING YOUR DOCUMENTS

When you're ready to view documents, Insight lists them in "Table View" by default. See Figure 4. Site Administrators can customize this default view or users (as allowed) can create their own views. All the tools are there to customize your list of columns but it did take me a few minutes to find everything (e.g., adding a new column requires clicking on a dropdown in an already existing column).

Click image to enlarge
Figure 4: Table View. Click image to enlarge.

To see the content of a document, simply click the row and a Preview window pops open on the right side of the screen. See Figure 5. Nothing fancy here as the Preview window only shows the textual rendition of the file, but it does highlight search terms. You can also click "Show Fields" to see a list of all the metadata associated with the document.

Click image to enlarge
Figure 5: Preview the content of a document. Click image to enlarge.

Clicking the "Launch Detail" button will open the document in a separate browser window where you can view either the text of the document or a PDF. The embedded viewer worked great for every file type I tested but if you need to view the native file you can download it and use local software on your computer.

The bottom right corner of the Document Viewer shows "Related" documents (e.g., an email and its attachments) and "Duplicates" pulled from the database. Checkboxes allow you to tag the groups as appropriate. See Figure 6.

Click image to enlarge
Figure 6: Document Viewer. Click image to enlarge.

While the Table View will satisfy most review needs, Insight also shows the number of documents per author in the customizable Chart View, or graphs the total sizes of the files by selecting the Size option. See Figure 7.

Click image to enlarge
Figure 7: Chart View. Click image to enlarge

There's also a "Communication Tracker" and "Communication Report" that visually presents how emails were exchanged between individuals. See Figure 8.

Click image to enlarge
Figure 8: Communication Tracker. Click image to enlarge

REDACTING, PRINTING, AND EXPORTING

Insight fully supports redactions for documents, but you'll need to have permission to do so from the site administrator. Documents must be converted to PDF first before any redactions can be applied. When you click the "Redact" button, you'll need to choose a Redaction Set in which to save the redacted document before continuing. Once you go through all of that, Insight offers a nice set of tools for creating redactions and stamps.

The "Print" option allows you to batch together selected documents as a compiled .pdf or .zip file. This is a tad confusing since this feature doesn't actually send the documents to a local printer, but the tool is an excellent way for support personnel to generate a combined PDF of the selected documents complete with separator sheets and custom PDF bookmarks.

There's also an "Export" feature which allows one to select and download structured information about the documents. You can choose the fields you want included and export them as an Excel file, .csv, Microsoft Word, etc. This is an excellent method for creating a privilege log.

CONCLUSION

I found Catalyst Insight to be blazing fast compared to numerous other review platforms. The Catalyst team promises more tweaks and updates very soon including a process for lawyers to help train the system for predictive coding.

Using Insight makes me believe I've seen the future of how we will search "Big Data." It's not that anything's wrong with our current systems, but the fact that a veteran vendor like Catalyst is looking to new technologies tells me that it may be time for others to start considering other alternatives as well.

PRICING INFORMATION

Prices start as low as $35 per gigabyte that includes project management. There are no separate user fees. Rates are adjusted for larger volumes. Catalyst also offer terabyte rates for corporations and law firms who enter into enterprise agreements.

A browser or device that allows javascript is required to view this content.

Brett Burney is principal of Burney Consultants, where he works with law firms and corporations on managing electronic data for litigation matters. Email: burney@burneyconsultants.com.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

iPad Competition Heats Up

When Apple released its first iPad on April 3, 2010, few lawyers had ever even seen a tablet system much less used one. Three years later, tablets have joined cell phones and notebook computers as the legal community's most popular mobile productivity tools.

Lawyers now use tablets for a wide range of tasks, including Web research, note-taking, book and document viewing, making travel reservations, tracking juries, conducting presentations, checking email and much more. Yet as manufacturers introduce new systems and sell more tablets (market research firm IDC reports a 142.2 percent sales increase in 2013's first quarter as compared to a year ago), it's becoming increasingly difficult for attorneys to sort through all of the offerings to find that "just right" model.

