±Forensic Focus Partners
|New Today: 0||Overall: 35535|
|New Yesterday: 1||Visitors: 113|
Collecting And Preserving Electronic MediaBack to top Back to main Skip to menu
Collecting And Preserving Electronic Media
Computer Forensics Inc.
Courts have routinely held that information generated and stored on computers and other electronic forms is discoverable. While this is good news, most attorneys have little or no experience in collecting electronic data and have absolutely no experience in analyzing the data collected. This is particularly troubling as the vast majority of electronically stored data is never reduced to printed form. Thus, it is important for attorneys to learn how to collect and analyze electronic data.
Once a suit has been filed, or at times, even before the suit is filed, it is important that all parties and their counsel are placed on notice that you will be seeking electronic evidence. As information stored on computers is ephemeral and changes every time a user saves a file, loads new software, or performs a myriad of other mundane functions, it is critical that you apprise all parties of your impending requests as soon as they are contemplated. The letter should outline the type and location of the information to be preserved. If parties are unwilling to stipulate to the preservation of electronic data, it may be necessary to file and obtain a protective order outlining the data to be saved and the methods of preservation.
Hire An Expert
After the initial letter has put all parties on notice of the information that will be sought, it may be time to consider hiring a forensic expert. A forensic expert can assist in the drafting of precise interrogatories and requests for production designed to solicit relevant data, as well as preparation for and participation in the 30(b)(6) deposition of a record custodian. Once the media is identified, an expert can ensure that all the data is securely collected, restored, and compiled in a manner that is accessible to an attorney. The expert may need to restore backup tapes and/or make evidentiary image copies of computer hard drives. With the increased use of computers as business and communication tools, failing to request such information could jeopardize your client's case or, worse yet, subject you to a malpractice claim.
Preserve Chain Of Custody To Ensure Admissibility
After the expert has been hired, all subsequent actions must be undertaken with the realization that the admissibility of evidence will depend upon a reliable chain of custody protocols. First, one must be able to demonstrate that no information has been added or altered. Write protecting and virus checking all media helps satisfy this requirement. Secondly, you will need to demonstrate to the court that what is purported to be a complete copy of a specific medium is, in fact, what it purports to be.
You must show the court that a recognized and reliable copying process was used. Using appropriate forensic tools to make an evidentiary image copy of hard drives or other media, confirms that a complete copy was made. To be deemed reliable, the process must meet industry standards for quality and reliability, be able to withstand independent verification and the copies must be tamper proof. Meeting the industry standards is accomplished by using recognized forensic software to create the copy and by saving the data on a recognized medium. Using the same software relied upon by law enforcement agencies certainly legitimizes the process. As long as the court and the opposing counsel can independently verify the information, they can confirm the reliability of the results.
Understanding Your Opponents' Information System
Interrogatories. Having placed all parties on notice of the impending discovery request and having established the protocols for preserving and authenticating the evidence that will be collected, you are ready to begin the search. One of the easiest and least expensive methods for gathering the basic information about a company's information system department is through the use of interrogatories. However, as attorneys generally answer the interrogatories, the responses can be inadequate. This will necessitate scheduling a deposition with key information systems employees. In order to know whom to depose at a later date, make sure to ask the following questions in your interrogatories:
- The personnel responsible for the ongoing operation, maintenance, expansion, backup, and upkeep of the network.
- The personnel responsible for administering email.
- The personnel responsible for the maintenance of computer generated records.
Requests for Production. Requests for production afford a party the opportunity to examine opposing parties' computer systems and to copy all relevant electronic data. When you formulate your request for production, make sure you ask for backup tapes, loose media such as diskettes or CDs, and request evidentiary image copies when necessary.
Backup tapes. Backup tapes generally contain all of an organization's centralized data stores, including email, as of a certain date. This information can be extremely useful. Common procedures call for full backups to be made weekly, with the last tape of the month saved as a monthly backup. While weekly backups are normally rotated, monthly backups are saved anywhere from six months to several years. The backup process is usually indiscriminate. It saves all the information that is on the system at a given point. Thus, the tape may contain information that is damaging to the company.
When collecting backup tapes, make sure to gather information on how the tapes were made, including hardware and software used. In some instances, it may be impossible to restore backup tapes without using the same software and/or hardware used to create the backup.