From IQPC:

Dear members,

I’d like to share with you an interview conducted by the Legal IQ team and Chris Dale of the eDisclosure Information Project for the 7th Annual Information Governance & eDisclosure Summit.

Hear from Professor Dominic Regan from City University of London about the reforms to the civil litigation process in England and Wales – Why the Jackson Reforms mean the Biggest Ever Upheaval for Litigation. Free access here: http://bit.ly/GLnhdF.

Dominic Regan and Chris Dale will be presenting at the 7th Annual Information Governance & eDisclosure Summit from 14th – 16th May 2012 in London. For further details about their presentations or to find out more about the event please download the finalised event programme here: http://bit.ly/GGnIcZ.

In addition, all EDEN E-Discovery Community LinkedIn members are invited to get a Free Visitor Pass* to the Information Governance & eDisclosure Exhibition, the UK’s largest exhibition dedicated to connecting the entire legal, IT and compliance community. Download the Exhibition programme here: http://bit.ly/GGnJ0z.

What’s more! Get your FREE EXHIBITION PASS and automatically enter in the draw to win an iPad now: http://bit.ly/GH4X8w.

If you have any questions on the content or the exhibition, please drop your notes to our POC Yun Shi at Legal IQ: enquire@iqpc.co.uk or call +44 (0)20 7036 1300

Hello E-Discoverers!

Welcome to EDEN’s “E-Discovery in the News,” our new blog series where we examine real life court cases and see how e-discovery played a role.

Throughout this series, we will be interviewing EDEN members with subject area expertise.  We are interested in speaking with all of our EDEN members with a certain area of expertise: attorneys, litigation support professionals, computer forensic experts, paralegals, and more.  If you would like to participate, please contact Carl Powers (cpowers@edenhub.com).

Over the past decade, mobile phones and their usage have evolved dramatically.  Ten years ago, mobile phones were just that: traditional phones for voice-calling that were mobile.  There wasn’t much you could do with a mobile phone other than making a live voice call, and because calls were not recorded, the mobile phone was not an important source of evidence for lawyers looking to make a case – other than as a potential target for a criminal wiretap.

These days, however, mobile phones might be more appropriately called mobile computers, as mobile phones are a lot less like phones and a lot more like miniature computers.  Sending email, surfing the internet, online shopping and banking – you name it, you can probably get it done on a smartphone.  For a lot of people, even the basic voice-calling function has been supplemented, if not supplanted entirely, by text messaging.  And although voice calls still aren’t recorded, text messages are logged, email is saved, and evidence of a whole range of activity is stored on a smartphone.

There’s no doubt about it, smartphones have become a critical source of electronic evidence for lawyers in the modern courtroom – and nowhere is this perhaps more evident than in the field of family law.  A recently released study by the American Academy of Matrimonial Lawyers (AAML) found that 92% of lawyers surveyed have seen an increase in smart phone evidence being used in divorce cases and 94% have seen an increase in the use of text messages as evidence.   Lawyers surveyed said that text messages were the most commonly used evidence taken from phones, with emails, call histories, and GPS histories also being used regularly.

As the AAML study makes clear, understanding how to secure smartphone evidence is essential for modern family law practitioners.  Let’s see what steps in the EDEN funnel, our step-by-step guide for e-discoverers, need extra attention when dealing with smartphone data as evidence.  (Visit our training page to see a complete list of EDEN webinars, including the Fundamentals of E-Discovery webinar that walks through the EDEN funnel.)

How the EDEN funnel fits in:

1.  Assess

The rise of smartphones is a clear reminder that effective e-discovery assessment must always take into account the evolution of electronic devices and their use.  Are text messages possibly relevant?  Internet browsing history?  Can the apps installed on a phone provide useful information?  Assessment of potential cell phone evidence must now take into account the broad range of activities supported by modern smartphones.

2.  Secure

Be sure to collect information from all cell phones in a timely manner.  Text messages histories are often limited, particularly in older phones, and many phones delete messages automatically after a given time period to save storage space.  Once it’s gone from the phone, it’s likely gone for good – service providers typically deny that text message content is saved to their servers.  Recovering any deleted data from a phone, be it texts, images, emails, or other data, often depends on the phone make and model and, in all cases, the earlier a phone is taken out of active use, the more likely it is that data will be preserved.

