EDiscovery 101: Collection to Trial Presentation - Connecticut Bar Association
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
eDiscovery 101: Collection to Trial Presentation
November 12, 2020
10:00 a.m. – 12:00 p.m.
CT Bar Association
Webinar
CT Bar Institute, Inc.
CT: 2.0 CLE Credits (General)
NY: 2.0 CLE Credits (AOP)
No representation or warranty is made as to the accuracy of these materials. Readers should check primary sources where appropriate and
use the traditional legal research techniques to make sure that the information has not been affected or changed by recent developments.
Page 1 of 58Table of Contents
Lawyers’ Principles of Professionalism ................................................................................................ 3
Agenda ................................................................................................................................................ 6
Faculty Biographies ............................................................................................................................. 7
eDiscovery 101: From Preservation to Trial ......................................................................................... 8
Page 2 of 58Approved by the House of Delegates October 19, 2020
LAWYERS’ PRINCIPLES OF PROFESSIONALISM
As a lawyer, I have dedicated myself to making our system of justice work fairly and efficiently
for all. I am an officer of this Court and recognize the obligation I have to advance the rule of
law and preserve and foster the integrity of the legal system. To this end, I commit myself not
only to observe the Connecticut Rules of Professional Conduct, but also conduct myself in
accordance with the following Principles of Professionalism when dealing with my clients,
opposing parties, fellow counsel, self-represented parties, the Courts, and the general public.
Civility:
Civility and courtesy are the hallmarks of professionalism. As such,
I will be courteous, polite, respectful, and civil, both in oral and in written
communications;
I will refrain from using litigation or any other legal procedure to harass an opposing
party;
I will not impute improper motives to my adversary unless clearly justified by the facts
and essential to resolution of the issue;
I will treat the representation of a client as the client’s transaction or dispute and not as a
dispute with my adversary;
I will respond to all communications timely and respectfully and allow my adversary a
reasonable time to respond;
I will avoid making groundless objections in the discovery process and work
cooperatively to resolve those that are asserted with merit;
I will agree to reasonable requests for extensions of time and for waiver of procedural
formalities when the legitimate interests of my client will not be adversely affected;
I will try to consult with my adversary before scheduling depositions, meetings, or
hearings, and I will cooperate with her when schedule changes are requested;
When scheduled meetings, hearings, or depositions have to be canceled, I will notify my
adversary and, if appropriate, the Court (or other tribunal) as early as possible and enlist
their involvement in rescheduling; and
I will not serve motions and pleadings at such time or in such manner as will unfairly
limit the other party’s opportunity to respond.
Honesty:
Honesty and truthfulness are critical to the integrity of the legal profession – they are core values
that must be observed at all times and they go hand in hand with my fiduciary duty. As such,
I will not knowingly make untrue statements of fact or of law to my client, adversary or
the Court;
I will honor my word;
I will not maintain or assist in maintaining any cause of action or advancing any position
that is false or unlawful;
1
Page 3 of 58Approved by the House of Delegates October 19, 2020
I will withdraw voluntarily claims, defenses, or arguments when it becomes apparent that
they do not have merit or are superfluous;
I will not file frivolous motions or advance frivolous positions;
When engaged in a transaction, I will make sure all involved are aware of changes I make
to documents and not conceal changes.
Competency:
Having the necessary ability, knowledge, and skill to effectively advise and advocate for a
client’s interests is critical to the lawyer’s function in their community. As such,
I will keep myself current in the areas in which I practice, and, will associate with, or
refer my client to, counsel knowledgeable in another field of practice when necessary;
I will maintain proficiency in those technological advances that are necessary for me to
competently represent my clients.
I will seek mentoring and guidance throughout my career in order to ensure that I act with
diligence and competency.
Responsibility:
I recognize that my client’s interests and the administration of justice in general are best served
when I work responsibly, effectively, and cooperatively with those with whom I interact. As
such,
Before dates for hearings or trials are set, or if that is not feasible, immediately after such
dates have been set, I will attempt to verify the availability of key participants and
witnesses so that I can promptly notify the Court (or other tribunal) and my adversary of
any likely problem;
I will make every effort to agree with my adversary, as early as possible, on a voluntary
exchange of information and on a plan for discovery;
I will attempt to resolve, by agreement, my objections to matters contained in my
opponent's pleadings and discovery requests;
I will be punctual in attending Court hearings, conferences, meetings, and depositions;
I will refrain from excessive and abusive discovery, and I will comply with all reasonable
discovery requests;
In civil matters, I will stipulate to facts as to which there is no genuine dispute;
I will refrain from causing unreasonable delays;
Where consistent with my client's interests, I will communicate with my adversary in an
effort to avoid needless controversial litigation and to resolve litigation that has actually
commenced;
While I must consider my client’s decision concerning the objectives of the
representation, I nevertheless will counsel my client that a willingness to initiate or
engage in settlement discussions is consistent with zealous and effective representation.
2
Page 4 of 58Approved by the House of Delegates October 19, 2020
Mentoring:
I owe a duty to the legal profession to counsel less experienced lawyers on the practice of the law
and these Principles, and to seek mentoring myself. As such:
I will exemplify through my behavior and teach through my words the importance of
collegiality and ethical and civil behavior;
I will emphasize the importance of providing clients with a high standard of
representation through competency and the exercise of sound judgment;
I will stress the role of our profession as a public service, to building and fostering the
rule of law;
I will welcome requests for guidance and advice.
