
ARTICLE

Watch Out for Pitfalls in Forensic Discovery

Alexander C Meier

Summary

  • Forensic discovery is often valuable because of the relationship and arrangement of data found on the source, as well as metadata related to files on the source.
  • Attorneys can avoid both the loss of critical data and allegations of spoliation by recognizing the unique fragility of forensic data and taking measures to preserve that data when it may be relevant.
  • Initial preparation and analysis of forensic discovery can create efficiency and prevent problems from arising later.

Imaging someone’s computer or cell phone used to be an exceptional ask. But with changes in technologies and sharp reductions in the cost of imaging these sources, computers and cell phones are increasingly the most important and commonly sought sources of discovery. Forensic discovery refers not only to the collection of relevant electronically stored information but also, more specifically, to the creation of a mirror image of the source to preserve relevant metadata and the normally inaccessible files and history found on a source.

Forensic discovery, however, carries unique risks and considerations. It is often valuable because of the relationship and arrangement of data found on the source, as well as metadata related to files on the source. That data can be inadvertently altered or overwritten by accessing the source or by continuing to use the source. For example, an attorney who reviews or copies files from a USB drive will reset the “last accessed” date for files on the USB drive and, in doing so, may cause critical evidence about when certain files were accessed to be irreversibly altered and potentially lead to spoliation.
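
The fragility of the “last accessed” date can be shown in a short script. This is an added example, not part of the original article: it records file metadata with stat calls only (which never open file contents) and reports which fields differ between two snapshots. The names `snapshot`, `diff` and `demo` and the sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

FIELDS = ("st_size", "st_mtime_ns", "st_atime_ns")

def snapshot(root):
    """Record size and timestamps per file using stat() only; contents are never opened."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = path.stat()  # metadata lookup only, does not read the file
            manifest[str(path.relative_to(root))] = {f: getattr(st, f) for f in FIELDS}
    return manifest

def diff(before, after):
    """Return {relative_path: [changed fields]}; missing or new files are flagged too."""
    changes = {}
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            changes[rel] = ["missing"]
        elif rel not in before:
            changes[rel] = ["new"]
        else:
            changed = [f for f in FIELDS if before[rel][f] != after[rel][f]]
            if changed:
                changes[rel] = changed
    return changes

def demo():
    """Constructed sample: two files; one has its access time moved forward."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("contract.docx", "notes.txt"):
            (Path(root) / name).write_bytes(b"constructed sample content")
        before = snapshot(root)
        target = Path(root) / "notes.txt"
        st = target.stat()
        # Simulate a later review of the file. The access time is set explicitly
        # because whether a plain read updates it depends on the operating system
        # and mount options (assumption: this stands in for a reviewer opening it).
        os.utime(target, ns=(st.st_atime_ns + 3_600_000_000_000, st.st_mtime_ns))
        return diff(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A metadata listing like this only documents what changed on a working copy; it does not replace the mirror image described above.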

Attorneys can avoid both the loss of critical data and allegations of spoliation by recognizing the unique fragility of forensic data and taking measures to preserve that data when it may be relevant. First, counsel should incorporate a discussion about whether preserving forensic data may be necessary as part of the initial fact investigation and tailor the scope of any issued litigation hold to include sources identified by the client.

Second, the client should be instructed not to access relevant devices or sources so that information may be collected in a forensically sound manner. For corporate clients, that should include express directions to the information technology team to avoid a “helpful” IT employee compromising forensic discovery—both in the litigation hold and in a separate communication from internal or outside counsel. Moreover, sources with hard drives may be encrypted or have rights restrictions that may otherwise prevent the drive from being imaged without administrative user credentials. Any remote wiping or scheduled data deletion measures for the source should be disabled. Identifying whether these protective measures are in place will help avoid delays in the imaging process or—even worse—being locked out of the drive due to data loss prevention measures.

Third, if forensic data must be preserved, counsel should consider engaging an independent forensic examiner or, if appropriate, an attorney with e-discovery expertise to ensure that the relevant sources are collected and preserved in a forensically sound and complete manner. Independent forensic examiners or forensic experts are often preferable if the dispute may require the submission of an affidavit to substantiate the chain of custody and authenticate information collected from the sources.

Fourth, an active dialogue with the opposing party can prevent allegations of spoliation or concealing evidence. The parties may wish to specifically outline what will be searched and the search criteria used, preferably identified in an agreed protocol or other written agreement governing the production of forensic data.

In sum, initial preparation and analysis of forensic discovery can create efficiency and prevent problems from arising later.
