User forced Defrag
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Sure, but it could also have been started by the user with the intention of performing PC maintenance, that's the point I was trying to raise.

Which doesn't change the fact that under the 2006 revisions to the Federal Rules of Civil Procedure, even allowing the Prefetch defrag to occur can be considered spoliation. I was involved in just such a case.

Once, through the methods illustrated in the article, you know that the defrag was intentionally initiated by the user, you have NO evidence whatsoever he/she was trying to hide anything, or that the user started the defrag for Anti-forensics purposes.

In the US, the duty to preserve is an affirmative duty, not simply an order to do nothing. Craig Ball has commented upon this, very effectively, IMHO, when he argues that the preservation letter/order should be CC'd to the IT people who have direct responsibility for the devices since they should know what kinds of activities could compromise the data.

Entities have been sanctioned for allowing such things as AV scans to take place on computers that were subject to discovery.

It is not only perfectly legal, but also perfectly normal to periodically defrag a hard disk, let's try not to infer something like

since there is evidence that defrag was manually started then the user had the intention of hiding info by performing Anti-forensic activities

I don't disagree with this statement but it must be taken in context. If the subject device is likely to be used as evidence and the contents of unallocated space is likely to become an issue then any activity which alters that could be considered an act of spoliation or evidence tampering; legal or not.

In other words, the simple answer is "it depends".


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

"Which doesn't change the fact that under the 2006 revisions to the Federal Rules of Civil Procedure, even allowing the Prefetch defrag to occur can be considered spoliation. I was involved in just such a case"

It CAN be considered spoliation and a judge or two might rule that way, however, if you do a little digging you would see that most cases would not warrant a sanction for defrag regardless of how the other side fights for it especially if you have an SOP in place which has been used for years. As well as if the legal dept has gone through that SOP after the FRCP and found it to be acceptable.

"Entities have been sanctioned for allowing such things as AV scans to take place on computers that were subject to discovery."

Once again a very small percentage of cases, very small.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@seanmcl
I don't get most of your post.

Let's say that the Police or another LE officer takes into custody a suspect's notebook under a judge's warrant.

The notebook is forensically examined.

It is found that on the notebook defrag was initiated by the user, say, three days before the warrant was notified.

What gives?

What have the "2006 revisions of the Federal Rules of Civil Procedure" to do with it?

Who is Craig Ball?

Where did he write whatever it is you are commenting on?

The mentioned article is by Chad Tilbury.

There is nothing on the article about "preservation order", the title of the article is

De-mystifying Defrag Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 – Windows XP)

the Conclusion is

….
It should be noted that there are plenty of legitimate reasons for running the defragmenter tool. Other contemporaneous actions need to be reviewed to assess a user’s true intent.
….

The title is thus IMHO not accurate, nothing more, nothing less.

jaclaz


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

"Which doesn't change the fact that under the 2006 revisions to the Federal Rules of Civil Procedure, even allowing the Prefetch defrag to occur can be considered spoliation. I was involved in just such a case"

It CAN be considered spoliation and a judge or two might rule that way,

As I noted, a Federal judge ruled just that way.

however, if you do a little digging

I could dig but since I was in the courtroom as a witness on the case on which this was decided I don't have to.

you would see that most cases would not warrant a sanction for defrag regardless of how the other side fights for it especially if you have an SOP in place which has been used for years.

The following quote is from Craig Ball's paper on the Perfect Preservation Letter. Ball is, of course, an attorney (emphasis mine).

"Adequate preservation of ESI requires more than simply refraining from efforts to destroy or dispose of such evidence. You must also intervene to prevent loss due to routine operations and employ proper techniques and protocols suited to protection of ESI. Be advised that sources of ESI are altered and erased by continued use of your computers and other devices."

As well as if the legal dept has gone through that SOP after the FRCP and found it to be acceptable.

As the above states, SOP may not protect you if, in the opinion of the judge, the SOP contributed to potential spoliation. The questions that I would ask if I were facing such a situation would be whether the producing party was aware of the prefetch defrag and, if so, whether they were aware that it could be turned off. The last question, if they answered 'yes' to the previous one, would be "Why didn't you?"

"Entities have been sanctioned for allowing such things as AV scans to take place on computers that were subject to discovery."

Once again a very small percentage of cases, very small.

The percentage of cases in which this happens may be irrelevant. More important would be the consequences to the producing party if SOP resulted in a sanction or adverse inference instruction. The chances of a large asteroid striking the earth may be remote, but it only has to happen once.


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

Craig Ball is a JD and also markets himself as a CF examiner, charges 5 bills an hour.

The FRCP here in the US dictates much of E discovery.

In the situation you mentioned FRCP would have no bearing on a criminal case. There is a kind of gray area in E Discovery where it says if you have a reasonable expectation that there will be litigation on an issue, you have a duty to preserve that evidence. If someone was notified or believed that a computer would be called into litigation then running defrag "could" be considered spoliation of the evidence. Although more times than not this will be argued and be unfruitful. Much as a discovery request for "everything" is found to be too broad, a normal home user or even a small business user with no IT dept would likely not be found to fall into the spoliation category.


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

Yeah Sean, why dig to prove yourself wrong? Why take 30 rulings against spoliation when you can have one for it?

As far as attorneys go, Craig Ball is ONE out of tens of thousands. His opinion on ESI is just that, his opinion.

I know you have testified in 382 trials, but I have also testified in a few and mostly in Federal court. IME defrag was NOT considered spoliation. So what now? Do we have your judge and the one in my case get together?

"The percentage of cases in which this happens may be irrelevant. More important would be the consequences to the producing party if SOP resulted in a sanction or adverse inference instruction. The chances of a large asteroid striking the earth may be remote, but it only has to happen once."

And it's still a very small percentage, now we are talking about asteroids?


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

It is found that on the notebook defrag was initiated by the user, say, three days before the warrant was notified.

What gives?

I don't understand the question.

What have the "2006 revisions of the Federal Rules of Civil Procedure" to do with it?

The FRCP, among other things, establishes when the duty to preserve evidence begins. It establishes that such a duty begins at the moment that a party becomes aware of the threat of legal action.

As an example, an employee who has signed a non-compete clause as well as non-disclosure or confidentiality agreement announces to his employer that he is leaving to work for another firm. The (former) employer reminds him that he has signed the above and warns him that he may be subject to legal action if he violates the terms of these agreements. At that moment, the employee has acquired a duty to preserve any evidence that might be used against him by the former employer, even if he isn't sued for another 9 months.

Who is Craig Ball?

An attorney and forensic consultant who has written, extensively, on the duty to preserve, eDiscovery, and other things.

Where did he write whatever it is you are commenting on?

It is on his web site.

….
It should be noted that there are plenty of legitimate reasons for running the defragmenter tool. Other contemporaneous actions need to be reviewed to assess a user’s true intent.
….

My point is that this is no longer completely correct. Prior to 2006, there was a wider definition of what constituted a "safe harbor" and most would have agreed that normal operation of a computer, as long as there was no deliberate attempt to alter the evidence, was permitted.

The 2006 revisions were put in place, in part, because it was recognized that computers are far more complex than the old law anticipated and that there are many things that go on in the background which can affect the evidentiary value of ESI. In part, this also means that SOPs are not a defense if they could reasonably be expected to destroy or alter evidence.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Yeah Sean, why dig to prove yourself wrong? Why take 30 rulings against spoliation when you can have one for it?

Defensive are we?

As far as attorneys go, Craig Ball is ONE out of tens of thousands. His opinion on ESI is just that, his opinion.

Nonsense. That is like saying Christiaan Barnard was just a heart surgeon.

I know you have testified in 382 trials, but I have also testified in a few and mostly in Federal court. IME defrag was NOT considered spoliation. So what now? Do we have your judge and the one in my case get together?

First of all, to get different rulings in different jurisdictions happens all the time. One of the reasons for the existence of the Sedona Conference was to address the issue of jurisdictional variations in the application of such things as the FRCP. If it wasn't a problem we wouldn't need a solution.

Second, you seem to be ignoring the fact that even having to defend against a claim such as this is going to cost someone some money. I'm in the business of trying to keep my client's costs of litigating to a minimum which means that while I might make more money successfully defending their practices in court, I'd much rather keep them from having to go to court on such an issue.

Third, the degree to which a user-initiated defragmentation (not limited to the Prefetch folder) is determined, in part, by the likelihood that evidence had been on the computer, the extent to which the system was fragmented (which can be hard to determine after the fact), the likelihood that defragmentation would have overwritten the free space where traces of the document would have been found, and the general question of whether there exists other evidence that establishes a reasonable likelihood that the person had done what they were accused of having done.

In other words, to say that the court ruled one way or another is pointless since the real question is the factual basis for the court's opinion and whether the court's opinion is sustained on appeal.

Since the case to which I referred was settled before trial, there was no appeal of the Court's ruling on spoliation so, for now, it stands.


   
4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
Topic starter  

Very interesting stuff, folks….

Let me take this one step further. (Hypothetical Situation Names have been changed to protect the innocent *G*)

Civil Case. Opposing party is an IT savvy person (Network Engineer, HelpDesk, WebDeveloper etc etc). You *think* the person has not been totally forthcoming and that they may have deleted stuff. SavvyDude has an Attorney who fought imaging of the computer for months before they were asked to produce it.

1. *IF* they were to initiate a defrag manually, could you make a case for spoliation?

2. *IF* they knew about the system defrag and did not do anything to stop it, could you make a case for spoliation?

This would be different from a generic user (like my "I think I know computers" Uncle *grin*) either manually defragging or letting system defrag run.

On an aside, IS THERE a way to disable the system defrag? Can you find out if the user disabled it via the registry?

Regards….
-=ART=-


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Civil Case. Opposing party is an IT savvy person (Network Engineer, HelpDesk, WebDeveloper etc etc). You *think* the person has not been totally forthcoming and that they may have deleted stuff. SavvyDude has an Attorney who fought imaging of the computer for months before they were asked to produce it.

Which means nothing in terms of their affirmative duty to preserve.

1. *IF* they were to initiate a defrag manually, could you make a case for spoliation?

Most definitely. You would likely have to establish other grounds to support the notion that this action was done expressly for the purposes of overwriting free space and, of course, the defense will try to establish that even a system defrag is not guaranteed to wipe all traces of evidence. But that may not matter if you can establish that the risks of defragmentation on the destruction of evidence are of sufficient concern to legal and eDiscovery professionals to warrant suspension of the activities (See below).

2. *IF* they knew about the system defrag and did not do anything to stop it, could you make a case for spoliation?

In a word, yes. This might even be more damaging in the sense that the Prefetch defragmentation is typically run every three days and, therefore, about 10 times a month.

On an aside, IS THERE a way to disable the system defrag? Can you find out if the user disabled it via the registry?

Yes. I could tell you but then Harlan would have to kill me for denying him the credit which comes with you buying his book.


   
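jaclaz's hypothetical earlier in the thread (a defrag started three days before the warrant) and Art's question about telling a manual defrag from the scheduled one both come down to reading the Prefetch artefacts that the defragmenter binaries leave behind. The following Python is an added example, not code from this thread or from Chad Tilbury's article: it parses the Windows XP prefetch header (format version 17, the layout Part 1 of the article deals with), extracts the executable name, the last-run FILETIME and the run counter, and then filters for DEFRAG.EXE / DFRGNTFS.EXE / DFRGFAT.EXE runs inside a window before a reference time. The sample .pf headers, the timestamps and the warrant time are constructed for the demonstration; the field offsets are the documented version-17 layout.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets of a Windows XP / Server 2003 prefetch file (format version 17).
PF_VERSION_XP = 0x11
PF_SIGNATURE = b"SCCA"
OFF_FILE_SIZE = 0x0C      # 4-byte total file size
OFF_EXE_NAME = 0x10       # 60 bytes, UTF-16LE, NUL terminated
OFF_LAST_RUN = 0x78       # 8-byte FILETIME of the most recent run
OFF_RUN_COUNT = 0x90      # 4-byte little-endian run counter
MIN_SIZE = 0x98           # smallest buffer that contains every field used here

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Binaries XP launches when a defragmentation is started from the GUI or the
# command line; their .pf files are the artefact an examiner looks for.
DEFRAG_BINARIES = {"DEFRAG.EXE", "DFRGNTFS.EXE", "DFRGFAT.EXE"}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact inverse of filetime_to_datetime, using integer arithmetic only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_prefetch(data):
    """Return exe name, last run time and run count from an XP-format .pf blob."""
    if len(data) < MIN_SIZE:
        raise ValueError("buffer too small to be an XP prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    if data[4:8] != PF_SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported prefetch version 0x{version:x}")
    raw_name = bytes(data[OFF_EXE_NAME:OFF_EXE_NAME + 60])
    exe = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    last_run, = struct.unpack_from("<Q", data, OFF_LAST_RUN)
    run_count, = struct.unpack_from("<I", data, OFF_RUN_COUNT)
    return {"exe": exe.upper(),
            "last_run": filetime_to_datetime(last_run),
            "run_count": run_count}


def defrag_runs_within(records, reference, window_days):
    """Defragmenter executions whose last run falls in the window ending at reference."""
    earliest = reference - timedelta(days=window_days)
    return [r for r in records
            if r["exe"] in DEFRAG_BINARIES and earliest <= r["last_run"] <= reference]


def build_sample_pf(exe, last_run, run_count):
    """Constructed test data: a minimal XP-format header, not a real .pf capture."""
    buf = bytearray(MIN_SIZE)
    struct.pack_into("<I", buf, 0, PF_VERSION_XP)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, OFF_FILE_SIZE, len(buf))
    name = exe.encode("utf-16-le")[:58]          # leave room for the NUL terminator
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(name)] = name
    struct.pack_into("<Q", buf, OFF_LAST_RUN, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)


# Constructed scenario: a defrag run three days before a hypothetical warrant time.
WARRANT_TIME = datetime(2010, 3, 13, 9, 0, tzinfo=timezone.utc)
SAMPLE_PF_FILES = [
    build_sample_pf("DEFRAG.EXE", datetime(2010, 3, 10, 12, 0, tzinfo=timezone.utc), 1),
    build_sample_pf("DFRGNTFS.EXE", datetime(2010, 3, 10, 12, 0, 5, tzinfo=timezone.utc), 1),
    build_sample_pf("NOTEPAD.EXE", datetime(2010, 3, 11, 8, 30, tzinfo=timezone.utc), 14),
]


def sample_defrag_hits(window_days=7):
    """Parse the constructed .pf files and report defragmenter runs in the window."""
    records = [parse_xp_prefetch(pf) for pf in SAMPLE_PF_FILES]
    return defrag_runs_within(records, WARRANT_TIME, window_days)


if __name__ == "__main__":
    for r in sample_defrag_hits():
        print(f"{r['exe']:<14} last run {r['last_run']:%Y-%m-%d %H:%M:%S} UTC, "
              f"run count {r['run_count']}")
```

On a real image the same functions are fed the bytes of each file under %SystemRoot%\Prefetch. The XP format only stores the most recent run time, so a run count above one says a prior execution happened without saying when; that, and the article's own caveat that contemporaneous activity has to be reviewed before intent is read into a defrag, is why the window filter reports candidates rather than conclusions. The companion check for Art's second question is the Enable value (Y or N) under HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction in the SOFTWARE hive, which governs XP's automatic layout optimisation; its key last-write time can be compared against the prefetch timestamps, but that lookup is outside this example.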