Honor:
I recognize the honor of the legal profession and will always act in a manner consistent with the
respect, courtesy, and weight that it deserves. As such,
I will be guided by what is best for my client and the interests of justice, not what
advances my own financial interests;
I will be a vigorous and zealous advocate on behalf of my client, but I recognize that, as
an officer of the Court, excessive zeal may be detrimental to the interests of a properly
functioning system of justice;
I will remember that, in addition to commitment to my client's cause, my responsibilities
as a lawyer include a devotion to the public good;
I will, as a member of a self-regulating profession, report violations of the Rules of
Professional Conduct as required by those rules;
I will protect the image of the legal profession in my daily activities and in the ways I
communicate with the public;
I will be mindful that the law is a learned profession and that among its desirable goals
are devotion to public service, improvement of administration of justice, and the
contribution of uncompensated time and civic influence on behalf of those persons who
cannot afford adequate legal assistance; and
I will support and advocate for fair and equal treatment under the law for all persons,
regardless of race, color, ancestry, sex, pregnancy, religion, national origin, ethnicity,
disability, status as a veteran, age, gender identity, gender expression or marital status,
sexual orientation, or creed and will always conduct myself in such a way as to promote
equality and justice for all.
Nothing in these Principles shall supersede, supplement, or in any way amend the Rules of
Professional Conduct, alter existing standards of conduct against which a lawyer’s conduct might
be judged, or become a basis for the imposition of any civil, criminal, or professional liability.
3
Page 5 of 58E‐DISCOVERY 101 – PRESERVATION TO TRIAL PRESENTATION
Connecticut Bar Association CLE
November 12, 2020
Presenters: James Berriman, Esq.; Dana Conneally, Esq.
E‐DISCOVERY 101 ‐ Topics and Schedule
10:00 AM ‐ 10:20 AM (20 minutes)
Evolution of the discovery process: paper to electronic to forensics to analytics
The primary categories: active‐file ediscovery vs forensic ediscovery
10:20 AM ‐ 10:40 AM (20 minutes)
The traditional methodology of active‐file ediscovery
The EDRM workflow (Electronic Discovery Reference Model)
How the attorney controls cost and scope in the EDRM model
10:40 AM ‐ 11:10 AM (30 minutes)
The methodology of forensic ediscovery
A sample case scenario: commercial data theft
Basic low‐cost elements of forensic analysis
11:10 AM ‐ 11:20 AM (10 minutes)
Introduction to discovery of social media
11:20 AM ‐ 11:35 AM (15 minutes)
Introduction to trial technology objectives and methods
11:35 AM ‐ 11:50 AM (15 minutes)
Introduction to technology‐assisted review
11:50 AM ‐ 12:00 PM (10 minutes)
Introduction to ediscovery of cloud‐based data
Questions and Answers
Page 6 of 58eDiscovery 101 – Collection to Trial Presentation
November 12, 2020
Speaker Bios
James Berriman
James Berriman is an attorney admitted to practice in the state and federal courts of
Massachusetts. He is a certified forensic examiner in digital forensics (EnCE) and has been in the
field of litigation technology since 1982. He was formerly the founder and director of the
Litigation Technology Group at Goodwin Procter LLP and was the co-founder and CEO of
Evidox, a Boston-based ediscovery provider. He has taught Ediscovery and Advanced Civil
Procedure at Boston University School of Law, is an annual guest lecturer in the Boston
University digital forensics graduate program, and has conducted over 50 CLEs on ediscovery,
forensics, metadata, and trial technology. He is currently a consulting expert with Xact Data
Discovery.
Dana Conneally
Dana Conneally is a Managing Director at Xact Data Discovery (XDD). Prior to XDD’s
acquisition of Evidox, Dana served as the Chief Strategy Officer at Evidox Corporaton, a leading
provider of ediscovery services. Before joining Evidox, Dana was National Manager of
Litigation Technology, Goodwin Procter LLP. He has been managing complex litigation
discovery projects since 2000.
His experience includes electronic data preservation, collection, review, production, and digital
forensics. At Evidox, Dana is responsible for identifying developing technologies that can be
utilized to mitigate risk, increase productivity, and reduce costs related to the discovery process.
He received his law degree from Suffolk University School of Law and his B.A. from Gordon
College.
Brian Dillon
As an eDiscovery Director at Xact Data Discovery, Brian Dillon is responsible for the
company’s strategic business development in the Northeast. He has significant experience
assisting law firms and corporations on a range of complex litigation matters. Prior to joining
Xact, Brian has several years of experience in the industry, managing eDiscovery projects in
NYC and servicing clients throughout the world. Brian has also worked with multiple
government agencies throughout the U.S.
1
Page 7 of 58
Classified as PubliceDiscovery 101:
From Preservation to Trial
Connecticut Bar Association CLE
March 21, 2020
Presented by:
James Berriman, Esq., EnCE
Dana Conneally, Esq., EnCE
Xact Data Discovery
03-10-2020 Page 1
A Preliminary Comment
“Issue spotting” applies to the practice of
ediscovery just as to any other field of law.
How do we spot issues? Same as always:
• Abstraction
• Conceptualization
• Pattern recognition
• Focus on scenarios
03-10-2020 Page 2
The Evolution of Discovery
Paper Discovery
to
Active-File Ediscovery
to
Forensic Ediscovery
03-10-2020 Page 3
Page 8 of 58
11. Traditional Paper Discovery
• Source files are manually collected, copied
• Attorney conducts "linear" review - top to bottom
• Attorney "tags” for relevance, issues, privilege
• Manual annotations, post-it notes
• Tagged documents are pulled, numbered,
endorsed, redacted, copied again for production
• Copies are produced (as many copies as parties)
• Privilege log is created manually
03-10-2020 Page 4
1. Traditional Paper Discovery
• “Sizing” the traditional paper case
• Standard unit - the Banker’s Box
Data equivalents:
• 1 box = 10 MB
• 10 boxes = 100 MB
• 100 boxes = 1 GB
• (Based on max. 5,000 characters per full page, 80 x 60)
03-10-2020 Page 5
2. The Ediscovery Epiphany
• Many paper documents were originally electronic
• Printed from email, word processed files, etc.
• What if we stopped printing everything?
• What if we focused on the electronic sources?
