New York Law Journal, Monday, January 26, 1998
Copyright 1998 New York Law Publishing Company
Collecting Computer-Based Evidence
By Joan E. Feldman and Rodger I. Kohn.
Joan E. Feldman is president of Computer Forensics Inc., in Seattle, and was involved in the preliminary planning meeting for the Digital Discovery project at Harvard Law School. Rodger I. Kohn, a litigator, is the company's director of corporate relations.
TODAY it is black letter law that information generated and stored on computers and in other electronic forms is discoverable. n1 It is estimated that as much as 30 percent of the data stored on computers is never reduced to printed form. Moreover, the electronic version of a document may contain information that simply does not appear in the printed version. As a practical matter, finding this information is becoming an important part of the discovery process.
n1 See Anti-Monopoly, Inc. v. Hasbro, Inc., 94 Civ. 2120, 1995 U.S. Dist. Lexis 16355 (SDNY 1995) ("Today it is black letter law that computerized data is discoverable if relevant."); Seattle Audubon Society v. Lyons, 871 F. Supp. 1291 (W.D. Wash. 1994) (ordering production of E-mail).
Many lawyers now ask for electronic evidence, especially E-mail, as a routine part of their discovery efforts. But as a practical matter, most lawyers have little or no experience in collecting and analyzing the data they seek. What follows is some practical advice on how to collect the relevant data, and how to assure that it can be authenticated and admitted as evidence.
[See also, "Checklists for Collecting Computer-Based Evidence", p. S5.]
1. Send a preservation of evidence letter. Because the information stored on computers changes every time a user saves a file, loads a new program or does almost anything else on his or her PC, it is critical that you put all parties on notice that you will be seeking electronic evidence through discovery. The sooner the notice is sent the better. A letter should identify as specifically as possible the types of information to be preserved and note the possible places that information may exist. n2 If necessary, obtain a protective order requiring all parties to preserve electronic evidence and setting out specific protocols for doing so.
n2 Courts are willing to impose discovery sanctions when electronic records are altered or destroyed. See Computer Assoc. Internat'l v. Am Fundware, 135 F.R.D. 166 (D. Colo. 1990); Nat'l Assoc. of Radiation Survivors v. Turnage, 115 F.R.D. 543 (N.D. Cal. 1987). Sanctions may be imposed even when the alteration or destruction occurs in the regular course of business. The common thread in the cases imposing sanctions is the fact that the party altering or destroying its computer records was on notice that such records were relevant to pending or threatened litigation.
2. Include definitions, instructions and specific questions about electronic evidence in your written discovery. This is a continuing process, with three objectives to accomplish:
* First, use a series of interrogatories to get an overview of the target computer system. These will be followed up by a 30(b)(6) deposition of the information systems department.
* Second, all requests for production should make clear that electronic documents as well as paper are being sought. You can accomplish this by defining documents to include items such as data compilations, E-mail and electronically stored data. Requests should also ask specifically for different types of computer-based evidence, such as diskettes, E-mail and backup tapes.
* Finally, if necessary, include a request for inspection so you can examine the computer system firsthand and retrieve any relevant data.
3. Take a 30(b)(6) deposition of the information systems department. This is the single best tool for finding out the types of electronic information that exist in your opponent's computer systems.
4. Collect backup tapes. One of the most fertile sources of evidence is the routine backup created to protect data in case of disaster. This information is normally stored on high-capacity tapes, but may exist on virtually any type of media. Backup tapes normally contain all of an organization's data, including E-mail, as of a certain date. Common procedures call for full backups to be made weekly, with the last tape of the month saved as a monthly backup. While weekly backups are normally rotated, monthly backups are saved anywhere from six months to several years.
When collecting backup tapes in discovery, make sure to gather information on how the tapes were made. This inquiry must include both the procedures followed and the specific hardware and software used to make the backups. Over time, hundreds of different backup methods have been used; in some cases, it may be impossible to restore backups without using the same software and/or hardware that was used to create them.
5. Collect diskettes. Data that has been selectively saved by users to diskettes or other portable media is another fertile, but often overlooked, source of evidence. Users save data to diskettes for any number of reasons. They create "ad hoc backups" of key documents or files; they copy E-mail files to prevent them from being deleted in automatic purging routines. Finally, users will use diskettes to save data they do not want to keep on company computers.
Diskettes are kept indefinitely by the users who create them. Collecting and examining all diskettes created by key witnesses is an essential step in a thorough examination of all electronic evidence.
6. Ask every witness about computer usage. In addition to the discovery directed at the computer system, each witness must be questioned about his or her computer use. Individual users' sophistication varies widely; knowing how each witness uses his or her computer and organizes and stores data may lead to sources of information not revealed by the discovery directed at general system usage. This discovery should also focus on the secretaries and other people assisting key witnesses. Often, documents drafted by the key witness are stored on an assistant's computer.
Perhaps the most overlooked source of electronic evidence is the home computer. Data usually ends up on these machines in one of two ways: First, it can be transferred to and from the workplace on diskettes or other portable media; second, an employee may be able to log on to the company network from home. In this latter situation, the home computer acts just like the employee's office workstation.
Palmtop devices and notebook computers are also good sources of evidence. Palmtop devices include electronic address books as well as more powerful devices such as 3Com's PalmPilot and Apple's Newton. In addition to storing calendar and contact information, many of these devices allow users to make notes and use E-mail. Further up the scale, there are notebook computers, which are often shared among a number of users. While a notebook may not be a witness's primary workstation, it still may contain important pieces of information.
7. Make image copies. It is no secret that deleted files and other "residual" data may be recovered from hard drives and floppy disks. How do you make sure that you capture this data? Answering this question first requires a brief explanation of why residual data exists.
With respect to computers, the term "deleted" does not mean destroyed. Rather, when a file is deleted, the computer makes the space occupied by that file available for new data. Reference to the deleted file is removed from directory listings and from the file allocation table, but the bits and bytes that make up the file remain on the hard drive until they are overwritten by new data, or "wiped" through the use of utility software. The result is that a file "appears" to have been deleted, but may still be recovered from the disk surface.
Residual data includes deleted files, fragments of deleted files and other data that is still extant on the disk surface. To assure that this residual data is captured, you must make what is known as an "image copy" of the target drive. An image copy duplicates the disk surface sector by sector, thereby creating a mirror image of the target drive. In contrast, a file-by-file copy (what is made when you simply select the files you want copied) captures only the data contained in the specific files selected. Even if all files are selected, a file-by-file copy will not capture any residual data. n3
n3 When collecting computer data for evidentiary purposes, a party has a duty to "utilize the method which would yield the most complete and accurate results." Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996). In Gates, the court criticized the plaintiff for failing to make image copies and for failing to preserve undeleted files properly.
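The difference between a file-by-file copy and a sector-by-sector image copy described under item 7 can be shown in a few lines of code. The following Python script is an added example and is not part of the article: it models a toy disk as a flat byte array plus an allocation table (the ToyDisk class, the 16-byte sector size, the file names and their contents are all constructed for the illustration), "deletes" a file by removing only its table entry, and then compares what each copying method captures. It also shows the fragment that survives when a later write reuses part of the deleted file's space.

```python
# Added example (not from the article): a toy disk model showing why a
# sector-by-sector image copy preserves residual data that a file-by-file
# copy misses. The class, layout, sector size and file contents are constructed.

SECTOR = 16       # bytes per sector (constructed; real media use 512 or 4096)
NUM_SECTORS = 8   # total surface = 128 bytes


class ToyDisk:
    """A flat byte array plus an allocation table mapping file names to the
    sectors they occupy and their length (a stand-in for a directory/FAT)."""

    def __init__(self):
        self.surface = bytearray(SECTOR * NUM_SECTORS)
        self.table = {}  # name -> (list of sector numbers, byte length)

    def _free_sectors(self):
        used = {s for sectors, _ in self.table.values() for s in sectors}
        return [s for s in range(NUM_SECTORS) if s not in used]

    def write_file(self, name, data):
        free = self._free_sectors()
        needed = -(-len(data) // SECTOR)  # ceiling division
        if needed > len(free):
            raise OSError("disk full")
        sectors = free[:needed]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            # Only the bytes actually written change; the rest of the sector
            # keeps whatever was there before (slack space).
            self.surface[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.table[name] = (sectors, len(data))

    def delete_file(self, name):
        # "Deleted" does not mean destroyed: only the table entry goes away.
        # The bytes stay on the surface until a later write overwrites them.
        del self.table[name]

    def read_file(self, name):
        sectors, length = self.table[name]
        raw = b"".join(bytes(self.surface[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)
        return raw[:length]


def file_by_file_copy(disk):
    """What an ordinary copy does: walk the directory and copy listed files."""
    return {name: disk.read_file(name) for name in disk.table}


def image_copy(disk):
    """Sector-by-sector duplicate of the whole surface, allocated or not."""
    return bytes(disk.surface)


def carve(image, marker):
    """Recover residual data by scanning the raw image for a known marker and
    taking bytes up to the next NUL (unwritten space in this toy model)."""
    hits = []
    start = 0
    while True:
        i = image.find(marker, start)
        if i < 0:
            return hits
        end = image.find(b"\x00", i)
        hits.append(image[i:end if end >= 0 else len(image)])
        start = i + 1


def demo():
    disk = ToyDisk()
    disk.write_file("memo.txt", b"MEMO: ship on Friday")   # sectors 0-1
    disk.write_file("notes.txt", b"NOTE: call counsel")    # sectors 2-3
    disk.delete_file("memo.txt")

    logical = file_by_file_copy(disk)
    image = image_copy(disk)
    results = {
        "file_copy_has_memo": any(b"MEMO" in v for v in logical.values()),
        "image_has_memo": b"MEMO: ship on Friday" in image,
        "carved": carve(image, b"MEMO:"),
    }

    # A later write reuses sector 0 and overwrites its first four bytes;
    # the remainder of the deleted memo survives as a fragment.
    disk.write_file("todo.txt", b"TODO")
    results["fragment_after_overwrite"] = carve(image_copy(disk), b": ship")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows that the file-by-file copy never sees the deleted memo, while the image copy still contains it in full, and that even after a new file lands on its first sector a recognisable fragment remains. Real file systems add slack space, journaling and wear levelling on top of this picture, but the reason residual data exists is the same.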
8. Write protect and virus check all media. Now that you have obtained the data, how do you look at it? You likely have a mix of image copies, backup tapes, diskettes, CDs and other media. Before doing anything else, you must maintain the integrity of the media you have received. The two key steps in doing this are write protection and virus checking.
Write protecting prevents data from being added to the media, guaranteeing that the evidence you gather is not altered or erased when you are working with it. You should write protect all media before doing anything else with it.
Similarly, virus checking prevents evidence from being altered and is the second thing you should do with all media. The key is to use up-to-date virus checking software. If a virus is detected, record all information about it and immediately notify the party producing the media. Do not take steps to clean the media, as doing so will change the evidence that was produced.
9. Preserve the chain of custody. A chain of custody tracks evidence from its original source to what is offered as evidence in court. With electronic evidence, a chain of custody is critical because the data can be altered relatively easily.
Preserving a chain of custody requires, at a minimum, proving that: (a) no information has been added or changed; (b) a complete copy was made; (c) a reliable copying process was used; and (d) all media was secured. Write protecting and virus checking all media are the key steps in meeting the first requirement; making image copies is the key to meeting the second.
A reliable copy process has three critical characteristics. First, the process must meet industry standards for quality and reliability. This includes the software used to create the copy and the media on which the copy is made. A good benchmark is whether the software is used and relied on by law enforcement agencies. Second, the copies must be capable of independent verification. In short, your opponent and the court must be able to satisfy themselves that your copies are accurate. Third, the copies created must be tamper proof.
Securing the media simply assures that your original copies are preserved. Just as you would make working copies of any documents produced, you should create working copies of data.
When working with data restored from the media you have collected, make sure that you can track individual files and documents back to their original source. The checklist below sets out one way of doing this.
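Items 8 and 9 (write protection, independent verification, tamper-evident copies, working copies and tracking data back to its source) can be exercised together in a small script. The following Python code is an added example, not from the article or from Computer Forensics Inc.: it acquires a constructed image file, records a SHA-256 digest in a custody log (the CustodyLog class, the evidence ID "E-001", the custodian name and the image contents are all assumptions for the illustration), write-protects the original using file permissions as a software stand-in for a media write-protect tab, makes a working copy, and shows that a modified working copy fails verification while the original still matches its acquisition digest. The article names no particular verification mechanism; a cryptographic hash is the one assumed here.

```python
# Added example (not from the article): hash-based custody log with
# write protection and working-copy verification. CustodyLog, the evidence
# ID "E-001", the custodian name and the image contents are constructed.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Digest a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_protect(path):
    """Software stand-in for a media write-protect tab: clear the write bits.
    (A root user can still bypass file permissions; physical write blockers
    do not have that weakness.)"""
    os.chmod(path, 0o444)


class CustodyLog:
    """Append-only list of custody events keyed by evidence ID."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, path, custodian):
        entry = {
            "item": item_id,
            "action": action,
            "file": os.path.basename(path),
            "custodian": custodian,
            "time": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        }
        self.entries.append(entry)
        return entry

    def acquisition_digest(self, item_id):
        for e in self.entries:
            if e["item"] == item_id and e["action"] == "acquired":
                return e["sha256"]
        return None

    def verify(self, item_id, path):
        """Independent verification: anyone holding the log and the file can
        recompute the digest and compare it with the one taken at acquisition."""
        baseline = self.acquisition_digest(item_id)
        return baseline is not None and sha256_file(path) == baseline

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "drive1.img")
        with open(original, "wb") as f:
            f.write(b"constructed image payload\n" * 4096)  # stand-in for an image

        log = CustodyLog()
        log.record("E-001", "acquired", original, "examiner A")
        write_protect(original)

        # Work from a copy, never from the original.
        working = os.path.join(workdir, "drive1_working.img")
        shutil.copyfile(original, working)
        log.record("E-001", "working copy made", working, "examiner A")

        results = {"working_copy_verified": log.verify("E-001", working)}

        # Simulate an accidental (or deliberate) change to the working copy.
        with open(working, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        results["tampered_copy_verified"] = log.verify("E-001", working)
        results["original_verified"] = log.verify("E-001", original)
        results["entries"] = list(log.entries)

        os.chmod(original, 0o644)  # so the temp dir can be removed on all platforms
        return results


if __name__ == "__main__":
    r = demo()
    print(json.dumps({k: v for k, v in r.items() if k != "entries"}, indent=2))
```

Each log entry ties a file name back to an evidence ID and a digest, which is the kind of tracking the checklist the article refers to is meant to provide. Because the acquisition digest is recorded before any working copy exists, an opposing party can recompute it from the produced media and satisfy themselves that the copies are accurate without relying on the examiner's word.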
10. Hire an expert. There are important reasons to consider retaining an expert to assist in your electronic discovery:
* An expert can help fine-tune your discovery and maximize the amount of relevant data you recover.
* An expert provides resources for copying and examining data being produced. For example, restoring backup tapes and image copies takes large amounts of drive space -- far more space than most lawyers or their clients have available.
* An expert will help preserve chains of custody and prove authenticity. Retaining an expert to collect and analyze electronic evidence removes you from the potentially difficult position of having to testify about the authenticity and accuracy of this evidence.
In all cases, an expert should have the experience and equipment to handle the diverse array of software and hardware you will inevitably encounter. He or she should also be able to perform forensic analysis and help recover residual data.
With the ever-growing use of computers as business and communication tools, data generated and stored electronically is becoming an increasingly important target for discovery. As with all other discovery, the goal is to find useful information and collect it in a manner that assures it can be admitted into evidence. There is no magic to accomplishing this goal -- what is required is a proven, methodical approach. While technology will undoubtedly continue to change, the basic techniques for collecting electronic evidence should continue to prove effective.