Archive for April, 2007

Making Forensics Elementary at Your Firm

Friday, April 27th, 2007

The electronic-discovery phenomenon is here to stay — and the industry is still exploding.

The percentage of electronically-stored-information evidence in the standard case has increased exponentially, and all signs on the information superhighway and on roads leading to court indicate that ESI in litigation will escalate as time goes by. Along with e-discovery, the field of computer forensics is becoming evermore central to the discovery process. The need for computer forensics analysis is appearing frequently at the state and federal level, and the field’s influence and demands are permeating civil and criminal cases, both large and small.

Attorney and e-discovery expert Tom O’Connor, with the Washington, D.C.-based nonprofit Legal Electronic Document Institute, says that judges in the cases he consults on are ordering e-discovery and computer-forensics investigation much more frequently than ever before. O’Connor is seeing the effect of this change on all kinds of cases.

“Even a small business has a 20 GB hard drive these days,” he notes. “We can’t think of e-discovery as an issue only relevant to large or complex litigation anymore. Nearly everyone has at least one computer at work and one at home, not to mention a cell phone, PDA, GPS system and wireless Internet connection. With all these potential evidence sources for each individual, it’s no wonder that the amount of electronic evidence to be vetted is skyrocketing.”

O’Connor adds that with large criminal cases, huge amounts of electronic data must be harvested and analyzed. In many instances, suspects’ PCs are immediately seized and “imaged” — a euphemism for “cloned” or “copied” — so that their contents can be examined at a later date without the risk of tampering. This kind of work generally needs to be done by a computer-forensics expert who is trained and qualified to do a professional-caliber job.

Besides the usual information sources of hard drives, server data and e-mails, O’Connor is seeing requests for digital surveillance-camera footage and electronic audio recordings. In many cases, law enforcement provides this e-discovery to the defense on CDs or DVDs in its entirety — hundreds of hours of video consolidated on a few disks that the attorney team then watches and sifts through to find the few segments relevant to the case. Parties on both sides agree that searching for, or finding, a needle in a haystack at $400 an hour doesn’t serve the attorneys’ or the clients’ purposes very well.


For civil domestic cases such as divorce proceedings, there’s an enormous amount of forensics investigation occurring. O’Connor says that PCs are being examined to prove or refute claims by one spouse that the other has been engaging in extramarital affairs or hiding financial assets. Forensics experts are trained to search for e-mail exchanges in which the parties are setting dates and carrying on other communications. They can also:

  • Uncover questionable online purchases;
  • Track credit-card transactions; and
  • Detect whether credit cards unknown to one spouse are being used to make illicit purchases.

Stephanie Simons Neal, litigation-support project manager in the New York office of Weil Gotshal & Manges, attests to the burgeoning need for forensics expertise at her firm. Simons Neal’s caseload consists of a number of patent cases, along with other corporate-litigation matters.

“We’ve definitely noticed an increase in request for forensics, as well as requests for review and production of documents in native form as opposed to paper,” she says, adding that while the requests continue to come in, the expertise to meet those requests is lacking and there is a growing “disconnect” between what cases actually require and what the law firms are equipped to provide.

Simons Neal comments that she sees many case teams that are concerned about forensic document collection or preservation of metadata, but whose members don’t understand why they need to be concerned about it in the first place. She says that the amended Federal Rules of Civil Procedure that went into effect Dec. 1 have brought issues regarding electronic discovery to the forefront of conversation — mostly in a good way. But there are plenty of legal professionals who still don’t know what that really means — or how it affects them.

Trial attorney and certified computer forensic examiner Craig Ball of Austin, TX, has seen a marked increase in the use of forensically qualified imaging to preserve data prior to litigation rather than in reaction to it.

“Even in those matters where forensic analysis may be deferred, savvy attorneys are taking steps to preserve data of key players to the most rigorous standards,” notes Ball, an author and frequent speaker on e-discovery and forensics matters.

He adds the observation that judges are increasingly attuned to forensic issues, and the existence of electronic evidence has made them more likely to entertain requests for forensic preservation and compulsory examination. For instance, law-enforcement personnel often are adept at preserving the chain of custody and other forensic methodologies, but their experience is generally more oriented toward criminal rather than civil cases. Unless they can find a law-enforcement expert with the proper qualifications, lawyers must look elsewhere for resources to preserve pre-litigation data.

