The tide has now changed and cell phone data is now quickly becoming a part of basic e-discovery.
Why is cell phone data becoming an important part of e-discovery?
One simple reason - with thanks to RIM (Blackberry), Apple (iPhone), and Microsoft (Windows CE devices), cell phones with PDA functionality are quickly becoming the main communications device that all business persons are using both for written (email, text messaging) and phone communications. While it is still a secondary device for web surfing (and that is changing given the increased screen resolution and QWERTY keyboards of such devices) there are many internet connected business applications in use for crucial functions such as data analysis, database input and reporting, and interfacing with servers. The email and business applications on such "cell phone" devices making the devices into the smallest form factor of a de facto laptop computer. In other words the cell phones devices have progressed to the point that they have similar business communications functionality to a laptop computer and given their small size they are, in many instances, used more often.
How do you extract cell phone data for e-discovery?
There are many ways to extract cell phone data some more elegant than others. Indeed, with some cell phone/PDA devices a large part of the data (but not all) including email can be synchronized to a central server by using, for example, the functionality found in Blackberry Server and Outlook Exchange.
There are also applications that on a one by one basis use the data port on the cell phone device to communicate with the USB port on a laptop running specialized software the runs the extraction. In this category a new product called the Cell Seizure Investigator (CSI) Stick from Paraben shows some promise.
Paraben's CSI Stick is a portable cell phone forensic and data gathering hardware and software tool. According to Paraben the way it works is that you select the colored cell phone tip (compatible with the communications port) for the cell phone model to be acquired, plug the power adapter in, plug the CSI Stick into the cell phone,and press the acquire button and the extraction begins.
The CSI Stick contains a switch where you pick the level of data extraction including:
- A logical copy gets all available active data (including text and multi-media files)
- The text filter copies all SMS and text messages, phonebooks, and call logs
- The multi-media filter copies all available pictures and movies
- A physical copy gets all memory on the device
In order to use the data extracted by the CSI stick you will need to own a copy Paraben's Device Seizure or Device Seizure Lite. According to Paraben "these advanced forensic analysis tools enable you to view, search, and report on data extracted from handheld devices."
The CSI Stick currently needs to beef up its cell phone and PDA device support as it only handles certain Motorola and Samsung phone models but Paraben indicates that more manufacturer support is coming soon. Frankly, Blackberry and iPhone support are very much needed given the popularity of such devices.
On the flipside, it seems that a large organization faced with the need to preserve a huge installed base of cell phone data will need to look to some other technology - more likely one that is centralized with synchronization. Such a software application will need to run over a large number of devices like the Blackberry Server and provide the same level of extraction as the CSI Stick - so that larger organizations with a large installed base of cell phone and PDA users can have a practical method of preserving cell phone/PDA data on demand - for example in a litigation hold climate.
The CSI Stick makes cell phone evidence gathering and analysis available to the masses including lawyers, investigators, and all others in the e-discovery chain who should consider it when faced with the daunting challenges of the current state of e-discovery and related investigations.
]]>
The K&L Gates e-discovery site recently published a useful list of current state e-discovery statutes - I found it helpful so I am reproducing the list below - here is a link to the K&L Gates site. I have seen a draft version of e-discovery statutory changes from California so don't be surprised if that state will soon be added to the list.
Arizona
Amendments to Rules of Civil Procedure 16, 26, 26.1, 33, 34, 37 and 45
Connecticut
Connecticut Practice Book, Superior Court - Procedures in Civil Matters
Sec. 13-9. Requests for Production, Inspection and Examination; In General (see subsection (d), at p. 192 of 259-page .pdf document)
Idaho
Idaho R. Civ. P. 34
Illinois
Illinois Supreme Court Rules 201(b)(1) and 214
Indiana
Amendments to Rules of Trial Procedure 26, 34 and 37
Rule 26. General provisions governing discovery
Rule 34. Production of documents, electronically stored information, etc.
