|
In This Issue:
 FROM THE BENCH: COURTS RELY ON COMPUTER FORENSIC EXPERTS
Court Reminds Party of Its Power to Appoint Computer Forensic Examination
Koninklijke Philips Elec. N.V. v. KXD Tech., Inc., 2007 WL 879683 (D. Nev. Mar. 20, 2007). In a discovery dispute, the plaintiff filed an emergency motion with the court to clarify its discovery order with respect to the defendants' production of documents. The plaintiff anticipated less than adequate discovery responses from the defendants in responding to the court’s order. The plaintiff did not want the defendants to simply produce an unorganized body of electronic or paper records which would require the plaintiff to search through to locate documents responsive to particular requests. The defendants claimed they did not have to produce the electronic data because during the plaintiff’s original seizure of documents, several hard drives and servers belonging to the defendants were damaged and many documents were lost. The court did not find the defendants’ arguments credible; instead, the court noted the defendants had not produced any evidence to show the hard drives were damaged and that no information could be gleaned from the drives. The court further cautioned that it could order a computer forensic examination of the alleged damaged drives to determine if the defendants were truthful and to establish if any discoverable information was retrievable. Furthermore, the court warned that the costs of the examination and sanctions could be imposed on either party, depending on what the investigation revealed.
Party Uses Computer Forensic Expert to Reveal Stolen Documents
Keystone Fruit Mktg., Inc. v. Brownfield, 2007 WL 788358 (E.D. Wash. Mar. 14, 2007). In a misappropriation of trade secrets case, the plaintiff alleged that one of its former employees opened and used a key document on her laptop after being fired from the plaintiff’s company. The employee was then hired by the defendant who is a competitor in the field. The fired employee stated that she merely opened up the document to view it. She also argued that it was only speculation that the document was given to or used with the defendant’s business. She claimed that any documents belonging to the plaintiff were destroyed. However, the plaintiff conducted a computer forensic analysis on the hard drive of the employee’s laptop and home and work computers. The analysis showed that the employee retained the plaintiff’s data and files on her home computer and some of those files also existed in her e-mail account and on the computers at the defendant’s company. This evidence was contrary to the employee’s testimony that she destroyed all of the plaintiff’s data and did not use the plaintiff’s computer data in her new employment. Based on these facts, the court allowed the plaintiff to amend its complaint to supplement claims against the defendant.
THE BRILL FILES: ANALYZING THE IMPACT OF THE NEW U.S. DAYLIGHT SAVINGS TIME SCHEDULE
On Sunday, March 11, 2007, the United States implemented a new Daylight Savings Time (DST) schedule for 2007, with DST in effect from the second Sunday in March until the first Sunday in November. As you were downloading the various Microsoft® patches to your own personal computer, many of you, like me, probably inquired how this DST schedule change will impact the electronic evidence in cases you are managing with respect to the document dates and times.
Just like your PC, any computer working on litigation data must be patched with the appropriate DST patches as issued by the various software providers (e.g., Microsoft). If your computers have been appropriately patched, your computer’s internal time-clock knew to spring ahead one hour on March 11th. If the patches were not applied, you are probably running one hour late throughout your day. More importantly, any documents you send or e-mails you transmit are off by one hour as well. In a computer forensic investigation where dates and times are often paramount, having the computer’s operating system off by one hour could impact any key timelines and conclusions made in the case.
If you are working with an e-discovery service provider, it is important to understand which time-zone they use when processing and converting the data to a standard file format and what implications the DST change has on processing. The best practice is to use Greenwich Mean Time (GMT) and convert all date and time stamps occurring on customer data into GMT. GMT is the world standard time zone and does not adjust for DST or British Summer Time (BST). Using GMT provides for more efficient organization of documents and e-mail by selecting a universal time-stamp instead of managing, adjusting, or interpreting multiple time zones or daylight savings schedules across the world. If your e-discovery service provider utilizes GMT, the new DST schedule in the United States does not impact their e-discovery processing engine. Documents will be processed in the same manner as they were processed before March 11th. If your e-discovery service provider does not use GMT, you should inquire how it accommodated the new DST schedule.
Lastly, it is important to know if the computer used by the key document custodian or investigation target was appropriately patched with the DST software. Again, if the computer was not patched, any document they create, or e-mail or calendar item they send or receive could be off by one hour. A computer forensic expert can conduct analysis on the suspect’s hard drive to determine if and when the computer was patched. This will help you understand if the document was actually created, sent or received at the same hour as the clock on the wall.
What is the bottom line when it comes to the new DST schedule?
- Inquire as to whether the computer forensic or e-discovery service providers have patched all computers working on data involved in investigations and litigation with the DST operating system patches.
- Understand what time-zone your e-discovery processing vendor uses for document conversion.
- Know if the appropriate DST patches were applied to the suspect’s computer. A computer forensic expert can help determine if the computer’s time-clock was appropriately patched and date and times are not off by one hour.
While DST is a complex issue, qualified computer forensic and e-discovery service providers were prepared in advance for the change and are able to help you understand the impact of the new DST schedule in your case. Consult your service provider for a more complete discussion of DST.
If you would like to explore the opportunity
of Alan Brill speaking at a conference you are supporting
or organizing, please contact Amanda Karls at 952
516 3637 or at akarls@krollontrack.com.