Ball cites as an example a recent case that focused on pre-litigation data preservation.

“I promulgated a forensic preservation protocol which was then applied to over 100 machines linked with other key players involved in events giving rise to a contemplated litigation,” he explains.

Ball says that this was a pre-emptive measure, that the images gathered may never be examined, but that their being “locked down” was an effective insurance policy against litigation-compliance errors.

“The imaging was not a stand-alone effort,” he continues, “but was part of a broad, concerted effort to preserve potentially relevant data, including server storage areas, e-mail, archival media, voicemail, portable media and, of course, paper.”


As the demand for computer-forensics examiners goes through the roof, everyone wants a piece of the action — and its business. Law firms and corporate counsel are taking many approaches to tackle the issue, with varying degrees of success. The fact remains that there is still no standardized or official certification process for computer-forensics experts in the United States. Simons Neal, for example, has seen many formerly paper-based vendors (copy shops) hanging out shingles saying that they do computer forensics. She regards these qualifications with some suspicion — any company can claim to do the examinations, but how do you determine which ones actually deliver quality, defensible results?

“They’re getting to be a dime a dozen, though that doesn’t mean that they know what they’re doing or that they have much experience,” she says. “It’s up to us to figure out the difference between the true experts and the impostors.”

That takes some old-fashioned common sense, determination to ask questions and get answers, and follow through on the answers found.

Speaking from his expertise as an attorney and certified computer-forensics specialist, Ball acknowledges the scarcity of qualified vendors from which one can choose. He agrees that when it comes to computer forensics, “lawyers are looking for help anywhere they can find it.” Ball cautions that because it’s difficult to gauge the qualifications of service providers, lawyers are being poorly served in many cases and need to be on guard. So, the question remains: How can you find a qualified computer-forensics analyst who will provide the thorough and accurate assistance that you need for your case?

Ball recommends looking for a computer-forensics expert that provides formal training and meaningful certification — something with substantial components of practice examination, peer review and experience, like CCE (certified computer examiner) or EnCe (EnCase certified examiner). He also suggests that your expert have:

  • A record of published work;
  • Respect from peers;
  • Considerable court experience;
  • Report-writing skills; and
  • Extensive focus on the discipline.

Ball emphasizes that forensics is too important and complicated to be a part-time job for an IT person.

Many different approaches exist for meeting the computer-forensics requirements. Also, many EDD vendors claim to have computer-forensics experts on staff, and Ball concedes that a few of these vendors do provide quality service, but that they often enlist the assistance of subcontracted “partners” to do so. He has seen some vendors do little to verify the abilities, experience and other qualifications of these “silent” partners. As the customer, law firms and corporate counsel are well within their rights to ask for the credentials of the person who will actually be doing the examination; otherwise, they’re leaving quality control completely to chance.

Ball adds that corporate counsel and law firms sometimes assign forensics projects to their IT staff, ostensibly to save costs and to reduce the exposure risk of hiring an external provider, but these staffers rarely have the proper training to guard the chain of custody.

“Often they use methodologies that have untoward anti-forensic consequences,” he says. “Further, when the IT staff is among those implicated in the case, they are basically wolves chosen to guard the hen house.”


O’Connor chimes in on the danger of lawyers not pursuing e-discovery knowledge: “Lawyers cannot afford to ignore the importance of electronic discovery and computer forensics anymore,” he warns. “Those who do are bordering on malpractice, especially for cases which involve any digital data component.”

Although a small handful of attorneys have accepted the challenge and have chosen to educate themselves on the technology, Ball says the number of such e-discovery lawyers is tiny.

“We can hold our conventions in a phone booth, so we can make only the tiniest dent in solving the problem,” he says.

He adds, however, that this is changing — that he’s seeing more lawyers embrace their responsibility to master e-discovery obligations, and to understand the forensics piece, too.

But Ball concedes that, while some lawyers have developed this in-depth expertise, for all lawyers to take on a computer-forensics role is hardly cost-effective for the client. As a general rule, paying lawyers to do the forensics work for every case is simply not economically feasible. Because the divergent nature of many forensics examinations can lead to upwardly spiraling hours, having an attorney do the work can be cost-prohibitive.

