Category Archives: E-Discovery

Meet Bob Woodward, Living Legend

14 Monday Jan 2019

Posted by in E-Discovery, Personal, Uncategorized

4 Comments

Bob WoodwardIt’s almost that time, two weeks from LegalTech New York (okay, LegalWeek for those who hang on for more wintry weather) and the fine folks at Zapproved have again asked me to interview a gifted interviewer–on Broadway, no less–for the annual Corporate E-Discovery Heroes Awards.  I’ve had past fireside chats with Nina Totenberg, Doris Kearns Goodwin and Eugene Robinson.  My subject this year is Bob Woodward.

OMG BOB WOODWARD!

I’ll use the same two words Woodward himself uttered on June 17, 1972 as a cub reporter for the Washington Post covering an arraignment of five well-dressed Watergate burglars.  On hearing perpetrator James McCord whisper “CIA” when asked his employer, Woodward exclaimed:

HOLY SHIT!

I mean, BOB WOODWARD!  Author of nineteen  books, thirteen #1 national bestsellers.  The dean of investigative journalism.  The 2019 PEN America Literary Service Award winner (per this morning’s New York Times).  The man who helped earn two Pulitzer Prizes for the Post.  The man who brought down a President.  Robert Redford played him in All the President’s MenNot pruney 2019 Redford, either.  We’re talking 1976 sex symbol Robert Redford!

So, yeah, HOLY SHIT!  BOB WOODWARD!

I better get this right. Will you help me?  In the comments below, I invite you to suggest questions I might pose to the living legend onstage.  Don’t worry.  Woodward wrote “Fear.”  We will talk Trump.

It’s a very special night in another way.  My dear, dear friend, the Honorable John Michael (yada, yada, yada) Facciola, will receive the 2019 Hon. Shira Scheindlin Lifetime Achievement Award in recognition of a career that has advanced the practice of electronic discovery.  The “yada, yada, yada” denotes that Fatch has more middle names than a British nobleman.  Fitting, as John Facciola is truly a noble man and richly deserving of this award.  I’m excited about who the presenters will be; but, I’m not spoiling that surprise.  You’ll just have to attend.

Honored as well will be four “Corporate E-Discovery Heroes,” nominated by their peers and selected by an esteemed panel of judges.  What? FINE! Esteemed and me.  Who won?  Like I said, you’ll just have to attend.  Please do.

Though seating is limited, tickets are still available, and dinner and drinks are included.  It’s going to be a hell of a party!  Don’t miss it.

Where: Edison Ballroom, 240 W 47th St, New York, NY 10036
When: January 28, 2019 at 6:00pm
Register by: January 25, 2019 11:59 PM Eastern Time

Bring your copy of Fear, All the President’s Men, The Final Days, The Brethren, Wired or one of the others.  No promises, but I bet you can get it signed by the man who inspired a generation of journalists.

Loving Location Histories

01 Saturday Dec 2018

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Uncategorized

1 Comment

I give dozens of talks each years on electronic evidence where I discuss geolocation data and its transformative potential as evidence in criminal prosecutions and civil litigation.  Smart phones constantly track our movements using gyroscopes, accelerometers, global positioning features, geolocation apps, cell tower triangulation and three independent radio systems. Our steps are tallied, altitudes logged, and, for many, vital signs are monitored, too.  We are earthbound astronauts, instrumented and coupled to sensors and telemetry as thoroughly as any who journey into space.

This doesn’t fully resonate with audiences until I guide them through their own phones, showing the level of detail with which movements are tracked.  Some listeners boast that they’ve set their privacy settings to block geolocation.  They’re the ones most surprised to learn that, although they can disable their ability to see their own geolocation history and stop geolocation data from being shared with apps, they can’t disable geolocation broadcasting and still have a functioning phone.  Here’s the bottom line: if a phone can operate as a phone, it must broadcast its geolocation coordinates with a precision of ten meters (~30 feet) or better.  U.S. law requires it.

When I broach geolocation data and see that look of “we already know this” creep across faces, that’s when I ask for a show of hands of how many in the audience use iPhones.  Nearly every hand shoots up.  I then invite them to drill down in their phone’s Settings with me to the Significant Locations logs.  Surprisingly, most have never done this before and are shocked, even frightened, by the richness of detail in the data.

