Electronically stored information (ESI) continues to take center stage in all types of litigation, from bankruptcy to tort. Author Keenen Milner discusses the critical role computer forensics experts play in collecting and preserving digital evidence.
Over the past decade or so, attorneys have come to realize that some of the most valuable evidence is found not in filing cabinets but on computers and servers. The 2006 amendments to the Federal Rules of Civil Procedure, which expressly made ESI subject to discovery, also reflect the growing role of digital data. Even when vital evidence might appear in hard copies, many attorneys have found it much more efficient and economical to scan those copies for review by computer-based tools than to rely on manual review. But ESI can be vulnerable to alteration and manipulation, making careful preservation essential.
The Ability to Dig Deeper
With computer forensics, qualified experts can unearth evidence far beyond the textual or numerical contents of electronic files, including the significant information found in metadata – that is, information that describes the history, tracking, or management of an electronic file. [1]
Metadata comes in two forms – system and application. System metadata contains the dates a file was modified, accessed, and created (known as the MAC dates) and also reveals when a file was deleted or last printed and by which user. Application metadata, embedded by the application that created a file (Microsoft® Word, for example), can show information related to file revisions and the last time the file was saved.
The information packed in metadata might establish timelines or knowledge, demonstrate fraud or negligence, or suggest causation. In bankruptcy cases, for example, a computer forensics expert can use metadata to determine all of the users who accessed or revised a debtor company's accounting documents and financial statements. Note, however, that a file's metadata changes every time the file is opened.
Often, though, computer forensics experts do not have the luxury of working with intact electronic files. In these circumstances, a qualified expert can ferret out data in otherwise inaccessible locations. He or she might find fragments of a deleted file on the hard drive and put them together to reconstruct the original document. The expert also could use a computer's recycle bin to discover which files were deleted and when. With a computer's Internet history and temporary Internet files, an expert can plot the exact path that a computer user took while working online.
Preservation and Chain-of-custody Issues
ESI is not without its weaknesses, especially its susceptibility to both intentional and inadvertent alteration. A proponent of ESI, as with any evidence, must establish its chain of custody and authenticity before the ESI will be admitted. A mere litigation hold might not always suffice; it may be necessary to preserve an entire computer and document every individual who accesses it to pre-empt challenges to evidence derived from the computer. As an example, a single field agent sitting down at the computer of a debtor company's CEO during the company's wind-down can compromise all of the evidence the computer offers for a related bankruptcy case.
When dealing with individual files, a computer expert might be able to use metadata to establish authenticity, particularly MAC dates. Like the contents of an electronic file, though, metadata is subject to manipulation. With a file's metadata changing every time the file is opened, capturing an image of the hard drive is crucial to protecting the integrity of its files' metadata for purposes of authentication.
The costs of failing to preserve ESI can prove high. In a well-known sexual discrimination case from the Southern District of New York, Zubulake v. UBS Warburg, the jury awarded the plaintiff $29 million after the court allowed the jurors to make adverse inferences about e-mails that the defendant failed to adequately preserve. [2]
Executing the Basic Computer Forensics Investigation
Computer forensics investigations typically follow a general outline. An expert will begin by securing the system or systems in question and establishing a chain-of-custody log. The expert makes a forensic image of the data repositories (that is, the hard drives and, if necessary, volatile RAM), along with information about the systems. The servers and drives must be imaged before the files on them are searched and reviewed to prevent the corruption of important evidence. From the image, the expert generally will export all of the word processing and spreadsheet documents, and encrypted, compressed, and PDF files, and locate the relevant software programs, including the accounting and database systems.
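The first two steps above, hashing the forensic image and keeping a chain-of-custody log, can be made tamper-evident. The sketch below is an added example, not a tool or procedure from the article; the field names, the SHA-256 choice, and the sample custodians and timestamps are assumptions constructed for illustration.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # prev_hash value used by the first log entry


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash an image in chunks so a multi-gigabyte file never sits in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record(log, when, person, action, image_sha256):
    """Append an entry whose hash also covers the previous entry's hash."""
    body = {"when": when, "person": person, "action": action,
            "image_sha256": image_sha256,
            "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    log.append(dict(body, entry_hash=_entry_hash(body)))


def first_broken_entry(log):
    """Return the index of the first altered or reordered entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None


def image_matches_acquisition(log, stream):
    """True if the image still hashes to the value logged at acquisition."""
    return bool(log) and sha256_stream(stream) == log[0]["image_sha256"]


def build_sample_log():
    """Constructed demo: a stand-in 'image' and two custody events."""
    image = io.BytesIO(b"constructed stand-in for a disk image")
    acquired = sha256_stream(image)
    log = []
    record(log, "2023-03-01T09:00:00Z", "examiner_1", "acquired image", acquired)
    record(log, "2023-03-02T14:30:00Z", "examiner_2", "received working copy", acquired)
    return log
```

The chain only shows tampering if the hash of the latest entry is also recorded somewhere the log's keeper cannot rewrite, such as a signed acquisition report.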
Working with the attorney, the expert then determines the types of information of interest and selects relevant keywords to use in data searches. Common search terms include specific names and dates, credit card and Social Security numbers, birthdays, telephone numbers, and e-mail addresses.
More specific searches will be conducted based on the nature of the case. If financial fraud is suspected, for example, an expert can look for journal entries made outside of regular business hours and at the end of an accounting period. The expert also might find entries made by unusual users, entries made for nonrecurring transactions, entries posted to unusual or seldom-used accounts, and other suspicious entries. Data mining could uncover trends, patterns, and inconsistencies indicative of fraud. The mountain of data usually involved in cases involving financial matters – data that is frequently available only in electronic format – almost demands computerized tools and expertise.
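The journal-entry tests described above can be expressed as simple rules over an exported ledger. This is an added example, not the author's method: the ledger rows are constructed, and the thresholds (08:00 to 18:00 weekday business hours, a monthly period whose last two days count as period end, and "unusual" meaning a user or account that appears at most once) are assumptions an examiner would tune per case.

```python
import calendar
from collections import Counter
from datetime import datetime

# Constructed sample rows: (entry id, posted timestamp, user, account, amount)
SAMPLE = [
    ("JE-1", "2023-03-06T10:15:00", "clerk_a", "4000-Revenue", 1200.00),
    ("JE-2", "2023-03-07T11:02:00", "clerk_a", "4000-Revenue", 980.00),
    ("JE-3", "2023-03-08T14:40:00", "clerk_b", "5000-COGS", 410.00),
    ("JE-4", "2023-03-09T09:30:00", "clerk_b", "4000-Revenue", 300.00),
    ("JE-5", "2023-03-14T15:05:00", "clerk_a", "5000-COGS", 515.00),
    ("JE-6", "2023-03-31T23:47:00", "cfo", "1999-Suspense", 250000.00),
    ("JE-7", "2023-03-18T13:00:00", "clerk_b", "5000-COGS", 77.00),
]


def flag_entries(rows, open_hour=8, close_hour=18, period_end_days=2, rare_max=1):
    """Return {entry id: [flags]} for entries matching any review rule."""
    users = Counter(r[2] for r in rows)       # postings per user
    accounts = Counter(r[3] for r in rows)    # postings per account
    findings = {}
    for entry_id, posted, user, account, _amount in rows:
        ts = datetime.fromisoformat(posted)
        last_day = calendar.monthrange(ts.year, ts.month)[1]
        flags = []
        # Weekend, or outside the assumed business-hours window.
        if ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour):
            flags.append("off_hours")
        # Falls in the final days of the (assumed monthly) accounting period.
        if ts.day > last_day - period_end_days:
            flags.append("period_end")
        if users[user] <= rare_max:
            flags.append("rare_user")
        if accounts[account] <= rare_max:
            flags.append("rare_account")
        if flags:
            findings[entry_id] = flags
    return findings
```

A flagged entry is a lead for review rather than a finding; entries that trip several rules at once, like the constructed JE-6, are the ones to examine first.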
In addition to using ESI in existing or pending litigation, some attorneys have recognized that their clients can wield ESI as a hedge against future litigation and are advising them to preserve certain data. A human resources department might consider imaging a departing employee's hard drive as a defense against a potential lawsuit. If the employee subsequently brings a wrongful termination or sexual harassment claim, the company can examine that hard drive for evidence of incriminating behavior or wrongdoing. Similarly, some human resources departments at companies undergoing large numbers of layoffs will use computer forensics to determine if their former or soon-to-be-former employees have gained access to data before leaving or tried to misappropriate company information or assets.
Time Is of the Essence
ESI can make or break a case, but must be handled properly. The fundamental first step is to obtain an image of the relevant systems as early as possible to minimize challenges related to preservation and authentication. At the time, you may believe you won't have any need for the image, but why take the risk?
[1] Committee Note, "Amendments to the Federal Rules of Civil Procedure," www.uscourts.gov/rules/EDiscovery_w_Notes.pdf.
[2] For more information on the case, see www.lexisnexis.com/applieddiscovery/lawlibrary/focus_07.asp.