• Same philosophy, same goal, better tools:
• Automated collection, searching, sorting,
deduping, analytics, copying, production
• The digital extension of traditional paper discovery
03-10-2020 Page 6
Page 9 of 58
23. Forensics: A New Type of Evidence
• Not just traditional “documentary” evidence
• You can also analyze digital artifacts & history
• Data about the documents:
• Metadata, doc properties, envelope data
• What was done with a computer:
• Files deleted, apps run, searches run
• What was done with a cellphone:
• Phone logs, geolocation data, web history
03-10-2020 Page 7
Ediscovery is “Custodian-Centric” (1 of 2)
• F.R.Civ.P. 26: Must produce “all ... electronically
stored information ... that the disclosing party has
in its possession, custody, or control and may
use to support its claims or defenses”
• The person with “posession, custody, or control”
is called a “custodian”
• Ediscovery (like all discovery) is inherently
custodian-centric
03-10-2020 Page 8
Ediscovery is “Custodian-Centric” (2 of 2)
• A custodian typically has login credentials to the
relevant repositories (email accounts, online
accounts, cellphone accounts, etc.)
• A custodian often has physical possession of the
relevant devices (cell phones, laptops, etc.)
• A custodian often has virtual possession of online
resources (Dropbox, webmail, etc.)
• By identifying the relevant custodians, you also
identify the relevant repositories
03-10-2020 Page 9
Page 10 of 58
3Two Major Categories of Ediscovery
Active-File Forensic
Ediscovery Ediscovery
03-10-2020 Page 10
Active-File Ediscovery
Scope of Active-File Ediscovery:
• “Active” files -- not deleted files
• “User” files -- not system files
• In short: “human readable” files
• Created by users, accessed by users
• Usually in “business-oriented” formats
• Emails, word-processed documents,
spreadsheets, presentations, media files, etc.
03-10-2020 Page 11
Active-File Ediscovery
Scope of Active-File Ediscovery:
• Communications, reports, financials, marketing
materials, work product, etc.
• In short: electronic business records
• The digital equivalent of traditional paper files
• Often highly voluminous
• Relevance depends on substantive content
03-10-2020 Page 12
Page 11 of 58
4Active-File Ediscovery
What matters is
“on the face of the document”
03-10-2020 Page 13
Active-File Ediscovery
Evidence “on the Face of the Document”:
• What is stated in this communication?
• What are the terms of this offer?
• What are the warranties in this contract?
• What is the scope of this specification?
• What is the invention claimed in this patent?
• What is represented in this advertisement?
03-10-2020 Page 14
Active-File Ediscovery
This is traditional legal issue-spotting:
Relevance, Materiality, Privilege
These determinations do not require
technical expertise regarding the
electronic format of the document
These determinations are made
by the lawyer
03-10-2020 Page 15
Page 12 of 58
5Two Major Categories of Ediscovery
Active-File Forensic
Ediscovery Ediscovery
03-10-2020 Page 16
Forensic Ediscovery
Scope of Forensic Ediscovery:
• A different goal and a different methodology
• To look behind the face of the active user files
• To assess the digital context of the evidence
• To assess conduct (or misconduct) of the user:
• What the user did with the documents
• What the user did with the computer
03-10-2020 Page 17
Scope of Forensic Ediscovery (1 of 5)
• Spoliation:
• Was relevant evidence deleted?
• When? By whom?
• Can it be recovered?
• Authenticity:
• Is the document authentic?
• Edited? Altered?
• Fabricated?
03-10-2020 Page 18
Page 13 of 58
6Scope of Forensic Ediscovery (2 of 5)
• History:
• When was the file actually created?
• When? By whom?
• Edited? Printed? Other versions?
• Access:
• Who accessed the document?
• From where? When?
03-10-2020 Page 19
Scope of Forensic Ediscovery (3 of 5)
• Transmittal:
• Was the file copied to a USB device?
• Was the file attached to an email?
• Was the file uploaded to DropBox?
• Was the file converted to PDF?
• Was the file printed?
03-10-2020 Page 20
Scope of Forensic Ediscovery (4 of 5)
• User Activity:
• What was the user doing a certain date and
time?
• What applications did the user install? Use?
• What web sites did the user visit?
• What searches did the user conduct?
• What communications did the user have?
03-10-2020 Page 21
Page 14 of 58
7Scope of Forensic Ediscovery (5 of 5)
• Cell Phones & Tablets:
• What is the user’s call history?
• Where did the user travel?
• What WiFi locations did the user access?
• Texts, contacts, photos, videos?
03-10-2020 Page 22
Sources of Forensic Evidence (1 of 2)
• File system metadata (creation date, saved date)
• The “Master File Table” in Windows systems
• System caches (automatic system copies):
• Browser caches, shadow copies, temp files,
hibernation files, page files
• System databases (like the Windows Registry)
• USB connection data, user settings, application
settings
03-10-2020 Page 23
Sources of Forensic Evidence (2 of 2)
• System logs:
• Event logs (system event history)
• Office Alert logs (all user warnings)
• Index.dat (document and search history)
• Technical data within files (transmission headers,
access logs, internal attributes)
• Unallocated space:
• Residue of deleted data and past disk activity
03-10-2020 Page 24
Page 15 of 58
8Forensic Ediscovery
This requires technical issue-spotting
and technical expertise
These determinations are made
by the forensic expert
03-10-2020 Page 25
Active-File vs. Forensic Ediscovery
Active-File Ediscovery Forensic Ediscovery
Where is the Active user documents Digital environment
evidence? (electronic business records) of hard drive or device
What is the Substantive content User conduct (or misconduct)
focus? on face of documents behind face of documents
What is the
Find relevant documents Find technical clues
objective?
What kind of
Legal issue-spotting Technical issue-spotting
expertise?
Who does the
Lawyer (with technical help) Forensic expert (with legal help)
assessment?
What is the
Document production Expert opinion / report
result?