TABLETS TODAY

When Apple released its first iPad, users had to settle for the tablet the late Steve Jobs, thought they needed. Storage capacity — 16GB, 32GB or 64GB — and optional 3G connectivity support were the only major choices buyers could decide. Today, tablet shoppers can choose from a bewildering number of large- and small-screen models from over a dozen makers. Options now include three system platforms — Apple's iOS, Google's Android and Microsoft Windows — different form factors, body textures, screen resolutions, app libraries and many other features, services and attributes.

Since lawyers work in many fields and often have specific needs and preferences, it's impossible to pinpoint any one tablet model that's best for everyone. Do you need a tablet that supports hundreds of thousands of apps? Do you want a unit you can easily hold with a single hand, or a heavier one with a larger 10-inch screen? Would you like pen input support? How about cellular connectivity so you can use your tablet to get online anywhere? The choices go on and on.

To help you in your search for the right tablet, here's a look at the top models.

LARGE-SCREEN TABLETS

Full-size tablets, featuring displays measuring from approximately nine to 11 inches, require users to trade off portability in favor of increased visibility and usability. Large-screen tablets are better business tools than their more compact counterparts, primarily because their bigger displays support more spacious virtual keyboards and present information in easier to read and edit formats. Many large-screen tablets also have more powerful processors and, sometimes, deeper memory, storage and interface resources than smaller-screen models.

Apple iPad (4th Generation, click for image)

Screen Size: 9.7 inches

A browser or device that allows javascript is required to view this content.

Subscribe to Law Technology News

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Thomson Reuters to Acquire Practical Law Company

Image courtesy of Thomson Reuters

Thomson Reuters, a software and information provider to businesses and professionals, announced Thursday that it has signed a definitive agreement to acquire London-based Practical Law Company, which offers legal content and workflow tools to law firms and corporate legal departments in the UK and U.S.

Allison Guidette, managing director of Large Law Firms Segment at Thomson Reuters, said that the acquisition was in response to customer needs — PLC offers customers know-how to meet the practice needs of law firms and corporate legal departments. According to Robert Dow, PLC's chair and co-founder, 80 percent of Am Law 200 law firms and more than 700 corporate legal departments in the U.S. now subscribe to the company's practice materials and resources.

When asked how PLC compares to Lexis Practice Advisor, a legal information resource for transactional lawyers, Guidette said that PLC is broader than transactions, aiming to support all research tasks presented to corporate legal departments and law firms. Ian Nelson, PLC's vice president of Business Development and Marketing, said that although PLC and LPA compete for law firm and corporate legal budgets, PLC offers legal content and workflow tools to accomplish common tasks and transactions for general counsel and law firm practice groups. LexisNexis declined to comment on the acquisition and PLC's competitive position relative to LPA.

PLC provides a wide range of legal content focused on law firm and corporate legal department transactions and tasks for many practice areas from antitrust, commercial, corporate & securities law to employee benefits & executive compensation, environmental, finance, intellectual property, and technology law. PLC's resources within each practice area include:

• Practice notes: how-to guides with explanations ranging from basic overviews to detailed analysis for specialists that link to related content in documents, clauses, checklists, and articles.

• Standard documents with practical drafting notes and negotiating guidance.

• Standard clauses with common contractual clauses and drafting notes.

• Checklists, timelines, and flowcharts of current law and practice.

TEST DRIVE

PLC resources are grouped in a hierarchical arrangement by Law Firm and Law Department. I first drilled down into Law Firm materials, which are partitioned by a number of practice groups: Commercial, Corporate — Securities, Employee Benefits & Executive Compensation, Finance, Intellectual Property & Technology, International Arbitration, Labor & Employment, and Federal Litigation with additional practice areas in Antitrust, Real Estate, and Tax.

Click image to enlarge
Practical Lawyer Company's user interface to the Law Firm materials. Click image to enlarge.

