Information Security News mailing list archives

Electronic Data Discovery Primer


From: InfoSec News <isn () c4i org>
Date: Thu, 29 Aug 2002 02:17:01 -0500 (CDT)

http://www.law.com/jsp/article.jsp?id=1029171611801

Albert Barsocchini
Law Technology News
08-28-2002

Electronic data discovery is quickly becoming mainstream in civil
discovery. Recent surveys confirm that more than 90 percent of all
documents produced since 1999 were created in digital form. You don't
need surveys to prove that point; just walk into any office these days
and the first thing you will see is a computer!

Surprisingly, many attorneys fail to do any electronic discovery
because of concerns that it is costly, time-consuming and complicated.  
The irony: It is usually wildly cheaper to conduct discovery
electronically.

New computer forensic techniques allow the cost-effective and safe
recovery of evidence normally invisible to the user. What used to cost
tens of thousands of dollars can now be done for less than $5,000
using trained computer forensic examiners.

There is an incredible amount of electronic evidence that can be
harvested, preserved, documented and authenticated.

Some firms get it. Aggressive law firms are now seeking
computer-generated evidence, especially in cases related to
defamation, trade secret and intellectual property theft, sexual
harassment in the workplace, fraud, breach of contract, divorce
proceedings and spoliation of evidence.

Even in small personal injury auto cases, defense attorneys are going
after e-mail and other electronic evidence related to wage and injury
claims.

GETTING HELP

Knowing where to get help is an important part of your successful
electronic discovery plan. Because of the growing demand, many legal
vendors are retooling their businesses to include electronic
discovery. There are a variety of services now available including
electronic discovery consultants, computer forensic investigators, and
litigation support services offering electronic document conversion,
scanning, indexing and online repositories.

Depending upon the size, type of case, and experience of counsel in
electronic discovery, it may be wise to consider retaining an
electronic discovery consultant. He or she can help create an
effective strategy for collecting, analyzing and processing the data.  
The scope of the consulting services normally includes assisting the
attorney in preparing discovery requests related to electronic
documents, reviewing and evaluating discovery responses, protecting
clients from overly broad demands, and assisting in the collecting,
analyzing and producing of relevant electronic data.

Electronic discovery in civil litigation has been hampered in the past
by a lack of streamlined procedures to access computers in the control
of opposing litigants or third parties. Unlike government
investigators, who can seize computers pursuant to warrant without any
advance notice, a civil litigant often gains access to an opponent's
computer systems only after weeks of protracted objections and
discovery motions. With the help of a good consultant, unnecessary
objections and motions can be avoided. Your best bet: an electronic
discovery consultant who is both a lawyer with litigation experience
and trained in computer forensics.

WHAT TO DO

Recent case law has helped define procedures that counsel should
consider when computer evidence may be relevant:

1. Send a preservation letter.

2. Appoint a neutral forensic expert.

3. Prepare an order detailing the inspection protocol.

4. Hire a forensic expert to acquire and preserve computer data for
   examination.

5. Examine and analyze image data files for evidence.

6. Document the findings.

See Playboy Enterprises v. Welles, 60 F.Supp.2d 1050, 1054 (S.D. CA
1999); Simon Property Group v. mySimon, Inc. 2000 WL 963035 (S.D.);  
Trigon Insurance Company v. United States, 204 F.R.D. 277 (E.D. Va
2001); and Rowe Entertainment v. The William Morris Agency, 2002 WL
63190 (S.D.N.Y.).

Proper electronic discovery should always begin with the issuance of a
demand letter requesting the preservation of all relevant computer
evidence. At that point in time, any document retention and
destruction policy in effect should be suspended and the company is on
notice that any destruction of documents from that time on could turn
into a spoliation of evidence case.

After an electronic discovery plan has been created, interrogatories
and depositions follow to flush out information about what types of
relevant evidence might be found, what form that evidence may take,
information about the computer network configuration, what software is
in use, any document retention policies, data backup and storage
locations, and who has control and the most knowledge about a
particular computer network. From this first discovery fly-over, a
document production request can be carefully crafted.

FORENSICS

If the responses indicate that relevant evidence may exist in
electronic form, the next step is to bring in a computer forensic
examiner to perform the evidence harvesting. Computer forensics deals
with the collection, preservation, analysis, and presentation of
computer-related evidence.

Besides recovering documents in specified directories, evidence also
lives in so-called swap files, slack files and in unallocated space
(free space) on your hard drive. Important evidence called "shadow
data" can also be found within the imperfections on a hard drive and
in traces left by any misalignment of the hard disk head when it
writes, reads and deletes data.

When looking for computer-related evidence, forensic experts first
create a complete non-invasive sector-by-sector "mirror image" backup
of all data contained on the target computer media in order to recover
all active, deleted and temporary files. This process allows the
examiner to "freeze time" by having a complete snapshot of the subject
drive at the time of acquisition. A so-called "hash file" (digital
fingerprint) is created of the original hard drive and the backup copy
in order to prove that the data has not been altered during the
examination process.

After the mirror image is created, the examiner conducts the
examination on the mirror image without ever altering the contents of
the original hard drive. This process is the only practical means of
searching and analyzing computer files without altering date stamps or
other information. Oftentimes, a file date stamp (file creation date,
last modified, or last accessed) is a critical piece of evidence that
may weigh in the balance of a dispute.
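
The acquisition and hash check described above, shown as an added
illustration that is not part of the original article. The file names,
the 512-byte sector size and the two-sector stand-in "drive" are
assumptions constructed for the example; SHA-256 is used as the digital
fingerprint.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for this illustration

def hash_file(path, chunk=SECTOR * 128):
    """Stream a file or device node through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: evidence is never opened for writing
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image):
    """Copy source to image sector by sector, hashing the source as it is read."""
    h = hashlib.sha256()
    sectors = 0
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for sector in iter(lambda: src.read(SECTOR), b""):
            h.update(sector)
            dst.write(sector)
            sectors += 1
    return {"source_sha256": h.hexdigest(), "sectors": sectors,
            "image_sha256": hash_file(image)}

def verify(image, record):
    """True only if the working image still matches the acquisition record."""
    return hash_file(image) == record["source_sha256"]

def demo():
    """Constructed stand-in drive: one 'active' sector, one 'deleted' sector."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "subject_drive.bin")  # hypothetical name
        image = os.path.join(work, "subject_drive.img")   # hypothetical name
        with open(source, "wb") as f:
            f.write(b"ACTIVE FILE".ljust(SECTOR, b"\0"))
            f.write(b"deleted memo".ljust(SECTOR, b"\0"))
        record = acquire(source, image)
        matched = record["source_sha256"] == record["image_sha256"]
        intact = verify(image, record)      # re-check after "examination"
        with open(image, "r+b") as f:       # simulate one byte changed in handling
            f.seek(SECTOR + 3)
            f.write(b"X")
        return record["sectors"], matched, intact, not verify(image, record)
```

The record returned by acquire() is what an examiner would keep with
the case notes; running verify() again at the end of the examination
shows whether the working copy still matches the original.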

The importance of a proper forensic examination can be illustrated by
a single Word or WordPerfect document. Each document can include
historical information in a variety of places. Information can be
stored as "metadata," in timed backup files and related slack within
it, in a swap file, in temporary files and related slack within it, in
temporary print files and related slack within it, and possibly in OLE
files, too. So depending on how the discovery request is phrased, the
Request for Production of a single specific document can generate up
to 11 separate pieces of evidence with valuable historical information
about it.

Depending upon the scope of the request and volume of evidence to be
produced, counsel may need to engage a litigation support service to
help in the conversion, scanning, coding and indexing of the
electronic evidence generated. For small cases with limited documents,
all you really need is a good computer forensic examiner.

Many vendors and individuals offer these computer forensic services.  
When engaging a forensic examiner, always scrutinize his or her résumé
for the amount of training they have received, on-the-job experience
and how many times they have served as an expert witness in a civil
matter and actually testified in court.

Normally, a forensic expert will be retained by both parties and
experienced ones often act as a discovery referee or a special master,
too. The requesting party normally pays the cost of the forensic
examination; however, many courts will shift the cost of the forensic
investigation when the producing party is shown to have deleted files
in bad faith.

FRAGILE

The bottom line: Electronic discovery must be both taken seriously and
done properly because the evidence is fragile, easily erased and can
be compromised by untrained parties. Litigators practicing in today's
digital environment must understand the various ways information can
be stored and retrieved not only to ensure compliance with discovery
rules, but to build the best possible case for their client. Failing
to do so may not only prejudice the case, but may be malpractice.

California attorney Albert Barsocchini, a member of the Law Technology
News Editorial Advisory Board, is a senior law technologist and
electronic discovery consultant at San Rafael, Calif.'s The LawTek
Group. E-mail: lawtech () well com



