practicehacker

Cybercontrols, LLC

FRCP Rule 34 provides that the requesting party can "inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control … any designated documents or electronically stored information – including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations – stored in any medium from which information can be obtained …".

Generally, the producing party will provide disclosure of responsive data to the requesting party’s ESI production request by physically transferring the data by CD-ROM, DVD, or other storage media. However, amended FED. R.CIV. P. 34 allows testing, sampling, or in some instances for entry onto the property of an adverse party for the purpose of inspecting the property. Depending on the circumstances, Rule 34 has been interpreted to permit an inspection of an individual or corporate computer system by performing searches on computer data or by creating a forensic or "bitstream" image copy of the storage media for later analysis. Under certain circumstances direct seizure of a computer is permitted.

FED. R. CIV.P.45 authorizes similar options for the inspection of ESI of a nonparty.

One of the most fundamental issues about electronic discovery is how a court should respond to requests for electronic materials that have been "deleted." Courts consistently have held that discoverable ESI includes files that have been "deleted". Courts consistently have held that discoverable ESI includes "deleted" files. If restored, this information could be invaluable for exposing patterns of conduct, behavior or motives surrounding its deletion. However, it usually is necessary to present evidence of the relevance and "specific facts" justifying a request for the "deleted" data or the courts may label the request a "fishing expedition".

Forensic images of a hard drive or other storage media can be created to preserve the data for later searching and analysis. The images can then be searched for deleted or altered files, unauthorized copies of software, or other artifacts.

It is normal to allow a party and/or their expert to be present during the imaging process.

Generally, courts hesitate to grant the requesting party on-site access to conduct the actual search because of the risk that data may be inadvertently altered. If access is permitted to the computer system, the producing party’s IT staff or a neutral third party such as a forensic expert is usually retained to perform the necessary computer tasks.

While a sizeable portion of a computer inspection may include conducting a keyword search to locate relevant documents and e-mails, a computer forensic examination of computer hard drives and other storage media has the potential of uncovering a vast amount of lesser known electronic "facts" pertaining to the case that would otherwise never surface. For examples of these ESI artifacts and how they might contribute to a case matter, click on the "Beyond the Smoking Gun" link below.

CyberControls is not a law firm. We are experienced specialists in the in the field of electronic discovery and production, computer forensics and the integration of computer technology and the rules of discovery. Our professional services teams are comprised of pretrial litigation consultants and field technicians and forensic experts. CyberControls’ expertise in computer forensics and investigative experience has proven to be an invaluable resource to hundreds of legal professionals across the country. Visit CyberControls at www.cybercontrols.net.

Author’s Note: This year I got to blog the ABA Technology Show once again as I did last year in this pair of posts here and here. In addition, this year I was given the opportunity to publish my work in the prestigious publication TechnoLawyer. And on a related (and equally important) note, this was the second year in a row that I was sponsored by the august DuPage County Bar Association, thanks to the hard work of directrix and champion of technology, Glenda Sharp. To Glenda and this year’s bar President, Fred Spitzzeri, a great big Thank You! Here’s to doing it again next year …

I Attended ABA TECHSHOW 2008 and All I Got Was This Lousy Blog Post

Eliminating the Paper Chase: From Boxes to Bytes (Paperless Office Track)

A Real World EDD Motion Hearing (Litigation Track)

The Mobile Office: Take Your Desktop in Your Pocket (Mobile Technology Track)

Outlook Tips and Tricks (Roundtables Track)

So You Want to Be an ABA Author? (Special Session)

Beating the Startup Blues: A Tech Survival Guide (Solo/Small Firm II Track)