Rule 37. Failure to make or cooperate in discovery; Sanctions
Louisiana
CCP 1424 - Scope of discovery; trial preparation; materials
CCP 1460 - Option to produce business records
CCP 1461 - Production of documents and things; entry upon land; scope
CCP 1462 - Production of documents and things; entry upon land; procedure
Minnesota
Amendments to Rules of Civil Procedure 16, 26, 33, 34, 37, 45
Mississippi
Miss. R. Civ. P. 26(b)(5)
Montana
Mont. R. Civ. P. 16(b). Scheduling and planning
Mont. R. Civ. P. 26(b). Discovery scope and limits
Mont. R. Civ. P. 26(f). Discovery conference
Mont. R. Civ. P. 33(c). Option to produce business records
Mont. R. Civ. P. 34(a). Scope
Mont. R. Civ. P. 34(b). Procedure
Mont. R. Civ. P. 37(e). Electronically stored information
Mont. R. Civ. P. 45(a). Form - issuance
Mont. R. Civ. P. 45(c). Protection of persons subject to or affected by subpoenas
Mont. R. Civ. P. 45(d). Duties in responding to subpoena
New Hampshire
Superior Court Rule 62. (I) Initial Structuring Conference (see subsection (C)(4))
New Jersey
Part IV - Rules Governing Civil Practice in the Superior Court, Tax Court and Surrogate's Courts
Rule 1:9. Subpoenas
Rule 4:5B. Case Management; Conferences
Rule 4:10. Pretrial Discovery
Rule 4:17. Interrogatories to Parties
Rule 4:18. Discovery and Inspection of Documents and Property; Copies of Documents
Rule 4:23. Failure to Make Discovery; Sanctions
New York
Uniform Civil Rules of the Supreme and County Courts, § 202.70 Commercial Division of the Supreme Court
See Rule 8. Consultation prior to Preliminary and Compliance Conferences
North Carolina
Local Rules of North Carolina Business Court
See Rule 17.1 - Case Management Meeting
See Rule 18.6 - Conference of Attorneys with Respect to Motions and Objections Relating to Discovery
Texas
Tex. R. Civ. P. 196.4 Electronic or Magnetic Data
Utah
Utah R. Civ. P. 26. General provisions governing discovery
Utah R. Civ. P. 33. Interrogatories to parties
Utah R. Civ. P. 34. Production of documents and things and entry upon land for inspection and other purposes
Utah R. Civ. P. 37. Failure to make or cooperate in discovery; sanctions
Utah R. Civ. P. 45. Subpoena
Effective November 1, 2007
]]>
Counsel involved in similar "RAM" e-discovery issues should research and be mindful of the core discovery principals at stake as the e-discovery cases evolve.
It is axiomatic that in response to a request for documents no litigant should be compelled to create, or cause to be created, new documents solely for their production. Federal Rule of Civil Procedure 34 requires only that a party produce documents that are already in existence. Alexander v. FBI (D.D.C. 2000) 194 F.R.D. 305, 310.” Paramount Pictures Corp. v. ReplayTV (C. D. Cal. 2002) CV 01-9358 FMC (Ex) (filed May 30, 2002) 2002 WL 32151632.
The phrase “Electronically Stored Information" was added to Federal Rule of Civil Procedure 34 in 2006. The Advisory Committee Notes to the 2006 Amendment of Rule 34(a) state that the rule “applies to information that is fixed in a tangible form” and that the definition “is expansive and includes any type of information that is stored electronically.” The Notes are silent as to any compact unity or functional integrity that the information must have in time or place of fixation. In the light of a generally cautious approach, it would appear that the silence is intentional. (“The wide variety of computer systems in use, and the rapidity of technological change, counsel against a limiting or a precise definition.”)
Counsel should be cautious as to any request for documents that seeks "documents" that only come about through the reduction of transient RAM to a different format "fixed in a tangible form" - especially if the production of documents requires the ongoing collection of data from transient RAM, gathering the data together into one or more files and then storage of the files in a tangible medium. Such a request for documents that requires the reduction of transient RAM to another format "fixed in a tangible form" appears to deviate from Federal Rule of Civil Procedure 34 which seems to mandate that such documents "already" be fixed in a tangible form as a condition of the requirement of production.
The Federal District Court gave a practical rule of determination in ReplayTV, supra:
“A party cannot be compelled to create, or cause to be created, new documents solely for their production. Federal Rule of Civil Procedure 34 requires only that a party produce documents that are already in existence. Alexander v. FBI (D.D.C. 2000) 194 F.R.D. 305, 310.” Further:
“It is evident to the court, based on Pignon’s declaration, that the information sought by plaintiffs is not now and never has been in existence. The Order requiring its production is, therefore, contrary to law. See National Union Elect. Corp. v. Matsushita Elec. Indust. Co., 494 F.Supp. 1257, 1261 (E.D. Pa. 1980).” (Footnote omitted.)