03-10-2020 Page 26
The Traditional
Methodology
of Active-File
Ediscovery
03-10-2020 Page 27
Page 16 of 58
9The EDRM Workflow
03-10-2020 Page 28
Major Repositories of Electronic Evidence
Mail File Database Web Cloud DR Backups
Server Servers Servers Server Repositories
Archives
Workstations Portable Devices Media
03-10-2020 Page 29
Active-File Ediscovery: The Methodology
• Identify relevant custodians
• Identify relevant repositories (custodian-centric)
• Implement preservation plan (repository-centric)
• Interview custodians (learn criteria for relevance)
• Select sub-repositories of interest
• Develop culling and processing criteria
• Conduct disclosures / preliminary conference
• Create review set (culled, deduped, processed)
• Review documents for actual responsiveness
• Produce responsive subset
03-10-2020 Page 30
Page 17 of 58
10Traditional (Keyword) Winnowing Process
• Entire Client Network (all sources)
• Preserved Subset (broad; all potentially-relevant custodians/repositories)
• Selected Subset (initial priority selections; can be supplemented iteratively)
• Processed Subset (per objective criteria) = Review Set
• Responsive Subset (per subjective review) = Production Set
• Incoming Production (added to review platform)
• Trial Subset (post-depositions, post-discovery, key documents)
1
Review Production Incoming Trial
Platform Set Production Exhibits
03-10-2020 Page 31
The EDRM Workflow
03-10-2020 Page 32
How the Attorney Controls
Cost in Active-File Ediscovery
03-10-2020 Page 33
Page 18 of 58
11How the Attorney Controls Cost
Basic Concepts of Cost Control:
• Valuation
• Proportionality
• Selection
• Completeness vs Undue Burden
03-10-2020 Page 34
How the Attorney Controls Cost
Implementation of Cost Control Concepts:
• Preserve broadly - your protection
• Identify highest-priority subsets
• Develop & test criteria to meet target cost
• Disclose criteria to opposing counsel
• Negotiate and finalize first-pass criteria
• Agree to consider supplemental requests
• Go back to preserved pool as necessary
03-10-2020 Page 35
The General Methodology
of Forensic Ediscovery
(We will focus on Windows systems)
03-10-2020 Page 36
Page 19 of 58
12The Basics: What is a Byte?
• Think of a byte as a single “character”
• Letter, number, symbol
• Control or formatting code (tab, return, etc.)
• Unit of data or value
03-10-2020 Page 37
The Basics: What is a Sector?
• A sector is the smallest storage unit that a hard
drive can physically read or write
• 512 bytes per sector is a common size
• This allows the system to handle bytes in groups
• It allows a smaller number of storage addresses
and faster data handling
03-10-2020 Page 38
The Basics: What is a Cluster?
• A cluster is the smallest storage unit handled by a
file system
• It cannot be smaller than one sector (because that
is a physical limitation of the hard drive)
• 8 sectors per cluster (4096 bytes) is common
• This allows the file system to be configured to
handle bytes in larger groups than a sector
• Cluster size is set during formatting; it is a trade-off
between efficiency and economy of space
03-10-2020 Page 39
Page 20 of 58
13Large Versus Small Clusters
• Jim's school bus analogy:
• Sending children by one school bus versus
many individual taxis
• Group efficiency at the cost of empty seats
• Jim's post-it note analogy:
• Small post-it notes versus large post-it notes
• Need many small ones to do the job of one
large one, but one large one may be wasted for
a small note
03-10-2020 Page 40
Cluster Scenario
• The following scenario is an over-simplification, a
conceptual schematic.
• It shows bytes and clusters but omits sectors.
• The principles of space allocation are the same.
03-10-2020 Page 41
An Unformatted Drive
• An unformatted “drive”
• Lots of byte locations (3200 bytes)
• No clusters
• No files
03-10-2020 Page 42
Page 21 of 58
14A Formatted Drive
• A formatted drive
• Same number of byte locations
• Now grouped into 50 clusters
• 64 bytes per cluster in this example
• Fewer addresses to worry about
• Still no files
• All clusters are therefore “unallocated”
03-10-2020 Page 43
A File on a Formatted Drive
• Here is a file (blue)
• It occupies 1 cluster
• That cluster is “allocated” to the file
• “Logical” size (blue) = 54 bytes
• “Physical” size (cluster) = 64 bytes
• “Leftover” space = “slack” = 10 bytes
• “Unallocated” space = 49 clusters
03-10-2020 Page 44
A File on a Formatted Drive
• The file is now larger (blue)
• It occupies 2 clusters
• Those 2 clusters are “allocated”
• “Logical” size (blue) = 100 bytes
• “Physical” size (clusters) = 128 bytes
• “Leftover” space = “slack” = 28 bytes
• “Unallocated” space = 48 clusters
03-10-2020 Page 45
Page 22 of 58
15A File on a Formatted Drive
• The file is now even larger (blue)
• It occupies 4 clusters
• Those 4 clusters are “allocated”
• “Logical” size (blue) = 193 bytes
• “Physical” size (clusters) = 256 bytes
• “Leftover” space = “slack” = 63 bytes
• “Unallocated” space = 46 clusters
03-10-2020 Page 46
The Basics: The File System & File Deletion
What happens when you “format” a drive?
• A new drive has “capacity” (e.g., 100 GB)
• But it has no file system yet
• It has “bytes” and “sectors” but no “clusters”
• When you format a drive:
• The cluster size is defined (e.g., 4K)
• The clusters are mapped and addressed
• A Master File Table (MFT) is created
03-10-2020 Page 47
The Basics: The File System & File Deletion
The Master File Table
• The MFT is itself a file
• Think of it as the “Table of Contents” for the drive
• Contains a data record for each file on the drive
• Points to file’s address (the clusters that store it)
• Contains many fields of metadata about each file
• Metadata = data about the file, not on the face of
the document
03-10-2020 Page 48
Page 23 of 58
16The Basics: The File System & File Deletion
Metadata in the Master File Table
• File name, file extension, full path
• Status: active or deleted
• Type: file or folder (a folder is a special type of file)
• Dates/times of creation, last access, last save
• Attributes (read only, hidden, system)
• Permissions (which users can access, save)
• Logical size (size of the document's own bytes)
• Physical size (in whole cluster increments)
03-10-2020 Page 49
The Basics: The File System & File Deletion
• Does any of this sound familiar? It should.