4.  Extract

Extracting data from any mobile phone requires the proper tools, such as Cellebrite’s mobile forensics software and hardware products.  Even with those tools, an experienced vendor is a must, to both ensure that the data is captured in a forensically sound manner, as well as to analyze and interpret the data collected.

5.  Macrosearch

Newer smartphones can have internal storage that rivals laptop and desktop computers from just a few years ago, and this increased storage space can mean a higher volume of information to sift through.  Having a smart strategy for searching will be more time and cost effective than analyzing every text, picture, call and email looking for evidence.

An Expert’s opinion

Jonathan Yeh, Mobile Phone E-Discovery Expert at Blank Law and Technology:

What types of data can be found on a mobile phone?

The kinds of data that might be found on a mobile device varies with the make and model of the device, but can include some or all of the following:

• Subscriber and equipment identifiers
• Date/time, language, and other settings
• Phonebook information
• Appointment calendar information
• Text messages
• Dialed, incoming, and missed call logs
• Email
• Photos
• Audio and video recordings
• Multi-media messages
• Instant messaging and Web browsing activities
• Electronic documents
• Location information

These are the main types of data that can be extracted from a mobile phone, but it’s important to be creative when considering what information might be contained in these data types.  For example, for a family law litigant that suspects the opposing party is hiding assets – are there apps on the phone that might indicate where hidden bank accounts are held?  Might the party have communicated with his or her broker via text?  You may not get a bank account number from the phone, but you may get a point in the right direction.

How is data extracted from a mobile phone?  Is information stored differently?

There are generally two ways that mobile phone forensic tools acquire data from a device: physical acquisition or logical acquisition.  To put it as simply as possible, physical acquisition is a bit-for-bit copy of the raw data in a device’s memory stores.  Logical acquisition is a bit-by-bit copy of logical storage objects, such as directories and files, which reside on a logical store.  Logical acquisition typically results in data that is more organized and easier to review and analyze, but will not capture deleted files and file fragments.  Physical acquisition can allow for the examination of deleted files and file fragments, but the data is often much more difficult to work with and may require a lots of manual work to parse, decode, and translate the data into a usable form.

Is e-discovery of mobile phones all about the data on the phone’s internal memory?  What about service provider records?

Service providers do have records of subscriber information, calls placed, texts sent, data used, etc.  They have to in order to generate your bills every month.  So, subscriber records can be an important source of information if things like call logs have been deleted from a phone and can’t be recovered.

In practice, though, service provider records can be difficult to obtain in the civil litigation context.  Service providers are a lot less cooperative with civil litigants than they are with law enforcement and criminal investigators.  So, the kinds of call log records you can typically get from a service provider might be more easily obtained from the party by requesting their billing statements as a part of discovery.

And it’s important to remember that service providers keep varying levels of data and may only keep certain records for a limited amount of time.  For example, Verizon is the only major service provider that retains actual text message content and, even then, they only purport to retain the data for a few days.  Cell tower history data, which might help with geolocation, is kept by most service providers, but is retained for as little as a few months to as many as a few years depending on the provider.

Hello E-Discoverers!

Welcome to EDEN’s “E-Discovery in the News,” our new blog series where we examine real life court cases and see how e-discovery played a role.

Throughout this series, we will be interviewing EDEN members with subject area expertise.  We are interested in speaking with all of our EDEN members with a certain area of expertise: attorneys, litigation support professionals, computer forensic experts, paralegals, and more.  If you would like to participate, please contact Carl Powers (cpowers@edenhub.com).

(Story Found in New York Times, official court document)

E-Discovery processes may have helped to save Citadel, a Hedge Fund in Chicago, from a breach of security that could have jeopardized their entire operations.

In late March 2010, Citadel’s internal monitoring systems alerted management of unusually high levels of activity originating with the user account of Yihao “Ben” Pu, a Quantitative Engineer at Citadel assigned to work on the development of Citadel’s proprietary trading strategies.

When questioned regarding the activity, Mr. Pu’s response was that he had merely uploaded music and academic documents onto his phone.  However, this didn’t really jibe with the activities detected.  Citadel’s internal investigation established that Mr. Pu had secretly created two “virtual machines” on his Citadel computer running Ubuntu Linux, which permitted Mr. Pu to bypass strict security protocols at Citadel barring data transfer to external devices.