The phrase “Electronically Stored Information" was added to Federal Rule of Civil Procedure 34 in 2006 and the time of this writing there are few if any cases describing the contours of what "electronically stored information" is and what is considered "tangible". Given the lack of detailed legislative and judicial guidance regarding the revised Rule 34 there is a need for courts to provide clarity on how litigants should conduct themselves (especially when it comes to transient RAM data) in order to: create predictability regarding e-discovery compliance, reduce the ambiguity of data preservation letters, avoid the potentially harsh economic and social consequences of e-discovery over compliance, and to minimize the burden on the Judiciary caused by parties rushing to Court in a chaotic manner raising motions to compel, spoliation claims, and motions for protective orders.
We argued in our appeal, amongst other things, that:
Torrenstpy has never had server logging turned on and thus log files were never created. The Magistrate committed error when she ordered the creation of log files as it is axiomatic that in responding to a request for documents one need not be compelled to create documents. The Magistrate reasoned that such log file data was in existence as it (or the “HTTP header information”) was present in RAM for a transient moment (like frankly every web server in the world) and then the Magistrate used copyright law to decide in essence that RAM was sufficiently tangible to constitute a document for purposes of preservation duties and production of documents. The Magistrate committed error in finding that RAM was sufficiently tangible to constitute a document for purposes of document production. Transient RAM or “random access memory” is ipso facto ephemeral and there is no reported case in federal civil discovery to support such a radical view that transient RAM constitutes a document for purposes of production.
The privacy issues from a civil logging Order are real in this context - logging would have an enormous chilling effect on site use and the user experience. The good faith nature of this privacy issue can be summed up in one question: What users are going to want to use the Torrentspy.com search engine when they know that Torrentspy.com has been ordered by a Federal Court to log what is in essence user clickstream tied to their IP address?
Respectfully, the Magistrate’s order, “turn on logging” or “write software” amounts to a de facto injunction, without any finding of a likelihood of success on the merits and without any bond – such an injunction order not only violates due process but it also exceeds the Magistrate’s jurisdiction. There are no copyrighted works on the Torrentspy site or linked to by the site and there had been no finding on the merits of infringement or affirmative defenses such as the DMCA - if Torrentspy succeeds in its defense but the Order is not reversed there would be no bond to compensate it for the burdens and the lost users who were chilled from using the site under fear of being tracked and logged.
Such an order is also vastly overbroad as it is designed to turn on logging for “all” site visitors. The plaintiffs sued regarding roughly fourteen US copyrighted works. Initiating a download of a torrent file from a third party server does not demonstrate that the download was successful. According to the evidence even if the torrent file download was successful it does not demonstrate that the torrent file downloader loaded the torrent file into the specialized software program needed to attempt to fetch an audiovisual file or that such attempt was successful or that the user fetched one of the copyrighted works being sued upon.
Such overbreadth of the Order can also be found in that the un-rebutted evidence demonstrated that the vast majority, over 70% of the site visitors to the Netherlands Torrentspy servers are from outside the United States. Over 90% of the bit torrent trackers are located outside the United States. In essence, the vast majority of site visits to Torrentspy.com cannot lead to primary infringements under US Copyright statutes “as a matter of law” as the site visits and such conduct after the site visits occur wholly outside the United States and do not fall under this Court's subject matter jurisdiction.
]]>According to an Order made available today - the answer is at least sometimes yes. The Order is being appealed and is stayed pending appeal.
Indeed, the Federal Court in Los Angeles today granted Torrentspy.com's request for a stay of an e-discovery order pending appeal that in essence found that since user HTTP header information is in transient RAM on Torrentspy's servers that such data was tangible enough to be considered "documents" that needed to be "stored" in log files, preserved, and handed over in civil litigation e-discovery. Torrentspy.com did not have server logging "turned on" prior to litigation and therefore the Court in essence ordered that such server logging of user activity commence as part of its discovery order in response to a motion to compel production of documents.
You should note that in full disclosure this is a case I am working on and defending. But the "RAM" e-discovery Order is so important as an issue of first impression that I feel compelled to write about it on this site which focuses on e-discovery.
Here is a News.com story on the Order.
We will be appealing the Order as it does sound like in my view that defendants are being required to "create" documents not merely "provide" documents. In responding to requests for documents one does not have an obligation to create documents but merely to provide documents already in existence.
The Order - "turn on logging" - or "write a program to convert the data in RAM into log files" - also seems like a de facto injunction without a bond under the guise of a discovery order.
