Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Consider the following hypothetical: A company has been tipped off that some recently departed employees may have left with more than they were entitled to — namely, proprietary information that might amount to a theft of trade secrets. After a month of strategic planning, the litigation team retains a third-party computer forensics consultant to analyze the company’s server. Their efforts are successful; evidence of wrongdoing is discovered. The next step is to corroborate the information found on the server with corresponding evidence on the former employees’ workstations. As it turns out, the company has a perk allowing employees to purchase their work computers, a policy designed to cull obsolete machines. The employees in question purchased theirs and took them when they gave notice. The plaintiff and their forensics experts are eventually able to gain access to these machines through a court order. However, by the time they get there, much of the data they were seeking had been overwritten and otherwise “scrubbed,” rendering it irretrievable and irrelevant. Had the plaintiff had the foresight to have the court quarantine these computers at the outset, damning evidence may have been preserved in an admissible format. EARLY INTERVENTION There are a number of logical reasons for conducting a level of forensics analysis and intervention at the outset of a case. From a case management standpoint, deploying forensics experts can constitute a wise allocation of a litigator’s most valuable commodity: time. While a litigator will be well versed in his or her chosen specialty area (securities, for example), a forensics expert will possess a strong understanding of common digital evidence issues that arise in securities litigation. After all, every case a computer forensic expert gets involved in will entail computer forensics, but there is little question that most litigators could get up to speed on e-discovery issues. The question is, does such prep work constitute a good use of the litigator’s time? Thanks to their focused experience, forensics consultants can offer some unique perspectives and strategies that the attorney may not have thought of or been exposed to. From a case strategy standpoint, early computer forensics consultation can prove invaluable, as it might prevent you from accidentally bargaining away digital evidence integral to a case. In too many cases, computer forensics firms are called in midway through litigations only to find that key evidence is beyond their grasp, unattainable because of discovery deals that had been struck between opposing counsel. Without knowing which data is of interest, it is easy to concede certain pieces of potential evidence. Many unknown factors come into play later that can affect where pertinent information may reside. Specifically, different applications and operating environments store information in different places. It is often hard to know up front if the smoking gun is on a server or on an individual’s workstation. If one or the other is bargained away up front, the forensic expert may be limited in her ability to help. Through depositions the question as to where to focus the search can often be answered, but it is important to preserve the data before these factors are known. THE SMOKING GUN Perhaps more compelling are the technical and legal implications that recommend early computer forensics intervention. With digital evidence, there are several layers of information interest to the litigator. Of course, there is the smoking gun — for example, the e-mail showing sexual harassment or the spreadsheet displaying financial irregularities. The second layer of “meaning” comes in the form of metadata — information about the data, such as when it was created, how many times it was revised, who revised it, and so on. Metadata can be a wonderful tool to illustrate how a computer may have been used to perpetrate a crime or harbor evidence. Moreover, metadata remains intact even after the smoking gun file has been deleted. However, it is extremely fragile; metadata changes each time a computer is used. Every time a computer is turned on and programs are launched, thousands of pieces of information are changed. Most of this data relates to times/dates, system resources and, to a lesser extent, deleted files. All of these affected areas contain critical information related to the activities of the user in question. Besides the potential for data to be overwritten, it is also possible for data to be compromised or tainted even if it is still retrievable. This often occurs when proper procedures are not followed while analyzing computer media. For instance, if the discovery requester entrusts the other side with that process, they may be unwittingly compromising data integrity. Often, the producing party will simply print electronic files to be produced or at best burn them to a CD-ROM. Although this seems a good solution, any manipulation of the file in question (even printing the file without opening it or simply clicking on the file) can change attributes and compromise the chain of custody and its evidentiary potency, potentially resulting in data spoliation. Many do not realize that preservation is the most important part of any electronic discovery plan, more so than the discovery itself. A common mistake in the e-discovery process is to fail to quarantine a machine or put the other side on notice