EDiscovery 101: Collection to Trial Presentation - Connecticut Bar Association

Page created by Joyce Patton
 
CONTINUE READING
eDiscovery 101: Collection to Trial Presentation

                                                     November 12, 2020
                                                  10:00 a.m. – 12:00 p.m.

                                                     CT Bar Association
                                                             Webinar

                                                   CT Bar Institute, Inc.
                                                 CT: 2.0 CLE Credits (General)
                                                  NY: 2.0 CLE Credits (AOP)

No representation or warranty is made as to the accuracy of these materials. Readers should check primary sources where appropriate and
 use the traditional legal research techniques to make sure that the information has not been affected or changed by recent developments.

                                                                                                                               Page 1 of 58
Table of Contents
Lawyers’ Principles of Professionalism ................................................................................................ 3
Agenda ................................................................................................................................................ 6
Faculty Biographies ............................................................................................................................. 7
eDiscovery 101: From Preservation to Trial ......................................................................................... 8

                                                                                                                                 Page 2 of 58
Approved by the House of Delegates October 19, 2020

                    LAWYERS’ PRINCIPLES OF PROFESSIONALISM
As a lawyer, I have dedicated myself to making our system of justice work fairly and efficiently
for all. I am an officer of this Court and recognize the obligation I have to advance the rule of
law and preserve and foster the integrity of the legal system. To this end, I commit myself not
only to observe the Connecticut Rules of Professional Conduct, but also conduct myself in
accordance with the following Principles of Professionalism when dealing with my clients,
opposing parties, fellow counsel, self-represented parties, the Courts, and the general public.
Civility:
Civility and courtesy are the hallmarks of professionalism. As such,
      I will be courteous, polite, respectful, and civil, both in oral and in written
       communications;
      I will refrain from using litigation or any other legal procedure to harass an opposing
       party;
      I will not impute improper motives to my adversary unless clearly justified by the facts
       and essential to resolution of the issue;
      I will treat the representation of a client as the client’s transaction or dispute and not as a
       dispute with my adversary;
      I will respond to all communications timely and respectfully and allow my adversary a
       reasonable time to respond;
      I will avoid making groundless objections in the discovery process and work
       cooperatively to resolve those that are asserted with merit;
      I will agree to reasonable requests for extensions of time and for waiver of procedural
       formalities when the legitimate interests of my client will not be adversely affected;
      I will try to consult with my adversary before scheduling depositions, meetings, or
       hearings, and I will cooperate with her when schedule changes are requested;
      When scheduled meetings, hearings, or depositions have to be canceled, I will notify my
       adversary and, if appropriate, the Court (or other tribunal) as early as possible and enlist
       their involvement in rescheduling; and
      I will not serve motions and pleadings at such time or in such manner as will unfairly
       limit the other party’s opportunity to respond.
Honesty:
Honesty and truthfulness are critical to the integrity of the legal profession – they are core values
that must be observed at all times and they go hand in hand with my fiduciary duty. As such,
      I will not knowingly make untrue statements of fact or of law to my client, adversary or
       the Court;
      I will honor my word;
      I will not maintain or assist in maintaining any cause of action or advancing any position
       that is false or unlawful;

                                                  1
                                                                                             Page 3 of 58
Approved by the House of Delegates October 19, 2020

      I will withdraw voluntarily claims, defenses, or arguments when it becomes apparent that
       they do not have merit or are superfluous;
      I will not file frivolous motions or advance frivolous positions;
      When engaged in a transaction, I will make sure all involved are aware of changes I make
       to documents and not conceal changes.
Competency:
Having the necessary ability, knowledge, and skill to effectively advise and advocate for a
client’s interests is critical to the lawyer’s function in their community. As such,
      I will keep myself current in the areas in which I practice, and, will associate with, or
       refer my client to, counsel knowledgeable in another field of practice when necessary;
      I will maintain proficiency in those technological advances that are necessary for me to
       competently represent my clients.
      I will seek mentoring and guidance throughout my career in order to ensure that I act with
       diligence and competency.
Responsibility:
I recognize that my client’s interests and the administration of justice in general are best served
when I work responsibly, effectively, and cooperatively with those with whom I interact. As
such,
      Before dates for hearings or trials are set, or if that is not feasible, immediately after such
       dates have been set, I will attempt to verify the availability of key participants and
       witnesses so that I can promptly notify the Court (or other tribunal) and my adversary of
       any likely problem;
      I will make every effort to agree with my adversary, as early as possible, on a voluntary
       exchange of information and on a plan for discovery;
      I will attempt to resolve, by agreement, my objections to matters contained in my
       opponent's pleadings and discovery requests;
      I will be punctual in attending Court hearings, conferences, meetings, and depositions;
      I will refrain from excessive and abusive discovery, and I will comply with all reasonable
       discovery requests;
      In civil matters, I will stipulate to facts as to which there is no genuine dispute;
      I will refrain from causing unreasonable delays;
      Where consistent with my client's interests, I will communicate with my adversary in an
       effort to avoid needless controversial litigation and to resolve litigation that has actually
       commenced;
      While I must consider my client’s decision concerning the objectives of the
       representation, I nevertheless will counsel my client that a willingness to initiate or
       engage in settlement discussions is consistent with zealous and effective representation.

                                                  2
                                                                                            Page 4 of 58
Approved by the House of Delegates October 19, 2020

Mentoring:
I owe a duty to the legal profession to counsel less experienced lawyers on the practice of the law
and these Principles, and to seek mentoring myself. As such:
      I will exemplify through my behavior and teach through my words the importance of
       collegiality and ethical and civil behavior;
      I will emphasize the importance of providing clients with a high standard of
       representation through competency and the exercise of sound judgment;
      I will stress the role of our profession as a public service, to building and fostering the
       rule of law;
      I will welcome requests for guidance and advice.
Honor:
I recognize the honor of the legal profession and will always act in a manner consistent with the
respect, courtesy, and weight that it deserves. As such,
      I will be guided by what is best for my client and the interests of justice, not what
       advances my own financial interests;
      I will be a vigorous and zealous advocate on behalf of my client, but I recognize that, as
       an officer of the Court, excessive zeal may be detrimental to the interests of a properly
       functioning system of justice;
      I will remember that, in addition to commitment to my client's cause, my responsibilities
       as a lawyer include a devotion to the public good;
      I will, as a member of a self-regulating profession, report violations of the Rules of
       Professional Conduct as required by those rules;
      I will protect the image of the legal profession in my daily activities and in the ways I
       communicate with the public;
      I will be mindful that the law is a learned profession and that among its desirable goals
       are devotion to public service, improvement of administration of justice, and the
       contribution of uncompensated time and civic influence on behalf of those persons who
       cannot afford adequate legal assistance; and
      I will support and advocate for fair and equal treatment under the law for all persons,
       regardless of race, color, ancestry, sex, pregnancy, religion, national origin, ethnicity,
       disability, status as a veteran, age, gender identity, gender expression or marital status,
       sexual orientation, or creed and will always conduct myself in such a way as to promote
       equality and justice for all.
Nothing in these Principles shall supersede, supplement, or in any way amend the Rules of
Professional Conduct, alter existing standards of conduct against which a lawyer’s conduct might
be judged, or become a basis for the imposition of any civil, criminal, or professional liability.

