General Practice, Solo & Small Firm Division Magazine

Volume 17, Number 2
March 2000




This article provides a general overview of discovery strategies for information stored on computers.

A discovery strategy starts with the "data files" created by software applications: word-processed documents, reports generated by databases, spreadsheets, and e-mail. Discovery tactics that do not include the opposition's electronic data may overlook important evidence, primarily e-mail, which tends to be casual, candid, and careless. With readily available data files, software can search through gigabytes of data for key words or phrases and find key documents faster and more efficiently than an army of paralegals could in hours of sifting.

After the data files, there are the so-called "replicant data" or "file clones." Many software manufacturers build in automatic backup features that create and periodically save copies of a file being worked on by a user. File clones are useful because they create a copy or multiple copies of a document that users would not normally erase and are usually not aware of. On most networked systems, file clones are saved to the user's hard drive rather than to a centralized network file server. As a result, a document that was purged from the file server may still exist as a file clone on a user's hard drive.

There are also backup data to consider. Networks are normally backed up on a routine schedule. Network backups normally capture only the data saved on the centralized storage media (such as the file server) and do not capture all the data stored on individual users' hard drives. Reviewing a series of backup tapes can provide a wealth of information about how a particular matter progressed over several weeks or months. The difficulty with using backup data is that the media hold a large amount of data that is only loosely organized. Finding relevant data requires restoring a tape, viewing its directories, and searching within the directories for specific files. If the file is not on the tape, the process must be repeated for each backup tape.

Next consider the "residual data." This is information that appears to be gone but is still recoverable from the computer system. It includes "deleted" files still extant on hard drives and data existing in other system hardware such as buffer memories of printers, copiers, and fax machines. Until data are overwritten or wiped, they can be restored through use of undelete or restore commands. As deleted files may be overwritten when a new file is saved, new software is loaded, or unused space is wiped, the amount and type of residual data that can be recovered varies. In the case of a partially overwritten file, pieces of the file (file fragments) may also be recovered. Residual data can be buried in a number of other places on disks and drives. Forensic specialists have tools that allow them to examine the entirety of a drive for residual data.

Computers also contain information about the information they store. Every computer contains its own kind of audit trail. All files are date- and time-stamped, and networked computers contain computer logs about who, when, where, and how long a user was on the system. That information can be golden in the face of a witness' denial that he or she had knowledge of certain facts. Also recorded within a computer's own self-maintenance system may be information about who modified a file last and when the modification was made. An audit trail may indicate when and by whom files were downloaded to a particular location, copied, printed out, or purged. In addition to using a network's audit trail, an increasing number of companies are installing software designed to monitor employees' use of company computers. This software records information such as programs used, files accessed, e-mail sent and received, and Internet sites visited.
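As an added illustration (not part of the original article), the Python sketch below combines the keyword search over data files described earlier with the date and time stamps described above: it records each file's size, modification time, and keyword hits for a working copy of collected files. The SHA-256 hash, the function names, and the sample files are assumptions introduced here; the hash is included so that a later copy can be compared against the first manifest.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

def build_manifest(root, keywords):
    """Return one record per file under root: metadata, hash, keyword hits."""
    # Assumption: content is plain text; word-processor formats need text extraction first.
    pattern = re.compile(b"|".join(re.escape(k.encode()) for k in keywords), re.IGNORECASE)
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)  # capture timestamps before the content is read
            with open(path, "rb") as fh:
                data = fh.read()  # acceptable for a sample; stream large files
            rel = os.path.relpath(path, root)
            records[rel] = {
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "hits": sorted({m.group().lower().decode() for m in pattern.finditer(data)}),
            }
    return records

def changed_since(baseline, current):
    """Paths whose content hash differs from, or is missing in, the baseline."""
    return sorted(p for p in set(baseline) | set(current)
                  if baseline.get(p, {}).get("sha256") != current.get(p, {}).get("sha256"))

def make_sample(root):
    """Constructed sample data: two small files with a fixed modification time."""
    samples = {"memo.txt": b"Please purge the Q3 forecast before the audit.\n",
               "notes.txt": b"Lunch order for Friday.\n"}
    for name, body in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (946684800, 946684800))  # 2000-01-01T00:00:00Z

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        make_sample(work)
        baseline = build_manifest(work, ["purge", "forecast"])
        for rel, rec in sorted(baseline.items()):
            print(rel, rec["modified_utc"], rec["sha256"][:16], rec["hits"])
        with open(os.path.join(work, "notes.txt"), "ab") as fh:
            fh.write(b"edited\n")
        print("changed:", changed_since(baseline, build_manifest(work, ["purge"])))
```

Run it against a copy of the collected files rather than the original media, since reading and writing files on a live system can alter the very timestamps being recorded.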

Networked computers allow a large number of people to share information and keep it all in one central place, the network server. Networks have their own logic that goes beyond any single workstation. For example, "access control" lists limit users' rights to access, view, and edit various files otherwise available on a network. Access rights often depend on the employee's particular job duties and position in the company, and different personnel may have different access rights. If litigation centers on a particular file or group of files, identifying who had access rights to the files and the type of access each person was allowed can establish data ownership/authenticity of files.

If you are prosecuting a case, there is a concern that the adversary is going to cover its tracks, and that defense counsel will raise arguments about how intrusive, overreaching, and burdensome it is to "shut down" a company's computers just so you can forage around in them, often in areas that are confidential or privileged. From the plaintiff's perspective, you and your expert must meet that challenge by showing that making mirror-image copies of hard drives is not intrusive, and that the process is an easy and straightforward task. Be prepared to enter into a protective order for your client that will allow the opposition to claim that certain identified files are off limits.

The cheapest way for the plaintiff's lawyer to preserve evidence is to send the opposition a written notice to preserve that evidence. A more potent approach is to immediately serve on the opposing party a request for production of documents and items stating that you wish to "copy" all the adversary's equipment, and then to follow that up with a Rule 30(b)(6) deposition of the person most knowledgeable about the opposing party's computer system.

The request for production of documents should explain that the information sought may exist actively in places such as network file servers, mainframe computers or minicomputers, stand-alone PCs, and network workstations. Data may also reside on off-line data storage media including backups and archives, floppy diskettes, tapes, and other removable electronic media. The request should specify that no potentially discoverable data be deleted or modified and that procedures that may affect such data not be performed unless all potentially discoverable data have been copied and preserved.

If you are concerned that critical data may be removed before you have a chance to conduct discovery, it may be necessary to obtain a restraining order, followed by a hearing to obtain a preliminary injunction. With respect to system users that may have discoverable information on their computers, the restraining order should state that no new software should be loaded and no data compression and disk defragmentation or optimization routines run until there has been an inspection or until image copies of the hard drive have been made. With respect to backup systems, ask that the rotation and reuse of backup media cease until relevant data can be copied. Requesting parties should ask that existing tapes be held aside and not recycled. Parties should be instructed not to dispose of any electronic media storage devices that are being replaced because of failure or system upgrades.

For defense lawyers, the best defense is a comprehensive protective order that allows for an orderly inspection of both sides' computers. The protective order should provide defense counsel with adequate opportunity to remove from "mirrored" copied hard disks those files that are work product, privileged, or confidential trade secrets of the client. Defense counsel should be entitled to conduct discovery as to the methods and practices of any expert hired by plaintiff's counsel to assure data integrity and chain of custody of any evidence acquired from his or her client.

Litigants with limited resources should focus on e-mail. E-mail is where people tell the unadorned truth. For the lawyer who simply wishes to advise his or her client to be aware of potential liabilities down the road, it is an almost impossible task to control the flow and proliferation of e-mail. Still, an employer should implement a policy that prohibits private use of e-mail and remind employees that e-mails are like postcards, available for all to read, including the employer. From time to time, employee e-mail should be monitored for compliance. Old e-mail should be routinely deleted and expunged.

Joan E. Feldman is president of Computer Forensics Inc. in Seattle. Larry G. Johnson is a lawyer in Seattle.

For More Information About the Business Law Section

  • This article is an abridged and edited version of one that originally appeared on page 18 of Business Law Today, May/June 1999 (8:5).
  • For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.
  • Periodicals: Business Law Today, bimonthly magazine; The Business Lawyer, quarterly law journal.
  • Books and Other Recent Publications: The Securities Enforcement Manual: Tactics and Strategies; Web-Linking Agreements: Contracting Strategies and Model Provisions; Corporate Director's Guidebook; Guidebook for Directors of Nonprofit Corporations; Model Business Corporation Act Annotated; Reorganizing Failing Businesses; Financial Statement Analysis for the Practical Lawyer; Documenting the Attorney-Client Relationship; and The New Article 9. Visit for more information.