With Citadel on to him, Mr. Pu had to figure out what to do with the electronic evidence of his activities, namely hard drives from his home computers to which he had been transferring the Citadel data.  Launching into full “Lorraine Bracco from Goodfellas” mode Mr. Pu desperately tried to get rid of the evidence.  Unlike cocaine, though, you can’t flush hard drives down a toilet.  So, Mr. Pu did the next best thing: he worked with one of his coworkers to erase the hard drives and dump them in a canal.  Aware of the need to cover their tracks, Mr. Pu and his accomplice resorted to communicating via prepaid, disposable mobile phones in classic movie gangster style.

Unfortunately for Mr. Pu, his accomplice of choice was beyond unreliable and backed out as soon as he possibly could.  Just a few days later, the accomplice took Citadel investigators to the hard drive dump site.  He even gave up the one hard drive that Mr. Pu did not wipe and specifically told the accomplice to keep safe – as it turns out, the drive contained the proprietary trading algorithms and other trade secret data that Mr. Pu had stolen from Citadel.

As anyone with an understanding of sedimentary rocks can tell you, hard minerals, like the ones used to construct hard drives, take eons to erode in flowing water. Mr. Pu’s accomplice only allowed 36 hours for the drives to wear away, so investigators were able to still examine them. When the hard drives were forensically reviewed during the discovery process, they still had some sensitive data from the Citadel computers.  In addition, investigators found evidence that files originating from the Citadel computers had been deleted from the drives.

While the case is just getting started, we can review the steps taken by Citadel and see what lessons can be learned about the early stages of e-discovery.  To do so, we’ll use EDEN’s funnel process, which you may remember from EDEN webinars as a step-by-step tool for e-discoverers to guide them through the process.  (Visit our training page to see a complete list of EDEN webinars, including the Fundamentals of E-Discovery webinar that walks through the EDEN funnel.)

How the EDEN Funnel Fits in:

1.  Assess:

This case is a prime example of how proactive, network data-monitoring systems can aid immensely in the e-discovery assessment phase.  Citadel’s monitoring system was able to notice that something fishy was going on and, thanks to swift action it wasn’t difficult to find what was stolen from the computers.  An actively checked monitoring system saved Citadel a lot of trouble as it is much easier to build evidence when you catch a criminal in the act rather than sifting through computer systems for clues long after the fact.

It’s also important to remember to consider all potential sources of evidence in the assessment phase, even if some might be more far-fetched.  You never know what crafty and desperate defendants might do to cover their tracks; for example, using disposable devices to try to evade evidence gathering.  Don’t forget to check phones, text records, emails, credit card transaction records, or any other medium that might have relevant data to support your case.

2.  Secure:

Securing the data in this case proved to be more difficult than usual, as divers were needed to search the bottom of a canal for a bag of hard drives, illustrating the need to move as quickly and proactively as possible to secure potential evidence.  Although data was eventually recovered even from the sunken drives, you can’t always count on a cowardly accomplice to guide your way and it’s always better to get custody of evidence before it ends up in a river, a dumpster, or at the end of a strong magnet.

3.  Extract:

After electronic devices are secured, extracting the data can be a challenge, particularly in cases such as this one where important evidence has been “swimming with the fishes” so to speak.

But as this case amply illustrates, damaged evidence is not always a lost cause.  Data storage devices can often be surprisingly sturdy and efforts should be made to extract data even from obviously damaged data sources if possible and reasonably cost effective given the economics of a given case.

Even with data that is easily extracted, such as the internal activity logs from the company’s security systems in this case, care must be taken to extract data using forensically sound methods that are defensible in court.  After all, even the most damning evidence is useless if it can’t be shown that the evidence hasn’t been tampered with or otherwise manipulated.

So, as you can see, there are a lot of interesting, early phase e-discovery issues in this case.  Here to discuss some of these issues with us is Alex Harmon.

An Expert’s opinion

Alex Harmon, Computer Forensics Specialist at Blank Law and Technology

Trade secret data is critical to most businesses and a trade secret is not protected by the law unless it is just that: a secret that is reasonably protected against disclosure.  The case above illustrates the need for companies to have good data monitoring systems in place to protect their trade secret data – what are some of the kinds of monitoring systems and security protocols that should be in place at just about every company with regard to trade secret data?