                                                 3
                                                                                            Page 5 of 58
E‐DISCOVERY 101 – PRESERVATION TO TRIAL PRESENTATION
                            Connecticut Bar Association CLE
                                   November 12, 2020

Presenters: James Berriman, Esq.; Dana Conneally, Esq.

                            E‐DISCOVERY 101 ‐ Topics and Schedule

10:00 AM ‐ 10:20 AM (20 minutes)

      Evolution of the discovery process: paper to electronic to forensics to analytics
      The primary categories: active‐file ediscovery vs forensic ediscovery

10:20 AM ‐ 10:40 AM (20 minutes)

      The traditional methodology of active‐file ediscovery
      The EDRM workflow (Electronic Discovery Reference Model)
      How the attorney controls cost and scope in the EDRM model

10:40 AM ‐ 11:10 AM (30 minutes)

      The methodology of forensic ediscovery
      A sample case scenario: commercial data theft
      Basic low‐cost elements of forensic analysis

11:10 AM ‐ 11:20 AM (10 minutes)

      Introduction to discovery of social media

11:20 AM ‐ 11:35 AM (15 minutes)

      Introduction to trial technology objectives and methods

11:35 AM ‐ 11:50 AM (15 minutes)

      Introduction to technology‐assisted review

11:50 AM ‐ 12:00 PM (10 minutes)

      Introduction to ediscovery of cloud‐based data
      Questions and Answers

                                                                                           Page 6 of 58
eDiscovery 101 – Collection to Trial Presentation
                 November 12, 2020

                                                            Speaker Bios

                 James Berriman
                 James Berriman is an attorney admitted to practice in the state and federal courts of
                 Massachusetts. He is a certified forensic examiner in digital forensics (EnCE) and has been in the
                 field of litigation technology since 1982. He was formerly the founder and director of the
                 Litigation Technology Group at Goodwin Procter LLP and was the co-founder and CEO of
                 Evidox, a Boston-based ediscovery provider. He has taught Ediscovery and Advanced Civil
                 Procedure at Boston University School of Law, is an annual guest lecturer in the Boston
                 University digital forensics graduate program, and has conducted over 50 CLEs on ediscovery,
                 forensics, metadata, and trial technology. He is currently a consulting expert with Xact Data
                 Discovery.

                 Dana Conneally
                 Dana Conneally is a Managing Director at Xact Data Discovery (XDD). Prior to XDD’s
                 acquisition of Evidox, Dana served as the Chief Strategy Officer at Evidox Corporaton, a leading
                 provider of ediscovery services. Before joining Evidox, Dana was National Manager of
                 Litigation Technology, Goodwin Procter LLP. He has been managing complex litigation
                 discovery projects since 2000.

                 His experience includes electronic data preservation, collection, review, production, and digital
                 forensics. At Evidox, Dana is responsible for identifying developing technologies that can be
                 utilized to mitigate risk, increase productivity, and reduce costs related to the discovery process.
                 He received his law degree from Suffolk University School of Law and his B.A. from Gordon
                 College.

                 Brian Dillon
                 As an eDiscovery Director at Xact Data Discovery, Brian Dillon is responsible for the
                 company’s strategic business development in the Northeast. He has significant experience
                 assisting law firms and corporations on a range of complex litigation matters. Prior to joining
                 Xact, Brian has several years of experience in the industry, managing eDiscovery projects in
                 NYC and servicing clients throughout the world. Brian has also worked with multiple
                 government agencies throughout the U.S.

                                                                                                                        1

                                                                                                            Page 7 of 58
Classified as Public
eDiscovery 101:
        From Preservation to Trial
           Connecticut Bar Association CLE

                       March 21, 2020

                       Presented by:
                 James Berriman, Esq., EnCE
                 Dana Conneally, Esq., EnCE
                    Xact Data Discovery

                                               03-10-2020 Page 1

            A Preliminary Comment

     “Issue spotting” applies to the practice of
    ediscovery just as to any other field of law.

How do we spot issues? Same as always:
 • Abstraction
 • Conceptualization
 • Pattern recognition
 • Focus on scenarios
                                               03-10-2020 Page 2

          The Evolution of Discovery

               Paper Discovery
                        to
             Active-File Ediscovery
                        to
              Forensic Ediscovery

                                               03-10-2020 Page 3

                                                                   Page 8 of 58

                                                                                  1
1. Traditional Paper Discovery

• Source files are manually collected, copied
• Attorney conducts "linear" review - top to bottom
• Attorney "tags” for relevance, issues, privilege
• Manual annotations, post-it notes
• Tagged documents are pulled, numbered,
  endorsed, redacted, copied again for production
• Copies are produced (as many copies as parties)
• Privilege log is created manually

                                                              03-10-2020 Page 4

            1. Traditional Paper Discovery

• “Sizing” the traditional paper case
• Standard unit - the Banker’s Box

                                    Data equivalents:
                                    •    1 box        =     10 MB
                                    • 10 boxes = 100 MB
                                    • 100 boxes =           1 GB

• (Based on max. 5,000 characters per full page, 80 x 60)
                                                              03-10-2020 Page 5

             2. The Ediscovery Epiphany

• Many paper documents were originally electronic
• Printed from email, word processed files, etc.
• What if we stopped printing everything?
• What if we focused on the electronic sources?
• Same philosophy, same goal, better tools:
   • Automated collection, searching, sorting,
     deduping, analytics, copying, production
• The digital extension of traditional paper discovery

                                                              03-10-2020 Page 6

                                                                                  Page 9 of 58

                                                                                                 2
3. Forensics: A New Type of Evidence

• Not just traditional “documentary” evidence
• You can also analyze digital artifacts & history
• Data about the documents:
   • Metadata, doc properties, envelope data
• What was done with a computer:
   • Files deleted, apps run, searches run
• What was done with a cellphone:
   • Phone logs, geolocation data, web history
                                                  03-10-2020 Page 7

  Ediscovery is “Custodian-Centric” (1 of 2)

• F.R.Civ.P. 26: Must produce “all ... electronically
  stored information ... that the disclosing party has
  in its possession, custody, or control and may
  use to support its claims or defenses”

• The person with “posession, custody, or control”
  is called a “custodian”

• Ediscovery (like all discovery) is inherently
  custodian-centric

                                                  03-10-2020 Page 8

  Ediscovery is “Custodian-Centric” (2 of 2)

• A custodian typically has login credentials to the
  relevant repositories (email accounts, online
  accounts, cellphone accounts, etc.)