Still, these experts say, this doesn’t absolve the attorney of his or her responsibility to become familiar with the technology; indeed, if for nothing else, legal professionals must inform themselves about the technology so that they can provide competent counsel to clients in the modern courtroom environment. That means that attorneys must understand at least enough about technology, electronic discovery and the computer-forensics process to represent their client’s interests zealously, to evaluate expert-witness testimony and to develop case strategy. They must also be able to explain coherently these forensic search techniques and methods to a judge or jury, or both, because much of today’s evidence is virtual rather than physical.

“Lawyers are still looking for the shortcut to avoid the full brunt of EDD, or they err on the side of unrealistic, oversimplified advice (i.e., “save everything”),” Ball says. “Lawyers need to buckle down and learn to do it right, in a balanced manner where potential relevance is the touchstone.”


Like it or not, computer forensics is a new but permanent fixture in the world of electronic discovery, but the precise future of this science is uncertain at the moment. For now, many players are boldly planting their flags in the ground to stake their claim to a part of the business.

Simons Neal sums up the vendor situation as she sees it.

“The fever pitch of vendors jumping into the EDD game will probably get more chaotic in the short-term until the cream rises to the top and others fall away,” she notes. “Given the heavy demand for this expertise, the marketplace will be able to sustain a large number of computer forensic providers, but the vendors will have to prove themselves in order to keep the business. They will have ample incentive to control the quality of their forensics product since this is where their future lies.”

O’Connor stresses that legal counsel and corporate America alike need to figure out forensics now. On the high end of the market, this has begun: Big corporations and law firms are aware of it, with some hiring ex-FBI and ex-military personnel trained in the technology to be their in-house security gurus. At the mid-sized and smaller end of the scale, the evolution of forensics will be determined by how different states handle e-discovery cases. O’Connor predicts that there will be a vast disparity between states — some will be on the forefront and others will lag behind.

Ball sees a common nomenclature (and shortcuts) emerging to describe e-discovery scope and production. Litigants will come to have common expectations regarding preservation and production. Ball also thinks that lawyers will realize that the technologies relied on now — such as keyword searches — are flawed and will remain that way until lawyers improve framing the searches and applying multidimensional search techniques. They’ll be forced to learn more about the computer-forensics realm so that they can evaluate the information, services, performance and results that they’re getting. He adds that attorneys must appreciate that discovery and e-discovery aren’t disparate undertakings, and to see that case evidence is so ESI-dominated that there truly is no going back now.

Computer forensics is still a young science that’s being shaped by the electronic-discovery rules as they continue to evolve and change. This expanding industry simultaneously presents huge opportunities and great responsibility. Lawyers who choose to face the importance of e-discovery and computer forensics sooner rather than later will have a distinct advantage over those who prefer to ignore them or to underestimate their impact.

Christy Burke is a New York City writer who covers law and technology. Reach her at

By Christy Burke
e-Discovery Law & Strategy
April 19, 2007

Source :

Computer Forensics & Data Preservation

Friday, April 27th, 2007

Court-appointed trustees and receivers, or fiduciaries, identify, recover and evaluate assets and historical financial information. They are aided by a team of professionals, including attorneys, accountants, financial advisors, appraisers, investment bankers and others, depending on the nature of the matter. In the past, this meant sifting through reams of paper records and issuing subpoenas for bank records and other documents.

Today, about 93 percent of information is electronically created, according to a University of California, Berkeley, study. And with as much as 50 percent of data created electronically never being printed, fiduciaries might miss vital information when relying on conventional discovery alone.

Computer forensics professionals work as part of a fiduciary’s team by taking data preservation and network security actions to preserve relevant business records, including financial information and email. They are able to identify what information is available, where it is located and in what form it is stored.

For example, computer forensics examiners can find email, word processing documents and spreadsheets residing in workstations, laptops, servers, backup tapes and portable storage, including external hard drives, Mp3 players and cell phones. In addition, they can find other critical data in antiquated business applications, phone systems and closed-circuit surveillance systems.

First, this information must be secured to prevent it from being destroyed remotely or otherwise purged. Once critical data has been identified for preservation, computer forensics examiners can create exact copies of the data, while maintaining the chain of custody.