To protect secretive data a company should have both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in place to serve as external gate keepers to a company’s computers and servers. These will alert the company and keep records of whenever something enters or leaves the system. Internal user activities should be monitored by someone very familiar with the system to see what is being accessed, who is accessing it, and when.  There are internal login/logout auditing systems that can help determin when specific credentials were used across the enterprise, and there are also internal file access systems that can show who accessed what data and when.   A monitoring system is only as useful as whoever is running it; expertise is essential to maintaining security. They should be aware of or have the ability to look up all employees’ clearance levels so they can spot abnormalities.

With the kinds of monitoring and security systems in place, what kinds of things need to be done in terms of preserving data, such as activity logs, from those systems to make sure they’ll stand up to challenges to their reliability?

If the company is suspicious of a user’s activity a good first step is to see where they’ve been and ask “should this person see these files?” A good IT department will have a strict process for creating new users so all accounts should start out identical. Check to see if anything about the user’s account stands out in contrast with other users with similar access levels. Keep activity logs with times, dates as well as records of what files were accessed and what files were changed. This is very useful even if you may need to call in an expert witness to interpret these records in court.

Let’s move on and talk a little about recovering data from devices that have been damaged – what do you need to do differently to extract data from devices that have been damaged by water, sewage or other elements?

When recovering data from a damaged drive it is not a matter of possibility in most cases, but rather a matter of price. The cost to recover the data from the drive should always be weighed with the value of the information you’re seeking. Just because NASA scientists were able to extract data from a Challenger Space Shuttle hard drive after the explosion doesn’t mean that this million dollar recovery process should be done if the stakes just aren’t that high.  Many data forensics shops  can extract data at a reasonable cost and for most cases this is the most economically feasible option. If the drive is extensively damaged there are specialists who are able to access storage components by rebuilding or repairing the drive in a particle free “clean room”. Water may not be as menacing of a problem as other types of physical damage; because of the way hard drives are sealed if you simply give wet drives time to dry it’s entirely possible that you can use them as you would a normal drive.

What do you do if you recover a hard drive where it is clear that information has been deleted from it?

“Deleting” files from a hard drive can mean many different things and it all depends on the computer skills of the person doing the deleting. Most of the time when a file is deleted what actually happens is that the space the file takes up on the drive is marked as open for rewriting. Unless that part of the drive has been written over the files remain as they were. If someone has used a more complex erasing program to rewrite over the deleted section it is still possible to find files, or partial files but the costs for this process mount quickly. If you suspect that files may have been tampered with NEVER plug that drive into any device that can rewrite as this can compromise the discovery process. “Write-Blockers” are great as they allow you to read the files without the ability to changing anything so the reliability of your extraction will never come into question. Records of file deletion must be interpreted by someone familiar with the computer system. Computers delete system files constantly so when looking at the records you have to differentiate between what is relevant and what is just noise.

Links:

NYT Story

WSJ Story

Court Document

The Electronic Data Extraction Network (EDEN) has partnered with Blank Law + Technology, a Seattle-based law firm and computer forensic expert, to provide mobile phone forensic services to the wider EDEN community.

Why EDEN?

EDEN is your trusted and reliable partner or referral source.  EDEN supports – and does not undermine – your customer relationships.  EDEN will ensure that the job is done right, every time.  EDEN’s work is technically and legally defensible, and will stand up in court.  Finally, as a valued EDEN member, each of your referrals entitles you to a $150 referral fee.

How do I partner with EDEN for mobile phone forensic services?

EDEN is flexible in our partnership arrangements, and we are available to support our EDEN members in a number of ways.

We recognize that the equipment necessary to conduct a thorough, forensically sound mobile phone investigation can be expensive.  If you do not have the necessary equipment, we can refer you to Blank Law + Technology’s forensic experts.  The team at Blank Law + Technology supports clients with a decade of experience in computer forensics and a record of hundreds of successful investigations.

If you already have the required forensic equipment, EDEN can support you with marketing materials and speaking points.  Our marketing team is available to help you position your company as a leader in the mobile phone forensics industry.

Why hire an expert for mobile phone forensics?

Law enforcement agencies, government agencies, and many employers have long since discovered that mobile phones can contain case-making evidence.

The forensic tools to pull data from mobile phones are expensive, and in the hands of police detectives and information technology security teams they are effective, efficient, and often devastating.

