Frequently Asked Questions
Review the Federal and state rules and statutes that address electronic discovery, computer forensics, and the integration of technology in litigation.
What is Electronic Evidence?
Can my internal IT staff conduct an investigation and extract electronic evidence?
What happens to electronic information after it is deleted?
What can I do immediately to safeguard the integrity and admissibility of electronic evidence?
What is spoliation and how can I protect against it?
Can electronic evidence be extracted from PDAs or cellular phones?
Can an employee be required to present a personal computer system for a forensic investigation and discovery proceedings?
What is metadata and why is it important to an investigation?
Which party is responsible for paying the cost of forensic analysis and electronic discovery?
What is the advantage of processing data electronically rather than in paper form for discovery purposes?
Can I determine if a duplicated hard drive is an exact copy of the original?
What is Electronic Evidence?
According to Black's law dictionary, evidence is "any species of proof, or probative matter, legally presented at the trial of an issue, by the act of parties and through the medium of witnesses, records, documents, exhibits, concrete objects, etc. for the purpose of inducing belief in the minds of the court or jury as their contention."
As a general rule, "electronic evidence" can be any information created or stored in digital form that is relevant to a case. This includes, but is not limited to, emails, text documents, spreadsheets, images and graphics, database files, deleted files, and data back-ups. Electronic evidence may be located on floppy disks, zip disks, hard drives, tape drives, CD-ROMs or DVDs, as well as portable electronic devices such as PDAs and cellular phones.
Can my internal IT staff conduct an investigation and extract electronic evidence?
Although internal IT staff are often highly knowledgeable regarding their working environment and the technology employed within, computer forensic investigations are best performed by outside experts.
Specifically, the nature of the forensic analysis process, coupled with the requirements of law enforcement agencies and the court system, necessitates that computer forensic investigations be performed by external entities equipped with authorized forensic technology and trained to observe forensic protocols. Forensic specialists:
- Employ the proper hardware and software to identify, isolate, and preserve electronic information in a court admissible manner
- Possess the expertise and experience vital to efficiently analyze electronic information and uncover electronic evidence
- Rely upon essential training and experience to ensure the court admissibility of electronic evidence
- Offer truly objective expert testimony that only a third-party computer forensic investigator can
- Expose flaws in opposing counsel's interpretation of electronic evidence and results from their forensic analysis efforts
What happens to electronic information after it is deleted?
A common misconception is that when information or a specific file is deleted, it is permanently erased from the hard drive. In reality, deleting a file does not erase its contents. What is removed is a small piece of information that points to the location of the file on the hard drive.
The operating system uses this pointer to build the directory tree structure; once the pointer is removed, the file becomes invisible to the operating system. Over time, the space occupied by the unwanted file will be overwritten by new information.
Forensic technology exists to locate, reconstruct, and recover deleted files and information that still exist in full or have been only partially overwritten by new data.
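The following is an added illustration, not code from the original FAQ: a toy block device in Python whose "delete" only removes the directory entry, so the file's bytes stay on the blocks until a later write reuses them. A carving pass over unallocated blocks then shows what a forensic tool can still recover, including the partially overwritten case. The disk layout, file names and contents are constructed for the demonstration.

```python
"""Simulated deletion on a tiny block device (added example, not from the FAQ).

A disk is modelled as fixed-size blocks plus a directory table mapping
file names to block lists. Deleting a file removes only the directory
entry (the 'pointer'); block contents are untouched until reallocated.
"""
BLOCK_SIZE = 16
NUM_BLOCKS = 8


class ToyDisk:
    def __init__(self):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(NUM_BLOCKS)]
        self.directory = {}  # filename -> list of block indexes (the "pointer")

    def _free_blocks(self):
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(NUM_BLOCKS) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        alloc = free[:len(chunks)]
        for idx, chunk in zip(alloc, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = alloc

    def read(self, name):
        # Text-only toy: trailing NUL padding is stripped on read.
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def delete(self, name):
        # Only the pointer disappears; the block contents remain on disk.
        del self.directory[name]

    def carve(self, signature=b""):
        """Scan unallocated blocks for leftover data, optionally matching a header."""
        found = []
        for i in self._free_blocks():
            content = self.blocks[i].rstrip(b"\x00")
            if content and content.startswith(signature):
                found.append(content)
        return found


def demo():
    """Constructed scenario: write, delete, carve, then overwrite part of the file."""
    disk = ToyDisk()
    disk.write("memo.txt", b"MEMO:merger-plan-with-rival-corp")  # 32 bytes -> blocks 0 and 1
    disk.delete("memo.txt")
    listed = sorted(disk.directory)         # [] : invisible to the "operating system"
    by_header = disk.carve(b"MEMO:")        # header block still intact and recoverable
    residual_before = disk.carve()          # both blocks of the deleted file survive
    disk.write("notes.txt", b"NOTE:lunch-order")  # reuses block 0, clobbering the header
    residual_after = disk.carve()           # only the tail of the old memo remains
    return listed, by_header, residual_before, residual_after


if __name__ == "__main__":
    for label, value in zip(("listed", "by_header", "before", "after"), demo()):
        print(f"{label:10} {value}")
```

The last step is the "partially overwritten" case from the text: a header-based search no longer finds the memo once its first block is reused, but the remainder is still present in unallocated space until it too is overwritten.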
What can I do immediately to safeguard the integrity and admissibility of electronic evidence?
The fragile and volatile nature of electronic information requires orchestrated efforts to ensure electronic evidence is protected and maintained to facilitate its thorough analysis by a computer forensic specialist and its introduction into an active litigation.
Internal technology relevant to an investigation or litigation should be immediately removed from operation and isolated from unauthorized use with a clearly documented chain of custody agreement to ensure electronic evidence is not unintentionally corrupted or overwritten.
If relevant technology is under the management of opposing counsel, a notification of the duty to preserve electronic evidence should be transmitted. This letter should detail the information to be preserved, potential locations of suspect information, listing of people that may have access to the technology, and all potential storage media where the information may reside, such as hard drives, CD-ROMs, and backup tapes.
If necessary, an injunction or preservation order forbidding the deletion or manipulation of electronic information can be obtained.
What is spoliation and how can I protect against it?
Spoliation is the intentional or negligent destruction or alteration of evidence when there is current litigation or an investigation or there is reasonable anticipation that either may occur in the near future. Some jurisdictions also define it as a failure to preserve information that may become evidence.
To address spoliation and minimize threats to the forensic integrity of electronic evidence and its admissibility in a litigation, technology potentially containing electronic evidence must be handled methodically and in response to the fragile and volatile nature of electronic information.
When litigation arises, corporate counsel needs to think both offensively and defensively about managing electronic evidence. Preservation memos should be sent to all employees who have potentially relevant data, specifically identifying each type of system records that may have relevance to the case. Monitoring preservation compliance is extremely important to avoid spoliation sanctions.
Technology relevant to an investigation or litigation should be immediately removed from operation and isolated from unauthorized use with a clearly documented chain of custody agreement to ensure electronic evidence is not unintentionally corrupted or overwritten.
Furthermore, the nature of the forensic analysis process, coupled with the requirements of law enforcement agencies and the court system, necessitates that computer forensic investigations be performed by certified experts equipped with authorized forensic technology and trained to observe forensic protocols, which greatly reduces the risk of error, omission, or direct damage to the forensic integrity of electronic evidence.
Can electronic evidence be extracted from PDAs or cellular phones?
As PDAs, cellular phones, and other portable electronic devices become increasingly powerful, their capabilities and functions resemble those of traditional personal computers. With the ability to run advanced applications, access the Internet, and send and receive email, these devices often contain an abundance of information pertinent to an investigation or litigation.
Forensic investigative techniques can be readily employed on PDAs, cellular phones, and other electronic devices to identify, isolate, and analyze data in full accordance with court admissibility guidelines.
Can an employee be required to present a personal computer system for a forensic investigation and discovery proceedings?
An employee may be required to present personal computer systems and technology devices for discovery if an employer has reason to believe that information pertinent to an investigation or litigation has been accessed or stored by an employee on a computer system outside of the immediate control of the employer.
With the increased corporate acceptance of telecommuting and the capabilities of remote access software, employees working on company-related projects on personal computers at home have direct access to corporate files and email, which are discoverable.
Privacy concerns and objections by an employee have been addressed by courts, in that protective orders can be issued to restrict the scope of a forensic investigation on a personal computer system and prevent exposing unrelated information.
What is metadata and why is it important to an investigation?
Metadata is, simply put, data about data. Specifically, metadata describes how, when, and by whom a particular electronic file was created and modified, and where it was transmitted. These technical attributes of a file often yield information and insight relevant to an investigation or litigation, as they convey a detailed account of a document's history and distribution.
Additionally, metadata can often be used to reconstruct a timeline of events, produce additional investigative leads, and establish a user's knowledge regarding the existence and content of files.
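As an added example (not part of the original FAQ) of the timeline reconstruction described above, the Python below reads the modification, access and metadata-change timestamps that the file system keeps for each file and merges them into one chronological list, the basic idea behind forensic timeline tools. The sample files and their timestamps are constructed in a temporary directory; the metadata-change time cannot be set by a user program, so in the demo it simply reflects when the files were created.

```python
"""Build a file-activity timeline from file system metadata (added example)."""
import os
import tempfile
from datetime import datetime, timezone


def collect_events(paths):
    """Return (timestamp, label, filename) tuples for every file, oldest first."""
    events = []
    for path in paths:
        st = os.stat(path)
        for label, ts in (("modified", st.st_mtime),
                          ("accessed", st.st_atime),
                          ("inode-changed", st.st_ctime)):
            events.append((ts, label, os.path.basename(path)))
    events.sort()
    return events


def format_timeline(events):
    """Render events as fixed-width UTC lines for a report."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {label:14} {name}"
            for ts, label, name in events]


def demo():
    """Constructed sample: two files with chosen modification/access times."""
    # filename -> (mtime, atime), Unix seconds; values are made up for the demo
    sample = {
        "budget.xlsx": (1_700_000_000, 1_700_003_600),
        "memo.docx": (1_699_990_000, 1_700_007_200),
    }
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, (mtime, atime) in sample.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(b"constructed sample content")
            os.utime(p, (atime, mtime))  # os.utime takes (atime, mtime)
            paths.append(p)
        events = collect_events(paths)
        for line in format_timeline(events):
            print(line)
        return [(label, name) for _, label, name in events]


if __name__ == "__main__":
    demo()
```

In the demo the memo is modified first, then the budget, and each is read later; the timeline makes that sequence visible across files without opening any of them, which is what gives metadata its investigative value.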
Which party is responsible for paying the cost of forensic analysis and electronic discovery?
Federal and state procedural rules pertaining to discovery clearly extend to electronic information and evidence stored in digital form on computer systems and technology devices.
Regarding cost allocation, the US Supreme Court has stated "the presumption is that the responding party must bear the expense of complying with discovery requests, but [the responding party] may invoke the district court's discretion under Rule 26(c) to grant orders protecting him from 'undue burden or expense' in doing so, including orders conditioning discovery on the requesting party's payment of the costs of discovery."
However, discovery costs may still be shifted to the requesting party. A series of case precedents outlines cost-shifting approaches, including what has become a standard known as the "Zubulake factors", which are as follows:
- The extent to which the request is tailored to discover relevant data.
- The availability of that data from other sources.
- The total cost of production, relative to the amount in controversy.
- The total cost of production, relative to the resources available to each party.
- The relative ability and incentive for each party to control its own costs.
- The importance of the issues at stake in the litigation.
- The relative benefits to the parties in obtaining that data.
For more information, please see Zubulake v. UBS Warburg LLC, 2003 U.S. Dist. LEXIS 7939, 91 Fair Empl. Prac. Cas. (BNA) 1574 (S.D.N.Y. May 13, 2003).
What is the advantage of processing data electronically rather than in paper form for discovery purposes?
Electronic documents and data files greatly enhance and expedite the discovery process, as vast amounts of information may be easily filtered and processed to extract relevant information through basic keyword searches and Boolean search criteria. Additionally, electronic documents possess a wealth of auxiliary information in the form of metadata, providing valuable insight and electronic evidence to support an investigation or litigation.
Electronic documents are significantly less expensive to duplicate, store, and transmit, further reducing the costs of discovery. The capabilities built into electronic documents allow their authenticity to be easily validated, protect them against alteration, and restrict unauthorized access, establishing discovery of electronic documents and data files as a clear benefit to any litigation.
Can I determine if a duplicated hard drive is an exact copy of the original?
Demonstrating that a forensically duplicated hard drive or other media device is precisely identical to the original is critical to ensuring the court admissibility of electronic information.
To address this issue, a computer forensic specialist employs hardware and software to prevent the manipulation or corruption of data on the original device, while facilitating a true bit-by-bit duplication. To validate a successful forensic duplication and to verify the original is identical to the new copy, a hash value is calculated.
This hash value is produced by a sophisticated mathematical algorithm known as MD5 (Message Digest 5), which computes a unique hexadecimal identifier from the entirety of the data stored on a hard drive. The hash value is computed separately on the original hard drive and on each subsequent duplicate to confirm that they match, thus demonstrating an exact and identical copy.
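The verification step above, as an added Python example that is not part of the original FAQ: both the source and the image are hashed in fixed-size chunks (so media larger than memory can be handled) and the digests compared. MD5 is computed because the FAQ names it; SHA-256 is computed alongside, as current practice records, because MD5 is no longer collision resistant. The "source" and "image" files are constructed in a temporary directory, and one image has a single bit flipped to show that any change breaks the match.

```python
"""Verify that a forensic image matches its source, byte for byte (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so the file never has to fit in memory
PAYLOAD = bytes(range(256)) * 4096  # 1 MiB of constructed "drive" content


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file, computing all digests in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image):
    """Return (matches, source_digests, image_digests); matches only if every digest agrees."""
    src, img = hash_file(source), hash_file(image)
    return all(src[a] == img[a] for a in src), src, img


def demo():
    """Constructed scenario: one faithful image and one with a single flipped bit."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "source.dd")
        good = os.path.join(d, "image_good.dd")
        bad = os.path.join(d, "image_bad.dd")
        for p in (source, good):
            with open(p, "wb") as fh:
                fh.write(PAYLOAD)
        with open(bad, "wb") as fh:
            # identical except for the lowest bit of the final byte
            fh.write(PAYLOAD[:-1] + bytes([PAYLOAD[-1] ^ 0x01]))
        ok_good, src, _ = verify_image(source, good)
        ok_bad, _, img_bad = verify_image(source, bad)
        return ok_good, ok_bad, src, img_bad


if __name__ == "__main__":
    ok_good, ok_bad, src, img_bad = demo()
    for algo in src:
        print(f"{algo:7} source {src[algo]}")
        print(f"{algo:7} bad    {img_bad[algo]}")
    print("faithful image matches:", ok_good)
    print("altered image matches: ", ok_bad)
```

The digests recorded at acquisition are what a chain-of-custody record carries forward; recomputing them on the working copy before analysis, and again before the copy is produced, demonstrates that nothing changed in between.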