Prepare for e-Discovery

With state laws governing the capture and securing of evidence ' including electronic data ' the possibility of spoliation is a genuine concern. Not only could evidence subjected to spoliation be inadmissible, but misdemeanor or felony charges could apply to the collector and the contracting party.

Identifying electronic evidence, much like in a physical crime scene, starts with drawing increasing concentric circles around the victim or perpetrator. Some care must be taken regarding a company's policies and practices. State and federal law on personal property may be involved if the employee used personal devices legally or illegally in combination with the company's assets, and a warrant or commencement of discovery may be required to access personal property or equipment on private property.

Getting on the Trail

The first step in identifying potential sources of evidence starts with the company's assets and procedures. Lawyers and other key players involved should begin by finding out as much about their client's IT infrastructure as possible.

After you see how your client handles data, you will be prepared to ask for, and receive, the data you require.

An on-site visit will prove invaluable. This field trip will serve you well in the case, and will serve you effectively well into the future as you become more familiar with technical terms, technical equipment and the techies (the IT people whose job it is to keep the companies' systems running).

Plan to spend at least a couple of days acquainting yourself with a client's setup and procedures. Use this time to talk with the client's IT people and see for yourself what they do on a daily basis. Sitting in a conference room discussing the client's electronic documents with the chief information officer or the chief legal officer is like looking at an iceberg from afar: you'll get only 10% of the picture. You need to literally get down to the job, and to get down and dirty. For instance, going to the server rooms and asking questions ' lots of questions ' will allow you to help your client identify, locate, secure and produce e-docs, while allowing you to 'smell a rat' when the other side comes back with objections to your document requests. If you have visited an IT operation and asked many, many seemingly 'dumb' questions, then you'll be able to quickly dismiss the same tired objections filed by opposing counsel. The blissfully wed pairs of words unduly burdensome and extraordinarily difficult, and their relatives cost-prohibitive and fishing expedition, can be dealt with in short order because you've seen an IT operation with your own eyes.

Advancing on the Search

Now that a site visit's planned, what's next? What kind of questions can you ask? Who will translate the techie-speak into lawyer-speak?

A certified computer forensics expert will be extremely valuable in these situations. The expert will be able to translate your concerns about spoliation, for instance, to the techies, will be able to translate the technical setup, and explain why certain elements may be important for the case at hand. You shouldn't expect the computer forensics expert to do all the talking, though. After all, it's your case ' you're the lawyer. A sample list of questions the likes of which might serve as a starting point when investigating your client's e-mail system ' and the reasons why they're important ' are provided in the next section of this article. When asking these questions, you'll want to know the reasons the people you're querying chose for making the decisions they did, and whether their procedures are common in the industry.

While the list might seem fundamental and tedious, find a copy of Judge Elizabeth Maas' Adverse Inference Order in Coleman v Morgan Stanley in the 15th Judicial Circuit, Palm Beach County, and you'll see that the questions are worthy of consideration.

Interrogatories

Identify personnel responsible for administering the electronic mail system(s). This is important, because the person doing the mailbox creation for new users might not be the same person performing the backup and restoration process; and you'll want to talk to them all.

Describe all type(s) of e-mail programs in use at the time, and their installation dates. This is important to know because companies sometimes change e-mail programs, which requires data migration to the new system. In large-scale data migrations, occasionally documents are lost or corrupted. If there's a gap in e-mails for a particular custodian, then knowing that a data migration was performed, and when it occurred, could help identify a cause for the gap.

Then, you're ready to ask the following questions.