In my view if this Order as it relates to "RAM" is not quickly overturned or narrowed the worldwide social and economic consequences can be staggering. You can imagine the e-discovery preservation letters that will start being flung around warning opposing parties to preserve "relevant" things found in transient computer RAM or risk spoliation claims - the result will likely be fear and over-compliance (if one had the staff to reduce stuff in RAM to a log file) - it would follow that corporate IT and e-discovery costs would go way up as allegedly relevant data in RAM will need to be reduced to permanent storage based on one merely being a party to a case (or about to be a party).
It would also follow that consumer privacy would take a step backwards since just being a defendant with a privacy centric web server may be enough to be forced to turn server logging on and such logs handed over in discovery to the other side (without any finding that a defendant did anything wrong or is likely to lose the case).
So much for any right to surf anonymously. This may chill users "worldwide" from going to a US site that is involved in litigation and had to turn logging on.
Wait a second - a client called who was in the process of typing up some thoughts using Microsoft Word and erased something in his "open" document - it was a serious thought he had about crucial evidence related to a case - it was in transient RAM for an hour and not saved in a file yet - let me see - was that RAM thought supposed to be preserved before he pressed the delete key and saved the final version? Let us do a balancing test to figure this out.
]]>Given the dynamic and voluminous nature of the web it does beg the question:
How do you preserve web pages and whole web sites for later use as evidence?
The answer can be found in web spider and crawler software programs you can use to "mirror" web pages and whole sites for a given date and time. The terms web spider and web crawler (and web robot) are used interchangeably and in essence mean the same thing - a program or script that browses the world wide web from link to link in an automated fashion.
Generally speaking most web spider and crawler "capture" programs work the same way - you provide a starting URL, presumably either the "front page" of the site or a deep link for the main offending page and then you "tell" the program how many levels deep of the site or third party sites you want to spider and capture.
You can use web spider software to capture a single page or an entire web site, or even to follow links to third party sites. Needless to say that you need to be careful when you input capture criteria and start the spidering software as the amount of memory grows exponentially based on decisions related to levels to crawl and linked pages to store and whether to follow links to third party sites and servers.
You should also be mindful of the web spider side effect that in some instances you may be placing a large load on a target web server who is getting "pounded" with requests from your IP address which may prematurely reveal your investigation.
I have found that in many instances, especially in the civil litigation context, that the simplest and narrowest method of spidering is usually sufficient - especially when coupled with a web video produced using a software tool like Camtasia Studio providing a video exemplar of web site browsing clearly showing the offending content .
In other words in the current civil litigation climate it may be enough to use the the built in "web capture" tool in Internet Explorer or in Adobe Acrobat to capture a small number of pages or a single web page and such an approach will rarely be seriously disputed from an evidentiary perspective. The added advantage in using Adobe Acrobat for web spidering and capture is that you can bates stamp the resulting PDF pages and have your e-discovery document production of the target web pages ready to go in an easy to use format.
Adobe Acrobat does a conversion of the pages from their native format and thus may not be suitable if anything other than the general manifestation of the visible content on the target web pages is at issue - so choose a more robust solution if, for example, the underlying page formatting, page metadata, site directory structure, link structure, or dynamically generated code for the respective target web pages is at issue.
But, again, rarely does someone waste time challenging the integrity or admissibility of the Internet Explorer or Adobe Acrobat capture of the target web page(s) manifestation. If they do challenge the integrity of such a spidering effort then subpoena or request the production of documents to get a mirror or copy of the legacy web code to see if any of the alleged differences are material to the issues in dispute.
More complex spidering tools allow for much more accurate page and site capture and are particularly useful for copying a large number of web pages and sites over a long period of time and fully automating the process - including periodic programmatic review of the target web sites for changes and subsequent copies. Some of the leading programs in this category including Grab-a-Site, Web Copier, and WebWhacker.
Programs like Grab-a-Site use specialized methods of web spidering and capture that preserves the integrity of the original site and thus may reduce or mitigate attacks on evidence admissibility some of these methods include maintaining actual filenames, server directory structure, and Unix compatibility .
Web Whacker may change the filenames in the spidering and capture process but does allow, using a proxy server technology, for a relatively realistic off line simulation of the online browsing experience for the captured site. Thus there is an argument that you should use both Grab-a-site and Web Whacker to capture a target web site given the pros and cons of each.
