Correct me if I am wrong, it would not be the first time.
But, I find forensic software vendors' zeal to push their forensic products to be electronic discovery (e-discovery) solutions not just disingenuous, but also extremely dangerous for corporations.
E-discovery, by my understanding, allows the discovery of electronically stored information (ESI).
The big question, before I start blowing steam, what is required to be included in the ESI?
Most would agree corporate e-mail, IM, file storages, web storage, and databases for starters.
But, what about deleted files? What about home computers, non-volatile storage such as USB drives and similar? Do they fall under ESI? Do they belong under e-discovery?
Before answering, be very careful because I am running into issues no one had thought of 5 years ago. For each piece, a corporation has to have consistent, defined and defendable methods of identification, collection, processing, review and production of data. And, it has to be happening consistently. (That is, one-off forensic methods do not count, by my interpretation.)
Can a flash drive fall under this e-discovery? What about an employee-owned device? Can a corporation force an employee to release their iPhone, or home computer for discovery?
(I guess my frustration is with lawyers not knowing what they want, yet demand everything yesterday, at no cost, perfectly, and then they patronize you when you try to explain it will take more time than "yesterday"…)
Well, the latest Federal Rules of Civil Procedure 2006 revision covers ESI and electronic information.
But, what about deleted files? What about home computers, non-volatile storage such as USB drives and similar? Do they fall under ESI? Do they belong under e-discovery?
Yes, if the parties or the judge agree that deleted files are to be included.
It is all part of a large scope of how electronic information will be handled in litigation and legal matters. "Computer forensics" and "e-discovery" are buzzwords (that I am certainly guilty of marketing with) that don't necessarily explain anything about the substance of the topics. As the gatekeepers for information we are responsible for educating our clients, employers and the public what those terms really mean.
The work of the Electronic Discovery Reference Model
I think a computer forensic examiner can provide assistance along the entire e-discovery model. We can provide guidance on where the data lives, how to get it and when to delete it. Then as a legal hold or litigation occurs, we can be agents for collection and preservation of data in a court-worthy manner. That I find is becoming overlooked by many e-discovery vendors and that can be a huge pitfall with issues of spoliation. That left hand of the model is where many of us live but 60% of the costs for e-discovery happen on the right hand for process and review. I feel that if there was more interaction with CF vendors or agents earlier in the model, the process and review costs could be DRASTICALLY cut because only relevant data would be culled instead of everything under the sun. To continue along the discovery path, computer forensic examiners can be called in for consulting of reports process and review, depositions, expert review and trial testimony.
Electronic data has a life span and organizations should handle it in a manner that will allow it to be admitted into civil or criminal disputes easily, cost-effectively and accurately. Computer forensic techniques and tools can greatly help with this effort.
(I guess my frustration is with lawyers not knowing what they want, yet demand everything yesterday, at no cost, perfectly, and then they patronize you when you try to explain it will take more time than "yesterday"…)
I have found that 70% of the business when doing work in the litigation area is that of an educator. Lawyers just do not want to know about technology. If you are consulting in that area, it can be frustrating but you build great long term clients by being their "go to" person about answering technology questions.
There is an increased amount of consolidation among e-discovery vendors which is likely the reason for the marketing push you're seeing. The potential pie of business also got smaller this year, so you have vendors changing their marketing efforts in an effort to generate business.
As far as what is included in ESI, it can be whatever is relevant to the matter at hand. That's the rub: if you're working on a large litigation or investigation where there are 100 or more people who were involved, what exactly do you preserve, process and review? The answer is that someone needs to a) understand the universe of potentially relevant ESI, b) understand what is relevant to the litigation or investigation, and c) be able to negotiate effectively to define the scope.
If you can accomplish a, b and c above, and translate your knowledge into non-technical language for the legal team, you will have gone a long way to defining the scope of the discovery effort and helping the attorneys to understand what would be involved in the effort.
E-discovery, by my understanding, allows the discovery of electronically stored information (ESI).
I find this to be a very poor definition of E-Discovery; in fact, you were more accurate in defining E-Discovery in your below statement,
defined and defendable methods of identification, collection, processing, review and production of data
E-Discovery is the whole process, planning, collection, preservation, processing, reviewing and producing of ESI.
what is required to be included in the ESI?
To me, ESI means anything you can find (logical or unallocated) on digital media (HDDs, CDs, tapes, etc.).
This doesn't mean that all ESI should be collected and processed for each and every E-Discovery case.
I think what you are not considering here is that the use of the term E-Discovery is mostly for the litigation world and certain specifications and restraints are put in place (scope, as someone has already mentioned).
In most litigation cases it is more than just one computer; it is terabytes and terabytes of data, which is too much to realistically process every bit and byte of data. Instead you filter all of the data you think you don't need to be processed; in some cases that may mean don't process unallocated or only process office documents.