• Are e-mail messages stored in a central location (a server), are they on the user's desktop (locally), or both? The answer will put you in a better position to determine whether the users' desktop/laptop computer must be acquired as part of the data-harvesting effort.
• Do users select the location for their e-mail messages, or does the system administrator make this decision? This will help the data-harvesting process too, by quickly pinpointing the location of mailboxes on the individual users' hard drives.
• Is there more than one post office on the system? If yes, then identify post office locations. This is important because it will help identify other data locations (perhaps far from company headquarters). It's not uncommon for e-mail post offices to be broken down by region, job title, business unit or any number of other variables.
• Can users access their e-mail remotely? This will let you know whether home computers must be searched.
• Does a transaction record exist that records dial-up or remote access and the IP address of the originator of the access? (IP addresses are numbers that can be used to track the location someone used to access the e-mail system.) This will let you know whose home computers may need to be searched.
• Are e-mail passwords routinely changed? This, along with the transaction record mentioned previously, will allow you to reduce the 'someone else must have hacked my e-mail account' excuse that some users come up with.
• Are so-called janitorial or clean-up programs, or settings, used to purge e-mail? (These programs can be set by system administrators to delete e-mails that are older than a certain date, or empty waste baskets on a set schedule.)
• Are the post offices backed up? If so, are they backed up together on one tape, or on multiple tapes? Describe the backup software program(s) used. This is important because restoration of the tape may be dependant on having access to that software. These days, however, many vendors can restore tapes in their laboratories without accessing the original backup program.
• What's the frequency of backup? Are these full backups or incremental backups? Full backups, as the name implies, back up all active data. Incremental backups typically back up only data that has changed since the last backup. Full backups take much longer to perform than incremental backups, and as such are performed less frequently, and usually at times during which the business is closed.
• Is the backup process automated? Describe the type of backup media used (tapes, discs, drives, cartridges). Describe the tape rotation cycle. This is important to note, because most companies use only backup tapes for disaster recovery and not for document-retention. These tapes can be quite costly, with prices ranging from $50 – $100 per blank tape, so, understandably companies reuse tapes. Depending on the number of tapes used to perform the backups, this can be quite costly during a litigation hold. For a company that uses only 10 tapes a week, for instance, the cost of additional tapes can quickly soar to $50,000 a year.
• Have any tapes been pulled from rotation? If so, why. Was it well documented? This may need to be disclosed early in the discovery process.
• What is the location of the backup media (off-site storage, out-of-state storage)? |
  • How do the media get to the storage location?
  • How are tapes stored there (racks, cabinets, climate-controlled room or facility)?
• What's your tape destruction method (degaussing, shredding)? Degaussing uses extremely powerful magnets that rend data on the tapes unreadable.
• Are backup tapes labeled? If so, describe the methodology or codes used.
• Are backup tapes indexed by the backup software and/or logged? |
  • Do you back up these logs?
• Do you keep or discard old backup drives or backup software?
• Who has access to backups?
• Who performs backups? Are backups password-protected? |
  • Who has the passwords?
• Have you modified your backup procedures to comply with recent discovery requests?
• Are files ever deleted from the system(s)? If yes: |
  • Do you have a file purge schedule?
  • Are files routinely deleted from servers when employees leave or are reassigned? Describe the method(s) used to delete files.
  • Are e-mail and user server accounts closed and purged when an employee leaves?
  • Are other files archived off the system?
  • What other files have been archived?
  • Where are the archival backups maintained?
  • Who is the person who places the tapes in this place?
  • After being stored here, are they moved somewhere else? If so, who moves the tapes to the new location? Other questions related to these procedures can be crafted to fit specific situations.
• Have you restored data from a backup tape within 24 months? If yes: |
  • What data was restored?
  • Was the restoration operation successful?
  • Describe the resources required to perform the restoration (labor hours, equipment, drive space).
  • Why was the data restored?

Moving Forward

Now that you have met with the IT department and spoken to the people performing the tasks, it's time to turn your attention to the PCs that the custodians of interest use daily.

A complete profile of the individual's technical abilities and access to technology, whether via the company or personal resources, must be built and considered. You must determine where the individual's personal computer is, and ask whether that person uses or has access to handhelds such as:

• Blackberrys;
• CD-ROM or DVD drives;
• USB drives;
• Flash memory; and
• Iomega Zip drives, and their as-sociated media.

Also, determine whether the following are available:

• Network storage devices;
• Network servers or network server backup tapes; or
• Remote access to the company's ser-vers through a VPN or direct access.

Questions particular to the ex-employee's conduct include:

• Did the individual recently upgrade to a new computer, hard drive or software?
• Does the individual have a company or personal phone that has camera or PC features and abilities?
• Does the individual have one or more home computers or devices?
• Has the individual begun employment at another company and should the equipment used there be called into discovery?
• Does the employee have access to Internet-based e-mail or virtual storage services?
• Does the individual have access and abilities to scan and use OCR on documents from physical copies?

Once the identification of potentially discoverable evidence is finished, the collection of the information and permission to gain access must be addressed with care to ensure that spoliation doesn't occur. Leaving the issue of permission to access private property to another discussion, we'll address the collection of e-evidence.

Most states require some professional license for evidence collection, including electronic evidence. Using Texas as an example, data must be secured by a private investigator licensed by the Texas Department of Public Safety to 'secure evidence for use before a court.' Under Texas law, to provide these services, a vendor's staff must maintain private investigator licenses. Vendors collecting electronic evidence, processing it, recovering such evidence or moving it without this licensing are in violation of Texas law, which, in this case, is a Class A misdemeanor for a first offense and a felony for subsequent offenses. These vendors also risk the courts rejecting all the evidence collected. And remember: law firms, corporations and organizations hiring unlicensed vendors are also subject to the law and penalties.

