Computer Forensics News
October 2008 | Vol. 6, Iss. 10
Cyber Crime & Computer Forensics News



Kroll Ontrack's Newly Redesigned Web Site

Visit www.krollontrack.com where you can now navigate better, faster and more efficiently to get the information you need. Our new resource library www.krollontrack.com/resources/ is one click away and includes case law summaries, publications, state e-discovery rules and statutes, additional newsletters and podcasts. Upcoming events and event materials are also available at: www.krollontrack.com/events/


In This Issue:

From the Bench: Courts Rely on Computer Forensic Experts
The Brill Files: Be Aware of Third-Party Storage Facilities
Technology You Should Know: Best Forensic Practices to Make iPods Sing Out Information Vital to Your Investigation
News & Events

From the Bench: Courts Rely on Computer Forensic Experts

Magistrate Judge Relies on Computer Forensic Expert in Issuing Sanctions for Bad Faith Spoliation
Super Future Equities, Inc. v. Wells Fargo Bank Minn., N.A., 2008 WL 3261095 (N.D.Tex. Aug. 8, 2008). In this racketeering litigation, the plaintiff filed an objection to the magistrate judge's order that recommended monetary sanctions and a jury instruction allowing for the consideration of spoliation. Previously, the defendants moved for sanctions and contempt against the plaintiff and two counter-defendants, alleging they failed to preserve hard drives as instructed by a preservation order. An independent forensic expert reviewed the two counter-defendants' hard drive images for relevant documents and determined the first hard drive was actually a damaged DVD that contained only active files, excluding unallocated space. When examining an additional drive, the forensic expert noted it was wiped using "Window Washer," which intentionally deleted large quantities of data. Based on this willful spoliation, the magistrate judge recommended monetary sanctions as well as an adverse jury instruction on the remaining counterclaim. After conducting a de novo review, the court overruled the plaintiff's objection and adopted the magistrate judge's order in full.

Court Imposes Default Judgment Citing "Brazen Destruction of Evidence"
Atlantic Recording Corp. v. Howell, 2008 WL 4080008 (D.Ariz. Aug. 29, 2008). In this copyright infringement litigation, the plaintiffs sought terminating sanctions alleging the defendant willfully destroyed material evidence. The defendant removed the file-sharing program at issue from his computer after receiving the notice of litigation, without taking a proper backup. He also reinstalled the operating system after he received the request for copies of various files on his computer. In addition, a forensic examination showed that the defendant downloaded wiping software to permanently delete traces of files shortly after he filed his answer. Finding the defendant to have engaged in "brazen destruction of evidence," which made it impossible for the case to be decided on the merits, the court imposed a default judgment against the defendant and awarded the plaintiff $40,500 in statutory damages and $350 in filing fees.

The Brill Files: Be Aware of Third-Party Storage Facilities

As the ability for one to create electronic information increases, so does one's ability to manipulate and preserve that information. In fact, there are companies that are solely in the business of storing and backing up information for other organizations and individuals. A few of these companies offer limitless storage space, often in locations outside of the United States. This is part of a trend that I've been looking at, where a company, or units of a company, can store information in offline archives that may be largely undocumented. As you might imagine, these offline repositories have the potential to pose discovery dilemmas should an investigation ensue. Therefore, it is critical for counsel to be aware of the potential and plan accordingly.

Employees may choose to upload materials to an Internet-based storage solution for a variety of reasons, including ease of collaboration, or simply as a means to avoid company document retention policies. While the individual employee may not be concerned with future production considerations, the company that employs them must be. The fact that an employee has chosen to maintain documents in a remote repository does not relieve the company of its duty to produce the document when it is responsive to a discovery request.

If counsel doesn't think to consider all of the places data may reside, including on third-party servers, will they ask the right questions? To ensure compliance with the Federal Rules and effectively manage costs, it is important for an organization to have an e-discovery plan that includes knowledge of where ESI is located, including the potential for offline repositories controlled by third parties. An efficient e-discovery plan should include an e-discovery task force with members from various company business lines: IT, Legal, HR, etc. This team must proactively determine whether employees maintain third-party operated information repositories and contact those that do to ensure compliance with the company's document retention policy.

Once counsel has recognized that international online storage is technically quite feasible and affordable, this has to be taken into account when developing interrogatories, preparing your questions for use during early meet and confers, and preparing questions to pose to a company's 30(b)(6) witness.

Second, get out there and see what a Google or Copernic search shows about you. You may not like everything that you find, but if you know about it, you and your counsel can be prepared to deal with it.

Simply put, you want to put the company on record as to whether it is storing data outside of the country either by physically shipping media, or through an online service. If the answer is "yes," obviously you'll inquire into the details. If the answer is "no," don't simply move on, as you may not have the whole story. Ask whether it is possible that individuals or departments relevant to your inquiry could have arranged for the use of these systems—some of which are free—without letting the central IT function know. Ask how the corporation would know if someone had done so. Do they have network monitoring software in place? Did they inquire of those relevant to your case as to whether they had offline archives, either on their local PC, their home computer or in a remote online or offline storage location? If they didn't, should they?

Remember, access to these remote files may be very simple — generally requiring just a user ID and password. From a technical viewpoint, those files would be very accessible, but if you don't know they exist, you don't get the evidence. Alternatively, if they do exist, but someone involved won't grant access, you can take a range of actions to try to compel cooperation.

So when you think about where the evidence may be in a case you're involved in, think outside the box — sometimes thousands of miles outside the box.

If you would like to explore the opportunity of world-renowned forensics expert, Alan Brill, speaking at a conference you are supporting or organizing, please contact Kristin Husom at 952 516 3781 or at khusom@krollontrack.com.

Technology You Should Know: Best Forensic Practices to Make iPods Sing Out Information Vital to Your Investigation

Contrary to the popular misconception that they are simple music players, iPods are multi-functional storage devices with significant memory capabilities and a media device that investigators can no longer ignore. The current generation of iPods can play and store music and movies; record and store voice recordings; and store contact information, calendar entries, photographs and files — including encrypted files. Given iPods' enormous functional capabilities as well as their ubiquitous presence in modern society, they often contain valuable information. For example, an iPod could be used to record an impromptu meeting which is later disputed. Or an innocent looking iPod could be used to copy sensitive data and remove it from an office. And of course, an iPod could contain illicit photographs, contact information of conspirators or victims, relevant calendar entries related to a suspect's conduct and so forth.

It is important to be aware that files can be hidden on an iPod so they will not appear while browsing through the device's content. This is easily accomplished by putting the iPod in "disk mode" so it acts as an external hard drive to a host computer, and then transferring files onto the iPod through a program other than iTunes, such as Windows Explorer. To locate these files, a forensic examination of the iPod is necessary; to ensure data is not lost, forensic best practices must be followed. The following are some important considerations when conducting an iPod forensic investigation.

Data Integrity Considerations During Collection: A qualified forensic collections expert should collect any iPod which is connected to a computer or mounted to a charger. Do-it-yourself collection is especially dangerous in these circumstances because an iPod could be booby-trapped with a malicious program that will destroy data if the iPod is disconnected without a code. If the collection expert determines there may be a malicious program installed, a physical removal of the hard drive at the collection scene is the best option. Also, utilizing a collection expert is important under these circumstances because an iPod's hard drive can be damaged if it is not properly disconnected from a computer system.

Operating File System Type Considerations: Determining what operating file system the iPod uses is of paramount importance for a sound forensic examination. iPods initialized to Macintosh computers will operate using an HFS+ file system and iPods initialized to Windows-based computers will use a FAT32 file system, unless iPodLinux or another alternative file system was subsequently installed. Which file system is in use affects the iPod's operation, and in turn affects which forensic tools are necessary to correctly interpret and display stored information.

Also, knowledge of the file system type will generally make it easier to match the iPod with the computer it has been used with, thus providing an additional source of potential information regarding the conduct under investigation. However, the fact that an iPod was initialized with either a Macintosh or Windows-based computer does not mean that it has not subsequently been used on other machines.
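
The file system determination described above can be made from the on-disk signatures of a forensic image, without mounting anything. The following is an added example, not part of the original newsletter or any Kroll Ontrack tool: the function names are hypothetical, 512-byte sectors are assumed, and the two sample images are constructed, minimal stand-ins rather than real iPod layouts.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors/blocks in the acquired image

def identify_volume(vol: bytes) -> str:
    """Classify one raw volume by its file system signature."""
    # HFS+ (or HFSX): volume header at byte 1024 begins with 'H+' (or 'HX')
    if vol[1024:1026] in (b"H+", b"HX"):
        return "HFS+"
    # FAT32: boot sector ends in 0x55AA and carries 'FAT32   ' at offset 82
    if vol[510:512] == b"\x55\xaa" and vol[82:90] == b"FAT32   ":
        return "FAT32"
    return "unknown"

def partition_starts(img: bytes):
    """Yield partition start sectors from an Apple Partition Map or an MBR."""
    if img[SECTOR:SECTOR + 2] == b"PM":        # Apple Partition Map entry in block 1
        count = struct.unpack_from(">I", img, SECTOR + 4)[0]
        for i in range(1, count + 1):
            if i * SECTOR + 12 > len(img):     # truncated or corrupt map
                break
            yield struct.unpack_from(">I", img, i * SECTOR + 8)[0]
    elif img[510:512] == b"\x55\xaa":          # MBR: four 16-byte entries at 446
        for i in range(4):
            ptype, start = struct.unpack_from("<4xB3xI", img, 446 + 16 * i)
            if ptype:                          # type 0 means unused entry
                yield start

def identify_disk(img: bytes):
    """Return [(start_sector, file_system)] for a whole-disk or single-volume image."""
    fs = identify_volume(img)
    if fs != "unknown":                        # image is a bare volume
        return [(0, fs)]
    return [(s, identify_volume(img[s * SECTOR:s * SECTOR + 2048]))
            for s in partition_starts(img)]

def sample_windows() -> bytes:  # constructed: MBR -> FAT32 volume at sector 4
    img = bytearray(8 * SECTOR)
    struct.pack_into("<4xB3xII", img, 446, 0x0B, 4, 4)
    img[510:512] = b"\x55\xaa"
    img[4 * SECTOR + 82:4 * SECTOR + 90] = b"FAT32   "
    img[4 * SECTOR + 510:4 * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)

def sample_mac() -> bytes:      # constructed: one-entry APM -> HFS+ volume at block 2
    img = bytearray(8 * SECTOR)
    img[0:2], img[SECTOR:SECTOR + 2] = b"ER", b"PM"
    struct.pack_into(">II", img, SECTOR + 4, 1, 2)  # map entry count, start block
    img[2 * SECTOR + 1024:2 * SECTOR + 1026] = b"H+"
    return bytes(img)
```

Run this against a verified working copy of the acquired image, never the device itself; a result of "unknown" for every partition is the cue to consider an alternative file system such as one installed with iPodLinux.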

The bottom line is that iPods are a great source of information that cannot be ignored in any investigation. Given the complexities involved in conducting a sound iPod forensic examination, it is crucial to partner with an experienced forensic expert to ensure that the iPod at issue will sing with information rather than painfully screech that data has been lost due to failure to follow best forensic practices.

NEWS & EVENTS

#1 E-Discovery Provider 7th Year in a Row
Kroll Ontrack has been named the #1 electronic discovery provider in the 13th Annual Am Law Tech Survey. This survey, appearing in the October issue of Law Firm Inc., marks the seventh consecutive year that Kroll Ontrack has been awarded this honor. Of the firms surveyed, 62% of the respondents identified Kroll Ontrack as their electronic discovery provider of choice. Polling CIOs and IT directors from the largest 200 law firms in America since 1995, the Am Law Tech Survey aims to reveal information about hardware, software, budgets, new developments and the latest legal trends.

Kroll Ontrack Offers Redesigned Certification Course for 2008
The industry's legal technology thought leader has revamped its E-Discovery Certification Course for 2008 with updated topics, additional speakers and dual track, customizable sessions to appeal to beginner, intermediate and advanced learners. The redesigned course curriculum is ideal for legal and technical professionals of all levels, including in-house counsel, law firm attorneys, litigation support professionals, paralegals and IT staff. Due to overwhelming attendance, we have decided to offer an additional course in December. For more information and to register, visit: http://www.krollontrack.com/certification-courses/.

Meet our representatives at the following events:

10/19/08 - 10/22/08 | ACC Annual Meeting | Seattle, WA
10/21/08 | San Diego Paralegal Association | San Diego, CA
10/20/08 - 10/22/08 | HTCIA | Atlantic City, NJ
10/23/08 | DRI Annual Meeting | New Orleans, LA
10/27/08 - 10/29/08 | Techno Forensics | Gaithersburg, MD
10/28/08 | The Subprime Mortgage Meltdown & Financial Fallout: From Foreclosure to the Courtroom | Online Seminar
10/27/08 - 10/30/08 | GTEC Conference | Ottawa, Ontario
11/10/08 - 11/13/08 | Fall Connections | Las Vegas, NV
11/21/08 | Utah Bar Fall Forum | Salt Lake City, UT
12/04/08 - 12/05/08 | E-Discovery Certification Course | Eden Prairie, MN

Visit http://www.krollontrack.com/upcoming-events/ for more information on these events and others.

We Request Your Input

Our legal consultants, project managers and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please contact us by writing to jshogren@krollontrack.com.

This newsletter was written by Gina Jytyla and Joni Shogren, Kroll Ontrack Staff Attorneys, with assistance from Kelly Kubacki and Meredith Socha, Kroll Ontrack Law Clerks. Ms. Shogren can be contacted by writing to jshogren@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or http://www.krollontrack.com.

Kroll Ontrack

9023 Columbine Road | Eden Prairie, MN 55347 | 800 347 6105


This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.

© 2008 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.