Grand Finale: 60 Sites In 60 Minutes

Crazy Mazy’s Best of Show: SQ Global Solutions

Crazy Mazy’s Best of Show: Legal Bar by BEC Legal Systems

Crazy Mazy’s Best of Show: Electronic Discovery

Crazy Mazy’s Best of Show: Adobe Acrobat Professional

A Report from the Exhibit Hall and Suggestions for TechShow 2009

Court Approved Forensic Computer Examination

Inevitably, most commercial litigators have or will be facing an electronic discovery dispute that develops in such a way that a computer examination order is necessary to satisfy the reasonable demands of a requesting party. Of course, if your client is on the producing side, a computer examination request may not seem so reasonable.Nevertheless, a court order to allow the requesting party to conduct the forensic imaging and subsequent search and examination for relevant electronically stored information (ESI) is a process that most state and federal courts will exercise their prerogative to implement a suitable protocol should the counsel for both parties fail to submit such a protocol.

Our firm strongly recommends that every effort be made in anticipation of a court ruling which would permit a forensic computer examination, to develop a fair and reasonable protocol that would cover the complete process and methodology to be followed by the forensic technician. Some considerations for the protocol might be:

1. Provisions for opposing partys computer expert to be present in order to observe the assigned forensic technicians practices in acquiring the bit-stream copies of the subject computers and/or media storage devices.

2. Provisions for two copies of each forensic bit-stream image to be produced-one for the examiner and the other for the producing party.

3. Instructions for the forensic examiner to conduct the search and recovery of ESI within the agreed upon search parameters:

a. List of search terms e.g., specific words, terms, sentences, names, specific dates, e-mail addresses, distinct descriptions etc. developed by both parties.

b. Search and recovery of computer users Internet history if applicable.

c. Examination and review of computer users software/hardware installation and de-installation history.

d. Search and review of all relevant computer system artifacts pertaining to the relevant actions of the user in timeline of interest.

4. Instruct the forensic examiner to generate a search hit summary report to both parties which is a numeric tally of hit results associated with each search term used to conduct the word search phase of the forensic examination. This provides full disclosure to both parties and the Court of the initial results.

5. Provisions to have the forensic examiner copy all search results onto a CD or DVD and have delivered to the producing party for their pre-production review process.

6. Upon completion of the pre-production review, the producing party will submit a privilege log along with their production less any identified privileged ESI.

You can call Cybercontrols at 847-756-4890 or find them online at www.cybercontrols.net.

A recently released pocket guide designed to help federal judges manage the discovery of electronically stored information (ESI) is available to CyberControls clients and monthly newsletter recipients. The guide covers many of the issues unique to discovery of ESI including scope, allocation of costs, production issues, waivers of privilege, work product protection, data preservation, and spoliation. Throughout 2007 Cybercontrols tracked federal and state rulings on e-discovery issues: it should be no surprise to readers that state courts across the country are rapidly applying many of the e-discovery amendments incorporated into the Federal Rules of Civil Procedure. The pervasive use of digital technology means that commercial disputes will, more often than not, involve items that were created, stored, or accessed, electronically. What you choose to do about ESI in your commercial cases is of significant importance. All throughout 2006, the courts have demonstrated a heightened attention to the issues surrounding electronic discovery and this pocket guide for judges is now available to you. As you will see in the guide’s conclusion page, 20, the author strongly encourages its readers (presumably judges), judges must require attorneys to take seriously their obligation to meet and confer under Rule 26(f) and to submit a meaningful discovery plan that addresses ESI issues, and judges must ensure that adequate disclosures are made pursuant to Rule 26(a)(1). This means that lawyers need to come prepared to discuss ESI issues and plans at the pretrial stage of a case. To be prepared, lawyers must devote sufficient time and expertise to assess their own client’s information systems along with all applicable litigation-hold procedures necessary to preserve relevant ESI. Once that’s taken care of, lawyers also need to envision what specific types of ESI should be expected to be produced by the opposing side in order to ask the right questions at the Rule 26(f) meet and confer.

Conducting forensic computer examinations often requires an intensive collaboration between the expert and legal counsel. CyberControls’ expertise has proven to be an invaluable resource to hundreds of legal professionals across the country. Contact Cybercontrols at 847-756-4890 or visit them at www.cybercontrols.net.