By Jim KempVanEe, Vice President, Forensic Services
Just as a house is only as stable as its foundation, a civil or criminal case is only as compelling as the soundness of its base. If evidence gathering is not performed appropriately in the beginning stages, the price is paid down the line in spoliation or destruction of evidence claims or failed investigations. Wise counsel will examine the circumstances of the case and consult a forensic expert from the beginning, to determine what digital evidence may be available and the most appropriate way to ensure its preservation is sound. In the infancy of a case, as Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.”
How to best gather digital data should be considered from the beginning, and a spoliation claim may come unexpectedly or your investigation may fail. To prevent being caught off guard later in the case, sound practices should be employed from the beginning. Here are a few tips to avoid these pitfalls by adopting the practices that produce the best possible outcomes for your matters.
5 DIGITAL EVIDENCE BEST PRACTICES
In eDiscovery matters, consideration of Rule 37(e) of the Federal Rules of Civil Procedure (FRCP) signals the need to understand when electronically stored information should be preserved by your client and what constitutes “reasonable steps” to preserve it. With the consequences of potential sanctions, or worse yet, a negative inference at stake in your case, care should be taken in the matter’s earliest stages to build the right team to determine what needs to be preserved, how it should be performed and by whom.
Whether you are dealing with eDiscovery or a digital investigation, one of your overriding imperatives must be to preserve the original digital evidence in pristine form. You must be able to prove uncontestably your preservation efforts produced an exact and complete copy of the original data without spoliation, tampering or alteration.
In my experience, most lawyers really do not have the time to fully understand the complexities of the technology systems involved or the practices that constitute digital forensics. We will explore five basic but pertinent concepts:
- Don’t put your matter at risk by asking your client’s IT department or your internal eDiscovery team to make the preservation decisions alone - build the right team early.
- Understand the difference between a forensic image and a backup.
- Understand the difference between digital forensics and eDiscovery and how they may apply to your specific case.
- Identify when you need to bring in a digital forensics expert.
- Bring in the right partner for your matter.
We’ll now explore each of these in turn.
Whether you are dealing with eDiscovery or a digital investigation, one of your overriding imperatives must be to preserve the original digital evidence in pristine form. You must be able to prove, uncontestably, that your preservation efforts produced an exact and complete copy of the original data, without spoliation, tampering, or alteration.
DON’T PUT YOUR MATTER AT RISK BY ASKING YOUR CLIENT’S IT DEPARTMENT OR YOUR OWN INTERNAL eDISCOVERY TEAM TO MAKE THE PRESERVATION CALL ALONE
You don’t want to put your matter at risk in the early and critical stages of data preservation. The firm’s internal eDiscovery team is tasked with getting access to data in the fastest and most cost-effective manner possible. My colleague, Gulam Zade, wrote a great article about how this process usually works:
- A case comes in
- Custodians identified
- Data types, devices and date ranges identified
- Devices transferred to law firm
- eDiscovery team copies data to local network device or cloud
- eDiscovery team loads data into platform like Xera or Relativity
Once again, the mission of this team is to get access to data quickly; this is often at the cost of adequate preservation. This focus on speed and the perception that self-collection is less costly can be problematic and may undermine the foundation of the entire review.
eDiscovery teams within law firms may be effective in organizing and processing data quickly, but are typically not adequately trained or equipped to handle the preservation of data from the unique and complex environments of each client’s technology systems. Counsel needs to ensure all of their hard work is based on a solid foundation of defensible collection decisions; choices that should have been made by a team and not based on assumptions.
How evidence was preserved and why other potential locations were not preserved (either due to cost and/or “likelihood”) should be well-vetted decisions and documented. Your internal eDiscovery team is only as good as the data they are receiving to process.
Often internal eDiscovery teams rely on the client’s IT department to tell them where the “relevant” data is and to perform data preservation and self-collections. The client’s internal IT teams may not fully appreciate what is relevant to the particular matter or where the data actually resides on their systems. Valuable information is often lost in the translation of lawyer language to geek speak and vice versa.