It's also important to note that being licensed and qualified to collect e-evidence may be different things. Some states, through professional courtesy or position, allow CPAs, attorneys, police personnel and others to collect evidence ' whether qualified or not. Spoliation can occur in procedure and process. The legal license to collect evidence must be combined with the professional credentials to secure and process the data.

Scoping Out Vendors and Beyond

When selecting vendors, one should ensure that the vendors targeted have certified and qualified staff that might include licensed private investigators (or the equivalent) and certified computer examiners (CCEs). Certified computer examiners are trained to forensically secure data, forensically copy data, adhere to rigorous procedures and implement a chain of custody to avoid spoliation, and possibly recover data that might be hidden, corrupted or deleted. And a properly qualified external vendor can be called as an expert witness.

Once the private investigator collects and secures the devices, the chain of custody moves to the CCE to further secure, forensically copy, process and recover the data. After the devices are collected, the evidence should then be secured by following specific steps and procedures including:

• Forensically copying all storage devices, using a special hardware device that is a read-only device that will not update or modify the date and time stamps on any file. The copy made at this stage will be an exact bit-for-bit replica of the original drive, including deleted files, unallocated space and file slack, and not just a copy of the active files. In most cases, two copies should be made ' a working copy and a master copy. The master copy should be sealed, signed and documented with a proper chain of custody, and then stored in an appropriate secure location.
• All processing, data recovery and forensics should be performed only on the working copy. If there are additional working copies, copies for opposing counsel, or other needed copies, they should be cloned from the master copy, with the custodian at this point again following prescribed procedures, an established chain of custody and resecuring the master copy once the copying needed is completed.

With the evidence now secure, e-discovery, beginning with the recovery of files, encrypted data, deleted data and evidence in temporary files can begin with confidence that spoliation is not a concern.

Discovery in general is a process that involves time ' a seeking of destination or a particular item. And in legal discovery, and e-discovery especially, the process begins long before the first-level review.

With the arrival of personal computers, decentralized computing, Web-based e-mail, personal storage devices such as USB drives, and a highly mobile, educated and diverse workforce, computers are becoming crime scenes themselves.

And like the painstakingly professional criminalists depicted in the various CSI television shows, computer forensics experts must take care to adequately identify, collect and secure electronic evidence without corrupting (or inadvertently damaging) the source data, and ensure that the collection and processing of the evidence is done without compromise.

With state laws governing the capture and securing of evidence ' including electronic data ' the possibility of spoliation is a genuine concern. Not only could evidence subjected to spoliation be inadmissible, but misdemeanor or felony charges could apply to the collector and the contracting party.

Identifying electronic evidence, much like in a physical crime scene, starts with drawing increasing concentric circles around the victim or perpetrator. Some care must be taken regarding a company's policies and practices. State and federal law on personal property may be involved if the employee used personal devices legally or illegally in combination with the company's assets, and a warrant or commencement of discovery may be required to access personal property or equipment on private property.

Getting on the Trail

The first step in identifying potential sources of evidence starts with the company's assets and procedures. Lawyers and other key players involved should begin by finding out as much about their client's IT infrastructure as possible.

After you see how your client handles data, you will be prepared to ask for, and receive, the data you require.

An on-site visit will prove invaluable. This field trip will serve you well in the case, and will serve you effectively well into the future as you become more familiar with technical terms, technical equipment and the techies (the IT people whose job it is to keep the companies' systems running).

Plan to spend at least a couple of days acquainting yourself with a client's setup and procedures. Use this time to talk with the client's IT people and see for yourself what they do on a daily basis. Sitting in a conference room discussing the client's electronic documents with the chief information officer or the chief legal officer is like looking at an iceberg from afar: you'll get only 10% of the picture. You need to literally get down to the job, and to get down and dirty. For instance, going to the server rooms and asking questions ' lots of questions ' will allow you to help your client identify, locate, secure and produce e-docs, while allowing you to 'smell a rat' when the other side comes back with objections to your document requests. If you have visited an IT operation and asked many, many seemingly 'dumb' questions, then you'll be able to quickly dismiss the same tired objections filed by opposing counsel. The blissfully wed pairs of words unduly burdensome and extraordinarily difficult, and their relatives cost-prohibitive and fishing expedition, can be dealt with in short order because you've seen an IT operation with your own eyes.