• MFT is the source of Windows Explorer data:
• Filenames, extensions
• Datestamps
• Attributes
• All from the MFT
03-10-2020 Page 50
The Basics: The File System & File Deletion
• MFT is also the source
of “Properties” data in
Windows Explorer:
• “Size” = logical size
• “Size on disk” = physical size
• Datestamps
• Attributes
• All from the MFT
03-10-2020 Page 51
Page 24 of 58
17A Disgruntled Employee Scenario
03-10-2020 Page 52
A Disgruntled Employee Scenario
03-10-2020 Page 53
A Disgruntled Employee Scenario
03-10-2020 Page 54
Page 25 of 58
18A Disgruntled Employee Scenario
03-10-2020 Page 55
A Disgruntled Employee Scenario
03-10-2020 Page 56
A Disgruntled Employee Scenario
03-10-2020 Page 57
Page 26 of 58
19A Disgruntled Employee Scenario
03-10-2020 Page 58
A Disgruntled Employee Scenario
03-10-2020 Page 59
A Disgruntled Employee Scenario
03-10-2020 Page 60
Page 27 of 58
20A Disgruntled Employee Scenario
03-10-2020 Page 61
A Disgruntled Employee Scenario
03-10-2020 Page 62
A Disgruntled Employee Scenario
03-10-2020 Page 63
Page 28 of 58
21A Disgruntled Employee Scenario
03-10-2020 Page 64
A Disgruntled Employee Scenario
03-10-2020 Page 65
A Disgruntled Employee Scenario
03-10-2020 Page 66
Page 29 of 58
22A Disgruntled Employee Scenario
If this were a system drive (C:\ drive)
it would also contain system files,
system caches, executables, drivers,
libraries, icons, help files ….
03-10-2020 Page 67
A Disgruntled Employee Scenario
03-10-2020 Page 68
A Disgruntled Employee Scenario
Active-File Ediscovery:
• Only the active user files
• Not system files
• Not slack space
• Not unallocated space
03-10-2020 Page 69
Page 30 of 58
23A Disgruntled Employee Scenario
Forensic Ediscovery – Everything:
• Active user files
• System files
• Slack space
• Unallocated space
03-10-2020 Page 70
Forensic Ediscovery: The Methodology
Forensic Preservation:
• Objective: to preserve the exact existing state of
the entire digital storage device
• Every byte in every cluster, top to bottom
• Do not boot it up, do not turn it on:
• This could change the state
• Use a “write blocker” to avoid changes
• Use specialized forensic preservation software
03-10-2020 Page 71
Forensic Ediscovery: The Methodology
Forensic Preservation:
• This approach preserves everything:
• The Master File Table
• All active user files
• All active system files and caches
• All recoverable deleted files, user and system
• All residue of past disk activity
• All slack space (“unused” space at cluster end)
• All unallocated space
03-10-2020 Page 72
Page 31 of 58
24Forensic Ediscovery: The Methodology
Forensic Preservation:
• The resulting archive is called a “forensic image”
• Call it a “forensic image” (a well-defined term)
• Do not call it a “mirror” (an ambiguous term)
• A forensic image basically converts the entire
digital storage area into one huge searchable file
• The forensic expert can search, scroll through,
and review the entire space at the byte level
03-10-2020 Page 73
What You Can Do
With a Forensic Image
at Minimal Expense
(Using Windows Examples)
03-10-2020 Page 74
Forensic Analysis: The Basics
Extract and Review MFT Contents:
• MFT contents can be extracted in Excel format
• You can review the name of every file and folder
listed in the MFT, both active and deleted
• You can sort by any of the fields of data
• You can run searches on the file names and folder
names (not the files themselves)
• Tremendous bang for the buck
03-10-2020 Page 75
Page 32 of 58
25Forensic Analysis: The Basics
Sort the MFT to Find Interesting Data:
• Sorting by full path allows you to find the user
accounts and see the names of the files and icons
on the desktop and the user folders
• Sorting by extension allows you to see the names
of the user files (PDF, DOCX, XLSX, etc.)
• Sorting by date allows you to see the last activities
before the computer was shut down
03-10-2020 Page 76
Forensic Analysis: The Basics
Extract Active User Files:
• Remember: A forensic image ALSO contains all of
the active user files: Word documents, PDFs,
Excel spreadsheets, PowerPoint decks
• Have them extracted so you can review them just
like normal active-file ediscovery
03-10-2020 Page 77
Forensic Analysis: The Basics
Extract Mailboxes:
• A forensic image often contains a local copy of the
user’s active mailbox (*.ost) and archives (*.pst)
• Have them extracted so you can review them just
like normal active-file ediscovery
03-10-2020 Page 78
Page 33 of 58
26Forensic Analysis: The Basics
Extract Recoverable Deleted User Files
• A forensic image also contains all recoverable
deleted files (i.e., not yet overwritten)
• Have them restored and extracted so you can
review them just like normal active-file ediscovery
03-10-2020 Page 79
Forensic Analysis: The Basics
Recent Link Analysis:
• Windows automatically creates “Recent Links” that
point to recently-accessed user files
• Recent Links store information regarding full path
and access date for each accessed file, even if the
file itself has been deleted or was never located
on that computer
• A “Link Analysis” extracts that information and
provide you with a report that shows the user’s file
access history
03-10-2020 Page 80
Forensic Analysis: The Basics
History Analyses:
• Windows maintains “history” data on files, network
locations, and URLs accessed by users
• These are found in History files, NTUSER.dat files,
Index.dat files, and other system logs
03-10-2020 Page 81
Page 34 of 58
27Forensic Analysis: The Basics
USB Analysis:
• The Windows Registry keeps track of every USB
device ever attached to the computer
• This includes the type of device, manufacturer,
model number, serial number, date of installation
• You can see what USB devices the user attached
and when
• Especially useful in a data theft or spoliation
scenario
03-10-2020 Page 82
Forensic Analysis: The Basics
Prefetch Analysis:
• Windows stores data about the applications that
the user runs in order to help them launch faster
• This data can be analyzed to show which apps
were run, how many times they were run, and
when they were most recently run
• They can show things such as whether the user
ran a file clean-up utility before producing the
computer
03-10-2020 Page 83
Forensic Analysis: The Basics
Print Spooler Analysis:
• When documents are sent to the printer, they are
stored as temporary graphic files to await printing
• These files can sometimes be recovered, allowing
you to see what documents the user sent to the
printer
03-10-2020 Page 84
Page 35 of 58
28Forensic Analysis: The Basics
Event Log Analysis:
• Windows maintains system logs that keep track of
various system events
• These can show when a computer was booted up,
when an application was installed, when a device
was installed, when a file was accessed, etc.