To try it on your iPhone,navigate through Settings>Privacy>Location Service>System Services> Significant Locations.  Unless you’ve disabled your ability to see geolocation data, you’ll arrive at the phone’s History list setting out locales visited, and the number of sites gone to within those locales.

But, wait!  There’s more! Continue reading

Cloud Takeouts: Can I Get That to Go?

07 Wednesday Nov 2018

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Uncategorized

6 Comments

Apple take outTwo-and-a-half years ago, I concluded a post with this bluster:

“Listen, Amazon, Apple, Microsoft and all the other companies collecting vast volumes of our data through intelligent agents, apps and social networking sites, you must afford us a ready means to see and repatriate our data.  It’s not enough to let us grab snatches via an unwieldy item-by-item interface.  We have legal duties to meet, and if you wish to be partners in our digital lives, you must afford us reasonable means by which we can comply with the law when we anticipate litigation or respond to discovery. You owe us that.  Alexa, are you listening?”

Amazon hasn’t listened; but, Apple lately gave users the ability to download our data.  Credit for this awakening goes to the European Union’s Global Data Protection Regulation (GDPR) that went into effect on May 25.

Data takeout capabilities are essential to protecting civil liberties and meeting legal duties.  Google’s given users a simple, effective means to repatriate data (including Gmail and calendar data) for five years, although search histories have only been supplied for two.  Twitter’s supported robust data takeout for five years; and eight years ago, Facebook became the first big social media site to offer its users the ability to download contributed content.

Apple is late to the party but it didn’t come empty-handed.  The Apple takeout is extensive and can be huge.  My download comprised 63GB in 26 compressed Zip archive files.  It took Apple five days to assemble the data and make it available for download; then, I had to download each file, one-by-one.  There’s no way to download them all, leaving the distinct impression that Apple doesn’t want takeout to be too easy.  In fairness, had I opted to have Apple deliver my data in 25GB chunks (the largest chunk option) instead of the 5GB file limit I specified, it would have been easier.

In my case, almost all the volume were photos replicated in iCloud.  Notably absent was my messaging, which Apple can’t archive and thus can only be obtained from the iPhone or a backup of same (see my post Mobile to the Mainstream). Continue reading

Mad About Metadata

02 Friday Nov 2018

Posted by in Computer Forensics, E-Discovery, Uncategorized

2 Comments

mad about metadataIt’s the month for giving thanks, and I’m ever-grateful for the daily e-discovery blog penned by my friend, Doug Austin, for CloudNine.  It’s tough to get out a post every business day, and Doug’s done it splendidly for, what, nine years now?  Kudos!  Doug’s EDiscovery Daily blog is often my first heads-up for new e-discovery cases, true again for the decision he featured this morning,  Metlife Inv’rs. USA Ins. Co. v. Lindsey, No. 2:16-CV-97 (N.D. Ind. Oct. 25, 2018)

It’s a familiar scenario.  The requesting party expressly demands native file production.  The responding party, a big insurance company, produces static image formats as non-searchable PDFs.  When the requesting party objects, the carrier argues that the metadata it strips from the evidence isn’t relevant and that the request for native forms is disproportionate, again challenging relevance, and also claiming that producing in the native forms sought would be cumulative because (chutzpah!) they’d already produced in PDF over their opponent’s timely objection.

To its credit, the Court makes short work of MetLife’s high-handedness and orders native production but stumbles a bit on the relevance and scope issues.  The Court addresses the relevance objection by noting that native production may shed light on who accessed information and that this may inform whether the insurer had a duty to investigate the policy application.  Maybe.  More likely, it won’t.  But, the Court shouldn’t have let itself be drawn in by a specious relevance challenge.

There are two varieties of file metadata: application metadata and system metadata.  Relevance should never matter for application metadata or dog tag system metadata.  If a file is sufficiently relevant to be responsive, no requesting party should be required to further demonstrate that metadata within the file is independently relevant.  The burden to prove a right to excise parts of relevant files should rest with the party altering the evidence.  Moreover, a file’s name, path and last modified date (“dog tag” metadata) are so patently useful that their utility more than relevance should serve as  sufficient basis for the production of essential system metadata. Continue reading