Preserved data may then be mined to produce relevant information in a usable and convenient format. A fiduciary may specify certain keywords that the computer forensics examiner would use to tailor data searches. Such targeted analyses can dramatically lower the price of electronic discovery while increasing the value of the information produced.

Also, data can be extracted quickly from antiquated business applications into user-friendly databases. Email, documents, spreadsheets and other data may be imported into Summation and Concordance software programs for easy manipulation, analysis and sharing.

Fiduciaries, investigators and forensic accountants rely on preserving, mining and producing data electronically to help uncover hidden assets, identify unknown claimants and analyze fraudulent payments or transactions.
Computer forensics is an important addition to a fiduciary’s toolbox, enhancing their ability to achieve successfully their appointed duties.

Arieh Davidoff is the manager of Rachlin’s Computer Forensics group. He can be reached at

A similar version of this article appeared in the South Florida Legal Guide.


Separating E-Discovery Myths from Realities

Thursday, April 26th, 2007


By Conrad J. Jacoby, Esq.

As the legal community continues to puzzle through the impact that digital information is having on the practice of law, many practitioners are guided by long-standing misconceptions and misunderstandings about electronic discovery. Whatever seed of truth exists in these platitudes, taking them at face value can lead to poor strategic decisions that limit the effectiveness of otherwise competent legal advice. Several particular “rules of thumb” seem particularly common in the legal community, even with extensive education efforts.

Myth: E-Discovery Is Now Required In Every Case

Reality: False. Since December 1, 2006, discovery of electronically stored information (“ESI”) has been a mandatory topic of conversation in every federal case and in an increasing number of state court matters. However, simply discussing e-discovery doesn’t materially change the basis for a legal claim or the factual evidence that supports or disproves the case. While individuals and businesses alike rely on computers for many reasons, e-discovery comes into play only when relevant information is stored digitally.

In some situations, even though electronic evidence is available, it may be possible to resolve a dispute based on other evidence. Such an analysis is necessarily case specific, and the outcome is never a foregone conclusion, because so much useful information is often found in electronic evidence. However, situations can occur in which electronic evidence is strategically less important than other evidence. For example, in a breach of contract case, voluminous electronic information may pertain to how a business contract was negotiated.

Typical electronic evidence would include e-mail messages, draft documents, and spreadsheets of estimated profitability. However, the corporate decision that legally bound to specific guarantees and covenants took place at meetings of its board of directors. The handwritten notes of board members, along with annotations they made on printouts of electronically-prepared documents that were distributed at each of their meetings, may contain the most relevant and probative evidence in the entire case. It may be possible to resolve the case on the basis of only those traditional hardcopy materials.

An increasing percentage of cases already require the preservation and production of ESI. However, a legal team still has full discretion to work up a case any way that it believes will achieve best results for its client. Mandatory discussion about electronic discovery does not preclude the possibility that digital evidence will only have secondary importance in the case. However, attorneys must be prepared to analyze the extent to which it is a factor in their cases.


E-Discovery: The Times, They Are A Changing

Saturday, April 21st, 2007

Fasten your seatbelts legal mavens – in less than six months electronic discovery as we know it will undergo some important changes. These changes are being driven by amendments to the Federal Rules of Civil Procedure (FRCP) that become effective on December 1, 2006.

While one of the intentions behind these changes is to reduce litigation costs, it very well may be that electronic discovery costs will increase as a result of the amendments, especially with respect to work that must be performed within the first 120 days after a lawsuit has commenced.

Under amendments to FRCP 16(b), parties must get ready for a scheduling conference to consider electronic discovery plans within 120 days of the start of a lawsuit. And, at least 21 days before this scheduling conference, parties must meet and confer to discuss and try to agree upon electronic discovery procedures for the case, pursuant to FRCP 26(f). This means that parties must be formulating their electronic discovery plans within the first 100 days of the life of a case.

While the purpose of these new rules is to provide early structure, uniformity and predictability, the reality is that right from the get-go of a lawsuit a party must start evaluating with its IT team and its outside counsel where it stands in terms of its own electronic data. Data can be located live on the network, on various servers, in hard drives, in share drives, on laptops and PDAs, as well as on backup tapes.

It is not always an easy task to ascertain where electronic information that is responsive to the allegations of a lawsuit resides, and figuring this out helps to determine what electronic discovery to demand from the other side in a case. Plainly, a party should not expect to demand a category of electronic discovery that itself is not willing to produce.

