This is the fifth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations. As always, your comments are gratefully solicited.
Don’t Try This at Home
[Originally published in Law Technology News, August 2005]
The legal assistant on the phone asked, “Can you send us copies of their hard drives?”
As court-appointed Special Master, I’d imaged the contents of the defendant’s computers and served as custodian of the data for several months. The plaintiff’s lawyer had been wise to lock down the data before it disappeared, but like the dog that caught the car, he didn’t know what to do next. Now, with trial a month away, it was time to start looking at the evidence.
“Not unless the judge orders me to give them to you,” I replied.
The court had me act as custodian because the discoverable evidence on a hard drive lives cheek by jowl with all manner of sensitive stuff, such as attorney-client communications, financial records and pictures of naked folks engaged in recreational activity. In suits between competitors, intellectual property and trade secrets such as pricing and customer contact lists need protection from disclosure when not evidence. As does all that full-of-surprises deleted data accessible by forensic examination.
“Even if the court directs me to turn over the drive images, you probably won’t be able to access the data without expert assistance.”
I explained that, like most computer forensic specialists, I store the contents of hard drives as a series of compressed image files, not as bootable hardware that can be attached to a computer and examined. Doing so is advantageous because the data is easier to access, store and authenticate, as well as far less prone to corruption by the operating system or through examination. Specialized software enables me to assemble the image files as a single virtual hard drive, identical in every way to the original. On those rare occasions when a physical duplicate is needed, I reconstitute those image files to a forensically sterile hard drive and use cryptographic algorithms to demonstrate that the restored drive is a faithful counterpart of the original. Of course, putting the digital toothpaste back in the tube that way takes time and costs money.
“Do we ask the court for a restored drive?”
“You could,” I said, “and you might get it if the other side doesn’t object.”
Incredibly, lawyers who’d never permit the opposition to fish about in their client’s home or office blithely give the green light when it comes to trolling client hard drives. No matter how much you want to demonstrate good faith or that your client has “nothing to hide,” be wary of allowing the other side to look at the drives.
Even when you’ve checked the contents, you can’t see all that a forensic exam can turn up, and your client may not tell you about all those files she deleted last night.
“But,” I warned, “as soon as you attach the drive to your computer and start poking around, you’ll alter the evidence.”
Microsoft Windows acts like a dog marking territory. As soon as you connect a hard drive to Windows, the operating system writes changes to the drive. Forensic examiners either employ devices called “write blockers” to intercept these alterations or perform their examination using operating systems less inclined to leave their mark all over the evidence. Without similar precautions, opening files, reading e-mail or copying data irretrievably alters file metadata, the data-about-data revealing, inter alia, when a file was last modified, accessed or created. You may find the smoking gun, but good luck getting it into evidence when it emerges you unwittingly altered the data! This is why smart lawyers never “sneak a peek” at digital evidence.
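The hash comparison behind "faithful counterpart," and the effect of an unblocked write, can be shown in a short added example (not code from the original column). It assumes gzip-compressed segments as a stand-in for a forensic image format and SHA-256 as the algorithm; the function names and the 1 MiB "drive" are constructed for illustration.

```python
import gzip
import hashlib
import io

CHUNK = 64 * 1024  # read size; never load a whole drive into memory

def sha256_stream(stream) -> str:
    """Hash a file-like object (a raw or restored drive) in fixed-size reads."""
    digest = hashlib.sha256()
    while chunk := stream.read(CHUNK):
        digest.update(chunk)
    return digest.hexdigest()

def sha256_image_set(segments) -> str:
    """Decompress image segments in order and hash the reassembled contents."""
    digest = hashlib.sha256()
    for segment in segments:
        with gzip.GzipFile(fileobj=io.BytesIO(segment)) as part:
            while chunk := part.read(CHUNK):
                digest.update(chunk)
    return digest.hexdigest()

def acquire(raw: bytes, segment_size: int):
    """Constructed stand-in for imaging: returns (acquisition hash, segments)."""
    segments = [gzip.compress(raw[i:i + segment_size])
                for i in range(0, len(raw), segment_size)]
    return hashlib.sha256(raw).hexdigest(), segments

def demo():
    original = bytes(range(256)) * 4096   # constructed 1 MiB "drive"
    recorded, segments = acquire(original, 300_000)
    image_ok = sha256_image_set(segments) == recorded

    # Restore: write the segments back out as one contiguous drive.
    restored = b"".join(gzip.decompress(s) for s in segments)
    restored_ok = sha256_stream(io.BytesIO(restored)) == recorded

    # Simulate attaching the restored drive without a write blocker: the
    # operating system rewrites a few bytes (here, an 8-byte timestamp field).
    touched = bytearray(restored)
    touched[4096:4104] = (1_123_456_789).to_bytes(8, "little")
    touched_ok = sha256_stream(io.BytesIO(bytes(touched))) == recorded
    return image_ok, restored_ok, touched_ok

print(demo())  # (True, True, False)
```

The image set and the restored copy both reproduce the hash recorded at acquisition; the copy with eight rewritten bytes does not, which is how an unintended alteration surfaces when the evidence is later authenticated.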
“It’d be a violation of the software licensing to use the programs on the duplicate so you’ll need to have the right software to read the e-mail and other documents and to crack any passwords you run into. However, you can’t load your software on the duplicate drive because that will overwrite recoverable deleted files. Don’t forget to take steps to isolate the system you’ll use for examination from your office network and the internet as well as to….”
She stopped me. “We shouldn’t be doing this ourselves, should we?”
“Not unless you know what you’re doing. Anyway, I doubt the court will allow it without a showing of good cause and some provision to protect privileged and non-discoverable confidential data.”
Now I got the question I was waiting for: “What should we do?”
“As the court’s neutral,” I answered, “I’m not in a position to answer that question, but before I’d burn a lot of time and money pursuing electronic discovery of particular media, I’d work out the answers to, ‘What’s this case about, and what am I really looking for?'”
What I wanted to add is that electronic discovery is no more about hard drives than traditional discovery was “about” paper. The hard drive is just a gigantic file cabinet, locked up like some Houdini vanishing act and packed with contents penned in Sanskrit. We don’t gear discovery to metal boxes, big or small.
Sure, it’s smart to focus on specific media and systems when you seek preservation, but when your goal is discovery, media ceases to be an end in itself. Then, the objectives are the e-mail, documents and other digital evidence relating to the issues in the case, narrowly targeted by time, topic, and custodian. Sorry Marshall McLuhan, it’s not the medium. It’s the message.
The only thing out-of-date in this piece is the reference to Marshall McLuhan–but it was already long in the tooth when I used it ten years ago (McLuhan died in 1980.) For younger readers, McLuhan was a 1950s and ’60s media theorist who famously said, “the medium is the message.” I don’t pretend to know much of McLuhan’s work, but not knowing may carry its own badge of honor.
In Woody Allen’s Oscar winner, Annie Hall, the lead character Woody plays is waiting for movie tickets, and the fellow in line behind him, a Columbia professor, is loudly pontificating about McLuhan’s theories. In one of those great movie comeuppances real life rarely grants, Allen steps behind a placard and produces Marshall McLuhan, who confronts the blowhard with, “I heard what you were saying. You know nothing of my work….How you ever got to teach a course in anything is totally amazing.”
I have a finite list of life goals for e-discovery. Some are ambitious, like weaning lawyers from imaged productions and helping them to see that native productions are better and cheaper. There, I see progress, and I’m confident of victory (not on my account, but because better and cheaper is a winning strategy for all). Other goals are modest, like getting lawyers and judges to see that requesting parties shouldn’t seek or gain unfettered access to an opponent’s digital media (e.g., “Surrender your computer/phone/Facebook credentials, Dorothy!”).
Success in this has proven elusive. Lawyers still demand and obtain production of opponent’s media without regard to (or perhaps with an eye to) confidential and privileged content that will be compromised.
If an opponent proves incapable or untrustworthy when it comes to identifying and producing electronically stored information, the answer is still not direct access, except as a Draconian sanction. The better approach is to put the task in the hands of someone with the technical skill to access and process the information and the experience and motivation to separate discoverable from protected in a fair and balanced manner. The work should be governed by a clearly expressed scope and protocol and include a sensible mechanism for review enabling producing counsel to protect important rights.
Ten years ago, the takeaway was, “get expert help;” today it’s, “you could learn to do some of this yourself.” I don’t expect lawyers to become forensic examiners or IT experts. But, lawyers must become more adept in addressing the most prevalent form of evidence they will deal with for the rest of their careers.
Is it too much to ask that a lawyer know how to peruse the contents of a forensic image when there are tools that make it safe and simple to do so? Example: AccessData’s FTK Imager–as splendid a free tool as one could wish–supports mounting of images as virtual drives.
Is it too much to expect that a lawyer have a tool at hand that processes, views, de-duplicates, searches, tags and exports all the common file types and electronic evidence containers out there? Example: Nuix’ Prooffinder, a $100 miracle that dedicates all proceeds to child literacy programs.
Is it too much to hope that lawyers and others will commit themselves to getting a firm grasp on electronic evidence, like the brave souls who work their asses off at the Georgetown Law E-Discovery Training Academy each summer?
If lawyers devoted a fraction of the energy they expend in telling themselves why they can’t or shouldn’t have to understand information technology to trying to understand it, they would be amazed at how much they can master. It’s simple: The more you know, the more you can do, and the more valuable you are in a competitive marketplace.
Phil Rodokanakis said:
Isn’t Prooffinder limited to 10 GB of data? And FTK Imager is a great free tool for creating and opening image files, but it offers no search capabilities. I don’t use many open source tools, but aren’t there any open source apps that combine some of the features of Prooffinder and FTK Imager? ProDiscover used to make available a free version of their basic software (was like FTK Imager but also provided some basic search functions), but I don’t hear much about them these days, so I’m not sure what they’re up to.
Although getting attorneys to understand some of the basics about ESI preservation and handling only benefits the attorneys and their clients, the discussion in this post doesn’t address the volume of the electronic data usually involved in today’s litigations. To overcome the obstacles presented by the large volume of data we must deal with, one must be proficient in advanced tools that can optimize how the data is searched. Forensic Examiners spend years becoming proficient in the tools they use and they have to work full time in this field to stay current. I think it’s a bit naive to expect attorneys or paralegals who don’t have the time to become proficient in the use of forensic and eDiscovery tools, to be able to develop and capitalize on such skills.
craigball said:
Phil: Currently, Prooffinder is limited to 15GB of processed data, 50% more than when it was first introduced. All proceeds still benefit children’s literacy programs. I didn’t tout FTK Imager’s value as a search tool, only as a simple, free means to access and mount a forensic image. If a lawyer mounts the image, the lawyer can see the image as a read-only lettered drive and can extract files for processing, search and review in other applications. Any tool they want can be thrown at the mounted drive, as any other drive. I think Prodiscover got bought by ex-NYPD examiner, Tony Reyes under the ARC Group banner. It is no longer free, but it’s cheap.
“Naïve is maybe the worst thing you can say about a lawyer, so, ouch! 😉 You hear me advocate that lawyers should do some of the things we do professionally as forensic examiners and think it a bad idea–infeasible, bad for business or both. But, you may mistake my message. There are some basic, low-risk and low-volume tasks that lawyers can do using simple, affordable tools. More, there are basic tasks that lawyers must learn to do with their own hands in recognition that there is not enough money to support a practice whereby all technology tasks attendant to litigation are farmed out to professionals like you. Most in need of legal services are underserved. I’m talking about hard-working, middle class folks. Is the courthouse just going to be closed to them because they can’t pay for both a lawyer and a technologist? Moreover, it’s expedient for a lawyer to be able to take a quick look at data or grab a single file off an image, just as it needn’t traumatize a lawyer to know how to make a copy, type a document or brew a pot of coffee. I don’t expect lawyers to know how to fly the plane (though some should know); but I expect that all of them should damn well know how to board and buckle their seat belts! Put another way, a hammer can be used to sculpt the Pietà or hang a picture. Just because one can’t master the one, doesn’t mean they can’t master the other.
David Tobin said:
classic scene from Annie Hall