First published May 2005
by Joan E. Feldman, President
Computer Forensics Inc.
http://www.forensics.com
The discovery process in civil litigation has always been a critical and sometimes confusing area for attorneys. Most attorneys have wondered, at one time or another, whether they pursued all leads and uncovered all material that could help them to prevail. It is common for attorneys to lose sleep wondering whether a more precisely worded question might have produced the illusive “smoking gun.” With the proliferation of electronic data, the well-founded fear of overlooking valuable information is even greater.
Courts have routinely held that information generated and stored on computers and other electronic forms is discoverable. While this is good news, most attorneys have little or no experience in collecting electronic data and have absolutely no experience in analyzing the data collected. This is particularly troubling as the vast majority of electronically stored data is never reduced to printed form. Thus, it is important for attorneys to learn how to collect and analyze electronic data.
Provide Notice To All Parties
Once a suit has been filed, or at times, even before the suit is filed, it is important that all parties and their counsel are placed on notice that you will be seeking electronic evidence. As information stored on computers is ephemeral and changes every time a user saves a file, loads new software, or performs a myriad of other mundane functions, it is critical that you apprise all parties of your impending requests as soon as they are contemplated. The letter should outline the type and location of the information to be preserved. If parties are unwilling to stipulate to the preservation of electronic data, it may be necessary to file and obtain a protective order outlining the data to be saved and the methods of preservation.
Hire An Expert
After the initial letter has put all parties on notice of the information that will be sought, it may be time to consider hiring a forensic expert. A forensic expert can assist in the drafting of precise interrogatories and requests for production designed to solicit relevant data, as well as preparation for and participation in the 30(b)(6) deposition of a record custodian. Once the media is identified, an expert can ensure that all the data is securely collected, restored, and compiled in a manner that is accessible to an attorney. The expert may need to restore backup tapes and/or make evidentiary image copies of computer hard drives. With the increased use of computers as business and communication tools, failing to request such information could jeopardize your client’s case or, worse yet, subject you to a malpractice claim.
Preserve Chain Of Custody To Ensure Admissibility
After the expert has been hired, all subsequent actions must be undertaken with the realization that the admissibility of evidence will depend upon a reliable chain of custody protocols. First, one must be able to demonstrate that no information has been added or altered. Write protecting and virus checking all media helps satisfy this requirement. Secondly, you will need to demonstrate to the court that what is purported to be a complete copy of a specific medium is, in fact, what it purports to be.
You must show the court that a recognized and reliable copying process was used. Using appropriate forensic tools to make an evidentiary image copy of hard drives or other media, confirms that a complete copy was made. To be deemed reliable, the process must meet industry standards for quality and reliability, be able to withstand independent verification and the copies must be tamper proof. Meeting the industry standards is accomplished by using recognized forensic software to create the copy and by saving the data on a recognized medium. Using the same software relied upon by law enforcement agencies certainly legitimizes the process. As long as the court and the opposing counsel can independently verify the information, they can confirm the reliability of the results.
Understanding Your Opponents’ Information System
Interrogatories. Having placed all parties on notice of the impending discovery request and having established the protocols for preserving and authenticating the evidence that will be collected, you are ready to begin the search. One of the easiest and least expensive methods for gathering the basic information about a company’s information system department is through the use of interrogatories. However, as attorneys generally answer the interrogatories, the responses can be inadequate. This will necessitate scheduling a deposition with key information systems employees. In order to know whom to depose at a later date, make sure to ask the following questions in your interrogatories:
– The personnel responsible for the ongoing operation, maintenance, expansion, backup, and upkeep of the network.
– The personnel responsible for administering email.
– The personnel responsible for the maintenance of computer generated records.
Requests for Production. Requests for production afford a party the opportunity to examine opposing parties’ computer systems and to copy all relevant electronic data. When you formulate your request for production, make sure you ask for backup tapes, loose media such as diskettes or CDs, and request evidentiary image copies when necessary.
Backup tapes. Backup tapes generally contain all of an organization’s centralized data stores, including email, as of a certain date. This information can be extremely useful. Common procedures call for full backups to be made weekly, with the last tape of the month saved as a monthly backup. While weekly backups are normally rotated, monthly backups are saved anywhere from six months to several years. The backup process is usually indiscriminate. It saves all the information that is on the system at a given point. Thus, the tape may contain information that is damaging to the company.
When collecting backup tapes, make sure to gather information on how the tapes were made, including hardware and software used. In some instances, it may be impossible to restore backup tapes without using the same software and/or hardware used to create the backup.
Diskettes, CDs, and Other Removable Media. It is also important to collect and examine any removable media created by key witnesses. Removable media often contain information that the user does not want to keep on a company computer, information deemed especially important by the user, and information that may have been deleted from the hard drive in an automatic purging routine. While removable media are often overlooked, they may contain information that is not available anywhere else.
