A Rose by Any Other Name... Paying Attention to the Thorns
The purpose for examining data thought to contain electronic evidence typically is to determine who-knew-what/did-what-and-when. Companies often attempt to perform their own examination of data, but lack the forensic knowledge, tools, and human resources to provide accurate results in a timely manner. In addition, opposing counsels often seize upon the purported lack of neutrality by employees who produce data for their company relative to legal matters. Should the matter reach a jury, having a corporate IT resource testify as to how and when certain activities were performed is a scary enough thought, but how scary is it to think about opposing counsel planting the seed of doubt in the jurors' heads when it is suggested that the resource selectively produced information under pressure from company executives.
The neutrality of third-party services cannot be stressed enough when it comes to electronic evidence productions. Even though expert vendors may utilize some of the same technology available to general corporate IT departments, the mere fact that a party with no vested interest in the outcome of the matter produced the data offers credence to the evidence.
So - with this being said - where is the data stored and how is it accessed?
Severs, PC's & Laptops tell you what is happening today. Backups (typically either on tape or disk) tell you what happened yesterday and before. Therefore any investigation worth its weight in salt, needs to look at any and all media potentially pertaining to a case. Service providers, such as eMag, utilize the best tools possible that match the specific requirements of each of our customers' needs. There are literally hundreds of tools available and we employ a team of forensic experts whose responsibility it is ensure that when our services are utilized relative to a forensic matter, we can confidently testify to the tool and our methodology, should our work ever be challenged. Part of any good investigation is to define a search window - as to examine everything would be prohibitive, both in time and cost. Usually a list of file types and email users, along with a date range and keyword list is provided. Data processing then commences.
Once data is extracted, it then has to be examined. There are two primary manners to examine data in the electronic evidence arena: natively or in a converted format. Native files require the application to which the file is created or a separate viewer application to examine the file contents. The benefits of such examination are few, as access to embedded objects, hidden formulas, metadata, e-mail attachments and other important information is extremely difficult and requires the use of additional software.
Converted formats, such as PDF files and TIFF images, by themselves are of no more benefit than native files. What is of benefit is the outcome of the processes utilized to create them. When files are converted to PDF or TIFF format, the conversion process typically extracts the metadata and other potentially relevant data along with the generic file content. The same can be performed to native files, but when native files are accessed the associated metadata is modified. The converted files can reference the original files, but can be redacted (marked-up), Bates numbered, or have many other activities performed against them.
We are just scratching the surface with this article. The whole process is thorny and technically challenging, even for the most experienced examiners and with data volumes literally more than doubling each year, the challenge of finding the proverbial needle in a haystack grows ever harder. At the same time, as the tools and techniques used continue to mature and get more intelligent, the discovery proposition gets a little rosier for the examiners. In the third part of this series we will look at the various classes of tools used by Forensic examiners. And in the meantime, if you have any questions or need our help in any related Litigation Support manner, from a neutral third party, please contact us here at eMag, as we are happy to help.
This article may be re-published as long as the following resource box is included at the end of the article and as long as you link to the email address and the URL mentioned in the resource box:
Article by eMag Solutions. For more articles on eDiscovery and Data Restoration, subscribe to our e-mail Newsletter by sending a blank email to newsletter@emaglink.com or by going to http://www.emaglink.com/.