• “Office Alerts” event log analysis: Windows stores
the content of every Office Alert, with datestamps.
• (“Are you sure you want to delete that folder?”)
03-10-2020 Page 85
Forensic Analysis: The Basics
Carve and Recover Deleted Files:
• If a deleted file is no longer accessible through the
file system, it may be recovered with file carving
• This involves searching for the characteristic
“header” at the beginning of the file type (e.g.,
%PDF for PDF files) and then extracting the bytes
that follow
03-10-2020 Page 86
Forensic Analysis: The Basics
Run keyword searches in unallocated space
• Even if a deleted file is partially overwritten (and
therefore not recoverable as a “file”) it is possible
that surviving fragments contain searchable text
• Embedded text in user files is often in standard
ASCII or Unicode formats
• This text remains human readable and searchable
even if the surrounding formatting is lost
03-10-2020 Page 87
Page 36 of 58
29Cellphone Analysis: The Basics
• Cellphones typically use a database system rather
than a traditional file system to store data and files
• A cellphone can be forensically preserved in a
manner similar to a computer
• The cellphone’s database can then be extracted
and parsed to generate a comprehensive report of
user activity
03-10-2020 Page 88
Cellphone Analysis: The Basics
• A cellphone report can include:
• All texts, organized by sender/recipient
• Call logs, incoming and outgoing
• WiFi connection history
• Location history
• Photographs and videos
• Application installation history
• Web browser history
• Saved files
03-10-2020 Page 89
Forensic Analysis: The Basics
Advanced Analysis
• There are many other things that a forensic expert
can do, depending on circumstances, objectives,
and budget
03-10-2020 Page 90
Page 37 of 58
30Online & Social Media - Overview
Active-File Forensic
Ediscovery Ediscovery
Online &
Social Media
03-10-2020 Page 91
Online & Social Media Ediscovery
Scope of Online & Social Media:
• Typically hosted on web sites: Facebook, Twitter,
YouTube, Instagram, Reddit, etc.
• Typically personal rather than business-oriented
• Typically interactive (i.e., users can comment)
• Typically dynamic (frequent updates & deletes)
• Can be public, semi-public, or private
• Sometimes anonymous or semi-anonymous
03-10-2020 Page 92
Online & Social Media Ediscovery
Scope of Online & Social Media:
• Social media is a hybrid:
• It is like Active-File Ediscovery in that
relevance is typically “on the face” of the
document (i.e., the web page content)
• It is like Forensic Ediscovery in that the
methods of preservation and analysis typically
require forensic expertise
03-10-2020 Page 93
Page 38 of 58
31Online & Social Media Ediscovery
Special Issues with Social Media Ediscovery:
• A social media website is essentially an
“application” accessed remotely through a web
browser
• The custodian’s access is therefore constrained
by the limitations of the interface and the tools
and settings supplied by the provider
• Certain data regarding the site (e.g., server logs,
connection history, IP addresses) might not be
available to the user
03-10-2020 Page 94
Introduction to
Trial Technology
03-10-2020 Page 95
The Objectives
• To persuade
• To change someone's mind (judge / jury)
• Using evidence and argument
What is the role of technology?
• It is an "evidence delivery" medium
• It is an "evidence enhancement" medium
03-10-2020 Page 96
Page 39 of 58
32How Technology Enhances Evidence
• Access: You can store everything
• Immediacy: near-instant recall of evidence
• Fluidity: no clumsy paper shuffling
• Speed: display without manual distribution
• Orientation: Easily show identifying criteria
• Focus: Jump straight to the relevant parts
• Clarity: Use callouts and highlighting tools
• Dynamism: Real-time coordination with the
testimony of the witness
03-10-2020 Page 97
The 3 Purposes of Trial Evidence
• To Establish
• To Corroborate
• To Contradict
Technology enhances all 3 purposes
Especially when using a split-screen to show
either corroboration or contradiction between
two items of evidence
03-10-2020 Page 98
17 U.S.C. 101 vs 1976 House Report
03-10-2020 Page 99
Page 40 of 58
3317 U.S.C. 101 vs 1976 House Report
03-10-2020 Page 100
17 U.S.C. 101 vs 1976 House Report
03-10-2020 Page 101
17 U.S.C. 101 vs 1976 House Report
03-10-2020 Page 102
Page 41 of 58
3417 U.S.C. 101 vs 1976 House Report
03-10-2020 Page 103
The Trial Support Objective
Avoid Disasters!
• Avoid technical disasters
• Avoid logistical disasters
• Avoid effectiveness disasters
• Avoid legal disasters
03-10-2020 Page 104
Elements of a Mobile Trial Setup
• Sources of evidence (e.g., digital files)
• Evidence control software (TrialDirector)
• Evidence display devices
• Switching and connecting devices
• Ancillary devices
03-10-2020 Page 105
Page 42 of 58
35Sources of Evidence
• Live testimony - introduces the other kinds
• Electronic files in production format (TIFF)
• Electronic files in native formats
• Transcripts of past testimony
• Media files (photos, depo video, animations)
• Demonstratives, summaries, chalks
• Paper documents, physical evidence
03-10-2020 Page 106
Evidence Control Devices
• Call up the evidence, control it, and send it
to the display device
• Often stores the evidence too
• Examples:
• Laptop
• Tablet
• Touch screen
• Document camera
• Video playback devices
03-10-2020 Page 107
Software for “Static” Presentations
• Primary tool: PowerPoint
• Linear display order (slideshow)
• Best for "scripted" presentations (opening,
closing, direct, expert testimony)
• Slides are made in advance
• Very precise design control
• Ability to add captions and labels
• Labor-intensive and time-consuming
• Easy to use in the courtroom
03-10-2020 Page 108
Page 43 of 58
36Software for “Dynamic” Presentations
• TrialDirector, Sanction, etc.