Advancing on the Search

Now that a site visit's planned, what's next? What kind of questions can you ask? Who will translate the techie-speak into lawyer-speak?

A certified computer forensics expert will be extremely valuable in these situations. The expert will be able to translate your concerns about spoliation, for instance, to the techies, will be able to translate the technical setup, and explain why certain elements may be important for the case at hand. You shouldn't expect the computer forensics expert to do all the talking, though. After all, it's your case ' you're the lawyer. A sample list of questions the likes of which might serve as a starting point when investigating your client's e-mail system ' and the reasons why they're important ' are provided in the next section of this article. When asking these questions, you'll want to know the reasons the people you're querying chose for making the decisions they did, and whether their procedures are common in the industry.

While the list might seem fundamental and tedious, find a copy of Judge Elizabeth Maas' Adverse Inference Order in Coleman v Morgan Stanley in the 15th Judicial Circuit, Palm Beach County, and you'll see that the questions are worthy of consideration.

Interrogatories

Identify personnel responsible for administering the electronic mail system(s). This is important, because the person doing the mailbox creation for new users might not be the same person performing the backup and restoration process; and you'll want to talk to them all.

Describe all type(s) of e-mail programs in use at the time, and their installation dates. This is important to know because companies sometimes change e-mail programs, which requires data migration to the new system. In large-scale data migrations, occasionally documents are lost or corrupted. If there's a gap in e-mails for a particular custodian, then knowing that a data migration was performed, and when it occurred, could help identify a cause for the gap.

Then, you're ready to ask the following questions.

• Are e-mail messages stored in a central location (a server), are they on the user's desktop (locally), or both? The answer will put you in a better position to determine whether the users' desktop/laptop computer must be acquired as part of the data-harvesting effort.
• Do users select the location for their e-mail messages, or does the system administrator make this decision? This will help the data-harvesting process too, by quickly pinpointing the location of mailboxes on the individual users' hard drives.
• Is there more than one post office on the system? If yes, then identify post office locations. This is important because it will help identify other data locations (perhaps far from company headquarters). It's not uncommon for e-mail post offices to be broken down by region, job title, business unit or any number of other variables.
• Can users access their e-mail remotely? This will let you know whether home computers must be searched.
• Does a transaction record exist that records dial-up or remote access and the IP address of the originator of the access? (IP addresses are numbers that can be used to track the location someone used to access the e-mail system.) This will let you know whose home computers may need to be searched.
• Are e-mail passwords routinely changed? This, along with the transaction record mentioned previously, will allow you to reduce the 'someone else must have hacked my e-mail account' excuse that some users come up with.
• Are so-called janitorial or clean-up programs, or settings, used to purge e-mail? (These programs can be set by system administrators to delete e-mails that are older than a certain date, or empty waste baskets on a set schedule.)
• Are the post offices backed up? If so, are they backed up together on one tape, or on multiple tapes? Describe the backup software program(s) used. This is important because restoration of the tape may be dependant on having access to that software. These days, however, many vendors can restore tapes in their laboratories without accessing the original backup program.
• What's the frequency of backup? Are these full backups or incremental backups? Full backups, as the name implies, back up all active data. Incremental backups typically back up only data that has changed since the last backup. Full backups take much longer to perform than incremental backups, and as such are performed less frequently, and usually at times during which the business is closed.
• Is the backup process automated? Describe the type of backup media used (tapes, discs, drives, cartridges). Describe the tape rotation cycle. This is important to note, because most companies use only backup tapes for disaster recovery and not for document-retention. These tapes can be quite costly, with prices ranging from $50 – $100 per blank tape, so, understandably companies reuse tapes. Depending on the number of tapes used to perform the backups, this can be quite costly during a litigation hold. For a company that uses only 10 tapes a week, for instance, the cost of additional tapes can quickly soar to $50,000 a year.
• Have any tapes been pulled from rotation? If so, why. Was it well documented? This may need to be disclosed early in the discovery process.
• What is the location of the backup media (off-site storage, out-of-state storage)? |
  • How do the media get to the storage location?
  • How are tapes stored there (racks, cabinets, climate-controlled room or facility)?
• What's your tape destruction method (degaussing, shredding)? Degaussing uses extremely powerful magnets that rend data on the tapes unreadable.
• Are backup tapes labeled? If so, describe the methodology or codes used.
• Are backup tapes indexed by the backup software and/or logged? |
  • Do you back up these logs?
• Do you keep or discard old backup drives or backup software?
• Who has access to backups?
• Who performs backups? Are backups password-protected? |
  • Who has the passwords?
• Have you modified your backup procedures to comply with recent discovery requests?
• Are files ever deleted from the system(s)? If yes: |
  • Do you have a file purge schedule?
  • Are files routinely deleted from servers when employees leave or are reassigned? Describe the method(s) used to delete files.
  • Are e-mail and user server accounts closed and purged when an employee leaves?
  • Are other files archived off the system?
  • What other files have been archived?
  • Where are the archival backups maintained?
  • Who is the person who places the tapes in this place?
  • After being stored here, are they moved somewhere else? If so, who moves the tapes to the new location? Other questions related to these procedures can be crafted to fit specific situations.
• Have you restored data from a backup tape within 24 months? If yes: |
  • What data was restored?
  • Was the restoration operation successful?
  • Describe the resources required to perform the restoration (labor hours, equipment, drive space).
  • Why was the data restored?

