[ISN] Electronic Data Discovery Primer

From: InfoSec News (isnat_private)
Date: Thu Aug 29 2002 - 00:17:01 PDT

    Albert Barsocchini
    Law Technology News
    Electronic data discovery quickly is becoming mainstream in civil
    discovery. Recent surveys confirm that more than 90 percent of all
    documents produced since 1999 were created in digital form. You don't
    need surveys to prove that point; just walk into any office these days
    and the first thing you will see is a computer!
    Surprisingly, many attorneys fail to do any electronic discovery
    because of concerns that it is costly, time-consuming and complicated.  
    The irony: It is usually wildly cheaper to conduct discovery
    New computer forensic techniques allow the cost effective and safe
    recovery of evidence normally invisible to the user. What used to cost
    tens of thousands of dollars can now be done for less than $5,000
    using trained computer forensic examiners.
    There is an incredible amount of electronic evidence that can be
    harvested, preserved, documented and authenticated.
    Some firms get it. Aggressive law firms are now seeking
    computer-generated evidence, especially in cases related to
    defamation, trade secret and intellectual property theft, sexual
    harassment in the workplace, fraud, breach of contract, divorce
    proceedings and spoliation of evidence.
    Even in small personal injury auto cases, defense attorneys are going
    after e-mail and other electronic evidence related to wage and injury
    Knowing where to get help is an important part of your successful
    electronic discovery plan. Because of the growing demand, many legal
    vendors are retooling their businesses to include electronic
    discovery. There are a variety of services now available including
    electronic discovery consultants, computer forensic investigators, and
    litigation support services offering electronic document conversion,
    scanning, indexing and online repositories.
    Depending upon the size, type of case, and experience of counsel in
    electronic discovery, it may be wise to consider retaining an
    electronic discovery consultant. He or she can help create an
    effective strategy for collecting, analyzing and processing the data.  
    The scope of the consulting services normally includes assisting the
    attorney in preparing discovery requests related to electronic
    documents, reviewing and evaluating discovery responses, protecting
    clients from overly broad demands, and assisting in the collecting,
    analyzing and producing of relevant electronic data.
    Electronic discovery in civil litigation has been hampered in the past
    by a lack of streamlined procedures to access computers in the control
    of opposing litigants or third parties. Unlike government
    investigators, who can seize computers pursuant to warrant without any
    advance notice, a civil litigant often gains access to an opponent's
    computer systems only after weeks of protracted objections and
    discovery motions. With the help of a good consultant, unnecessary
    objections and motions can be avoided. Your best bet: an electronic
    discovery consultant who is both a lawyer with litigation experience
    and trained in computer forensics.
    Recent case law has helped define procedures that counsel should
    consider when computer evidence may be relevant:
    1. Send a preservation letter.
    2. Appoint a neutral forensic expert.
    3. Prepare an order detailing the inspection protocol.
    4. Hire a forensic expert to acquire and preserve computer data for
    5. Examine and analyze image data files for evidence.
    6. Document the findings.
    See Playboy Enterprises v. Welles, 60 F.Supp.2d 1050, 1054 (S.D. CA
    1999); Simon Property Group v. mySimon, Inc. 2000 WL 963035 (S.D.);  
    Trigon Insurance Company v. United States, 204 F.R.D. 277 (E.D. Va
    2001); and Rowe Entertainment v. The William Morris Agency, 2002 WL
    63190 (S.D.N.Y.).
    Proper electronic discovery should always begin with the issuance of a
    demand letter requesting the preservation of all relevant computer
    evidence. At that point in time, any document retention and
    destruction policy in effect should be suspended and the company is on
    notice that any destruction of documents from that time on could turn
    into a spoliation of evidence case.
    After an electronic discovery plan has been created, interrogatories
    and depositions follow to flush out information about what types of
    relevant evidence might be found, what form that evidence may take,
    information about the computer network configuration, what software is
    in use, any document retention policies, data backup and storage
    locations, and who has control and the most knowledge about a
    particular computer network. From this first discovery fly-over, a
    document production request can be carefully crafted.
    If the responses indicate that relevant evidence may exist in
    electronic form, the next step is to bring in a computer forensic
    examiner to perform the evidence harvesting. Computer forensics deals
    with the collection, preservation, analysis, and presentation of
    computer related evidence.
    Besides recovering documents in specified directories, evidence also
    lives in so-called swap files, slack files and in unallocated space
    (free space) on your hard drive. Important evidence called "shadow
    data" can also be found living within the imperfections on a hard
    drive and by any misalignment in the hard disk head when it writes,
    reads and deletes data.
    When looking for computer-related evidence, forensic experts first
    create a complete non-invasive sector-by-sector "mirror image" backup
    of all data contained on the target computer media in order to recover
    all active, deleted and temporary files. This process allows the
    examiner to "freeze time" by having a complete snapshot of the subject
    drive at the time of acquisition. A so-called "hash file" (digital
    fingerprint) is created of the original hard drive and the back copy
    in order to prove that it has not been altered during the examination
    After the mirror image is created, the examiner conducts the
    examination on the mirror image without ever altering the contents of
    the original hard drive. This process is the only practical means of
    searching and analyzing computer files without altering date stamps or
    other information. Oftentimes, a file date stamp (file creation date,
    last modified, or last accessed) is a critical piece of evidence that
    may weigh in the balance of a dispute.
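
The acquisition and hash check described above, as an added example that is not part of the original article: it copies a constructed four-sector "drive" sector by sector, records a SHA-256 fingerprint, and shows that the fingerprint stops matching after a one-byte change to the working copy. The 512-byte sector size, the sample contents and all function names are assumptions made for illustration.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size for this constructed example


def acquire(source, image, sector=SECTOR):
    """Copy source to image one sector at a time, hashing what was read.
    Returns (sectors_copied, sha256_hex_of_source)."""
    digest = hashlib.sha256()
    count = 0
    for block in iter(lambda: source.read(sector), b""):
        digest.update(block)
        image.write(block)
        count += 1
    return count, digest.hexdigest()


def fingerprint(stream, sector=SECTOR):
    """Hash a stream from its first byte, in sector-sized reads."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(sector), b""):
        digest.update(block)
    return digest.hexdigest()


def build_sample_drive():
    """Constructed data: an active file, then a deleted remnant left in
    unallocated space that a file-level copy would not pick up."""
    active = b"ACTIVE: quarterly report".ljust(SECTOR, b"\x00")
    remnant = b"DELETED: draft memo".ljust(SECTOR, b"\x00")
    return io.BytesIO(active + bytes(SECTOR) + remnant + bytes(SECTOR))


def demo():
    drive, image = build_sample_drive(), io.BytesIO()
    sectors, recorded = acquire(drive, image)
    matches_at_acquisition = fingerprint(image) == recorded
    remnant_preserved = b"DELETED: draft memo" in image.getvalue()
    image.seek(2 * SECTOR)   # simulate a one-byte alteration
    image.write(b"d")        # of the working copy
    matches_after_change = fingerprint(image) == recorded
    return sectors, matches_at_acquisition, remnant_preserved, matches_after_change


if __name__ == "__main__":
    print(demo())
```
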
    The importance of a proper forensic examination can be illustrated by
    a single Word or WordPerfect document. Each document can include
    historical information in a variety of places. Information can be
    stored as "metadata," in timed backup files and related slack within
    it, in a swap file, in temporary files and related slack within it, in
    temporary print files and related slack within it, and possibly in OLE
    files, too. So depending on how the discovery request is phrased, the
    Request for Production of a single specific document can generate up
    to 11 separate pieces of evidence with valuable historical information
    about it.
    Depending upon the scope of the request and volume of evidence to be
    produced, counsel may need to engage a litigation support service to
    help in the conversion, scanning, coding and indexing of the
    electronic evidence generated. For small cases with limited documents,
    all you really need is a good computer forensic examiner.
    Many vendors and individuals offer these computer forensic services.  
    When engaging a forensic examiner, always scrutinize his or her résumé
    for the amount of training they have received, on-the-job experience
    and how many times they have served as an expert witness in a civil
    matter and actually testified in court.
    Normally, a forensic expert will be retained by both parties and
    experienced ones often act as a discovery referee or a special master,
    too. The requesting party normally pays the cost of the forensic
    examination; however, many courts will shift the cost of the forensic
    investigation when the producing party is shown to have deleted files
    in bad faith.
    The bottom line: Electronic discovery must be both taken seriously and
    done properly because the evidence is fragile, easily erased and can
    be compromised by untrained parties. Litigators practicing in today's
    digital environment must understand the various ways information can
    be stored and retrieved not only to ensure compliance with discovery
    rules, but to build the best possible case for their client. Failing
    to do so may not only prejudice the case, but may be malpractice.
    California attorney Albert Barsocchini, a member of the Law Technology
    News Editorial Advisory Board, is a senior law technologist and
    electronic discovery consultant at San Rafael, Calif.'s The LawTek
    Group. E-mail: lawtechat_private