• Random access (non-linear)
• Good for less-predictable examinations
(crossing an adverse witness)
• Can use with huge repositories
• Realtime markup tools
• Less precise design control
• No heavy advance labor
• More skill required to use
03-10-2020 Page 109
Video Playback
• Static or dynamic (PPT or TrialDirector, etc.)
• Can synchronizes video with transcript
• Transcript scrolls like captioning
• Words plus text adds clarity
• Easy to jump to page-line coordinates
• Easy to make video excerpts and clips
• Clips can be called up in real time like other
evidence
03-10-2020 Page 110
Evidence Display Devices
• Projector and screen (shadow issues)
• Large flat screen
• Individual screens for judge, clerk, steno,
podium, counsel tables, tech, jury, gallery
• Speakers for audio playback
03-10-2020 Page 111
Page 44 of 58
37Switching and Connection
• To controls which input device is active
• To controls which displays are active
• Switches between parties
• A matrix of inputs and outputs
• "Kill switch" to isolate jury
03-10-2020 Page 112
Other Critical Things
• Hardcopies. Your team will always need
physical copies of the documents displayed
electronically
• To be marked for the record
• If judge wants a copy
• If something goes wrong
• Clean memory keys. The parties are often
called upon to exchange data.
03-10-2020 Page 113
Pretrial Checklist
• Contact info
• Judge’s protocols
• Security protocols
• Courtroom schedule
• Courtroom survey / sketch
• Existing equipment
• Stenographer
• Vendor cost sharing
03-10-2020 Page 114
Page 45 of 58
38Introduction to
Technology-Assisted Review
03-10-2020 Page 115
Technology-Assisted Review
Active-File Forensic
Ediscovery Ediscovery
03-10-2020 Page 116
Technology-Assisted Review
Active-File Forensic
Ediscovery Ediscovery
Straight With With
Linear Clustering- TAR
Review Threading
03-10-2020 Page 117
Page 46 of 58
39Linear Review
• Electronic equivalent of banker's box review
• Linear - straight through the document set
• Tagging - electronic equivalent of yellow stickies
• Responsive / non-responsive
• Privileged / non-privileged
• Issue coding
• Hot documents
• Batch coding
03-10-2020 Page 118
Clustering - Threading
• An algorithmic process is run
• The process identifies "similar" documents
• Also known as "near duplicates"
• The process applies an arbitrary "pivot" value
• Similar documents have closely-grouped values
• Dissimilar documents have distant values
• If you sort by pivot value, the similar documents
will be grouped together
03-10-2020 Page 119
Clustering - Threading
Benefits of clustering:
• Similar documents can be found even if they
come from different repositories (different
custodians, different mailboxes)
• Multiple drafts of the same document
• Standardized forms
• Email threads
• A single reviewer can review all similar
documents -- promotes consistent coding
03-10-2020 Page 120
Page 47 of 58
40Technology Assisted Review ("TAR")
• A random sample of documents (e.g., 2000
"family" sets) is taken across all custodians and
repositories
• A single "expert" reviewer codes the sampling
for relevance
• This is now regarded as the "seed" set
• An algorithmic process is run that uses the seed
set to predict relevance in the larger universe
03-10-2020 Page 121
Technology Assisted Review ("TAR")
• The predictively-coded universe will be
generally grouped into three categories:
• Those predicted to be likely relevant
• Those predicted to be likely irrelevant
• Those that remain uncertain
• There are no "bright lines" -- just likelihoods
• Subsequent review and coding can be used to
improve the results
03-10-2020 Page 122
Technology Assisted Review ("TAR")
Likely Likely
Irrelevant Relevant
Documents
Uncertain
Relevance
03-10-2020 Page 123
Page 48 of 58
41When Does TAR Make Sense?
• Very large documents sets
• Low percentage of relevance
• Amorphous criteria for relevance (i.e., relevance
is not well-correlated with objective criteria)
• Willingness to rely on the process to avoid
review of irrelevant documents (otherwise, you
are just going to do a linear review anyway)
• Cost of process lower than cost of linear review
03-10-2020 Page 124
When Does TAR Not Make Sense?
• Smaller documents sets
• High percentage of relevance (e.g., subject-
specific folders; critical custodians)
• Well-defined criteria for relevance
• Good correlation between relevance and
keywords and other objective criteria
• Lawyer's (or client's) insistence upon reviewing
everything anyway
03-10-2020 Page 125
When Your Evidence
Is In the Cloud
03-10-2020 Page 126
Page 49 of 58
42Traditional Corporate Network Repositories
“Possession, Custody, or Control”
03-10-2020 Page 127
Traditional Corporate Network Repositories
Mail File Database Web DR Backups
Server Servers Servers Server
Archives
Workstations
03-10-2020 Page 128
Traditional Corporate Network Repositories
Mail File Database Web DR Backups
Server Servers Servers Server
Archives
The “Four Walls”
of the Network.
The evidence
lives at home.
Workstations
03-10-2020 Page 129
Page 50 of 58
43Pros and Cons of the Traditional Network
Pros:
• Complete and direct dominion and control
Cons:
• Capital intensive (hardware, software)
• Labor intensive, maintenance intensive
• Expertise, staff, payroll
• Requires budget allocations and approvals
• Requires major lead time
• Security obligations, patching, defensive systems
03-10-2020 Page 130
The Original Corporate View of the Internet
Internet
Two primary functions:
• Email communications
• Access to online content
Evidence still lived at home.
