This is the fifth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations. As always, your comments are gratefully solicited.
Don’t Try This at Home
[Originally published in Law Technology News, August 2005]
The legal assistant on the phone asked, “Can you send us copies of their hard drives?”
As court-appointed Special Master, I’d imaged the contents of the defendant’s computers and served as custodian of the data for several months. The plaintiff’s lawyer had been wise to lock down the data before it disappeared, but like the dog that caught the car, he didn’t know what to do next. Now, with trial a month away, it was time to start looking at the evidence.
“Not unless the judge orders me to give them to you,” I replied.
The court had me act as custodian because the discoverable evidence on a hard drive lives cheek by jowl with all manner of sensitive stuff, such as attorney-client communications, financial records and pictures of naked folks engaged in recreational activity. In suits between competitors, intellectual property and trade secrets such as pricing and customer contact lists need protection from disclosure when not evidence. As does all that full-of-surprises deleted data accessible by forensic examination.
“Even if the court directs me to turn over the drive images, you probably won’t be able to access the data without expert assistance.”
I explained that, like most computer forensic specialists, I store the contents of hard drives as a series of compressed image files, not as bootable hardware that can be attached to a computer and examined. Doing so is advantageous because the data is easier to access, store and authenticate, as well as far less prone to corruption by the operating system or through examination. Specialized software enables me to assemble the image files as a single virtual hard drive, identical in every way to the original. On those rare occasions when a physical duplicate is needed, I reconstitute those image files to a forensically sterile hard drive and use cryptographic algorithms to demonstrate that the restored drive is a faithful counterpart of the original. Of course, putting the digital toothpaste back in the tube that way takes time and costs money.
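The verification step described above, sketched as an added example (not the author's tooling or any forensic product's code): the segments are hashed in order as one stream, and the restored target is hashed over exactly that many bytes, since a wiped target drive is often larger than the original. Gzip files stand in for a real forensic image format, and SHA-256, the file names and the sample data are assumptions constructed for the illustration.

```python
import gzip, hashlib, os, tempfile
CHUNK = 1 << 20  # stream 1 MiB at a time so a large image never sits in memory

def hash_segments(paths, algo="sha256"):
    """Hash the decompressed segments, in order, as one continuous stream."""
    h, total = hashlib.new(algo), 0
    for p in paths:
        with gzip.open(p, "rb") as seg:
            while chunk := seg.read(CHUNK):
                h.update(chunk)
                total += len(chunk)
    return h.hexdigest(), total

def hash_target(path, length, algo="sha256"):
    """Hash the first `length` bytes of the target; report if the rest is still zeroed."""
    h, left, tail_clean = hashlib.new(algo), length, True
    with open(path, "rb") as dev:
        while left and (chunk := dev.read(min(CHUNK, left))):
            h.update(chunk)
            left -= len(chunk)
        while chunk := dev.read(CHUNK):  # anything past the image must be zeros
            tail_clean = tail_clean and not any(chunk)
    return h.hexdigest(), left == 0, tail_clean

def verify_restore(segments, target, algo="sha256"):
    image_hash, size = hash_segments(segments, algo)
    target_hash, complete, tail_clean = hash_target(target, size, algo)
    return {"match": complete and image_hash == target_hash,
            "tail_clean": tail_clean, "bytes": size, "hash": image_hash}

def demo():
    """Constructed sample: 3000-byte 'drive' in three segments, restored, then altered."""
    data = os.urandom(3000)
    d, segs = tempfile.mkdtemp(), []
    for i in range(3):
        segs.append(os.path.join(d, f"image.{i:03d}.gz"))
        with gzip.open(segs[-1], "wb") as f:
            f.write(data[i * 1000:(i + 1) * 1000])
    target = os.path.join(d, "restored.bin")
    with open(target, "wb") as f:
        f.write(data + bytes(1096))      # target is larger than the source
    good = verify_restore(segs, target)
    with open(target, "r+b") as f:       # simulate a single altered byte
        f.seek(1500)
        f.write(bytes([data[1500] ^ 0xFF]))
    return good, verify_restore(segs, target)

if __name__ == "__main__":
    print(demo())
```

A one-byte change anywhere in the restored copy flips `match` to false, which is what lets an examiner show the duplicate is, or is not, a faithful counterpart.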
“Do we ask the court for a restored drive?”
“You could,” I said, “and you might get it if the other side doesn’t object.”
Incredibly, lawyers who’d never permit the opposition to fish about in their client’s home or office blithely give the green light when it comes to trolling client hard drives. No matter how much you want to demonstrate good faith or that your client has “nothing to hide,” be wary of allowing the other side to look at the drives.
Even when you’ve checked the contents, you can’t see all that a forensic exam can turn up, and your client may not tell you about all those files she deleted last night.
“But,” I warned, “as soon as you attach the drive to your computer and start poking around, you’ll alter the evidence.”
Microsoft Windows acts like a dog marking territory. As soon as you connect a hard drive to Windows, the operating system writes changes to the drive. Forensic examiners either employ devices called “write blockers” to intercept these alterations or perform their examination using operating systems less inclined to leave their mark all over the evidence. Without similar precautions, opening files, reading e-mail or copying data irretrievably alters file metadata, the data-about-data revealing, inter alia, when a file was last modified, accessed or created. You may find the smoking gun, but good luck getting it into evidence when it emerges you unwittingly altered the data! This is why smart lawyers never “sneak a peek” at digital evidence.
“It’d be a violation of the software licensing to use the programs on the duplicate so you’ll need to have the right software to read the e-mail and other documents and to crack any passwords you run into. However, you can’t load your software on the duplicate drive because that will overwrite recoverable deleted files. Don’t forget to take steps to isolate the system you’ll use for examination from your office network and the internet as well as to….”
She stopped me. “We shouldn’t be doing this ourselves, should we?”
“Not unless you know what you’re doing. Anyway, I doubt the court will allow it without a showing of good cause and some provision to protect privileged and non-discoverable confidential data.”
Now I got the question I was waiting for: “What should we do?”
“As the court’s neutral,” I answered, “I’m not in a position to answer that question, but before I’d burn a lot of time and money pursuing electronic discovery of particular media, I’d work out the answers to, ‘What’s this case about, and what am I really looking for?’”
What I wanted to add is that electronic discovery is no more about hard drives than traditional discovery was “about” paper. The hard drive is just a gigantic file cabinet, locked up like some Houdini vanishing act and packed with contents penned in Sanskrit. We don’t gear discovery to metal boxes, big or small.
Sure, it’s smart to focus on specific media and systems when you seek preservation, but when your goal is discovery, media ceases to be an end in itself. Then, the objectives are the e-mail, documents and other digital evidence relating to the issues in the case, narrowly targeted by time, topic, and custodian. Sorry Marshall McLuhan, it’s not the medium. It’s the message.
The only thing out-of-date in this piece is the reference to Marshall McLuhan–but it was already long in the tooth when I used it ten years ago (McLuhan died in 1980.) For younger readers, McLuhan was a 1950s and ’60s media theorist who famously said, “the medium is the message.” I don’t pretend to know much of McLuhan’s work, but not knowing may carry its own badge of honor.
In Woody Allen’s Oscar winner, Annie Hall, the lead character Woody plays is waiting for movie tickets, and the fellow in line behind him, a Columbia professor, is loudly pontificating about McLuhan’s theories. In one of those great movie comeuppances real life rarely grants, Allen steps behind a placard and produces Marshall McLuhan, who confronts the blowhard with, “I heard what you were saying. You know nothing of my work….How you ever got to teach a course in anything is totally amazing.”
I have a finite list of life goals for e-discovery. Some are ambitious, like weaning lawyers from imaged productions and helping them to see that native productions are better and cheaper. There, I see progress, and I’m confident of victory (not on my account, but because better and cheaper is a winning strategy for all). Other goals are modest, like getting lawyers and judges to see that requesting parties shouldn’t seek or gain unfettered access to an opponent’s digital media (e.g., “Surrender your computer/phone/Facebook credentials, Dorothy!”).
Success in this has proven elusive. Lawyers still demand and obtain production of opponent’s media without regard to (or perhaps with an eye to) confidential and privileged content that will be compromised.
If an opponent proves incapable or untrustworthy when it comes to identifying and producing electronically stored information, the answer is still not direct access, except as a Draconian sanction. The better approach is to put the task in the hands of someone with the technical skill to access and process the information and the experience and motivation to separate discoverable from protected in a fair and balanced manner. The work should be governed by a clearly expressed scope and protocol and include a sensible mechanism for review enabling producing counsel to protect important rights.
Ten years ago, the takeaway was, “get expert help;” today it’s, “you could learn to do some of this yourself.” I don’t expect lawyers to become forensic examiners or IT experts. But, lawyers must become more adept in addressing the most prevalent form of evidence they will deal with for the rest of their careers.
Is it too much to ask that a lawyer know how to peruse the contents of a forensic image when there are tools that make it safe and simple to do so? Example: AccessData’s FTK Imager–as splendid a free tool as one could wish–supports mounting of images as virtual drives.
Is it too much to expect that a lawyer have a tool at hand that processes, views, de-duplicates, searches, tags and exports all the common file types and electronic evidence containers out there? Example: Nuix’ Prooffinder, a $100 miracle that dedicates all proceeds to child literacy programs.
Is it too much to hope that lawyers and others will commit themselves to getting a firm grasp on electronic evidence, like the brave souls who work their asses off at the Georgetown Law E-Discovery Training Academy each summer?
If lawyers devoted a fraction of the energy they expend in telling themselves why they can’t or shouldn’t have to understand information technology to trying to understand it, they would be amazed at how much they can master. It’s simple: The more you know, the more you can do, and the more valuable you are in a competitive marketplace.