• A custodian often has physical possession of the
  relevant devices (cell phones, laptops, etc.)

• A custodian often has virtual possession of online
  resources (Dropbox, webmail, etc.)

• By identifying the relevant custodians, you also
  identify the relevant repositories

                                                  03-10-2020 Page 9

                                                                      Page 10 of 58

                                                                                      3
Two Major Categories of Ediscovery

     Active-File                      Forensic
     Ediscovery                      Ediscovery

                                                03-10-2020 Page 10

              Active-File Ediscovery

Scope of Active-File Ediscovery:
• “Active” files -- not deleted files
• “User” files -- not system files
• In short: “human readable” files
• Created by users, accessed by users
• Usually in “business-oriented” formats
• Emails, word-processed documents,
  spreadsheets, presentations, media files, etc.

                                                  03-10-2020 Page 11

              Active-File Ediscovery

Scope of Active-File Ediscovery:

• Communications, reports, financials, marketing
  materials, work product, etc.

• In short: electronic business records

• The digital equivalent of traditional paper files

• Often highly voluminous

• Relevance depends on substantive content

                                                03-10-2020 Page 12

                                                                       Page 11 of 58

                                                                                       4
Active-File Ediscovery

                What matters is
      “on the face of the document”

                                                   03-10-2020 Page 13

             Active-File Ediscovery

Evidence “on the Face of the Document”:

• What is stated in this communication?

• What are the terms of this offer?

• What are the warranties in this contract?

• What is the scope of this specification?

• What is the invention claimed in this patent?

• What is represented in this advertisement?

                                                   03-10-2020 Page 14

             Active-File Ediscovery

       This is traditional legal issue-spotting:
         Relevance, Materiality, Privilege

       These determinations do not require
        technical expertise regarding the
        electronic format of the document

          These determinations are made
                  by the lawyer
                                                   03-10-2020 Page 15

                                                                        Page 12 of 58

                                                                                        5
Two Major Categories of Ediscovery

      Active-File                  Forensic
      Ediscovery                  Ediscovery

                                                 03-10-2020 Page 16

                  Forensic Ediscovery

Scope of Forensic Ediscovery:

• A different goal and a different methodology

• To look behind the face of the active user files

• To assess the digital context of the evidence

• To assess conduct (or misconduct) of the user:

   • What the user did with the documents

   • What the user did with the computer

                                                 03-10-2020 Page 17

     Scope of Forensic Ediscovery (1 of 5)

• Spoliation:
   • Was relevant evidence deleted?
   • When? By whom?
   • Can it be recovered?
• Authenticity:
   • Is the document authentic?
   • Edited? Altered?
   • Fabricated?
                                                 03-10-2020 Page 18

                                                                      Page 13 of 58

                                                                                      6
Scope of Forensic Ediscovery (2 of 5)

• History:
   • When was the file actually created?
   • When? By whom?
   • Edited? Printed? Other versions?
• Access:
   • Who accessed the document?
   • From where? When?

                                              03-10-2020 Page 19

     Scope of Forensic Ediscovery (3 of 5)

• Transmittal:
   • Was the file copied to a USB device?
   • Was the file attached to an email?
   • Was the file uploaded to DropBox?
   • Was the file converted to PDF?
   • Was the file printed?

                                              03-10-2020 Page 20

     Scope of Forensic Ediscovery (4 of 5)

• User Activity:
   • What was the user doing a certain date and
     time?
   • What applications did the user install? Use?
   • What web sites did the user visit?
   • What searches did the user conduct?
   • What communications did the user have?

                                              03-10-2020 Page 21

                                                                   Page 14 of 58

                                                                                   7
Scope of Forensic Ediscovery (5 of 5)

• Cell Phones & Tablets:
  • What is the user’s call history?
  • Where did the user travel?
  • What WiFi locations did the user access?
  • Texts, contacts, photos, videos?

                                              03-10-2020 Page 22

    Sources of Forensic Evidence (1 of 2)

• File system metadata (creation date, saved date)

  • The “Master File Table” in Windows systems

• System caches (automatic system copies):

  • Browser caches, shadow copies, temp files,
    hibernation files, page files

• System databases (like the Windows Registry)

  • USB connection data, user settings, application
    settings
                                              03-10-2020 Page 23

    Sources of Forensic Evidence (2 of 2)

• System logs:
  • Event logs (system event history)
  • Office Alert logs (all user warnings)
• Index.dat (document and search history)
• Technical data within files (transmission headers,
  access logs, internal attributes)
• Unallocated space:
  • Residue of deleted data and past disk activity

                                              03-10-2020 Page 24

                                                                   Page 15 of 58

                                                                                   8
Forensic Ediscovery

              This requires technical issue-spotting
                     and technical expertise

                These determinations are made
                    by the forensic expert

                                                                        03-10-2020 Page 25

          Active-File vs. Forensic Ediscovery

                  Active-File Ediscovery             Forensic Ediscovery

Where is the    Active user documents         Digital environment
evidence?       (electronic business records) of hard drive or device
What is the     Substantive content            User conduct (or misconduct)
focus?          on face of documents           behind face of documents
What is the
                Find relevant documents        Find technical clues
objective?
What kind of
                Legal issue-spotting           Technical issue-spotting
expertise?
Who does the
                Lawyer (with technical help)   Forensic expert (with legal help)
assessment?
What is the
                Document production            Expert opinion / report
result?