TECHNOLOGY YOU SHOULD KNOW: HOW TO BE PREPARED FOR DATA COLLECTION
Collecting electronic data can be a complex task in a computer forensic investigation or e-discovery exercise due to the wide variety of electronic storage locations, the vast amount of data available and the ever increasing file-types used. Initial data collection steps are the most critical part of the process, and errors can be costly for a case or investigation. When looking to conduct a data collection, lawyers should examine whose data is really necessary, where the data is located, how much data might need to be collected and most importantly whether a mirror image or active data capture is needed. This article will explore the differences between a mirror image and an active data capture.
Mirror Imaging
Once the location of the relevant data is identified, it must be retrieved. Computer forensic experts can retrieve data from virtually all storage and operating systems, including many antiquated systems. Regardless of how the data is collected, a forensic copy of all media (computer hard drives, servers, disks, etc.) must be made using appropriate and usually proprietary imaging software. This imaging process provides clients and computer forensic investigators with a complete snapshot, or mirror image, of the active, deleted, and partially overwritten data contained on the media, and ensures alterations to the original media are not made.
The imaging process is non-destructive to the data and does not require the operating system to be booted, which ensures the system is not altered in any way during the imaging process, thus preserving its evidentiary value. Many lawyers and IT professionals are unaware that the mere act of booting a computer will damage critical evidence and may change metadata, such as created dates or modified dates associated with particular files. Also, booting the system may cause the hard drive to be reconfigured in a way that overwrites data that would have remained more accessible if the boot did not occur.
Active Data Capture
Data harvesting uses specialized tools, both commercially available and proprietary, to capture active data without changing any of the file metadata. While data harvesting maintains metadata properties, it does not retrieve deleted and/or partially overwritten data. Typically, data harvesting is used in e-discovery document productions where parties are seeking accessible active data.
Data copying, which can be conducted using standard tools like Windows Explorer, also retrieves only active data. As copying will almost always change some metadata properties, such as the last accessed date and time of files, it should not be used for collections in investigations or litigation. Additionally, copying will fail to collect certain types of data, such as deleted data, that are typically needed in a computer forensic investigation.
In-house and External Experts
Whether mirror imaging or harvesting data, litigation teams have the option of using an expert to perform an onsite data collection or “do-it-yourself” data collection software. Discrete onsite data collections performed by experts are particularly useful in cases where ongoing misconduct is suspected and there are risks associated with keeping the target of an investigation from becoming aware that the data collection has occurred. In addition, the use of external forensic experts and tools to retrieve data has the benefit of rapid collection, neutrality and minimizing business disruption.
Regardless of which collection method is chosen, the litigation team handling a case should make certain that the individuals collecting the data are adequately trained to understand various topologies of information technology systems to ensure the data gathering process is efficient and conforms to data handling best practices.
NEWS & EVENTS
KROLL ONTRACK LAUNCHES NEW E-MAIL INVESTIGATION & ANALYTICS SOFTWARE
On March 22, 2007, Kroll Ontrack announced the launch of Ontrack® Firstview™, an e-mail investigation analytics tool that helps in-house attorneys appraise the scope, volume and potential significance of e-mail communication. Enabling attorneys to investigate incidents of employee misconduct, form legal case strategy and intelligently collect data in preparation for discovery, this technology allows corporate counsel to gain more control of internal investigations upfront and minimize costs by reducing the volume of information processed during e-discovery. Through the use of this desktop platform, in-house counsel are better equipped to evaluate what happened and whether misconduct occurred, as well as what data should be processed for e-discovery and whether to retain an outside expert for further forensic or discovery analysis.
Specifically, Ontrack Firstview’s features and functionality enables users to:
- Reveal the dominant themes present within e-mail communications.
- Establish the timeline for the events giving rise to the investigation or suit.
- Graphically display communication lines between internal and external people.
- Search for key people, words and phrases, or dates and times.
- Create graphs, charts and reports to help demonstrate conclusions and present to corporate executives, opposing parties or judges.
For more information about Ontrack Firstview, visit www.ontrackfirstview.com.
Meet our representatives at the following
events:
| 4/24/2007 |
Audio Data Discovery: The Next Frontier |
Online Seminar |
4/24/2007 - 4/25/2007 |
Legal Works A to Z |
Atlanta, GA |
5/1/2007 - 5/2/2007 |
Legal Works A to Z |
Toronto, Canada |
5/15/2007 - 5/16/2007 |
Legal Works A to Z |
Denver, Colorado |
6/3/2007 - 6/6/2007 |
Techno Security |
Myrtle Beach, SC |
6/7/2007 - 6/8/2007 |
Electronic Discovery Certification Course |
Eden Prairie, MN |
| 6/12/2007 - 6/13/2007 |
LegalWorks A to Z |
Chicago, IL |
6/20/2007 - 6/21/2007 |
LegalTech West Coast |
Los Angeles, CA |
| 7/26/2007 - 7/27/2007 |
Paralegal Managers Institute |
Washington, D.C. |
9/10/2007 - 9/11/2007 |
Electronic Discovery Certification Course |
Eden Prairie, MN |
11/8/2007 - 11/9/2007 |
Advanced Electronic Discovery Certification
Course |
Eden Prairie, MN |
12/6/2007 - 12/7/2007 |
Electronic Discovery Certification Course |
Eden Prairie, MN |
Visit www.krollontrack.com/upcomingevents for more information on these events and others.
Back To Top
WE REQUEST YOUR INPUT
Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.
This newsletter is written by Michele C.S. Lange, a staff attorney with Kroll Ontrack. Ms. Lange has published numerous articles and speaks regularly on the topics of e-discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.
For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.
|
 |
