Top Things to Do When Collecting Electronic Evidence

By Joan E. Feldman


More than 50 percent of information stored on computers is never reduced to printed form. Moreover, the electronic version of a document usually contains information that does not appear in the printed version. Finding the information stored on computers is becoming an important part of discovery.

Send a preservation-of-evidence letter. Because information stored on computers changes every time a user saves a file, loads a new program, or does almost anything else on a computer, at the beginning of the case put all parties on notice that you will be seeking electronic evidence through discovery. Detail the types of information to be preserved and possible places the information may exist. If necessary, obtain a protective order. The Federal Rules of Civil Procedure mandate meet-and-confer sessions to discuss electronic discovery issues. Many of the logistical issues associated with preservation and production of e-documents will be discussed and agreed to at these sessions.

Include definitions, instructions, and specific questions in your written discovery. This is an ongoing process. Get an overview of the target computer system through a series of interrogatories. Follow interrogatories with a 30(b)(6) deposition of the information systems department. This is the single best tool for finding out the types of electronic information that exist in your opponent’s computer systems. Make clear in all requests for production that you are requesting electronic documents as well as paper. Define documents to include items such as data compilations, e-mail, and electronically stored data. Draft requests that specifically ask for different types of computer-based evidence such as hard drives, e-mail, and backup tapes. If necessary, include a request for inspection so that you can examine computer drives firsthand and retrieve any relevant data.

Collect backup tapes and removable media. Routine backups created to protect data in case of disaster can be a fertile source of evidence—particularly if responsive data is no longer available on active drives. This information is normally stored on high-capacity tapes but may exist on virtually any type of media. Backup tapes normally contain all of the organization’s data, including e-mail. Common backup procedures call for full backups to be made weekly, with the last backup of the month saved as a monthly backup. Whereas weekly backups are normally rotated, monthly backups are saved anywhere from six months to several years. Be sure to find out how the tapes were made, including procedures followed and specific hardware and software used. And don’t forget “ad hoc” backups on CDs and other removable media. It is not unusual to find backup CDs in witnesses’ desks.

Ask every witness about computer usage. In addition to the discovery directed at the computer system, question every witness about his or her computer use. Individual users’ sophistication varies widely. Knowing how each witness uses his or her computer and organizes and stores data may unearth sources of data not found by discovery directed at general-system usage. Focus also on secretaries and others who assist key witnesses. Often documents drafted by the key witness are stored on his or her assistant’s computer.

Perhaps the most overlooked source of electronic evidence is the home computer. Data usually ends up on home computers in one of two ways. First, it can be transferred to and from the workplace via e-mail. Second, an employee may transfer data back and forth via CDs or removable drives. Regardless of how data is transferred, find out whether the witness works from home and how data is transferred to and from the home computer.

Palmtop devices such as BlackBerrys include electronic address books and calendars. In addition to storing calendar and contact information, many of these devices allow users to make notes and use e-mail. Notebook computers are often shared among a number of users. Although the notebook computer may not be a witness’s primary workstation, it still may contain important pieces of information. Again, ask how palmtop devices and notebook computers are used and what data they may contain.

Make image copies. It is no secret that deleted files and other “residual” data may be recovered from hard drives and floppy disks. When working with computers, the term “deleted” does not mean destroyed. Rather, when a file is deleted, the computer makes the space occupied by that file available for new data. Reference to the “deleted” file is removed from directory listings and the file allocation table, but the bits and bytes that make up the file remain on the hard drive until they are overwritten by new data or “wiped” through use of utility software. The result is that a file appears to have been deleted but may still be recovered from the disk surface.

Residual data includes “deleted” files, fragments of deleted files, and other data that is still extant on the disk surface. To ensure that this residual data is captured, make an image copy of the target drive. An image copy duplicates the disk surface sector-by-sector. In contrast, a file-by-file copy captures only the data contained in the specific files. Even if all files are selected, a file-by-file copy will not capture any residual data.

Write-protect and virus check all media. Before doing anything else, maintain the integrity of the media you have received. The two key steps in doing this are write-protection and virus checking. Write-protecting media prevents data from being added to that media. It guarantees that the evidence you gather is not altered or erased as you are working with it. Floppy diskettes may be write-protected by moving a tab on the plastic casing of the diskette. Many CDs are “read only,” but if not, be sure to use a software interface to write-protect the CD or drive. Protect all media before doing anything with it.

Virus checking, likewise, prevents evidence from being altered and is the second thing you should do with all media. The key is using up-to-date virus-checking software. If a virus is detected, record all information about the virus and immediately notify the party producing the media. Do not take steps to clean the media because doing so would change the evidence that was provided to you.

Preserve the chain of custody. A chain of custody is critical because electronically stored data can be altered relatively easily, and proving the chain of custody is the primary tool in authenticating electronic evidence. Preserving a chain of custody requires, at a minimum, proving: (1) no information has been added or changed, (2) a complete copy was made, (3) a reliable copying process was used, and (4) all media were secured. Write-protecting and virus checking all media are the key steps in meeting the first requirement, and making image copies is the key step in meeting the second.
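The difference between an image copy and a file-by-file copy, and a check that a complete, unaltered copy was made, can be shown on a toy disk. This is an added example, not part of the original article: `ToyDisk`, its file names and contents are constructed for illustration, and comparing SHA-256 digests of source and image is an assumed verification method that the article does not name.

```python
import hashlib

SECTOR = 16  # toy sector size; real drives use 512 or 4096 bytes

class ToyDisk:
    """Constructed stand-in for a drive: a directory plus raw sectors."""
    def __init__(self, n_sectors=8):
        self.surface = bytearray(SECTOR * n_sectors)
        self.directory = {}   # name -> (first_sector, length)
        self.next_free = 0

    def write_file(self, name, data):
        start = self.next_free
        self.surface[start * SECTOR:start * SECTOR + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR)  # round up to whole sectors

    def delete_file(self, name):
        # Deletion drops only the directory reference; the bytes stay put.
        del self.directory[name]

def file_by_file_copy(disk):
    """Copies only what the directory still lists."""
    return {name: bytes(disk.surface[s * SECTOR:s * SECTOR + n])
            for name, (s, n) in disk.directory.items()}

def image_copy(disk):
    """Duplicates the surface sector by sector, allocated or not."""
    image = bytearray()
    for i in range(len(disk.surface) // SECTOR):
        image += disk.surface[i * SECTOR:(i + 1) * SECTOR]
    return bytes(image)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def demo():
    disk = ToyDisk()
    disk.write_file("notes.txt", b"meeting at noon")        # constructed content
    disk.write_file("ledger.txt", b"second set of books")   # constructed content
    disk.delete_file("ledger.txt")
    files, image = file_by_file_copy(disk), image_copy(disk)
    return {
        "files_copied": sorted(files),
        "residual_in_file_copy": any(b"second set" in d for d in files.values()),
        "residual_in_image": b"second set of books" in image,
        "image_matches_source": sha256(image) == sha256(bytes(disk.surface)),
    }

if __name__ == "__main__":
    print(demo())
```

Recording the digest when the image is made and recomputing it later gives a simple way to show that nothing on the copy has been added or changed.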

Hire an expert. An expert has the tools and skills to search the data for the evidence relevant to your case. An expert can help fine-tune discovery and maximize data recovered, provide resources for copying and examining data, perform forensic analysis, and help recover residual data and other hidden or lost data. The expert can help preserve chains of custody and help prove authenticity, as well as testify about the authenticity and accuracy of this evidence.

For More Information About the Section of Family Law

- This article is an abridged and edited version of one that originally appeared on page 9 of Family Advocate, Winter 2007 (29:3).

- For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.


Joan E. Feldman was formerly a managing director for Navigant Consulting, Inc., in Seattle, Washington.

Copyright 2008