I selected IP & Technology materials and found the top-level user interface is shared among all the practice materials and includes a list of the top five most popular resources accessed by customers or subscribers. Here, the most popular document was a bring-your-own-device to work  (BYOD) policy with drafting notes. In a mouse click, I saved the policy my desktop and opened it in Microsoft Word document. I viewed the policy with the drafting notes, but you can also open the document without the notes and open the notes in a separate document.

Click image to enlarge
PLC's web page for Intellectual Property and Technology Practice Center. Click image to enlarge.

Featured tools on the practice page include What's Market, Cross-border, and Glossary. These tools, along with a search window powered by Google Search Appliance, were available from most all web pages. The What's Market tool includes information on U.S. deals tracked by PLC editors in selected topic areas that includes public merger and private acquisition agreements; initial public offerings and equity offerings; commercial, license, and credit agreements; commitment letters; and executive employment agreements.

A browser or device that allows javascript is required to view this content.

Subscribe to Law Technology News

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here

Thursday, June 20, 2013

Product Review: Encase Forensic 7

Encase Forensic 7.5 software box shot Encase Forensic 7.5
Image: Guidance Software, Inc.

Guidance Software, Inc., makes computer forensics, security, and e-discovery software. The Los Angeles-based digital and e-discovery investigations company upgraded on October 11, 2012, its EnCase Forensic product, which is designed to forensically collect data and conduct investigations. Law firms and legal departments use EnCase to collect, examine, and analyze data for evidence in corporate and government investigations, civil litigation, and criminal trials.

EnCase Forensic can acquire and analyze data from Microsoft Windows, Linux, AIX, Apple OS X, and Sun/Oracle Solaris operating systems. The application supports handling, reviewing, and reporting on potential evidence that includes deleted files, file slack, and unallocated space. EnCase Forensic also makes exact duplicates of original data, which can be verified by hash and Cyclic Redundancy Check values, to transfer evidence to clients, government officials, or outside counsel.

Guidance Software boasts that the latest version of EnCase Forensic, 7.05, processes data three times faster than its predecessor. It does this without overutilizing the CPU, using memory and ample disk cache. The new version lets you select a subset of files from collected data for prioritized processing, so you can view and analyze some potential evidence while EnCase Forensic continues to work on the corpus of a collection. You can view the early results of keyword searches while the application completes the search query in the background and simultaneously view multiple records as well as email threads and related conversations.

Other features included in v7:

• Acquire data from supported smartphones.
• Embed hyperlinks in exported reports.
• Case analyzer can indicate computer activity from the metadata of files collected.

I took EnCase Forensic for a test drive on my Lenovo ThinkPad T520 (dual core Intel i7-2860QM CPU at 2.5 GHz, 8 gigabytes RAM) running Windows 7 (64-bit) operating system, which is recommended by Guidance Software. A separate, external SATA 7200 RPM hard disk for evidence storage is also recommended. I stayed with the internal Intel SSD 320 Series 2.5-inch drive (160 GB) that shipped with my system, which required 425 megabytes of free disk space to install the application.

I found EnCase v7 very usable, without a steep learning curve to create a case, collect evidence, analyze data, and report results.

TEST DRIVE

The EnCase Forensic graphical user interface can't be much easier to use to start a case. One-click access to recent cases are displayed prominently, with case file actions to start a new case and open an existing case just below. See Figure 1.

Click image to enlarge
Figure 1 shows the Encase Forensic graphical user interface. Guidance Software's Windows executable file opens up to a familiar browser-like interface with hyperlinks to begin workflows to open an existing case or start a new case.

When an existing case is selected, the case page becomes the focal point of the UI with context-specific tasks such as add evidence. When you drill down into the evidence of a case, the UI changes to a view to examine evidence in a troika of panes: a hierarchical tree view, a table list view of a selected item in the hierarchy, and a view of discreet evidence selected from the table view. EnCase Forensic uses Oracle Corp.'s Outside In technology to view evidence without the native application installed on the local machine.

I started a new case and a dialog box displayed to enter the case name, case path, and evidence cache locations. To speed the encase.exe program, which is a multithreaded application that calls various modules to accomplish tasks, Guidance Software uses disk cache. So if you want the benefits of the faster EnCase Processor in version 7, I would follow the software maker's advice and use a large, external SATA 7200 RPM hard drive.

