Deciphering the “Mystery of the PST”


Exciting news yesterday on two open-source tools released by Microsoft that now give software developers remarkable insight into .PST files.

This is vitally important and exciting to the world of e-discovery. One of the first places we look for information today is e-mail. And if we want e-mail, there’s a high probability that it will come from a Microsoft Outlook / Exchange environment. And if the e-mail comes from Microsoft Outlook / Exchange, we’ll probably receive a .PST file.

Craig Ball (as always) does a great job of explaining how we encounter .PST files in e-discovery matters in “How to Go Native Without Going South.”

Any IT professional who manages a Microsoft Exchange server can export .PST files. Anyone who uses Microsoft Outlook can export a .PST file from their desktop (File > New > Outlook Data File, or I usually click File > Import and Export).

The .PST is a common file format for transporting multiple e-mail messages, but a .PST file can also contain calendar information, notes, and contact information. When we request e-mail from a client, we either receive a complete .PST file or a “reconstituted file” (as Craig Ball puts it) that contains select, relevant e-mail messages.

The problem is that when lawyers get a .PST file, the apparently irrepressible instinct is to immediately open it in Outlook to see what it contains (since we know that’s where the juiciest stuff lives). This is a bad idea for several reasons, but no doubt it’s important to crack into that .PST file as soon as possible. This is what I call the “mystery of the .PST,” a phrase I used in my review of Wave Software’s Trident software that was never published (until I uploaded it here).

Up until yesterday, we had to have Outlook to peek inside a .PST file. Many litigation support / e-discovery tools process .PST files, including Trident, CT Summation, LAW PreDiscovery, Discovery Cracker, etc. But to do so, they had to have access to Microsoft Outlook to interpret the complexities of the .PST through the Messaging Application Programming Interface (MAPI) and the Outlook Object Model.

The new tools from Microsoft (the PST Data Structure View Tool and the PST File Format SDK released as open-source software) now negate the need to have Microsoft Outlook installed on a system that’s processing .PST files. This is a huge boon to the e-discovery software industry. No lawyer will need to touch these tools, but if you develop e-discovery software today, you should put your best folks on this immediately if you haven’t already. This will dramatically streamline many of the tools already on the market, and provide opportunities for additional, more robust, behind-the-scenes, invasive indexing of .PST files for finding the relevant messages necessary for litigation.
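For the developers in the audience, here is a minimal sketch of what "no Outlook required" can look like at the very lowest level: checking whether a file even looks like a .PST by reading its first few bytes. This is not the PST File Format SDK's API. It assumes the header layout described in Microsoft's published file format documentation ([MS-PST]): a 4-byte "!BDN" signature, a 2-byte "SM" client signature at offset 8, and a 2-byte little-endian version number at offset 10. The function name and the labels it returns are hypothetical, chosen only for illustration.

```python
import struct

# Assumed header layout, per Microsoft's published [MS-PST] documentation.
PST_MAGIC = b"!BDN"        # dwMagic, bytes 0-3
PST_CLIENT_MAGIC = b"SM"   # wMagicClient, bytes 8-9 (a PST rather than an OST)


def describe_pst_header(header: bytes) -> str:
    """Classify the first bytes of a file (hypothetical helper, illustration only)."""
    if len(header) < 12 or header[:4] != PST_MAGIC:
        return "not a PST"
    if header[8:10] != PST_CLIENT_MAGIC:
        return "not a PST"
    # wVer is a 2-byte little-endian integer at offset 10.
    (version,) = struct.unpack_from("<H", header, 10)
    if version in (14, 15):
        return "ANSI PST"
    if version >= 23:
        # Assumption: values of 23 and above indicate the Unicode format.
        return "Unicode PST"
    return "unknown PST version"
```

To try it on a real file, read the first 12 bytes in binary mode (for example `open(path, "rb").read(12)`) and pass them in. Opening the file read-only this way never touches Outlook or a mail profile, although it only identifies the container and does nothing to parse the messages inside.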

You know this is important for our industry because Microsoft’s own press release even mentions e-discovery as one of the “complex scenarios” where these tools will be useful.

The tools in their current state offer read-only capabilities, but this video promises that full write capabilities are on the roadmap.

(My appreciation to Paul Bain who posted links to related stories on The Litigation Support List)

UPDATE 2010.05.27: Another great story from CNET on Microsoft opening-up access to Outlook .PST files, including the possibility of opening .PST files in Google Apps or Thunderbird. This is significant because we will now have the ability to open .PST files in applications other than Outlook. Again, this will not always be the most prudent method of exploring the “mystery” of a .PST, but it’s fantastic to have options WITHOUT the need for squirrelly, third-party utilities.

Clearwell Views E-Discovery With Ease (My Review of v.5.0)


Clearwell is clearly a leader in the e-discovery market. My review of version 5.0 was published a few months ago and I was very impressed.

Most notable was the “Pre-Processing” module now incorporated into the Clearwell environment that provides insight into data before it gets populated into a review database.

I’ve always been a big fan of how Clearwell displays e-mail “threads” – in fact, I think they do it better than just about any other platform that truly attempts this.

Right around the time my review was published, Clearwell announced version 5.5 and they have also begun work on version 6.

You can read “Clearwell Views E-Discovery With Ease” on

The Masters Conference 2009

I am attending The Masters Conference today (October 13, 2009) in Washington, D.C. I’ve attended the conference for the past two years and blogged about it both times.

The highlights from last year included the keynote address from Judge John Facciola and a fascinating panel I referred to as “the e-discovery three” made up of Judge Facciola, Judge Paul Grimm, and Judge Ronald Hedges.

Organizer Sasha Hefler and her team have put together another great conference this year expanding the focus a bit from simply e-discovery to a broader risk management discussion.

I will blog a post or two from the conference, send a few tweets (#MastersConference), and do a write-up on what’s new from the exhibitor floor.

Anecdotes and Lessons Learned in Corporate E-Discovery

I am thrilled to be participating in a live Webinar today with Tom O’Connor from the Legal Electronic Document Institute, co-hosted by Orange Legal Technologies and ILTA.

Rob Robinson of Orange Legal Technologies has invited Tom and me to share a few stories that we’ve collected throughout our careers, and provide some handy tips and “lessons learned.” I always enjoy visiting with Tom, so this promises to be a blast.

(If you don’t already follow Rob on Twitter and his excellent “Unfiltered Orange” e-discovery update service, you’re missing out on a lot of information.)

The Webinar is today (Wednesday 9/9) at 12 noon Eastern. You can register on this page, or view the Webinar directly from this page.

ABA TECHSHOW 2009: “Litigation Hold Q&A”

After an Expo Hall break, both Craig Ball and Patrick Oot returned for a fabulous roundtable session where they invited the audience to ask questions and even pose specific scenarios from their own projects for collective discussion. This was an amazing opportunity to get input from two well-respected luminaries in the e-discovery space and I frankly thought that more folks would have attended. On the other hand, there were some other terrific sessions in the same slot (such as the Keyword Search session with Jason Baron and Judge Rosenbaum).

I can frankly listen to both of these gentlemen for hours on end because I have such high appreciation for their experience and perspective, but it was tough to get questions from the audience. I finally asked Patrick if he could share a little bit more about Verizon’s decision to create a “homegrown” litigation hold system instead of purchasing a system from one of the vendors in the space.

Patrick explained again how they looked at some vendors like Exterro and PSS Systems, but when he discussed the situation with his security professional, Patrick was shown a similar notification system that was already in place for another purpose. As Patrick stated in the earlier session, not everyone has the luxury of skilled programmers on staff, but in Verizon’s case, it worked out best to develop the system in-house.

Patrick also mentioned that Verizon has purchased EnCase Enterprise and Patrick has the vision that one day the EnCase product will integrate with their current litigation hold notification system and their e-mail system so that they can hit one button, have notices sent out, track those notices through auto-responders, and all the while have EnCase collect the relevant data.

Another question came from my good friend Jeff Beard who now works with Daticon-EED – he asked about tracking the systems once a litigation hold comes into play.

Craig Ball answered that the biggest problem is getting a lackluster response from the folks that are responding to the litigation hold, which is usually an indication that top-down buy-in is lacking. Craig suggested that the hold notification should come from the business side and perhaps NOT the lawyer.

Craig then asked a question of the audience, inquiring about their biggest complaint when it comes to litigation holds.

One audience member bemoaned the fact that most complaints and document requests are so overly broad that the matters become unmanageable. Craig stated that the mistake most lawyers make is that they simply visit an e-discovery vendor’s Website and download a form which says “save everything.”

Craig then had an insightful comment to close the session:

I consider preservation letters a gift because it gives me insight into the other side’s real intention. If it says “save all the metadata,” then I know they are an ignoramus. But if they are specific in their request, then I know that I have to have my ducks in a row because they know exactly what they’re doing.

ABA TECHSHOW 2009: “Planning and Implementing the Litigation Hold”


UPDATED April 8, 2009: I have subsequently learned that Patrick Oot works for a subsidiary of “Verizon Wireless” and have changed his company’s name to simply “Verizon.”

The first session I attended at ABA TECHSHOW was “Assessing the Big Picture: Planning and Implementing the Litigation Hold” ably handled by the mellifluent Craig Ball and the dapper Patrick Oot (of Verizon).

Both Craig and Patrick are seasoned speakers in this space and the session flowed smoothly. I’ve elected to share snippets of their conversation below:

Patrick Oot: We (Verizon) looked at tools like Exterro and PSS Systems but we ultimately decided to design our own application to do internal identification/collection work. Granted, not everyone has access to a group of programmers and web designers, but it was the right decision for our company.

Craig Ball: Don’t make the first time you meet someone from your client’s IT department be the day you do data collection – take them out to lunch or meet them some other way. IT calls things by different words and there is a massive lack of communication.

Oot: You still have to conduct an investigation to find out the facts of the case. At Verizon, they have a former IT person that works closely with the legal team, and he knows where all the “dead bodies” lie. Also, it’s important to pinpoint the owner of systems: for example, the owner of the billing system at Verizon is NOT the billing department, it is someone in IT. The owner of their collection program is NOT the legal department, it’s someone in IT.

Question from the Audience: How can you know if you have the right person that knows where the data resides?

Ball: You have to identify the core person. But I often find that the biggest problem is that no one has really paused and considered what the case is all about. There is a tension between IT and legal that is not going away anytime soon. Outside counsel, however, are getting called to the carpet for the actions of their clients. If a client works behind the curtain, then you have a problem with your client, and you must have a talk with your client. You may need to tell them that you can’t represent them if they won’t let you in.

Oot: I have a little different perspective – I own a process within my company. Some lawyers that I work with internally want very little involvement from outside counsel. Other internal lawyers want outside counsel to handle the bulk of the work. We are fortunate that we can accommodate either perspective. One thing that outside counsel can do, however, is make it known to your clients that you ARE willing to speak with their IT folks, and that it is important to you. I also require outside counsel that I work with to update a preservation memo.

Ball: That brings up a great point about recording your work. You must have a solid mechanism for keeping track of your collection and presentation activities so that you can defend your processes when they are attacked. Also, you MUST go to your client’s office to look for responsive data. Even if an employee replies that they don’t have any old data sitting around, more times than not you’ll find when you visit their office that they have an old laptop sitting on a file cabinet or some USB thumbdrives in a desk drawer.

Ball: One of my best tools for litigation hold is a label maker. So often computers get wiped and data gets deleted because the IT professional didn’t know that it was something to be preserved. Sometimes I’ll even put a label inside the computer so that when someone opens the box they see it.

Oot: Verizon gets a lot of calls at their customer service centers that end with “you’ll hear from my lawyer.” We actually did a study and found that only ONE of those threats ever came true. Reasonable suspicion is a moving target; it oftentimes is based on a gut instinct.

Ball: Everyone talks about a “trigger” event. I don’t want you to think of it as a trigger because a litigation hold doesn’t go BOOM and it’s all over. Rather think of the litigation hold as a valve that opens a little bit at a time. First you might open the valve to preserve the machine of the person who was fired. Next you might open the valve a little more to preserve the machine of that person’s supervisor. You can keep opening the valve, but at some point the valve can be shut off when necessary.


If you’re within a few hours driving distance of Chicago, you must consider attending a day or two of the ABA TECHSHOW happening tomorrow through Saturday (April 2-4).

You say, “it’s too expensive – I have no money to spend on conferences.”

I say, “if you have questions about using technology in your law practice, you cannot afford to miss TECHSHOW since it is the most comprehensive collection of legal tech gurus and vendors in the country. You’ll learn more about technology just walking through the halls and asking questions than you will spending a day in software training.”

A one-day pass to attend the educational sessions for either Thursday or Friday is only $450 and Saturday is only $195 (Saturday is a half day). If you’re a law student, the entire conference is free. If you’re just interested in visiting the Exhibit Hall, it’s ENTIRELY FREE!

If you can’t tell, I get excited about TECHSHOW and no one leaves disappointed. I am honored to be speaking on three panels this year:

  • IT Toolbox: Essential Apps to Get the Job Done
  • A Project Management Approach to E-Discovery
  • Mac@Trial

Please consider attending the conference if at all possible – I guarantee you will benefit from the time spent away from the office, as long as you follow Matt Homann’s “Ten Rules for Conference Attendees” (pay special attention to #9).

And if you just can’t make it at all, keep an eye on the TECHSHOW BUZZ.

Northern Kentucky E-Discovery Symposium Post 03

I attended the Northern Kentucky Law Review’s Spring Symposium entitled “E-Discovery: Navigating the Changing Ethical and Practical Expectations” yesterday sponsored by the Chase College of Law. Here are the first and second posts.

The last panel was broadly entitled “Best Practices in E-Discovery” and featured a great group:

Each participant on this panel was assigned a topic to address, but it really worked out best that they all had a sort of free-for-all in a meta-discussion.

Wier: The Federal Rules of Civil Procedure are meant to codify common sense. Cooperation is a commonsensical endeavor. The rules are meant to ensure the just, speedy, and inexpensive determination of every action (FRCP 1) – that is the mindset I use when I approach e-discovery issues. The rules SHOULD anticipate problems with e-discovery and ease concerns. Each rule is designed to establish cooperation, just like some cooperative element is required for every motion that is filed. Cooperation extends to third parties as well.

Allman: I’ll put in a plug here for the Sedona Conference’s Cooperation Proclamation – it is the “tip of the iceberg” effort from Sedona to support what Judge Wier just discussed. Although I will admit that coming recently from a large corporate legal department, I have mixed feelings about the Cooperation Proclamation.

Bennett: I am not a computer programmer and not extremely technical, but I am capable of working with experts and I can become an “expert for a day” long enough to explain e-discovery issues to a judge or jury. Some broad guidelines that I’ve developed: 1) be prepared – you don’t want to be making this stuff up in the middle of litigation; and 2) always remember that technology is NOT the solution – technology is ONE PART of the solution. At the end of the day, you must be prepared to negotiate – when you go into a meeting and say “I can give you this, this, this, and this right now, what more do you want?” then this makes you look better and more cooperative. But of course if you promise something, you better be able to deliver.

Gensler: There is NO duty in the rules to mandate cooperation, but there ARE some rewards for cooperation. Why do parties cooperate? It really comes down to self-interest. As a theme, cooperation is dead-on – there are ways to do things better if we stop fighting all the time.

Bennett: Such a fluid vendor environment – in the first instance, there was an enormous explosion of vendors involved in this area but we are now experiencing a consolidation in this area. There is a shedding of less effective players, especially in this economic environment. We may eventually see what looks like a “big 6” of vendors in this area but we’re not there yet – it will probably take another 5-10 years. But in the current environment, we have any number of folks that promise to solve everything.

Allman: The role of a vendor on the team is touchy – regardless of whether it’s the inside or outside lawyers who dominate the project, the vendors NEED supervision. One of the fascinating points in the Qualcomm case was the focus on the ethical rules of supervision.

Wier: What I always look for in a dispute is who is acting reasonably and un-reasonably – the un-reasonable party is who I glare at. How do you get un-reasonable? You cannot reasonably approach a topic for scope or burden without a lot of planning and due diligence. I find that many lawyers go into a meet & confer and have only devoted a passing thought to these issues. You can’t fly by the seat of your pants – these duties are now built into the new rules. Under FRCP 26(g), you’re signing something that states you have done your due diligence and considered burden and thought it through.

Gensler: There are different tiers of vendors out there. A good practice is to have an up-to-date data map for each of your clients. During the ramp-up to the FRCP amendments, one of the biggest complaints that the committee received was on the cost of privilege review because each attorney said they had to review every document PERFECTLY. As an example, imagine that every person in this room was a document – would I just wave my hand over the crowd for review? Would I do a pat down? Would I do a full-body cavity search? Most lawyers want to do a full-body cavity search.

Allman: When we were looking at proposed FRE 502, we were not specifically concerned with how a “quick peek” would go, rather we were concerned about the fact that each state had different rules to deal with inadvertent waiver so that you never knew what you would be faced with. FRE 502 does a beautiful job at addressing this mainly by applying the rules to every state. So now the drug company as part of an MDL that may have a document waived in one state can prevent that same document from being admitted in another state.

Wier: FRE 502 applies to the attorney-client and work-product categories, but it does not apply to legal malpractice type claims. Compare the power of an agreement with the power of a court order. Certainly an agreement between parties has some power, but would NOT have an effect on non-parties. But if you get a court order, then you have more enforceability beyond the case – it extends to protect you in other federal courts and state courts.

Allman: I would like to draw your attention to Rule 37(e) – this little-noticed rule was included in the 2006 FRCP amendments and this brings common sense into the sanctions process. The words to emphasize here are “good faith,” which is a phrase stuck in here in conjunction with sanctions in the federal rules. In some ways it is a more useful tool than the cooperation mantra that we’ve discussed. Even Qualcomm has a long quote on good faith. People are beginning to understand that they have a duty to act in good faith – the rules and court decisions are picking up on that.

Wier: Judges are generalists and not experts. If you have an issue in e-discovery, you need to present the information in a manageable way to educate the judge on how the intricacies fit together.

Bennett: The past is prologue – what you see in front of you is one of the last lawyers who learned how to do e-discovery on paper. In law school today, you have been raised on digital media and instant access – there is no going back – it is critical to the commerce of the country and the world. But things are going to get more complicated, more voluminous. At some point in the near future, there may be molecularly or biologically stored data.

Gensler: My crystal ball is “reasonableness” – go back through the standards that are developing and you’ll see that reasonableness is being woven into all of this.

Northern Kentucky E-Discovery Symposium Post 02

I attended the Northern Kentucky Law Review’s Spring Symposium entitled “E-Discovery: Navigating the Changing Ethical and Practical Expectations” yesterday sponsored by the Chase College of Law. Here’s the first post.

First panel of the morning was entitled “Ethics in E-Discovery” that included:

Professor Kreder did an excellent job moderating the panel and started off by asking how ethical issues are different when e-discovery is involved:

Bassett: In general, ethical issues around e-discovery arise in the same manner as they do with physical documents, although the biggest difference is the sheer volume and number of documents. The average user creates approximately 75 e-mails a day, but no average user would create 75 pieces of paper per day!

Next, Prof. Kreder asked if e-discovery requires a different level of competence:

Harrison: No – Model Rule 1.1 only states that we need competence that is reasonably necessary to represent the client.

Carroll: Judges of my generation “have no idea” what we’re talking about when it comes to e-discovery. So to be competent today, you have to show up and be ready to discuss many issues related to ESI, you have to understand the infrastructure of your client’s technology (even if you’re representing an individual) and you have to be ready to tell your client how to NOT delete anything.

Prof. Kreder: How are attorneys using e-discovery to advance their clients’ position?

Carroll: There is a great potential for abuse in this area – the cost of e-discovery can become so high that the party settles to avoid unnecessary costs.

Prof. Kreder then asked the panel if they could share their thoughts on “reasonably anticipating” litigation:

Harrison: I find that the most difficult area is NOT the defense side because they have some kind of knowledge that litigation is coming. The bigger problem is from the plaintiff’s side since they have to anticipate filing the complaint at a time when they’re not particularly thinking about preserving information.

Prof. Kreder then asked for a general “lay of the land” in the ethical issues with e-discovery:

Bassett: Most would argue that Qualcomm is the biggest post-Zubulake case. There are two main lessons from Qualcomm: 1) attorney supervision of their clients’ data collection activities plays a much larger role – there is no safe haven; and 2) the looming area of cooperation – the court explained that attorneys and clients must work together to understand how and where ESI is maintained.

Harrison: Qualcomm is one of the most important cases from an ethical perspective and it creates a potential wedge between the attorney and their client when dealing with e-discovery. The whole basis for the rules is in defining the relationship between the attorney and client historically based on trust, confidence, and loyalty. As the law changes, it sets up standards that create tension between a lawyer and their client. You get lawyers covering their hindquarters instead of zealously representing their client.

Lastly, Prof. Kreder asked the panel to address new Federal Rule of Evidence 502:

Carroll: The cost of privilege review for a million e-mails is mind-boggling, and the rules have struggled with how to adequately represent a client without incurring this cost. FRE 502 has addressed the issue of inadvertent waiver.

Harrison: This is a scary issue for a practitioner. You can’t un-ring the bell when there is inadvertent waiver. FRE 502 provides some comfort, but it’s “pretty cold comfort” because yes you COULD get something back but it’s already out there. Also, will state judges actually follow this like they’re supposed to?

Northern Kentucky E-Discovery Symposium Post 01

Fantastic turnout at the Northern Kentucky Law Review’s Spring Symposium entitled “E-Discovery: Navigating the Changing Ethical and Practical Expectations.” I just assumed that this was for the general public’s consumption, but it looks like the entire student body of the Chase College of Law turned out. Someone mentioned they were limited to 180 seats in the conference room and they were all full.

I am very encouraged by this turnout. I know that most of the law students were probably “highly encouraged” to attend, but this is the future of the profession, and these are future litigators, and if they can get exposed to e-discovery basics while they are still impressionable as students, then that gives me hope that the profession of law will eventually appreciate a comfort level with the world of technology.

First up with the obligatory “intro to e-discovery” presentation was Roland Bernier from Forensics Consulting Solutions Inc. Mr. Bernier did a tolerable job of setting the foundation for the two following panels.

After defining a few terms and running through the EDRM, Mr. Bernier had a couple of great points that I’ll paraphrase:

Most lawyers consider “data” to be something only generated by accounting programs or spreadsheets or something similar. But today there are so many automated processes that constantly create relevant data that are never considered.

From a distance, the worlds of IT and law should have a lot in common – they are both built on logic and established structures. But these two disciplines have so much trouble communicating. Actually, IT is a mix of multiple disciplines and the legal world may need individual disciplines for each litigation matter.

Mr. Bernier referred several times to George Paul’s excellent book “Foundations of Digital Evidence” and repeated Paul’s point that established canons such as the “best evidence rule” are broken when it comes to pure digital evidence.