with a well-crafted preservation letter. It is far more preferable to preserve everything and process a small portion of the available universe of data than to allow portions of potentially critical information to disappear forever. Besides, it usually takes more time to figure out where key information resides than it does to find hardware and media of potential significance. For example, a targeted computer may reside in a company that has 20 systems. It is not unreasonable to spend a day or two on-site creating mirror image backups of all the office computers until depositions are conducted to find out which systems/workstations the defendant accessed. The time spent up front is great insurance for potential discoveries down the road. If the litigation team is not able to access those 20 computers until a year has passed, it might be too late. DATA INTEGRITY Maintaining data integrity goes hand-in-hand with maintaining the admissibility of electronic evidence. To preserve admissibility, it is critical that proper procedures are followed and that the expert in question has the proper knowledge and background to understand where the data is coming from and how it got there. If a smoking gun is found, but there are doubts as to how the data was procured or where the data originated, the validity of the evidence can easily be compromised. This often occurs when issues are handled internally rather than involving a third-party expert. A well-meaning employee may want to poke around the computer or network to see if he can find something before an expert is hired and money is “wasted.” The worst-case scenario here is that the employee actually finds the smoking gun, and he becomes, de facto, the forensics expert. If the other side feels they can discredit this “expert,” they can also discredit the evidence. Involving a competent computer forensics consultant early on allows an assessment of which computer media is important to a case, and can help in the development of a rapid response plan to present to the court to ensure key information is preserved. Convincing the court to support discovery requests can be tricky. Often, opposing counsel will battle discovery requests on the basis that digital data will infringe upon attorney-client privilege, divulge trade secrets and generally cause interruption to business as usual. To assuage the court’s concerns, a forensics expert will make the case that attaining a mirror image backup is the only way to ensure proper chain of custody, allow for access to all potential evidence and avoid data spoliation. Once these issues are clearly outlined and the issue of privilege through protective orders is resolved, the road to accessing pertinent computer media is generally smooth and straightforward. EARLIER IS CHEAPER There’s another equally compelling reason for consulting a computer forensics expert early in the e-discovery process: It often costs less. Digital discovery is usually treated in a manner similar to traditional paper discovery. Using the paper model, litigation teams will proceed in e-discovery as follows: � Active files: Print and review, scan and OCR, and convert to TIFF file and commit to database � Archival files: Convert to printable format, print and review, scan and OCR, and convert to TIFF file and commit to database � Residual data: Perform forensic processing to identify deleted files and telling computer user activity, report findings, selectively convert to TIFF file and commit to database The computer forensics approach departs from the paper model in that all data is reviewed in electronic format, using various forensic software tools. Many steps are removed from the process, all data is reviewed, and the litigation team receives preliminary results with much faster turnaround for a fraction of the cost. As an example, consider the hypothetical mentioned at the outset. Assume the computers of several of the employees suspected of stealing trade secrets and the server used for these machines contain 20 gigabytes of data. Applying the paper approach, all data — about 7.5 million pages — is printed and reviewed, scanned, converted to TIFF file format. Based on a conservative estimate of 5 cents a page for the process, the cost would be $375,000. Processing data of this magnitude takes a minimum of two weeks. Reviewing the 20 gigs of data using computer forensics, the process would go as follows: � Make a mirror image bit-stream backup of the machines in question (so data is preserved in admissible format); � Work with counsel to determine short list of key words for searching; � Use forensics tools to provide counsel with a preliminary report, including a complete list of file names, times and dates, and results of key-word searches, which serve to narrow the potential e-discovery universe at the outset of the case, illuminating the path for further discovery efforts. Resources are not wasted processing and converting data that has little impact upon the case. Time and date information may help pinpoint telling computer activity, such as when the suspected employee downloaded a group of proprietary designs from the server to his local machine. Cost for this forensics service will generally run from $15,000 to $20,000. And with luck, preliminary searches might even turn up the smoking gun. Scott Stevens is director of business development for New Technologies Inc., based in Gresham, Ore.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.