The protocols to mandate critical data delivery from mobile phone carriers are in place.  Even Cloud-based storage areas and phone accessory devices are known, searched for, and examined.

Still, as with any computer forensics application, skill and experience matter.  Investigators make mistakes.  Phone companies turn over incomplete or erroneous records.  Multiple innocuous explanations may exist in parallel to the “story of the case” that is the favorite of the prosecutor, employer, or agency.  The investigator may miss critical data.

If your client is on the other side of a criminal or sophisticated civil investigation, you cannot afford to ignore mobile phone records.  Your client also cannot rely on what the other side chooses to disclose of its findings; they may present less than the full picture.  The analysis may be flawed.  The records may be wrong.  Your clients need to undertake their investigation, and EDEN is here to help.

Mobile phone forensic services are required.

In many legal cases, mobile phone forensic services are required.  Common cases include employment investigations, civil litigation, criminal litigation, and divorce cases.

Contact EDEN today to learn more about partnership!

Part 3: Computer Forensics Tools

As an attorney, you are not expected to know how to operate the tools that help IT professionals mine for information, just as you are not expected to know how to operate a 40-ton excavator.  However, you will get along much better with the person doing the actual work—and be much more aware of potential benefits and pitfalls—if you have some basic familiarity with the equipment’s capabilities and don’t just stand there staring.  Spend some time learning.  To get started, here are some common e-discovery tools:

Five Tools Every Investigator Should Know:

1.       Keyloggers.  Available as hardware or software applications, keyloggers record users’ keystrokes.  As a legitimate tool, keyloggers are important quality assurance aides in software development and customer service.  On the dark side, keyloggers record passwords, login names, bank account and credit card numbers, websites visited, etc. 

2.       Web Filters.  Many companies use web browsing security applications, either a Cloud-computing service or through installed software or hardware.  Web filters screen for viruses and are useful security tools.  However, sophisticated filters also limit internet access and log internet activity, including time spent on the internet, sites visited, data transferred, and even search terms.  Simple user tools pull up this information on a user-by-user basis.

3.       Email Encryption Applications.  Email encryption is increasing in popularity.  Simple searches of email servers may miss encrypted email.  Also, email encryption applications provide a “content management” function that searches email messages for disallowed content.  Disallowed content, which may include movement of certain types of data (like customer lists) may be copied to an IT administrator or logged in the utility. 

4.       Directory List Dumps/Log Aggregation Utilities.  One way to see what an employee has been up to is to examine whether unusual or unauthorized software applications have been downloaded or recently upgraded.  Directory List Dump utilities itemize all of the software on a computer; these can then be searched for evidence of hacker/sniffer programs, data-movement utilities, password crackers, and so forth.   Similarly, as part of the normal operation of a network of computers, computers and servers keep extensive logs of their activities and communications.  These logs may be overwritten on a regular basis, but while they exist they are rich sources of information about employee behavior, including data movement, internet browsing, file copying and altering, etc.  Log Aggregation Utilities take this mass of data and, with a few keystrokes, make it useful and efficient for examination purposes.

5.       Popular “Computer Forensic Software”.  A few sets of software tools are so popular with practitioners of “computer forensics” that every workplace investigator should be familiar with their names and understand their basic functions.  These are, primarily, “Encase” by Guidance Software (www.guidancesoftware.com), “Forensic Toolkit” by AccessData (www.accessdata.com), the family of tools manufactured by Paraben Corporation (www.paraben.com), and the cellular phone acquisition hardware and software package sold by Cellebrite (www.cellebrite.com).  These are terrific toolsets that make computer forensics accessible and affordable.  They allow acquisition and review of electronically stored information without modifying the source data.  Live files, deleted files, drive free space, slack space, and unallocated space can be examined across a range of storage media.  Many of the included components of these tools overlap (for example, the search engines).  The tools also all have various and significant weaknesses that must be appreciated to be used effectively. 

And some more tools:  screen-shot applications (to automatically record screen images of data movement commands); imaging hardware and software (like Image Masster and Ghost) and many, many other special-use applications and hardware devices.

Part. 2: Sources of Electronically Stored Information

To be an effective attorney in the 21^st Century, you must be computer literate.  You do not need to be able to program computers, or assemble them, but you must at least understand the basics of electronically stored information and networks.  In the paper world, you did not need to know how to type, but you did need to understand that some documents are typed, and others are handwritten.  To represent your clients effectively today, you must understand how employers and employees generate and preserve electronic information. 

