Critical e-vidence

Mark St. Peter
Computing Source

You do not need to be a computer forensics expert or a digital evidence specialist to be familiar with some of the stories about the costs and consequences of failing to preserve and protect critical electronic evidence.

Specialized litigation support services that provide e-discovery expertise and support are part of an emerging and rapidly evolving field, and they have moved quickly from a niche luxury to a mainstream legal necessity. At a time when an estimated 97 percent or more of all information is stored and communicated electronically, the ability of electronic discovery and computer forensics professionals to locate, authenticate and preserve relevant data in a timely, efficient and effective manner is essential to resolving a wide range of legal disputes.

And while there is plenty of discussion and debate about the technical, legal and logistical elements of the e-discovery process, the single most important piece of the e-discovery puzzle is actually quite straightforward: preservation. For attorneys looking to learn more about the process, one fundamental certainty is that the failure to properly preserve electronic evidence can be the most fatal blow to a legal case. And because decisions made fairly early on in the litigation process about what to preserve and how to preserve it can make or break a case further down the road, knowing when, why and how to preserve electronic evidence should be part of the professional toolkit of every litigator.

Preserve and protect
The legal duty to preserve electronically stored information is triggered by different events in different jurisdictions, but there are some circumstances when it is prudent to be proactive and preserve data as a precautionary measure:

• Employee departures. It is important to move to protect an employee's information before their computer is re-deployed, and also to save a copy of their network-based mailbox before their user account is deleted. This is especially crucial in situations where an employee is going to be terminated for cause: it may be a good idea to preserve their data before the termination, as many employees have had an “electronic shredding party” after learning that they have been let go.

• Upon the occurrence of events likely to lead to litigation or upon a threat of litigation. While this may seem obvious, it is remarkable how often attorneys and their clients fail to take full advantage of the critical window of opportunity before a legal action is filed.

• During litigation. Remember that electronic evidence preservation is an ongoing process, not a discrete event. Litigation often takes a long time, and business does not stand still: servers need to be replaced or upgraded, new computers arrive, and things change. In order to avoid losing critical information and (just as importantly) to avoid accusations of spoiling or corrupting key evidence, attorneys need to be both careful and diligent to continue to identify, gather and protect vital data.

Key considerations
For legal professionals, understanding the technical details is less important than appreciating the broad principles that should guide your decision-making with regard to electronic evidence preservation:

Less is not more

Remember that while you may not need or use everything you preserve, the relevance of key pieces of information might not always be immediately obvious, and it is always nice to have the option to access and present important evidence as its relevance becomes clear. So take heed: it is always better to collect more than you require because you cannot go back.

Consider the value equation

Consider this underappreciated fact: while the preservation of data is the least expensive stage of electronic discovery, its omission can be the most expensive. Structure your preservation priorities accordingly. It might seem difficult to justify the cost of electronic discovery in the early stages of a case, but it is almost always worth it to exercise an abundance of caution with respect to the volume of data you recover. When in doubt: preserve, preserve, preserve.

Proceed with caution
Electronic evidence is omnipresent; it is (no pun intended) virtually everywhere. But electronic evidence is also very fragile: it can be destroyed with a single click of a mouse or by automatic system processes. Attorneys should make a point to work with a trusted and experienced computer forensics and electronic evidence preservation specialist who understands the unique obligations of the legal process.

Tips and techniques

While the detailed and technical work should always be left to trained professionals, here are some of the important Dos and Don’ts for preserving electronic information:

Do…
…sequester data
Sequestering a hard drive or even a whole computer is a crude but effective technique. When sequestering a hard drive, simply remove it from the computer (do not forget to store it in a static protective bag and label the drive as to which machine and which user it came from, as well as any other relevant information).

…use forensic drive imaging

A forensic or “bit-stream” copy of a hard disk drive copies every sector of data whether used by a file or not. This type of copy even captures inactive or deleted files, which might turn out to be crucial if a case ends up hinging on information that “used to be there”.
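
The following Python example is added here and is not part of the original article. It makes a sector-by-sector copy of a constructed 64-sector sample "disk", records a SHA-256 hash at acquisition, re-hashes the copy to verify it, and marks the copy read-only; the file names, sector layout and marker strings are assumptions made for the illustration.

```python
import hashlib
import os
import stat
import tempfile

SECTOR = 512  # assumed sector size for this illustration

def image_source(src_path, dst_path, block_sectors=128):
    """Copy every sector of src to dst; return SHA-256 of the bytes read."""
    digest = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(SECTOR * block_sectors)
            if not block:
                break
            digest.update(block)   # hash exactly what was acquired
            dst.write(block)       # copy it whether or not a file uses it
    # Mark the copy read-only so later review cannot alter it by accident.
    os.chmod(dst_path, stat.S_IRUSR)
    return digest.hexdigest()

def sha256_file(path):
    """Re-hash a finished image so it can be compared with the acquisition hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def build_sample_disk(path):
    """Constructed sample: one 'live' file and one 'deleted' remnant in unused space."""
    disk = bytearray(SECTOR * 64)
    disk[SECTOR * 4:SECTOR * 4 + 11] = b"LIVE REPORT"
    disk[SECTOR * 40:SECTOR * 40 + 13] = b"DELETED MEMO!"
    with open(path, "wb") as f:
        f.write(disk)

def demo():
    workdir = tempfile.mkdtemp()
    src, dst = (os.path.join(workdir, n) for n in ("source.dd", "evidence.dd"))
    build_sample_disk(src)
    acquired = image_source(src, dst)
    verified = sha256_file(dst)
    with open(dst, "rb") as f:
        remnant_kept = b"DELETED MEMO!" in f.read()
    writable = bool(os.stat(dst).st_mode & stat.S_IWUSR)
    return acquired, verified, remnant_kept, writable

if __name__ == "__main__":
    print(demo())
```

Matching hashes show the copy is bit-for-bit identical to what was read, and the remnant check shows that data no file refers to is still present in the image.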
Don’t…

…change the metadata
It is important to not let IT departments or other casual interested parties “browse” through potentially sensitive or relevant files. Accessing files changes the access dates and other information stored on the system and can confuse or corrupt critical information. It is better to conduct your reviews on write-protected copies of files.

…forget e-mail pruning
Many corporate email systems are programmed to delete emails after they have reached a certain age. When sensitive information is at stake, these “pruning” operations need to be suspended. Alternatively, a copy of the potentially relevant e-mails should be made before the clock runs out on them.
…ignore cloud-based information

As cloud-based storage continues to become more popular, it is important to recognize that this information is uniquely vulnerable: it can be accessed from anywhere on the internet, and, unlike information stored on stand-alone hard drives, it is difficult (if not impossible) to recover once deleted. It is vitally important to preserve this data before you find yourself compromised or empty-handed.

In short, the outcome of many cases hinges upon the recovery of deleted information. It is critical to note that if you act promptly, you have a higher chance of recovering information. The longer you delay, the lower the probability of the information being discovered.

As you can see, there are many detailed parts and pieces related to e-preservation. We have just scratched the surface of the often overwhelming world of what lies beneath the computer screen.

————————

Mark St. Peter is managing director of Southfield-based Computing Source.
