The legal landscape has undergone a significant transformation in today’s digital age. With the proliferation of electronic data and its increasing importance in litigation, legal professionals must stay ahead of the game regarding ediscovery collection. Ediscovery, or electronic discovery, refers to identifying, preserving, and collecting electronically stored information (ESI) for use as evidence in legal proceedings. However, navigating the complexities of ediscovery can be overwhelming without a clear roadmap. To help you master your legal game and ensure a successful ediscovery process, we have unveiled the 9 Ediscovery Commandments – a set of guiding principles that will empower you with knowledge and expertise in handling ESI data collections.
Don’t Chase The Smoking Gun
Discovering a digital smoking gun can be extremely thrilling. However, not every day is as satisfying. After hours or days of searching and analyzing, it can painfully become clear that what the client hoped to find is not present. Clients can become frustrated and obsessed with the idea that the desired evidence must exist.
If you have a competent, certified forensic examiner, it is wise to trust them when they say they have followed all appropriate procedures and that the evidence you seek is not there. The evidence might have never existed, been overwritten, and become irretrievable, or the drive or specific files may have been wiped, potentially using a specialized tool.
Don’t Disregard or Destroy the Evidence
It is no coincidence that the First Commandment is about preserving electronic evidence. Computer forensics specialists often share clients’ stories who have inadvertently destroyed evidence. When a law firm or corporation identifies a potential legal matter, they usually authorize a member of their IT department to review the evidence. However, unbeknownst to them, this process can alter the dates and times of the files accessed and potentially tamper with information indicating user activity.
While this may not wholly discredit the case, it provides opposing counsel with ammunition to challenge the evidence, resulting in further costly forensic examinations to untangle the tampered evidence. It is unwise for a client to contaminate evidence by allowing in-house personnel to handle it, as it appears biased in the eyes of a judge. Instead, a certified third party’s initial, independent forensic examination is much more credible.
Preserve The Evidence
If the computer is already powered on, it is best to avoid a proper shutdown since it will alter dates and times. However, when it comes to servers, the situation differs. Preserving log file entries and operational events on a server is crucial, so shutting it down in an orderly manner is necessary. After removing a deactivated machine, store it securely. You’d be surprised how much attention a machine can attract if it remains publicly accessible.
It is vital not to assume that others can still use the device until a forensic examination occurs. Usage can alter dates and times and even overwrite deleted files. Back-ups are highly valuable. If the evidence you require is in the opposing party’s possession, promptly send them a preservation of evidence letter.
Courts are growing increasingly irritated with the destruction of ediscovery evidence, so provide the other party with timely and clear notice regarding the evidence that needs to be preserved, including any backup media.
Do Not Duplicate Or Clone Hard Drives
When duplicating a hard drive, many dates are not preserved, which can be problematic if these dates hold significance in a legal case. By default, if you use software like Norton’s “Ghost” to clone or duplicate a hard drive, you will not retrieve information stored in unallocated space. Unallocated space may contain valuable deleted emails and documents and sometimes plays a crucial role in winning a case.
Ignoring this unallocated space can be a critical error because duplication software creates a logical image rather than a physical one. If you are concerned that ediscovery will be presented in court, conduct a proper forensic acquisition to ensure the forensic image is obtained using collections best practices.
Keep Things Honest
While some experts can be hired, good experts are dedicated to finding the truth and will report their findings regardless of what they may be. Having a forensic technologist examine a digital device can be beneficial and harmful. It is possible to discover evidence that proves innocence but also evidence that incriminates. An expert cannot deny conducting a specific search. You can limit your questions when your expert is on the stand, but if any of your questions expose a weakness in the evidence, opposing counsel can take advantage of it.
In many cases, the best outcome is to have testimony stating that the questioned evidence came from a specific machine that a particular person had access. While asking if an expert is comfortable testifying about something is fair, a “no” response should be accepted gracefully, regardless of how much you wanted to hear a “yes.” The same goes for expert reports. While all experts will try to support the side that employed them, they should be cautious not to make unsupported claims. The good news is that hiring experts for reports and testimony often enhances their credibility.