Every company is a little different; each company has its own unique software, protocols or processes that will affect where you should look for data.  At the same time, every company is a little bit the same.  So, you should be comfortable starting off with:

Five Places to use computer forensics (and what to look for):

1.       Employee Workstation/Laptop.  Look for live files, including user-archived email messages and attachments, with full metadata (author, creation date, last access date, last written date, etc.); Office-type files; internet files, including internet mail files (think Gmail or Hotmail) and attachments; deleted files; fragmentary files; files from slack space, drive free space and unallocated space; drafts and redlines; computer usage patterns, including identification of internet mail, internet surfing/downloading patterns, file copying and download behavior, print and save destinations; login/out times; password identification and extraction; and the presence of suspicious files.

2.       Business Cell Phone/Blackberry/PDA.  Look for email and Office-type files; contacts; calendar; pictures and video; suspicious applications (like packet sniffers); internet browsing history; data movement; geolocation information (from radio signal or cell tower logs); text messages, both live and deleted; password information.

3.       File Shares/Mapped Drives.  These files, often located on the “file server” or a mapped drive (with a “drive letter” towards the end of the alphabet—think “P” drive, for example), are used to store personal and group files, often in preference to the workstation or laptop (file shares are usually backed up; workstations are usually not).  Look here for user-archived email and Office-type files.

4.       Email Server.  Look for email and attachments; be sure to ask about restoring deleted messages.            

5.       External Media.  Look for all of the above document types on CDs, DVDs, USB flash drives, and external hard drives around the employee workspace.  Storage devices are so small and inexpensive that they are often forgotten or left behind by departing employees; their contents can be forensically restored to reveal employee activity.  Don’t forget to look in the workstation’s CD bay and USB ports.

More places to look:  on a case-by-case basis, be sure to also consider looking at vehicle GPS/transponder records (for vehicle movement); key card records (for building entry logs); Wide Area Network devices (for internet access and file movement logs); employer-controlled commuter pass records (for use of passes on “sick” days); video records (for employee activity); EAS loss prevention devices (for patterns of “false” alarms mapped against employee time records); inventory management servers (for suspicious patterns of inventory adjustments); medical dispensing machines (for records of drugs dispensed); sophisticated printers (for additional copies of printed and scanned documents); payroll systems; purchasing software; and so forth.  And of course, do not forget to consider the backups and archives of all of these systems.

Stay tuned for Part 3: Computer Forensics Tools.

Eric P. Blank is the founder and Managing Attorney of Blank Law & Technology P.S. (formerly Blank & Associates P.S.).  Mr. Blank has conducted hundreds of investigations into computer and software-related torts and employee misconduct.  He has provided defense and prosecution on an expedited basis of intellectual property claims, and the release and protection of new products.  Over the past several years, Mr. Blank and the other employees of Blank Law & Technology have counseled companies ranging from new businesses to a host of major corporations located across the United States and Canada and throughout the world.  The objective for each representation is the same: to provide insightful, dedicated, creative and efficient solutions that help clients succeed.  You can learn more about Mr. Blank and Blank Law & Technology at www.digital-legal.com.

(Editor’s note: This article was included with the written materials at the 2010 ABA Labor and Employment Law Conference in Chicago, and it was also included in a recent King County Bar Association seminar about Investigating Workplace Complaints.  This article and its predecessors are Mr. Blank’s original work in all respects.)

Part 1: Electronic Information in the Workplace

Whether we—or they—like it or not, the connected workplace is overflowing with information about employee behavior.  Much of this information is available to employers without a lawsuit, without a subpoena, and by simply pushing a few buttons on a computer’s keyboard.  In fact, enormous volumes of data describing employee conduct are visible to information technology personnel who are just doing their jobs.  Websites that employees are visiting, and for how long; passwords to private areas; destination and content of email messages; file downloading and uploading patterns; text messaging humor; and the logistics of intraoffice romances all travel through machines and storage areas that are examined, as part of normal operations, by IT personnel at all levels.  These facts have created the ridiculous but universal IT culture of “don’t ask, don’t tell,” in which IT personnel pretend not to see evidence of employee conduct when managing email accounts or sweeping computers for viruses. 