Let there be no mistake – electronic discovery is expensive. There have been many times that cases have resolved before the parties and counsel have been immersed in the burdens and expense of electronic discovery search, retrieval and production processes. By forcing these processes early on in a case, at least in federal courts by way of the new FRCP amendments, parties really have no choice but to move forward with electronic discovery at the start of a case.

Of additional significance is the fact that Rule 26(a) will broaden the definition of electronic items that may be subject to discovery from “documents” or “data compilations” to include all electronically stored information. Thus, whereas before parties might have been able to try to shield certain types of electronic information from discovery, conceivably the other side now can demand everything from standard Word documents and emails to voicemail messages, instant messages, blogs, backup tapes, and database files.

Of course, parties still can argue that the burden of any particular demand outweighs the potential probative value of the electronic information sought. For example, demanding parties cannot automatically expect that responding parties will restore and produced backup tapes. Responding parties can assert that these tapes are not reasonably accessible, their production would cause undue burden, and the value of the tapes pales in comparison to the recovery and production efforts that would be required.

Given that the provision of electronic discovery is burdensome and could be extremely costly if every bit of electronic data were reviewed very carefully prior to production, Rule 26(b)(5) will allow parties to retrieve inadvertently produced privileged information as part of clawback agreements. To be safe, and because it is not difficult to mistakenly produce privileged or proprietary electronic information, some very sensitive trade secret information should be designated as “Highly Confidential” for the eyes of outside counsel only.

There has been a lot of worry about potential spoliation (destruction of evidence) arguments when certain electronic information has not been saved. Under Rule 37(f), a judge now will have the discretion to disallow sanctions when a party has lost electronic information as a result of the regular good faith running of an electronic information system. Still, parties must have in place solid data retention policies and practices and litigation hold procedures when it comes to information that could be appropriate for discovery.

None of the foregoing requirements are easy or cheap. We now are in the electronic age, and we need to deal with its burdens and not just its benefits.

Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP ( where he focuses on litigation matters of various types, including information technology and intellectual property disputes.  His Web site is and he can be reached at  To receive a weekly email link to Mr. Sinrod’s columns, please send an email to him with Subscribe in the Subject line.

This column is prepared and published for informational purposes only and should not be construed as legal advice.  The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners

Is Digital Different? Electronic Disclosure and Discovery in Civil Litigation

Friday, April 20th, 2007

By Kenneth J. Withers

I. Introduction

A new phenomenon has surfaced in civil litigation in the United States, or rather in the media coverage of significant cases. In the Microsoft antitrust litigation, the investigation of President Clinton by Judge Starr, Raytheon Corporation’s suit against its own employees for libel, countless employment-related actions, and even routine divorce cases, the evidence takes a new form. E-mail, chat room transcripts, databases, spreadsheets, web browser history files, and information derived from system backup tapes are replacing conventional paper documents.

This phenomenon is not confined to the United States and its tradition of broad discovery. In 1997, the British press reported that insurance giant Norwich Union paid a  450,000 settlement to a rival company after disclosure of internal e-mail containing libelous allegations. In 1999, BG (formerly known as British Gas) paid more than  225,000, half of which represented legal fees, to settle a similar case. As in the United States, e-mail is emerging in UK employment-related litigation.

The legal and business press in other common law countries, such as Canada, South Africa, and Australia, have noted the phenomenon. Even in Scotland, proud of its civil law heritage, a commentator in the popular press wrote that “these cases emphasize the growing importance of companies adopting policies to deal with requests [for electronic documentation] that might arise as a result of legal action.”

The emergence of evidence in electronic form, and the emergence of entirely new forms of evidence, present a number of cultural, practical, and legal challenges to both bench and bar.

This paper concentrates on one area: discovery. Part Two of this paper summarizes the rules of e-discovery, and some of the conflicting philosophies and cultural attitudes towards discovery, in the United Kingdom and the United States. Part Three asks whether “digital is different,” and summarizes the recurring themes found in approximately 200 academic, professional, business and popular press articles on electronic discovery. Finally, this paper proposes areas in which further research is needed, particularly if changes in civil procedure rules or judicial management are contemplated to address electronic discovery challenges.