Moving Forward

Now that you have met with the IT department and spoken to the people performing the tasks, it's time to turn your attention to the PCs that the custodians of interest use daily.

A complete profile of the individual's technical abilities and access to technology, whether via the company or personal resources, must be built and considered. You must determine where the individual's personal computer is, and ask whether that person uses or has access to handhelds such as:

• Blackberrys;
• CD-ROM or DVD drives;
• USB drives;
• Flash memory; and
• Iomega Zip drives, and their as-sociated media.

Also, determine whether the following are available:

• Network storage devices;
• Network servers or network server backup tapes; or
• Remote access to the company's ser-vers through a VPN or direct access.

Questions particular to the ex-employee's conduct include:

• Did the individual recently upgrade to a new computer, hard drive or software?
• Does the individual have a company or personal phone that has camera or PC features and abilities?
• Does the individual have one or more home computers or devices?
• Has the individual begun employment at another company and should the equipment used there be called into discovery?
• Does the employee have access to Internet-based e-mail or virtual storage services?
• Does the individual have access and abilities to scan and use OCR on documents from physical copies?

Once the identification of potentially discoverable evidence is finished, the collection of the information and permission to gain access must be addressed with care to ensure that spoliation doesn't occur. Leaving the issue of permission to access private property to another discussion, we'll address the collection of e-evidence.

Most states require some professional license for evidence collection, including electronic evidence. Using Texas as an example, data must be secured by a private investigator licensed by the Texas Department of Public Safety to 'secure evidence for use before a court.' Under Texas law, to provide these services, a vendor's staff must maintain private investigator licenses. Vendors collecting electronic evidence, processing it, recovering such evidence or moving it without this licensing are in violation of Texas law, which, in this case, is a Class A misdemeanor for a first offense and a felony for subsequent offenses. These vendors also risk the courts rejecting all the evidence collected. And remember: law firms, corporations and organizations hiring unlicensed vendors are also subject to the law and penalties.

It's also important to note that being licensed and qualified to collect e-evidence may be different things. Some states, through professional courtesy or position, allow CPAs, attorneys, police personnel and others to collect evidence ' whether qualified or not. Spoliation can occur in procedure and process. The legal license to collect evidence must be combined with the professional credentials to secure and process the data.

Scoping Out Vendors and Beyond

When selecting vendors, one should ensure that the vendors targeted have certified and qualified staff that might include licensed private investigators (or the equivalent) and certified computer examiners (CCEs). Certified computer examiners are trained to forensically secure data, forensically copy data, adhere to rigorous procedures and implement a chain of custody to avoid spoliation, and possibly recover data that might be hidden, corrupted or deleted. And a properly qualified external vendor can be called as an expert witness.

Once the private investigator collects and secures the devices, the chain of custody moves to the CCE to further secure, forensically copy, process and recover the data. After the devices are collected, the evidence should then be secured by following specific steps and procedures including:

• Forensically copying all storage devices, using a special hardware device that is a read-only device that will not update or modify the date and time stamps on any file. The copy made at this stage will be an exact bit-for-bit replica of the original drive, including deleted files, unallocated space and file slack, and not just a copy of the active files. In most cases, two copies should be made ' a working copy and a master copy. The master copy should be sealed, signed and documented with a proper chain of custody, and then stored in an appropriate secure location.
• All processing, data recovery and forensics should be performed only on the working copy. If there are additional working copies, copies for opposing counsel, or other needed copies, they should be cloned from the master copy, with the custodian at this point again following prescribed procedures, an established chain of custody and resecuring the master copy once the copying needed is completed.

With the evidence now secure, e-discovery, beginning with the recovery of files, encrypted data, deleted data and evidence in temporary files can begin with confidence that spoliation is not a concern.