space graphicbullet graphic Law.com Homespace graphicbullet graphic Newswirespace graphicbullet graphic LawJobsspace graphicbullet graphic CLE Centerspace graphicbullet graphic LawCatalogspace graphicbullet graphic Our Sitesspace graphicbullet graphic Advertise
 
• Feature Home Page

• Slam the Door on E-Mail Retention Woes

• Gambling on 'Visual E-Mail Analytics'

• Is Your Law Firm Private Enough?

• Dealing With Third-Party Providers

• Preparation Is Key to Your Case









Data Collection Standards
Albert Barsocchini
Law Technology News
01-15-2004

The current methodology for collecting electronic evidence in response to Hart-Scott-Rodino second requests and large electronic discovery cases is about to change dramatically.

Data collection involves copying responsive data from the hard drive of a target computer to a portable drive or other storage device for transport to an EDD vendor for processing. Properly preserving electronic evidence is the goal of data collection.

Unfortunately, a look behind the current process reveals flaws. In a large corporate setting, the harvesting of responsive data is done using portable hard drives linked to the target computer by a USB or FireWire connection. The data is copied from one drive to the other for transport.

Under the direction of an attorney, the data collection technician travels around the country with an assortment of portable hard drives gathering responsive data from laptops, workstations, network servers and PDAs. At the rate of $300 per hour for data collection, this can get expensive quickly. The data collected is downloaded to a central repository and processed by experienced EDD vendors for production online or "blow back" to paper.

There are serious problems with the current collection methodology.

1. Key metadata (including creation, modified and accessed dates of the targeted data) is changed when copying between hard drives.

2. Copying of files often destroys ownership information. If it is necessary to determine, at a later time, who created or had access to a document, this information is tracked by the operating system and is not available unless the collection is done in a proper forensic manner.

3. There is no easy way to verify that the data copied has not been changed during the collection process.

4. The original file location and path of the target data must be manually documented by the collector for future reference.

5. Exact metrics on the type and amount of data that will be collected is usually unknown until the data is in the hands of the processing vendor unless special software is loaded onto the subject drive.

6. If additional data is located or if data is lost during the transfer process, the collector must revisit the custodian and try again.

7. Gathering data using a portable hard drive can be problematic because of compatibility issues and the risk of damaging or destroying evidence on the target computer.

8. The data collected onto a portable hard drive should be encrypted and properly protected for transport.

9. Forensic examination may be necessary to recover deleted files in certain cases, which requires additional travel time and costs.

Data collection using portable hard drives is costly, inefficient, disruptive, inaccurate and not a forensically sound way to collect responsive data in important high-profile cases. The courts will soon require the same methodology and accountability demanded in computer forensic examinations.

This is important because more than 90 percent of the documents now collected in Hart-Scott-Rodino second requests are electronic. Millions of pages of electronic evidence are collected in an average merger. Accuracy and accountability in the collection process is critical because of the importance of electronic evidence.

STANDARDS

As EDD develops and matures, so do the standards in data collection. As you evaluate vendors, here are some factors to look for:

  • Does the software permit remote evidence acquisition?

  • Does it document the chain of custody automatically at the time of acquisition, and is it continually self-verified thereafter?

  • Is it a network-enabled computer forensic tool? Can it provide forensic acquisition and analysis of data on servers and workstations anywhere on your network?

  • From a single network workstation, can it preview, acquire and preserve data from your users?

  • Is the collection process centralized? A centralized system significantly cuts down on travel.

  • Is the data preserved according to forensic protocols?

  • How is the integrity of the data verified?

  • What metrics are delivered?

  • What security is offered during and after the data is collected?

  • Is the system accepted by both courts and law enforcement agencies worldwide?

    Collecting data in mergers and acquisitions and large discovery cases is new. The courts have yet to adopt or recommend protocols for the data gathering process. The sheer volume of electronic data now collected necessitates that proper procedural protocols be established.

    Albert Barsocchini is a member of the LTN Editorial Advisory Board and is principal of The Lawtek Group, based in San Rafael, Calif.



    • About ALM  |  About Law.com  |  Customer Support  |  Reprints  |  Privacy Policy  |  Terms & Conditions