Think About Digital Forensics When You Conduct E-Discovery
By Robert A. Stines
Society’s dependence on digital platforms and networks has changed our legal system. Digital evidence is now a critical component of both civil and criminal proceedings. Documents and electronically stored information are maintained and stored using software such as tagged image file format (TIFF), portable display format (PDF), electronic mail, text messages, databases, and so forth, all of which are electronically stored information (ESI).
With ESI, litigators are searching for relevant digital evidence, which is information that is either transferred or stored in binary format. Litigators tend to overlook that relevant digital evidence is potentially stored on many devices — laptops, desktops, mobile phones, tablets, digital cameras, flash drives, CDs, DVDs, and even wearable devices.
In e-discovery, there are, at a minimum, two different duties that practitioners should always consider: (1) the duty to preserve ESI and (2) the duty to produce the ESI in proper format. The duty to preserve is derived from Federal Rule of Evidence 37, which allows sanctions for failure to preserve ESI. A court may sanction a party if ESI that should have been preserved in the anticipation or conduct of litigation is lost because reasonable steps were not taken to preserve it, and it cannot be restored or replaced through additional discovery.
The duty to produce ESI in proper format is based on Rule 34, which provides that when receiving a request to produce, if the request does not specify a form for producing ESI, a party must produce it in a form in which it is ordinarily maintained or in a reasonably usable form or forms.
DIGITAL FORENSICS IN E-DISCOVERY
The Sedona Conference defines e-discovery as the process of identifying, locating, preserving, collecting, preparing, reviewing and producing ESI in the context of the legal process. Successful e-discovery relies heavily on digital forensics tools and expertise.
Similar to e-discovery, computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve information that is magnetically stored or encoded. Recently, because computer forensics has expanded to include more than just computers, the term “digital forensics” has become the term of choice for forensic examiners.
In civil litigation, when a party receives a request for discovery (even without a specific request for ESI), the responding party must identify, preserve, collect and examine information for production. The type of analytical or investigative technique that the responding party uses will differ depending on the circumstances. But, make no mistake, if the requested information is at rest on a digital device, then digital forensics, by definition, is involved in the e-discovery process.
In business litigation, preserving and collecting ESI is a priority — even before the initiation of the civil proceedings. If a party maintains information in electronic format, they must preserve the information as it is ordinarily maintained. The critical aspect of preserving and collecting ESI is to avoid changing the data or data about data (metadata). In other words, the data needs to be preserved and collected in a forensically sound manner. A common example of changing data is when litigants preserve emails that are typically in .pst or MBOX format by saving them to TIFF or PDF. When emails are preserved in TIFF, this changes data and possibly strips all metadata.
Preserving and collecting social media posts, website information, proprietary databases, messaging platforms, text messages, and encrypted or deleted data is complex and difficult. For these complex types of data structures, a forensic examiner is better equipped to handle the preservation and collection.
Parties should take the preservation and collection process seriously because there are cases where litigants were sanctioned for inadvertently destroying metadata.
Although the terms vary, there are two common types of forensic images: logical and physical. A logical image captures only accessible files in specific locations and does not include deleted or hidden files. Anyone with some training and proper software can collect a logical image. A physical image is a bit-by-bit duplicate of an entire drive, including any deleted or hidden files that were missed in a logical image. A physical image requires special software tools and should be performed by a digital forensic specialist.
In many cases, a logical image will meet litigants’ discovery obligations and the court’s requirements. In some cases, especially those involving personal devices, a physical forensic image is a better and safer option for preservation and collection.
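To make the idea of a forensically sound logical collection concrete, the following added example (not part of the original article) copies accessible files, records a hash and modification time for each, and then shows how re-saving a collected email in another form is detected as a change. The function names, directory names and the sample MBOX content are constructed for illustration; a physical image requires dedicated imaging tools and is not covered here.

```python
import hashlib, os, shutil, tempfile; from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def collect(src_dir, dst_dir):
    """Logical collection: copy accessible files and record a manifest."""
    manifest = []
    for root, _dirs, files in os.walk(src_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            st = os.stat(src)  # capture metadata before reading content
            dst = os.path.join(dst_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 carries the modification time over
            manifest.append({"path": rel, "mtime_ns": st.st_mtime_ns, "sha256": sha256_file(src)})
    return manifest

def verify(dst_dir, manifest):
    """Return (path, problem) pairs where the collected copy no longer matches."""
    problems = []
    for e in manifest:
        p = os.path.join(dst_dir, e["path"])
        if not os.path.exists(p):
            problems.append((e["path"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["path"], "content changed"))
        elif os.stat(p).st_mtime_ns != e["mtime_ns"]:
            problems.append((e["path"], "mtime changed"))
    return problems

def demo():
    """Constructed sample: one small MBOX file, collected, then re-saved."""
    body = b"Subject: Q4 numbers\n\nSee attached.\n"
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "custodian"), Path(tmp, "collected")
        src.mkdir()
        (src / "inbox.mbox").write_bytes(b"From a@example.com Mon Jan  6 09:00:00 2020\n" + body)
        os.utime(src / "inbox.mbox", ns=(1_578_301_200 * 10**9,) * 2)  # fixed mtime
        manifest = collect(src, dst)
        before = verify(dst, manifest)
        (dst / "inbox.mbox").write_bytes(body)  # simulate a re-save that alters the bytes
        return before, verify(dst, manifest)
```

Reading the source files can still update their access times, which is one reason collections from original media are normally made through a write blocker or from a read-only mount.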
BEWARE WHAT YOU PRODUCE
Litigants should be extremely cautious about producing a physical image of a device to the opposing side. In fact, it should be avoided as much as possible. A physical image contains every “bit” of data. It may include pictures, online browsing history, GPS location, passwords, personally identifiable information, deleted files that have not been overwritten and history of backups to other devices, which may result in requests to inspect these other devices.
If a court orders the inspection or production of physical images, litigants should seek protocols or other protective measures that consider any applicable privacy rights and privileges, as well as the need to avoid producing ESI that is not relevant.
With the advent of the Internet of Things (IoT), 5G networks and widespread adoption of remote work, we can expect an exponential growth in data, information technology and storage locations. Companies and individuals may thus have difficulty managing the unique sources of ESI. Litigants will need to understand e-discovery and digital forensics or retain a consultant to assist with navigating the growing complexity of the discovery process. Failure to appreciate the complexity and implement proper protocols may result in uncomfortable conversations with a judge to explain the reason why data or metadata was not preserved, collected and produced.