The Berkman Center for Internet & Society at Harvard Law School

New York Law Journal, January 26, 1998


Copyright 1998 New York Law Publishing Company  

Collecting Computer-Based Evidence


Joan E. Feldman is president of Computer Forensics Inc., in Seattle, and was involved in the preliminary planning meeting for the Digital Discovery project at Harvard Law School. Rodger I. Kohn, a litigator, is the company's director of corporate relations.

TODAY it is black letter law that information generated and stored on computers and in other electronic forms is discoverable. n1 It is estimated that as much as 30 percent of the data stored on computers is never reduced to printed form. Moreover, the electronic version of a document may contain information that simply does not appear in the printed version. As a practical matter, finding this information is becoming an important part of the discovery process.

n1 See Anti-Monopoly, Inc. v. Hasbro, Inc., 94 Civ. 2120, 1995 U.S. Dist. Lexis 16355 (SDNY 1995) ("Today it is black letter law that computerized data is discoverable if relevant."); Seattle Audubon Society v. Lyons, 871 F. Supp. 1291 (W.D. Wash. 1994) (ordering production of E-mail).

Many lawyers now ask for electronic evidence, especially E-mail, as a routine part of their discovery efforts. But most lawyers have little or no experience in collecting and analyzing the data they seek. What follows is some practical advice on how to collect the relevant data, and how to ensure that it can be authenticated and admitted as evidence.

[See also, "Checklists for Collecting Computer-Based Evidence", p. S5.]

1. Send a preservation of evidence letter. Because the information stored on computers changes every time a user saves a file, loads a new program or does almost anything else on his or her PC, it is critical that you put all parties on notice that you will be seeking electronic evidence through discovery. The sooner the notice is sent the better. A letter should identify as specifically as possible the types of information to be preserved and note the possible places that information may exist. n2 If necessary, obtain a protective order requiring all parties to preserve electronic evidence and setting out specific protocols for doing so.

n2 Courts are willing to impose discovery sanctions when electronic records are altered or destroyed. See Computer Assoc. Internat'l v. Am Fundware, 135 F.R.D. 166 (D. Colo. 1990); Nat'l Assoc. of Radiation Survivors v. Turnage, 115 F.R.D. 543 (N.D. Cal. 1987). Sanctions may be imposed even when the alteration or destruction occurs in the regular course of business. The common thread in the cases imposing sanctions is the fact that the party altering or destroying its computer records was on notice that such records were relevant to pending or threatened litigation.

2. Include definitions, instructions and specific questions about electronic evidence in your written discovery. This is a continuing process, with three objectives to accomplish:

* First, use a series of interrogatories to get an overview of the target computer system. Follow these up with a Rule 30(b)(6) deposition of the information systems department.

* Second, all requests for production should make clear that electronic documents as well as paper are being sought. You can accomplish this by defining documents to include items such as data compilations, E-mail and electronically stored data. Requests should also ask specifically for different types of computer-based evidence, such as diskettes, E-mail and backup tapes.

* Finally, if necessary, include a request for inspection so you can examine the computer system firsthand and retrieve any relevant data.

3. Take a 30(b)(6) deposition of the information systems department. This is the single best tool for finding out the types of electronic information that exist in your opponent's computer systems.

4. Collect backup tapes. One of the most fertile sources of evidence is the routine backup created to protect data in case of disaster. This information is normally stored on high-capacity tapes, but may exist on virtually any type of media. A backup tape normally holds a snapshot of an organization's server data, including E-mail, as of a certain date. Common procedures call for full backups to be made weekly, with the last tape of the month saved as a monthly backup. Weekly tapes are normally rotated back into service and overwritten, while monthly backups are kept anywhere from six months to several years.

When collecting backup tapes in discovery, make sure to gather information on how the tapes were made. This inquiry must cover both the procedures followed and the specific hardware and software used to make the backups, including the tape format, any compression applied and the backup catalog. Over time, hundreds of different backup methods have been used; in some cases, it may be impossible to restore backups without using the same software and/or hardware that was used to create them.

5. Collect diskettes. Data that users have selectively saved to diskettes or other portable media is another fertile, but often overlooked, source of evidence. Users save data to diskettes for any number of reasons: they create "ad hoc backups" of key documents or files; they copy E-mail files to keep them out of automatic purging routines; and they save data they do not want kept on company computers.

Diskettes are often kept indefinitely by the users who create them, long after the copies on the network have been purged or overwritten. Collecting and examining all diskettes created by key witnesses is an essential step in a thorough examination of all electronic evidence.

6. Ask every witness about computer usage. In addition to the discovery directed at the computer system, each witness must be questioned about his or her computer use. Individual users' sophistication varies widely; knowing how each witness uses his or her computer and organizes and stores data may lead to sources of information not revealed by the discovery directed at general system usage. This discovery should also focus on the secretaries and other people assisting key witnesses. Often, documents drafted by the key witness are stored on an assistant's computer.

Perhaps the most overlooked source of electronic evidence is the home computer. Data usually ends up on these machines in one of two ways: First, it can be transferred to and from the workplace on diskettes or other portable media; second, an employee may be able to log on to the company network from home. In this latter situation, the home computer acts just like the employee's office workstation.

Palmtop devices and notebook computers are also good sources of evidence. Palmtop devices include electronic address books as well as more powerful devices such as 3Com's PalmPilot and Apple's Newton. In addition to storing calendar and contact information, many of these devices allow users to make notes and use E-mail. Further up the scale, there are notebook computers, which are often shared among a number of users. While a notebook may not be a witness's primary workstation, it still may contain important pieces of information.

7. Make image copies. It is no secret that deleted files and other "residual" data may be recovered from hard drives and floppy disks. How do you make sure that you capture this data? Answering this question first requires a brief explanation of why residual data exists.

With respect to computers, the term "deleted" does not mean destroyed. Rather, when a file is deleted, the computer makes the space occupied by that file available for new data. The file's directory entry is marked as deleted and its clusters are released in the file allocation table, but the bits and bytes that make up the file remain on the hard drive until they are overwritten by new data, or "wiped" through the use of utility software. The result is that a file "appears" to have been deleted, but may still be recovered from the disk surface. Because new files are written over old space piecemeal, a deleted file is often only partly overwritten, leaving fragments behind.

Residual data includes deleted files, fragments of deleted files and other data that is still extant on the disk surface, including the unused tail of the last sector or cluster of a live file ("slack space"), which keeps whatever was stored there before. To ensure that this residual data is captured, you must make what is known as an "image copy" of the target drive. An image copy duplicates the disk surface sector by sector, allocated or not, thereby creating a mirror image of the target drive. In contrast, a file-by-file copy (what is made when you simply select the files you want copied) captures only the data contained in the specific files selected. Even if all files are selected, a file-by-file copy will not capture any residual data. n3

n3 When collecting computer data for evidentiary purposes, a party has a duty to "utilize the method which would yield the most complete and accurate results." Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996). In Gates, the court criticized the plaintiff for failing to make image copies and for failing to preserve undeleted files properly.
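The difference between a file-by-file copy and an image copy is easiest to see on a toy disk. The following is an added illustration, not code from the article or from Computer Forensics Inc.: a sector-addressed store whose directory behaves like FAT (a deleted file's entry is marked and its sectors released, but the bytes are not erased). The file names, the memo text and the sector size are all constructed for the example. It writes a memo, "deletes" it, writes a smaller file over the start of the memo's space, and then shows that a file-by-file copy sees nothing of the memo while a sector image still contains its tail, both as slack in the new file's sector and in the untouched sectors after it.

```python
"""Toy sector-addressed disk: shows why a sector-by-sector image captures
residual data that a file-by-file copy cannot. Illustrative model only,
not a real FAT driver; sector and disk sizes are kept tiny for clarity."""

SECTOR = 64      # bytes per sector (real disks use 512 or 4096)
SECTORS = 16     # sectors on the toy disk


class ToyDisk:
    """The directory works like FAT: deleting a file marks its entry as
    deleted and releases its sectors, but the bytes stay on the platter
    until some later write happens to land on them."""

    def __init__(self):
        self.sectors = bytearray(SECTOR * SECTORS)
        # name -> [first_sector, sector_count, byte_length, deleted_flag]
        self.directory = {}

    def _allocate(self, need):
        """First run of `need` contiguous sectors not owned by a live file."""
        used = set()
        for first, count, _size, deleted in self.directory.values():
            if not deleted:
                used.update(range(first, first + count))
        for start in range(SECTORS - need + 1):
            if not any(s in used for s in range(start, start + need)):
                return start
        raise OSError("no contiguous free space")

    def write(self, name, data):
        need = -(-len(data) // SECTOR)        # ceiling division
        start = self._allocate(need)
        for i in range(need):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            off = (start + i) * SECTOR
            # Only len(chunk) bytes are written. Whatever previously sat in
            # the rest of the final sector survives as "file slack".
            self.sectors[off:off + len(chunk)] = chunk
        self.directory[name] = [start, need, len(data), False]

    def delete(self, name):
        self.directory[name][3] = True         # entry kept, data untouched

    def read(self, name):
        first, _count, size, deleted = self.directory[name]
        if deleted:
            raise FileNotFoundError(name)
        return bytes(self.sectors[first * SECTOR:first * SECTOR + size])

    def undelete_read(self, name):
        """What an undelete tool sees: follow the stale directory entry and
        return the sectors as they are now, overwritten parts included."""
        first, _count, size, _deleted = self.directory[name]
        return bytes(self.sectors[first * SECTOR:first * SECTOR + size])


def file_copy(disk):
    """File-by-file copy: only the live entries, never the residual data."""
    return {n: disk.read(n) for n, e in disk.directory.items() if not e[3]}


def image_copy(disk):
    """Sector-by-sector image: every byte, allocated or not."""
    return bytes(disk.sectors)


def carve_text(image, min_len=8):
    """Crude 'strings'-style carving over an image: runs of printable ASCII."""
    runs, cur = [], bytearray()
    for b in image + b"\x00":
        if 32 <= b <= 126:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    return runs


# Constructed sample data for the demonstration (not from any real matter).
MEMO = (b"MEMO TO FILE, private: the Q3 pricing spreadsheets are to be shredded "
        b"before the audit team arrives on Monday. Do not forward this note. -- J.D.")


def demo():
    disk = ToyDisk()
    disk.write("report.txt", b"Quarterly report: revenue up 4%.")   # sector 0
    disk.write("memo.txt", MEMO)              # 144 bytes -> sectors 1, 2, 3
    disk.delete("memo.txt")                   # the user "deletes" the memo
    # 29 bytes land on sector 1; the memo's first sector is only partly overwritten
    disk.write("notes.txt", b"Lunch with auditors at 12:30.")
    image = image_copy(disk)
    return {
        "files": file_copy(disk),             # report.txt and notes.txt only
        "image": image,
        "carved": carve_text(image),
        "undeleted_memo": disk.undelete_read("memo.txt"),
    }


if __name__ == "__main__":
    r = demo()
    print("file copy sees:", sorted(r["files"]))
    for run in r["carved"]:
        print("carved from image:", run.decode())
    print("undelete gives:", r["undeleted_memo"].decode())
```

The carved output shows the new note running straight into the memo's residual text, which is exactly what an examiner finds when carving a real image; the undelete view shows the memo with its first 29 bytes replaced, which is why recovered files are so often fragments.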

8. Write protect and virus check all media. Now that you have obtained the data, how do you look at it? You likely have a mix of image copies, backup tapes, diskettes, CDs and other media. Before doing anything else, you must maintain the integrity of the media you have received. The two key steps in doing this are write protection and virus checking.

Write protecting prevents anything from being written to the media, so that the evidence you gather is not added to, altered or erased while you are working with it. You should write protect all media before doing anything else with it. Note that merely mounting a drive on an ordinary workstation can change it (for example, by updating access timestamps), which is why examiners rely on write blockers rather than on care alone.

Similarly, virus checking guards against a virus on the media altering the evidence, or spreading to your own systems, when the media is examined; it is the second thing you should do with all media. The key is to use up-to-date virus checking software. If a virus is detected, record all information about it and immediately notify the party producing the media. Do not take steps to clean the media, as doing so will change the evidence that was produced.

9. Preserve the chain of custody. A chain of custody tracks evidence from its original source to what is offered as evidence in court. With electronic evidence, a chain of custody is critical because the data can be altered relatively easily.

Preserving a chain of custody requires, at a minimum, proving that: (a) no information has been added or changed; (b) a complete copy was made; (c) a reliable copying process was used; and (d) all media was secured. Write protecting and virus checking all media are the key steps in meeting the first requirement; making image copies is the key to meeting the second.

A reliable copy process has three critical characteristics. First, the process must meet industry standards for quality and reliability. This includes the software used to create the copy and the media on which the copy is made. A good benchmark is whether the software is used and relied on by law enforcement agencies. Second, the copies must be capable of independent verification. In short, your opponent and the court must be able to satisfy themselves that your copies are accurate, for example by recomputing a cryptographic hash of the original and of the copy and comparing it with the value recorded when the copy was made. Third, any alteration of the copies must be detectable. No copy can be made truly tamper proof; what a recorded hash and secured storage give you is a tamper-evident copy, which is what the court needs.

Securing the media simply assures that your original copies are preserved. Just as you would make working copies of any documents produced, you should create working copies of data.

When working with data restored from the media you have collected, make sure that you can track individual files and documents back to their original source. The accompanying checklist sets out one way of doing this.
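Points 8 and 9 together amount to a small protocol: fingerprint the image at acquisition, work only on a verified copy, and keep a custody log that cannot be quietly edited. The article names no specific mechanism; the following added example (not the article's or the company's own code) uses a cryptographic hash (SHA-256 here; MD5 was the usual choice when the article was written) for the fingerprint and a hash-chained log for custody. The image bytes, evidence identifier, examiner name and timestamps are all constructed stand-ins, and an immutable `bytes` object stands in for write-blocked original media.

```python
"""Hash-based verification plus a tamper-evident custody log for a disk image.
Added illustration; the data below is constructed for the example."""

import hashlib
import json


def fingerprint(data):
    """Hash of the image; anyone holding the same bytes can recompute it."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log in which each entry commits to the previous entry's
    hash, so editing, dropping or reordering an earlier entry breaks the
    chain for everything that follows."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, when, actor, action, detail):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"when": when, "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        body["entry_hash"] = self._digest(body)
        self.entries.append(body)
        return body["entry_hash"]

    def intact(self):
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(original, evidence_id, examiner, when, log):
    """Record the fingerprint at the moment of imaging. `original` is an
    immutable bytes object standing in for write-blocked media."""
    h = fingerprint(original)
    log.append(when, examiner, "acquire", f"{evidence_id} sha256={h}")
    return {"evidence_id": evidence_id, "sha256": h, "length": len(original)}


def verify(data, record):
    """Independent check: length and hash must match the acquisition record."""
    return len(data) == record["length"] and fingerprint(data) == record["sha256"]


def working_copy(original, record, examiner, when, log):
    """Analysis is done on a copy, and the copy is verified before use."""
    copy = bytearray(original)
    if not verify(bytes(copy), record):
        raise ValueError("working copy does not match acquisition hash")
    log.append(when, examiner, "working-copy", f"{record['evidence_id']} verified")
    return copy


def demo():
    log = CustodyLog()
    original = b"EVIDENCE-IMAGE-SAMPLE " * 64          # constructed stand-in image
    rec = acquire(original, "EX-001", "J. Smith", "1998-01-12T09:00Z", log)
    copy = working_copy(original, rec, "J. Smith", "1998-01-12T09:30Z", log)

    copy[100] ^= 0xFF                                  # an accidental change during analysis
    copy_altered_detected = not verify(bytes(copy), rec)
    original_intact = verify(original, rec)            # the secured original still matches

    # Someone later edits the first custody entry in place.
    forged = CustodyLog()
    forged.entries = [dict(e) for e in log.entries]
    forged.entries[0]["actor"] = "Someone Else"

    return {"record": rec,
            "copy_altered_detected": copy_altered_detected,
            "original_intact": original_intact,
            "log_intact": log.intact(),
            "forged_log_intact": forged.intact()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The hash in the acquisition record is what satisfies the "independent verification" requirement: the producing party, the opposing expert and the court can each recompute it from their own copy. The chained log is what turns a paper custody trail into one where a changed entry is provable rather than merely suspected.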

10. Hire an expert. There are important reasons to consider retaining an expert to assist in your electronic discovery:

* An expert can help fine-tune your discovery and maximize the amount of relevant data you recover.

* An expert provides resources for copying and examining data being produced. For example, restoring backup tapes and image copies takes large amounts of drive space -- far more space than most lawyers or their clients have available.

* An expert will help preserve chains of custody and prove authenticity. Retaining an expert to collect and analyze electronic evidence removes you from the potentially difficult position of having to testify about the authenticity and accuracy of this evidence.

In all cases, an expert should have the experience and equipment to handle the diverse array of software and hardware you will inevitably encounter. He or she should also be able to perform forensic analysis and help recover residual data.

With the ever-growing use of computers as business and communication tools, data generated and stored electronically is becoming an increasingly important target for discovery. As with all other discovery, the goal is to find useful information and collect it in a manner that assures it can be admitted into evidence. There is no magic to accomplishing this goal -- what is required is a proven, methodical approach. While technology will undoubtedly continue to change, the basic techniques for collecting electronic evidence should continue to prove effective.