Mobile to the Mainstream

17 Wednesday Oct 2018

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Uncategorized

12 Comments

Mobile data burden and relevance scorecard

Click f/ PDF

Once you’ve preserved the contents of a mobile device, how do you extract responsive content in forms that are searchable and amenable to review?  Most information items on mobile devices aren’t “documents” that can be printed to a static format for review.  Instead, much mobile content is fielded data that must retain a measure of structural integrity for intelligibility.  This article looks at simple, low-cost approaches to getting relevant and responsive mobile data into a standard e-discovery review workflow, and offers a Mobile Evidence Scorecard designed to start a dialogue leading to a consensus about what forms of mobile content should be routinely collected and reviewed in e-discovery, without the need for digital  forensic examination. Continue reading

On the Road Again: PREX and FEST

24 Monday Sep 2018

Posted by in Computer Forensics, E-Discovery, General Technology Posts, Personal, Uncategorized

Leave a comment

PREXFEST_SMThe Texan in me can’t hear the phrase “on the road again” without also hearing Willie Nelson’s nasal voice singing it.  But, the life I love IS making music with my friends, if by “music” we mean bringing “aha” moments to lawyers and others interested in e-discovery and forensic technology.

Today, I head to Portland, for the 2018 Preservation Excellence or PREX Conference put on annually by the good folks at Zapproved.  It’s a splendid faculty congregated in an always-lovely venue and punctuated by good conversation, fine food and the splendor that is Oregon in September.  PREX is always worth the trip; so, if you have the chance to go, by all means, attend.

This year I have a lot to do at PREX.  I have the privilege to host a keynote discussion with CNN and The New Yorker magazine legal commentator, Jeffrey Toobin.  You can be sure that the U.S. Supreme Court, the Mueller investigation and Brett Kavanaugh’s confirmation hearing will all come up.  Toobin is a bestselling author of seven books, including several on the Supreme Court and on the O.J. Simpson murder case and kidnapped heiress Patty Hearst.  Talking with Toobin rounds out my opportunity to do Charlie Rose-style conversations with Doris Kearns Goodwin and Nina Totenberg at earlier Zapproved events.

I’ll also moderate a “People’s Court” debate between Brett Tarr and Dan Nichols.  Brett is Chief Counsel for E-Discovery and Information Governance at gaming conglomerate Caesars Entertainment, and Dan is a partner with Redgrave LLP, the far-flung corporate e-discovery consultancy.  These two really despise each other, so there’s sure to be a lot of eye-gouging and attacks on legitimate parentage.  (That’s my story, and I’m sticking to it).

Finally on Wednesday, I’ll be doing a little speaking of my own in a lonely breakout session where we will talk about preserving and discovering evidence on mobile phones.  They’ve titled it, OMG, SMS & ESI: Preserving & Collecting from Mobile Devices.  The session description reads:

How does one craft a discovery request for text messages? What are the different techniques for preservation, collection and review of mobile data? When does it make sense to complete a full forensic collection on a mobile device? This session will deliver foundational information and practical examples of process and policy management for mobile devices in ediscovery.

if you haven’t yet come to grips with mainstreaming mobile devices into day-to-day e-discovery, know you’re not alone–everyone is struggling, or more likely closing their eyes, hoping mobile will go away.  Perhaps we can make some progress together.

PREX  September 25 – 27, 2018  |  Portland, OR

Then, no-rest-for-the-dreary, I wing to the Windy City of Chicago (so-called NOT due to weather, but for the propensity of its politicians to pontificate at length).  I’m heading to the annual Relativity Fest, a stupendous amalgamation of e-discovery education and evangelical tent meeting cum rock concert.  If there were the slightest doubt that Relativity dominates the e-discovery review space (and is hungry to gobble up the rest of the EDRM), such foolish doubt will be crushed by the power of Fest.

I enjoy Fest for many reasons, not the least of which is the chance to work with the always-engaging David Horrigan, Relativity’s discovery counsel and legal content director.  David is a fine writer, insightful commentator and skilled teacher.  Eclipsing that is his distinction as a great guy, someone always fun to be around and adept at eliciting the best from those he hosts.

At Fest, David will moderate a panel I’m on called The Internet of Things from a Legal, Regulatory, and Technical Perspective.  I’m fortunate to join Gail Gottehrer, Partner and Co-Chair of the Privacy, Cybersecurity, and Emerging Technology Practice at Akerman, who will give the regulatory perspective, and Ed McAndrew, Partner at Ballard Spahr and former DOJ cybercrime coordinator, who’s charged with the legal point of view.  I guess that leaves the technical stuff to me, which is where I’m happiest anyway.