                                                                        03-10-2020 Page 26

                           The Traditional
                            Methodology
                            of Active-File
                             Ediscovery

                                                                        03-10-2020 Page 27

                                                                                             Page 16 of 58

                                                                                                             9
The EDRM Workflow

                                                                    03-10-2020 Page 28

   Major Repositories of Electronic Evidence

   Mail      File           Database    Web             Cloud       DR Backups
  Server   Servers           Servers   Server        Repositories

                                                                      Archives

             Workstations                       Portable Devices     Media

                                                                    03-10-2020 Page 29

    Active-File Ediscovery: The Methodology

• Identify relevant custodians
• Identify relevant repositories (custodian-centric)
• Implement preservation plan (repository-centric)
• Interview custodians (learn criteria for relevance)
• Select sub-repositories of interest
• Develop culling and processing criteria
• Conduct disclosures / preliminary conference
• Create review set (culled, deduped, processed)
• Review documents for actual responsiveness
• Produce responsive subset
                                                                    03-10-2020 Page 30

                                                                                         Page 17 of 58

                                                                                                         10
Traditional (Keyword) Winnowing Process
•   Entire Client Network (all sources)
•   Preserved Subset (broad; all potentially-relevant custodians/repositories)
•   Selected Subset (initial priority selections; can be supplemented iteratively)
•   Processed Subset (per objective criteria) = Review Set
•   Responsive Subset (per subjective review) = Production Set
•   Incoming Production (added to review platform)
•   Trial Subset (post-depositions, post-discovery, key documents)

                                  1

                                           Review     Production    Incoming           Trial
                                           Platform      Set       Production         Exhibits

                                                                                03-10-2020 Page 31

                        The EDRM Workflow

                                                                                03-10-2020 Page 32

                 How the Attorney Controls
                Cost in Active-File Ediscovery

                                                                                03-10-2020 Page 33

                                                                                                     Page 18 of 58

                                                                                                                     11
How the Attorney Controls Cost

Basic Concepts of Cost Control:
• Valuation
• Proportionality
• Selection
• Completeness vs Undue Burden

                                               03-10-2020 Page 34

       How the Attorney Controls Cost

Implementation of Cost Control Concepts:
• Preserve broadly - your protection
• Identify highest-priority subsets
• Develop & test criteria to meet target cost
• Disclose criteria to opposing counsel
• Negotiate and finalize first-pass criteria
• Agree to consider supplemental requests
• Go back to preserved pool as necessary
                                               03-10-2020 Page 35

              The General Methodology
               of Forensic Ediscovery

       (We will focus on Windows systems)

                                               03-10-2020 Page 36

                                                                    Page 19 of 58

                                                                                    12
The Basics: What is a Byte?

• Think of a byte as a single “character”
   • Letter, number, symbol
   • Control or formatting code (tab, return, etc.)
   • Unit of data or value

                                                 03-10-2020 Page 37

         The Basics: What is a Sector?

• A sector is the smallest storage unit that a hard
  drive can physically read or write

• 512 bytes per sector is a common size

• This allows the system to handle bytes in groups

• It allows a smaller number of storage addresses
  and faster data handling

                                                 03-10-2020 Page 38

        The Basics: What is a Cluster?

• A cluster is the smallest storage unit handled by a
  file system
• It cannot be smaller than one sector (because that
  is a physical limitation of the hard drive)
• 8 sectors per cluster (4096 bytes) is common
• This allows the file system to be configured to
  handle bytes in larger groups than a sector
• Cluster size is set during formatting; it is a trade-off
  between efficiency and economy of space

                                                 03-10-2020 Page 39

                                                                      Page 20 of 58

                                                                                      13
Large Versus Small Clusters

• Jim's school bus analogy:
   • Sending children by one school bus versus
     many individual taxis
   • Group efficiency at the cost of empty seats
• Jim's post-it note analogy:
   • Small post-it notes versus large post-it notes
   • Need many small ones to do the job of one
     large one, but one large one may be wasted for
     a small note

                                                     03-10-2020 Page 40

                   Cluster Scenario

• The following scenario is an over-simplification, a
  conceptual schematic.

• It shows bytes and clusters but omits sectors.

• The principles of space allocation are the same.

                                                     03-10-2020 Page 41

             An Unformatted Drive

               •   An unformatted “drive”
               •   Lots of byte locations (3200 bytes)
               •   No clusters
               •   No files

                                                     03-10-2020 Page 42

                                                                          Page 21 of 58

                                                                                          14
A Formatted Drive

   •   A formatted drive
   •   Same number of byte locations
   •   Now grouped into 50 clusters
   •   64 bytes per cluster in this example
   •   Fewer addresses to worry about
   •   Still no files
   •   All clusters are therefore “unallocated”

                                          03-10-2020 Page 43

A File on a Formatted Drive

   •   Here is a file (blue)
   •   It occupies 1 cluster
   •   That cluster is “allocated” to the file
   •   “Logical” size (blue) = 54 bytes
   •   “Physical” size (cluster) = 64 bytes
   •   “Leftover” space = “slack” = 10 bytes
   •   “Unallocated” space = 49 clusters

                                          03-10-2020 Page 44

A File on a Formatted Drive

   •   The file is now larger (blue)
   •   It occupies 2 clusters
   •   Those 2 clusters are “allocated”
   •   “Logical” size (blue) = 100 bytes
   •   “Physical” size (clusters) = 128 bytes
   •   “Leftover” space = “slack” = 28 bytes
   •   “Unallocated” space = 48 clusters

                                          03-10-2020 Page 45

                                                               Page 22 of 58

                                                                               15
A File on a Formatted Drive

                •   The file is now even larger (blue)
                •   It occupies 4 clusters
                •   Those 4 clusters are “allocated”
                •   “Logical” size (blue) = 193 bytes
                •   “Physical” size (clusters) = 256 bytes
                •   “Leftover” space = “slack” = 63 bytes
                •   “Unallocated” space = 46 clusters

                                                      03-10-2020 Page 46

The Basics: The File System & File Deletion

What happens when you “format” a drive?
• A new drive has “capacity” (e.g., 100 GB)
• But it has no file system yet
• It has “bytes” and “sectors” but no “clusters”
• When you format a drive:
   • The cluster size is defined (e.g., 4K)
   • The clusters are mapped and addressed
   • A Master File Table (MFT) is created

                                                      03-10-2020 Page 47

The Basics: The File System & File Deletion

The Master File Table
• The MFT is itself a file
• Think of it as the “Table of Contents” for the drive
• Contains a data record for each file on the drive
• Points to file’s address (the clusters that store it)
• Contains many fields of metadata about each file
• Metadata = data about the file, not on the face of
  the document
                                                      03-10-2020 Page 48

                                                                           Page 23 of 58

                                                                                           16
The Basics: The File System & File Deletion

    Metadata in the Master File Table
    • File name, file extension, full path
    • Status: active or deleted
    • Type: file or folder (a folder is a special type of file)
    • Dates/times of creation, last access, last save
    • Attributes (read only, hidden, system)
    • Permissions (which users can access, save)
    • Logical size (size of the document's own bytes)
    • Physical size (in whole cluster increments)
                                                        03-10-2020 Page 49

    The Basics: The File System & File Deletion

    • Does any of this sound familiar? It should.
    • MFT is the source of Windows Explorer data:

