GPSolo Magazine - December 2005
Preparing for Electronic Discovery
Recently, the U.S. military provided a perfect example of the horrors that can await all of us when trying to protect data. It posted to the Pentagon website a document from the military in Iraq, from which classified information had been removed. The censor had used shading behind the text in the original Word document to make the text invisible, which would have been fine had that version been posted. Unfortunately, the censor then generated a PDF, made from the redacted Word doc, for the online use. Once the document was converted to PDF, it was a simple matter for any visitor to the site to use Adobe’s “Select Text Tool” in order to retrieve the classified information. Whoops.
A German hacker noted that he wasn’t even challenged by this one. But it’s likely he nonetheless enjoyed the discomfiture of the American military when he released the classified information, which contained names of soldiers manning Baghdad-area checkpoints, training procedures, and rules of engagement that might be quite useful to the enemy. Egg splattered on its collective face, the military acknowledged glumly, “We need to improve our procedures.”
No Gray Areas
Disaster awaits at every corner. Requested data is produced pursuant to electronic discovery, and what happens? It proves to have damaging metadata. It contains attorney-client communication. It’s chock full of proprietary information. Redacted documents prove easy to “unredact.” The list goes on and on, but you get the picture: Extreme care must be taken to lock down confidential data during the discovery process.
Unaccountably, many attorneys deal with electronic evidence (e-evidence) problems when they are already far down the discovery road. They assume a defensive posture too late, trying to claw back information that has already been disclosed. Far preferable is a proactive approach, in which counsel for both sides meet early to discuss and agree on an e-evidence protocol. In the event that opposing counsel cannot reach a harmonious resolution, a judge will be happy to dictate a protocol, but that is rarely in anyone’s best interests, not only because of cost but also because so many judges lack the technical skills to draft an appropriate protocol.
In a world where 95 percent of all documents are electronic and most will never be converted to paper, it is essential that the legal profession come up to speed on the methodology of computer forensics. Most attorneys will never become technologists, but they should grasp at least the fundamentals of electronic discovery if they want to serve their clients well.
In most cases, each side does not need its own expert and its own production process (a bitter divorce case might be an exception). As long as you hire a true computer forensic expert, the data acquisition can be handled professionally, and images can be produced to each side for its own experts to analyze, if needed. To ensure you have a real expert, check out the two best professional indicators: certification and curriculum vitae (CV). Currently, the most prestigious private certification is “EnCE” (EnCase Certified Forensic Examiner), but several vendor-neutral certifications are gaining in respect. As for an expert’s CV, ideally it will show a host of other technical certifications, years of computer forensics experience, and a large number of courts in which the expert has qualified. Generally, the expert will have a computer forensics or electronic evidence retainer agreement for you to sign when you retain him or her—larger law firms often have their own forms of these contracts, and a blended version tends to be the ultimate result.
A confidentiality agreement is the cornerstone for protecting data during discovery. Anyone—and we mean anyone—who will come into contact with the data during the process should sign off on the agreement, including the forensic expert. The document should clarify that disclosure of confidential data has no adequate remedy at law in case a temporary restraining order or preliminary injunction may be in order. Although no penalty is generally specified in the agreement, having a confidentiality agreement makes it far easier to obtain a preliminary injunction if the information nonetheless is released. Also, of course, someone who violates such an agreement is going to be miserable if sued and forced to acknowledge that the confidentiality agreement was violated.
Allow a reasonable time period and assume Murphy’s Law will be a factor. Making a bit-by-bit image is a much slower process than copying or “ghosting” a hard drive. If feasible, it’s best to have the computers in issue examined at the expert’s lab, where the expert has all the hardware, software, and reference materials close at hand in the event of complications. Notwithstanding the need to transport the hardware to and from the expert, examining the computers at the lab is generally faster than doing it on-site.
Nevertheless, sometimes the acquisition must be done on-site, either to minimize business impact or because the other side will not agree to any other kind of acquisition. This can be economically painful because the expert must “babysit” the acquisition, irrespective of time consumed. As an example, it may take 12 to 36 hours to acquire a single server. It is possible to run multiple acquisitions simultaneously, which can help cut costs, but most often only a single server is involved. Experts in their own lab can kick off the acquisition for your case and then go do other billable work while your acquisition proceeds unattended, but experts working on-site must simply wait it out—and bill accordingly.
Clients tend to be very impatient about the costs of on-site acquisition, but it simply takes as long as it takes. Be sure the protocol specifies that the work will be done only after hours or on weekends, and extend the time period for acquisition as necessary to accommodate the slower pace. But keep in mind that after hours and weekends will be billed as overtime.
