EDiscovery 101: Collection to Trial Presentation - Connecticut Bar Association
eDiscovery 101: Collection to Trial Presentation November 12, 2020 10:00 a.m. – 12:00 p.m. CT Bar Association Webinar CT Bar Institute, Inc. CT: 2.0 CLE Credits (General) NY: 2.0 CLE Credits (AOP) No representation or warranty is made as to the accuracy of these materials. Readers should check primary sources where appropriate and use the traditional legal research techniques to make sure that the information has not been affected or changed by recent developments. Page 1 of 58
Table of Contents
• Lawyers’ Principles of Professionalism (p. 3)
• Agenda (p. 6)
• Faculty Biographies (p. 7)
• eDiscovery 101: From Preservation to Trial (p. 8)
Approved by the House of Delegates October 19, 2020

LAWYERS’ PRINCIPLES OF PROFESSIONALISM

As a lawyer, I have dedicated myself to making our system of justice work fairly and efficiently for all. I am an officer of this Court and recognize the obligation I have to advance the rule of law and preserve and foster the integrity of the legal system. To this end, I commit myself not only to observe the Connecticut Rules of Professional Conduct, but also conduct myself in accordance with the following Principles of Professionalism when dealing with my clients, opposing parties, fellow counsel, self-represented parties, the Courts, and the general public.

Civility: Civility and courtesy are the hallmarks of professionalism. As such,
• I will be courteous, polite, respectful, and civil, both in oral and in written communications;
• I will refrain from using litigation or any other legal procedure to harass an opposing party;
• I will not impute improper motives to my adversary unless clearly justified by the facts and essential to resolution of the issue;
• I will treat the representation of a client as the client’s transaction or dispute and not as a dispute with my adversary;
• I will respond to all communications timely and respectfully and allow my adversary a reasonable time to respond;
• I will avoid making groundless objections in the discovery process and work cooperatively to resolve those that are asserted with merit;
• I will agree to reasonable requests for extensions of time and for waiver of procedural formalities when the legitimate interests of my client will not be adversely affected;
• I will try to consult with my adversary before scheduling depositions, meetings, or hearings, and I will cooperate with her when schedule changes are requested;
• When scheduled meetings, hearings, or depositions have to be canceled, I will notify my adversary and, if appropriate, the Court (or other tribunal) as early as possible and enlist their involvement in rescheduling; and
• I will not serve motions and pleadings at such time or in such manner as will unfairly limit the other party’s opportunity to respond.

Honesty: Honesty and truthfulness are critical to the integrity of the legal profession – they are core values that must be observed at all times and they go hand in hand with my fiduciary duty. As such,
• I will not knowingly make untrue statements of fact or of law to my client, adversary or the Court;
• I will honor my word;
• I will not maintain or assist in maintaining any cause of action or advancing any position that is false or unlawful;
• I will withdraw voluntarily claims, defenses, or arguments when it becomes apparent that they do not have merit or are superfluous;
• I will not file frivolous motions or advance frivolous positions;
• When engaged in a transaction, I will make sure all involved are aware of changes I make to documents and not conceal changes.

Competency: Having the necessary ability, knowledge, and skill to effectively advise and advocate for a client’s interests is critical to the lawyer’s function in their community. As such,
• I will keep myself current in the areas in which I practice, and, will associate with, or refer my client to, counsel knowledgeable in another field of practice when necessary;
• I will maintain proficiency in those technological advances that are necessary for me to competently represent my clients.
• I will seek mentoring and guidance throughout my career in order to ensure that I act with diligence and competency.

Responsibility: I recognize that my client’s interests and the administration of justice in general are best served when I work responsibly, effectively, and cooperatively with those with whom I interact. As such,
• Before dates for hearings or trials are set, or if that is not feasible, immediately after such dates have been set, I will attempt to verify the availability of key participants and witnesses so that I can promptly notify the Court (or other tribunal) and my adversary of any likely problem;
• I will make every effort to agree with my adversary, as early as possible, on a voluntary exchange of information and on a plan for discovery;
• I will attempt to resolve, by agreement, my objections to matters contained in my opponent's pleadings and discovery requests;
• I will be punctual in attending Court hearings, conferences, meetings, and depositions;
• I will refrain from excessive and abusive discovery, and I will comply with all reasonable discovery requests;
• In civil matters, I will stipulate to facts as to which there is no genuine dispute;
• I will refrain from causing unreasonable delays;
• Where consistent with my client's interests, I will communicate with my adversary in an effort to avoid needless controversial litigation and to resolve litigation that has actually commenced;
• While I must consider my client’s decision concerning the objectives of the representation, I nevertheless will counsel my client that a willingness to initiate or engage in settlement discussions is consistent with zealous and effective representation.
Mentoring: I owe a duty to the legal profession to counsel less experienced lawyers on the practice of the law and these Principles, and to seek mentoring myself. As such:
• I will exemplify through my behavior and teach through my words the importance of collegiality and ethical and civil behavior;
• I will emphasize the importance of providing clients with a high standard of representation through competency and the exercise of sound judgment;
• I will stress the role of our profession as a public service, to building and fostering the rule of law;
• I will welcome requests for guidance and advice.

Honor: I recognize the honor of the legal profession and will always act in a manner consistent with the respect, courtesy, and weight that it deserves. As such,
• I will be guided by what is best for my client and the interests of justice, not what advances my own financial interests;
• I will be a vigorous and zealous advocate on behalf of my client, but I recognize that, as an officer of the Court, excessive zeal may be detrimental to the interests of a properly functioning system of justice;
• I will remember that, in addition to commitment to my client's cause, my responsibilities as a lawyer include a devotion to the public good;
• I will, as a member of a self-regulating profession, report violations of the Rules of Professional Conduct as required by those rules;
• I will protect the image of the legal profession in my daily activities and in the ways I communicate with the public;
• I will be mindful that the law is a learned profession and that among its desirable goals are devotion to public service, improvement of administration of justice, and the contribution of uncompensated time and civic influence on behalf of those persons who cannot afford adequate legal assistance; and
• I will support and advocate for fair and equal treatment under the law for all persons, regardless of race, color, ancestry, sex, pregnancy, religion, national origin, ethnicity, disability, status as a veteran, age, gender identity, gender expression or marital status, sexual orientation, or creed and will always conduct myself in such a way as to promote equality and justice for all.

Nothing in these Principles shall supersede, supplement, or in any way amend the Rules of Professional Conduct, alter existing standards of conduct against which a lawyer’s conduct might be judged, or become a basis for the imposition of any civil, criminal, or professional liability.
E-DISCOVERY 101 – PRESERVATION TO TRIAL PRESENTATION
Connecticut Bar Association CLE
November 12, 2020
Presenters: James Berriman, Esq.; Dana Conneally, Esq.

E-DISCOVERY 101 - Topics and Schedule

10:00 AM - 10:20 AM (20 minutes)
• Evolution of the discovery process: paper to electronic to forensics to analytics
• The primary categories: active-file ediscovery vs forensic ediscovery

10:20 AM - 10:40 AM (20 minutes)
• The traditional methodology of active-file ediscovery
• The EDRM workflow (Electronic Discovery Reference Model)
• How the attorney controls cost and scope in the EDRM model

10:40 AM - 11:10 AM (30 minutes)
• The methodology of forensic ediscovery
• A sample case scenario: commercial data theft
• Basic low-cost elements of forensic analysis

11:10 AM - 11:20 AM (10 minutes)
• Introduction to discovery of social media

11:20 AM - 11:35 AM (15 minutes)
• Introduction to trial technology objectives and methods

11:35 AM - 11:50 AM (15 minutes)
• Introduction to technology-assisted review

11:50 AM - 12:00 PM (10 minutes)
• Introduction to ediscovery of cloud-based data
• Questions and Answers
eDiscovery 101 – Collection to Trial Presentation
November 12, 2020
Speaker Bios

James Berriman
James Berriman is an attorney admitted to practice in the state and federal courts of Massachusetts. He is a certified forensic examiner in digital forensics (EnCE) and has been in the field of litigation technology since 1982. He was formerly the founder and director of the Litigation Technology Group at Goodwin Procter LLP and was the co-founder and CEO of Evidox, a Boston-based ediscovery provider. He has taught Ediscovery and Advanced Civil Procedure at Boston University School of Law, is an annual guest lecturer in the Boston University digital forensics graduate program, and has conducted over 50 CLEs on ediscovery, forensics, metadata, and trial technology. He is currently a consulting expert with Xact Data Discovery.

Dana Conneally
Dana Conneally is a Managing Director at Xact Data Discovery (XDD). Prior to XDD’s acquisition of Evidox, Dana served as the Chief Strategy Officer at Evidox Corporation, a leading provider of ediscovery services. Before joining Evidox, Dana was National Manager of Litigation Technology, Goodwin Procter LLP. He has been managing complex litigation discovery projects since 2000. His experience includes electronic data preservation, collection, review, production, and digital forensics. At Evidox, Dana is responsible for identifying developing technologies that can be utilized to mitigate risk, increase productivity, and reduce costs related to the discovery process. He received his law degree from Suffolk University School of Law and his B.A. from Gordon College.

Brian Dillon
As an eDiscovery Director at Xact Data Discovery, Brian Dillon is responsible for the company’s strategic business development in the Northeast. He has significant experience assisting law firms and corporations on a range of complex litigation matters. Prior to joining Xact, Brian has several years of experience in the industry, managing eDiscovery projects in NYC and servicing clients throughout the world. Brian has also worked with multiple government agencies throughout the U.S.
eDiscovery 101: From Preservation to Trial
Connecticut Bar Association CLE
March 21, 2020
Presented by: James Berriman, Esq., EnCE; Dana Conneally, Esq., EnCE
Xact Data Discovery
03-10-2020 Page 1

A Preliminary Comment
“Issue spotting” applies to the practice of ediscovery just as to any other field of law.
How do we spot issues? Same as always:
• Abstraction
• Conceptualization
• Pattern recognition
• Focus on scenarios

The Evolution of Discovery
Paper Discovery to Active-File Ediscovery to Forensic Ediscovery
1. Traditional Paper Discovery
• Source files are manually collected, copied
• Attorney conducts “linear” review - top to bottom
• Attorney “tags” for relevance, issues, privilege
• Manual annotations, post-it notes
• Tagged documents are pulled, numbered, endorsed, redacted, copied again for production
• Copies are produced (as many copies as parties)
• Privilege log is created manually

1. Traditional Paper Discovery
• “Sizing” the traditional paper case
• Standard unit - the Banker’s Box
Data equivalents:
• 1 box = 10 MB
• 10 boxes = 100 MB
• 100 boxes = 1 GB
• (Based on max. 5,000 characters per full page, 80 x 60)

2. The Ediscovery Epiphany
• Many paper documents were originally electronic
• Printed from email, word processed files, etc.
• What if we stopped printing everything?
• What if we focused on the electronic sources?
• Same philosophy, same goal, better tools:
  • Automated collection, searching, sorting, deduping, analytics, copying, production
• The digital extension of traditional paper discovery
3. Forensics: A New Type of Evidence
• Not just traditional “documentary” evidence
• You can also analyze digital artifacts & history
• Data about the documents:
  • Metadata, doc properties, envelope data
• What was done with a computer:
  • Files deleted, apps run, searches run
• What was done with a cellphone:
  • Phone logs, geolocation data, web history

Ediscovery is “Custodian-Centric” (1 of 2)
• F.R.Civ.P. 26: Must produce “all ... electronically stored information ... that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses”
• The person with “possession, custody, or control” is called a “custodian”
• Ediscovery (like all discovery) is inherently custodian-centric

Ediscovery is “Custodian-Centric” (2 of 2)
• A custodian typically has login credentials to the relevant repositories (email accounts, online accounts, cellphone accounts, etc.)
• A custodian often has physical possession of the relevant devices (cell phones, laptops, etc.)
• A custodian often has virtual possession of online resources (Dropbox, webmail, etc.)
• By identifying the relevant custodians, you also identify the relevant repositories
Two Major Categories of Ediscovery
• Active-File Ediscovery
• Forensic Ediscovery

Active-File Ediscovery
Scope of Active-File Ediscovery:
• “Active” files -- not deleted files
• “User” files -- not system files
• In short: “human readable” files
• Created by users, accessed by users
• Usually in “business-oriented” formats
• Emails, word-processed documents, spreadsheets, presentations, media files, etc.

Active-File Ediscovery
Scope of Active-File Ediscovery:
• Communications, reports, financials, marketing materials, work product, etc.
• In short: electronic business records
• The digital equivalent of traditional paper files
• Often highly voluminous
• Relevance depends on substantive content
Active-File Ediscovery
What matters is “on the face of the document”

Active-File Ediscovery
Evidence “on the Face of the Document”:
• What is stated in this communication?
• What are the terms of this offer?
• What are the warranties in this contract?
• What is the scope of this specification?
• What is the invention claimed in this patent?
• What is represented in this advertisement?

Active-File Ediscovery
This is traditional legal issue-spotting: Relevance, Materiality, Privilege
These determinations do not require technical expertise regarding the electronic format of the document
These determinations are made by the lawyer
Two Major Categories of Ediscovery
• Active-File Ediscovery
• Forensic Ediscovery

Forensic Ediscovery
Scope of Forensic Ediscovery:
• A different goal and a different methodology
• To look behind the face of the active user files
• To assess the digital context of the evidence
• To assess conduct (or misconduct) of the user:
  • What the user did with the documents
  • What the user did with the computer

Scope of Forensic Ediscovery (1 of 5)
• Spoliation:
  • Was relevant evidence deleted?
  • When? By whom?
  • Can it be recovered?
• Authenticity:
  • Is the document authentic?
  • Edited? Altered?
  • Fabricated?
Scope of Forensic Ediscovery (2 of 5)
• History:
  • When was the file actually created?
  • When? By whom?
  • Edited? Printed? Other versions?
• Access:
  • Who accessed the document?
  • From where? When?

Scope of Forensic Ediscovery (3 of 5)
• Transmittal:
  • Was the file copied to a USB device?
  • Was the file attached to an email?
  • Was the file uploaded to DropBox?
  • Was the file converted to PDF?
  • Was the file printed?

Scope of Forensic Ediscovery (4 of 5)
• User Activity:
  • What was the user doing on a certain date and time?
  • What applications did the user install? Use?
  • What web sites did the user visit?
  • What searches did the user conduct?
  • What communications did the user have?
Scope of Forensic Ediscovery (5 of 5)
• Cell Phones & Tablets:
  • What is the user’s call history?
  • Where did the user travel?
  • What WiFi locations did the user access?
  • Texts, contacts, photos, videos?

Sources of Forensic Evidence (1 of 2)
• File system metadata (creation date, saved date)
• The “Master File Table” in Windows systems
• System caches (automatic system copies):
  • Browser caches, shadow copies, temp files, hibernation files, page files
• System databases (like the Windows Registry)
• USB connection data, user settings, application settings

Sources of Forensic Evidence (2 of 2)
• System logs:
  • Event logs (system event history)
  • Office Alert logs (all user warnings)
  • Index.dat (document and search history)
• Technical data within files (transmission headers, access logs, internal attributes)
• Unallocated space:
  • Residue of deleted data and past disk activity
Forensic Ediscovery
This requires technical issue-spotting and technical expertise
These determinations are made by the forensic expert

Active-File vs. Forensic Ediscovery
• Where is the evidence?
  • Active-File Ediscovery: Active user documents (electronic business records)
  • Forensic Ediscovery: Digital environment of hard drive or device
• What is the focus?
  • Active-File Ediscovery: Substantive content on face of documents
  • Forensic Ediscovery: User conduct (or misconduct) behind face of documents
• What is the objective?
  • Active-File Ediscovery: Find relevant documents
  • Forensic Ediscovery: Find technical clues
• What kind of expertise?
  • Active-File Ediscovery: Legal issue-spotting
  • Forensic Ediscovery: Technical issue-spotting
• Who does the assessment?
  • Active-File Ediscovery: Lawyer (with technical help)
  • Forensic Ediscovery: Forensic expert (with legal help)
• What is the result?
  • Active-File Ediscovery: Document production
  • Forensic Ediscovery: Expert opinion / report

The Traditional Methodology of Active-File Ediscovery
The EDRM Workflow
[Slide graphic; no text transcribed]

Major Repositories of Electronic Evidence
[Diagram labels: Mail Server, File Servers, Database Servers, Web Server, Cloud Repositories, DR, Backups, Archives, Workstations, Portable Devices, Media]

Active-File Ediscovery: The Methodology
• Identify relevant custodians
• Identify relevant repositories (custodian-centric)
• Implement preservation plan (repository-centric)
• Interview custodians (learn criteria for relevance)
• Select sub-repositories of interest
• Develop culling and processing criteria
• Conduct disclosures / preliminary conference
• Create review set (culled, deduped, processed)
• Review documents for actual responsiveness
• Produce responsive subset
Traditional (Keyword) Winnowing Process
• Entire Client Network (all sources)
• Preserved Subset (broad; all potentially-relevant custodians/repositories)
• Selected Subset (initial priority selections; can be supplemented iteratively)
• Processed Subset (per objective criteria) = Review Set
• Responsive Subset (per subjective review) = Production Set
• Incoming Production (added to review platform)
• Trial Subset (post-depositions, post-discovery, key documents)
[Diagram labels: Review Platform, Production Set, Incoming Production, Trial Exhibits]

The EDRM Workflow
[Slide graphic; no text transcribed]

How the Attorney Controls Cost in Active-File Ediscovery
How the Attorney Controls Cost
Basic Concepts of Cost Control:
• Valuation
• Proportionality
• Selection
• Completeness vs Undue Burden

How the Attorney Controls Cost
Implementation of Cost Control Concepts:
• Preserve broadly - your protection
• Identify highest-priority subsets
• Develop & test criteria to meet target cost
• Disclose criteria to opposing counsel
• Negotiate and finalize first-pass criteria
• Agree to consider supplemental requests
• Go back to preserved pool as necessary

The General Methodology of Forensic Ediscovery
(We will focus on Windows systems)
The Basics: What is a Byte?
• Think of a byte as a single “character”
• Letter, number, symbol
• Control or formatting code (tab, return, etc.)
• Unit of data or value

The Basics: What is a Sector?
• A sector is the smallest storage unit that a hard drive can physically read or write
• 512 bytes per sector is a common size
• This allows the system to handle bytes in groups
• It allows a smaller number of storage addresses and faster data handling

The Basics: What is a Cluster?
• A cluster is the smallest storage unit handled by a file system
• It cannot be smaller than one sector (because that is a physical limitation of the hard drive)
• 8 sectors per cluster (4096 bytes) is common
• This allows the file system to be configured to handle bytes in larger groups than a sector
• Cluster size is set during formatting; it is a trade-off between efficiency and economy of space
Large Versus Small Clusters
• Jim's school bus analogy:
  • Sending children by one school bus versus many individual taxis
  • Group efficiency at the cost of empty seats
• Jim's post-it note analogy:
  • Small post-it notes versus large post-it notes
  • Need many small ones to do the job of one large one, but one large one may be wasted for a small note

Cluster Scenario
• The following scenario is an over-simplification, a conceptual schematic.
• It shows bytes and clusters but omits sectors.
• The principles of space allocation are the same.

An Unformatted Drive
• An unformatted “drive”
• Lots of byte locations (3200 bytes)
• No clusters
• No files
A Formatted Drive
• A formatted drive
• Same number of byte locations
• Now grouped into 50 clusters
• 64 bytes per cluster in this example
• Fewer addresses to worry about
• Still no files
• All clusters are therefore “unallocated”

A File on a Formatted Drive
• Here is a file (blue)
• It occupies 1 cluster
• That cluster is “allocated” to the file
• “Logical” size (blue) = 54 bytes
• “Physical” size (cluster) = 64 bytes
• “Leftover” space = “slack” = 10 bytes
• “Unallocated” space = 49 clusters

A File on a Formatted Drive
• The file is now larger (blue)
• It occupies 2 clusters
• Those 2 clusters are “allocated”
• “Logical” size (blue) = 100 bytes
• “Physical” size (clusters) = 128 bytes
• “Leftover” space = “slack” = 28 bytes
• “Unallocated” space = 48 clusters
A File on a Formatted Drive
• The file is now even larger (blue)
• It occupies 4 clusters
• Those 4 clusters are “allocated”
• “Logical” size (blue) = 193 bytes
• “Physical” size (clusters) = 256 bytes
• “Leftover” space = “slack” = 63 bytes
• “Unallocated” space = 46 clusters

The Basics: The File System & File Deletion
What happens when you “format” a drive?
• A new drive has “capacity” (e.g., 100 GB)
• But it has no file system yet
• It has “bytes” and “sectors” but no “clusters”
• When you format a drive:
  • The cluster size is defined (e.g., 4K)
  • The clusters are mapped and addressed
  • A Master File Table (MFT) is created

The Basics: The File System & File Deletion
The Master File Table
• The MFT is itself a file
• Think of it as the “Table of Contents” for the drive
• Contains a data record for each file on the drive
• Points to file’s address (the clusters that store it)
• Contains many fields of metadata about each file
• Metadata = data about the file, not on the face of the document
The Basics: The File System & File Deletion
Metadata in the Master File Table
• File name, file extension, full path
• Status: active or deleted
• Type: file or folder (a folder is a special type of file)
• Dates/times of creation, last access, last save
• Attributes (read only, hidden, system)
• Permissions (which users can access, save)
• Logical size (size of the document's own bytes)
• Physical size (in whole cluster increments)

The Basics: The File System & File Deletion
• Does any of this sound familiar? It should.
• MFT is the source of Windows Explorer data:
  • Filenames, extensions
  • Datestamps
  • Attributes
• All from the MFT

The Basics: The File System & File Deletion
• MFT is also the source of “Properties” data in Windows Explorer:
  • “Size” = logical size
  • “Size on disk” = physical size
  • Datestamps
  • Attributes
• All from the MFT
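The slides' 50-cluster schematic and file table, as a runnable toy model (an added example, not part of the presenters' materials). `ToyDrive`, `Record` and the sample file contents are constructed for illustration; like the slides it omits sectors, and it assumes that a write touches only the file's logical bytes and that a delete only flips the status flag in the table.

```python
from dataclasses import dataclass

CLUSTER_SIZE = 64    # bytes per cluster in the slides' schematic
CLUSTER_COUNT = 50   # 3200 byte locations / 64 bytes per cluster


@dataclass
class Record:
    """One row of the toy file table (a stand-in for an MFT record)."""
    name: str
    logical_size: int      # the document's own bytes
    clusters: list         # cluster numbers allocated to the file
    active: bool = True    # status: active or deleted

    @property
    def physical_size(self):
        return len(self.clusters) * CLUSTER_SIZE   # whole-cluster increments

    @property
    def slack(self):
        return self.physical_size - self.logical_size


class ToyDrive:
    def __init__(self):
        self.data = bytearray(CLUSTER_SIZE * CLUSTER_COUNT)
        self.table = []

    def free_clusters(self):
        used = {c for r in self.table if r.active for c in r.clusters}
        return [c for c in range(CLUSTER_COUNT) if c not in used]

    def write(self, name, content):
        needed = -(-len(content) // CLUSTER_SIZE)   # ceiling division
        free = self.free_clusters()
        if needed > len(free):
            raise OSError("not enough unallocated clusters")
        clusters = free[:needed]
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            # Assumption: only the logical bytes are written; the rest of the
            # last cluster keeps whatever was stored there before.
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
        record = Record(name, len(content), clusters)
        self.table.append(record)
        return record

    def delete(self, name):
        for record in self.table:
            if record.active and record.name == name:
                record.active = False   # only the status flag changes
                return record
        raise FileNotFoundError(name)

    def raw(self, record):
        """All bytes of the record's clusters, slack included."""
        return b"".join(bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c in record.clusters)


def allocation(logical_size):
    """(clusters, physical size, slack, unallocated clusters) for one file."""
    drive = ToyDrive()
    rec = drive.write("file", b"x" * logical_size)
    return len(rec.clusters), rec.physical_size, rec.slack, len(drive.free_clusters())


def residue_demo():
    """Delete a file, let a smaller one reuse its cluster, inspect the slack."""
    drive = ToyDrive()
    old = b"CONFIDENTIAL customer list: Acme, Globex, Initech, Umbrella"  # constructed
    new = b"lunch order: 2 pizza"                                           # constructed
    gone = drive.delete(drive.write("customers.txt", old).name)
    recovered = drive.raw(gone)[:gone.logical_size]   # deleted, not yet overwritten
    fresh = drive.write("lunch.txt", new)              # reuses the freed cluster
    slack = drive.raw(fresh)[fresh.logical_size:]      # tail of the old file
    after = drive.raw(gone)[:gone.logical_size]        # now partially overwritten
    return {"old": old, "new": new, "recovered": recovered, "slack": slack,
            "after": after, "reused": fresh.clusters == gone.clusters}


if __name__ == "__main__":
    for size in (54, 100, 193):          # the three file sizes on the slides
        print(size, allocation(size))
    result = residue_demo()
    print("recovered before reuse:", result["recovered"])
    print("slack of new file:     ", result["slack"])
```

The three `allocation` calls reproduce the slides' figures, and `residue_demo` shows why slack and unallocated space are part of a forensic preservation: the deleted file is fully readable until its cluster is reused, and afterwards its tail survives in the new file's slack.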
A Disgruntled Employee Scenario
[Slides 52-66: slide graphics only; no text transcribed]
A Disgruntled Employee Scenario
If this were a system drive (C:\ drive) it would also contain system files, system caches, executables, drivers, libraries, icons, help files ….

A Disgruntled Employee Scenario
[Slide graphic; no text transcribed]

A Disgruntled Employee Scenario
Active-File Ediscovery:
• Only the active user files
• Not system files
• Not slack space
• Not unallocated space
A Disgruntled Employee Scenario
Forensic Ediscovery – Everything:
• Active user files
• System files
• Slack space
• Unallocated space

Forensic Ediscovery: The Methodology
Forensic Preservation:
• Objective: to preserve the exact existing state of the entire digital storage device
• Every byte in every cluster, top to bottom
• Do not boot it up, do not turn it on:
  • This could change the state
• Use a “write blocker” to avoid changes
• Use specialized forensic preservation software

Forensic Ediscovery: The Methodology
Forensic Preservation:
• This approach preserves everything:
  • The Master File Table
  • All active user files
  • All active system files and caches
  • All recoverable deleted files, user and system
  • All residue of past disk activity
  • All slack space (“unused” space at cluster end)
  • All unallocated space
Forensic Ediscovery: The Methodology
Forensic Preservation:
• The resulting archive is called a “forensic image”
• Call it a “forensic image” (a well-defined term)
• Do not call it a “mirror” (an ambiguous term)
• A forensic image basically converts the entire digital storage area into one huge searchable file
• The forensic expert can search, scroll through, and review the entire space at the byte level

What You Can Do With a Forensic Image at Minimal Expense
(Using Windows Examples)

Forensic Analysis: The Basics
Extract and Review MFT Contents:
• MFT contents can be extracted in Excel format
• You can review the name of every file and folder listed in the MFT, both active and deleted
• You can sort by any of the fields of data
• You can run searches on the file names and folder names (not the files themselves)
• Tremendous bang for the buck
Forensic Analysis: The Basics
Sort the MFT to Find Interesting Data:
• Sorting by full path allows you to find the user accounts and see the names of the files and icons on the desktop and the user folders
• Sorting by extension allows you to see the names of the user files (PDF, DOCX, XLSX, etc.)
• Sorting by date allows you to see the last activities before the computer was shut down

Forensic Analysis: The Basics
Extract Active User Files:
• Remember: A forensic image ALSO contains all of the active user files: Word documents, PDFs, Excel spreadsheets, PowerPoint decks
• Have them extracted so you can review them just like normal active-file ediscovery

Forensic Analysis: The Basics
Extract Mailboxes:
• A forensic image often contains a local copy of the user’s active mailbox (*.ost) and archives (*.pst)
• Have them extracted so you can review them just like normal active-file ediscovery
Forensic Analysis: The Basics
Extract Recoverable Deleted User Files
• A forensic image also contains all recoverable deleted files (i.e., not yet overwritten)
• Have them restored and extracted so you can review them just like normal active-file ediscovery

Forensic Analysis: The Basics
Recent Link Analysis:
• Windows automatically creates “Recent Links” that point to recently-accessed user files
• Recent Links store information regarding full path and access date for each accessed file, even if the file itself has been deleted or was never located on that computer
• A “Link Analysis” extracts that information and provides you with a report that shows the user’s file access history

Forensic Analysis: The Basics
History Analyses:
• Windows maintains “history” data on files, network locations, and URLs accessed by users
• These are found in History files, NTUSER.dat files, Index.dat files, and other system logs
Forensic Analysis: The Basics
USB Analysis:
• The Windows Registry keeps track of every USB device ever attached to the computer
• This includes the type of device, manufacturer, model number, serial number, date of installation
• You can see what USB devices the user attached and when
• Especially useful in a data theft or spoliation scenario

Forensic Analysis: The Basics
Prefetch Analysis:
• Windows stores data about the applications that the user runs in order to help them launch faster
• This data can be analyzed to show which apps were run, how many times they were run, and when they were most recently run
• They can show things such as whether the user ran a file clean-up utility before producing the computer

Forensic Analysis: The Basics
Print Spooler Analysis:
• When documents are sent to the printer, they are stored as temporary graphic files to await printing
• These files can sometimes be recovered, allowing you to see what documents the user sent to the printer
Forensic Analysis: The Basics
Event Log Analysis:
• Windows maintains system logs that keep track of various system events
• These can show when a computer was booted up, when an application was installed, when a device was installed, when a file was accessed, etc.
• “Office Alerts” event log analysis: Windows stores the content of every Office Alert, with datestamps.
  • (“Are you sure you want to delete that folder?”)

Forensic Analysis: The Basics
Carve and Recover Deleted Files:
• If a deleted file is no longer accessible through the file system, it may be recovered with file carving
• This involves searching for the characteristic “header” at the beginning of the file type (e.g., %PDF for PDF files) and then extracting the bytes that follow

Forensic Analysis: The Basics
Run keyword searches in unallocated space
• Even if a deleted file is partially overwritten (and therefore not recoverable as a “file”) it is possible that surviving fragments contain searchable text
• Embedded text in user files is often in standard ASCII or Unicode formats
• This text remains human readable and searchable even if the surrounding formatting is lost
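The two techniques on the slides above, header-based file carving and keyword searching in unallocated space, shown as an added Python example that is not part of the original presentation. It goes slightly beyond the slide by also using the PDF `%%EOF` trailer to bound a carve; the function names, the size cap, the sample bytes and the keyword "Falcon" are constructed for illustration.

```python
PDF_HEADER = b"%PDF-"
PDF_FOOTER = b"%%EOF"
MAX_CARVE = 10 * 1024 * 1024  # assumed size cap for a carve with no footer


def carve_pdfs(image: bytes, max_len: int = MAX_CARVE):
    """Return (offset, data, complete) for each PDF header found in raw bytes."""
    carved = []
    pos = image.find(PDF_HEADER)
    while pos != -1:
        nxt = image.find(PDF_HEADER, pos + 1)
        # Simplification: a carve never runs past the next header or the cap.
        limit = min(len(image), pos + max_len, nxt if nxt != -1 else len(image))
        # Take the last %%EOF in range; incrementally saved PDFs hold several.
        end = image.rfind(PDF_FOOTER, pos, limit)
        if end != -1:
            carved.append((pos, image[pos:end + len(PDF_FOOTER)], True))
        else:  # footer overwritten: keep the fragment, flag it incomplete
            carved.append((pos, image[pos:limit], False))
        pos = nxt
    return carved


def keyword_hits(image: bytes, keyword: str, context: int = 16):
    """Case-insensitive search for keyword stored as ASCII or UTF-16LE text."""
    haystack = image.lower()  # bytes.lower() only folds ASCII letters
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = keyword.lower().encode(enc)
        start = haystack.find(needle)
        while start != -1:
            lo = max(0, start - context)
            hits.append((start, enc, image[lo:start + len(needle) + context]))
            start = haystack.find(needle, start + 1)
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space (not real evidence)."""
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF"
    frag_ascii = b"...re: Project Falcon pricing, delete after read"
    frag_utf16 = "falcon budget draft".encode("utf-16-le")
    truncated = b"%PDF-1.7\n2 0 obj\n<< /Len"  # trailer already overwritten
    return (b"\x00" * 32 + pdf + b"\xff" * 20 + frag_ascii +
            b"\x00" * 7 + frag_utf16 + b"\xaa" * 9 + truncated)


if __name__ == "__main__":
    img = build_sample_image()
    for off, data, complete in carve_pdfs(img):
        print(f"PDF header at {off}: {len(data)} bytes, complete={complete}")
    for off, enc, snippet in keyword_hits(img, "Falcon"):
        print(f"keyword at {off} ({enc}): {snippet!r}")
```

The second carve is reported as incomplete because its trailer is gone, which is the case where the keyword search still surfaces readable fragments.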
Cellphone Analysis: The Basics
• Cellphones typically use a database system rather than a traditional file system to store data and files
• A cellphone can be forensically preserved in a manner similar to a computer
• The cellphone’s database can then be extracted and parsed to generate a comprehensive report of user activity

Cellphone Analysis: The Basics
• A cellphone report can include:
  • All texts, organized by sender/recipient
  • Call logs, incoming and outgoing
  • WiFi connection history
  • Location history
  • Photographs and videos
  • Application installation history
  • Web browser history
  • Saved files

Forensic Analysis: The Basics
Advanced Analysis
• There are many other things that a forensic expert can do, depending on circumstances, objectives, and budget
Online & Social Media - Overview
[Diagram: Active-File Ediscovery; Forensic Ediscovery; Online & Social Media]

Online & Social Media Ediscovery
Scope of Online & Social Media:
• Typically hosted on web sites: Facebook, Twitter, YouTube, Instagram, Reddit, etc.
• Typically personal rather than business-oriented
• Typically interactive (i.e., users can comment)
• Typically dynamic (frequent updates & deletes)
• Can be public, semi-public, or private
• Sometimes anonymous or semi-anonymous

Online & Social Media Ediscovery
Scope of Online & Social Media:
• Social media is a hybrid:
  • It is like Active-File Ediscovery in that relevance is typically “on the face” of the document (i.e., the web page content)
  • It is like Forensic Ediscovery in that the methods of preservation and analysis typically require forensic expertise
Online & Social Media Ediscovery
Special Issues with Social Media Ediscovery:
• A social media website is essentially an “application” accessed remotely through a web browser
• The custodian’s access is therefore constrained by the limitations of the interface and the tools and settings supplied by the provider
• Certain data regarding the site (e.g., server logs, connection history, IP addresses) might not be available to the user

Introduction to Trial Technology

The Objectives
• To persuade
• To change someone's mind (judge / jury)
• Using evidence and argument
What is the role of technology?
• It is an "evidence delivery" medium
• It is an "evidence enhancement" medium
How Technology Enhances Evidence
• Access: You can store everything
• Immediacy: near-instant recall of evidence
• Fluidity: no clumsy paper shuffling
• Speed: display without manual distribution
• Orientation: Easily show identifying criteria
• Focus: Jump straight to the relevant parts
• Clarity: Use callouts and highlighting tools
• Dynamism: Real-time coordination with the testimony of the witness

The 3 Purposes of Trial Evidence
• To Establish
• To Corroborate
• To Contradict
Technology enhances all 3 purposes, especially when using a split-screen to show either corroboration or contradiction between two items of evidence

17 U.S.C. 101 vs 1976 House Report
The Trial Support Objective
Avoid Disasters!
• Avoid technical disasters
• Avoid logistical disasters
• Avoid effectiveness disasters
• Avoid legal disasters

Elements of a Mobile Trial Setup
• Sources of evidence (e.g., digital files)
• Evidence control software (TrialDirector)
• Evidence display devices
• Switching and connecting devices
• Ancillary devices
Sources of Evidence
• Live testimony - introduces the other kinds
• Electronic files in production format (TIFF)
• Electronic files in native formats
• Transcripts of past testimony
• Media files (photos, depo video, animations)
• Demonstratives, summaries, chalks
• Paper documents, physical evidence

Evidence Control Devices
• Call up the evidence, control it, and send it to the display device
• Often stores the evidence too
• Examples:
  • Laptop
  • Tablet
  • Touch screen
  • Document camera
  • Video playback devices

Software for “Static” Presentations
• Primary tool: PowerPoint
• Linear display order (slideshow)
• Best for "scripted" presentations (opening, closing, direct, expert testimony)
• Slides are made in advance
• Very precise design control
• Ability to add captions and labels
• Labor-intensive and time-consuming
• Easy to use in the courtroom
Software for “Dynamic” Presentations
• TrialDirector, Sanction, etc.
• Random access (non-linear)
• Good for less-predictable examinations (crossing an adverse witness)
• Can use with huge repositories
• Realtime markup tools
• Less precise design control
• No heavy advance labor
• More skill required to use

Video Playback
• Static or dynamic (PPT or TrialDirector, etc.)
• Can synchronize video with transcript
• Transcript scrolls like captioning
• Words plus text adds clarity
• Easy to jump to page-line coordinates
• Easy to make video excerpts and clips
• Clips can be called up in real time like other evidence

Evidence Display Devices
• Projector and screen (shadow issues)
• Large flat screen
• Individual screens for judge, clerk, steno, podium, counsel tables, tech, jury, gallery
• Speakers for audio playback
Switching and Connection
• To control which input device is active
• To control which displays are active
• Switches between parties
• A matrix of inputs and outputs
• "Kill switch" to isolate jury

Other Critical Things
• Hardcopies. Your team will always need physical copies of the documents displayed electronically
  • To be marked for the record
  • If judge wants a copy
  • If something goes wrong
• Clean memory keys. The parties are often called upon to exchange data.

Pretrial Checklist
• Contact info
• Judge’s protocols
• Security protocols
• Courtroom schedule
• Courtroom survey / sketch
• Existing equipment
• Stenographer
• Vendor cost sharing
Introduction to Technology-Assisted Review

Technology-Assisted Review
[Diagram: Active-File Ediscovery; Forensic Ediscovery]

Technology-Assisted Review
[Diagram: Active-File Ediscovery; Forensic Ediscovery; Straight Linear Review; With Clustering-Threading; With TAR]
Linear Review
• Electronic equivalent of banker's box review
• Linear - straight through the document set
• Tagging - electronic equivalent of yellow stickies
• Responsive / non-responsive
• Privileged / non-privileged
• Issue coding
• Hot documents
• Batch coding

Clustering - Threading
• An algorithmic process is run
• The process identifies "similar" documents
• Also known as "near duplicates"
• The process applies an arbitrary "pivot" value
• Similar documents have closely-grouped values
• Dissimilar documents have distant values
• If you sort by pivot value, the similar documents will be grouped together

Clustering - Threading
Benefits of clustering:
• Similar documents can be found even if they come from different repositories (different custodians, different mailboxes)
• Multiple drafts of the same document
• Standardized forms
• Email threads
• A single reviewer can review all similar documents -- promotes consistent coding
Technology Assisted Review ("TAR")
• A random sample of documents (e.g., 2000 "family" sets) is taken across all custodians and repositories
• A single "expert" reviewer codes the sampling for relevance
• This is now regarded as the "seed" set
• An algorithmic process is run that uses the seed set to predict relevance in the larger universe

Technology Assisted Review ("TAR")
• The predictively-coded universe will be generally grouped into three categories:
  • Those predicted to be likely relevant
  • Those predicted to be likely irrelevant
  • Those that remain uncertain
• There are no "bright lines" -- just likelihoods
• Subsequent review and coding can be used to improve the results

Technology Assisted Review ("TAR")
[Diagram: Documents divided into Likely Irrelevant, Uncertain Relevance, and Likely Relevant]
When Does TAR Make Sense?
• Very large document sets
• Low percentage of relevance
• Amorphous criteria for relevance (i.e., relevance is not well-correlated with objective criteria)
• Willingness to rely on the process to avoid review of irrelevant documents (otherwise, you are just going to do a linear review anyway)
• Cost of process lower than cost of linear review

When Does TAR Not Make Sense?
• Smaller document sets
• High percentage of relevance (e.g., subject-specific folders; critical custodians)
• Well-defined criteria for relevance
• Good correlation between relevance and keywords and other objective criteria
• Lawyer's (or client's) insistence upon reviewing everything anyway

When Your Evidence Is In the Cloud
Traditional Corporate Network Repositories
“Possession, Custody, or Control”

Traditional Corporate Network Repositories
[Diagram: Mail Server; File Servers; Database Servers; Web Server; DR Backups, Archives; Workstations]

Traditional Corporate Network Repositories
[Diagram: Mail Server; File Servers; Database Servers; Web Server; DR Backups, Archives; Workstations]
The “Four Walls” of the Network. The evidence lives at home.
Pros and Cons of the Traditional Network
Pros:
• Complete and direct dominion and control
Cons:
• Capital intensive (hardware, software)
• Labor intensive, maintenance intensive
• Expertise, staff, payroll
• Requires budget allocations and approvals
• Requires major lead time
• Security obligations, patching, defensive systems

The Original Corporate View of the Internet
[Diagram: Internet]
Two primary functions:
• Email communications
• Access to online content
Evidence still lived at home.

The Beginning of the “Cloud” Conception
• Transition from "static" (read-only) to "dynamic" (interactive) web technology
• Database-backed web sites proliferate
• Ability to embed logical elements in web pages; scripting languages; Java
• Result: The ability to build applications that can run in the web browser and use remote databases and resources
• "Salesforce" and "Dropbox" type applications
Corporate Networks Offload Functions

Attractions of Cloud-Based Services
• No capital expenditures, no capex budget
• Just a monthly expense
• Fast implementation
• No server maintenance, no updates to test
• Always the latest version
• Less need for in-house administrative expertise
• Reduced headcount/payroll issues
• Security obligations are the vendor’s

Characteristics of Many Cloud Systems
• Standalone apps rather than integration
• Access via a web page; limited browser interface
• Often no direct control of the remote system
• Often no administrative access; only user access
• Often no access across multiple accounts
• You must trust the vendor on backups
• You may need to rely on vendor for exports
• You may own the data, but you don't own the system that runs your data
Characteristics of Cloud-Based Access
“Possession, custody, or control” is indirect

A Scenario
The company is an advertising company
• They create multimedia content
• They conduct product campaigns
• Technology intensive; network intensive
• Demanding clients; fast-moving projects
• Friction between creative and administrative
• Frustration with corporate bureaucracy

A Scenario
The creative division begins to use the Cloud
• Cloud-based storage for large video projects
• Cloud-based FTP to transfer data to customers
• Online collaboration tools
• Online video distribution platforms
• Promotional blogging for customers
• Online networking
• Astroturfing through online review sites
A Scenario
The sales division catches on
• Cloud-based prospecting and sales databases
• Cloud-based document sharing: sales materials, proposals, responses to RFIs, contracts
• Cloud-based evites and event scheduling
• Cloud-based text and communication apps
• Use of web mail when traveling

A Scenario
A few complications arise
• Adoption is bottom-up, not top down
• Each user is researching and choosing their own providers
• Sometimes, different users choose different providers for the same type of service
• Sometimes, users change providers
• There is turnover at the company

A Scenario
Company administration gets worried
• The GC starts to worry about compliance with corporate retention and destruction policies
• The CIO starts to worry about company data no longer under the direct control of company IT
• The CMO starts to worry about lack of governance and oversight
• But the CEO loves the company's new-found flexibility and reduced expenses
A Scenario
Disaster strikes
• A high-profile lawsuit
• Multiple allegations of fraud & misrepresentation
Discovery is demanded:
• All marketing materials for the relevant period
• All proposals and draft contracts
• All communications with certain customers
• All advertisements, videos, and campaign materials for certain customers

What Did Outside Counsel Learn?
• No one had overall knowledge of how the company's cloud repositories were organized.
• No one had a master list of all cloud vendors, past and present.
• No one had a master list of all login credentials for the cloud-based systems.
• There was no "data map" of the company's outsourced collections. Everything was ad hoc, often at the individual user level.

What Did Outside Counsel Learn?
• There was no easy way to perform server-level preservation operations.
• There was no way to perform server-level "batch" operations, like keyword searching, since each repository was a separate island.
• Each repository had to be addressed separately.
What Did Outside Counsel Learn?
• There were no historic archives of the outsourced collections. At most, there were only short-term disaster recovery backups.
• There were no historic archives of web mail contents other than the current contents.
• There was no way to recover web mail contents of long-departed employees.
• There was no way to recover the contents of abandoned storage and data systems.

What Did Outside Counsel Learn?
• For many systems, there was no administrative access; the only access was through the end-user web interface.
• This meant that the contents of each system had to be laboriously preserved one at a time.

What Did Outside Counsel Learn?
• For some of the collaborative systems, there were no archival copies of earlier drafts.
• There was sometimes no record of what had initially been provided to the customers.
• There was no way to prove who had accessed some of the documents and when, or to determine which collaborator might have made which edits to which documents.
What Did Outside Counsel Learn?
• Old content had expired on some of the blogs and networking sites.
• As a result, there was no way to verify or disprove some of the allegations made by the plaintiff regarding public statements.

What Did Outside Counsel Learn?
• The company had no way to "lock down" some of the outsourced repositories. There was no easy way to ensure that the contents were preserved pending collection.
• This was a concern because the company believed that a few of its employees might have an incentive to alter or purge evidence to cover their tracks.
• It was also a concern for sites that allowed third parties to alter the contents.

What Did Outside Counsel Learn?
• Obtaining copies of outsourced repositories sometimes required protracted administrative processes with vendors over which the company had no direct control.
• Some vendors were slow and uncooperative.
• Some sites had unfavorable Terms of Service regarding obligations to assist with data export or migration. Nothing had been vetted by the legal department.
Duty to Disclose; Duty to Produce
“Possession, Custody, or Control”

The EDRM Workflow

Questions & Answers
Copyright 2006-2020