Reviewing Documents in Formats where the Original Software is Unavailable

Wednesday, 14 October 2009 09:29 by slkatz

A simple but confounding problem with native file productions is the challenge of reading files in formats for which the receiving party does not have the native software.  This can involve extracting word processing documents from old or obsolete programs like DOS Wordstar or obtaining tables from a database created in Oracle or uncovering layers in a picture created in Photoshop.  There are a number of ways in which this information can be reviewed without the necessity of purchasing or finding a copy of the original software.

1.  Software that can Read ASCII

Just about any forensics software (for example EnCase or FTK), ediscovery processing software (for example Law or Nuix), or hex editor can interpret ASCII text and make it readable as text.  The content of most email messages and word processing documents can be read as ASCII text.  The disadvantage of this approach is that the original formatting of the underlying document will be lost, but most of the time the content is where the evidence is located.
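As an added illustration (not code from this post or from any of the tools named above), here is the kind of printable-ASCII scan such software performs, with an option to clear the high bit of each byte first. Old DOS WordStar document files set that bit on some text bytes, so a plain 7-bit scan returns clipped words; the function names and the sample bytes are constructed for this example.

```python
import re

def extract_text_runs(data: bytes, min_len: int = 4, strip_high_bit: bool = False):
    """Return (offset, text) for every run of printable ASCII at least min_len long.

    strip_high_bit clears bit 7 of every byte first, which recovers words from
    files that flag characters with that bit. It also turns arbitrary binary
    bytes into printable ones, so expect more noise on non-text regions.
    """
    if strip_high_bit:
        data = bytes(b & 0x7F for b in data)
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def wordstar_like(text: str) -> bytes:
    """Constructed sample data: set the high bit on the last letter of each word."""
    out = bytearray()
    for word in text.split(" "):
        raw = bytearray(word.encode("ascii"))
        raw[-1] |= 0x80
        out += raw + b" "
    return bytes(out[:-1])

# Constructed input: binary header, two lines of flagged text, a soft line break.
SAMPLE = (b"\x00\x1a\x00" + wordstar_like("Meeting notes for Friday")
          + b"\x8d\x0a" + wordstar_like("Budget approved") + b"\x00\x00")

if __name__ == "__main__":
    for label, flag in (("plain 7-bit scan", False), ("high bit stripped", True)):
        print(label)
        for offset, text in extract_text_runs(SAMPLE, strip_high_bit=flag):
            print(f"  0x{offset:04x}  {text!r}")
```

Reported offsets refer to the original file, so a hit can be located again in a hex editor.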

2.  Viewers

There are a number of file viewing applications; examples are Hijaak and Evince.  Hijaak was developed primarily to view various graphic formats.  Evince is an open source program developed to read various document formats.  One of the most powerful viewers is Outside In technology, which is available from Oracle as a developer kit and is incorporated by software vendors into their products.  Outside In is incorporated into recent versions of EnCase.  Thus, a forensic analyst reviewing a document in EnCase can view and, if necessary, carve out documents in any of the 500 plus formats supported by Outside In.

3.  Installs from Original Image

Often people download software and store the original install image somewhere on their hard drive.  Many companies keep their corporate install images located on the corporate servers.  If an analyst obtains the original install image from the server or the original disk, then the software can be installed on the computer being used for review.

4.  Quasi Native Format

Another option is to convert the file into a format that is readable and equivalent as part of the ediscovery processing.  This mostly applies to databases and spreadsheets.  Thus, if data is produced in an Oracle format, it may be possible to convert it into an Access database.  Similarly, if data is in spreadsheet format, it may be translatable to a different spreadsheet or convertible into comma delimited format.

5.  Open Source and Freeware Alternatives

There are open source and freeware alternatives to the original product.  Open Office is a widely known example.  Microsoft Office documents can be read by the Open Office software, which is available for free.  Another very useful open source program is Gimp.  Gimp is a Photoshop clone.  If one needs to review a document created in Adobe Photoshop and needs to unpeel layers in the photo, it isn't necessary to purchase Photoshop; the Photoshop layers can be revealed by opening the document in Gimp.

 

 

 


Protective Order for Not Reasonably Accessible Data in California?

Saturday, 10 October 2009 02:21 by slkatz

The question has come up several times recently whether it is necessary to file for a protective order when objecting to the discovery of not reasonably accessible data.  When I looked at the MCLE presentation that we do from Eclaris, I saw that our presentation on this point is ambiguous. To be clear, the current rule does not require a protective order in order to preserve an objection:

 "2031.210(d) If a party objects to the discovery of electronically stored information on the grounds that it is from a source that is not reasonably accessible because of undue burden or expense and that the responding party will not search the source in the absence of an agreement with the demanding party or court order, the responding party shall identify in its response the types or categories of sources of electronically stored information that it asserts are not reasonably accessible. By objecting and identifying information of a type or category of source or sources that are not reasonably accessible, the responding party preserves any objections it may have relating to that electronically stored information."

The current confusion in California seems to arise because an earlier version of the ediscovery law, which was vetoed by Governor Schwarzenegger, would have required a protective order (it was vetoed for an unrelated reason when the Governor was vetoing everything due to a budget dispute).  In her blog at FIOS (http://www.discoveryresources.org/library/case-law-and-rules/ca-new-rules-inaccessible-protective-order-gone/), Mary Mack has clarified this point.  The confusion created by the earlier version and subsequent change seems to be fairly widespread.

Fortunately, reason (and someone's experience) prevailed in the final bill.  It is now clear that, in objecting, what is needed is to identify the type or category of source or sources that are asserted to be not reasonably accessible.  This should suffice to preserve the objection.

 

 

 

 


Forensic Collection for Preservation of Custodian Desktop

Friday, 2 October 2009 09:19 by slkatz
Sometimes IT departments become very concerned when receiving litigation hold letters.  It isn't always easy to manage users and keep them from deleting documents.  Doing a forensic collection of the custodian's desktop can be an excellent way to alleviate some of these concerns with only minimal business disruption.  When a technician takes a forensic collection, the entire hard drive, including the deleted files, slack space, and unallocated space, is included in the image.  The image is checked for consistency and authenticity against the original, and the image meets the requirements of "Best Evidence" under the federal rules.  The analyst can take the forensic image and store a copy, to be left untouched on a server.  The subsequent analysis to search for files and email to produce can be done away from the custodian's office.  If the scope of discovery later expands, the full disc has been preserved.  This can save dozens of hours in attorney time, going back and forth on the phone, inquiring about files that were later determined to be relevant.  It also allows the option of doing a deeper forensic analysis should one become necessary, and it reduces the risk of spoliation because there is a reference copy of the original disc available.
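The check of an image against its original is commonly done by comparing cryptographic hashes. The following is an added example, not code from this post or from any imaging tool: it assumes a raw (dd-style) image, uses SHA-256, and reports the offset of the first block that differs; the file names, block size and data are constructed.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # 1 MiB; an arbitrary choice for this example

def digest_blocks(path, block=BLOCK):
    """Stream a file once; return (overall SHA-256 hex, list of per-block SHA-256 hex)."""
    overall = hashlib.sha256()
    per_block = []
    with open(path, "rb") as fh:
        while chunk := fh.read(block):
            overall.update(chunk)
            per_block.append(hashlib.sha256(chunk).hexdigest())
    return overall.hexdigest(), per_block

def verify_image(source_path, image_path, block=BLOCK):
    """Compare an image to its source and locate the first differing block, if any."""
    src_hash, src_blocks = digest_blocks(source_path, block)
    img_hash, img_blocks = digest_blocks(image_path, block)
    result = {"source_sha256": src_hash, "image_sha256": img_hash,
              "match": src_hash == img_hash, "first_bad_offset": None}
    if not result["match"]:
        for i, (a, b) in enumerate(zip(src_blocks, img_blocks)):
            if a != b:
                result["first_bad_offset"] = i * block
                break
        else:
            # Every shared block matched, so one file is simply longer.
            result["first_bad_offset"] = min(len(src_blocks), len(img_blocks)) * block
    return result

def demo():
    """Constructed data: a 16 KiB 'drive', a faithful image, and one with a flipped byte."""
    data = bytes(range(256)) * 64
    damaged = bytearray(data)
    damaged[9000] ^= 0xFF
    with tempfile.TemporaryDirectory() as d:
        paths = {name: os.path.join(d, name) for name in ("source.dd", "good.dd", "bad.dd")}
        for name, content in zip(paths, (data, data, bytes(damaged))):
            with open(paths[name], "wb") as fh:
                fh.write(content)
        return (verify_image(paths["source.dd"], paths["good.dd"], 4096),
                verify_image(paths["source.dd"], paths["bad.dd"], 4096))

if __name__ == "__main__":
    for report in demo():
        print(report["match"], report["first_bad_offset"], report["image_sha256"])
```

Recording the source hash at acquisition time lets the stored copy be re-verified later without access to the original drive.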


Federal Agencies

Wednesday, 30 September 2009 07:37 by slkatz

I was just writing an article on Computer Forensics for the Federal Lawyer magazine.  In the days when I was a federal government lawyer, ediscovery and forensics were not issues.  In 1982 I bought a Radio Shack Model 100 portable computer and communicated with our office minicomputer by dialing in with a 300 baud modem.  In 1984 when I was leading a team writing regulations under the Comprehensive Environmental Reform Compensation and Liability Act (CERCLA), we had an IBM XT  for the entire team.  It had a 5 MB hard drive and was maybe one of five personal computers in the entire department.  What we know of today as ediscovery and forensics could actually be applied to the old mini computers we had, but at that point the volume of material was small.  If anything had to be produced we printed it.

Federal agencies get a certain degree of protection because many cases are "on the administrative record".  However, there are still many times when government lawyers have to do broader discovery.  There are also criminal cases, civil service cases, civil rights cases and many other kinds of cases where the government must provide discovery.  Ediscovery rules apply to the federal government the same as everyone else.  Life as a government lawyer presents an entirely new set of challenges.  So many government records are computerized that some government lawyers must be experiencing ediscovery as quite a nightmare.


Data Volumes

Tuesday, 29 September 2009 07:37 by slkatz
As a young associate almost thirty years ago I worked on an antitrust case that involved what at the time seemed like an incredible volume of over one million pages of documents. The law firm rented empty office space and filled an entire room with boxes of documents. I supervised a team of three paralegals and we spent months in that office, reviewing, selecting, redacting and Bates stamping. We thought it was a massive project.

Today a one GB file can contain as many as 65,000 pages of Word documents or 750,000 text documents. Ninety six to ninety nine percent of business documents are created on computers. Budget computers have hard drives of 160 GB. Many cases today involve volumes of evidence that are thousands of times greater than what I once thought was a huge case.


Forensics vs. Ediscovery

Tuesday, 29 September 2009 07:34 by slkatz
There are a lot of posts around the web on the differences between Computer Forensics and Ediscovery. I've spent a lot of time thinking about this, and it seems to me that there are clear areas of difference - most forensics involves in-depth analysis of one hard drive. Ediscovery usually involves readily available information across networks or groups of custodians.

But I'm really having trouble with the way that documents are collected for Ediscovery much of the time. When I do a forensic collection I take several carefully documented steps to ensure the authenticity of what I collect and to maintain the chain of custody. Ediscovery often involves the undocumented, non forensic collection of loose files and emails. If someone gives me a Word document that they simply copied onto a thumb drive it may have the OLE data, but I've lost any meaningful file system or operating system data, I can't verify the times on the documents and there isn't much that can be done with it forensically.


Easy Way to Read White Papers

Tuesday, 29 September 2009 07:33 by slkatz
There are an incredible number of really interesting white papers available free on the web that are great ediscovery and forensics resources.

Some of my favorite places to find them are:

http://www.guidancesoftware.com/resources-whitepapers.htm

http://www.craigball.com/articles.html

http://www.fiosinc.com/e-discovery-knowledge-center/electronic-discovery-whitepapers.aspx

http://www.applieddiscovery.com/ws_display.asp?filter=White%20Papers%20%26%20Fact%20Sheets

I hate reading white papers on my computer, and I hate printing them. My solution - I load them onto my Sony Reader or Amazon Kindle.

The Sony Reader accepts the pdf documents in native format, but only the Kindle DX does. Sometimes though, the print is too small to read so I often prefer to convert the pdf to formats for the Kindle or Sony Reader. I rarely read books on my Kindle DX, but it has become a portable library of Forensics and Ediscovery papers.
