Top Ten Things to do When Collecting Electronic Evidence

It is now black letter law that information generated and stored on computers and in other electronic forms is discoverable. It is estimated that as much as 30% of the information stored on computers is never reduced to printed form. Moreover, the electronic version of a document usually contains information that simply does not appear in the printed version. As a practical matter, finding the information stored on computers is becoming an important part of the discovery process.

Many lawyers now ask for electronic evidence, especially e-mail, as a routine part of their discovery efforts. But, as a practical matter, most lawyers have little or no experience in collecting and analyzing the data they ask for. This article provides practical advice on how to collect the relevant data and how to assure that data collected can be authenticated and admitted as evidence.

ONE: Send a preservation of evidence letter. Because the information stored on computers changes every time a user saves a file, loads a new program or does almost anything else on a computer, it is critical that you put all parties on notice that you will be seeking electronic evidence through discovery. The sooner the notice is sent the better. The notice should identify as specifically as possible the types of information to be preserved and explain the possible places that information may exist. If necessary, obtain a protective order requiring all parties to preserve electronic evidence and setting out specific protocols for doing so.

TWO: Include definitions, instructions and specific questions about electronic evidence in your written discovery. This is a continuing process, with three objectives to accomplish:

  • First, use a series of interrogatories to get an overview of the target computer system. These interrogatories will be followed up by a 30(b)(6) deposition of the Information Systems department.
  • Second, all requests for production should make clear that you are requesting electronic documents as well as paper. You can do this through defining documents to include items such as data compilations, e-mail and electronically stored data. You should also draft requests that specifically ask for different types of computer-based evidence such as diskettes, e-mail and backup tapes.
  • Finally, if necessary, include a request for inspection so you can examine the computer system first hand and retrieve any relevant data.

THREE: Take a 30(b)(6) deposition of the Information Systems department. This is the single best tool for finding out the types of electronic information that exist in your opponent's computer systems.

Checklist For System Discovery

  • The layout of the computer system, including the number and types of computers and the types of operating systems and application software packages used. When asking about any types of software make sure to ask for the software maker, program name and version of each program (e.g., Corel, WordPerfect, version 6.0).
  • The structure of any electronic mail system, including software used, the number of users, the location of mail files, and password usage.
  • The structure of any network, including the configuration of network servers and workstations and the brand and version number of the network operating system in use.
  • Specific software used. This includes software applications for things such as calendars, project management, accounting, word processing, and database management. It also includes industry-specific programs, proprietary programs, encryption software and utility programs. When asking about software, inquire when software was installed and when it was upgraded.
  • The personnel responsible for the ongoing operation, maintenance, expansion and upkeep of the network.
  • The personnel responsible for administering the e-mail system.
  • The personnel responsible for maintenance of computer-generated records and the manner in which such records are organized and accessed.
  • Backup procedures used on all computer systems in the organization. This should include descriptions of all devices (e.g., tape drives) and software used to create backups, the personnel responsible for conducting the backups, what information is backed up, backup schedules and tape rotation schedules.
  • The process for archiving and retrieving backup media both on and off site.
  • The procedures used by system users to log on to computers and into the network. This includes use of passwords, audit trails and other security measures used to identify data created, modified or otherwise accessed by particular users.
  • Whether and how access to particular files is controlled. Information such as access control lists identifies which users have access to which files.
  • How shared files are structured and named on the system.
  • Routines for archiving and purging different types of data.

FOUR: Collect backup tapes. One of the most fertile sources of evidence is the routine backup created to protect data in case of disaster. This information is normally stored on high capacity tapes, but may exist on virtually any type of media. Backup tapes normally contain all an organization's data, including e-mail, as of a certain date. Common backup procedures call for full backups to be made weekly, with the last backup of the month saved as a monthly backup. While weekly backups are normally rotated, monthly backups are saved anywhere from six months to several years. It is not unheard of for an organization to have kept all its backup tapes from the inception of its computer systems.

When collecting backup tapes in discovery, make sure to also gather information on how the tapes were made. This inquiry must include both the procedures followed and the specific hardware and software used to make the backups. Because, over time, hundreds of different backup programs and equipment have been used, in some cases, it may be impossible to restore backups without using the same software and/or hardware used to create them.

FIVE: Collect diskettes. Data selectively saved by users to diskettes or other portable media is another fertile, but often overlooked, source of evidence. Users save data to diskettes for any number of reasons. Users create "ad hoc backups" of key documents or files to use in case an important document or file is lost. Users may also copy e-mail files to diskette to prevent them from being deleted in automatic purging routines. Finally, users will use diskettes to save data they do not want to keep on company computers.

Diskettes are saved indefinitely by the users that create them. It is not unusual to find a number of diskettes in a witness's desk. Collecting and examining all diskettes created by key witnesses is an essential step in a thorough examination of all electronic evidence.

SIX: Ask every witness about computer usage. In addition to the discovery directed at the computer system, every witness must be questioned about his or her computer use. Individual users' sophistication varies widely. Knowing how each witness uses his or her computer and organizes and stores data may lead to sources of data not revealed by the discovery directed at general system usage. This discovery should also focus on the secretaries and other people assisting key witnesses. Often, documents drafted by the key witness are stored on his or her assistant's computer.

Perhaps the most overlooked source of electronic evidence is the home computer. Data usually ends up on home computers in one of two ways. First, data can be transferred to and from the workplace on diskettes or other portable media. Second, an employee may be able to log on to the company network from home. In this situation, the home computer acts just like the employee's office workstation. Regardless of how data is transferred, the critical point is to find out whether the witness works from home and how data is transferred to and from that home computer.

Palmtop devices and notebook computers are another good source of evidence. Palmtop devices include electronic address books as well as more powerful devices such as 3Com's Palm Pilot and Apple's Newton. In addition to storing calendar and contact information, many of these devices allow users to make notes and use e-mail. Further up the scale, there are notebook computers. Notebook computers are often shared among a number of users. While the notebook computer may not be a witness's primary workstation, it still may contain important pieces of information. Again, the critical point is to ask how palmtop devices and notebook computers are used and what data they may contain.

SEVEN: Make image copies. It is no secret that deleted files and other "residual" data may be recovered from hard drives and floppy disks. How do you make sure that you capture this data? Answering this question first requires a brief explanation of why "residual" data exists.

When working with computers, the term "deleted" does not mean destroyed. Rather, when a file is deleted, the computer makes the space occupied by that file available for new data. Reference to the "deleted" file is removed from directory listings and from the file allocation table, but the bits and bytes that make up the file remain on the hard drive until they are overwritten by new data or "wiped" through use of utility software. The result is that a file appears to have been deleted, but may still be recovered from the disk surface.

Residual data includes "deleted" files, fragments of deleted files and other data that is still extant on the disk surface. To assure that this residual data is captured, you must make an image copy of the target drive. An image copy duplicates the disk surface sector by sector, thereby creating a mirror image of the target drive. In contrast, a file-by-file copy (what is made when you simply select the files you want copied) captures only the data contained in the specific files selected. Even if all files are selected, a file-by-file copy will not capture any residual data.
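To make the deletion mechanism concrete, here is an added Python model, not from the article, of a toy disk with an invented layout: a directory table standing in for the file allocation table and a raw surface of 16-byte sectors. It shows that a file-by-file copy misses a deleted file, that an image copy still carries its bytes, and that only a fragment survives once the freed sectors are reused.

```python
import re
SECTOR = 16          # bytes per sector; tiny on purpose
NUM_SECTORS = 8

class ToyDisk:
    """Directory table plus a raw surface. Deleting drops the directory entry only."""
    def __init__(self):
        self.surface = bytearray(SECTOR * NUM_SECTORS)   # the 'disk surface'
        self.directory = {}                               # name -> (sector list, byte length)
        self.free = list(range(NUM_SECTORS))              # stands in for the file allocation table

    def write_file(self, name, data):
        needed = -(-len(data) // SECTOR)                  # ceiling division
        sectors, self.free = self.free[:needed], self.free[needed:]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.surface[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = (sectors, len(data))

    def delete(self, name):
        sectors, _ = self.directory.pop(name)             # entry and allocation gone...
        self.free = sorted(self.free + sectors)           # ...but the bytes stay until reused

    def read_file(self, name):
        sectors, length = self.directory[name]
        return b"".join(bytes(self.surface[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)[:length]

def file_by_file_copy(disk):
    """What 'select the files and copy' captures: live directory entries only."""
    return {name: disk.read_file(name) for name in disk.directory}

def image_copy(disk):
    """Sector-by-sector duplicate of the whole surface, allocated or not."""
    return bytes(disk.surface)

def carve_strings(image, min_len=8):
    """Crude salvage: printable runs anywhere in the image, including unallocated space."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, image)]

def demo():
    disk = ToyDisk()
    disk.write_file("memo.txt", b"draft merger terms v2 confidential")   # constructed sample content
    disk.write_file("notes.txt", b"lunch at noon")
    disk.delete("memo.txt")
    copied = file_by_file_copy(disk)
    carved_after_delete = carve_strings(image_copy(disk))
    disk.write_file("todo.txt", b"call accountant re: audit")             # reuses freed sectors
    carved_after_reuse = carve_strings(image_copy(disk))
    return copied, carved_after_delete, carved_after_reuse
```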

Electronic Media Collection Checklist

Data Files*

  • office desktop computer/workstation
  • notebook computer
  • home computer
  • computer of personal assistants/secretary/staff
  • palmtop devices
  • network file servers/mainframes/mini-computers

*To assure that all data, including residual data, is captured, an image copy is recommended when copying data from local computer hard drives.

Backup Tapes

  • system-wide backups (monthly/weekly/incremental)
  • disaster recovery backups (stored off site)
  • personal or "ad hoc" backups (look for diskettes and other portable media)

Other Media Sources

  • Tape Archives
  • Replaced/Removed Drives
  • Floppy Diskettes & Other Portable Media (e.g., CDs, Zip cartridges)

EIGHT: Write protect and virus check all media. Now that you have obtained the data, how do you look at it? You likely have a mix of image copies, backup tapes, diskettes, CDs and other media. Before doing anything else, you must maintain the integrity of the media you have received. The two key steps in doing this are write protection and virus checking.

Write protecting media prevents data from being added to that media. Write protecting the media produced guarantees that the evidence you gather is not altered or erased when you are working with it. You should write protect all media before doing anything else with it. The process for write protecting media varies, but is usually fairly simple.

Virus checking, likewise, prevents evidence from being altered and is the second thing you should do with all media. The key is using up-to-date virus checking software. If a virus is detected, record all information about the virus detected and immediately notify the party producing the media. Do not take steps to clean the media, because doing so would change the evidence that was produced to you.

NINE: Preserve the chain of custody. A chain of custody tracks evidence from its original source to what is offered as evidence in court. With electronic evidence, a chain of custody is critical because electronically stored data can be altered relatively easily, and proving the chain is the primary tool in authenticating electronic evidence.

Preserving a chain of custody for electronic evidence, at a minimum, requires proving:

  • no information has been added or changed,
  • a complete copy was made,
  • a reliable copying process was used, and
  • all media was secured.

Write protecting and virus checking all media are the key steps in meeting the first requirement in preserving the chain, and making image copies is the key step in meeting the second.

A reliable copy process has three critical characteristics. First, the process must meet industry standards for quality and reliability. This includes the software used to create the copy and the media on which the copy is made. A good benchmark is whether the software is used and relied on by law enforcement agencies. Second, the copies made must be capable of independent verification. In short, your opponent and the court must be able to satisfy themselves that your copies are accurate. Third, the copies created must be tamper proof.

Securing the media simply assures that your original copies are preserved. Just as you would make working copies of any documents produced, you should create working copies of data.

When you work with data restored from the media you collected, make sure you can track individual files and documents back to their original source. The checklist below sets out one way of doing this.

Checklist For Electronic Media Examination

  • Assign a unique number to each piece of media. (The number series used for numbering electronic media should be distinct from that used for paper documents.)
  • Write protect all media.
  • Virus check all media. Record any viruses discovered and immediately notify the producing party.
  • Print directory listings for each piece of media. Make sure the listing has the media number printed on it.
  • Virus check the drive that you are restoring the data to and make sure the drive is free from any other data. (Restoration should be to a distinct drive, dedicated to a single case.)
  • Restore each piece of media to a file with a name that corresponds to the number assigned to the media being restored (e.g., a diskette numbered 123 should be restored to a file named "Disk 123").
  • Verify that all files on the directory listing appear in the copy restored.
  • Run an undelete or salvage utility and restore any residual data to a separate sub-file for the media (e.g., Disk 123\residual).
  • Secure the source media.
  • When printing a particular document, insert a distinct header or footer that gives the full directory listing for the document printed (e.g., Disk 123\corr\smokinggun.txt).
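The following Python script is an added example, not part of the article, that carries out the numbering, listing and restore-verification steps of the checklist above on constructed sample media and records the result for the chain of custody. It uses SHA-256 hashes, which the article does not mention, as the means of independent verification; the media number, file names and custodian name are placeholders.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    with open(path, "rb") as f:          # sample files are small; read large images in chunks
        return hashlib.sha256(f.read()).hexdigest()

def directory_listing(root):
    """Relative path -> size and SHA-256 of every file under root: the 'directory listing'."""
    listing = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            listing[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return dict(sorted(listing.items()))

def verify_restore(listing, restored_root):
    """Checklist step: every listed file must appear, byte for byte, in the restored copy."""
    restored = directory_listing(restored_root)
    missing = sorted(set(listing) - set(restored))
    changed = sorted(p for p in listing if p in restored and restored[p]["sha256"] != listing[p]["sha256"])
    extra = sorted(set(restored) - set(listing))
    return {"ok": not (missing or changed or extra), "missing": missing, "changed": changed, "extra": extra}

def custody_record(media_number, listing, verification, custodian):
    """Ties the media number, its listing and the verification result to a person and a time."""
    return {"media_number": media_number, "recorded_by": custodian, "file_count": len(listing),
            "recorded_at": datetime.now(timezone.utc).isoformat(), "listing": listing, "verification": verification}

def demo():
    work = tempfile.mkdtemp()
    source = os.path.join(work, "media_123")             # stands in for the diskette numbered 123
    for rel, text in (("corr/memo.txt", "constructed sample memo\n"), ("budget.csv", "q1,100\nq2,250\n")):
        os.makedirs(os.path.dirname(os.path.join(source, rel)), exist_ok=True)
        with open(os.path.join(source, rel), "w") as f:
            f.write(text)
    listing = directory_listing(source)                  # taken before anything is restored
    restored = os.path.join(work, "Disk 123")            # restored into a folder named after the number
    shutil.copytree(source, restored)
    first = verify_restore(listing, restored)            # clean restore: expected to pass
    with open(os.path.join(restored, "budget.csv"), "a") as f:
        f.write("q3,999\n")                              # the copy gets edited: must be detected
    second = verify_restore(listing, restored)
    record = custody_record("123", listing, second, "examiner name (placeholder)")
    shutil.rmtree(work)
    return first, second, record
```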

TEN: Hire an expert. There are many reasons that you should consider retaining an expert to assist in your electronic discovery. The reasons to hire an expert and the qualifications to look for in that expert include:

  • An expert should have the experience and the equipment to handle the diverse array of software and hardware you will inevitably encounter. The combinations of hardware and software used to create, store, manipulate and communicate data are growing daily. An expert will help you navigate through this maze to get what you need: the evidence.
  • An expert can help fine tune your discovery and maximize the amount of relevant data you recover.
  • An expert provides resources for copying and examining data being produced. For example, restoring backup tapes and image copies takes large amounts of drive space (unused computer memory), far more space than most lawyers or their clients have available.
  • An expert should have the tools and skills to search the data you obtain for the evidence relevant to your case.
  • An expert should be able to perform forensic analysis and help recover residual data and other hidden or lost data.
  • An expert will help preserve chains of custody and help prove authenticity. Retaining an expert to collect and analyze electronic evidence removes you from the potentially difficult position of having to testify about the authenticity and accuracy of this evidence.

Conclusion. With the ever-growing use of computers as business and communication tools, data generated and stored electronically are becoming an increasingly important target for discovery. As with all other discovery, the goal in the discovery of electronic information is finding useful information and collecting that information in a manner that assures it can be admitted into evidence. There is no magic to accomplishing this goal: what is required is a proven, methodical approach. While technology will undoubtedly continue to change, the basic techniques for collecting electronic evidence should continue to prove effective.

*article courtesy of Glasser LegalWorks.