Litigation Support Computer Forensics Challenges

Friday, 13 November 2009 01:41 by mswarz

Most litigation support staff understand the basic challenges of electronic discovery. However, while many forensic methods are used in e-Discovery, computer forensics is a unique discipline.

“[F]orensic science is the application of a scientific discipline to the law, the essence of all forensic disciplines concerns the principles applied to the detection, collection, preservation, and analysis of evidence to ensure its admissibility in legal proceedings. Computer forensics refers to the tools and techniques to recover, preserve, and examine data stored or transmitted in binary form.” 
— Kenneally, Erin, “Computer Forensics,” The Magazine of Usenix & Sage, August 2002, Volume 27, Number 4

This article will focus on practical issues faced by litigation support professionals when computer forensics techniques and analysis are required. The use of computer forensics has almost always been confined to criminal cases, but it can be very useful in civil cases as well. The biggest mistake litigation support personnel make in evaluating their need for forensics is looking to their internal IT departments for forensic support.

Understanding Where Forensics Will Be Useful

(a) Collections. In the context of civil litigation, computer forensics is most frequently used in the collection of evidence. Forensics experts are trained in acquisition methods that ensure the authenticity of evidence. The mere act of turning on a computer causes information to be written to the computer’s hard drive. The forensics expert gathers the information from the computer using special hardware and software tools that ensure no changes are made to the data stored on the computer. In many litigation matters, evidence is collected by in-house IT staff, not by forensics experts. This method of collection always results in the loss of some metadata. This metadata is not always material to the lawsuit; however, the best way to ensure that the evidence collected is forensically sound and admissible in court is to have it collected by forensics experts or technicians trained in forensic acquisition methods. The EDRM model does not specifically require forensic collection, but forensic collection – whether of a full hard drive or simply of logical files – works well for the collection phase of the EDRM.
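The metadata loss described above, as an added example that is not from the article: a plain file copy of the kind an untrained staffer makes is compared with a copy that carries the file-system timestamps along. It uses only the Python standard library; the sample file and its 2009 modification time are constructed here.

```python
"""Added example (not from the original article): show why a plain
file copy is not a forensically sound collection. The content hash of
every copy matches, yet the naive copy has lost the file's modified
time, which is exactly the kind of metadata a timeline relies on."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# A modification time well in the past (constructed), so a rewrite is obvious.
ORIGINAL_MTIME = datetime(2009, 11, 13, 1, 41, tzinfo=timezone.utc).timestamp()


def sha256_of(path):
    """Hash the file contents; a hash authenticates content, not metadata."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_collections():
    """Copy one constructed 'evidence' file two ways and report what survives."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "memo.txt")
    with open(original, "w") as f:
        f.write("Constructed sample memo.\n")
    # Back-date the file so its modified time carries information.
    os.utime(original, (ORIGINAL_MTIME, ORIGINAL_MTIME))

    # Collection 1: a naive copy, contents only.
    naive = os.path.join(workdir, "memo_naive.txt")
    shutil.copyfile(original, naive)
    # Collection 2: contents plus stat metadata (timestamps, mode bits).
    preserved = os.path.join(workdir, "memo_preserved.txt")
    shutil.copy2(original, preserved)
    # Even copy2 falls short of a forensic acquisition, which images the whole
    # drive behind a write blocker (keeping slack space and deleted files) and
    # hashes the image so it can be re-verified later.
    result = {
        "content_hash_matches": sha256_of(original) == sha256_of(naive) == sha256_of(preserved),
        "naive_mtime_preserved": int(os.stat(naive).st_mtime) == int(ORIGINAL_MTIME),
        "preserved_mtime_preserved": int(os.stat(preserved).st_mtime) == int(ORIGINAL_MTIME),
    }
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    for key, value in compare_collections().items():
        print(f"{key}: {value}")
```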

(b) Analysis. Forensic analysis can obtain considerable information from a hard drive. It is often possible to recover deleted files, and in many cases even deleted and reformatted partitions. The date a file was created, by whom, when it was changed, whether it was copied to an external drive, and whether it was sent by email may all be recoverable. Forensic techniques can often identify and break encryption, or find information that was deliberately hidden with tools such as steganography (hiding documents in pictures). In addition to criminal cases, forensic analysis can be useful in a number of civil cases, particularly where fraud is at issue, where timing is critical, or where lost documents are needed. Forensic analysis can be very useful in cases of intellectual property theft and in actions for wrongful termination.

Finding Forensic Experts

Most litigation support personnel are very familiar with methods for finding experts. One additional consideration for forensics is forensic-specific certifications. There are a number of certifications, both third party and from vendors. The Computer Forensics Certified Examiner (CFCE) for law enforcement personnel and the Computer Certified Examiner (CCE) (the CFCE for non-law enforcement personnel) are respected vendor-neutral certifications. Another frequent certification is the Global Information Assurance Certification Certified Forensics Analyst (GIAC-GCFA), which is primarily connected to the SANS Institute programs. The EnCase Certified Forensic Examiner (“ENCE”) is a vendor certification, but it is well regarded because it involves both a written and a practical exam, and because EnCase is the most frequently used forensic acquisition and analysis software.

Understanding the Limitations of Computer Forensics

Many forensics experts fear the “CSI Effect”: the belief, acquired by many people from watching CSI on TV, that forensics is infallible and instantaneous. On CSI the forensic analyst turns on the computer, guesses the password as the suspect’s daughter’s name, and magically all data on the computer is easily accessible. Computer forensics is incredibly powerful in its own way, but it is often painstaking and tedious. The analyst frequently must spend hours studying a hard drive, looking at hexadecimal data, counting the bits and bytes forward and back, in order to find the hidden information. If a password is involved and it is cracked, that is usually just a starting point for the investigation.

Understanding That IT is Not Computer Forensics

Because forensics is a discipline of its own, the IT staff is not likely to be forensically trained. Many times the IT staff will want to look at a hard disk with data recovery tools, but they are not forensics analysts. One of the ways in which evidence is often damaged is when IT staff start poking through disks without using write blockers. IT staff lack the training to get the information while leaving the original intact, and they lack the training to do in-depth analysis. They may know quite a bit about file systems, but they are unlikely to have had the in-depth training into all the virtual crevices on a hard drive that is the province of a forensic analyst.

Conclusion

Whether using it as part of e-Discovery, or as a key tool in proving a case, computer forensics can be extremely valuable in litigation. The key is to use forensic collection methods, be aware of what forensic analysis can provide, be aware of what it cannot provide and make use of the right experts.


Concept Searching to Manage Discovery

Wednesday, 9 September 2009 03:46 by mswarz

Your client’s dreaded day has arrived.  His or her beloved company has been subpoenaed, sued, or threatened with impending litigation.  Chances are your client’s first thought will not be wondering about exactly where the company keeps its electronically stored information (ESI).  But it should be.  All litigation provides for a discovery period, in which evidence will be sought by the opposing party.  In the not so distant past, document production consisted solely of making available or reproducing paper records, such as agreements, contracts, letters, and miscellaneous financial information.  Not so today.  According to a recent University of California, Berkeley survey, 93% of all information is now created in an electronic format.  Considering email alone, the average user can easily generate between 50,000 and 100,000 documents per year.  With numbers like these, it is no wonder that electronic discovery has become a matter of acute focus, the goal being to find a way to effectively manage and sift through massive amounts of electronic data to locate the key information.

Traditional Search Methodologies

Not too long ago, attorneys would comb through repositories of electronic evidence in one of two distinct ways.  The first involved conducting electronic searches using relational or Boolean methods, which searched for words insofar as they connect to one another.  The second was via keyword searches, which simply targeted a known term.  Both methods have been used beneficially for many years by attorneys; they are well understood and generally accepted.

Relational and keyword searches, however, have their drawbacks as well.  These searches can recognize only electronic data that contains the specific search words, either individually or in tandem.  Each method is thus incapable of recognizing documents that contain similar terms or variants that do not exactly match the chosen search terms.  Examples of missed items are initials, misspelled words, nicknames, and synonyms.

Jacques Nack Ngue, founder and lead ediscovery specialist at eClaris, Inc., has commented that relying solely on Boolean or keyword-search technologies, without employing other search methods that have been developed, “is akin to using a typewriter when computers are available and accessible.”  Litigators that fail to leverage these new possibilities run the risk of being out-searched by more technologically savvy opponents.  Whereas traditional search methods are adequate for small databases, Ngue emphasizes that they are invariably lacking when dealing with the legal analysis of massive databases involving complex queries.  There must be, and is, another more thorough, more powerful alternative.

A Third Way — Concept Searching

Given the limitations of mere keyword and Boolean search methods, the legal industry has recently turned to “concept searching” as a potential solution.  The vendors of this technique maintain that concept searching has the power to more effectively and efficiently winnow out the handful of significant documents from millions of pages of electronic discovery.  The primary advantage is that this method, if effectively used, can significantly reduce the need for laborious and expensive page-by-page attorney review.

As one might imagine, some concept-search technologies are better than others.  In order to determine whether a specific technology is a viable option, it is first instructive to understand how it operates.  Each concept-search technology will likely include some or all of the following three tools: (1) taxonomy abilities; (2) clustering functions; and (3) Bayesian markers.

“Taxonomy abilities” enable the concept search to classify data containing subcategories of language or terminology.  In particular, this technique is used to categorize documents containing words that are subsets of issues directly relevant to a particular case.  As an example, if Major League Baseball were a relevant subject, taxonomy abilities could also identify documents that use such terms as “Yankees,” “Dodgers,” and “Cubs.”  Taxonomy abilities are vital for effectively pinpointing and managing large volumes of subset relationships. 

A second tool is “clustering functions.”  This technique operates in a manner directly opposite to the conventional Boolean and keyword search techniques, which recognize potentially relevant data by directly identifying terms, either individually or within a defined relation.  Conversely, clustering functions use mathematical relationships, which make it possible to identify data containing a penumbra of words grouped or clustered together in pertinent categories.  In essence, via the use of clustering functions, documents are selected based on the greater or lesser likelihood that their overall terminology pertains to a relevant topic; the more words a document has that correspond with the collection of relevant terms, the greater the likelihood the document relates to the same topic and is thus relevant to some important issue in the litigation.

Third, there are “Bayesian markers.”  Named after the 18th century statistician Thomas Bayes, Bayesian markers involve the use of probability to identify relevant documents.  They make the most of skilled assumptions about the probable significance of data, based on the case history of spotting relevant documents.  Bayesian search results are sorted and positioned according to the predicted probability that certain kinds of documents are significant to the litigated issues.
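A toy model of the three tools just described, added here as an example that is not from the article or from any vendor’s product: a taxonomy expands a case issue into its subset terms, a clustering score measures how much of a document’s vocabulary falls within those terms, and a Bayesian marker learns from documents a reviewer has already coded. The taxonomy, sample documents and review labels are all constructed, and the Bayesian marker is implemented as a small naive-Bayes classifier, which is one reading of the paragraph above rather than any product’s method.

```python
"""Added example, not from the article or any vendor: a toy model of the
three concept-search tools (taxonomy, clustering, Bayesian markers)
beside a plain keyword match. Everything below is constructed data."""
import math
import re
from collections import Counter

# (1) Taxonomy: a case issue mapped to the subset terms that fall under it.
TAXONOMY = {"major league baseball": {"yankees", "dodgers", "cubs", "mlb"}}

# Case history for (3): documents a reviewer has already coded relevant or not.
REVIEWED = [
    ("the yankees and dodgers series drew record crowds", True),
    ("cubs ticket revenue fell this season", True),
    ("please approve the travel expense report", False),
    ("lunch menu for the quarterly meeting", False),
]

def tokens(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def keyword_hit(doc, term):
    """Boolean/keyword search: relevant only if the literal term appears."""
    return term.lower() in doc.lower()

def taxonomy_terms(issue):
    """Expand an issue into its own words plus the taxonomy's subset terms."""
    return set(tokens(issue)) | TAXONOMY.get(issue.lower(), set())

def cluster_score(doc, issue):
    """(2) Clustering: share of the document's words that fall in the relevant term set."""
    words = tokens(doc)
    hits = sum(w in taxonomy_terms(issue) for w in words)
    return hits / len(words) if words else 0.0

def bayesian_marker(doc, reviewed=REVIEWED):
    """(3) Bayesian marker: naive-Bayes log-odds of relevance learned from reviewed docs.
    Positive means 'more likely relevant than not'; use it to rank the review queue."""
    present = {True: Counter(), False: Counter()}
    n_docs = Counter(label for _, label in reviewed)
    for text, label in reviewed:
        present[label].update(set(tokens(text)))   # count documents, not occurrences
    vocab = set(present[True]) | set(present[False])
    log_odds = math.log(n_docs[True] / n_docs[False])   # prior from the case history
    for w in set(tokens(doc)) & vocab:
        # Laplace smoothing keeps a word unseen in one class from zeroing the odds.
        p_rel = (present[True][w] + 1) / (n_docs[True] + 2)
        p_irr = (present[False][w] + 1) / (n_docs[False] + 2)
        log_odds += math.log(p_rel / p_irr)
    return log_odds

if __name__ == "__main__":
    doc = "the yankees and dodgers series drew record crowds"
    print(keyword_hit(doc, "major league baseball"), cluster_score(doc, "major league baseball"))
```

The keyword search misses the Yankees/Dodgers document entirely because the phrase “major league baseball” never appears in it, while the taxonomy-backed cluster score and the Bayesian marker both surface it.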

So, Which Approach Wins The Day?

Concept searching seems promising.  The breadth, efficiency, and exactness that can be potentially accomplished by using this technology are truly remarkable.  Nonetheless, many have wondered if concept searching is superior to the aforementioned Boolean and keyword approaches.

There is a reason that Boolean and keyword searching have become standard: prevalence.  All of the major legal-research search engines, such as Lexis Nexis®, Loislaw® and Thomson-Reuters Westlaw®, use these search technologies.  As a result, both court and counsel are quite familiar with the way they operate.  In addition, these searching techniques are straightforward and readily understandable.

The simplicity of Boolean and keyword searching, however, cuts both ways.  Boolean searches can interrogate only the data containing specific, pre-identified terms.  In other words, before a document can be identified as relevant, the attorney must identify in advance each and every specific word that will be searched for.  In reality, of course, people communicate with a variety of terms.  This limitation of Boolean and keyword searching almost guarantees that relevant data will be passed over.  Moreover, keyword searches can be over-inclusive.  Keyword searches necessarily target every single document containing the chosen term, regardless of whether the term’s actual use in context is relevant to the case.

By comparison, concept-searching tools do not rely on identifying the mere presence of specific terms within a given document.  Instead, concept searching is smarter than that, for it includes techniques for determining whether a word’s use in context is likely to be relevant.  As a result, for analyzing massive electronic databases, concept searching is capable of identifying highly relevant information that keyword and Boolean searches cannot identify.

That said, there are nevertheless drawbacks to concept searching.  In particular, the possible benefits of concept searching must be weighed against the cost, both in money and in resources, necessary to employ the method.  For example, concept-search techniques, like Boolean and keyword searches, can and often do yield many documents that are not truly significant.  Counsel must, as always, weigh the costs and benefits.

The Verdict

While concept-search technologies potentially exceed the performance of Boolean and keyword searches, their time has not yet arrived.  For effectiveness, speed, and accuracy, as of today nothing beats Boolean and keyword searches, especially when employed in iterative progressions, in which subsequent searches further winnow previous search results.  Yet for highly significant matters involving millions of pages of electronic data, concept-search technologies are worth deploying, whether separately or in concert with keyword and Boolean searches.

The evidence introduced at trial is inevitably a product of the discovery process.  Even in complex lawsuits involving millions of pages of electronic data, a judge or jury can only view and digest a limited amount of data.  This limitation makes attorneys’ analysis of produced documents all the more important.  Given the proliferation of electronic data, winnowing out that handful of truly significant documents has become harder to accomplish.  When a lawsuit involves millions of pages of documents, attorneys who use smart search methods gain an advantage over attorneys who know only how to work hard.

In order to best employ advanced search methods, counsel should learn how the concept-search technologies operate and take into consideration their potential benefits.  In the end, the lawyer who better understands how to effectively identify the important documents may well win the day.

This article appeared in the Summer 2009 edition of Proof, the newsletter of the ABA's Trial Evidence Committee.


The Value of a Competent eDiscovery Provider

Sunday, 25 January 2009 14:15 by Admin

In a post this week on Information Week’s Information Management blog, Andrew Conry-Murray provides a case study of why legal departments should work closely with technology professionals from the moment the business or organization is implicated in a lawsuit – even if the entity is not itself a party to the suit. http://www.informationweek.com/blog/main/archives/2009/01/the_6_million_m.html.

The Office of Federal Housing Enterprise Oversight (OFHEO) was subpoenaed to provide documents in Fannie Mae/Freddie Mac litigation. An OFHEO lawyer agreed to the plaintiffs’ search terms for eDiscovery of backup tapes. The plaintiffs submitted 400 search terms, which yielded 660,000 documents, 80 percent of the agency’s total e-mails. The OFHEO had to hire 50 lawyers to review the documents – many of which were entirely irrelevant – and in the process missed court-ordered deadlines to produce evidence. The court eventually held the agency in contempt, which it appealed and lost. All this cost the agency an unbudgeted $6 million, 9 percent of its annual operating budget.

This eDiscovery expense could have been avoided had the agency consulted IT professionals at the outset to help define the search terms.

What is your eDiscovery headache? Let us know and we’ll come up with a solution.
