Computer Forensics Inc. Electronic Evidence Experts

The TechnoLawyer Community

December 18, 2003

1. BEHIND THE BOOK: FASTER THAN YOU CAN WRITE IT: THE CHALLENGES OF KEEPING UP WITH THE EVOLVING TECHNOLOGY

The topic of electronic discovery has been widely discussed at legal conferences, litigation support seminars and in legal trade publications for the last couple of years. Most of these conversations have focused on the seriousness of e-discovery, the risks associated with failing to conduct proper e-discovery, the costs involved and other snapshots. Some have concentrated on the important legal issues, court precedents to be followed, potential for spoliation charges and other technical information.

What was clearly lacking in the marketplace was a practical guide that would lead attorneys and other legal professionals through the specifics of the electronic discovery process.

In consultation with my publisher, Glasser LegalWorks, I set out to write a book that would essentially serve as a compilation of the entire e-discovery process from start to finish. The goal was to present practical information – not a legal treatise – that would demystify the process by explaining how to find and use cyber evidence.

To be sure, there were a handful of significant challenges we had to confront in order to complete this project. For starters, as the founder and president of a growing company in this space (Computer Forensics Inc., based in Seattle), I had to run a business and write a book at the same time. Obviously, there were times when those dual responsibilities conflicted and something had to give. Related to that, I didn't have the luxury of being an academic observer of the topic on which I was writing – the reality is that I'm a professional consultant who is busy in the trenches of electronic discovery projects every day. To that extent, an asset to me in the writing of the book (first-hand knowledge) was also a liability (little time to cogitate).

Perhaps the most daunting challenge, however, was the lightning speed at which technology has been changing in the e-discovery space. In fact, this book had to be rewritten three times in six years because of significant technological changes in the process of electronic discovery.

In spite of the challenges, there were several pleasant and unexpected joys that arose from this project. I'll always cherish some time spent in 2002 while working on revisions to the book with Debbie Juhnke, my friend, editor and vice president of my company. The two of us would work all day, then break to visit a nearby horse ranch where Debbie worked with the horses and taught me the basics of horseback riding. We found that riding was a great diversion from writing.

There's been another unexpected treat that arose from writing this book. The publication of the book and its subsequent promotion has allowed me to reconnect with some old friends who have heard or read about my new authorship status.

In the end, I'm very satisfied that we created a much-needed practical guide to the electronic discovery process. While not perfect by any means, "Essentials of Electronic Discovery" walks readers through the basics of computer-based discovery, the nuances of e-mail discovery, discovery of databases in litigation, planning and conducting electronic discovery, forensic collection and analysis, electronic risk management, and the effects of future technology improvements on electronic discovery. It was not a simple book to write, but I believe that it fills an important void in the professional literature.

Joan Feldman
President
Computer Forensics Inc.
jfeldman@forensics.com

2. BOOK EXCERPT: ESSENTIALS OF ELECTRONIC DISCOVERY: PLANNING AND CONDUCTING ELECTRONIC DISCOVERY

In every lawsuit, discovery strategy has to be tailored to meet the specific needs of the case and the client's budget. The scope and depth of the discovery effort also will be significantly affected by the degree to which opposing counsel co-operate in the exchange of electronic data.

Substantial savings are possible if the parties to a lawsuit work out among themselves the guidelines to be used for the preservation and production of electronic evidence. Having one repository of the electronic material for all the parties can avoid duplication of efforts and expense….

THE EXPERT'S ROLE IN COMPUTER BASED DISCOVERY

Attorneys and judges can face extreme challenges to their technical knowledge when it comes to computer-based discovery. Locating, reviewing, and managing computer-based files requires an understanding of technology that often goes beyond that of the most experienced power user. In recent years, attorneys and the courts have turned to computer forensics experts for help in cutting through the technical issues that often cloud discovery objectives. The computer forensics expert may fill one of two roles. The first is the traditional role of the expert: helping to educate the court and all parties in their search for facts. In such cases the expert may review the computer evidence directly and prepare forensic reports and affidavits, or oversee the work of the other party's expert witnesses. In a secondary role, the expert may act as more of a "vendor" of services. For example, the expert may not prepare an expert report of findings, but may instead provide a range of services such as consulting or project management tasks….

TEN STEPS TO SUCCESSFUL COMPUTER BASED DISCOVERY

Although many lawyers ask for electronic evidence, they may not have had experience collecting and analyzing the data they seek. What follows is some practical advice on how to collect relevant data and assure it can be authenticated and admitted as evidence.

1. Send a preservation of evidence letter. It is critical to put all parties on notice as soon as possible, informing them that electronic evidence will be sought through discovery. A letter should identify as specifically as possible the types of information to be preserved. If necessary, obtain a protective order requiring all parties to preserve electronic evidence and set out specific protocols for doing so.

2. Include definitions, instructions, and specific questions about electronic evidence in written discovery.

  • Make clear that electronic documents, as well as paper, are being sought. Define documents as data compilations, electronic mail, and electronically stored data.
  • Use a series of interrogatories to get an overview of the target computer system.
  • If necessary, include a request for inspection to examine the computer system firsthand and retrieve any relevant data.

3. Take a 30(b)(6) deposition of staff from the information systems department. This form of the custodial deposition may be the single best tool for discovering types of electronic information stored on the opponent's computer systems. Include questions about the specific hardware and software used and how data is used and stored. Be sure to include questions about backup procedures. Backup tapes can be an important source of historical information.

4. Collect backup tapes. Routine data backups, created to help companies recover from a disaster (system or natural disaster), are normally stored on high-capacity tapes. Backups are often created daily and/or weekly. It's common for one backup set (such as data backed up on the last day of the month) to be pulled from rotation (i.e., not re-used or overwritten) and stored for one year. Using this backup schedule, a company would have twelve monthly backups on hand for the year. This is often enough data to provide a highly detailed picture of corporate activity.

5. Collect diskettes, Zip drives, and other removable media. It's essential to collect and examine all media with files created by key witnesses. Computer users often create ad hoc backups of files and e-mail. Users can keep such data sets indefinitely.

6. Ask every witness about computer usage. Each witness and his or her assistant(s) must be questioned about how they organize and store data on their computer. Perhaps the most overlooked source of electronic evidence is the witness's or assistant's home computer. Data can be transferred to and from the workplace via diskettes and portable media, or by logging onto the company network from home. Palmtop devices, another source of evidence, can allow users to make notes and use e-mail. Notebook computers, often shared among a number of users, can also be a rich source of evidence.

7. Make image copies. To capture residual data, an image copy of the target drive must be created. An image copy duplicates the disk surface sector by sector as opposed to a file-by-file copy, a process that does not capture residual data.

Residual data can be recovered from hard drives and floppy disks. Residual data includes deleted files, fragments of deleted files, and other data that is still extant on the disk surface. With computers, the term "deleted" does not mean destroyed. When a file is deleted, the computer makes the space occupied by that file available for new data. However, the bits and bytes of the file remain on the hard drive until they are overwritten by new data or wiped through the use of specialized software. If neither has occurred, a deleted file may still be recovered from the disk surface.

8. Write-protect and virus-check all media. Electronic media must first be write-protected to maintain its integrity. This helps ensure the evidence is not altered or erased as it is gathered. All media should be checked with current virus software to keep evidence from being altered. [Note: Do NOT install virus software on a hard drive that is or will become evidence.] If a virus is detected, make a record of all information and notify the party producing the media. Do not take steps to clean the original media, as this could change the evidence produced.

9. Preserve the chain of custody. Electronic evidence can be easily altered. Maintaining a clean chain of custody is critical. At a minimum, be prepared to assure that:

  • No information has been added or changed;
  • A complete copy was made;
  • A reliable copying process was used;
  • All media was secured.

A reliable copy process has three characteristics:

  • It must meet industry standards for quality and reliability, including image capture software and media.
  • The copies must meet the independent verification standard. In other words, their expert must be able to read and verify your expert's copy.
  • The copies created must be tamper-proof.

10. Hire an expert. An expert will help fine-tune discovery and maximize the amount of relevant data that is recovered, while minimizing the total amount of data reviewed. The expert can also provide resources for copying and examining data. Restoring backup tapes and image copies often exceeds the technical talent and system resources of clients and lawyers.

Direct forensic examination of data, tape restoration, and copying or printing services can range from $150 to $375 per hour.

Experienced experts can help draft deposition outlines, sit in on depositions, help educate the court or discovery magistrates, and help parties prepare stipulations for protocol and cost sharing. Rates for these services can range from $375 to $600 per hour.

The goal of computer-based discovery is to find useful information and collect it in a manner that assures it can be admitted into evidence. While technology will undoubtedly continue to change, these basic techniques for collecting electronic evidence should continue to prove effective.

.. end of excerpt.
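
The difference between a file-by-file copy and an image copy (step 7), together with the independent verification called for in step 9, shown as an added Python example that is not from the book or from Computer Forensics Inc. The toy disk, its file name and contents are constructed, and SHA-256 is an assumed choice of hash, since the excerpt names no algorithm.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector on the constructed toy disk
LIVE = b"Q3 forecast memo"          # constructed content of a live file
DELETED = b"draft: do not forward"  # constructed content of a deleted file

def build_disk():
    """Constructed 4-sector disk: the directory no longer lists the deleted
    file, but its bytes are still on the surface (residual data)."""
    surface = LIVE.ljust(SECTOR, b"\0") + DELETED.ljust(SECTOR, b"\0") + bytes(2 * SECTOR)
    directory = {"memo.txt": (0, len(LIVE))}  # name -> (first sector, length)
    return surface, directory

def file_copy(surface, directory):
    """File-by-file copy: only data the directory still references."""
    return {name: surface[s * SECTOR : s * SECTOR + n]
            for name, (s, n) in directory.items()}

def image_copy(src, dst):
    """Sector-by-sector copy; returns the SHA-256 of the bytes read."""
    digest = hashlib.sha256()
    while block := src.read(SECTOR):
        digest.update(block)
        dst.write(block)
    return digest.hexdigest()

def verify(image, recorded_digest):
    """Independent check: re-hash the copy, compare with the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == recorded_digest

def demo():
    surface, directory = build_disk()
    files = file_copy(surface, directory)
    out = io.BytesIO()
    recorded = image_copy(io.BytesIO(surface), out)
    image = out.getvalue()
    altered = image[:SECTOR] + b"X" + image[SECTOR + 1:]  # one byte changed
    return {
        "residual_in_file_copy": any(DELETED in d for d in files.values()),
        "residual_in_image": DELETED in image,
        "image_verifies": verify(image, recorded),
        "altered_image_verifies": verify(altered, recorded),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Recording the acquisition hash in the custody log at the time of imaging is what lets the other party's expert confirm, from their own copy, that nothing has been added or changed.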

ABOUT THE AUTHOR

Joan Feldman, known as one of the nation's premier "cybersleuths," is a pioneer in the science of forensic computing. Ms. Feldman's background combines over twenty years of computer forensics and litigation expertise. As president of Computer Forensics Inc.™, Ms. Feldman obtains and analyzes electronic data used as evidence in civil litigation and oversees the work of CFI's forensic teams. A recognized authority on electronic media discovery and related topics, Ms. Feldman is a busy national speaker, magazine contributor, and media resource for expert commentary.

Representative computer forensic cases include product liability, trade secret theft, sexual harassment, contractual disputes, electronic document authentication, bankruptcy, insurance claim disputes, construction accidents, shareholder class action, and antitrust litigation matters.

Ms. Feldman also maintains primary responsibility for Computer Forensics Inc.'s corporate electronic risk control programs, assisting business clients with the development of e-mail communication, data retention, and privacy policies for electronic records. Representative risk control clients include Fortune 500 businesses and public agencies.

Prior to her computer forensic work, Ms. Feldman worked as a records management consultant for clients in the utility and nuclear power industry, developing needs analysis and recommendations for records and information management systems. As a litigation consultant to law firms, Ms. Feldman managed support efforts for many of the nation's largest complex litigation matters. You can reach Ms. Feldman via e-mail.