Logicube News Article


Cybersleuth Steps - Collecting digital evidence is as easy as following 10 steps

Joan E. Feldman - Fraud International - Tuesday, July 01, 2003

Locating evidence on computers is an important part of today's discovery process. The reasons for pursuing computer-based evidence are compelling. It is estimated 30% to 50% of data stored on computers such as email and database files are never reduced to printed form. In addition, computer-based files often contain embedded information that can only be viewed in the electronic version. True date and time information may only be available in a computer file.

Discovery without a review of computer files is incomplete. Although electronic evidence is often vital to the outcome of a case, many investigative and legal professionals have no experience collecting and analyzing the data they seek. Here is some practical advice on how to collect relevant data and assure it can be authenticated and admitted as evidence.

1. Send a preservation of evidence letter. It is critical to put all parties on notice early, informing them that electronic evidence will be sought through discovery. A letter should identify as specifically as possible the types of information to be preserved. If necessary, obtain a protective order requiring all parties to preserve electronic evidence and set out specific protocols for doing so.

2. Include definitions, instructions and specific questions about electronic evidence in your written discovery. Make clear that electronic documents, as well as paper, are being sought. Define documents as data compilations, electronic mail and electronically stored data. Use a series of interrogatories to get an overview of the target computer system. If necessary, include a request for inspection to examine the computer system firsthand and retrieve any relevant data.

3. Take a 30(b)(6) deposition (a type of custodial deposition) of staff from the information systems department. This may be the single best tool for discovering types of electronic information stored on your opponents' computer systems. Include questions about specific hardware and software used and how data is used and stored. Include questions about backup procedures. Backup tapes can be an important source of historical information.

4. Collect backup tapes. Routine data backups, created to help companies recover from a disaster (either system failure or natural disaster), are normally stored on high-capacity tapes. Backups are often created daily and/or weekly. It's common for one backup set (such as data backed up on the last day of the month) to be pulled from rotation (not re-used or overwritten) and stored for one year. Using this backup schedule, a company would have 12 monthly backups on hand for the year. That is often enough data to provide a highly detailed picture of corporate activity.

5. Collect disks, zip drives and other removable media. Collect and examine all media with files created by key witnesses. Computer users often create ad hoc backups of files and email. Such data sets can be kept indefinitely by users.

6. Ask every witness about computer usage. Witnesses and their assistants must be questioned about how they organize and store data on their computers. Perhaps the most overlooked source of electronic evidence is witnesses' or assistants' home computers. Data can be transferred to and from the workplace via disks and portable media or by logging onto the company network from home. Palmtop devices, another source of evidence, can allow users to make notes and use email. Notebook computers, often shared among users, can also be a rich source of evidence.

7. Make image copies. To capture residual data, you must make an image copy of the target drive. The copy duplicates the disk surface sector by sector as opposed to a file-by-file copy, a process that does not capture residual data. Residual data can be recovered from hard drives and floppy disks. It includes deleted files, fragments of deleted files and other data that is still extant on the disk surface. With computers, the term "deleted" does not mean destroyed. When a file is deleted, the computer makes the space occupied by that file available for new data. However, the bits and bytes of the file remain on the hard drive until they are overwritten by new data or wiped through the use of specialized software. If neither has occurred, a deleted file may still be recovered from the disk surface.

8. Write-protect and virus check all media. To maintain the integrity of electronic media you must write-protect it before doing anything else. This ensures the evidence you gather is not altered or erased. All media should be checked with current virus software to keep evidence from being altered. If a virus is detected, record all information and notify the party producing the media. Do not clean the original media, as this could change the evidence produced.

9. Preserve the chain of custody. Electronic evidence can be easily altered. Maintaining a clean chain of custody is critical. At a minimum, be prepared to assure that: no information has been added or changed, a complete copy was made, a reliable copying process was used, and all media was secured.

A reliable copy process has three characteristics. First, it must meet industry standards for quality and reliability, including the image capture software and media used. Second, the copies must meet the independent verification standard: the opposing party's expert must be able to read and verify your expert's copy. Third, the copies created must be tamperproof.
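The following illustration is added here and is not part of the original article or Logicube's own tooling. It models steps 7 and 9 on a constructed in-memory "volume" (a flat run of 512-byte sectors plus a toy directory table, not any real file system): deleting a file drops only its directory entry, so a file-by-file copy loses it while a sector-by-sector image still carries the residual bytes; a SHA-256 hash of the write-protected source, recorded in a chain-of-custody entry, lets any other expert independently verify the image and detect a single changed byte. Names such as `ToyVolume`, `custody_record` and the `CASE-EXAMPLE-001` case id are this example's own.

```python
import hashlib

SECTOR_SIZE = 512


def sectors_for(nbytes):
    """Number of whole sectors needed to hold nbytes (at least one)."""
    return max(1, (nbytes + SECTOR_SIZE - 1) // SECTOR_SIZE)


class ToyVolume:
    """Constructed toy volume: sectors plus a directory mapping a file name to
    (first_sector, byte_length). Sector 0 is reserved as a label sector. As on
    a real disk, deleting a file only drops the directory entry; the bytes stay
    until a later write lands on the same sectors."""

    def __init__(self, sector_count=16):
        self.disk = bytearray(sector_count * SECTOR_SIZE)
        self.directory = {}

    def allocated_sectors(self):
        used = set()
        for first, length in self.directory.values():
            used.update(range(first, first + sectors_for(length)))
        return used

    def _allocate(self, nsectors):
        """Lowest free run of sectors, so space freed by a delete is reused."""
        used = self.allocated_sectors()
        total = len(self.disk) // SECTOR_SIZE
        for first in range(1, total - nsectors + 1):
            if not used.intersection(range(first, first + nsectors)):
                return first
        raise OSError("toy volume is full")

    def write_file(self, name, data):
        first = self._allocate(sectors_for(len(data)))
        start = first * SECTOR_SIZE
        self.disk[start:start + len(data)] = data
        self.directory[name] = (first, len(data))

    def delete_file(self, name):
        del self.directory[name]  # bytes remain on the "disk surface"


def logical_copy(vol):
    """File-by-file copy: only what the directory still points to."""
    out = {}
    for name, (first, length) in vol.directory.items():
        start = first * SECTOR_SIZE
        out[name] = bytes(vol.disk[start:start + length])
    return out


def image_copy(vol):
    """Sector-by-sector image: every sector, allocated or not."""
    image = bytearray()
    for i in range(len(vol.disk) // SECTOR_SIZE):
        image += vol.disk[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
    return bytes(image)


def unallocated_residue(image, allocated):
    """Residual data: non-empty image sectors that no directory entry claims."""
    found = []
    for i in range(len(image) // SECTOR_SIZE):
        if i in allocated:
            continue
        sector = image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE].rstrip(b"\x00")
        if sector:
            found.append((i, sector))
    return found


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_copy(source_hash, image):
    """Independent verification: anyone holding the image can recompute this."""
    return sha256_hex(image) == source_hash


def custody_record(case_id, item, source_hash, image):
    """Minimal chain-of-custody entry; the field names are this example's own."""
    image_hash = sha256_hex(image)
    return {
        "case_id": case_id,
        "item": item,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": image_hash == source_hash,
    }


def demo():
    vol = ToyVolume()
    vol.write_file("contract.txt", b"Signed 2003-06-30 by both parties.")
    vol.write_file("memo.txt", b"Draft memo about the Q2 pricing change.")
    vol.delete_file("memo.txt")  # gone from the directory, not from the sectors
    source_hash = sha256_hex(bytes(vol.disk))  # hash the write-protected source first
    logical = logical_copy(vol)
    image = image_copy(vol)
    residue = unallocated_residue(image, vol.allocated_sectors())
    record = custody_record("CASE-EXAMPLE-001", "toy volume", source_hash, image)
    return logical, residue, record


if __name__ == "__main__":
    logical, residue, record = demo()
    print("file-by-file copy sees:", sorted(logical))
    print("sector image also holds:", [(i, d[:40]) for i, d in residue])
    print("custody record:", record)
```

Running the script shows the logical copy containing only `contract.txt`, the deleted memo surviving in unallocated sector 2 of the image, and a custody record whose two hashes match. Because `_allocate` reuses the lowest free run, writing a new file after the delete would land on sector 2 and overwrite the residue, which is the "until overwritten" caveat in step 7.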

10. Hire an expert. An expert will help fine-tune your discovery and maximize the amount of relevant data you recover. The expert can also provide resources for copying and examining data. Restoring backup tapes and image copies often exceeds the technical talent and system resources of clients and lawyers.

Direct forensic examination of data, tape restoration and copying or printing services range from US$150 to US$375 an hour. Experienced experts can help draft deposition outlines, sit in on depositions, help educate the court or discovery magistrates, and help parties prepare stipulations for protocol and cost sharing. Rates for these services range from US$375 to US$600 an hour.

The goal of computer-based discovery is to find useful information and collect it in a manner that assures it can be admitted into evidence. While technology will undoubtedly continue to change, these basic techniques for collecting electronic evidence should continue to be effective.