After I selected name and file locations for my new case, I clicked OK and the UI changed context to add evidence to the case. I was prompted to choose the type and location of the evidence such as a local device connected to my computer, a raw image file (e.g., FAT32, NTFS, Solaris UFS, HPUX HFS, VMware's VxFS, and Netware), an existing evidence file (an EnCase image file used to store digital evidence acquired from computer memory, a hard disk), a storage volume image, or logical files.

I plugged in a USB thumb drive and selected the new local device for acquisition. I had the option to preview and acquire physical memory used by applications, such as msword.exe as well as the programs that enabled desktop synchronization with Google Drive and Microsoft SkyDrive. Note that if the target device has antivirus software running, the driver used to access memory may destabilize the acquiring machine. So disable any antivirus programs during acquisition. See Figure 2.

Click image to enlarge
Figure 2: EnCase Forensic UI to add a local device to acquire evidence.

After I selected the USB drive and physical memory for specific applications, another dialog box opened to specify metadata for each targeted acquisition. I had to repeat information already produced in the case metadata, such as case number and case examiner. After I filled in the metadata for each acquisition, I kicked off the acquisition process and EnCase Forensic began to acquire the external device and portions of physical memory, using an ample amount of CPU, disk, and memory, but leaving me plenty of resources to engage other activities. See Figure 3.

Click image to enlarge
Figure 3: A view of Windows 7 Resource Monitor while EnCase Forensic acquired evidence from an external drive and physical memory.

ADDING LOGICAL EVIDENCE

After acquiring evidence from an external drive and memory, I directed my attention to a Logical Evidence File that Guidance Software provided for my review. I opened a new case and selected the option to add the evidence file (.ex01). Before I took another step I verified that the acquisition hash made at the time the file was acquired and the verification hash were the same. If not, the file would have been corrupt or tampered with.

The next thing for me to do was to verify that the time zone settings for EnCase Forensic matched the time zone settings for the evidence file. This is another opportunity for automation, as I had to traverse registry settings in the evidence file to ferret the information out. I mounted the appropriate Windows Registry file to view the time zone of the source of the evidence file. I noted that I could mount a file for viewing and calculate the unallocated space as well as find deleted content.

After I viewed the file structure (i.e., mounted the appropriate Registry file), I found that the evidence was gathered from a source using Pacific Standard Time. I changed the time zone setting in EnCase Forensic to match that.

ENCASE EVIDENCE PROCESSOR

Before processing the evidence file, I knew that I wanted to index the evidence and exclude information that would not be evidence, i.e., National Institute of Standards Technology's National Software Registry Library Reference Data Set (version 2.38). From the EnCase Forensic tools menu, I clicked Manage Hash Library and pointed the library laid out on my local disk. Then I selected the evidence file and clicked "Process Evidence" from the menu. A dialog box opened up.

I enabled "Recover Folders," which allowed me to recover files that were deleted or corrupted and to locate hidden files on FAT and NTFS volumes. I also enabled Hash analysis, which allowed me to create MD5 or SHA1 hash values to compare to other evidence in other files, if the need arose. Double clicking on "Hash Analysis" opens another dialog box to select MD5 or SHA1 or both.

Click image to enlarge
Figure 4. EnCase Forensic options to process evidence files.

I opted to expand compound files, i.e., extract archive files, and find internet artifacts that included browser bookmarks and history. The options to index text and metadata included setting a maximum word length (default = 64 characters) and exclude all files in the Hash Library. I opted to include private information and load a number of keywords to index.

Other processing options included the ability to collect custom registry keys on Windows systems (System Info Parser); recover instant messages from AOL, MSN, and Yahoo messengers (IM Parser); find file fragments, file slack, and unallocated file space (File Carver); and collect contents of Windows event logs (Windows Event Log Parser). Once I set the processing options, I saved them to a configuration file (*.EnProc) to reuse them on other evidence files and clicked OK to process the .ex01 file.

