Category Archives: Computer Forensics

Is Transformation Possible?

01 Sunday Nov 2015

Posted by in Computer Forensics, E-Discovery, General Technology Posts

1 Comment

Ernie the AttorneyMost of us want transformation without change.  We want to be healthier, so long as it doesn’t require diet or exercise.  We want more time for family, friends and community, but not if it means passing up new business or earning less. We crave new and better, but feel safer in our comfort zones.

True transformation requires change: change of practice, of pace, of place and of attitude. Change is occasionally exciting, frequently enriching, and change is always easier when we pursue and embrace it than when it’s shoved down our throats.

Change travels fast; transformation creeps.

Except, in the legal technology arena, change takes years, and transformation decades; that is, save for the fortunate few able to reinvent themselves by rejecting the notion that one is ever “too busy to learn to be more efficient.”  One such different drummer and visionary is Ernest Svenson of New Orleans (pictured above).  If that mild-mannered moniker doesn’t ring any bells, perhaps you know him by his superhero name, Ernie the Attorney.

Driven by wind and water (a/k/a Hurricane Katrina), Ernie transformed from bored big firm litigator to energized, automated and in-control solo practitioner.  Ernie invested the time required to figure out how to practice efficiently, tame the paper tiger and exploit the latest techno-apps, -tools and -services.  Ernie thought things over and identified better ways to do what we do every day.  He began blogging about his successes and failures and writing books, always eager to share his wealth of knowledge with any it might help.

But, though Ernie could foster change by blogging and writing books, spawning transformation demanded a more intense and intimate sharing of skills and insights; so, Ernie created the Small Law Firm Bootcamp, a two-day event in New Orleans between Christmas and New Year’s—a time when we take stock of the year gone by and resolve to do better in the next. Continue reading

The Right Not to Know

19 Monday Oct 2015

Posted by in Computer Forensics, E-Discovery

4 Comments

starwars_hear no evilTexasBarToday_TopTen_Badge_SmallI’m sitting outside a courtroom in Texas where I have left the proceedings rather than risk the assertion that I learned confidential information offered as testimony in open court.  Sounds crazy, I know; but when lawyers agree to protective orders and judges enter them (then order that they apply to anyone sitting in the courtroom, signatory or not), judges and lawyers tend not to consider what impact those orders have on persons not parties to the case.  Just as there must be a right to protect truly privileged information and trade secrets, there must be a corollary right not to take on the burden and risk of protecting such information when you neither seek nor require disclosure of confidential data.  We have a right not to know.

Continue reading

Deduplication: Why Computers See Differences in Files that Look Alike

08 Wednesday Jul 2015

Posted by in Computer Forensics, E-Discovery

21 Comments

apples_orangesTexasBarToday_TopTen_Badge_SmallAn employee of an e-discovery service provider asked me to help him explain to his boss why deduplication works well for native files but frequently fails when applied to TIFF images.  The question intrigued me because it requires we dip our toes into the shallow end of cryptographic hashing and dispel a common misconception about electronic documents.

Most people regard a Word document file, a PDF or TIFF image made from the document file, a printout of the file and a scan of the printout as being essentially “the same thing.”  Understandably, they focus on content and pay little heed to form.  But when it comes to electronically stored information, the form of the data—the structure, encoding and medium employed to store and deliver content–matters a great deal.  As data, a Word document and its imaged counterpart are radically different data streams from one-another and from a digital scan of a paper printout.  Visually, they are alike when viewed as an image or printout; but digitally, they bear not the slightest resemblance. Continue reading

The Virtues of Fielding

29 Monday Jun 2015

Posted by in Computer Forensics, E-Discovery

11 Comments

fieldingI am a member of the Typewriter Generation.  With pencil and ink, we stored information on paper and termed them “documents.”  Not surprisingly, members of my generation tend to think of stored information in terms of tangible and authoritative things we persist in calling “documents.”  But unlike use of the word “folder” to describe a data directory (despite the absence of any  folded thing) or the quaint shutter click made by camera phones (despite the absence of shutters), couching requests for production as demands for documents is not harmless skeuomorphism.  The outmoded thinking that electronically stored information items are just electronic paper documents makes e-discovery more difficult and costly.  It’s a mindset that hampers legal professionals as they strive toward competence in e-discovery.

Does clinging to the notion of “document” really hold us back?  I think so, because continuing to define what we seek in discovery as “documents” ties us to a two-dimensional view of four-dimensional information.  The first two dimensions of a “document” are its content, essentially what emerges when you print it to paper or an image format like TIFF.  But, ESI always implicates a third dimension, metadata and embedded content, and sometimes a fourth, temporal dimension, as we often discover different versions of information items over time.

The distinction becomes crucial when considering suitable forms of production and prompts a need to understand the concept of Fielding and Fielded Data, as well as recognize that preserving the fielded character of data is essential to preserving its utility and searchability.

Continue reading

ESI Observations on a Pretty Good Friday

03 Friday Apr 2015

Posted by in Computer Forensics, E-Discovery

8 Comments

demonbunny2Though each merit their own post, I’ve lumped two short topics TexasBarToday_TopTen_Badge_Smalltogether.  The first concerns a modest e-discovery headache, being the cost, friction and static posed by GIF logos in e-mail. The second is a much uglier vulnerability hoppin’ down the bunny trail toward you right now; but rejoice, because you may still have time to avert disaster.  Continue reading

The Conundrum of Competence in E-Discovery: Need Input

07 Saturday Mar 2015

Posted by in Computer Forensics, E-Discovery

24 Comments

NeedInputlitigationworld-200I frequently blast lawyers for their lack of competence when it comes to electronic evidence.  I’m proud to be a lawyer and admire all who toil in the fields of justice; but I cannot hide my shame at how my brilliant colleagues have shirked and dodged their duty to master modern evidence.