03-10-2020 Page 131
The Beginning of the “Cloud” Conception
• Transition from "static" (read-only) to "dynamic"
(interactive) web technology
• Database-backed web sites proliferate
• Ability to embed logical elements in web pages;
scripting languages; Java
• Result: The ability to build applications that can
run in the web browser and use remote
databases and resources
• "Salesforce" and "Dropbox" type applications
03-10-2020 Page 132
Page 51 of 58
44Corporate Networks Offload Functions
03-10-2020 Page 133
Attractions of Cloud-Based Services
• No capital expenditures, no capex budget
• Just a monthly expense
• Fast implementation
• No server maintenance, no updates to test
• Always the latest version
• Less need for in-house administrative expertise
• Reduced headcount/payroll issues
• Security obligations are the vendor’s
03-10-2020 Page 134
Characteristics of Many Cloud Systems
• Standalone apps rather than integration
• Access via a web page; limited browser interface
• Often no direct control of the remote system
• Often no administrative access; only user access
• Often no access across multiple accounts
• You must trust the vendor on backups
• You may need to rely on vendor for exports
• You may own the data, but you don't own the
system that runs your data
03-10-2020 Page 135
Page 52 of 58
45Characteristics of Cloud-Based Access
“Possession, custody, or control” is indirect
03-10-2020 Page 136
A Scenario
The company is an advertising company
• They create multimedia content
• They conduct product campaigns
• Technology intensive; network intensive
• Demanding clients; fast-moving projects
• Friction between creative and administrative
• Frustration with corporate bureaucracy
03-10-2020 Page 137
A Scenario
The creative division begins to use the Cloud
• Cloud-based storage for large video projects
• Cloud-based FTP to transfer data to customers
• Online collaboration tools
• Online video distribution platforms
• Promotional blogging for customers
• Online networking
• Astroturfing through online review sites
03-10-2020 Page 138
Page 53 of 58
46A Scenario
The sales division catches on
• Cloud-based prospecting and sales databases
• Cloud-based document sharing: sales materials,
proposals, responses to RFIs, contracts
• Cloud-based evites and event scheduling
• Cloud-based text and communication apps
• Use of web mail when traveling
03-10-2020 Page 139
A Scenario
A few complications arise
• Adoption is bottom-up, not top down
• Each user is researching and choosing their own
providers
• Sometimes, different users choose different
providers for the same type of service
• Sometimes, users change providers
• There is turnover at the company
03-10-2020 Page 140
A Scenario
Company administration gets worried
• The GC starts to worry about compliance with
corporate retention and destruction policies
• The CIO starts to worry about company data no
longer under the direct control of company IT
• The CMO starts to worry about lack of
governance and oversight
• But the CEO loves the company's new-found
flexibility and reduced expenses
03-10-2020 Page 141
Page 54 of 58
47A Scenario
Disaster strikes
• A high-profile lawsuit
• Multiple allegations of fraud & misrepresentation
Discovery is demanded:
• All marketing materials for the relevant period
• All proposals and draft contracts
• All communications with certain customers
• All advertisements, videos, and campaign
materials for certain customers
03-10-2020 Page 142
What Did Outside Counsel Learn?
• No one had overall knowledge of how the
company's cloud repositories were organized.
• No one had a master list of all cloud vendors,
past and present.
• No one had a master list of all login
credentials for the cloud-based systems.
• There was no "data map" of the company's
outsourced collections. Everything was ad
hoc, often at the individual user level.
03-10-2020 Page 143
What Did Outside Counsel Learn?
• There was no easy way to perform server-
level preservation operations.
• There was no way to perform server-level
"batch" operations, like keyword searching,
since each repository was a separate island.
• Each repository had to be addressed
separately.
03-10-2020 Page 144
Page 55 of 58
48What Did Outside Counsel Learn?
• There were no historic archives of the
outsourced collections. At most, there were
only short-term disaster recovery backups.
• There were no historic archives of web mail
contents other than the current contents.
• There was no way to recover web mail
contents of long-departed employees.
• There was no way to recover the contents of
abandoned storage and data systems.
03-10-2020 Page 145
What Did Outside Counsel Learn?
• For many systems, there was no
administrative access; the only access was
through the end-user web interface.
• This meant that the contents of each system
had to be laboriously preserved one at a time.
03-10-2020 Page 146
What Did Outside Counsel Learn?
• For some of the collaborative systems, there
were no archival copies of earlier drafts.
• There was sometimes no record of what had
initially been provided to the customers.
• There was no way to prove who had
accessed some of the documents and when,
or to determine which collaborator might have
made which edits to which documents.
03-10-2020 Page 147
Page 56 of 58
49What Did Outside Counsel Learn?
• Old content had expired on some of the blogs
and networking sites.
• As a result, there was no way to verify or
disprove some of the allegations made by the
plaintiff regarding public statements.
03-10-2020 Page 148
What Did Outside Counsel Learn?
• The company had no way to "lock down"
some of the outsourced repositories. There
was no easy way to ensure that the contents
were preserved pending collection.
• This was a concern because the company
believed that a few of its employees might
have an incentive to alter or purge evidence
to cover their tracks.
• It was also a concern for sites that allowed
third parties to alter the contents.
03-10-2020 Page 149
What Did Outside Counsel Learn?
• Obtaining copies of outsourced repositories
sometimes required protracted administrative
processes with vendors over which the
company had no direct control.
• Some vendors were slow and uncooperative.
• Some sites had unfavorable Terms of Service
regarding obligations to assist with data
export or migration. Nothing had been vetted
by the legal department.
03-10-2020 Page 150
Page 57 of 58
50Duty to Disclose; Duty to Produce
“Possession, Custody, or Control”
03-10-2020 Page 151
The EDRM Workflow
03-10-2020 Page 152
Question & Answers
Copyright 2006-2020 03-10-2020 Page 153
Page 58 of 58
51You can also read