Internal IT teams are usually already overtaxed with the daily operations of keeping the client’s network secure and operational. Data preservation or in-depth investigation into a person’s activities is not high on their priority list. The time they have to devote to the additional preservation and investigation tasks is limited and often quality suffers. This extra demand on their time may promote the use of shortcuts, which can compromise evidence and often results in digital artifacts being overlooked or misinterpreted.
I have been involved in many cases where internal IT has produced preserved data on hard drives that contain remnants of other data not related to the litigation, have produced incorrect or incomplete data or misinterpreted digital artifacts, which resulted in incorrect accusations or incorrectly clearing a user of malicious activities.
The takeaway here is simple - be very cautious about asking either of these two types of teams to do something that is contrary to their mission. Having a shaky foundation in a digital investigation or eDiscovery matter can reduce client trust in the firm’s competencies. Making use of a third-party expert for these tasks can reduce the burden on the client’s IT team and will afford the firm a degree of separation from problems that may arise or from frustrations the client may feel during the process.
UNDERSTAND THE DIFFERENCE BETWEEN A FORENSIC IMAGE AND A BACKUP
Many attorneys do not understand the difference between a forensic image and a data backup. An ordinary data backup is like a person with selective memory – it is not a true representation of all existing information. Conversely, a forensic image captures all data from the device/media, making investigation and collection defense possible. The latter is the strongest possible defense against spoliation and claims that critical evidence was relevant to the case existed but was intentionally left out.
Perhaps the most important aspect of a forensic image is that it will be verifiable as an exact duplicate of the entire data set through mathematical calculation, or hash algorithm. A mathematical algorithm, or hash, is simply a set of repeatable processes followed by a computer to make a calculation of a particular data set. The binary data is evaluated and assigned a hash value based on its contents.
Why is this important? Since something as small as a space or a period on a document is more than enough to change a hash value, your digital forensic expert can testify a match of hash values as mathematical verification of the data’s integrity.
When the original data set and its forensic image are an exact match, as verified by comparing hashes, you have all of the available data. When you have all the available data, it is very difficult for someone to claim you left anything out.
Keep in mind, just because you have imaged the data does not necessarily mean you have to search it. This is where the skill of your eDiscovery team shines. A big factor in eDiscovery costs come from per gigabyte processing fees. When you have a full image of the data, your team has more flexibility in deciding what data within that image is likely to contain relevant information. They can focus processing on that limited subset of data, thus reducing the amount of data that requires processing.
If opposing counsel makes a claim not all data was reviewed, you will be prepared to explain the processing decisions you made to the court, bolstering your position that these other locations within the forensic image are not likely to hold relevant data. You can show you have taken the steps to ensure the data was preserved. If opposing counsel continues to disagree with your assessment of your client’s data, you can offer to process and review the remaining portions of the forensic image - but at their expense. This usually results in opposing counsel reconsidering their position.
If additional searches are ultimately required, these searches will not require work by your client’s IT department. You can simply go back to the forensic image - thus reducing burden and cost to your client while keeping costly spoliation litigation at bay.
Bottom line: If your review activities begin after a forensic image has been created and verified by hash analysis, spoliation claims are far less credible. Put yourself in the best position to shoot-down spoliation claims by having a forensic image, not just an unverifiable backup of select data.
UNDERSTAND THE DIFFERENCE BETWEEN eDISCOVERY AND DIGITAL FORENSIC INVESTIGATIONS
There is often confusion about the difference between digital forensic investigations and eDiscovery. Let me attempt to briefly clear this up.
eDiscovery usually involves well-defined custodians, media types, and date ranges. eDiscovery proceeds on the assumption that you are looking for specific evidence, often by key-word searches or other parameters. In eDiscovery, you basically know what you’re looking for, where you are looking for it, and what you are likely to find.
In the past, eDiscovery has been almost entirely focused on information found within servers, workstations and email. This is beginning to change as eDiscovery can now include relevant information found on mobile devices, IoT (internet of things) and other cloud-based services.
Forensically sound preservation should be foundational to eDiscovery but that does not make the project a forensic investigation. Alternatively, not every forensic investigation turn into an eDiscovery case - though they often result in civil and/or criminal litigation of some sort.