Can a flash drive fall under this e-discovery? What about an employee-owned device? Can a corporation force an employee to release their iPhone, or home computer for discovery?
Why wouldn't flash drives fall under e-discovery? It just depends on the scope of the case.
I am not a lawyer or a cop and do not know the law that well, but I am pretty sure that the collection of an employee-owned device is illegal without consent from the employee or warrants. But I am sure there are people on this forum who know the specific laws.
has to be happening consistently. (That is, one-off forensic methods do not count, by my interpretation.)
Yeah… This would be very nice, but I have been in the field for five years and all I can say is that the best you can do is have a solid framework and go from there. I mean how can you expect to have consistent procedures for a field that is always changing?
(I guess my frustration is with lawyers not knowing what they want, yet demand everything yesterday, at no cost, perfectly, and then they patronize you when you try to explain it will take more time than "yesterday"…)
HAHA…Welcome to working with lawyers, they are the highest paid procrastinators in the world (sorry to the lawyers on the forum….who am I kidding, lawyers don't read this stuff).
My view on the whole thing is that part of your job when doing E-Discovery is to lay out everything for the client. Explain the amount of data you have, explain the ways to cull/filter, and if you feel unallocated or removable media pertains to the case then show them. It is a lot of work but saves your a*s in the end.
Besides, they are paying you for your expertise. If they knew how to do it, they wouldn't be calling you (which, I cannot lie, could be a good thing. I do not miss the 2 AM client calls!!)
Hmmm… Why wouldn't a flash drive be discoverable?
I suppose that it may be. But, if I read it correctly, FRCP 30(b)(6):
In its notice or subpoena, a party may name as the deponent a public or private corporation, a partnership, an association, a governmental agency, or other entity and must describe with reasonable particularity the matters for examination. The named organization must then designate one or more officers, directors, or managing agents, or designate other persons who consent to testify on its behalf; and it may set out the matters on which each person designated will testify. A subpoena must advise a nonparty organization of its duty to make this designation. The persons designated must testify about information known or reasonably available to the organization. This paragraph (6) does not preclude a deposition by any other procedure allowed by these rules.
Obviously there is the last sentence caveat, but what about my highlighted section? What is reasonably available? How reasonably available is a deleted file? What about the flash drive on the person?
Ultimately it makes no difference what I think, if my side is not too swift on things, and allows the subpoena to be so broad as to ask for my grandma's chickens…
This is ultimately a balancing act of sorts, balancing what is reasonably accessible vs. what is unique and relevant to the matter. The primary source of ESI should be actively stored information. That is where you start. If your matter involves sexual harassment via e-mail, prohibited Internet activity and so forth, then forensic imaging of a hard drive and the accompanying analysis would likely be within the scope of the work to be done. If your matter involves information theft, and it is believed that the person carried out their theft via a USB drive, then of course the USB drive would be relevant and the opposing side would seek to discover it. All of these decisions are based on the specific case and the applicable rules and laws. The time spent up front to understand the case, plan your approach and educate your legal team is of critical importance.
I've been involved in a number of these and I can honestly say that the answer is "it depends". As others noted, whether a routine search of free space is justified or not seems to have been considered differently by different jurisdictions and, in many cases, the decision rests on whether there was a prediscovery meeting between opposing counsel for the purposes of determining what would be allowed/requested for discovery purposes. The 2006 revisions to the FRCP (which only apply to Federal jurisdiction, not state), recommend such a pre-discovery conference.
In the absence of such an agreement and/or a specific request to examine or require production of documents other than those visible to a regular user, the courts tend to view a subsequent request for additional discovery to be unnecessary or an undue hardship. As I said, however, this is not consistent across all jurisdictions.
As a result of the ambiguity I generally recommend to counsel for my client that they describe, fully, what it is that they intend to affirm or deny so that I can advise them as to the most appropriate or most desirable form of production.
Another issue in forensics that seems to be regarded, differently, in e-discovery, is the notion of "native format" being the most responsive production of ESI. Many e-discovery solutions/service providers do not provide responsive documents in native format (where metadata is preserved). Instead, they produce documents in PDF or TIFF format (with exceptions being such things as spreadsheets where the functionality must be preserved). Again, the courts are not consistent with respect to whether native format is the assumed form of production when it has not been specified in the motion for discovery.
In other words, from a legal perspective, there is no right answer, in my humble opinion, at least not currently.
As a result of the ambiguity I generally recommend to cousel for my client that they describe, fully, what it is that they intend to affirm or deny so that I can advise them as to the most appropriate or most desirable form of production.
That is an excellent paragraph. Mind if I use it next battle, I mean meeting I have with our law department?
I didn't think of the native format either.
Thanks!
Sure. Except spell "counsel" correctly as I didn't.