You May be Surprised to See How Computer Forensics Can Assist Your Case
Computer Forensics is typically not the first thing you think of in any type of complex litigation. But in today’s era of communications and electronically stored information (ESI), it is not surprising to find that computer forensics plays a larger and more crucial role than one might have thought in recent years. The days of copying or scanning box upon box of documents are not over by any means, but paper documents have been replaced by electronic documents in thousands of lawsuits scattered across the country.
Collecting electronic information is not child’s play. It requires knowledge of both the Federal Rules of Electronic Evidence (which are changing) and an understanding of proper methodologies regarding data collection of networks, servers, mobile devices, social media accounts, and cloud based files like DropBox, Google Drive and we can never forget cloud based or server based email.
It requires knowledge of different types of tools and software to use for collections, whether it is on a cell phone, a cloud based email or an image of a hard drive. All must be done to protect the vital integrity of the data.
Remote and targeted collections are popular forms of data collections used today to reduce the cost of collecting ESI during the discovery phase. Remote collections are simply what they say. Using the internet to gain access to another device and forensically collect data while not being physically present. Remote collections are not meant for every case. For example it does not make sense to remotely collect two terabytes of data across the internet to a remote location. This would be more efficient and more cost effective to be done on-site. Remote collections are designed to be cheaper than flying a forensic examiner to another city and placing them directly in front of the device for a small amount of data. Each case is different in weighing which is better for the client/case.
Targeted collections are becoming a viable way to reduce the cost of electronic collections as well. A targeted collection simply defines a specific custodian and or timeline of which to collect the data from. A classic example would be an email account with all emails between July1st 2013 and October 5th, 2014. They are useful when the parties know who the custodians are and the role they likely play in the case. They also make more sense when you know the data retention policy of the custodians involved.
This leads me into the topic of computer forensic electronic collections vs. electronic discovery collections. Some colleagues might argue they are one in the same. Allow me to make my point as I think they are not.
Gardening allows you to grow things above ground and below ground. My personal garden boasts raspberries, strawberries, blackberries, peas, and tomatoes to name a few. All of these can be found above ground and can be seen in plain sight while standing in or near the garden from a harvesting standpoint. This is my idea of electronic discovery in a case. What can be seen in plain sight that can be harvested above ground.
Computer forensics and its goal in electronic collections dives into the garden to harvest the potatoes, radishes and onions that one cannot normally see when standing in the garden. This is known as collecting unallocated space or free space in order to find every possible morsel of data/evidence. In order to collect this type of data, you must collect entire hard drive, servers, phones, external hard drives etc. Standard electronic discovery collections only focus on the data found within the operating system.
This allows you to ask the same questions that you would have asked before in your normal electronic discovery collection, but now allows you to see deleted data that could hold the potential evidence that one might need to prove or disprove a case.
Keep in mind that this may not always be necessary. If all you need are email records from a particular group of custodians from the last nine months and the company has an email retention policy that is supposed to hold emails for two years for example, then this would not apply. Though if one of the items you wished to review in the discovery request was internet history and no retention policy existed for it, then this might be a good time to look at grabbing all of the data from a particular custodian.
In times past while sitting in a conference room with an attorney, the argument automatically becomes, “you are exceeding the scope of the request” or, “you are making this look like a fishing expedition”. This may be true on the surface. It is the natural response from opposing counsel when one would make a request of this nature. It can be solved in a fairly simple way circumventing the look and feel of the fishing expedition within the request.
In a recent case we accomplished this by convincing opposing counsel and the Judge to allow us to take the full forensic image (meaning deleted data and all) and then search through the forensic image for our keywords. The results were given to opposing counsel before they were given to our client. Opposing counsel was then allowed to review the data pulled from the keyword search and then given an opportunity to create a privilege log and exclude anything deemed by counsel to be privileged in nature, or beyond the scope of the request.
Does this take extra time on the part of counsel and opposing counsel? Yes it does. Are more costs involved? Yes they are. This is the reason to consult with your client and with your digital forensic expert to weigh the options/benefits based on the needs and already known evidence of the case. What works in one case most certainly will not be a perfect fit in the next case.
Many considerations and questions must be asked when starting a new case involving electronic discovery as well as computer forensics. One needs to ask many questions involving custodians, dates, types of evidence such as cell phones, laptops and servers as an example. An entire multimillion dollar case can literally hinge on a single email and its contents.
A list of keywords is a typical starting point. Once these have been searched and the results given, it is typical for more detailed questions or furthermore additional technical questions be asked. These questions will likely bring about the answers that will in many instances make or break a case.
In criminal cases deleted data is typically closely observed and noted. It seems that in numerous civil cases, that deleted data is overlooked because one doesn’t know that it can be recovered, or that it is terribly difficult and expensive to do.
Truth be known, using deleted data costs no more to go through than standard data, beyond the time allotted to go through it. Computer forensics is not the first thing an attorney thinks of in his or her case, but it can prove to be essential in multiple case types of litigation. Law Enforcement earmarks large budgets every year for the purpose of making cases based on the evidence found using computer forensics. Savvy litigation attorneys have found a place for computer forensics in their cases as well. It is well worth the time and cost on behalf of the client.