Digital forensic investigations usually have a much broader focus than eDiscovery. In forensic investigations, the goal of the investigator is to understand both the data and the user’s activities. They differ in key ways:
- Digital forensic experts can be brought into a case during the pre-litigation phase, during or after discovery has started or as a means of trying to prevent litigation altogether.
- Digital forensics experts are capable of conducting investigations on nearly any device that contains electronically stored information, including computers, mobile phones, tablets, IoT systems, and other devices.
- Digital forensic experts will follow the evidence wherever it takes them, including beyond the bounds of any pre-defined set of custodians, devices, or data-sets. The skill of the examiner in interpreting digital artifacts is imperative. This is usually a get-to-the-truth process.
Successful attorneys should understand the differences between digital forensic investigations and eDiscovery. If you have tidy parameters and your case is more of a “find the document” matter, an eDiscovery approach might be appropriate. However, if you need investigative skills to even determine how to proceed or what may have occurred, you are likely in need of a digital forensics investigation. No matter what type of case you are handling, a preservation mind-set is key in putting your case on a solid foundation.
IDENTIFY WHEN YOU NEED TO BRING IN A DIGITAL FORENSIC EXPERT
Here are some key indicators that you need a digital forensic expert.
Questions concerning user activity: Suppose a high-level executive has left a corporation and there are allegations of stolen customer information. Having a forensic expert review this person’s company computer (hopefully the computer’s memory and hard drive were properly preserved when it was initially returned) can be key on how to proceed. There are likely artifacts available on the user’s computer which will provide a much clearer picture of what has occurred.
This additional information can expose the user’s intent and can include their internet activity, identify use of cloud storage or USB devices, use of personal web-based emails and the documents they interacted with prior to them disclosing their intent to leave. Simply stated, having all the information that is available gives you much deeper insight into user behavior and motives and may help to chart the appropriate course for your case.
Unknown scope or suspicious activity: Suppose a client calls you and says, “I think my computer is being monitored,” or “Someone is acting suspiciously by closing windows every time we walk past their desk,” or “We think files might be missing but we’re not sure.” In these instances, you won’t know a date range, document types or other important parameters used in eDiscovery. Each of these situations require answers to the who, what, when, where, why and how of investigations. Clearly, they are best handled by a digital forensic expert.
BRING IN THE RIGHT PARTNER FOR YOUR MATTER
The digital forensics industry has been around for over three decades, but it has remained in a state of relative infancy because of the ever-changing technologies being introduced into our society almost daily. As data sources have evolved, devices have become increasingly woven into every aspect of modern life and both digital evidence and the need for digital forensic services will continue to grow exponentially.
This constant state of flux means the provider pool for digital forensics services is quite large and diverse. The pool of forensic experts range from multi-national companies who provide managed service agreements all the way down to individual operators working out of their homes. How can you know which type of provider is right for you?
Here are several things you can look for in a digital forensics service provider. Specifically, I recommend that you look for a team member, not just vendor, who:
- Is competent in the fundamentals of digital forensics, interpreting digital forensic artifacts and the principles of investigation; not just someone who is pushing buttons and producing “reports” or data dumps. Digital forensic reports usually require interpretation and explanation.
- Has a background in investigations and understands how they work. Many of the best digital forensic experts come from a law enforcement background or have extensive experience in in-depth and long term investigations of varying types.
- Has some general knowledge of the law, the processes and stages your case may go through and the ability to credibly appear in court to defend and explain their work. The ability to adequately explain to a layman the very technical aspects of digital evidence is a critical attribute to a successful forensic expert.
- Wants to partner with their clients and will give them the individualized attention their matters deserve.
- Has a clearly defined methodology based on the needs of the case and provides documented investigation results that you can easily communicate to clients.
- Has great technology and chain of custody capabilities. At LOGICFORCE, we deploy a sequestered laboratory with cutting edge technology systems and experienced examiners. This provides our clients with defensible results.
The most important characteristic about your digital forensic expert is that you trust them and can communicate with them in a way that helps you and your client realize successful outcomes.
If you don’t today have the kind of relationship with a digital forensics expert that I’ve described above, it might make sense for us to have a conversation. The best way to get this conversation started is with a phone call to our main office at 800.866.1635. We look forward to hearing from you.