                                     •   Filenames, extensions
                                     •   Datestamps
                                     •   Attributes
                                     •   All from the MFT

                                                        03-10-2020 Page 50

    The Basics: The File System & File Deletion

    • MFT is also the source
      of “Properties” data in
      Windows Explorer:

•   “Size” = logical size
•   “Size on disk” = physical size
•   Datestamps
•   Attributes
•   All from the MFT

                                                        03-10-2020 Page 51

                                                                             Page 24 of 58

                                                                                             17
A Disgruntled Employee Scenario

                                  03-10-2020 Page 52

A Disgruntled Employee Scenario

                                  03-10-2020 Page 53

A Disgruntled Employee Scenario

                                  03-10-2020 Page 54

                                                       Page 25 of 58

                                                                       18
A Disgruntled Employee Scenario

                                  03-10-2020 Page 55

A Disgruntled Employee Scenario

                                  03-10-2020 Page 56

A Disgruntled Employee Scenario

                                  03-10-2020 Page 57

                                                       Page 26 of 58

                                                                       19
A Disgruntled Employee Scenario

                                  03-10-2020 Page 58

A Disgruntled Employee Scenario

                                  03-10-2020 Page 59

A Disgruntled Employee Scenario

                                  03-10-2020 Page 60

                                                       Page 27 of 58

                                                                       20
A Disgruntled Employee Scenario

                                  03-10-2020 Page 61

A Disgruntled Employee Scenario

                                  03-10-2020 Page 62

A Disgruntled Employee Scenario

                                  03-10-2020 Page 63

                                                       Page 28 of 58

                                                                       21
A Disgruntled Employee Scenario

                                  03-10-2020 Page 64

A Disgruntled Employee Scenario

                                  03-10-2020 Page 65

A Disgruntled Employee Scenario

                                  03-10-2020 Page 66

                                                       Page 29 of 58

                                                                       22
A Disgruntled Employee Scenario

         If this were a system drive (C:\ drive)
            it would also contain system files,
          system caches, executables, drivers,
                libraries, icons, help files ….

                                         03-10-2020 Page 67

A Disgruntled Employee Scenario

                                         03-10-2020 Page 68

A Disgruntled Employee Scenario

                Active-File Ediscovery:
                • Only the active user files
                • Not system files
                • Not slack space
                • Not unallocated space

                                         03-10-2020 Page 69

                                                              Page 30 of 58

                                                                              23
A Disgruntled Employee Scenario

            Forensic Ediscovery – Everything:
            • Active user files
            • System files
            • Slack space
            • Unallocated space

                                                03-10-2020 Page 70

    Forensic Ediscovery: The Methodology

Forensic Preservation:
• Objective: to preserve the exact existing state of
  the entire digital storage device
• Every byte in every cluster, top to bottom
• Do not boot it up, do not turn it on:
   • This could change the state
• Use a “write blocker” to avoid changes
• Use specialized forensic preservation software

                                                03-10-2020 Page 71

    Forensic Ediscovery: The Methodology

Forensic Preservation:
• This approach preserves everything:
   • The Master File Table
   • All active user files
   • All active system files and caches
   • All recoverable deleted files, user and system
   • All residue of past disk activity
   • All slack space (“unused” space at cluster end)
   • All unallocated space
                                                03-10-2020 Page 72

                                                                     Page 31 of 58

                                                                                     24
Forensic Ediscovery: The Methodology

Forensic Preservation:
• The resulting archive is called a “forensic image”
• Call it a “forensic image” (a well-defined term)
• Do not call it a “mirror” (an ambiguous term)
• A forensic image basically converts the entire
  digital storage area into one huge searchable file
• The forensic expert can search, scroll through,
  and review the entire space at the byte level

                                                  03-10-2020 Page 73

               What You Can Do
             With a Forensic Image
              at Minimal Expense

          (Using Windows Examples)

                                                  03-10-2020 Page 74

         Forensic Analysis: The Basics

Extract and Review MFT Contents:
• MFT contents can be extracted in Excel format
• You can review the name of every file and folder
  listed in the MFT, both active and deleted
• You can sort by any of the fields of data
• You can run searches on the file names and folder
  names (not the files themselves)
• Tremendous bang for the buck

                                                  03-10-2020 Page 75

                                                                       Page 32 of 58

                                                                                       25
Forensic Analysis: The Basics

Sort the MFT to Find Interesting Data:

• Sorting by full path allows you to find the user
  accounts and see the names of the files and icons
  on the desktop and the user folders

• Sorting by extension allows you to see the names
  of the user files (PDF, DOCX, XLSX, etc.)

• Sorting by date allows you to see the last activities
  before the computer was shut down

                                                03-10-2020 Page 76

         Forensic Analysis: The Basics

Extract Active User Files:

• Remember: A forensic image ALSO contains all of
  the active user files: Word documents, PDFs,
  Excel spreadsheets, PowerPoint decks

• Have them extracted so you can review them just
  like normal active-file ediscovery

                                                03-10-2020 Page 77

         Forensic Analysis: The Basics

Extract Mailboxes:

• A forensic image often contains a local copy of the
  user’s active mailbox (*.ost) and archives (*.pst)

• Have them extracted so you can review them just
  like normal active-file ediscovery

                                                03-10-2020 Page 78

                                                                     Page 33 of 58

                                                                                     26
Forensic Analysis: The Basics

Extract Recoverable Deleted User Files

• A forensic image also contains all recoverable
  deleted files (i.e., not yet overwritten)

• Have them restored and extracted so you can
  review them just like normal active-file ediscovery

                                               03-10-2020 Page 79

         Forensic Analysis: The Basics

Recent Link Analysis:
• Windows automatically creates “Recent Links” that
  point to recently-accessed user files
• Recent Links store information regarding full path
  and access date for each accessed file, even if the
  file itself has been deleted or was never located
  on that computer
• A “Link Analysis” extracts that information and
  provide you with a report that shows the user’s file
  access history
                                               03-10-2020 Page 80

         Forensic Analysis: The Basics

History Analyses:
• Windows maintains “history” data on files, network
  locations, and URLs accessed by users
• These are found in History files, NTUSER.dat files,
  Index.dat files, and other system logs

                                               03-10-2020 Page 81

                                                                    Page 34 of 58

                                                                                    27
Forensic Analysis: The Basics

USB Analysis:
• The Windows Registry keeps track of every USB
  device ever attached to the computer
• This includes the type of device, manufacturer,
  model number, serial number, date of installation
• You can see what USB devices the user attached
  and when
• Especially useful in a data theft or spoliation
  scenario

