Electronic discovery and digital forensics continue to play ever-increasing roles in case law. Negligent e-discovery conduct has been sanctioned in all 12 federal judicial circuits.
Two local cases, Mechling v. City of Monroe and O'Neill v. City of Shoreline, highlight the importance of email metadata. In the latter case, the court ruled that if the defendant is obligated
to provide the emails, then it also is obligated to provide the metadata.
Electronic Discovery vs. Digital Forensics
Electronic discovery is typically the gathering, filtering and production of large volumes of relevant data for legal review. It may leave important information undiscovered. The data are
accessed, but not analyzed, and typically do not include discarded, hidden or deleted data. File time stamps - one form of metadata - are usually altered by the electronic discovery
collection process.
In contrast, computer forensics, a subset of digital forensics, involves investigative and detailed analysis on one or more hard drives or PCs in search of both active and latent
information to determine who did what and when. The data are preserved - unaltered - before analysis. Then during analysis, critical events are recreated and, if necessary, passwords
or encryption are cracked.
Digital forensics uses these same techniques applied to networks, PDAs, cell phones, and even some printers and copiers that may retain copies of documents internally.
Because of the different objectives and strategies, electronic discovery frequently ignores useful information. In some cases, it may even destroy data that could be useful to a
forensic analyst.
Some Data Are Available Only To Forensic Analysis
A forensic analyst examines all of the data that electronic discovery would reveal and then probes latent data, slack space and protected system files. Metadata is far more
important than what is implied in the first paragraph as it frequently enables determining when files were created, viewed, or printed.
System files can indicate what external storage, such as USB or thumb drives, were attached and when, as well as what programs were run and when. Analysis linking metadata
across various files can often link a person with an activity. Slack space can contain names of deleted files even if the files have been overwritten.
Case Study
In a recent case, a business owner asked his IT consultant to image a computer hard drive for a planned forensic analysis and to try to recover files.
First, as is typical of electronic discovery, only active data were imaged for analysis. These are files that the computer user has access to and hasn’t deleted and
ignores latent data in unallocated space and slack space. From a forensics perspective, the most interesting information is in the latent data. Latent data are data from previous
operations that the computer no longer uses or keeps track of.
Next the IT person looked around to see what was on the drive and what files might be recoverable. Simply turning on the computer and looking at the directory listings changes
the metadata a forensic analyst uses to reconstruct when events occurred. In addition, some versions of Windows automatically defragment the drive when the computer is running.
This overwrites significant portions of deleted files and destroys the associated latent data.
Next, data recovery software was installed on the hard drive in an attempt to recover files. This step overwrote and destroyed even more latent data and possibly even files that may
have been recoverable before the software was installed.
In the end, no useful files were recovered and the case had to be based entirely on attempting to prove that the computer user deliberately destroyed data. Although there was
enough information to show that the disk had been overwritten and the operating system re-installed, the quantity of data destroyed by a well-intentioned, but uninformed IT team cast
a cloud of uncertainty over who destroyed the data.
What Should Have Happened
In this case, because the concern was to recover files and prove that files had been deliberately destroyed, the computer should have been powered off and left off. A forensic image
should have been made of the hard drive by a digital forensic expert. Then a forensic analyst would be able to analyze the data to determine what transpired and recover any recoverable
files. Any findings would not have had the burden of uncertainty.
However, if the concern is intrusion, the computer should be left powered on, disconnected from the network, and a digital forensics expert called. Some forms of malware reside only
in memory and will be lost by removing power.
The Possible Consequences
The Consequences of improper analysis can include lost cases and sanctions from the court. In Chen V. Dougherty, the court reduced the rate for one attorney because her “inhibited
ability to participate meaningfully in electronic discovery” was indicative of “novice skills in this area” and not “experienced council”. As noted at the beginning of this article, negligent
e-discovery conduct has been sanctioned in all 12 federal judicial circuits.
In conclusion, it is important to understand the difference between Electronic Discovery and digital Forensics and to demonstrate expertise in managing the two approaches.
Glossary
Active data
Data visible to the system's operating
system. Active data are accessible without modification or reconstruction.
Allocated
space
Disk
space that the operating currently considers in use. Allocated space includes
active data as well as slack space.
Defragment
Also referred to as defrag, Defrag
is a Windows system maintenance tool. It is normally used to improve system
performance when a hard drive has become fragmented. Defrag also has
the effect of making it difficult to recover information that was previously deleted.
Latent Data
Latent data is any data that the operating
system no longer accesses or uses. It includes deleted files and, more importantly, information or metadata about the deleted files. This metadata is often
available long after the files have been
deleted and overwritten. Latent data can only be observed with special software tools.
Metadata
Literally data about data.
Metadata is information about the history and management of a document or computer file. It is generally
not visible in the ordinary display or printing of the document.
Slack
space
Space
that is allocated but not currently in use. It may contain information from
previous usage, but is not accessible without special software tools.
Unallocated
Space
This is
space that is marked by the operating system as available. Unallocated space, however, can contain all or part of previously deleted files. When a file is
deleted, the operating system marks the space as available for use, but does
not delete the file. The file remains intact until the space once
occupied by the file is partially or completely overwritten. Data located in
unallocated space is also called latent or ambient data. Data in unallocated
space are not accessible by normal methods, and requires special software tools
to access it in a meaningful manner.