Here is a tip that can help with both security and efficiency: The best time to acquire a server is often Saturday morning. This allows a full backup to be run on Friday night. If anything goes amiss during the acquisition, you can restore the data. Also, of course, many businesses are closed (or at least slower) on a weekend, and acquisitions can be completed quickly and efficiently in a quiet environment. Finally, in case Saturday’s work presents an unexpected challenge, the technologist has Sunday to rebound.
Do a full backup before the acquisition begins, just in case the forensic technologist makes some sort of blunder (unlikely, but possible) or the drive magically decides to go belly-up for no reason at the same time as the acquisition (improbable, but it has happened). Recriminations and finger-pointing will not bring your data back. One of our very unlucky friends had a drive turn to toast while in his hands—and of course, it hadn’t been backed up. With all the consequent unpleasantness, our friend was forced to send the toasted drive out for reconstruction at a white lab (also known as a clean room, where dust is virtually non-existent and specialized laboratory procedures, equipment, and software are utilized), at a cost of thousands and without any guarantee of success. His story had a happy ending, but not all do.
Scope of Acquisition
It is imperative that the protocol define the scope of the acquisition. Each workstation or server to be examined for data should be specifically identified. Similarly, if backup media is to be restored (generally a more time-consuming and costly process) or if digital cameras, digital printers, PDAs, or other peripherals will be acquired, identify and enumerate each. If the case involves loose media (CD-ROMS, DVDs, floppy disks, zip disks, flash drives, etc.), specify these as well. Sometimes this is a very tedious job, especially if there is a large volume of loose media. However, it is important to be able to specifically identify each individual piece of evidence (by its original label if it exists, otherwise the expert will need to number the disks sequentially) in order to make the location of data unmistakable.
Sometimes this step proceeds in parts: The parties agree to acquire certain obvious workstations and/or servers and to determine whether further forensic acquisition and analysis will be required after evaluating the results from the initial work.
For each device, separately consider whether proprietary or confidential data must be protected. This is particularly important when the device is an employee’s home computer or even an office work-station if no one is certain who actually used it, when, or for what.
Without meaning to engage in spoliation, many folks who are targets of an imaging request inadvertently stomp all over the evidence, changing access dates and so on simply because they want to find out what the computer shows or how much trouble they may be in.
Preview the Evidence
If the parties cannot agree to a full-scale acquisition, a preview of the evidence may be the best option. In fact, courts seem increasingly amenable to previews in cases where one side adamantly insists there is no relevant evidence on its computers. A forensic preview allows the expert to look at the evidence in a read-only mode, without actually acquiring it. The expert can generate a report of this examination, but it is not repeatable; it represents a “point in time” and cannot produce a permanent, frozen image of the data.
The best part of previews, in many defendants’ view,is that they limit access to the data. If the preview shows no relevant evidence, the remainder of the data will never be seen by the other side. Previews can be a throw of the dice—if you’re lucky, the discovery ends right there. If not, the court will be much more likely to order full-blown acquisition and analysis.
Here is an example in which the defendant threw the dice and lost: The plaintiff had charged the defendant with appropriating its proprietary data and application. The defendant insisted that it had not. The plaintiff’s expert made a set of hash values (mathematical algorithms that digitally “fingerprint” a file) representing the files that made up the database. A preview of the defendant’s computers showed more than 900 files matching the database files. Given that report, the defendants lost interest in discussing a full-scale forensic examination and promptly settled the case.
The parties should agree on the type of hardware and software to be used and note the choices in the protocol. Private experts commonly use FastBloc (hardware write-blocker) and EnCase (forensic software that has more than 12,000 licensed users and has been successfully admitted into evidence in thousands of criminal and civil court cases). Acquisitions done with these programs result in a complete bit-by-bit image of the media and permit analysis on the imaged evidence—the original media is not impacted in any way. EnCase acquires the data and saves it into a proprietary evidence format that is continuously hashed and verified for errors and is compared against the original at the conclusion of the acquisition. There are no known instances of sustained objections to computer evidence generated by EnCase on authentication grounds relating to the program itself. Be mindful, however, that any program is only as good as the expert using it, and the expert may be subject to attack for lack of expertise.
Once the evidence is acquired, it should be locked in a secure environment; the names of those with access to the evidence should be listed. The degree of care necessary at this point varies somewhat by case. Where a law firm’s data is involved, make sure that it is in reputable hands and that careful security procedures are followed. Of course, chain of custody should be maintained in writing throughout the course of any acquisition and analysis. In a remarkable number of cases, we have seen shoddy or nonexistent chains of custody. Clearly, a professional firm will make this a priority each time the evidence changes hands.