Once processing was complete, I pulled down the "View" menu and selected "Search." A Search tab opened up with pull-down menus for search conditions, filters, a function to load saved searches, and features to bookmark and tag files.

I viewed my keyword hits in one click from the key icon available from the search menu. The results displayed the number of files that contained a keyword and the number of times a keyword appeared in the entire collection. The file custodian's name, "Tyler," appeared in the most items and had more hits than any other keywords, which listed persons of interest in the case. The next highest was "John," so I searched with the word "John" (227 hits, 136 items). I combined the search terms ("John AND Tyler") and narrowed my search to 53 documents. I found a few documents and emails worth returning to. I highlighted those files and clicked "Go To" and the UI changed to the logical location of the file in the file system. I bookmarked these files and right-clicked them to "Find Relevant" files by name and see threaded email conversations.

The case file template that I had been working with since identifying my case as a "forensic" investigation came with default tags to mark files for "Review," "Add to Report," "Follow Up with Submitter," "Ignore," and "Important." I added a "Privilege" tag. Then I took an email message from a search of "John OR Tyler" with a subject matter of "Still in Business" and searched for the email conversation. I selected all the files from the search result showing the conversation and tagged them privileged.

SMARTPHONE ACQUISITION

I plugged my Droid Bionic (System 6.7.246.XT875) running Android version 4.0.4 into the Lenovo ThinkPad used for this review. Per Guidance Software, I set Android security to allow unknown sources to run on the device and enabled USB debugging. After a couple of starts and stops, I received the message that EnCase Forensic 7 does not yet support the OS on my platform. Drat.

I loaded into my case an example evidence file from Guidance Software that was captured from an HTC EVO 4G running Google Android. Once loaded, the smartphone acquisition was saved into an evidence file for EnCase Forensic to process, analyze, and search the evidence like any other evidence file acquisition. And I did not need any additional hardware devices or software.

With two evidence files loaded into my case, I simultaneously searched both files and my results window reflected hits from both files. In addition to the universal search, placing the two evidence files in the same case also allowed me to tag files of interest from both files and relate them in a report. Analyzing multiple evidence files can be complex, but EnCase Forensic streamlines finding hits in files.

From a table view of search results, I viewed individual items in "Transcript" view, which provides the plain text version of content. Rather than using the "Find" and "Find Next" functions to search for hits in the file, I clicked on "Compressed View" to only see the hit highlights in the file context. Clicking on the "Next Item" button (or "Previous Item" button) scrolls through my search results quickly to find and review hit highlights. See Figure 5.

Click image to enlarge
Figure 5. EnCase Forensic "Compressed View" option to speed through views of hit highlights from a table list of search results.

If I am the only member of my team with EnCase Forensic, I will want to make evidence available for review without everyone looking over my shoulder. Guidance Software developed the "Review Package" option to package up potential evidence for an outside reviewer. I selected a number of images from a filtered view of two logical evidence files. From the Search tab menu "Review Package," I selected "Export" and a dialog box opened for me to package up the selected items and choose the metadata to attend the items in a list view provided by an HTML application file (.hta), which can only be viewed in Internet Explorer. See Figure 6.

Click image to enlarge
Figure 6. This image shows how to export evidence from EnCase Forensic using the "Review Package" tool to enable outside review and comments. (See an image of the resulting .hta file here.)

At any time during my investigation, EnCase Forensic includes reporting options available from a report template that details the investigation and examination of individual file types such as email, internet artifacts, documents, and photographs.

CONCLUSION

Guidance Software has made it easy for an EnCase Forensic v7 to collect, process, analyze, and report forensic evidence from computer and smartphone sources. Without formal training, I feel confident that I can use new version to forensically collect and process evidence for trial. But looking at the 500-plus pages of the user guide, I have barely scratched the surface of EnCase Forensic.

PRICING INFORMATION

EnCase Forensic version 7 starts at $3,495 with volume discounts available.

A browser or device that allows javascript is required to view this content.

Attorney Sean Doherty is LTN's technology editor.

You must be signed in to comment on an article

Sign In or Subscribe
">

View the original article here