                                                03-10-2020 Page 82

         Forensic Analysis: The Basics

Prefetch Analysis:
• Windows stores data about the applications that
  the user runs in order to help them launch faster
• This data can be analyzed to show which apps
  were run, how many times they were run, and
  when they were most recently run
• They can show things such as whether the user
  ran a file clean-up utility before producing the
  computer

                                                03-10-2020 Page 83

         Forensic Analysis: The Basics

Print Spooler Analysis:
• When documents are sent to the printer, they are
  stored as temporary graphic files to await printing
• These files can sometimes be recovered, allowing
  you to see what documents the user sent to the
  printer

                                                03-10-2020 Page 84

                                                                     Page 35 of 58

                                                                                     28
Forensic Analysis: The Basics

Event Log Analysis:
• Windows maintains system logs that keep track of
  various system events
• These can show when a computer was booted up,
  when an application was installed, when a device
  was installed, when a file was accessed, etc.
• “Office Alerts” event log analysis: Windows stores
  the content of every Office Alert, with datestamps.
• (“Are you sure you want to delete that folder?”)

                                                 03-10-2020 Page 85

         Forensic Analysis: The Basics

Carve and Recover Deleted Files:

• If a deleted file is no longer accessible through the
  file system, it may be recovered with file carving

• This involves searching for the characteristic
  “header” at the beginning of the file type (e.g.,
  %PDF for PDF files) and then extracting the bytes
  that follow

                                                 03-10-2020 Page 86

         Forensic Analysis: The Basics

Run keyword searches in unallocated space

• Even if a deleted file is partially overwritten (and
  therefore not recoverable as a “file”) it is possible
  that surviving fragments contain searchable text

• Embedded text in user files is often in standard
  ASCII or Unicode formats

• This text remains human readable and searchable
  even if the surrounding formatting is lost

                                                 03-10-2020 Page 87

                                                                      Page 36 of 58

                                                                                      29
Cellphone Analysis: The Basics

• Cellphones typically use a database system rather
  than a traditional file system to store data and files

• A cellphone can be forensically preserved in a
  manner similar to a computer

• The cellphone’s database can then be extracted
  and parsed to generate a comprehensive report of
  user activity

                                                  03-10-2020 Page 88

          Cellphone Analysis: The Basics

• A cellphone report can include:

   •   All texts, organized by sender/recipient
   •   Call logs, incoming and outgoing
   •   WiFi connection history
   •   Location history
   •   Photographs and videos
   •   Application installation history
   •   Web browser history
   •   Saved files

                                                  03-10-2020 Page 89

           Forensic Analysis: The Basics

Advanced Analysis

• There are many other things that a forensic expert
  can do, depending on circumstances, objectives,
  and budget

                                                  03-10-2020 Page 90

                                                                       Page 37 of 58

                                                                                       30
Online & Social Media - Overview

   Active-File                           Forensic
   Ediscovery                           Ediscovery

                      Online &
                     Social Media

                                                   03-10-2020 Page 91

      Online & Social Media Ediscovery

Scope of Online & Social Media:
• Typically hosted on web sites: Facebook, Twitter,
  YouTube, Instagram, Reddit, etc.
• Typically personal rather than business-oriented
• Typically interactive (i.e., users can comment)
• Typically dynamic (frequent updates & deletes)
• Can be public, semi-public, or private
• Sometimes anonymous or semi-anonymous

                                                   03-10-2020 Page 92

      Online & Social Media Ediscovery

Scope of Online & Social Media:

• Social media is a hybrid:

   • It is like Active-File Ediscovery in that
     relevance is typically “on the face” of the
     document (i.e., the web page content)

   • It is like Forensic Ediscovery in that the
     methods of preservation and analysis typically
     require forensic expertise

                                                   03-10-2020 Page 93

                                                                        Page 38 of 58

                                                                                        31
Online & Social Media Ediscovery

Special Issues with Social Media Ediscovery:
• A social media website is essentially an
  “application” accessed remotely through a web
  browser
• The custodian’s access is therefore constrained
  by the limitations of the interface and the tools
  and settings supplied by the provider
• Certain data regarding the site (e.g., server logs,
  connection history, IP addresses) might not be
  available to the user

                                               03-10-2020 Page 94

                  Introduction to
                 Trial Technology

                                               03-10-2020 Page 95

                 The Objectives

• To persuade
• To change someone's mind (judge / jury)
• Using evidence and argument

What is the role of technology?
• It is an "evidence delivery" medium
• It is an "evidence enhancement" medium

                                               03-10-2020 Page 96

                                                                    Page 39 of 58

                                                                                    32
How Technology Enhances Evidence

• Access: You can store everything
• Immediacy: near-instant recall of evidence
• Fluidity: no clumsy paper shuffling
• Speed: display without manual distribution
• Orientation: Easily show identifying criteria
• Focus: Jump straight to the relevant parts
• Clarity: Use callouts and highlighting tools
• Dynamism: Real-time coordination with the
  testimony of the witness
                                         03-10-2020 Page 97

      The 3 Purposes of Trial Evidence

• To Establish
• To Corroborate
• To Contradict
Technology enhances all 3 purposes
Especially when using a split-screen to show
either corroboration or contradiction between
two items of evidence

                                         03-10-2020 Page 98

    17 U.S.C. 101     vs   1976 House Report

                                         03-10-2020 Page 99

                                                              Page 40 of 58

                                                                              33
17 U.S.C. 101   vs   1976 House Report

                               03-10-2020 Page 100

17 U.S.C. 101   vs   1976 House Report

                               03-10-2020 Page 101

17 U.S.C. 101   vs   1976 House Report

                               03-10-2020 Page 102

                                                     Page 41 of 58

                                                                     34
17 U.S.C. 101       vs      1976 House Report

                                          03-10-2020 Page 103

         The Trial Support Objective

Avoid Disasters!
• Avoid technical disasters
• Avoid logistical disasters
• Avoid effectiveness disasters
• Avoid legal disasters

                                          03-10-2020 Page 104

      Elements of a Mobile Trial Setup

• Sources of evidence (e.g., digital files)
• Evidence control software (TrialDirector)
• Evidence display devices
• Switching and connecting devices
• Ancillary devices

                                          03-10-2020 Page 105

                                                                Page 42 of 58

                                                                                35
Sources of Evidence

• Live testimony - introduces the other kinds
• Electronic files in production format (TIFF)
• Electronic files in native formats
• Transcripts of past testimony
• Media files (photos, depo video, animations)
• Demonstratives, summaries, chalks
• Paper documents, physical evidence
                                         03-10-2020 Page 106

