Ediscovery Vendors Caught Between Parties

Monday, 23 November 2009 08:02 by slkatz
In "EDD Tale: Caught in the Middle: Computer forensic examiners can find themselves the scapegoats in discovery battles," an article posted on November 23, 2009, Jason Krause discusses a case in which an ediscovery vendor found itself defending against a motion for sanctions.

http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202435729989&EDD_Tale__Caught_in_the_Middle

The article refers to the case Technical Sales Assocs., Inc. v. Ohio Star Forge Co., Nos. 07-11745, 08-13365 (E.D. Mich. May 1, 2009).  In that case Midwest Data Group was retained to search for certain terms in email.  When conducting its search, the company found no responsive email, but it also found evidence that 70,000 emails had been deleted immediately after the court's discovery order.  The vendor was supposed to produce its findings to the defendant, and it did report that it found nothing.  It then reported to the plaintiff that it had found evidence of spoliation in the 70,000 deleted files.  This led to the defendant's counsel seeking sanctions against the vendor.  One problem is that the vendor had no instructions regarding what to do in such a circumstance.  Vendors need clear, understandable instructions, and it may be advisable for them to participate in early conferences with counsel.  Another problem is that the vendor jumped to a conclusion: while the destruction of 70,000 emails immediately after a court order is suspicious, and best practice would have had the client suspend normal operation of its document destruction policy pending discovery, that destruction is not in and of itself proof of spoliation.  The vendor was also in an unclear situation regarding to whom it owed a duty: the court, or the defendant that was its immediate client.

This situation can create quite an ethical thicket, not just for the vendor but for counsel as well.  An attorney has an ethical obligation to disclose a fraud that its client perpetrates on the court.  Disclosure at some point may have been necessary, but before the vendor jumped the gun and reported a conclusion that spoliation had occurred, the vendor should have brought the evidence of destruction to its own client. 

In the Law.com article, Krause argues that the case supports the need for better training in forensics.  This doesn't seem like a lack of forensics knowledge on the part of the vendor.  It's pretty basic to know whether or not email was deleted.  Whether that deletion amounts to spoliation is a legal question.  While forensics experts should be expected to know the rules about evidence preservation, chain of custody and evidence handling, they should not have to be lawyers.  To me this case is a good lesson that the ediscovery or forensics vendor needs to be clear about what it is being asked to do.  There are also a number of ethical questions that need clearer guidelines within the nascent forensics profession.  The attorneys who retain the experts also need to make sure that their instructions are adequate.

Categories:   Articles | Data Forensics

Litigation Support Computer Forensics Challenges

Friday, 13 November 2009 01:41 by mswarz

Most litigation support staff understand the basic challenges of electronic discovery. However, while many forensic methods are used in e-Discovery, computer forensics is a unique discipline.

“[F]orensic science is the application of a scientific discipline to the law, the essence of all forensic disciplines concerns the principles applied to the detection, collection, preservation, and analysis of evidence to ensure its admissibility in legal proceedings. Computer forensics refers to the tools and techniques to recover, preserve, and examine data stored or transmitted in binary form.” 
— Kenneally, Erin, "Computer Forensics," The Magazine of Usenix & Sage, August 2002, Volume 27, Number 4

This article will focus on practical issues faced by litigation support professionals when computer forensics techniques and analysis are required. Computer forensics has historically been confined almost entirely to criminal cases, but it can be very useful in civil cases as well. The biggest mistake litigation support personnel make in evaluating their need for forensics is looking to their internal IT departments for forensic support.

Understanding Where Forensics Will Be Useful

(a) Collections. In the context of civil litigation, computer forensics is most frequently used in the collection of evidence. Forensics experts are trained in acquisition methods that ensure the authenticity of evidence. The mere act of turning on a computer causes information to be written to its hard drive. The forensics expert gathers the information from the computer using special hardware and software tools, typically a hardware write blocker and imaging software that records a cryptographic hash of the source and of the copy, so that nothing is changed on the computer and the copy can later be shown to match the original. In many litigation matters, evidence is collected by in-house IT staff rather than by forensics experts. That method of collection almost always alters or loses some metadata, such as file timestamps. This metadata is not always material to the lawsuit; however, the best way to ensure that collected evidence is forensically sound and admissible in court is to have it collected by forensics experts or by technicians trained in forensic acquisition methods. The EDRM (Electronic Discovery Reference Model) does not specifically require forensic collection, but forensic collection, whether of a full hard drive or simply of logical files, works well for the collection phase of the EDRM.

(b) Analysis. Forensic analysis can obtain considerable information from a hard drive. It is often possible to recover deleted files, and in many cases even deleted and reformatted partitions. When a file was created and by whom, when it was changed, whether it was copied to an external drive and whether it was sent by email are all potentially recoverable. Forensic techniques can often identify encrypted files and, where the password is weak or can be recovered from elsewhere on the drive, defeat the encryption; they can also find information that was hidden deliberately with tools like steganography (hiding documents inside pictures). Encryption with a strong, well-protected key is generally not breakable, so the analyst looks for the key or password rather than attacking the cipher. In addition to criminal cases, forensic analysis can be useful in a number of civil cases, particularly if there are issues of fraud, if timing is critical, or if lost documents are needed. It can be very useful in cases of intellectual property theft and in actions for wrongful termination.
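Recovering a deleted file is possible because deleting it normally removes only the directory entry; the bytes stay in unallocated space until overwritten. The following is an added illustration of that recovery technique (signature-based carving), not code from the original article or from any forensic product. It scans raw bytes for known file headers and footers, ignoring the file system entirely, and records offset, size and a hash of each object so the recovery can be documented. The "unallocated space" it scans is constructed inline, and the two signatures and size limits are illustrative assumptions.

```python
"""Signature-based carving of deleted files from raw bytes (added example)."""
import hashlib

# (header, footer, extension, maximum plausible size).  Real carvers carry
# hundreds of signatures and format-aware length rules; two are enough here.
SIGNATURES = [
    (b"\xff\xd8\xff", b"\xff\xd9", "jpg", 20 * 1024 * 1024),
    (b"%PDF-", b"%%EOF", "pdf", 50 * 1024 * 1024),
]


def carve(data: bytes) -> list:
    """Return carved objects as dicts sorted by offset.

    Each entry records where the object started, its size, whether its footer
    was found, and a SHA-256 of the carved bytes, so the recovery can be
    documented without relying on file system metadata (which, for a deleted
    file, is exactly what is gone).  Known limitation: a JPEG with an embedded
    EXIF thumbnail contains an inner FF D9, and a PDF with incremental updates
    contains several %%EOF markers, so a plain header/footer match can stop
    early; production carvers parse the format to find the true end.
    """
    found = []
    for header, footer, ext, max_size in SIGNATURES:
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            window_end = min(len(data), start + max_size)
            end = data.find(footer, start + len(header), window_end)
            if end == -1:
                # Tail overwritten: keep what is there, flag it as truncated.
                blob = data[start:window_end]
                found.append({"offset": start, "ext": ext, "size": len(blob),
                              "truncated": True,
                              "sha256": hashlib.sha256(blob).hexdigest()})
                pos = start + len(header)
            else:
                end += len(footer)
                blob = data[start:end]
                found.append({"offset": start, "ext": ext, "size": len(blob),
                              "truncated": False,
                              "sha256": hashlib.sha256(blob).hexdigest()})
                pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_unallocated() -> bytes:
    """Constructed sample: zero filler with a small JPEG-like object, a
    complete PDF-like object, and a second PDF whose tail was overwritten."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-bytes-here" * 4 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n" + b"stream data " * 10 + b"%%EOF"
    pdf_cut = b"%PDF-1.4\n2 0 obj<<>>endobj\n" + b"overwritten..."
    return filler + jpeg + filler + pdf + filler + pdf_cut + filler


if __name__ == "__main__":
    for obj in carve(build_sample_unallocated()):
        print(obj)
```

On a real matter the input would be the unallocated clusters exported from a verified image rather than the constructed blob; the truncated flag is what tells the reviewer that a recovered document may be incomplete.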

Finding Forensic Experts

Most litigation support personnel are very familiar with methods for finding experts. One additional consideration for forensics is forensic-specific certification. There are a number of certifications, both vendor neutral and vendor specific. The Certified Forensic Computer Examiner (CFCE), offered by IACIS to law enforcement personnel, and the Certified Computer Examiner (CCE), its rough equivalent for non-law enforcement personnel, are respected vendor neutral certifications. Another frequent certification is the GIAC Certified Forensic Analyst (GCFA), which is tied to the SANS Institute training programs. The EnCase Certified Examiner (EnCE) is a vendor certification, but it is well regarded because it involves both a written and a practical exam and because EnCase is the most widely used forensic acquisition and analysis software.

Understanding the Limitations of Computer Forensics

Many forensics experts fear the "CSI Effect", the belief many people get from watching CSI on TV that forensics is infallible and instantaneous. On CSI the forensic analyst turns on the computer, guesses the password as the suspect's daughter's name, and magically all data on the computer is easily accessible. Computer forensics is incredibly powerful in its own way, but it is often painstaking and tedious. The analyst often must spend hours studying a hard drive in a hex editor, working through the raw bytes offset by offset, in order to find the hidden information. If a password is involved and it is cracked, that is usually just a starting point for the investigation.

Understanding That IT is Not Computer Forensics

Because forensics is a distinct discipline, the IT staff is not likely to be forensically trained. Many times the IT staff will want to look at a hard disk with data recovery tools, but they are not forensics analysts. One of the ways in which evidence is often damaged is when IT staff start poking through disks without using write blockers; simply mounting a drive read-write can update timestamps and overwrite unallocated space. IT staff lack the training to get the information while leaving the original intact, and they lack the training to do in-depth analysis. They may know quite a bit about file systems, but they are unlikely to have had the in-depth training in slack space, unallocated clusters and the other virtual crevices of a hard drive that is the province of a forensic analyst.

Conclusion

Whether using it as part of e-Discovery, or as a key tool in proving a case, computer forensics can be extremely valuable in litigation. The key is to use forensic collection methods, be aware of what forensic analysis can provide, be aware of what it cannot provide and make use of the right experts.


Seventh Circuit Ediscovery Pilot Program

Thursday, 22 October 2009 03:06 by slkatz

The Seventh Circuit has adopted an ediscovery pilot program.  Its report is available here:  http://www.ca7.uscourts.gov/7thCircuit_ElectronicDiscovery.pdf and is well worth studying for guidance on how to handle ediscovery.  What makes this program unique is that it is actually being tested in live cases:

"Individual district court judges,magistrate judges, and bankruptcy judges in the Seventh Circuit have agreed to adopt the Principles and implement them in selected cases during the Phase One period. This will be done through entry of the [Proposed] Standing Order by the participating judges in the selected cases.  Once adopted as standing orders, the Principles will serve as supplemental procedural guidelines to be followed by litigants. The Principles' efficacy will then be evaluated and refined. Phase One of the pilot project will occur from October 2009 to May 2010. The Institute for the Advancement of the American Legal System at the University of Denver is developing questionnaires to assess the efficacy of the Principles. Questionnaires will be completed by the participating judges and by the lawyers who practice before the judges. The results of the IAALS's questionnaires will be presented at the 7th Circuit Annual Meeting in  May 2010. In May 2010, the E-Discovery Committee will also evaluate the efficacy of the Principles and refine them as appropriate. Phase Two will then proceed from June 2010 to May 2011. In May 2011,the E-Discovery Committee will then formally present its findings and issue its final Principles." p. 12

Identifying the problem with ediscovery, the report notes:

"Too often these exchanges begin with unhelpful demands for the preservation of all data, which often are followed by exhaustive lists of types of storage devices. Such generic demands lead to generic objections that similarly fail to identify specific issues concerning evidence preservation and discovery that could productively be discussed and resolved early in the case by agreement or order of the court. As a result, the parties often fail to focus on identifying specific sources of evidence that are likely to be sought in discovery but that may be problematic or unduly burdensome or costly to preserve or produce." p.9.

 The report attempts to clarify the specific steps to be taken to get cooperation from the attorneys, better define "inaccessible" data, apply a standard of proportionality, require appointment of an ediscovery liaison, and give specific suggestions for education of attorneys.

Categories:   Articles | Data Forensics

When Employees Leave - What about their data

Tuesday, 20 October 2009 08:27 by slkatz

When I was a General Counsel, we started a policy in my company of retaining the hard drive of a departing employee.  In some cases we would also copy the email store from the server and the network share to a DVD and keep a copy.  This isn't something we started out doing; we had a couple of employees leave to work for competitors, and we were pretty certain they had taken our proprietary data when they left.  Once we experienced that, we realized that we would have been better off having the original hard drive.  Forensic tools can capture whether data was copied onto an external drive, whether data was deleted, and can often recover deleted data.  If we had kept the hard drive, we would have been better able to substantiate our case that our intellectual property had been stolen.  Subsequently we kept the hard drives, and there were several instances over the next few years when referring back to them was useful, not just for purposes of potential litigation, but also to find records that were otherwise unavailable.

If I were still the General Counsel I would change this policy slightly and instead of just keeping the hard drive I would keep a forensic image which I would store on a server in an archive.  I would do this for two reasons (a) hard drives can fail too easily if just put in storage, and (b) once an image is made I can review information from the image without damaging metadata or deleted data on the files. 

If a company does this, it is also smart to have the image made forensically, with write blockers, forensic imaging software and forensic recordkeeping, in case it needs to be used in litigation.  That way there is less concern about authenticity or spoliation.

Frequently when disputes arise with employees, one of the first things that happens is that IT looks at the computer.  This is a bull-in-a-china-shop approach that alters the data and puts it in the hands of technicians who are not trained in finding data.  It could also put the internal staff at risk of being called as witnesses.  Not all employees are likely to steal data or bring lawsuits, so some companies may adopt a policy of imaging drives only for employees who have had access to critical data or who are likely to sue.  In my experience, the cost of keeping the data was small, and there were many times we were glad to have kept it.

Categories:   Articles | Data Forensics

Reviewing Documents in Formats where the Original Software is Unavailable

Wednesday, 14 October 2009 09:29 by slkatz

A simple but confounding problem with native file productions is the challenge of reading files in formats for which the receiving party does not have the native software.  This can involve extracting word processing documents from old or obsolete programs like WordStar for DOS, obtaining tables from a database created in Oracle, or uncovering layers in a picture created in Photoshop.  There are a number of ways in which this information can be reviewed without purchasing or finding a copy of the original software.

1.  Software that Can Read ASCII

Just about any forensics software (for example EnCase or FTK), ediscovery processing software (for example LAW or Nuix), or hex editor can interpret ASCII text and make it readable as text.  The content of most email messages and word processing documents can be read as ASCII text.  The disadvantage of this approach is that the original formatting of the underlying document is lost, but most of the time the content is where the evidence is located.  One caveat: some formats store their text as UTF-16 (common in Windows programs) or inside a compressed container (a .docx file is a zip archive of XML parts), so a plain ASCII view shows little until the text is decoded or the container is unpacked.
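What a hex editor or forensic tool does when it shows a document "as text" is find runs of printable characters in the raw bytes. The following is an added example of that technique, not code from the original post or from any of the products it names. It extracts runs of printable ASCII and also runs of UTF-16LE (the encoding many Windows-era formats use internally, invisible to an ASCII-only scan because every other byte is NUL), and, if the file is a zip container such as .docx, unpacks it and strips the XML tags instead. The sample "unknown format" file and the minimal .docx-style container are constructed inline; the minimum run length of six is an assumption.

```python
"""Pull readable text out of a file whose native application is unavailable
(added example)."""
import io
import re
import zipfile

MIN_RUN = 6  # shorter runs are mostly noise: opcodes, offsets, padding


def extract_strings(data: bytes, min_run: int = MIN_RUN) -> list:
    """Return (offset, encoding, text) tuples in file order."""
    ascii_run = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % min_run)
    # UTF-16LE text is each printable character followed by a NUL byte.
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_run)
    hits = []
    for m in ascii_run.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def extract_from_ooxml(data: bytes) -> list:
    """Return (part name, 'xml', text) for each XML part that carries text."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            xml = zf.read(name).decode("utf-8", "replace")
            text = re.sub(r"<[^>]+>", " ", xml)  # crude tag stripping
            text = re.sub(r"\s+", " ", text).strip()
            if text:
                out.append((name, "xml", text))
    return out


def extract_text(data: bytes, min_run: int = MIN_RUN) -> list:
    """Dispatch on the zip magic; everything else gets the strings scan."""
    if data[:4] == b"PK\x03\x04":
        return extract_from_ooxml(data)
    return extract_strings(data, min_run)


def build_sample_binary() -> bytes:
    """Constructed sample of an unknown binary format: header bytes, an ASCII
    sentence, control-byte noise, and a UTF-16LE sentence."""
    noise = bytes(range(0, 32)) * 3
    return (b"\x7fUNK\x01\x02" + noise
            + b"Meeting notes: the merger closes Friday." + noise
            + "Attachment sent to personal email".encode("utf-16-le") + noise)


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML-style container: a zip with an XML part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    '<w:document><w:body><w:p><w:r><w:t>Board approved</w:t>'
                    '</w:r><w:r><w:t xml:space="preserve"> the sale.</w:t>'
                    '</w:r></w:p></w:body></w:document>')
    return buf.getvalue()


if __name__ == "__main__":
    for hit in extract_text(build_sample_binary()):
        print(hit)
    for hit in extract_text(build_sample_docx()):
        print(hit)
```

The offsets are worth keeping in the output: when a reviewer later needs to show where in the file a sentence came from, the offset is the citation.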

2.  Viewers

There are a number of file viewing applications; examples are HiJaak and Evince.  HiJaak was developed primarily to view various graphic formats.  Evince is an open source program developed to read various document formats.  One of the most powerful viewers is Outside In technology, which is available from Oracle as a developer kit and is incorporated by software vendors into their products.  Outside In is incorporated into recent versions of EnCase.  Thus, a forensic analyst reviewing a document in EnCase can view, and carve out if necessary, documents in any of the 500-plus formats supported by Outside In.

3.  Installs from Original Image

Often people download software and keep the original install image somewhere on their hard drive.  Many companies keep their corporate install images on the corporate servers.  If an analyst obtains the original install image from the server or the original disk, the software can be installed on the computer being used for review.

4.  Quasi-Native Format

Another option is to convert the file into a readable, equivalent format as part of the ediscovery processing.  This mostly applies to databases and spreadsheets.  Thus if data is produced in an Oracle format, it may be possible to convert it into an Access database.  Similarly, if data is in a spreadsheet format, it may be translatable to a different spreadsheet program or convertible into comma delimited (CSV) format.  Any such conversion should be documented, with row counts or hashes recorded, so that both sides can confirm nothing was lost in translation.
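Converting a database to comma delimited files is simple until the data contains commas, quotes, NULLs or line breaks, which is where naive conversions silently corrupt a production. The following is an added example, not code from the original post: it exports every table of a database to CSV and builds a manifest of column names, row counts and a SHA-256 per file, so the producing and receiving parties can each verify that the conversion dropped nothing. SQLite stands in for whatever the producing system is (Oracle in the post), and the sample database is constructed inline.

```python
"""Export database tables to CSV with a verification manifest (added example)."""
import csv
import hashlib
import io
import sqlite3


def to_cell(value):
    """CSV has no NULL or binary type.  NULL becomes an empty field and BLOBs
    are hex encoded; both choices are lossy and should be stated in the
    production letter so the receiving side knows how to read them."""
    if value is None:
        return ""
    if isinstance(value, bytes):
        return value.hex()
    return value


def export_tables_to_csv(conn: sqlite3.Connection) -> dict:
    """Return {table: {"columns", "rows", "sha256", "csv"}} for user tables."""
    manifest = {}
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for name in names:
        cur = conn.execute('SELECT * FROM "%s"' % name.replace('"', '""'))
        columns = [d[0] for d in cur.description]
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")  # quotes commas, quotes, newlines
        writer.writerow(columns)
        rows = 0
        for row in cur:
            writer.writerow([to_cell(v) for v in row])
            rows += 1
        text = buf.getvalue()
        manifest[name] = {
            "columns": columns,
            "rows": rows,
            "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
            "csv": text,
        }
    return manifest


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample with the cases that break naive CSV conversion:
    an embedded comma, embedded quotes, a NULL, and a multi-line field."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, region TEXT);"
        "CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER,"
        "                    amount REAL, note TEXT);"
        "INSERT INTO customers VALUES (1, 'Acme, Inc.', 'West'),"
        "                             (2, 'Bolt \"B\" Co', 'East');"
        "INSERT INTO orders VALUES (10, 1, 250.0, 'rush'),"
        "                          (11, 1, 19.99, NULL),"
        "                          (12, 2, 0.0, 'line1' || char(10) || 'line2');"
    )
    return conn


if __name__ == "__main__":
    for table, info in export_tables_to_csv(build_sample_db()).items():
        print(table, info["rows"], "rows", info["sha256"])
        print(info["csv"])
```

The manifest (minus the CSV text itself) is what goes in the production cover letter; the receiving side recomputes the hashes and row counts on what it got.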

5.  Open Source and Freeware Alternatives

There are open source and freeware alternatives to many commercial products.  OpenOffice is a widely known example; Microsoft Office documents can be read by the OpenOffice software, which is available for free.  Another very useful open source program is GIMP, an image editor comparable to Photoshop.  If one needs to review a document created in Adobe Photoshop and needs to unpeel the layers in the image, it isn't necessary to purchase Photoshop; the Photoshop layers can be revealed by opening the document in GIMP.


Protective Order for Not Reasonably Accessible Data in California?

Saturday, 10 October 2009 02:21 by slkatz

The question has come up several times recently whether it is necessary to file for a protective order when objecting to the discovery of not reasonably accessible data.  When I looked at the MCLE presentation that we do from Eclaris, I saw that our presentation on this point is ambiguous.  To make this clear, the current rule does not require a protective order in order to preserve an objection:

 "2031.210(d) If a party objects to the discovery of electronically stored information on the grounds that it is from a source that is not reasonably accessible because of undue burden or expense and that the responding party will not search the source in the absence of an agreement with the demanding party or court order, the responding party shall identify in its response the types or categories of sources of electronically stored information that it asserts are not reasonably accessible. By objecting and identifying information of a type or category of source or sources that are not reasonably accessible, the responding party preserves any objections it may have relating to that electronically stored information."

The current confusion in California seems to arise because an earlier version of the ediscovery law, which was vetoed by Governor Schwarzenegger, would have required a protective order (it was vetoed for unrelated reasons, at a time when the Governor was vetoing everything because of a budget dispute).  In her blog at FIOS (http://www.discoveryresources.org/library/case-law-and-rules/ca-new-rules-inaccessible-protective-order-gone/), Mary Mack has clarified this point.  The confusion created by the earlier version and the subsequent change seems to be fairly widespread.

Fortunately, reason (and someone's experience) prevailed in the final bill.  It is now clear that what is needed when objecting is to identify the type or category of source or sources that are asserted to be not reasonably accessible.  This should suffice to preserve the objection.


Why Does California Do Things Differently?

Wednesday, 7 October 2009 10:32 by slkatz

Why does California do things differently?  This is intended as a rhetorical question.  Looking at the California Ediscovery Law reminds me of the California Solid Waste Law and its relationship to the Resource Conservation and Recovery Act (RCRA).  The Federal Government passed a law setting out how to handle solid waste, and virtually every state adopted the federal regulations with minor modifications.  Except for California.  This was a bit of a historical accident, in that California's solid waste law preceded RCRA.  However, it meant that the cost of complying was higher in California, since you needed to learn two regulatory schemes, and I also found that enforcement in California was weak because there were more resources in Sacramento devoted to writing and amending the law than to enforcing it.  I have often said, at least somewhat tongue in cheek, that California could balance its budget if it would conform its laws to the majority of the states.

Now we get a California ediscovery act that (a) is written in its own terms with its own structure, so it doesn't track the federal rules; (b) appears to make some changes that may or may not be real (maybe, or maybe not, the definition of electronic media is broader, so arguably deleted files or active memory are more likely to be required to be produced in California); (c) follows a different procedure, perhaps, as meet and confer may be required by local courts but the form of the meet and confer might be different; and (d) seems to shift the burden of proof that data is not reasonably accessible and probably shifts the cost sharing burden.  The result is that in an area of the law where there is already significant confusion and a big learning curve, California has managed to pass a law that appears to add more confusion.  So why do we have to do things differently?

Categories:   Articles | Data Forensics

Forensic Collection for Preservation of Custodian Desktop

Friday, 2 October 2009 09:19 by slkatz
Sometimes IT departments become very concerned when receiving litigation hold letters.  It isn't always easy to manage users and keep them from deleting documents.  Doing a forensic collection of the custodian's desktop can be an excellent way to alleviate some of these concerns with only minimal business disruption.  When a technician takes a forensic collection, the entire hard drive, including the deleted files, slack space and unallocated space, is included in the image.  The image is verified against the original, in practice by computing a cryptographic hash (MD5 or SHA-1 in most tools) of both and confirming they match, and an image verified in that way meets the requirements of "Best Evidence" under the federal rules.  The analyst can store a copy of the forensic image, to be left untouched, on a server.  The subsequent analysis to search for files and email to produce can be done away from the custodian's office.  If the scope of discovery later expands, the full disk has been preserved.  This can save dozens of hours of attorney time going back and forth on the phone, inquiring about files that were later determined to be relevant.  It also allows the option of doing a deeper forensic analysis should one become necessary, and it reduces the risk of spoliation because there is a reference copy of the original disk available.
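The check that turns a copy into a reference copy, here and in the "Collections" discussion of the "Litigation Support Computer Forensics Challenges" post above, is a hash of the source compared with a hash of the image, recorded together with who verified it and when. The following is an added example of that verification and its custody record; it is not code from either post or from any imaging product. The "drive" and "image" are constructed in-memory byte buffers (in real use they would be the source device and the image file, opened read-only), the case and evidence identifiers are made up, and the choice of MD5 plus SHA-256 is an assumption. Note what the script cannot do: it only reads, so it is the hardware write blocker in front of the real source drive, not this code, that guarantees the source is unchanged.

```python
"""Verify a forensic image against its source and record the result
(added example)."""
import datetime
import hashlib
import io
import json

CHUNK = 1 << 20  # hash in 1 MiB pieces; real images are far too large to slurp


def as_stream(obj):
    """Accept raw bytes (the constructed samples) or an already-open file."""
    return io.BytesIO(obj) if isinstance(obj, (bytes, bytearray)) else obj


def hash_stream(fobj, algorithms=("md5", "sha256")):
    """Return (byte count, {algorithm: hex digest}) for a file-like object.
    MD5 is what most imaging tools still print; SHA-256 rides alongside."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        total += len(block)
        for h in hashes.values():
            h.update(block)
    return total, {name: h.hexdigest() for name, h in hashes.items()}


def verify_image(source, image, case_no, evidence_id, examiner, verified_at=None):
    """Hash both streams and return (verified, custody_record).
    A size mismatch alone fails verification, which catches a short read
    before anyone has to compare digests."""
    src_len, src_hashes = hash_stream(as_stream(source))
    img_len, img_hashes = hash_stream(as_stream(image))
    verified = src_len == img_len and src_hashes == img_hashes
    when = verified_at or datetime.datetime.now(datetime.timezone.utc)
    record = {
        "case": case_no,
        "evidence_id": evidence_id,
        "examiner": examiner,
        "verified_at": when.isoformat(),
        "source_bytes": src_len,
        "image_bytes": img_len,
        "source_hashes": src_hashes,
        "image_hashes": img_hashes,
        "verified": verified,
    }
    return verified, record


def custody_json(record: dict) -> str:
    """Serialize the record deterministically for the case file."""
    return json.dumps(record, indent=2, sort_keys=True)


def build_sample_drive() -> bytes:
    """Constructed stand-in for a custodian drive: a few 'sectors' of data."""
    return (b"MBR-and-partition-table" + b"\x00" * 489
            + b"user files, deleted files, slack and unallocated space" * 200)


if __name__ == "__main__":
    drive = build_sample_drive()
    ok, rec = verify_image(drive, drive, "2009-CV-0001", "HD-01", "J. Examiner")
    print(custody_json(rec))
    # Flip one byte of the image, as mounting it read-write might, and re-verify.
    altered = drive[:600] + bytes([drive[600] ^ 0x01]) + drive[601:]
    ok2, _ = verify_image(drive, altered, "2009-CV-0001", "HD-01", "J. Examiner")
    print("clean image verified:", ok, " altered image verified:", ok2)
```

The record is re-run against the stored image whenever it is copied or handed over; a digest that no longer matches the original custody record is the earliest warning that the reference copy has been touched.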


Federal Agencies

Wednesday, 30 September 2009 07:37 by slkatz

I was just writing an article on Computer Forensics for the Federal Lawyer magazine.  In the days when I was a federal government lawyer, ediscovery and forensics were not issues.  In 1982 I bought a Radio Shack Model 100 portable computer and communicated with our office minicomputer by dialing in with a 300 baud modem.  In 1984, when I was leading a team writing regulations under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA), we had an IBM XT for the entire team.  It had a 5 MB hard drive and was maybe one of five personal computers in the entire department.  What we know of today as ediscovery and forensics could actually have been applied to the old minicomputers we had, but at that point the volume of material was small.  If anything had to be produced, we printed it.

Federal agencies get a certain degree of protection because many cases are "on the administrative record".  However, there are still many times when government lawyers have to do broader discovery.  There are also criminal cases, civil service cases, civil rights cases and many other kinds of cases where the government must provide discovery.  Ediscovery rules apply to the federal government the same as everyone else.  Life as a government lawyer presents an entirely new set of challenges.  So many government records are computerized that some government lawyers must be experiencing ediscovery as quite a nightmare.


EnCase Reporting

Wednesday, 30 September 2009 03:55 by slkatz

EnCase Forensic software can be an amazingly powerful tool.  When I use it I feel like a magician; I am able to see and understand so much about the content of a computer drive.

Since I use it a lot I have a lot of strong feelings about it, both positive and negative.  The part of it that drives me the craziest is the reporting function.  A forensic analysis requires the preparation of a professional report.  It needs to be something that can be submitted in court.  If attorneys had to use software for preparing their briefs as convoluted as EnCase is for preparing reports, they'd probably go back to writing their briefs by hand or on typewriters.

What drives me nuts about the reporting function is that it is dynamic, which is one of those things that is a feature that feels like a bug.  If I find an item of interest, bookmark it, and add it to the report, the information may or may not stay in the report depending upon what else I do in the software.  For example, if I open a zip file container so that I can analyze it, add it as a logical file, and then create a bookmark, I can put it in the report.  If I then close the logical file to free up memory, the bookmark will disappear from the report.  It's also very difficult to format the report so that it looks professional, and the notes function is very limited.  There is a workaround for the notes function, which is to create a text document and paste the text into the note.

There is also a workaround for the constant changes in the report.  When I have an issue documented and I've found all the supporting evidence in the file, I have learned to stop my analysis and export the report at that point to a rich text file.  I have then memorialized my findings in hard copy, and if the report continues to change internally in EnCase, it is still documented.  Similarly, the final report goes into an RTF file and is reformatted in Word.  This works, but it adds time.  There are other report generating tools, and other forensic software has better reporting.  I wish that Guidance Software would work a little on the reporting feature.