If you use Linux you may want to consider using the "wget" command - it is free and there is also a version for Windows. For example, to capture for your own off line review this site moredata.com you can use the command:
% wget -m http://www.moredata.com
If there problems due to internal links on the mirrored site having absolute links pointing back to the web - that can be handled by changing the wget command switch by using:
% wget -m -k http://www.moredata.com
The above change in the wget command will likely change the links on the captured site so that they are no longer identical to the original site. Thus, if you want to err on the side of evidentiary conservatism you may want to mirror target sites and pages using both wget methods around the same period of time.
It is important to remember that unless you ethically hack a server your web spidering software cannot capture much of the web site source code - like server side scripts and therefore depending on the issues in your case you may need to use litigation methods like subpoenas and document requests to get the original web source code. Indeed, the web spidering software is usually limited to what could be manifested in a user's browser and thus usually static HTML, browser side scripts, or what is dynamically generated by the web site's underlying source code - but often this is enough evidence to support the material allegations of illegal conduct on a given web site.
If you need to get access to historical manifestations of web pages and sites you can try searching the Google cache or use the Wayback machine.
You can search the Google cache by using the method "cache:URL". Here is an example of this site's home page in the Google cache.
Here is an example of my law firm web site's home page in the Wayback machine.
Given the likelihood that you will need to find, mirror, and preserve electronic evidence obtained from the web you should seriously consider acquiring as part of your electronic investigation toolkit the proper web spider software to accomplish such a task.
The general flow chart for a computer forensic investigation can be summarized with an acronym ISUPR and is as follows:
Image - where the target hard drives are cloned
Search - where keyword searches for relevant evidence are performed if feasible (i.e. non images)
Undelete - where you restore files that were deleted if enough of the underlying data is still present
Preview - where you use a universal viewer to review potentially relevant files, data, and images
Report - where you report on your methods and results
I will deal with the first stage here - Image the target hard drive(s).
The Image stage is perhaps the most exciting stage where an investigator needs to get actual access to the target's computer system and in essence "clone" the target's hard drive(s). Needless to say that the access to the target's hard drive must be lawful or the investigator may, ironically, be in violation of applicable law such as the Computer Fraud and Abuse Act. Some examples of lawful access include via a valid search warrant, subpoena, pursuant to a contract, and when appropriate that of an employee using an employer's PC.
The imaging process must also be forensically sound, well documented, and comply with applicable rules of evidence, including but not limited to, maintaining the chain of custody.
The National Institute of Standards and Technology (NIST) under an agreement with US Department of Justice has come up with some mandatory requirements for a forensically sound hard drive imaging tool and they are:
-The tool shall make a bit-stream duplicate or an image of an original disk or partition.
-The tool shall not alter the original disk.
-The tool shall be able to verify the integrity of a disk image file.
-The tool shall log I/O errors.
-The tool’s documentation shall be correct.
There are a variety of software and hardware tools that are used to Image a target's hard drive. The US Department of Justice has tested various software and hardware hard drive imaging tools to determine if they are forensically sound and has provided such results. I will not endorse any hard drive imaging tool here or pass judgment on whether they comply with the above requirements but rather provide you with a list in no particular order of commonly used computer forensic hard drive imaging tools for your convenience:
Paraben
FTK
LogiCube
WinHex
dd
ILook
You need to take care of handling the computer forensic Image stage in a technically sound and legally compliant manner since there is little chance to fix any mistakes made in this stage or to "unring the bell". If a mistake is made in the hard drive imaging process or an anomaly is found then a proper cross examination or other legal attack can possibly lead to the exclusion of such evidence. On the positive side if a technically and legally valid hard drive image or "clone" is made most mistakes made after the Image stage, such as "undeleting" erased files, can be fixed or redone on the fly with little or no consequence other than time.
]]>The lack of consistency of people "names" creates challenges in electronic investigations and e-discovery.
For example, there can be multiple variations of the same individual's name across Asia or the Middle East. If you introduce misspellings the global name recognition problem is compounded.
How do you analyze in an automated fashion huge amounts of data to identify an individual if you do not know all the multi-cultural keywords or name variations for a particular individual?
IBM has an answer and it offers a cross platform suite of AI software for Global Name Recognition consisting at its core Global Name Management, Global Name Scoring, and Global Name Analytics. The IBM Global Name Recognition software uses over 20 years of linguistic research and analysis and provides robust information for given "input" foreign names including cultural classification, gender, and possible alternative westernized spellings.