          Evidence Control Devices

• Call up the evidence, control it, and send it
  to the display device
• Often stores the evidence too
• Examples:
   • Laptop
   • Tablet
   • Touch screen
   • Document camera
   • Video playback devices
                                         03-10-2020 Page 107

      Software for “Static” Presentations

• Primary tool: PowerPoint
• Linear display order (slideshow)
• Best for "scripted" presentations (opening,
  closing, direct, expert testimony)
• Slides are made in advance
• Very precise design control
• Ability to add captions and labels
• Labor-intensive and time-consuming
• Easy to use in the courtroom
                                         03-10-2020 Page 108

                                                               Page 43 of 58

                                                                               36
Software for “Dynamic” Presentations

• TrialDirector, Sanction, etc.
• Random access (non-linear)
• Good for less-predictable examinations
  (crossing an adverse witness)
• Can use with huge repositories
• Realtime markup tools
• Less precise design control
• No heavy advance labor
• More skill required to use
                                          03-10-2020 Page 109

                Video Playback

• Static or dynamic (PPT or TrialDirector, etc.)
• Can synchronizes video with transcript
• Transcript scrolls like captioning
• Words plus text adds clarity
• Easy to jump to page-line coordinates
• Easy to make video excerpts and clips
• Clips can be called up in real time like other
  evidence

                                          03-10-2020 Page 110

          Evidence Display Devices

• Projector and screen (shadow issues)
• Large flat screen
• Individual screens for judge, clerk, steno,
  podium, counsel tables, tech, jury, gallery
• Speakers for audio playback

                                          03-10-2020 Page 111

                                                                Page 44 of 58

                                                                                37
Switching and Connection

• To controls which input device is active
• To controls which displays are active
• Switches between parties
• A matrix of inputs and outputs
• "Kill switch" to isolate jury

                                          03-10-2020 Page 112

             Other Critical Things

• Hardcopies. Your team will always need
  physical copies of the documents displayed
  electronically
  • To be marked for the record
  • If judge wants a copy
  • If something goes wrong
• Clean memory keys. The parties are often
  called upon to exchange data.

                                          03-10-2020 Page 113

                 Pretrial Checklist

• Contact info
• Judge’s protocols
• Security protocols
• Courtroom schedule
• Courtroom survey / sketch
• Existing equipment
• Stenographer
• Vendor cost sharing
                                          03-10-2020 Page 114

                                                                Page 45 of 58

                                                                                38
Introduction to
              Technology-Assisted Review

                                           03-10-2020 Page 115

              Technology-Assisted Review

           Active-File             Forensic
           Ediscovery             Ediscovery

                                           03-10-2020 Page 116

              Technology-Assisted Review

           Active-File             Forensic
           Ediscovery             Ediscovery

Straight        With       With
Linear       Clustering-   TAR
Review       Threading

                                           03-10-2020 Page 117

                                                                 Page 46 of 58

                                                                                 39
Linear Review

• Electronic equivalent of banker's box review
• Linear - straight through the document set
• Tagging - electronic equivalent of yellow stickies
  • Responsive / non-responsive
  • Privileged / non-privileged
  • Issue coding
  • Hot documents
  • Batch coding
                                           03-10-2020 Page 118

            Clustering - Threading

• An algorithmic process is run
• The process identifies "similar" documents
• Also known as "near duplicates"
• The process applies an arbitrary "pivot" value
• Similar documents have closely-grouped values
• Dissimilar documents have distant values
• If you sort by pivot value, the similar documents
  will be grouped together

                                           03-10-2020 Page 119

            Clustering - Threading

Benefits of clustering:
• Similar documents can be found even if they
  come from different repositories (different
  custodians, different mailboxes)
• Multiple drafts of the same document
• Standardized forms
• Email threads
• A single reviewer can review all similar
  documents -- promotes consistent coding

                                           03-10-2020 Page 120

                                                                 Page 47 of 58

                                                                                 40
Technology Assisted Review ("TAR")

• A random sample of documents (e.g., 2000
  "family" sets) is taken across all custodians and
  repositories
• A single "expert" reviewer codes the sampling
  for relevance
• This is now regarded as the "seed" set
• An algorithmic process is run that uses the seed
  set to predict relevance in the larger universe

                                                        03-10-2020 Page 121

             Technology Assisted Review ("TAR")

• The predictively-coded universe will be
  generally grouped into three categories:
            • Those predicted to be likely relevant
            • Those predicted to be likely irrelevant
            • Those that remain uncertain
• There are no "bright lines" -- just likelihoods
• Subsequent review and coding can be used to
  improve the results
                                                        03-10-2020 Page 122

             Technology Assisted Review ("TAR")

               Likely                          Likely
               Irrelevant                    Relevant
Documents

                              Uncertain
             Relevance

                                                        03-10-2020 Page 123

                                                                              Page 48 of 58

                                                                                              41
When Does TAR Make Sense?

• Very large documents sets
• Low percentage of relevance
• Amorphous criteria for relevance (i.e., relevance
  is not well-correlated with objective criteria)
• Willingness to rely on the process to avoid
  review of irrelevant documents (otherwise, you
  are just going to do a linear review anyway)
• Cost of process lower than cost of linear review

                                          03-10-2020 Page 124

     When Does TAR Not Make Sense?

• Smaller documents sets
• High percentage of relevance (e.g., subject-
  specific folders; critical custodians)
• Well-defined criteria for relevance
• Good correlation between relevance and
  keywords and other objective criteria
• Lawyer's (or client's) insistence upon reviewing
  everything anyway

                                          03-10-2020 Page 125

              When Your Evidence
                Is In the Cloud

                                          03-10-2020 Page 126

                                                                Page 49 of 58

                                                                                42
Traditional Corporate Network Repositories

         “Possession, Custody, or Control”

                                                          03-10-2020 Page 127

Traditional Corporate Network Repositories

 Mail       File     Database       Web     DR Backups
Server    Servers     Servers      Server

                                             Archives

                    Workstations

                                                          03-10-2020 Page 128

Traditional Corporate Network Repositories

 Mail       File     Database       Web     DR Backups
Server    Servers     Servers      Server

                                             Archives

                                                    The “Four Walls”
                                                     of the Network.
                                                      The evidence
                                                      lives at home.

                    Workstations

                                                          03-10-2020 Page 129

                                                                                Page 50 of 58

                                                                                                43
Pros and Cons of the Traditional Network

Pros:
• Complete and direct dominion and control
Cons:
• Capital intensive (hardware, software)
• Labor intensive, maintenance intensive
• Expertise, staff, payroll
• Requires budget allocations and approvals
• Requires major lead time
• Security obligations, patching, defensive systems

                                                  03-10-2020 Page 130

 The Original Corporate View of the Internet

                    Internet

                               Two primary functions:
                               • Email communications
                               • Access to online content

                               Evidence still lived at home.