The protocol may also provide that the expert will destroy the evidence files upon receipt of such written, signed instructions from the parties at the conclusion of the case. Alternatively, the protocol may decree that the evidence is to be returned to the originating party. Frequently, any order entered with the court will require that the expert, at the conclusion of the case, submit an affidavit to the court certifying that the court’s orders have been complied with. The protocol typically states that all work on the imaged drive will be documented and included within a forensic report.
Scope of Analysis
In order to help narrow the scope of relevant evidence, both sides may agree upon the period of time at issue, the list of names or e-mail addresses to search for, or other keywords that will target the relevant evidence. Make sure the protocol gives a time limit for agreement on the search parameters, a date when the expert will be required to turn over the evidence for screening, and a date when the screening party must produce the evidence to the other side.
A reasonable, mutually beneficial agreement is the best-case scenario. Unfortunately, lawyers are not agreeable creatures. Given a chance for dispute, they’ll generally take it—hence the high traffic at courthouses on motions days.
You don’t want to agree with opposing counsel? Not a problem. Judges do not become judges because they dislike control. The courts have been fairly firm on the basic guidelines. The search criteria must be relevant, must be as narrow as possible, and must not cross the line into a fishing expedition. The burden on the producing party must be reasonable. In some cases, costs may be shifted (more on that later).
Beyond such basics, however, relying on the judge to draft the scope of analysis is not much different from spinning a roulette wheel—but with worse odds of success. A judge may simply say, pick ten search terms and that’s it. The judge may give each side 20 keywords. The judge may appoint a neutral party to oversee the electronic discovery. The judge may come up with 100 offbeat solutions.
Sometimes there is nothing you can do if your opponent is unreasonable. However, if both sides are accommodating and draft a narrowly tailored and reasonable scope of analysis, they are usually better off.
Once the scope is identified, establish timelines for the various steps. Beware, however: No expert can precisely predict the time needed for analysis before seeing the “size of the elephant,” and that will not happen until the analysis has begun. It is a good idea to include in the protocol a clause indicating that the timetable will be adjusted as agreed by the parties if the volume of evidence so requires.
Screening for Privilege
The protocol will generally provide that, once the expert has completed the analysis, documents and data will be extracted and forwarded to defendant’s counsel, who will review them for privilege and proprietary information prior to producing all nonprivileged documents to opposing counsel. As part of that process, counsel must create a privilege log identifying the documents that will not be turned over and the privilege claimed; any data or documents that are claimed to be privileged will be available to the judge for an in camera inspection upon the appropriate motion by the moving party. The protocol should provide that all data and documents the judge deems not confidential or privileged will be released to opposing counsel pending the resolution of any and all objections and/or motions from parties. If proprietary information needs protection, a protective order may be issued or other measures may be taken by the court to ensure that certain data is locked down during the litigation process.
Special problems of law firms. There is no question that privileged communications may exist on law firm computers. You know going in that there will be massive amounts of confidential client data, attorney- client communications, etc., that must be protected. Law firm computers that are the target of an investigation present special and pervasive problems. Generally, these are best handled by narrowing the scope of analysis—and by the opposing side’s acknowledgement and acceptance of the fact that there is likely to be a very long privilege log.
A typical electronic evidence protocol will address the issue of cost. Typically, the producing party bears the costs of evidence production. However, it is sometimes smarter for the other side to pick up the costs, especially where it is fairly certain that damning evidence exists. If the proposed discovery is not overbroad and is designed to unearth relevant evidence with a minimum of business impact, and if the party requesting discovery has agreed to pick up the expenses, the other party’s claims of hardship will generally meet with strong judicial disapproval.
If money is a major issue, it may not be feasible to offer to pick up expenses. However, in accordance with the Zubulake v. UBS Warburg line of cases, it may be possible to achieve cost shifting depending upon the following (in order of priority):
- the extent to which the request is tailored to discover relevant information;
- whether the information is available from other sources;
- the cost of production compared to the amount in controversy;
- the cost of production compared to each party’s resources;
- the ability and incentive of each party to control costs;
- the importance of the issues at stake; and
- the relative benefits to the parties of obtaining the information requested.
Keeping your data secure requires careful drafting of an electronic evidence protocol. Working with the other side may achieve the fringe benefit of a balanced document that avoids many of the preliminary skirmishes so often the hallmark of discovery wars. If the other side can’t or won’t work with you, drafting a responsible and reasonable protocol to present to the court will often result in that protocol’s being adopted wholesale by the court. No court wants to endanger attorney-client communications or proprietary information that properly deserves court protection if such data are not relevant to the claims in the case. Make it easy for the court to find you reasonable in your approach to the discovery process, and the court will generally do everything in its power to assist you in guarding your data.
Sharon D. Nelson and John W. Simek are, respectively, president and vice president of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, Virginia. They can be reached at firstname.lastname@example.org.