Microsoft®U.S. National Security Team White Paper
Establishing the Foundation of Authenticity
for Electronically Stored Information:
Strategies Using Microsoft Technologies
Produced by the Microsoft U.S. National Security Team
Authored by Debra Littlejohn Shinder and Mike Wolfe, Strategic Security Advisor
About the U.S. National Security Team (NST)
The US National Security Team is composed of strategic security advisors who work with
Microsoft customers, partners, MS internal constituencies and the information security industry to
promote the adoption of security processes and technologies. Its goal is to assist customers and
partners to increase their security awareness and implementation to create more secure
businesses, mitigate risk, and make security costs more effective. Its activities are informed by
three simple tenets: protect the consumer, secure the enterprise and enable developers to write
secure code.
As part of its mandate, in addition to producing white papers such as this one, the NST is
responsible for developing and executing security-focused events and Security Round Tables
across Microsoft's U.S. geographies. These events include the annual CSO Summit, which provides
formal feedback to business groups, security industry updates from leading analysts, peer
perspectives on security management from MSIT, and updates on the latest initiatives and
industry trends in enterprise security.
The NST also focuses on driving vertical security solutions for a wide range of industries. To this
end, the NST has produced a variety of white papers that address the specific security needs of
particular industries, such as the professional services and financial services industries.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of
the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Forefront, Antigen, Excel, SharePoint, Windows, Windows Server System, and the Windows Server System logo are
either registered trademarks or trademarks of Microsoft Corporation or Sybari Software, Inc. in the United States and/or other
countries. Sybari Software, Inc. is a subsidiary of Microsoft Corporation.
All other trademarks are property of their respective owners.
Contents
Executive Summary.............................................................................................................................. 1
Overview: The Laws of Digital Evidence ........................................................................................... 2
Federal Rules of Evidence ........................................................................................................................................... 2
Federal Rules of Civil Procedure ............................................................................................................................... 2
Other E-Discovery Rules .............................................................................................................................................. 3
Chain of Custody ............................................................................................................................................................ 4
Admissibility of Digital Evidence ....................................................................................................... 5
Purpose and form of evidence .................................................................................................................................. 5
Standards for admissibility ......................................................................................................................................... 5
Preservation ...................................................................................................................................................................... 5
Documentation................................................................................................................................................................ 6
Establishing Authenticity .................................................................................................................... 7
Electronic Data Lifecycle .............................................................................................................................................. 7
Types of Digital Evidence ............................................................................................................................................ 8
Contracts and Other Documents ......................................................................................................................... 8
Email and Other Written Communications...................................................................................................... 9
History, Log and Cache Files ............................................................................................................................... 10
Database Entries ....................................................................................................................................................... 10
Digital Photographs, Video and Audio Files ................................................................................................. 10
Metadata ..................................................................................................................................................................... 10
Electronic Evidence (E-Discovery) Process.......................................................................................................... 11
Common Authenticity Scenarios ..................................................................................................... 12
Scenario #1 ..................................................................................................................................................................... 12
Scenario #2 ..................................................................................................................................................................... 12
Scenario #3 ..................................................................................................................................................................... 12
The Authenticity Framework ............................................................................................................ 13
Laying the Foundation: Data Creation and Classification ............................................................................ 13
Ongoing Diligence: Data Storage and Retention ............................................................................................ 14
Discovery Response: Data Management and Production ............................................................................ 14
Using Microsoft Technologies ......................................................................................................... 15
Microsoft Office System Technologies ................................................................................................................ 16
Digital Signatures..................................................................................................................................................... 16
Document Encryption ............................................................................................................................................ 16
Information Rights Management ...................................................................................................................... 17
S/MIME in Outlook .................................................................................................................................................. 17
Other Security Mechanisms ................................................................................................................................. 17
Windows Vista/ Windows Server 2008 Technologies .................................................................. 18
The NTFS File System .................................................................................................................................................. 18
Encrypting File System ............................................................................................................................................... 18
Network Access Protection ....................................................................................................................................... 19
Rights Management Services .................................................................................................................................. 19
Certification Services/Public Key Infrastructure................................................................................................ 19
Search Technology in Windows Vista and Windows Server 2008 ............................................................ 20
Microsoft Networking Technologies .............................................................................................. 21
Internet Protocol Security (IPsec) ........................................................................................................................... 21
Virtual Private Networking (VPN) ........................................................................................................................... 22
ISA Server/IAG ............................................................................................................................................................... 22
Forefront Security ......................................................................................................................................................... 22
Data Protection Manager .......................................................................................................................................... 23
Windows Storage Server ........................................................................................................................................... 24
SharePoint Services/Office SharePoint Server 2007 ....................................................................................... 24
Search Server 2008 ...................................................................................................................................................... 24
Exchange .......................................................................................................................................................................... 24
SQL Server ....................................................................................................................................................................... 25
Office Communications Server/Live Communications Server .................................................................... 25
Microsoft Identity Integration Server/Identity Lifecycle Manager Server .............................................. 26
Mobile Data Protection Technologies .................................................................................................................. 26
Summary ............................................................................................................................................. 27
Executive Summary
Organizations today are under increasing scrutiny from governmental and quasi-governmental
agencies. Many highly regulated industries are subject to regulatory, tort and criminal law to a greater
degree than ever before. Failure to comply with laws and regulations can be expensive or even
devastating.
If a company becomes involved in a legal case, business records can be seized or subpoenaed as
evidence. Most organizations store their records in electronic format, which can present unique
problems when it comes to collecting, preserving, managing and presenting evidence at trial.
The legal landscape is changing to reflect and address these issues. Revisions to the Federal Rules of
Civil Procedure that took effect in December 2006 clarified that electronically stored evidence (ESI) is
subject to the discovery process. This includes not only the primary data, but metadata as well.
Although the FRCP applies only to federal civil proceedings, other courts are following suit and
adopting rules aimed specifically at ESI.
Before either party in a lawsuit or criminal trial can use evidence, it must be deemed admissible by a
judge. Admissibility hinges on many factors, including relevance, materiality and authenticity.
Authenticity often comes into question with digital evidence because it is less tangible than traditional
physical evidence.
Unlike a printed document, data stored on a computer’s hard disk, flash memory card or other
electronic media consists of a series of magnetic markers that represent 1s and 0s (the binary or
machine-readable data), which in turn represent the characters we read on the screen. One cannot
assume that the digital content, the creator identity or other attributes of unprotected documents are
authentic. Without special measures for permission, it’s easy to delete or add content, spoof the
document’s origin, and even modify file attributes such as the timestamp. In legal terminology, the
destruction or alteration of evidence in pending or potential litigation is called spoliation.
In criminal cases, law enforcement officers must follow strict chain-of-custody rules in handling
evidence, but these rules do not deflect questions that can arise about how a document was created
and handled before it was submitted as evidence. Although the science of computer forensics can
detect many forms of tampering with ESI, the lack of indications does not prove that evidence is
authentic. For example, a file can show no signs of being altered, yet someone other than the person
shown as the author may have created it.
To prove their cases, companies involved in litigation, accusations of criminal conduct or investigation
of possible regulatory violations must demonstrate that the evidence they want to introduce to support
their positions is authentic – and thus admissible.
This guide will provide a brief overview of the law and concepts regarding admissibility of digital
evidence at trial, and requirements for establishing authenticity. We also will explain how to use
Microsoft server, client and networking technologies to lay the foundation for establishing authenticity
based on common evidentiary scenarios.
The information in this document is not intended as legal advice.
Overview: The Laws of Digital Evidence
No single definitive law governs digital evidence. The rules can vary from nation to nation, and state to
state. Rules of evidence differ in civil and criminal proceedings within the same state, while federal rules
apply to cases in the federal court system.
To determine the specifics of the laws of evidence as they pertain to a particular case, you first should
establish jurisdiction, which refers both to the geographic location and the body of law (criminal, civil or
regulatory).
Despite the lack of one overriding body of law applicable to all cases involving electronic evidence,
some general guidelines apply in most jurisdictions. In the United States, many guidelines are based on
the Federal Rules of Evidence (FRE).
Federal Rules of Evidence
Formally established by the U.S. Congress in 1975, the FRE were revised most recently in 2006. The rules
define the criteria for admission and presentation of evidence in the federal court system. Many states
also use the FRE as a model for their own rules of evidence. The rules grant much discretion to trial
judges to admit or exclude evidence based on opposing parties’ arguments.
Article X of the FRE governs the admissibility of the contents of writings, recordings and photographs.
Rule 1001 clearly includes digital evidence by defining writings and recordings as “letters, words or
numbers, or their equivalent, set down by handwriting, typewriting, printing, photostating,
photographing, magnetic impulse, mechanical or electronic recording, or other form of data
compilation.” The rules do not differentiate, however, between digital and other written evidence.
Article IX of the FRE addresses authentication and identification of evidence. Rule 901 broadly defines
the requirement of authentication or identification as a condition precedent to admissibility that is
“satisfied by evidence sufficient to support a finding that the matter in question is what its proponent
claims.” This generally leaves it up to the judge to determine whether a piece of evidence is authentic –
and leaves it up to the party seeking to introduce the evidence to convince the judge that the
requirement has been met.
Prior to adoption of the FRE, the “best evidence rule” required the production of original documents.
With digital evidence, however, a copy can be difficult to distinguish from an original. The FRE relaxes
this requirement if the original is lost, destroyed or cannot be obtained. It also specifies that if data is
stored in a computer or similar device, “any printout or other output readable by sight, shown to reflect
the data accurately, is an original.”
Federal Rules of Civil Procedure
As its name implies, the Federal Rules of Civil Procedure (FRCP) only apply to civil (not criminal) actions
brought in federal district courts. Companies are more likely to face civil litigation than criminal charges
for product liability cases, contract disputes and various regulatory actions. In an increasingly litigious
society, the risk of a civil lawsuit increases. Stricter governmental regulations also place organizations at
a greater risk of civil action over non-compliance.
Approved by Congress after being promulgated by the U.S. Supreme Court, the FRCP governs
procedural rather than substantive issues. On December 1, 2006, new rules relating specifically to
electronic evidence took effect under Chapter V, which addresses rules of the discovery process.
Discovery in this context refers to how parties to a civil proceeding seek to obtain relevant information
from the opposing party and/or third parties.
The new rules create a new category of evidence for ESI that includes metadata, rather than including
metadata in the category of “documents.” The requesting party has the right to select the format in
which ESI is produced. To satisfy discovery requirements, the responding party usually must do more
than simply submitting a printed copy or scanned image.
Now the emphasis is to produce files in their native format, such as a Word document’s .DOC or .DOCX
file. Native formats can contain hidden data in the form of metadata (data about the data). An
important change to Rules 26 and 34 makes the authenticity of the metadata an issue as well by
clarifying that metadata is subject to discovery in the same manner as the primary data it describes.
Although the changes to the FRCP impose new burdens on businesses, the news is not all bad. Rule
37(f) creates a “safe harbor” provision that decreases the likelihood of severe penalties for deletion of
ESI in the course of routine operations (such as policy-based automated deletion) as long as the
company operated in good faith.
Other E-Discovery Rules
In addition to the FRE and FRCP, a number of U.S. District Courts have enacted local rules governing
discovery of electronic evidence. Such rules may address preservation requirements for potential digital
evidence once custodians have received notification of litigation or a “litigation hold” imposed by the
court.
Typical rules require, as part of the litigation-hold process, some or all of the following:
Categorization (nature and types) of potentially discoverable electronic evidence
Relevancy of electronic evidence to claims and defenses in the case
Determination of key persons with custody of and/or control over potentially discoverable
electronic evidence
Determination of where potentially discoverable electronic evidence is likely to be stored (including
copies, backups and archives)
How potentially discoverable electronic evidence should be preserved (transfer to read-only media,
isolation of data and other measures to protect against modification or deletion, and
restrictions on installation of new software, running maintenance programs, purging deleted
data, and other actions that could threaten the existence or integrity of potentially discoverable
evidence)
Assignment of persons responsible for compliance
Failure to comply with rules of discovery can be expensive. Although it was later overturned on appeal,
a $1.5 billion judgment was issued against Morgan Stanley in favor of Ronald Perelman in large part
due to the company’s inability to produce electronic evidence requested by Perelman’s attorneys
(Coleman v. Morgan Stanley). The case also resulted in a regulatory investigation that was resolved by
Morgan Stanley’s agreement to pay $15 million in fines.
Chain of Custody
In criminal law, the chain of custody is a vital part of validating the integrity of evidence. Law
enforcement agencies have strict policies and procedures for documenting how, when, why and by
whom evidence is handled at every step from its collection to preservation in court. The chain of
custody is designed to prevent opportunities to tamper with or change the evidence. Original ESI is
designated “hands off,” and forensics investigators work off exact, bit-level copies in examining
evidence.
While it’s unlikely that ESI is handled as meticulously in civil actions before or after discovery, your
capacity to provide complete documentation of the chain of custody will make it easier to establish
authenticity of digital evidence.
Admissibility of Digital Evidence
Admissibility of digital evidence depends on several factors, including:
The purpose and form of the evidence
The standard of admissibility applied by the particular court
Preservation of the evidence
How well the preservation is documented
Purpose and form of evidence
The purpose and form of a particular piece of evidence can determine standards of admissibility:
Real evidence – a physical object involved in a case (a murder weapon, written contract or trace
evidence such as carpet fibers or gunshot residue)
Demonstrative evidence – a representation of an object, such as a photograph, video or sound
recording
Documentary evidence – information preserved in a form of media, including paper documents,
photographs, sound recordings or ESI
Traditionally, documentary evidence cannot stand on its own but must be authenticated by testimonial
evidence (a witness who can affirm its authenticity). For example, the author of a report testifies that the
document represents what she wrote originally, or a photographer declares that his image was not
altered in any way.
Standards for admissibility
Admissibility tests for scientific evidence have evolved over the years. Common standards include:
The Frye standard (1923), also known as the “general acceptance test,” which says the results of
scientific tests are admissible if the method has general acceptance in the relevant field
The Marx standard (1975), sometimes called the “common sense” test, which requires that the
technique and results be explained simply and clearly so that a jury can understand it
The Daubert standard (1993), which requires special pre-trial hearings that lay out rules on validity
and reliability
The representational accuracy standard, which states that the output of data stored by a computer
or similar device, if shown to reflect the data accurately, is considered admissible as an original
Preservation
Digital evidence is much more easily lost or changed than other types of evidence. Thus evidence
preservation takes on utmost importance. In criminal cases, forensics specialists work off bit-level copies
of the evidence – instead of the original – to prevent changes, inadvertent or otherwise.
Every contact with evidence has the potential to change it, and with digital evidence, merely accessing it
can change properties such as the timestamp and other important metadata. Alteration of metadata
may or may not affect the admissibility of the substantive data, depending on its relevance. For
example, if a file’s modification date is material to issues in a case, then alterations to the timestamp
could impact the file’s admissibility.
Because of its more fragile and volatile nature, digital evidence does not enjoy the same level of
presumption of authenticity as more tangible evidence. To lay the proper foundation for establishing
authenticity, you should take the necessary steps to preserve and ensure the integrity of digital data
long before it becomes subject to the legal process. This requires reliable documentation.
Documentation
In court cases such as Bouriez v. Carnegie Mellon University (Western District of Pennsylvania), electronic
evidence – in this case, email – was excluded when its authenticity was challenged, even without clear
evidence that the emails were not authentic. Thus admissibility may hinge upon documentation that can
show the authenticity of the digital evidence.
Documentation requires an accurate and reliable detailed logging procedure. Sworn affidavits,
depositions, and/or direct testimony at trial from witnesses with knowledge of the process and controls
also are building blocks for establishing authenticity of digital evidence and supporting documentation.
Establishing Authenticity
Authenticity is a key factor in admissibility of digital evidence, as case law has made clear. In AmEx v.
Vinhnee (2005), the trial judge prohibited American Express from entering its electronic business records
into evidence because the company failed to authenticate them adequately. The court determined that
the company should have provided information about access controls, computer policies, logging of
changes to data, and system control and backup procedures. AmEx subsequently lost its appeal
because it could not submit the evidence. The decision established a requirement that parties must
prove authenticity before ESI can be admitted as evidence.
In Lorraine v. Markel (2007), electronic documents on which the case hinged were excluded from
admission due to lack of authentication. “The primary authenticity issue in the context of business
records is on what has, or may have, happened to the record in the interval between when it was placed
in the files and the time of trial,” the judge noted.
Procedures and guidelines for establishing authenticity depend on various factors, including the
category in which the evidence falls and how it was created, stored, used, retained and disposed of (if
applicable). Organizations should examine each factor separately for every item of digital evidence.
Electronic Data Lifecycle
The foundation for proving authenticity of digital evidence rests on the ability to account for who could
access and control the data during each step of the electronic lifecycle, from creation to retention
and/or disposal. The steps for proving authenticity include:
Creation – Identify who created the file and when it was created (This information is typically part of
the metadata embedded in the file.)
Storage – Show where the file was stored (physical location and logical file path) and who had
access to it during storage
Use – Identify everyone who used the file (viewed, edited, copied, forwarded or otherwise
interacted with it) and when
Retention – Document the file retention process, including backup
Disposal – Demonstrate compliance with applicable policies and company practices for any deleted
file or metadata
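As an added example that is not part of the white paper or any Microsoft product, the following Go program shows one way to implement the documentation called for in the Chain of Custody and Preservation sections and in the lifecycle steps above: every handling event records the lifecycle stage, the handler, the action and the SHA-256 hash of the item as held; the entries are hash-chained so that editing or reordering a record breaks the chain; and verification compares the final entry to an anchor held outside the system (assumed here to be a signed register) and the bytes being produced today to the last recorded hash. The handler names, timestamps and contract text are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CustodyEvent is one documented contact with an evidence item: the lifecycle
// stage, who handled it, what they did, when, and the SHA-256 of the item as held.
type CustodyEvent struct {
	Seq       int
	Stage     string // creation, storage, use, retention or disposal
	Actor     string
	Action    string
	Timestamp string // RFC 3339 text taken from the recording system's clock
	ItemHash  string // hex SHA-256 of the evidence bytes at this event
	PrevEntry string // EntryHash of the preceding event ("" for the first)
	EntryHash string // SHA-256 over all fields above; the next event commits to it
}

func hashBytes(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// entryDigest binds every field of an event, so editing any field or reordering
// entries changes the value the following entry was chained to.
func entryDigest(e CustodyEvent) string {
	s := fmt.Sprintf("%d|%s|%s|%s|%s|%s|%s",
		e.Seq, e.Stage, e.Actor, e.Action, e.Timestamp, e.ItemHash, e.PrevEntry)
	return hashBytes([]byte(s))
}

// CustodyLog is an append-only list of events for one evidence item.
type CustodyLog struct{ Events []CustodyEvent }

// Record appends an event, hashing the bytes the handler actually held.
func (l *CustodyLog) Record(stage, actor, action, ts string, item []byte) CustodyEvent {
	prev := ""
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].EntryHash
	}
	e := CustodyEvent{Seq: len(l.Events) + 1, Stage: stage, Actor: actor,
		Action: action, Timestamp: ts, ItemHash: hashBytes(item), PrevEntry: prev}
	e.EntryHash = entryDigest(e)
	l.Events = append(l.Events, e)
	return e
}

// Verify checks the log against an anchor (the final EntryHash as recorded
// outside the system, e.g. in a signed register) and against the item being
// produced now. It returns the sequence numbers of events at which the item's
// hash changed: each one is a change the documentation must account for.
func (l *CustodyLog) Verify(anchor string, produced []byte) ([]int, error) {
	if len(l.Events) == 0 {
		return nil, errors.New("empty custody log")
	}
	var changed []int
	prev := ""
	for i, e := range l.Events {
		if e.Seq != i+1 {
			return nil, fmt.Errorf("entry %d: sequence gap or reordering", i+1)
		}
		if e.PrevEntry != prev {
			return nil, fmt.Errorf("entry %d: does not chain to its predecessor", e.Seq)
		}
		if entryDigest(e) != e.EntryHash {
			return nil, fmt.Errorf("entry %d: fields altered after recording", e.Seq)
		}
		if i > 0 && e.ItemHash != l.Events[i-1].ItemHash {
			changed = append(changed, e.Seq)
		}
		prev = e.EntryHash
	}
	last := l.Events[len(l.Events)-1]
	if last.EntryHash != anchor {
		return nil, errors.New("log does not match the externally recorded anchor")
	}
	if hashBytes(produced) != last.ItemHash {
		return nil, errors.New("item produced now differs from the last custody record")
	}
	return changed, nil
}

func main() {
	// Constructed sample evidence standing in for two versions of a contract file.
	v1 := []byte("Services Agreement: Contoso delivers 500 units by 2008-06-30.")
	v2 := []byte("Services Agreement: Contoso delivers 600 units by 2008-06-30.")
	var log CustodyLog
	log.Record("creation", "a.author@example.com", "created contract.docx", "2008-01-15T09:12:00Z", v1)
	log.Record("storage", "fs01", "stored at \\\\fs01\\legal\\contract.docx", "2008-01-15T09:13:02Z", v1)
	log.Record("use", "b.editor@example.com", "edited quantity clause", "2008-02-03T14:40:19Z", v2)
	last := log.Record("retention", "backup-agent", "written to tape set T-0412", "2008-02-04T01:00:00Z", v2)
	anchor := last.EntryHash // in practice copied into a signed daily register

	changed, err := log.Verify(anchor, v2)
	fmt.Println("changes to account for:", changed, "error:", err)
	_, err = log.Verify(anchor, v1) // producing a stale copy
	fmt.Println("stale copy:", err)
	log.Events[2].Actor = "someone.else@example.com" // editing a record after the fact
	_, err = log.Verify(anchor, v2)
	fmt.Println("edited log:", err)
}
```

The anchor is the important design choice: a hash chain on its own can be recomputed by anyone who can edit the log, so the final entry hash has to be recorded somewhere the log's custodians cannot silently change (a signed register, a separate system, a witnessed printout). Likewise, the timestamps are only as trustworthy as the clock and the access controls on the system that wrote them, which is exactly the kind of control the court in the AmEx case expected a party to be able to describe.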
Types of Digital Evidence
In its most basic form, all digital evidence consists of binary data (1s and 0s). In its user-accessible
format, digital evidence comes in many forms, each of which is created, stored and handled in different
ways, even within specific categories.
Some broad categories of digital evidence include:
Contracts and other documents
Email and other written communications
History, cache and log files
Database entries
Digital photographs, video and audio files
Metadata
Contracts and Other Documents
Word processing and text files, spreadsheets and slide presentations are various types of documents
that may constitute evidence. Storage options include:
Hard disks of local computers or servers
Network storage devices
Removable media such as USB drives, flash memory cards or floppy disks
Portable devices such as PDAs, smartphones and MP3 players
Backup media such as tape, CD or DVD
In civil lawsuits, contracts that have been created, signed and stored in electronic form are one of the
most common types of digital evidence. In the U.S., the Electronic Signatures In Global and National
Commerce (e-Sign) Act of 2000 establishes requirements for businesses that use digital records and/or
digital signatures for consumer transactions. When those requirements are met, electronic signatures
have the same legal effect and validity as handwritten signatures. To read the full text, visit the
Government Printing Office website at:
http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf.
Digital signatures are based on digital certificates, utilizing a Public Key Infrastructure (PKI) that uses a
pair of two mathematically related keys for signing and encryption. A user signs the document with the
private key, and anyone holding the associated public key can then verify that signature.
Documents other than contracts also can contain digital signatures to ensure:
Document integrity: If someone makes changes to a document after it is signed, the digital
signature will be invalidated. This assures the sender and recipient that no one tampered with
the document’s content between signing and receipt.
Sender/creator authenticity: Digital signatures use a PKI, a public/private key pair in which the
private key is bound to a specific person, to assure the recipient that the person associated with
the key and signature did, in fact, sign the document.
Non-repudiation: A person cannot repudiate (disclaim responsibility for) a particular signed
document without repudiating the signature key, thus invalidating all documents signed with
that key.
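The three properties just listed, shown in an added Python example that is not from the white paper or from any Microsoft product: a minimal RSA signature over a SHA-256 digest with a self-generated toy key pair (no certificate and no PKCS#1 padding, unlike Office's XMLDSig signing), using the "new" versus "refurbished" wording of Scenario #1 as the constructed contract text.

```python
"""Added illustration of document integrity, signer authenticity and
non-repudiation with a textbook RSA signature. Key size, padding and
certificate handling are deliberately simplified; production signing
(Office XMLDSig, S/MIME) uses a CA-issued certificate and PKCS#1 padding."""
import hashlib
import secrets
from dataclasses import dataclass


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite for sure
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so n = p*q has full length."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class KeyPair:
    n: int      # public modulus
    e: int      # public exponent
    d: int      # private exponent: never leaves the signer


def generate_keypair(bits: int = 512) -> KeyPair:
    """Toy key size for speed; real deployments use 2048-bit keys or larger."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:                # e is prime, so gcd(e, phi) == 1
            return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def _digest(document: bytes) -> int:
    """SHA-256 of the document as an integer (256 bits, always below n)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, key: KeyPair) -> int:
    """Signer side: hash the document, then apply the private exponent."""
    return pow(_digest(document), key.d, key.n)


def verify(document: bytes, signature: int, n: int, e: int) -> bool:
    """Verifier side: needs only the public key (n, e) and recomputes the hash."""
    return pow(signature, e, n) == _digest(document)


def demo() -> dict:
    """Constructed contract text modelled on Scenario #1 of the paper."""
    contract = b"Seller warrants that the goods delivered are new."
    seller = generate_keypair()
    signature = sign(contract, seller)
    # Integrity: a one-word change after signing invalidates the signature.
    tampered = contract.replace(b"new", b"refurbished")
    # Authenticity / non-repudiation: the signature verifies under the seller's
    # public key only; disowning it means disowning every document signed with it.
    someone_else = generate_keypair()
    return {
        "original_verifies": verify(contract, signature, seller.n, seller.e),
        "tampered_verifies": verify(tampered, signature, seller.n, seller.e),
        "other_key_verifies": verify(contract, signature, someone_else.n, someone_else.e),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```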
A companion white paper titled Electronic Signature Assurance and the Digital Chain of Evidence –
Executing Admissible Digitally Signed Records provides more information about the authentication and
admissibility of digital signatures.
To establish the authenticity of documents that do not contain digital signatures, you must prove that
the document was secured against unauthorized access or tampering during each step of its lifecycle.
(See the section below titled Electronic Document Lifecycle.)
Email and Other Written Communications
Informal electronic communications also can contain information that the prosecution or defense can
submit as evidence in criminal, civil or regulatory proceedings. Because email, instant messages and
online chat content tend to be composed “on the fly” and sent without editing, they often provide
evidence that would not be found in more formal documents.
Although email messages can contain digital signatures, the vast majority of messages sent over the
Internet and corporate networks are unsigned. This requires organizations to establish the authenticity
of messages without digital signatures based on other criteria, depending upon how the messages are
created, sent, received and stored.
An email message, for example, is created through either:
A traditional email client program on a desktop or laptop computer
A mobile email program on a Smart Phone or PDA
A web browser and web mail service
Likewise, email messages can be stored on a corporate email server such as an Exchange server, on the
recipient’s local machine when using POP mail, or on a web service’s server. Instant messages and chat
conversations can be stored in log files on a participant’s local machine (if the client software is
configured to log sessions), in server logs (with the appropriate monitoring software deployed) or
perhaps captured by packet sniffers (protocol analyzers) while in transit across the network.
To establish authenticity, an organization must prove that it took the necessary measures to prevent
unauthorized access or tampering with content, headers and the attributes of message data during
transit between sender and recipient, and in storage.
History, Log and Cache Files
Information stored in history, log and cache files can become evidence pertinent to a criminal, civil or
regulatory proceeding, sometimes without the knowledge of the computer user whose actions
generate that information. Internet Explorer or other browser history files, if not purged, contain an
evidence trail pertaining to websites that a user has visited. Other examples include the logs of firewalls
such as ISA Server, or the output of other monitoring software.
Database Entries
Information stored in databases, such as those on a SQL server, also can constitute evidence pertinent
to criminal or civil actions. Such databases also can contain customer or client information that could be
subject to regulatory control (HIPAA, GLB, etc.). Because the security of the database itself may be at
issue, an organization could face the burden of proving that it took the necessary measures to preserve
the data’s integrity and protect confidentiality.
Digital Photographs, Video and Audio Files
Multimedia files such as digital photographs, video recordings and sound recordings generally provide
documentary (as opposed to demonstrative) evidence at trial. For example, modern VoIP voicemail
systems send audio recordings of voicemail messages to the VoIP user’s email inbox. These messages
are stored as .wav or other sound files along with other email attachments, either on the mail server, the
user’s local hard drive or on the VoIP system server, which is accessed through a web interface.
Other examples in this category include video recordings made by security surveillance systems that
indicate criminal activity or digital photographs that are offered to support or negate accusations of
breach of contract in a civil lawsuit.
The authenticity of digital photos, videos and audio files often faces challenges in court because
popular editing software makes it easy to alter digital images, cut or rearrange sequences in a video
recording, or change an audio file by deleting part of it or rearranging individual words and phrases to
piece together a totally different conversation.
Metadata
Metadata defines the primary data’s properties and attributes, such as the creation and modification
dates, author, file size and revision number, and so forth. The metadata can contain important
information for establishing the authenticity of the file, such as digital signatures and audit trails.
Application metadata is embedded in the file along with the primary data. A software application can
add metadata to the file automatically, or a user can add it manually. Windows Vista and other modern
operating systems make it easy to add, delete or change application metadata information.
Metadata is hidden within a file and generally not displayed when you view a document or photograph,
unless the user enables viewing. In Microsoft Word, for example, you can track your changes and
comments while editing, and highlight them on the screen and/or in a printed document. Some types of
files contain very detailed metadata. Digital cameras, for example, can record specific attributes for each
photo, such as aperture and shutter speed, ISO settings and focal length of the lens.
System metadata is stored separately and doesn’t remain with the file when it is copied. This makes it
more challenging to modify information such as the location and path of the stored file, the creation
date, modification date, etc. Organizations may need to hire a computer forensics expert to find and
review the metadata.
Electronic Evidence (E-Discovery) Process
Discovery is the process of requesting (or demanding) evidence from the opposing party in a legal
proceeding, locating or producing the evidence, securing it, examining it for relevance, and
documenting its authenticity prior to presenting it to the court.
Automated searches can enable organizations to examine digital content and metadata for relevance
and authenticity. Typically in criminal cases, and sometimes in civil proceedings, computer forensic
experts are hired to locate, identify and examine digital evidence. These specialists are trained to
conduct a thorough examination of the contents of hard drives, removable storage media and even
volatile random access memory (RAM). They use specialized software tools to recover evidence that isn’t
apparent, such as deleted files that were not yet overwritten.
Common Authenticity Scenarios
Consider the following common scenarios in which the ability to show authenticity of evidence can
make the difference between:
Exoneration rather than a guilty verdict resulting in fines (for corporate defendants) or
imprisonment (for individual defendants) in a criminal prosecution
Found not liable rather than liable and subject to civil monetary penalties or injunctions as the
defendant in a lawsuit
Receiving nothing rather than granted monetary awards or other compensation as the plaintiff in a
lawsuit
Found in compliance rather than subject to fines and other penalties for violations of regulatory
statutes or administrative rules
The following scenarios illustrate the importance of proving the authenticity of digital evidence.
Scenario #1
A wholesale company has been accused of deceptive business practices under state law. It was charged
with misrepresenting products it sold to another company as being new when they were, in fact, rebuilt
or reconditioned. The buyers filed a complaint with local law enforcement officials and produced a
printed copy of a letter from the wholesale company’s sales representative. The letter contains language
implying that the products are new.
An examination of the wholesale company’s electronic records showed that the original letter contained
a paragraph that excluded the particular products in question, stating that those items may be
refurbished. This paragraph was omitted from the paper copy of the letter filed with the criminal
complaint. The court’s decision to admit or exclude the defendant’s evidence hinges on the authenticity
of the digital file.
Scenario #2
An employee of a mid-sized law firm files a sexual harassment suit against the company and one of its
partners under Title VII of the Civil Rights Act of 1964. The suit alleges that the partner, for whom the
employee worked as a legal assistant, created a hostile work environment by frequently sending her
jokes of a sexual nature by email, and that the firm’s other partners knew of and tolerated the behavior.
The court orders the firm to produce all email correspondence exchanged between the partner and
employee during the past two years. When the firm does so, and none of the messages produced
contain offensive content, the firm is challenged to show evidence that the electronically stored
information is complete and authentic.
Scenario #3
A financial services organization is under scrutiny by the U.S. Attorney General’s office for possible
violations of the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). In its defense, the company
produces electronic policy documents and email messages to demonstrate an ongoing effort to comply
with the Act’s provisions. The authenticity of the evidence, particularly as to whether the documents
were created after the fact and backdated, is called into question.
The Authenticity Framework
Organizations can protect themselves by deploying measures at each step of the electronic data
lifecycle to minimize future challenges to authenticity should that data and metadata ever become
subject to e-discovery. This framework relies on policies, processes and technologies designed to
protect the integrity of the data, limit access and provide auditing trails.
The framework consists of three basic categories:
Data creation and classification
Data storage and retention
Data management and protection
By creating and applying policies within this framework, you will be in a better position to prove the
authenticity of data if and when it becomes an issue in a criminal, civil or regulatory proceeding.
Laying the Foundation: Data Creation and Classification
The foundation of authenticity begins with the data creation process. Depending upon the application
used to create the file, you can enter relevant information at this time, identifying the author, time and
date of creation, and more.
To avoid problems in proving authenticity at a later date, it’s important to establish policies that govern
the entry of identifying information to append this metadata. Policies also should prohibit users from
creating documents or files when logged on through another user’s account, as this affects who is
identified as the author. The best practice for proving authenticity is to sign a document digitally upon
completion, and/or deploy rights management to restrict recipients from making changes or sharing
the document with unauthorized persons.
Proper classification can help you locate files if they become needed for evidence in a legal action.
Classification also helps to demonstrate that the material you provide in a discovery process is complete,
which is another important aspect of authenticity.
Ongoing Diligence: Data Storage and Retention
Authenticity is easier to prove if you can show that data was stored in a manner that prevents
tampering. To secure files with confidence, you should:
Apply access permissions and restrict access to those whose job duties require it
Deploy network security technologies, including firewalls, anti-virus and network access protection,
to prevent hackers or malicious programs from making changes to files
Encrypt files to further restrict who can open stored files
Implement policies and technologies to prevent users from copying files to removable media, as
this could result in someone making changes to the files and presenting them as the originals
Store data in a properly secured, centralized location instead of local machines
Use object auditing to provide a record of who has accessed the file over the course of its storage
Data retention policies can protect organizations from accusations of destroying evidence, by
demonstrating that files were deleted properly and according to policy.
Discovery Response: Data Management and Production
Stored data must be managed effectively so that you can locate and produce evidentiary data if
required. You should:
Purge files that are not required to be retained, according to a specific policy and schedule
Use standard formats such as XML that allow documents to be transferred through the systems of
multiple vendors during the stages of e-discovery; removing the necessity to convert to
different formats for this purpose reduces the opportunities for inadvertent changes that could
endanger authenticity
Utilize good search mechanisms to produce files in a timely manner, which in turn will lend
credence to claims of authenticity
Using Microsoft Technologies
Proving authenticity hinges on maintaining a solid security framework for managing and protecting
data. Microsoft technologies provide a foundation to create, classify, store, retain, manage and produce
digital data in such a way that you can preserve and document its authenticity at each step of the
information lifecycle.
The table below shows the elements of an effective framework based on Microsoft technologies:
Security Framework for Managing and Protecting Data with Microsoft Technologies
Need: Description
Secure infrastructure: Safeguards that protect against malware, intrusions and unauthorized access to personal information, and protect systems from evolving threats
Identity and access control: Systems that help protect personal information from unauthorized access or use, and provide management controls for identity access and provisioning
Data encryption: Safeguards that protect sensitive personal information by converting data into incomprehensible code that requires a “key” – held by an authorized recipient – to decode
Document protection: Protection of personal information stored in documents throughout the entire lifecycle of the document
Auditing and reporting: Monitoring to verify the integrity of systems and data in compliance with business policies
Search technology: Technologies that enable fast, comprehensive and accurate search of large amounts of data to identify potential evidence
The following Microsoft technologies offer tools and features that work together to establish a solid
foundation for proving authenticity of digital evidence:
Microsoft Office System
Windows Vista and Windows Server 2008 operating systems
Microsoft networking technologies including IP Security, Virtual Private Networking, application
virtualization and mobile data protection
Network server products such as ISA Server/IAG, Forefront Security, Data Protection Manager,
Windows Storage Server, SharePoint Services, Exchange Server, SQL Server, Live
Communications Server/Office Communications Server, and Microsoft Identity Integration
Server/Identity Lifecycle Manager Server
Microsoft Office System Technologies
The 2007 Microsoft Office system provides applications for the creation of documents, spreadsheets,
databases, slide presentations, email, notes, calendar entries, task lists, publications, diagrams and more.
Any of these file types could become potential evidence in a criminal, civil or regulatory proceeding and
subject to electronic discovery.
Some Microsoft Office applications allow you to authenticate the creator or sender, restrict what
recipients can do with them, provide confidentiality of the content, and so forth. These technologies
serve as building blocks for establishing authenticity through the use of:
Digital signatures
Document encryption
Information Rights Management (IRM)
S/MIME in Outlook
Other security mechanisms
Digital Signatures
It’s much easier to prove to the court that documents and emails are authentic when they have digital
signatures. Document signing provides an electronic authentication “stamp” to confirm that a
document originated from the signer and has not been altered. Document signing also ensures that
documents have not been intercepted and changed in transit without the recipient’s knowledge.
Multiple reviewers can attach signatures to a file as long as it remains unchanged.
Document signing allows administrators to:
Configure Microsoft Outlook to create digital signatures automatically or on a per-message basis
Use the XMLDSig format to allow digital signatures for Word documents, Excel spreadsheets and
PowerPoint presentations
Enable InfoPath forms so that users can sign forms in InfoPath 2007 or Internet Explorer using
digital signatures
Document Encryption
Encryption is the basis for securing electronic information to preserve the content’s authenticity. The
deployment of encryption mechanisms helps establish authenticity by showing the court or regulatory
authority that the likelihood of tampering or other changes to documents by unauthorized users was
reduced.
Administrators can encrypt Microsoft Word documents, Excel workbooks and PowerPoint presentations
using a strong, built-in encryption feature that requires the correct password to open a file. The
Advanced Encryption Standard (AES) encryption – the strongest industry-standard algorithm available –
was selected by the National Security Agency as the encryption standard for the U.S. government. AES’
default 128-bit key can be increased to 256-bit via the Windows Registry, and uses SHA-1 hashing.
Microsoft provides AES support for Office 2007 in the Windows Vista operating system.
To provide the maximum amount of AES encryption protection, passwords should contain at least eight
characters, and include upper and lower case letters, numbers and symbols. Network administrators can
set document controls in Microsoft Office with the Office Customization Tool and Active Directory
Group Policy.
Information Rights Management
Information Rights Management (IRM) extends the Rights Management Services in Windows Server
2008 into Microsoft Office 2007 and Microsoft Internet Explorer. Organizations can use IRM/RMS to
control document rights and reduce the likelihood of tampering. This shows a court that access to
documents was highly restricted, increasing the odds that they are authentic.
With IRM, users can control who can open a document and how recipients can use it. For example, you
can grant rights to open, modify, print or forward a document, and apply an expiration date to prevent
access after a specified time period. You also can create custom usage-policy templates, such as
“Confidential – Read Only,” for financial reports, product specifications, customer data, emails and other
sensitive documents.
S/MIME in Outlook
Microsoft Outlook 2007 supports S/MIME (Secure Multipurpose Internet Mail Extensions) security,
which allows users to exchange security-enhanced email messages with other S/MIME clients over the
Internet or internal network. Based on digital certificates and public/private keys in a PKI, S/MIME
provides authentication, integrity and non-repudiation via digital signatures, and data confidentiality via
encryption.
Email messages encrypted by the user’s public key can be decrypted only with the associated private
key. When a user sends an encrypted email message, the recipient's certificate (public key) encrypts it.
When a user reads an encrypted email message, the user’s private key decrypts it.
For best authentication, a certificate authority (CA) should issue certificates that require the holder to
verify his or her actual identity rather than just binding the certificate to an email address.
Other Security Mechanisms
The 2007 Microsoft Office system was developed on the “secure by default” principle. This means that
macros, ActiveX controls, and other means by which potential attackers could run code in efforts to
compromise a document’s authenticity, are not enabled by default. Organizations can dictate high
security settings and configure them through the Trust Center to help prove the low probability of
unauthorized access.
Windows Vista/ Windows Server 2008 Technologies
Windows Vista and Windows Server 2008 include many new security features that help protect the
integrity of information created and used in those operating systems. These technologies can help to
establish the basis of authenticity of data produced in response to e-discovery requests or offered as
evidence in a criminal, civil or regulatory proceeding.
Specifically, the following technologies in Windows Vista and Windows Server 2008 help to build the
foundation of authenticity:
NTFS file system in Windows Vista and Windows Server 2008
Encrypting File System (EFS) in Windows Vista and Windows Server 2008
Network Access Protection (NAP) in Windows Server 2008 and NAP client in Windows Vista
Rights Management Services in Windows Server 2008 and Rights Management Client in Windows
Vista
Certification Services in Windows Server 2008
Search technologies in Windows Vista and Windows Server 2008
The NTFS File System
The NTFS file system enables users to set permissions designating who can access documents on disk,
thus preventing anyone from opening the file without permission. Setting restrictive file-level
permissions on documents reduces the possibility of tampering and unauthorized changes, and makes
it easier to prove authenticity.
Encrypting File System
Encrypting File System (EFS) is a feature of NTFS that enables users to encrypt files and folders that are
stored on disk. EFS protects documents from unauthorized access and changes by external attackers or
“insiders” who otherwise might have legitimate access to the disk. Using EFS encryption to protect data
during storage also would increase the strength of your case in proving the authenticity of that data.
EFS includes many new security, performance and manageability features in Windows Vista and
Windows Server 2008. In Windows Vista, EFS encrypts the system page files and supports the storage of
user keys and administrative recovery keys on smart cards. If smart cards are used for logon, EFS
operates in a Single Sign On mode that uses the logon smart card for file encryption without further
prompting for the PIN.
Windows Server 2008 introduces a new design for EFS with remote files called Client Side Encryption.
Windows Vista clients can perform file encryption and decryption locally when storing files on Windows
Server 2008 file servers.
Network Access Protection
Network Access Protection (NAP) is a network access control system that allows IT administrators to set
security requirements to allow only those machines that conform with the requirements to connect with
the network, while enabling non-compliant machines to get “clean” before they are allowed access. By
using NAP to protect the network from the risks posed by non-compliant machines that could pass on
viruses and attacks, companies can demonstrate that data is less likely to have been compromised or
changed by malicious code, and thus more likely to be authentic.
The NAP client in Windows Vista simplifies the enforcement of network health policies and protects
against network attacks by enabling organizations to establish requirements for client health status,
such as current software updates and up-to-date virus signatures, and enforcing those requirements
when the client connects to the network. If a client machine does not meet the health requirements,
NAP can update the machine automatically or direct it to a separate “quarantine” area where the user
can remedy the situation.
Windows Server 2008 can function as a RADIUS server and proxy through Network Policy Server (NPS) to
provide authentication, authorization and accounting services for network access, and act as a NAP
health policy server.
Rights Management Services
Windows Rights Management Services (RMS) enables end-to-end protection and control over who can
read, print, change, forward or copy a document or email. Deployment of an RMS infrastructure
demonstrates to the court that the organization has taken steps to prevent unauthorized changes to
important documents and emails.
Information Rights Management (IRM) extends RMS to 2007 Microsoft Office system applications. RMS
depends on a supporting infrastructure that includes Certificate Services (PKI), Windows Rights
Management Services server(s), Internet Information Services (IIS), Microsoft Active Directory and SQL
Server, along with RMS client software and RMS-enabled applications. RMS works with RMS-enabled
applications to help safeguard confidential and sensitive information from unauthorized use – no matter
where it goes or how it is transferred.
Certification Services/Public Key Infrastructure
Active Directory Certificate Services (AD CS) in Windows Server 2008 provides the means to deploy a
public key infrastructure (PKI) to issue, manage and revoke public key certificates that validate the
identity of users, computers and services. Organizations can demonstrate authenticity with PKI because
the identity of a person, device or service is bound to a public/private key pair.
Many security technologies utilize certificates, including digital signatures, S/MIME, VPN, IPsec, SSL/TLS,
EFS, Windows Rights Management and smart card logon. Windows Server 2008 supports Cryptography
Next Generation (CNG), which allows custom cryptographic algorithms and cryptography in kernel
mode, and supports Suite B algorithms, a subset of cryptographic algorithms approved by the National
Institute of Standards and Technology (NIST).
Search Technology in Windows Vista and Windows Server 2008
The capacity to locate potential evidence quickly when required is another aspect of building a
foundation of authenticity. Windows Search, a platform built into Windows Vista and Windows Server
2008, works with the indexing service to enable rapid, comprehensive and accurate searches on file
names and contents, as well as metadata tags. Non-Microsoft applications can use the Application
Programming Interface (API) to query the index.
Windows Search technologies support remote management by Group Policy, through which IT
administrators can customize the setup, indexing and search settings to meet organizational needs.
Advanced Query Syntax (AQS) allows users and programmers to refine searches through Boolean
operatives and filters, or to specify the scope or data store where files reside, such as email repositories.
The Windows Vista client allows queries through Windows Server 2008, which transfers the results back
to the client.
Microsoft Networking Technologies
Microsoft networking technologies include many new security features that help protect the integrity of
information in transit across the network and in storage. Specifically, the following Microsoft networking
products and technologies help to build the foundation of authenticity of data produced as evidence:
Internet Protocol Security (IPsec)
Virtual Private Networking (VPN)
ISA Server/IAG Server
Forefront Security
Data Protection Manager Server
Windows Storage Server
SharePoint Services/Office SharePoint Server 2007
Search Server 2008
Exchange Server
SQL Server
Live Communications Server/Office Communications Server
Microsoft Identity Integration Server/Identity Lifecycle Manager
Mobile Data Protection Technologies
Internet Protocol Security (IPsec)
IPsec is a framework of open standards for protecting communications over Internet Protocol (IP)
networks through cryptographic security services. By protecting data in transit across a network, IPsec
reduces the likelihood of interception and modification by unauthorized persons.
IPsec supports network-level peer authentication and data origin authentication, data integrity and
confidentiality (encryption), and replay protection. Microsoft implemented IPsec based on standards of
the Internet Engineering Task Force (IETF) IPsec working group.
Supported by Microsoft Windows operating systems beginning with Windows 2000, IPsec also
integrates with Active Directory, which stores information and settings in a central database. Group
Policy allows IPsec settings to be configured at the domain, site or organizational unit level.
Administrators can set IPsec to control access to file, mail and database servers, and to lock non-trusted
computers out of all network resources.
Windows Vista and Windows Server 2008 include many improvements to IPsec, including integrated
firewall and IPsec configuration, integration with NAP, client-to-domain controller protection, improved
authentication, new configuration options and cryptographic support, and integrated IPv4 and IPv6
support. Windows Vista and Windows Server 2008 also support Authenticated IP (AuthIP), which adds a
second authentication for IPsec communications. Server and domain isolation via IPsec can provide
more security for the network while protecting the authenticity of the potential evidence stored there.
Virtual Private Networking (VPN)
A virtual private network allows authorized users to connect securely to the network from remote
locations. Encryption of data sent over a VPN connection protects it from interception and modification,
thus acting as another building block in establishing a foundation of authenticity.
With a VPN, users can send encrypted data between two computers across a shared or public network
(like the Internet) in a manner that emulates a point-to-point private link. If someone were to intercept a
packet on a shared or public network, the data would be indecipherable without the encryption keys.
ISA Server/IAG
Organizations can use secure gateway products to prevent external attackers from gaining access to a
network and making modifications to data stored there. Secure gateways can increase the confidence
level of the data’s authenticity in the event of a legal challenge.
For businesses of all sizes, Microsoft Internet Security and Acceleration Server 2006 (ISA Server) and
Intelligent Application Gateway 2007 (IAG) are Microsoft Forefront edge security and access
products that combine to serve IT needs for network separation and full control of inbound and
outbound access. Together they add a broad range of edge security functionality to address emerging
Internet threats.
ISA Server is an integrated edge security gateway that helps protect IT environments from Internet-based
threats while providing users with fast and secure remote access to applications and data. It provides a
single solution for network firewall and application layer inspection, remote-access VPN server,
site-to-site VPN gateway, and Web proxy and caching. ISA Server 2006 comes in both software and
hardware versions.
IAG is a comprehensive and secure remote-access gateway that provides secure socket layer (SSL)-based
application access and protection with endpoint security management. IAG 2007 enables granular
access control, authorization and deep content inspection from a broad range of devices and locations
to a wide variety of line-of-business, intranet and client/server resources.
Forefront Security
Viruses and other malicious software can make changes to data without the knowledge of those who
have custody of it, making it risky to presume that unprotected digital information is authentic. The
Microsoft Forefront security family is a comprehensive line of business security products that provide
protection for the client operating system, application servers and the network edge. By using Forefront
products to guard against malware attacks, organizations can increase the credibility of claims that the
data they produce or provide as evidence is authentic.
Members of the Forefront family include:
Forefront Client Security
Forefront Security for Exchange Server
Forefront Security for SharePoint
Forefront Edge Security and Access
Microsoft Forefront Client Security provides unified malware protection for business desktops,
laptops and server operating systems that is easy to manage and control. FCS helps guard against
emerging threats such as spyware and rootkits, as well as traditional threats such as viruses, worms and
Trojan horses. It integrates with existing infrastructure software, such as Active Directory.
Microsoft Forefront Security for Exchange Server includes multiple scan engines integrated in a
single solution to help businesses protect their Microsoft Exchange Server messaging environments
from viruses, worms and spam.
Microsoft Forefront Security for SharePoint manages and integrates multiple antivirus engines to
provide comprehensive protection against the latest threats, helping ensure that documents are safe
before they are saved to or retrieved from the SharePoint document library.
Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructure. (See ISA Server/IAG above.)
Data Protection Manager
The authenticity of stored data can be verified by comparing it to the backup data. If the primary data
has been purged, backup media could be the only source of data demanded in the e-discovery process.
Microsoft System Center Data Protection Manager 2007 (DPM) is a reliable data backup and
recovery system that can provide evidence that the data is authentic.
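As an added illustration of the comparison described above (it is not part of the white paper and does not use DPM's own tooling), the following Python script hashes a primary file share and its backup copy with SHA-256 and reports which files are verified, which were altered, which were purged from the primary and which were created after the backup. The two directory trees it builds are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_to_backup(primary: Path, backup: Path) -> dict:
    """Classify every file by whether its content still matches the backup copy."""
    live, saved = hash_tree(primary), hash_tree(backup)
    return {
        "verified": sorted(p for p in live if saved.get(p) == live[p]),
        "modified": sorted(p for p in live if p in saved and saved[p] != live[p]),
        "purged": sorted(p for p in saved if p not in live),  # only the backup has it
        "new": sorted(p for p in live if p not in saved),     # created after the backup
    }


def build_sample() -> tuple:
    """Constructed sample: a primary share and its backup that diverged after the backup ran."""
    base = Path(tempfile.mkdtemp(prefix="authenticity-"))
    primary, backup = base / "primary", base / "backup"
    for root in (primary, backup):
        (root / "contracts").mkdir(parents=True)
        (root / "contracts" / "msa.txt").write_text("Master services agreement v3\n")
        (root / "ledger.csv").write_text("date,amount\n2007-01-02,100\n")
        (root / "memo.txt").write_text("Retention memo\n")
    (primary / "ledger.csv").write_text("date,amount\n2007-01-02,1000\n")  # altered since backup
    (primary / "memo.txt").unlink()                                          # purged from primary
    (primary / "draft.txt").write_text("Not yet backed up\n")                # created after backup
    return primary, backup


if __name__ == "__main__":
    report = compare_to_backup(*build_sample())
    for status, files in report.items():
        print(f"{status:9s} {files}")
```

A file listed as "verified" matches its backup byte for byte; a "modified" or "purged" entry is exactly the case where the backup medium, not the primary, becomes the evidentiary source.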
The new standard for Windows backup and recovery, DPM offers sophisticated data protection through
administrative tools that can:
Deliver continuous data protection for Microsoft application and file servers using seamlessly
integrated disk and tape media
Enable rapid and reliable recovery through advanced technology for enterprises of all sizes
Protect Windows Servers by capturing data changes continuously with application-aware, block-level agents, providing an easily manageable data protection solution for disks and tapes, and
one-click lossless application recovery
Recover data in minutes from an easily accessible disk instead of locating and restoring from less
reliable tapes
Combine the best features of disk and tape
Reduce infrastructure requirements
DPM is part of the Microsoft System Center family, which plays a central role in the Microsoft vision to
help IT organizations benefit from self-managing, dynamic systems. System Center solutions capture
knowledge about infrastructure, policies, processes and best practices to enable IT administrators to
build manageable systems and automate operations to reduce costs and enhance service delivery.
Windows Storage Server
Organizations require a reliable storage system that can integrate seamlessly into existing IT
infrastructure and investments. Microsoft Windows Storage Server 2003 R2 protects data by
providing high reliability and availability, and uses Volume Shadow Copy Service for fast recovery and
restoration of deleted or corrupted files. As a dedicated file and print server, Windows Storage Server
doesn’t deploy business applications that could be exploited by hackers and attackers. By protecting
data from the possibility of such attacks, you make it easier to prove the data’s authenticity.
Microsoft Windows Server 2008, the next generation of the Windows Server operating system, adds
advanced security features including Network Access Protection and new reliability monitoring tools.
SharePoint Services/Office SharePoint Server 2007
Office SharePoint Server 2007 is an integrated suite of server capabilities built on Windows
SharePoint Services. By providing comprehensive content management and enterprise search
capabilities, these technologies can accelerate shared business processes and facilitate information
sharing across boundaries for better business insight.
Office SharePoint Server 2007 allows administrators to create portals and manage enterprise content.
The Standard and Enterprise editions provide all of the features of Windows SharePoint Services and
more. They also include Enterprise Search to identify and enable specific content to be indexed,
searched and displayed to authorized users. (The Enterprise edition adds business intelligence features
such as integrated spreadsheet publishing, data collection libraries and key performance indicators.)
The 2007 Microsoft Office system provides even broader RMS capabilities through new developments
in Microsoft SharePoint. Administrators can set access policies for SharePoint document libraries on a
per-user basis. For example, users who have “view-only” access to library documents (but cannot print,
copy or paste) will have those policies enforced by RMS, even if the document is removed from the
SharePoint site.
By using RMS in conjunction with SharePoint, you can demonstrate that documents available to
multiple parties for collaboration weren’t compromised.
Search Server 2008
Microsoft Search Server 2008 and Search Server 2008 Express provide powerful search capabilities
throughout the enterprise, using the Search Center interface. These technologies help to identify and
locate potential evidence quickly – an important step toward building the foundation of authenticity
and demonstrating a complete and accurate discovery process for ESI. Administrators can configure the
software to index a wide variety of repositories and apply authentication and security mechanisms to
restrict access as appropriate.
You can download Search Server Express for free at:
http://www.microsoft.com/enterprisesearch/serverproducts/searchserverexpress/try-1.aspx.
Exchange
Microsoft Exchange Server 2007 provides built-in security mechanisms to protect the integrity and
authenticity of email messages. All mail traveling within an Exchange Server 2007 organization is
encrypted by default, and messages exchanged between organizations can be encrypted in both server-to-server and host-to-host scenarios.
The following technologies prevent spoofing and provide confidentiality of messages in traffic:
Transport Layer Security (TLS) for server-to-server traffic
Remote Procedure Call (RPC) for Outlook connections
Secure Sockets Layer (SSL) for Client Access traffic (Outlook Web Access, Exchange ActiveSync and
Web Services)
Using a policy-driven interface, administrators also can use Microsoft Exchange Server 2007 to
configure ethical firewalls that comply with applicable laws, regulations and organizational policies. An
ethical firewall is a zone of non-communication between distinct departments within an organization to
prevent conflicts of interest that might result in the inappropriate release of sensitive information.
Exchange Server 2007 also can help organizations comply with data governance regulations by applying
information rights management principles automatically at the gateway level.
Other features can help you protect information more efficiently by:
Providing RMS licenses with rights-protected documents, which reduce the need to contact the
server to obtain and verify permissions
Detecting whether an outgoing email contains certain types of sensitive information (such as Social
Security numbers), rejecting the email, and offering the user guidance on how to transmit such
data properly
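An added example (not Exchange's own transport-rule engine) of the detection logic described in the second item above, written in Python: it inspects an outgoing message for Social Security number patterns, rejects it with guidance for the sender when one is found, and masks the matched value in its own verdict. The internal domain, recipients and message text are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed pattern. The SSA never issues area 000, 666 or 900-999, group 00
# or serial 0000, so those are excluded to avoid rejecting order numbers and
# other digit groups that merely look like an SSN.
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"
)

GUIDANCE = ("Message rejected: it appears to contain a Social Security number. "
            "Remove it or send the data as a rights-protected attachment.")


@dataclass
class Verdict:
    action: str                                  # "reject" or "deliver"
    matches: list = field(default_factory=list)  # masked values that triggered the rule
    guidance: str = ""                           # text returned to the sender on rejection


def inspect_outgoing(subject: str, body: str, internal_domain: str, recipients) -> Verdict:
    """Decide whether an outgoing message may leave the organization."""
    # The rule applies only to mail bound for at least one external recipient.
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    if not external:
        return Verdict("deliver")
    found = SSN_RE.findall(subject + "\n" + body)
    if found:
        # Keep only the last four digits in the verdict so the rule's own log
        # does not become another copy of the sensitive value.
        return Verdict("reject", ["***-**-" + m[-4:] for m in found], GUIDANCE)
    return Verdict("deliver")


if __name__ == "__main__":
    # Constructed sample message bound for an external partner.
    verdict = inspect_outgoing(
        subject="Background check",
        body="Applicant SSN 123-45-6789, see attached form.",
        internal_domain="contoso.example",
        recipients=["screening@partner.example"],
    )
    print(verdict.action, verdict.matches)
    print(verdict.guidance)
```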
Microsoft Exchange Hosted Services is an alternative solution that helps organizations protect email
against malware, satisfy retention requirements for compliance with regulatory standards, encrypt data
to preserve confidentiality, and preserve access to email during and after emergency situations.
Exchange Hosted Archive is an advanced message archiving system that enables you to apply the
appropriate retention policies, and filter and search for electronic messages.
Exchange Server 2007 or Exchange Hosted Services can reduce your chances of becoming involved in a
regulatory non-compliance case in the first place. If a legal issue does arise, you can show due diligence
in protecting email information, making it more likely that the evidence you submit will be accepted as
authentic.
SQL Server
Databases store much of the data that can end up as the subject of litigation or other legal action. To
support the data’s authenticity, organizations must demonstrate that their databases are secure.
Microsoft SQL Server 2005 enables administrators to protect against tampering with information by
encrypting the entire database or specified portions of it. SQL Server also allows administrators to
encrypt information from the database that resides on a client system disk.
Office Communications Server/Live Communications Server
Instant messages (IM) are an important potential source of evidence in criminal, civil and regulatory
cases because people tend to be more open and uninhibited when instant messaging than in more
formal communications. Although some businesses prohibit the use of IM altogether, many have
embraced it for fast, real-time communication with co-workers, customers and partners.
Microsoft Office Communications Server 2007 (OCS) and its predecessor, Live Communications
Server 2005 (LCS), offer enterprise instant messaging solutions with protection measures that can
support organizations in demonstrating that their communication records are authentic. For example,
administrators can log and archive all IM traffic that goes through the server, providing call detail
records that potentially could become the subject of e-discovery. OCS/LCS also offer the ability to
encrypt IM traffic and provide Voice over IP (VoIP) services for voicemail, which is another potential
source of digital evidence.
Microsoft Identity Integration Server/Identity Lifecycle Manager Server
The very basis of proving authenticity is the ability to validate the identities of those who create or
access the data. Microsoft’s identity and access solutions help organizations keep tight control over
digital identities and ensure that those accessing data really are who they claim to be.
Microsoft Identity Lifecycle Manager Server (ILM) and its predecessor, Microsoft Identity
Integration Server (MIIS), can provide organizations with a policy-driven, unified view of all known
identity information about users, applications and network resources. These products enable IT
administrators to synchronize information across a wide variety of different systems, allowing updates
to data across disparate platforms while maintaining integrity and ownership. ILM 2007 builds on the
metadirectory and user-provisioning capabilities in MIIS 2003 and adds new options for managing
strong credentials such as smart cards.
Mobile Data Protection Technologies
More and more workers take their work with them after leaving the office, and use mobile
devices such as handheld computers and smart phones to send or receive work-related messages, or
store company data. Windows Mobile devices contain built-in security technologies that help protect
the integrity of data, making it easier to prove authenticity if the data should become the subject of e-discovery.
Microsoft provides increased security in the Windows Mobile 6 (WM6) operating system for handheld
computers and smart phones. WM6 supports memory card encryption, which prevents tampering with
information stored on flash memory cards, as well as new Exchange Server policies and certificate
options. WM6 also supports Windows rights management, so that documents sent and received by
these devices can be subject to the same restrictions as those on desktop and laptop computers.
Summary
Preserving the integrity of digital evidence – and having the capacity to prove its authenticity – is vitally
important to organizations involved in active or pending lawsuits, criminal cases or regulatory inquiries.
You can respond to e-discovery orders or introduce evidence in support of your case more effectively
by laying the proper foundation to establish authenticity of all data created or stored on your network.
Microsoft offers a wide variety of security technologies to help organizations create the building blocks
of authenticity. The table below summarizes the technologies and how they can integrate with an
overall plan to ensure proof that data produced as evidence is authentic.
Summary of Microsoft technologies designed to build a foundation of authenticity

Microsoft technology | Type of data affected | How it aids in building a foundation of authenticity
--- | --- | ---
Digital signatures | Office documents, email messages | Provides authentication of the identity of the creator/sender and non-repudiation
Document encryption | Office documents | Reduces the likelihood that unauthorized persons have been able to access and modify documents
Information Rights Management and Rights Management Services | Office documents, email messages | Prevents unauthorized changes to data by recipients of the data
Outlook (S/MIME) | Email messages | Provides authentication, integrity and non-repudiation
NTFS | All files | Enables setting permissions to reduce the possibility of tampering that could compromise authenticity
Encrypting File System | All files | Protects files stored on disk from unauthorized access and tampering
Network Access Protection | Data stored on the network | Prevents infection by malware, viruses or attacks that could modify data and threaten its authenticity
Certificate Services/PKI | Data protected by PKI-based security technologies | Verifies the identities of users and computers
IPsec | Data that travels over the network | Prevents interception and modification in transit
VPN | Data exchanged between remote systems and the LAN | Encrypts data to prevent it from being intercepted and changed
ISA Server and IAG | Data stored or transmitted on the network | Prevents intrusions from external attackers who can gain access to a network and make modifications to data
Forefront Security family | Data stored or transmitted on the network | Reduces chances of a virus or other malicious software making changes to data
Data Protection Manager | Backed up data | Provides reliable secondary source of authentic data when the originals have been destroyed or damaged
Windows Storage Server | Data stored on file server | Prevents attacks based on exploits of services that run on full-fledged Windows Server 2008 machines
SharePoint Services | Data shared for collaboration | Supports RMS and other security mechanisms to ensure that shared data is authentic
Exchange Server | Email, calendaring, task lists, notes | Protects email and other user data from tampering
SQL Server | Database entries | Encryption protects against tampering or modifying information in the database
OCS/LCS | Instant messages, VoIP voicemail | Provides logging and archiving to make production of IM and voicemail evidence easier to authenticate
ILM/MIIS | All data | Manages digital identities of users who may have access to data, making it easier to authenticate
Mobile data protection technologies | Data stored on, sent from or received by mobile devices | Encryption, rights management and other security mechanisms protect the integrity and authenticity of mobile data