Image Copies. Most people think that by deleting a file the information contained within that file is lost. This is incorrect. When a file is deleted, the computer makes the space occupied by that file available for new data. But the bits and bytes that make up the file remain on the hard drive until they are overwritten by new data or “wiped,” through the use of utility software. Deleted files and other “residual” data, which includes deleted files and fragments of deleted files, may be recovered from hard drives and many forms of removable media by making an image copy.
An evidentiary image copy duplicates the disk surface, sector-by-sector, creating an exact copy of the source drive. By recreating the deleted files, you may be able to find damaging information. In contrast, a file-by-file copy (active data) would not provide you with any of the “residual” data. This could prove to be a significant oversight.
Depositions. A deposition, allowed under Civil Rule 30(b)(6), is the best tool available for gaining knowledge of the types of electronic information that exist in your opponents’ computer systems. The following checklist is designed to assist you in formulating your own questions:
– The layout of the computer system, including the number and types of computers.
– The structure of any network and electronic mail system(s), including software used, the number of users, the location of mail files, and password usage.
– The software packages used including the software maker, program name, version of each program, when it was installed, and whether it has been upgraded. Remember that different software packages will be used for calendars, project management, accounting, word-processing, and database management. Make sure you ask about any proprietary programs and encryption software.
– The procedures used by system users to log on to computers and into the network. This includes use of passwords, audit trails, and other security measures used to identify data created, modified, or otherwise accessed by particular users. – Whether access control lists identify which users have access to which files.
– How shared files are structured and named on the system.
– Descriptions of all devices and software used to create backups, what information is backed up, backup schedules, and tape rotation schedules.
– The process for archiving and retrieving backup media, both on and off site.
– Routines for archiving and purging different types of data.
Support Staff, Palmtops, and Notebooks. Witnesses’ and parties’ support staff may have produced or stored information for the witness or party. This data may include letters that were dictated to relevant parties. The staff member should be asked for a detailed account of how the respective information is stored and labeled. The data should then be requested for your review.
Each witness or party should also be asked about his or her computer usage. It is important to determine whether the witness conducts business from any computer other than the one at their desk. The witness may be able to log onto the company’s network from home. If that is the case, the home computer acts just like the employee’s office computer. The witness may also take work home on removable media such as thumb drives or CDs, or via email, thereby transferring relevant data to his or her home computer. Additionally, inquire about palmtop devices such as electronic address books, PDAs (such as PalmPilot and iPAQ), and multifunction phones that integrate text messaging, which in addition to storing calendar and contact information allow the user to make notes and use email. These devices may contain evidence that is not contained on the witness’s standard work computer. Finally, information may be contained on a shared notebook computer.
What To Do With The Procured Data
The requests for production have necessarily yielded image copies, backup tapes, diskettes, CDs, and other media. Before anyone views or handles the evidence that has been gathered, the integrity of the media must be preserved. This involves a two-step process of write protecting and virus checking the media. Write protection prevents data from being added to the media. This guarantees that the evidence you gathered has not been altered or erased. Virus checking detects whether there are any programs that could alter the information contained on the media. If a virus is detected, record all information about it and immediately notify the party producing the media. Do not attempt to clean the media, as the process will necessarily change the evidence that was produced.
If you have collected an original hard drive or removable media, it is also critical that you do not open or otherwise work on the original media without first making a forensically sound copy. Once you have protected the media, you are ready to search.
Conclusion
The following information is designed to furnish you with techniques for helping to ensure the admissibility of evidence. Evidence can be deemed inadmissible if its origin is not clearly delineated. The following process will assist you in avoiding any pitfalls:
– Write protect all media before doing anything else.
– Assign each piece of media a different number.
– Virus check all media. Immediately notify the producing party of any discovered viruses.
– Virus check the drive that you are restoring the data to and make sure the drive is free from any other data. (Ideally, restoration should be to a distinct drive, dedicated to a single case).
– Assign each restored piece of media a file name that corresponds to the original number given to the media being restored (e.g., everything restored from a diskette numbered 100 should be restored to a file named “Disk 100”).
– Verify that all files on the directory listing appear in the copy restored.
– Secure the source media.
– When printing a particular document, insert a distinct header or footer that gives the full directory listing for the printed document (e.g., Disk 100\corr\bingo.txt).
With the ever-growing use of computers as business and communication tools, data stored electronically is a vital source of discovery. The days of relying upon printed material are gone forever. But as with tangible evidence, it is imperative that you gather electronic media in a manner that ensures the admissibility of the evidence. This requires attorneys to develop standard protocols for acquiring, preserving, and presenting electronic media. While the technology will continue to change, the basic techniques for collecting evidence should remain consistent.
Reproduced with permission. The original article can be viewed at http://www.forensics.com/pdf/Collection.pdf