Relativity Fest  Sep. 30 – Oct. 3, 2018 | Hilton Chicago

I hope to see you at one or both of these exciting confabs, enjoying two fine faculties in wonderful venues.  The joy and value of these events isn’t just what’s planned, but the interactions around and outside of the sessions, too.

Meet Tom O’Connor

10 Monday Sep 2018

Posted by in E-Discovery, Uncategorized

5 Comments

toc_smallAnyone who’s been around electronic discovery for long is sure to know my old friend, Tom O’Connor of New Orleans. Understand, I don’t call Tom “old friend” because we’ve known each other for a long time (though we have).  I do it because Tom’s OLD.  He’s freaking ancient. But, the centuries haven’t been entirely wasted on Tom because in addition to a three-foot ponytail and a beard to rival Santa’s, Tom has acquired a surfeit of wisdom and friends.  Tom has his finger squarely on the pulse of the e-discovery industry and possesses a refined sense of what’s coming and the personalities pulling strings.  People enjoy talking to Tom, and Tom listens.  He’s a guy to have on your team; someone who makes things better just by being part of them.

I mention Tom (and will now quit yanking his chain age-wise) because he often invites me to join him on a YouTube series called The eDiscovery Channel.  I took over co-hosting from the late, great Browning Marean.  Browning’s are big shoes to fill, but the stakes are low: we reach less than 100 viewers.  It’s just for the fun of it, and we have a lot of fun.  We record in offbeat NOLA venues like Tom’s favorite cigar shop or sitting in a park.  Our production values rival the Zapruder film and, despite a topic in mind when we start recording, we inevitably stray with antic results.  At least we’re laughing.

In our latest one-hour episode on drafting forensic examination protocols, we digressed to a discussion of innovation in litigation, touching the obligatory stations of the cross, predictive coding, artificial intelligence and blockchain.  I’m deeply concerned by diminished resources for lawyers to gain basic technical competency.  Buzzword technologies have sucked the air from the room when it comes to e-discovery education.  Lawyers have abdicated responsibility for the left side of the EDRM.

The problem I see is this:

Advanced review technologies like predictive coding and AI are routinely deployed against data lousy with errors in collection, culling and processing—errors born of poor e-discovery skills and fostered by a rush to apply fancy joinery to rotten wood.  As a requesting party, do you think that your interests are best served by a contentious push for predictive coding when you haven’t scrutinized the effectiveness of collection and exclusion?  E-discovery needn’t be a choice between bad collections and good tools or good collections and bad tools.

Lawyers must fight for quality before review.  Sure, review is the part of e-discovery most lawyers see and understand, so the part many fixate on.  As well, review is the costliest component of e-discovery and the one with shiny new tools. But here’s the bottom line: The most sophisticated MRI scanner won’t save those who don’t survive the trip to the hospital.  It’s more important to have triage that gets people to the hospital alive than the best-equipped emergency room. Collection, culling and processing are the EMTs of e-discovery.  If we don’t pay close attention to quality, completeness and process before review, review won’t save us.

We need balance and a focus on fundamentals.  We’ve lost the first; we never had enough of the second.  And if you need more e-discovery mirth and merriment, stop by the E-Discovery Channel and meet Tom O’Connor, REALLY FAMOUS consultant,  speaker,  writer.

P.S. I think I owe an explanation of the photo of Tom that begins this post.  Tom told a story about an author who always came to the ABA Techshow carrying a banner inviting attendees to meet him in person.  As a prank, I had a tongue-in-cheek banner made for Tom and was surreptitiously hanging it off his porch in New Orleans when he caught me red-handed,  Tom would never toot his own horn that way; but, he was a great sport about it .  And as for Tom being old, I have to concede that he’s not that far ahead of me.  I’m 20 in my mind’s eye, so that makes Tom around 25.

Easing the Pain of Protective Orders

03 Monday Sep 2018

Posted by in Computer Forensics, E-Discovery, Uncategorized

3 Comments

protective_orderDoes anyone read what they sign anymore?  We all click through EULA’s; but shouldn’t lawyers and experts pay close attention to the terms of protective orders?

Here’s a familiar scenario:

Client says, “we have discovery responses you need to review, sign this acknowledgement to be bound by a protective order.”  I read the order and respond, “I can’t,” adding, “Like you, I have work product to protect, and like you, I back up my data.  I can’t ‘return’ data residing on backups.  I’ll carefully protect the data, but I can’t commit to destroy or return it when the case concludes.”