                                                  03-10-2020 Page 131

  The Beginning of the “Cloud” Conception

• Transition from "static" (read-only) to "dynamic"
  (interactive) web technology
• Database-backed web sites proliferate
• Ability to embed logical elements in web pages;
  scripting languages; Java
• Result: The ability to build applications that can
  run in the web browser and use remote
  databases and resources
• "Salesforce" and "Dropbox" type applications
                                                  03-10-2020 Page 132

                                                                        Page 51 of 58

                                                                                        44
Corporate Networks Offload Functions

                                             03-10-2020 Page 133

     Attractions of Cloud-Based Services

 • No capital expenditures, no capex budget
 • Just a monthly expense
 • Fast implementation
 • No server maintenance, no updates to test
 • Always the latest version
 • Less need for in-house administrative expertise
 • Reduced headcount/payroll issues
 • Security obligations are the vendor’s

                                             03-10-2020 Page 134

   Characteristics of Many Cloud Systems

• Standalone apps rather than integration
• Access via a web page; limited browser interface
• Often no direct control of the remote system
• Often no administrative access; only user access
• Often no access across multiple accounts
• You must trust the vendor on backups
• You may need to rely on vendor for exports
• You may own the data, but you don't own the
  system that runs your data
                                             03-10-2020 Page 135

                                                                   Page 52 of 58

                                                                                   45
Characteristics of Cloud-Based Access

“Possession, custody, or control” is indirect

                                             03-10-2020 Page 136

                  A Scenario

The company is an advertising company
• They create multimedia content
• They conduct product campaigns
• Technology intensive; network intensive
• Demanding clients; fast-moving projects
• Friction between creative and administrative
• Frustration with corporate bureaucracy

                                             03-10-2020 Page 137

                  A Scenario

The creative division begins to use the Cloud
• Cloud-based storage for large video projects
• Cloud-based FTP to transfer data to customers
• Online collaboration tools
• Online video distribution platforms
• Promotional blogging for customers
• Online networking
• Astroturfing through online review sites

                                             03-10-2020 Page 138

                                                                   Page 53 of 58

                                                                                   46
A Scenario

The sales division catches on
• Cloud-based prospecting and sales databases
• Cloud-based document sharing: sales materials,
 proposals, responses to RFIs, contracts
• Cloud-based evites and event scheduling
• Cloud-based text and communication apps
• Use of web mail when traveling

                                            03-10-2020 Page 139

                 A Scenario

A few complications arise
• Adoption is bottom-up, not top down
• Each user is researching and choosing their own
  providers
• Sometimes, different users choose different
  providers for the same type of service
• Sometimes, users change providers
• There is turnover at the company

                                            03-10-2020 Page 140

                 A Scenario

Company administration gets worried
• The GC starts to worry about compliance with
  corporate retention and destruction policies
• The CIO starts to worry about company data no
  longer under the direct control of company IT
• The CMO starts to worry about lack of
  governance and oversight
• But the CEO loves the company's new-found
  flexibility and reduced expenses

                                            03-10-2020 Page 141

                                                                  Page 54 of 58

                                                                                  47
A Scenario

Disaster strikes
• A high-profile lawsuit
• Multiple allegations of fraud & misrepresentation
Discovery is demanded:
• All marketing materials for the relevant period
• All proposals and draft contracts
• All communications with certain customers
• All advertisements, videos, and campaign
  materials for certain customers
                                             03-10-2020 Page 142

    What Did Outside Counsel Learn?

• No one had overall knowledge of how the
  company's cloud repositories were organized.
• No one had a master list of all cloud vendors,
  past and present.
• No one had a master list of all login
  credentials for the cloud-based systems.
• There was no "data map" of the company's
  outsourced collections. Everything was ad
  hoc, often at the individual user level.

                                             03-10-2020 Page 143

    What Did Outside Counsel Learn?

• There was no easy way to perform server-
  level preservation operations.

• There was no way to perform server-level
  "batch" operations, like keyword searching,
  since each repository was a separate island.

• Each repository had to be addressed
  separately.

                                             03-10-2020 Page 144

                                                                   Page 55 of 58

                                                                                   48
What Did Outside Counsel Learn?

• There were no historic archives of the
  outsourced collections. At most, there were
  only short-term disaster recovery backups.
• There were no historic archives of web mail
  contents other than the current contents.
• There was no way to recover web mail
  contents of long-departed employees.
• There was no way to recover the contents of
  abandoned storage and data systems.

                                           03-10-2020 Page 145

    What Did Outside Counsel Learn?

• For many systems, there was no
  administrative access; the only access was
  through the end-user web interface.

• This meant that the contents of each system
  had to be laboriously preserved one at a time.

                                           03-10-2020 Page 146

    What Did Outside Counsel Learn?

• For some of the collaborative systems, there
  were no archival copies of earlier drafts.

• There was sometimes no record of what had
  initially been provided to the customers.

• There was no way to prove who had
  accessed some of the documents and when,
  or to determine which collaborator might have
  made which edits to which documents.

                                           03-10-2020 Page 147

                                                                 Page 56 of 58

                                                                                 49
What Did Outside Counsel Learn?

• Old content had expired on some of the blogs
  and networking sites.

• As a result, there was no way to verify or
  disprove some of the allegations made by the
  plaintiff regarding public statements.

                                            03-10-2020 Page 148

    What Did Outside Counsel Learn?

• The company had no way to "lock down"
  some of the outsourced repositories. There
  was no easy way to ensure that the contents
  were preserved pending collection.
• This was a concern because the company
  believed that a few of its employees might
  have an incentive to alter or purge evidence
  to cover their tracks.
• It was also a concern for sites that allowed
  third parties to alter the contents.

                                            03-10-2020 Page 149

    What Did Outside Counsel Learn?

• Obtaining copies of outsourced repositories
  sometimes required protracted administrative
  processes with vendors over which the
  company had no direct control.

• Some vendors were slow and uncooperative.

• Some sites had unfavorable Terms of Service
  regarding obligations to assist with data
  export or migration. Nothing had been vetted
  by the legal department.
                                            03-10-2020 Page 150

                                                                  Page 57 of 58

                                                                                  50
Duty to Disclose; Duty to Produce

                      “Possession, Custody, or Control”

                                                      03-10-2020 Page 151

                            The EDRM Workflow

                                                      03-10-2020 Page 152

                            Question & Answers

Copyright 2006-2020                                   03-10-2020 Page 153

                                                                            Page 58 of 58

                                                                                            51
You can also read