Posted in Buy Essay Store
Aug
Sun
30
Buy Essay Store

The Information Management Journal, September/October 2007 – Today’s explosion of electronic data, coupled with the December 2006 amendments to the Federal Rules of Civil Procedure (FRCP) concerning electronically stored information (ESI), requires information and legal professionals to expand their knowledge about handling electronic discovery. The recent changes to the FRCP include:

* Definitions and safe harbor provisions for the routine alterations of electronic files during routine operations such as backups [Amended Rule 37(f)]

* Information about how to deal with data that is not reasonably accessible [Amended Rule 26(b)(2)(B)]

* How to deal with inadvertently produced privileged material [Amended Rule 26(b)(5)]

* ESI preservation responsibilities and the pre-trial conference [Amended Rule 26(f)]

* Electronic file production requests [Amended Rules 33(d), 34, 26(f)(3), 34(b)(iii)]

There are many opinions about how ESI should be planned for, managed, organized, stored, and retrieved. Some of the available options are extremely costly in terms of their required financial and time commitments. Constantly changing technologies only add to the confusion. One area of confusion is the distinction between computer forensics and electronic discovery; there is a significant difference. The differences are described in the sidebar “Computer Forensics vs. Electronic Discovery.”

Making the Right Choices

Successfully responding to e-discovery within the constraints of the amended FRCP requires organizations to make many critical decisions that will affect the collection and processing of ESI.

Collection Decisions

The following questions need immediate answers:

1. Are e-mail files part of this project? If so, do any key people maintain an Internet e-mail account, in addition to their corporate accounts?

The sheer volume of transactions for large e-mail providers prohibits the storage of massive amounts of mail files. Many Internet e-mail account providers, such as AOL, BellSouth, and Comcast, retain their e-mail logs no longer than 30 days. If a case could potentially require the exploration of e-mail from Internet accounts, the discovery team must expeditiously request the records, or they may be gone forever. This usually requires a subpoena. In rare cases, fragments of Internet e-mail may be recovered forensically from an individual’s hard drive.

2. Is there any chance illegal activity may be discovered?

Many cases involving electronic data uncover wrongdoings. These situations may involve a member of the technology department or a highly technical employee. In these cases, an organization’s first inclination may be to terminate the employee(s) involved and determine the extent of any damage prior to notifying law enforcement agencies.

This may be exactly the WRONG thing to do. If the wrongdoing is by a technical person, there is a chance that he or she is the only person who knows how to access the files, find the problem, or fix it. This is often the person who knows the passwords for mission-critical applications. The technical employee usually has the ability to work and access company files remotely. Unless such access is eliminated prior to the employee’s termination, it is possible that a terminated or disgruntled employee may access the network and do great damage.

A better solution is to restrict the employee’s complete access privileges, both local and remote. The employee is then notified of management’s knowledge of the situation and given an opportunity to cooperate to minimize the damage. If the situation involves criminal matters, especially if financial or medical records have been compromised, a good decision is to involve law enforcement as early as possible. Electronic criminals frequently disappear and destroy all evidence of their activities.

3. Is it possible that deleted or hidden files may play an important role in this case?

There are three ways to collect electronic files for discovery:

* Forensically – as described in the sidebar

* Semi-forensically – using non-validated methods and applications to capture files

* Non-forensically – using simple cut-and-paste copy methods to move copies of files from one location to another. These methods do not include hashing the files to ensure they have not changed. Hashing uses a hash algorithm to create a mathematical fingerprint of one or more files; the fingerprint changes if any change is made to the collection.

For some matters, the content of electronic documents is all that matters. The context of the files – who created them, how they are kept, how they have been accessed, if they have been changed or deleted – is not as important.

For other cases, contextual information, including finding deleted files, is vital and requires a forensic collection. This includes:

* Ensuring legal search authority of the data

* Documenting chain of custody

* Creating a forensic copy using validated forensic tools that create hash records

* Using repeatable processes to examine and analyze the data

* Creating a scientific report of any findings

Determining the value of electronic forensic file collection must be done prior to any data being captured. Once semi- or non-forensic methods have been used, it is impossible to return records to their original states.

4. Are backup tapes part of an active collection?

Some cases involve historical issues, making the method of handling computer backups important to address immediately.

Most businesses use a schedule of rotating their backup media. For example, in a four-week rotation, daily backups are done for a week and then those tapes (or drives) are taken offsite for storage. A new set of media is used for the second, third, and fourth weeks, and then those three tapes are stored offsite. On the fifth week, the tapes/drives from the first week are reused. This process is done for financial reasons, as it is extremely cost-efficient.

Backup tapes may become part of the active information required to be kept under a litigation hold. This requires cessation of any rotation schedule, and the 2006 amendments to the FRCP make it critical for the legal team to convey that information to the technology employees responsible for business continuity processes.

Processing Choices

Because of the volume of information available in even the smallest of collections, it becomes necessary to manage the process to control time and budget. The following questions need to be answered:

1. Who are the key people?

The people important to a case should be identified. These key individuals include not only executives, but also assistants and other support personnel from the technology, accounting, sales and marketing, operations, and human resources departments.

2. Where are the files located?

All the potential locations of electronic evidence should be identified. These include home computers and all computers that a key person would use elsewhere (such as a girlfriend or boyfriend’s home), cell phones, PDAs, Blackberries, and any other digital device that might be used. It is important to note that MP3 players, such as iPods, can also be used to store documents or important files.

3. How can the collection be culled?

Methods for limiting the number of files collected may include collecting only those in certain date ranges or only those containing selected key words or terms. This can be done either before or after an entire hard drive is collected forensically. Known file filtering can also reduce the collection by removing standard application files common to all computers (such as the Microsoft Windows® logo file).

4. How should password-protected/encrypted files be handled?

Encrypted files cannot be processed until the encryption is broken. In some instances, files with exact or similar names may be available without using passwords or encryption. File locations may also indicate how valuable decryption would be. Decryption may require significant time. Sometimes a password can be obtained simply by asking for it, so this should be the first step. If that fails, using a subpoena may be successful.

5. How should duplicate and near-duplicate documents be handled?

Electronic file collections almost always include duplicates. Multiple individuals may have the same e-mail, with the same attachments. Two or more people may have reviewed key documents, saving them on their hard drives during the process. In processing electronic collections, it is possible to identify exact duplicate files and limit the number of documents that require review.

Identifying exact duplicates usually occurs during the phase in which the metadata is identified and extracted from the files. De-duping the collection will minimally delay the processing.

Standard de-duping involves identifying files that are exact duplicates and eliminating them. If anything has changed within a document, including formatting such as a change of font, it is no longer an exact duplicate and is not de-duped.

It is imperative that both sides of a case agree on what is meant by “de-duping.” Many electronic discovery systems literally delete the files so they are gone from the collection. The forensic tools used in law enforcement, however, usually do not delete the duplicates, but merely identify them for future use.

Discussing this definition during the pre-trial conference to ensure that all sides of a case use the same definition is imperative to ensuring that there is not a discrepancy in the number of files that each side later has.
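The two meanings of de-duping described above can be compared side by side. The following Python sketch is an added example, not part of the original article; the sample collection is constructed and the function names are assumptions. It also shows that a formatting-only change produces a different hash, so that file is not treated as an exact duplicate.

```python
import hashlib

# Constructed sample collection: (custodian, file name, file bytes).
COLLECTION = [
    ("alice", "budget.doc", b"FONT=Arial\nQ3 budget: 1.2M\n"),
    ("bob", "budget.doc", b"FONT=Arial\nQ3 budget: 1.2M\n"),       # byte-identical copy
    ("carol", "budget_v2.doc", b"FONT=Times\nQ3 budget: 1.2M\n"),  # same text, new font
    ("bob", "memo.txt", b"Call counsel before Friday.\n"),
    ("alice", "FW memo.txt", b"Call counsel before Friday.\n"),    # byte-identical copy
]


def content_hash(data):
    """SHA-256 of the file bytes; file names and custodians play no part."""
    return hashlib.sha256(data).hexdigest()


def dedupe_delete(collection):
    """Keep the first copy of each hash and drop the rest from the collection."""
    seen, kept = set(), []
    for custodian, name, data in collection:
        digest = content_hash(data)
        if digest not in seen:
            seen.add(digest)
            kept.append((custodian, name))
    return kept


def dedupe_flag(collection):
    """Keep every item; record on later copies which item they duplicate."""
    first, flagged = {}, []
    for custodian, name, data in collection:
        digest = content_hash(data)
        flagged.append({"item": (custodian, name), "duplicate_of": first.get(digest)})
        first.setdefault(digest, (custodian, name))
    return flagged


if __name__ == "__main__":
    print("delete-style count:", len(dedupe_delete(COLLECTION)))
    flagged = dedupe_flag(COLLECTION)
    print("flag-style count:  ", len(flagged))
    for row in flagged:
        print(row)
```

The same five files yield a count of three under one definition and five under the other, which is the discrepancy the pre-trial discussion is meant to prevent.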

A more significant portion of any collection will be “near duplicates.” This includes files that have been significantly altered or contain only a portion of the main document. For some projects, the sheer file volume requires that near duplicates be identified and reviewed as a group. This significantly reduces review time and costs when compared to traditional linear review.

Identifying near duplicates requires comparing each document to every other document or using sophisticated software applications that require additional processing time. This technology increases consistency of review categories, reducing the chance of near-duplicate documents being identified as both privileged and non-privileged.
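The "compare each document to every other document" approach can be sketched as follows. This is an added example, not part of the original article and not any vendor's method: it uses three-word shingles and Jaccard similarity, which is one common way to score textual overlap. The sample documents, the 0.5 threshold and the function names are assumptions.

```python
import re
from itertools import combinations

# Constructed sample documents (id -> text).
DOCS = {
    "d1": "Please review the attached settlement draft and send comments to outside counsel by Friday.",
    "d2": "Please review the attached settlement draft and send your comments to outside counsel by Monday.",
    "d3": "FYI. Please review the attached settlement draft and send comments to outside counsel by Friday.",
    "d4": "The quarterly sales meeting has moved to the fourth floor conference room.",
}


def shingles(text, k=3):
    """Set of k-word shingles from lower-cased text with punctuation removed."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a, b):
    """Jaccard similarity: size of the intersection over size of the union."""
    return len(a & b) / len(a | b) if a | b else 1.0


def near_duplicate_groups(docs, threshold=0.5):
    """Compare every pair; merge pairs at or above threshold into review groups."""
    sets = {doc_id: shingles(text) for doc_id, text in docs.items()}
    parent = {doc_id: doc_id for doc_id in docs}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for a, b in combinations(docs, 2):  # n * (n - 1) / 2 comparisons
        if jaccard(sets[a], sets[b]) >= threshold:
            parent[find(b)] = find(a)
    groups = {}
    for doc_id in docs:
        groups.setdefault(find(doc_id), []).append(doc_id)
    return sorted(sorted(group) for group in groups.values())


if __name__ == "__main__":
    for group in near_duplicate_groups(DOCS):
        print(group)
```

The pairwise loop grows quadratically with the number of documents, which is the processing cost the paragraph above refers to; reviewing each resulting group together is what keeps privilege calls consistent across its members.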

6. What form should the collection take?

The new rules state that the parties will meet and determine the format in which they wish to receive electronic evidence. In the absence of an agreement, the format will be that “in which it is ordinarily maintained” or in a “reasonably usable” format.

The choices a legal team has include whether each side prefers to receive the electronic evidence in native file format, converted to TIF or PDF, or in some other form. Often, this will depend upon the team’s standard litigation review system.

Such systems handle both native and converted files, with or without associated metadata and full text. There are pros and cons for both options. Native files with extracted metadata reflect the exact original file; however, they cannot be Bates labeled (marked with a unique identification code as they are processed) and are subject to inadvertent change.

Converting native files to TIF or PDF is time-consuming and is the most expensive task in electronic discovery. Because 60 to 80 percent of the files in a collection may be non-responsive or irrelevant, both the time and finances expended in conversion may be counterproductive.

The best compromise involves receiving files in native format, reviewing them for relevancy, and converting to image format only those that may be produced or used extensively.

Managing the vast amount of electronic files for litigation requires planning for the production, organization, and retrieval of pertinent and relevant documents, as well as managing both cost and time budgets. Because every case presents unique circumstances, there are no absolute correct answers to the questions above. But a team that understands the choices and their ramifications is prepared to make the informed decisions that will result in the best possible outcomes for the case and the organization.


Computer Forensics

The field of computer forensics was developed primarily by law enforcement personnel for investigating drug and financial crimes. It employs strict protocols to gather information contained on a wide variety of electronic devices, using forensic procedures to locate deleted files and hidden information.

Computer forensics tasks include capturing all the information contained on a specific electronic device by using either a forensic copy technique or by making an image of all or a portion of the device. A forensic copy provides an exact duplicate of the hard drive or storage device. None of the metadata, including the “last accessed date,” is changed from the original. However, the copy is a “live” version, so accessing the data on the copy, even only to “see what is there,” can change this sensitive metadata.

By contrast, making a forensic image of the required information puts a protective electronic wrapper around the entire collection. The collection can be viewed with special software, and the documents can be opened, extracted from the collection, and examined without changing the files or their metadata.

Other forensic tasks include locating and accessing deleted files, finding partial files, tracking Internet history, cracking passwords, and detecting information located in the slack or unallocated space. Slack space is the area at the end of a specific cluster on a hard drive that contains no data; unallocated space contains the remnants of files that have been “deleted” but not erased from the device, as “deleting” simply removes the pointer to the location of a specific file on a hard drive, not the file itself.

Electronic Discovery

Electronic discovery has its roots in the field of civil litigation support and deals with organizing electronic files using their attached metadata. Because of the large volume encountered, these files are usually incorporated into a litigation retrieval system to allow review and production in an easy methodology. Legal data management principles are used, including redaction rules and production methodologies.

Electronic discovery tasks usually begin after the files are captured. File metadata is used to organize and cull the collections. Documents can be examined in their native file format or converted to TIF or PDF images to allow for redaction and easy production.

Common Capabilities, Different Philosophies

Computer forensics and electronic discovery methodologies share some common capabilities. One is the ability to produce an inventory of the collection, allowing reviewers to quickly see what is present. Another is the ability to determine a common time zone to standardize date and time stamps across a collection. Without this standardization, an e-mail response may appear to have been created before the original e-mail.
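The time zone problem described above is easy to reproduce. The following Python sketch is an added example, not part of the original article: the three messages are constructed, and the `device_utc_offset` field is a hypothetical way of recording a custodian's documented time zone for timestamps that carry no offset of their own.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: an e-mail sent from New York, the reply sent from
# Los Angeles, and a forward whose header carries no UTC offset.
MESSAGES = [
    {"id": "original", "date": "Mon, 05 Mar 2007 12:15:00 -0500"},
    {"id": "reply", "date": "Mon, 05 Mar 2007 09:20:00 -0800"},
    {"id": "forward", "date": "Mon, 05 Mar 2007 11:30:00", "device_utc_offset": -6},
]


def to_utc(msg):
    """Normalize a message timestamp to UTC, using the device offset if needed."""
    stamp = parsedate_to_datetime(msg["date"])
    if stamp.tzinfo is None:
        if "device_utc_offset" not in msg:
            raise ValueError(f"{msg['id']}: no offset in timestamp or device record")
        stamp = stamp.replace(tzinfo=timezone(timedelta(hours=msg["device_utc_offset"])))
    return stamp.astimezone(timezone.utc)


def order_by_wall_clock(messages):
    """Sort on the local time as displayed, ignoring offsets (the mistake)."""
    return [m["id"] for m in sorted(
        messages, key=lambda m: parsedate_to_datetime(m["date"]).replace(tzinfo=None))]


def order_by_utc(messages):
    """Sort after converting every timestamp to the common time zone."""
    return [m["id"] for m in sorted(messages, key=to_utc)]


def inventory(messages):
    """(id, ISO 8601 UTC timestamp) pairs, in true chronological order."""
    return [(m["id"], to_utc(m).isoformat()) for m in sorted(messages, key=to_utc)]


if __name__ == "__main__":
    print("wall clock:", order_by_wall_clock(MESSAGES))
    print("normalized:", order_by_utc(MESSAGES))
    for row in inventory(MESSAGES):
        print(row)
```

Sorted by displayed local time, the reply appears nearly three hours before the message it answers; after normalization to UTC the true sequence is restored.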