In addition IBM's Global Name Recognition software helps discern spelling errors, provides for a huge multi-cultural knowledgebase, and ranks search results amongst other things.
In this connected world it would be wise for the electronic investigator and e-discovery attorney to have access to global name recognition software to save investigation time and money and to increase accuracy.
]]>For example, in a trade secrets case a senior level employee may have attempted to bypass company email to use his private "web email" to communicate regarding stolen trade secrets. Getting screenshots of such web based email pages and related communications would be helpful to prove the theft of trade secrets.
In another example, an employee visited a web site to download illegal content in violation of a company's policies and subsequently erases such content from the "my documents" area and denies the download.
Obviously to "forensically" obtain web browsing history would be helpful in investigating matters involving illegal downloading or to help explain or verify other wrongful conduct.
How do you reconstruct web browsing history? In an area deep in the caverns of the Windows operating system resides "temp" and "cache" directories and files some of which are "hidden" that contains, usually by default, the data needed to reconstruct a robust web browsing history. For most users this type of data is relatively inaccessible in that it is hard to find and harder to reassemble into a useful form.
There are software tools available to computer forensic investigators to automatically reassemble web browsing history. One well established tool is NetAnalysis which scans a PC for the hard to find files stored in areas like temp and cache directories and processes the files and attempts to reassemble them into a web browsing log complete with screenshots and time and dates of visits. NetAnalysis goes further and even has functions that will attempt to find data in the file "slack" and other hard to analyze storage areas. NetAnalysis also includes a robust report writer feature that summarizes web browsing history by useful criteria, including date, time, and URL.
On the flipside, there are multiple tools to "wash" a computer of "hidden" web browsing history including most notably Webroot's Window Washer software which also allows for "bleaching" a fancy word for military standard deletion with multiple overwrites.
From an investigation perspective there is a bit of a race - keep in mind that you had better capture the hard drive to run NetAnalysis before the alleged wrongdoer runs Window Washer.
Getting access to web browsing history can be an important part of an investigation and can make or break a case. NetAnalysis allows you to quickly, efficiently, and comprehensively forensically analyze hard to get at web browsing system files to recreate browsing history and optimize your evidence results.
]]>Given the evolving intrusive nature of e-discovery and electronic investigations it will likely become more commonplace for employees, executives, and investigation targets to attempt to gain some "perceived" preemptive privacy by the use of password protection on electronic files.
For example, in a trade secrets case you may find a suspicious password protected PDF file as an attachment in an email in the Outlook "sent box" of a top research scientist employee and that scientist is no longer around or cooperative. Access to the contents of the “locked” PDF file may be crucial to determine if the employee sent the competitor trade secrets.
In another more benign example, a top executive may have misplaced login information to a key Windows server hosting a document production in a pending litigation. Ethically hacking the “locked” Windows server to gain access to the stored files can save a huge amount of time and money in the document production process.
Needless to say that investigators and attorneys should be careful to fully evaluate lawfulness in the given context before deciding to “crack” the password to a target file or operating system. There are numerous state and federal laws which may prohibit unauthorized access to files and systems including, but not limited to, the Federal Computer Fraud and Abuse Act, the Federal ECPA, and state privacy, anti-spyware, and anti-hacking statutes like California's Consumer Protection Against Computer Spyware Act.
You may need to use brute force, dictionary attack, or “common vulnerability” techniques to crack the passwords of and gain access to the contents of a target file or system.
Here is a shocker for many non-tech lawyers and investigators – most of the popular file format and operating system passwords can be hacked in minutes using techniques like “brute force” or “dictionary attacks” amongst others. Indeed, researcher Philippe Oechslin developed such an optimized brute force cryptanalytic technique that he was able to hack Microsoft Windows password hashes in about 13.6 seconds.
Common vulnerability access to password protected files is both a recognized method of ethical hacking as well as a national security risk and thus the Department of Homeland Security National Cyber Security Division has created the National Vulnerability Database where you can query a large number of cyber security vulnerabilities for appropriate purposes.
Unless you have a lot of time on your hands if you need to gain lawful access to a password protected data file or system you will be better served to use an existing “ethical hacking” software tool which usually contains sufficient heuristics, from years of research, to determine an optimized method of cracking the password to a given file format or system.
The Elcomsoft Password Recovery Bundle is a comprehensive software package that allows authorized users and investigators to crack password protection and gain access to a large number of common business software file formats and operating systems including: