Category: Spoliation

Spooky Tales of Data Preservation – Ghosts and Forensic Images

My latest column “Ghosts and Forensic Images” is up on InsideCounsel.com.

I’m obviously capitalizing on a popular upcoming Fall holiday, but I detail the important differences between a forensically-sound “image” of a hard drive and a “Ghost” copy.

Link to article.

What, Me Worry about ESI?

“Why Your Business May Be At Risk…” from The Metropolitan Corporate Counsel is a concise list of seven misconceptions that businesses have about ESI and their e-discovery obligations. The authors are three attorneys from the New Jersey law firm Norris McLaughlin & Marcus.

Here are five of my favorites from the list:

  1. Since we are not presently involved in a lawsuit, there is no need to concern ourselves with these new rules. The reality is that there need not be an active lawsuit or court order in place for there to be an obligation on a business to preserve ESI.
  2. If we were required to save data every time a lawsuit is threatened, our company would be crippled and we’d lose our business. The reality is that the new rules recognize this problem and provide that a party need only preserve relevant ESI.
  3. Even if we were to lose relevant ESI evidence, the loss was accidental and not intended to destroy harmful information; surely a court would understand. The reality is that even accidental or innocent loss of relevant ESI is sanctionable when it could have reasonably been prevented.
  4. Many of our employees work from home and use their own personal computers; therefore, we don’t have to worry about those computers. The reality is that the new rules widen the scope of ESI to include personal home computers, cell phones, copy machines, fax machines, voice-mail, instant messaging, PDAs, websites, flash drives, etc. As long as your employees are working for you, it does not matter where they are located or what device they are using to generate electronic information related to your business.
  5. We’re too small of a business to have to worry about these changes. The reality is that if you are a business with a computer or any other device that generates electronic data, you are within reach of the new rules.

Link to story.

Explaining Computer Forensics to Lawyers

I found a small treasure trove of articles on e-discovery and computer forensics today from Burgess Forensics. I especially liked the article “How is data written, stored on, and erased from hard disks?” by Steve Burgess, where he likens hard drives to “a hybrid of a record album and pizza pie … or a dartboard” in an attempt to describe how data is stored on computer hard drives.

Last week I had the pleasure to present a Webinar for LegalSpan (Manexa) entitled “How and When to Use Computer Forensics Professionals.” In my research for this presentation, I realized how difficult it is to explain how operating systems store data on computer hard disks to non-technical folks. It’s always made perfect sense to me due to my background, but it’s tough to smoothly explain how bits, bytes, sectors, and clusters build upon each other, and why hard drives have “slack space,” and why data is rarely saved in consecutive clusters, etc. etc.

The Steve Burgess article does a great job of introducing the terminology, but the masterful Craig Ball takes your hand and gracefully leads you through the woods of bits and bytes in his concise compendium entitled “4 on Forensics: Four Articles on Computer Forensics for Lawyers.” If you’re a lawyer who needs to understand how to preserve a computer’s hard drive, Craig’s “4 on Forensics” is an absolute must-read. And due to Craig’s easy style, I guarantee that you will have a solid foundation in computer forensics when you’re done reading. The first of the four articles, “Computer Forensics for Lawyers Who Can’t Set a Digital Clock,” is the longest and the most relevant. Read that one if you can’t get to anything else.

I would be remiss if I did not mention Sensei Enterprises, Inc., the digital home of Sharon D. Nelson, Esq. and John W. Simek. Not only have the two collaborated on the terrific ABA book The Electronic Evidence and Discovery Handbook: Form, Checklists and Guidelines, but Sharon Nelson now authors the informative (and often entertaining) electronic evidence blog entitled “ride the lightning.” You can find a wonderful chunk of articles on their Website, and I will specifically recommend “Finding Wyatt Earp: Your Computer Forensics Expert,” which provides a compact set of suggestions to consider when you need the services of a computer forensics examiner.

Computer forensics has always had a “CSI mystique” about it, mainly because so many people have never had to worry (or care) about how their computer stores data on the hard drive. And while you really don’t need to know how the innards of a computer work to send e-mail or type a document, you should have a basic understanding of the technology in use so you can confidently communicate with the computer forensics professional you hire.

The blanket rule when it comes to computer forensics is DON’T DO IT YOURSELF (or don’t let your client do it themselves). Many IT professionals wrongly assume that they can make a full copy of the hard drive themselves that will preserve the data. Unfortunately, many of these copies will NOT be considered forensically sound images of the hard drive, and will reveal changes made to the data, which could lead to claims of spoliation.

It’s never worth the gamble – always call a certified computer forensics professional when you need to preserve the data on a computer hard drive.