Access all areas

AccessData CEO Tim LeeHealey

Tim LeeHealey is CEO of pioneering US forensic firm AccessData, which creates solutions that address criminal and internal investigations, ediscovery and information assurance. On a visit to Sydney to attend a seminar for forensic investigators, LeeHealey took some time out to discuss the status of digital investigation and ediscovery with IDM.

IDM: Tim, how did you get to your current role at AccessData?

TL: I was in investment banking before I joined and invested in Guidance Software which at that point was maybe a 50-70 person company. We grew it until it was by far the leading forensics provider, but I got to a point about three years ago where I didn’t necessarily agree with the vision of the company and so I left. I then took the money I had made and I invested in AccessData and, you know, three years later, here we are.

IDM: You’re operating in Australia and setting up a local division. Are there differences between the US and Australia?

TL: There are certainly differences in every market but I would draw a common thread through former colonies of England. The fact is all these countries adopt the same basic court system, the same basic equaliser of sort of every entity and you can all sue and resolve your issues in court and so within those markets we see the same basic dynamic over and over and over again. The real difference comes when you start to move to, you know, central European and Asian countries. And Latin American frankly, those are very different.

IDM: Are US firms more prepared because of the more widespread awareness that you must be able to produce any email or any document at any time?

TL: Maybe Australia is a little bit, and I would measure this in a matter of months versus years, a little bit behind the US because of course we had our federal rules of civil procedure go into effect several years ago which basically forced companies to adopt, but we actually look at the Australian market as a pretty progressive market frankly. I mean the conversations we’ve been having, the conversations I hear about are every bit as forward thinking as the ones we hear about in the States.

IDM: How dependent are your tools on the extent to which an organisation has its data act together? Are they able to suck in everything no matter where it’s located or how it’s managed, whether on servers or backup tapes?

TL: Our software relies on the information being accessible on the network, backup tapes represent something that effectively is off the network. So you would need a partner to expose those to the network, then we could search them. The advantage of AccessData’s ediscovery technology is that you don’t have to be organised. You could have a Wild, Wild West because the way discovery works, the obligation is, if you will, not all on the company. The opposing counsel needs to in some way provide guidance, and in the case of discovery that comes in the form of identifying custodians. I as the opposing counsel want all access to the information on these 50 people. At that point you can react to the discovery and sort of, okay so I’m going to go out and I’m going to push an agent or I’m going to go through the network share and suck down their information and then search it reactively. That’s a real powerful thing about AccessData’s technology, it allows you to do an investigation reactively or proactively. It’s not atypical to have a list of let’s say 50 or 100 key targets. These are the executives that get named in every single litigation. You set up the software to pre-index everything on those drives. So before you walk into what we call a 26(f) meeting, that’s the meet and confer where you go and you talk to opposing counsel about what is going to be agreed on in the realm of discovery, you can actually go and pre-search these 50 or 100 people you think are critical, you’ve got them pre-indexed.
So before you go into that meeting you have a good idea what type of information you have that can be horse-traded over. Likewise if another 100 get named you can put those into the software and go reactively search them. The competitive differentiation versus other ediscovery tools is awesome, because the fact is most tools, in fact almost every one I can think of that is a competitor in this market, requires that you effectively index all of the data, it can’t reactively search. So if you’re a global 1000 company and you adopt one of their solutions, effectively you have to pre-index the entire network. Which is of course not doable.
If you have a petabyte worth of information on your network, and that’s small for a global 1000, you’re going to have an index at least a third that size, you know, and so now you’re talking about a solution where it’ll cost you $5 million to buy and another $4 million to buy the storage for the solution and, oh by the way, you have to update the indexes on a constant basis. It’s just not a viable solution which is why we’ve seen such dramatic growth within ediscovery for us, ’cause we go with this hybrid approach, it’s got all the workflow you need and allows you to search.
Another reason why I’d say we speak so well to IT versus selling strictly to consultants, which a lot of players in this market do, is you can turn the software on its head. Why only search for ediscovery? Why only search when you’re told to? Let’s say you have a PCI audit you have to perform, well this is a searching technology. Yes, we have the ability to do stuff that is very natural for the ediscovery market, but there’s no reason you can’t put in PCI-type searching, search your network for PCI compliance. You could likewise, if you’re an IT driven company and somebody leaves with critical intellectual property and you want to figure out what they did, what they were doing, that’s the forensics portion and, oh by the way, you don’t have to stop there. Okay, this guy had access to this intellectual property, it’s sensitive. This is clearly an issue, I want to go to my management and say not only did we see how he got it and all that kind of stuff, but here are the 10 other people that have it that shouldn’t. It’s just an investigation. We sell investigative software and that’s the kind of message we can bring to IT that gets them so excited about it. They start to see all the different possibilities.

IDM: Is the market broadening beyond just forensic investigation? When you look at something like Symantec with its endpoint security products which it sells as an IT infrastructure tool. Is that something you see as a competitor?

TL: No. It’s interesting. All these technologies, the Symantec endpoint, McAfee EPO type infrastructure, they provide their technology and all their capabilities in a reactive security manner. Which is good if you want the node to beep if it thinks something funky is going on that might be a security issue. But if you ever want to turn the matter on its head and take an investigative approach you have no capability of doing that anywhere within their suite. And so we partner with McAfee, we talk extensively to Symantec because not only do they know they can’t do that, they have no intention to do that. Investigations are fundamentally different than proactive endpoint security. And so we see them as great partners, we like to work with them. We have never, ever in the history of this company run across them in the context of a deal. Even as we broaden out and start to talk about security investigations, so Symantec, McAfee, all these companies throw off alerts through an ArcSight SIEM, an intrusion detection system (IDS) or whatever. But they actually provide the individual no real mechanism for investigating that alert. And so we actually do see a rapid broadening of the investigative market and while there are competitors, the big security companies are not both, they’re not in it in any way, shape or form.

IDM: What does the future hold for AccessData?

TL: The investigative market, not just ediscovery, but forensics and investigative, is filled with a number of different disciplines. And you have all these different constituents, if you will, that want to perform investigations for different reasons. And you have point companies developing in each specific area. And the theory, the philosophy, if you will, of AccessData is that above all forensics is the best foundation upon which to build because it’s accepted in court, it’s the most thorough of all the foundations and then what you need to build is basically a platform, if you will, and then host out to different constituents the information they want to see with the workflow and the manner in which they want to see it.
Our Forensic Toolkit (FTK) is recognised around the world as the standard in computer forensics investigation technology. FTK is a very hard core forensics technology, but you can process it up in a central database and then serve it out to legal in a real friendly, Web-based review tool. You could also serve it up to HR if it’s an internal investigation using an equally simple Web interface. Or you can serve it up to a business analyst with a forensic set of tools, to enable them to solve their business problems.
So the point is we’re trying to effectively converge, if you will, all these different investigative markets with easy purpose-driven workflow, centralised backend and the ability to grab data regardless of the data source. That’s where AccessData is going.
I think we’ve made a huge step already in that direction. And I think that’s why we’ve had so much success in the forensics world. It’s because people see okay, I’m a forensics practitioner but let’s be honest, 50% of my work is forensics, the other 50% is preparing this data to show to legal, whether they be a prosecutor or internal counsel or something like that.
And so they see that the AccessData structure leads them to being able to easily accomplish their forensics vision but then also allow legal to look directly in and get the information the way legal wants to get it. And I think that’s why we’ve had so much success early on in the forensics space.