Thank you for sharing!

Your article was successfully shared with the contacts you provided.
You’ve just landed a career-making case: an intellectual property suit against Huge Co., which manufactures that wonderful Widget that the world can’t do without. It’s accused of stealing the idea from a little “mom and pop” company. When they first spoke with you, Mom and Pop showed you printouts of e-mails from Huge Co., telling them how much they looked forward to developing the Widget, and going into details of how they might improve it, and how profitable it will be for everyone. Then Mom hands over the letter from the vice president of something-or-other advising her that he regrets that they cannot justify the product, and are canceling. Of course, a few months later the Widget showed up on store shelves. A slam-dunk! You dream about the zeros on the settlement check. So what do you do now? It’s not enough anymore to subpoena business records. A company’s records could be stored on corporate servers, desktop computers, backup tapes, even home PCs of officers and managers. Some hard drives are so small they can attach to your keychain. Rule 34 of the Federal Rules of Civil Procedure basically says that you can seize documents stored on computer equipment the same way you could from a file cabinet. But there are two big differences. First, electronic evidence is latent, just like fingerprints or DNA evidence. You can’t just look at a laptop (or PDA, or hard drive, or floppy disk) and see the document entitled “This is how I did it.doc.” Data must be processed through the operating system and application software in order to view and print it, and must be done properly, while preserving the integrity of the data on the subject computer. To be accepted as evidence in court, the data must be duplicated, recovered and documented by someone trained in computer forensics. Just like fingerprints or DNA, electronic evidence must be processed and presented by professionals. Otherwise, you may not get a second chance at it, because much of it can only be recovered through the use of specialized software. Second, files on a computer can be easily erased with a click of a mouse button, and it can be difficult to prove who held the mouse. On top of that, once they’re erased they’re in danger of being overwritten, just through the normal operation of the computer. That’s why it’s so important to follow proper forensic procedures in seizing the data you need — you could destroy it if you just start up the PC and start exploring the hard drives. Hollywood loves to portray law officers serving a warrant on the bad guy, finding his PC and going through it right then and there to find the evidence of his crimes. Can you say “inadmissible?” The biggest single cause for impeachment of electronic evidence is mishandling in the seizure and acquisition phase. All too often, “first responders” make the critical mistake of exploring a subject computer to find evidence before they submit it to a forensic investigator. Or worse: installing software on the seized computer to recover deleted files. Not only have you damaged or destroyed the evidence, you’ve tainted it and guaranteed that it won’t be admitted. John Gosser owns TotalESecure.com, which trains IT and law enforcement personnel. “The first minute of activity from the first responder can make or break a civil or criminal case,” he says. “It means the difference in having the evidence with which to litigate your position, or having nothing and placing yourself at the mercy of your opponent.” CHECKLIST To get recovered data admitted as evidence, you need to specify: � exactly what data you want in your discovery motions, in detail (e.g., e-mail traffic, financial information, correspondence); � that you need the deleted data from the media. If you’re not sure how to structure the discovery motion to address electronic evidence, talk to a consultant to help prepare your discovery plan; � what computers, backup archives or other media you want to search. It’s not uncommon for a discovery motion to take several pages just to describe the computer systems you want to seize. Once you’ve determined that evidence is in electronic form, every hour counts. Corporate servers can be incredibly dynamic, especially in terms of e-mail traffic. Many companies clean out e-mail every week (or daily) when they back up the servers. If computer systems are so dynamic, how can you guarantee that your evidence won’t be overwritten by the time you get to it? You may not be able to. Protective orders are nice, but in today’s business climate they’re impractical — you can’t hold up the business operations of a company until your forensic experts can get there to seize the data. That’s where the backup archives come in. Even if the defendants decide to get shady and clean the data from their computers and the servers, it’s likely to still be on the backup tapes. PROPER DOCUMENTATION The second biggest cause of electronic evidence getting tossed is lack of proper documentation. Data seized and entered as evidence (and sometimes entire cases) have been thrown out because there was never a chain-of-custody for the seized computer media, or worse yet, because there was a hole in whatever chain existed. If you can’t document where the computer came from, who seized it, who had access to it and who investigated it, all you have is a bunch of files. In addition to a complete chain-of-custody, there should be a detailed inventory of the media involved, including make, model, serial number, condition and capacity. As in any forensic investigation, detail is critical to success. Any documentation that you feel helps your case should be included. L.M. Larsen is director of investigations at Austin, Texas’ Renew Data Inc.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.