One of the pleasures of my practice is staying abreast of what others have to say about e-discovery and computer forensics.  I try not to miss much, though the chorus of voices has grown markedly in the last five years,  The challenge is choosing wisely for the quality of discourse hasn’t kept pace with the volume.  I’m in the debt of vigilant folks like Rob Robinson, a really nice guy who takes the time to run the traps of blogs and publications to insure that many voices worth hearing are heard.

Rob is Vice President of Marketing for e-discovery service provider, Orange Legal Technologies in Salt Lake City, but like your’s truly, Rob’s based in Austin.  Rob publishes his Unfiltered Orange list through all the major networking streams, so if you want Tweet updates, you can follow @OrangeLT.  I prefer the weekly compendiums which can be seen HERE, subscribed to HERE or added as an RSS feed.

Thanks, Rob!  Great work!

Today, December 1, 2011, marks the fifth “birthday” of the federal e-discovery rules amendments. Five is the age when we leave the idle idylls of early childhood and take our first steps on the road to becoming a skilled, educated and productive adult. Five years out from the rules amendments, we’ve yet to see the legal community embrace the ABCs of e-discovery.  Educational resources remain sparse and superficial. Worse, many lawyers cling to the delusion that they can be competent advocates without understanding digital evidence in a world where nearly all evidence is digital. Most lawyers lack any training or tools to examine, sort or search electronically stored information.  Lawyers have lost touch with evidence.

Birthdays and gifts go together, and I can’t imagine a better or more timely “gift” to the e-discovery community than the introduction of a spectacularly powerful software tool called Proof Finder.  For the breakthrough price of $100 dedicated entirely to supporting child literacy, purchasers of Proof Finder will snag a tool having the core capabilities of e-discovery platforms costing thousands of dollars more.  It’s a tool with the power and price tag to get lawyers back in touch with evidence. Continue reading →

Ah, porn.  The fabric free entertainment that folks just won’t leave at home.  In his concurring opinion in Jacobellis v. Ohio 378 U.S. 184 (1964), Justice Potter Stewart famously said of hardcore pornography, “I know it when I see it.”  If Justice Stewart had practiced in the era of e-discovery, he’d know it well indeed.

Forensic examiners joke that porn is a perk of the job because we come across it so often on workplace systems, mainly in e-mail.  Most is softcore stuff or cheesecake shared more for humor than titillation; but some can be pretty raw.  It can be tortious, as well…and when subjects skew too young, a felony.

Workplace porn is a problem, perhaps nowhere more so than when it’s inadvertently produced to the other side in e-discovery.  You may wonder, “Does that really happen?”  Let me assure you it occurs with astonishing regularity; and I expect it to happen more as we trade human review for mechanized categorization techniques like predictive coding.  Say what you will about bored contract reviewers, pictures of naked folks afrolic tend to catch their eye.  Not so machines…unless tasked to look for skin tones, and even then baby pictures pass for ‘oh baby’ pictures.

As I sit here shaking my head at a production set where porn crossed over, I ask you dear reader: Do we need a porn pass?

Continue reading →

They’re talking about changing the federal e-discovery rules to lessen the fear and loathing attendant to preservation of ESI.

The unstated impetus is that federal judges can’t be trusted to weigh preservation and mete out sanctions in ways fairly attuned to facts and culpability. The proposed amendments seek to wrest the gavels from cranky judges whose 20/20 hindsight and outsize expectations operate to impose an impossible, perilous standard nationwide.  Or so goes the rhetoric.

It’s a crock.  We give federal judges a job for life, but can’t trust them to do that job wisely and well?!?  Did we not learn anything from the debacle of mandatory sentencing guidelines?

The proposed changes are driven by the second silent goal of sparing litigants (really their technologically challenged counsel) the chore of knowing enough about electronic evidence and information technology to make defensible decisions about preservation.  “Don’t make us learn anything,” they plead, “just make rules specific enough to protect us from not knowing.” The rub with grafting such specificity onto e-discovery is that information technology moves far more swiftly than rule making, such that amendments like those proposed principally benefit those who can’t or won’t keep up. Continue reading →

“You can get anything back from a computer, can’t you?  Even the deleted stuff!”

I get that that a lot, and tend to respond, “Pretty much.”  My lawyer side wants to add, “but it depends.”  Like most in computer forensics, I tend to downplay the challenges and uncertainties of data recovery, not so much to promote forensic examination as to discourage data destruction.  Until a forensic examiner processes the evidence, it’s hard to say whether we can recover particular deleted data; but dollars-to-diamonds, a forensic exam will shed light on the parties and issues.

Lately, the likelihood of recovering deleted files on late-model Windows systems has gone way, way up, even if the data’s been thoroughly flushed from the Recycle Bin.  Microsoft has been gradually integrating a feature called Volume Snapshot Service (a/k/a Volume Shadow Copy Service) into Windows since version XP; but until the advent of Windows 7, you couldn’t truly say the implementation was so refined and entrenched as to permit the recovery of anything a user deletes from a remarkable cache of data called Volume Shadow Copies.

Volume shadow copies are old news to my digital forensics colleagues, but I suspect they are largely unknown to the e-discovery community.  Though a boon to forensics, volume shadow copies may prove a headache in e-discovery because their contents represent reasonably accessible ESI; that is, much more potentially probative evidence that you can’t simply ignore. So, for heaven’s sake, don’t tell anybody. 😉 Continue reading →

If you’re on this turf, chances are you already know that de-NISTing is a technique used in e-discovery and computer forensics to reduce the number of files requiring review by excluding standard components of the computer’s operating system and off-the-shelf software applications like Word, Excel and other parts of Microsoft Office.  Everyone has this  digital detritus on their systems; things like Windows screen saver images, document templates, clip art, system sound files and so forth.  It’s the stuff that comes straight off the installation disks, and it’s just noise to a document review.

It’s called “de-NISTing” because those noise files are identified by matching their hash values (i.e., digital fingerprints) to a huge list of software hash values maintained and published by the National Software Reference Library, a branch of the National Institute for Standards and Technology (NIST).  The NIST list is free to download, and pretty much everyone who processes data for e-discovery and computer forensic examination uses it.  If you’re paying a vendor to de-NIST, you probably think you’re getting value for the service.  I expect nearly everybody who de-NISTs believes that they’re culling the most common operating system and application files.  I mean, that’s the whole point, right?

Sorry to burst your bubble. Continue reading →