I’m the bad guy because everyone else signs.

First, let me further explain the conundrum.  Continue reading

Drafting Digital Forensic Examination Protocols

28 Tuesday Aug 2018

Posted by in Uncategorized, E-Discovery, Computer Forensics

4 Comments

A computer or smart phone under forensic examination is like a sprawling metropolis of neighborhoods, streets, buildings, furnishings and stuff–loads of stuff.  It’s routine for a single machine to yield over a million discrete information items, some items holding thousands of data points.  Searching so vast a virtual metropolis requires a clear description of what’s sought and a sound plan to find it.

In the context of electronic discovery and digital forensics, an examination protocol is an order of a court or an agreement between parties that governs the scope and procedures attendant to testing and inspection of a source of electronic evidence.  Parties and courts use examination protocols to guard against compromise of sensitive or privileged data and insure that specified procedures are employed in the acquisition, analysis, and reporting of electronically-stored information (ESI).

A well-conceived examination protocol serves to protect the legitimate interests of all parties, curtail needless delay and expense and forestall fishing expeditions.  Protocols may afford a forensic examiner broad leeway to adapt procedures and follow the evidence, or protocols may tightly constrain an examiner’s discretion, to prevent waiver of privilege or disclosure of irrelevant, prejudicial material.  A good protocol helps an examiner know where to start his or her analysis, how to proceed and, crucially, when the job is done.

As a litigator for over 35 years and a computer forensic examiner for more than 25 years, I’ve examined countless devices and sources for courts and litigants.  In that time, I’ve never encountered a forensic examination protocol of universal application.  “Standard” procedures change over time, adapted to new forms of digital evidence and new hurdles–like full-disk encryption, solid-state storage and explosive growth in storage capacities and data richness.  Without a protocol, a forensics examiner could spend months seeking to meet an equivocal examination mandate.  The flip side is that poor protocols damn examiners to undertake pointless tasks and overlook key evidence.

Drafting a sensible forensic examination protocol demands a working knowledge of the tools and techniques of forensic analysis so counsel doesn’t try to misapply e-discovery methodologies to forensic tasks.  Forensic examiners deal in artifacts, patterns and configurations.  The data we see is structured and encoded much differently than what a computer user sees.  The significance and reliability of an artifact depends on its context.  Dates and times must be validated against machine settings, operating system functions, time zones and corroborating events.

Much in digital forensics entails more than meets the eye; consequently, simply running searches for words and phrases “e-discovery-style” is far less availing than it might be in a collection of documents.

If you can conceive of taking the deposition of a computer or smart phone, crafting a forensic examination protocol is like writing out the questions in advance.  Like a deposition, there are basic inquiries that can be scripted but no definitive template for follow-up questions.  A good examiner–of people or computers–follows the evidence yet hews to relevant lines of inquiry and respects boundaries.  A key difference is, good advocates fit the evidence to their clients’ narrative where good forensic examiners let the evidence tell its own story.

If you’ve come here for a form examination protocol, you’ll find it; but the “price” is learning a little about why forensic examination protocols require certain language and above all, why you must carefully adapt any protocol to the needs of your case. Continue reading

Preserving MAC Times Collecting Files in E-Discovery

20 Wednesday Jun 2018

Posted by in Computer Forensics, E-Discovery

5 Comments

MAC timesChecking the mailbag, I received a great question from a recent Georgetown E-Discovery Training Academy attendee.  I’m posting it here in hopes my response may be useful to you.

My student wrote: I have a question in regard to zipping eDiscovery data. We’ve always used 7zip to zip our collections. The filenames are too long for Microsoft to be happy with them in their original state. One of our consultants is now telling me that I’m changing metadata. Can you clear this up for me? Am I changing metadata just by zipping a file? If I am, are there other simple tools that I can use? 

Metadata is always changed in the copying of files within a Windows environment.  Anytime you copy data to new media, Windows changes some of its metadata.  Some e-discovery collection tools change the values back to the originating values as part of the collection process.  Thus, the metadata changes, then changes back to undo the change.  If you want to use such tools, they are out there.

I think the more important concern is whether the tools and methods you employ reconstruct the metadata that matters and preserve the integrity of the evidence files.  There is a simple way for you to assess that: check the MAC (modified/accessed/created) dates and hash the files in and out!  You did some exercises of this nature in my Georgetown Academy workbook. Continue reading