So, you might assume I’d be tickled by the efforts of the American Bar Association and the State Bar of California to weave technical competency into the rules of professional conduct.  And I am, a little. Requiring competence is just part of the solution to the competence crisis.  The balance comes from supplying the education and training needed to become competent.  You can’t just order someone who’s lost to “get there;” you must show them the way.  In this, the bar associations and, to a lesser extent, the law schools have not just failed; they’ve not tried to succeed.

The legal profession is dominated by lawyers and judges.  I state the obvious to expose the insidious: the profession polices itself.  We set the standards for our own, and our standard setters tend to be our old guard.  What standard setter defines himself out of competence?  Hence, it’s extraordinary that the ABA commentary to Model Rule 1.1 and the proposed California ethics opinion have emerged at all.

These laudable efforts just say “get there.”  They do not show us the way. Continue reading

Do-It-Yourself Digital Discovery, Revisited

07 Saturday Feb 2015

Posted by in Computer Forensics, E-Discovery

3 Comments

keep-calm-and-do-it-yourselfThis is the thirteenth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations.  As always, your comments are gratefully solicited.

Do-It-Yourself Digital Discovery

[Originally published in Law Technology News, May 2006]

Recently, a West Texas firm received a dozen Microsoft Outlook PST files from a client.  Like the dog that caught the car, they weren’t sure what to do next.  Even out on the prairie, they’d heard of online hosting and e-mail analytics, but worried about the cost.  They wondered: Did they really need an e-discovery vendor?  Couldn’t they just do it themselves?

As a computer forensic examiner, I blanch at the thought of lawyers harvesting data and processing e-mail in native formats.  “Guard the chain of custody,” I want to warn.  “Don’t mess up the metadata!  Leave this stuff to the experts!”  But the trial lawyer in me wonders how a solo/small firm practitioner in a run-of-the-mill case is supposed to tell a client, “Sorry, the courts are closed to you because you can’t afford e-discovery experts.”

Most evidence today is electronic, so curtailing discovery of electronic evidence isn’t an option, and trying to stick with paper is a dead end.  We’ve got to deal with electronic evidence in small cases, too.  Sometimes, that means doing it yourself. Continue reading

Data Recovery: Lessons from Katrina, Revisited

31 Saturday Jan 2015

Posted by in Computer Forensics, General Technology Posts

2 Comments

wet HDDThis is the twelfth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations.  As always, your comments are gratefully solicited.

Data Recovery: Lessons from Katrina

[Originally published in Law Technology News, April 2006]

When the sea reclaimed New Orleans and much of the Gulf Coast, hundreds of lawyers saw their computers and networks submerged.  Rebuilding law practices entailed Herculean efforts to resurrect critical data stored on the hard drives in sodden machines.

Hard drives operate within such close tolerances that a drop of water or particle of silt that works its way inside can cripple them; yet, drives aren’t sealed mechanisms.  Because we use them from the beach to the mountains, drives must equalize air pressure through filtered vents called “breather holes.”  Under water, these breather holes are like screen doors on a submarine.  When Hurricane Katrina savaged thousand of systems, those with the means and motivation turned to data recovery services for a second chance. Continue reading

Locard’s Principle, Revisited

27 Tuesday Jan 2015

Posted by in Computer Forensics, E-Discovery, General Technology Posts

3 Comments

ShellbagsThis is the tenth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations.  As always, your comments are gratefully solicited.

Locard’s Principle

[Originally published in Law Technology News, February 2006]

Devoted viewers of the TV show “CSI” know about Locard’s Exchange Principle: the theory that anyone entering a crime scene leaves something behind or takes something away.  It’s called cross-transference, and though it brings to mind fingerprints, fibers and DNA, it applies to electronic evidence, too.  The personal computer is Grand Central Station for smart phones, thumb drives, MP3 players, CDs, floppies, printers, scanners and a bevy of other gadgets.  Few systems exist in isolation from networks and the Internet.  When these connections are used for monkey business like stealing proprietary data, the electronic evidence left behind or carried away can tell a compelling story. Continue reading

The Path to E-Mail Production IV, Revisited

22 Thursday Jan 2015

Posted by in Computer Forensics, E-Discovery, General Technology Posts

1 Comment

path of email-4This is the ninth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations.  As always, your comments are gratefully solicited.

The Path to Production: Are We There Yet?

(Part IV of IV)

[Originally published in Law Technology News, January 2006]

The e-mail’s assembled and accessible.  You could begin review immediately, but unless your client has money to burn, there’s more to do before diving in: de-duplication. When Marge e-mails Homer, Bart and Lisa, Homer’s “Reply to All” goes in both Homer’s Sent Items and Inbox folders, and in Marge’s, Bart’s and Lisa’s Inboxes.  Reviewing Homer’s response five times is wasteful and sets the stage for conflicting relevance and privilege decisions.

Duplication problems compound when e-mail is restored from backup tape.  Each tape is a snapshot of e-mail at a moment in time.  Because few users purge mailboxes month-to-month, one month’s snapshot holds nearly the same e-mail as the next.  Restore a year of e-mail from monthly backups, and identical messages multiply like rabbits. Continue reading