Adopt A Kid’s Mindset
Most people are impressed by how well young people use the Internet, navigate computer programs, and even operate multiple remote controls. Those who grew up with traditional paper-based systems often struggle to adapt to electronic versions.
In contrast, our children embrace the endless possibilities the digital world offers. When examining electronic evidence, it is beneficial to adopt a childlike mindset. Kids understand that if they want to hide specific files from their parents, they can give them innocent names and change the file extension, for instance, disguising a collection of explicit images as innocuous Word documents with names like “sciencepaper.pdf.” Nowadays, skilled forensic investigators actively search for such techniques, which are relatively easy to discover.
Vet Your Experts
Buyer beware. Many people in computer forensics claim to be experts but may not be qualified. Be skeptical. Genuine forensic technologists have extensive experience and credentials. They have been involved in legal cases numerous times and are willing to provide references and discuss their past involvements. Consider if they are certified and by whom.
Did they simply pay for a certification that holds little value? It is also important to know about their training and experience level. Have they written expert reports, and if so, how many? What other certifications do they hold? How long have they been working in computer forensics? How many cases have they personally worked on? Make sure to review their CV, considering all of these factors thoroughly.
Expertise Matters. A Lot.
It is surprising how often lawyers treat forensics experts with little respect as if they were mechanics performing a simple task. These lawyers often have unrealistic expectations and demand immediate results, placing the burden of preparation on the experts.
The experts then have to drop everything else and produce what the lawyer needs, even if they were not given sufficient information about the case. This is a foolish misuse of their expertise.
When the technologists are fully informed and involved in the case, they can provide better results. It’s also frustrating when lawyers fail to communicate with their experts, leaving them unable to provide guidance when needed. Just as lawyers have their preferences for experts, experts also have their preferred lawyers who are collaborative and responsive.
Success in eDiscovery requires the right people and process. If you have chosen competent forensics technologists, trust them, listen to them, and involve them in your legal strategy. Ignoring these principles can lead to trouble.
Set Good Expectations
Clients often have unrealistic expectations and do not fully understand the complexity of a computer forensics examination. The process involves:
- Documenting evidence and procedures.
- Setting up equipment.
- Taking photographs of physical equipment.
- Creating a forensic case file takes more than an hour to complete correctly.
It is essential to acknowledge that there are limits to what can be achieved within a specific timeframe, and attempting to rush the process is not feasible. The time required for imaging, which creates a physical image of the data, varies depending on factors such as the amount of data and the technology used.
Many people underestimate the difference in cost between acquisitions performed in a computer forensics lab and those done on-site. Acquiring data in a lab is faster and more cost-effective because it is often mistakenly equated with simple copying.
On-site acquisitions can take significantly longer due to limitations in processing power and memory of portable devices used for the acquisition. Data transfer rates are slower, as the evidence must be stored on an external drive.
For example, an acquisition that takes four hours in the lab might take eight to ten hours on-site due to various variables, such as the amount of data stored on the hard drive and the speed of the computer being analyzed.
Additionally, there may be cases where the technologist needs reference materials or specific tools from their forensic toolkit, which may not be available on-site. The technologist will make the best decision based on the information in these situations.
On-site acquisitions are sometimes necessary when clients are unwilling to part with their servers, despite the advantages of shipping them to the forensics lab. However, it is essential to note that on-site acquisitions are significantly more expensive, even before factoring in travel costs, typically being 2-3 times more expensive.
In conclusion, mastering the legal game requires a deep understanding of ediscovery and its commandments. By following these nine principles, legal professionals can navigate the complex world of electronic data and ensure a fair and efficient litigation process.
From preserving evidence to conducting thorough document reviews, adhering to these commandments will help lawyers stay ahead in an increasingly digital landscape. So, let us embrace these ediscovery commandments and elevate our legal practice to new heights.
Take charge of your ediscovery journey today and witness the transformative power it can have on your legal game.