And for those few of us who still like to believe the fantasy that email messages and other electronic data are private or difficult to access, consider Google’s frank comment after dismissing one of its engineers for spying on teenagers in a prankish pattern of activity that included accessing users’ accounts, reading private chat transcripts, tapping into call logs and messages from Google Voice, and reading IM traffic:  “a limited number of people will always need to access these systems if we are to operate them properly . . . .”  (Bill Coughran, Senior Vice President, Engineering, Google, quoted in gawker.com 9/15/10.)  No duh.

Now at this point you’re of course saying to yourself:  OK, I’ll watch what I say in my emails, but how do I, as an attorney representing employers, get my hands on good dirt like that?  If you were immersed in a particular sump of pop culture, you may even be thinking:  “we can do that; we don’t even have to have a reason!”

Since this is a lawyer’s guide, I must point out that you may not need a reason, but any approach using computer forensics should be reasonable, and tempered by caution.  Your client’s employees may have privacy rights by contract or force of law.  You may discover more than you want to know, about more people than you wanted to know about.  You may learn nothing and look like a fool.  You may set a dangerous precedent for effort and energy that must, in the future, be applied to all employees, at significant cost.  And finally, your ham-handed dirt-digging may disrupt the smooth operation of the workplace, demoralize the IT department, unearth files useful to your opponents, cost a fortune, and generally make you wish that you had stuck with camera-toting private investigators and dumpster-diving.

The point is:  please do not forget to exercise caution and good judgment when using computer forensics in workplace investigations.

Stay tuned for Part 2: Sources of Electronically Stored Information.

Yesterday, EDEN launched the new EDEN E-Discovery Community group on LinkedIn.

The EDEN E-Discovery Community is a forum for:

• project referrals
• opinions on important e-discovery topics, and
• discussion about technical standards

We look forward to hearing your opinions about popular e-discovery debates.  Today’s topic: is it reasonable to expect custodians to self-collect data?  Do you always need an expert?  We want to hear what you think!

Additionally, the group is open to the public and is a great resource for project referrals.  If you’re looking for a technician in a certain city or a subject matter expert, the group’s discussion board may be able to help you find the right fit.

We invite you to join the EDEN E-Discovery Community group on LinkedIn and join the conversation!

In looking at the companies and individuals who make up EDEN’s membership base, one word comes to mind: diversity.  EDEN members are not only diverse in their e-discovery education and background, but also in their industry vertical.  It can be challenging when trying to have an attorney or paralegal speak the same language as a CIO or network engineer.  For this Slack Space post, we wanted to list some of the most frequent acronyms you might come across in both the legal and technical vernacular of e-discovery.  Have any additions or an acronym that has been stumping you?  Please let the EDEN community know! 

COC – Chain of Custody

DAT – “Data” file type, very common in database load files

ECA – Early Case Assessment

EDD – Electronic Data Discovery

EDI – Electronic Data Investigation

EDRM – Electronic Discovery Reference Model

ERM – Enterprise Risk Management

ESI – Electronically Stored Information

FRCP – Federal Rules of Civil Procedure

FRE – Federal Rules of Evidence

GB – Gigabyte

HaaS – Hardware as a Service

IaaS – Infrastructure as a Service

IM – Instant Message

MSP – Managed Service Provider

OCR – Optical Character Recognition, a method for translating text into readable characters

OS – Operating System

PDF – Portable Document Format

PST – Personal Folder File

QC – Quality Control

RAM – Random Access Memory

ROM – Read Only Memory

SaaS – Software as a Service

TB – Terabyte

TIFF – Tagged Image File Format

USB – Universal Serial Bus

VPN – Virtual Private Network

EDEN welcomes members from a diverse range of industries.  Each month, we update our Member Spotlight page  to showcase some of our newer members from around the nation. 

This month, we spotlight Firm Forensics.  Firm Forensics offers discrete, highly personalized, case-specific forensic analysis and litigation support services for law firms and corporate clients.  Their areas of expertise is fraud, computer forensics, and electronic discovery.  Firm Forensics assists in the investigation, handling and prosecution of computer-related crimes or misuse.

To see our other spotlight members, visit our Member Spotlight page.  If you are interested in sharing some of your company’s information with the EDEN community, please contact Cathy Lopez at clopez@edenhub.com or 877.837.7147.