Welcome to ELLUMA DISCOVERY BLOG

When ESI doesn’t make it in the door

Posted By:
Sherry Katz
January 12th, 2012

When you work in eDiscovery or computer forensics and you deal with ESI (Electronically Stored Information) on a daily basis, you become somewhat of an expert in it. Many of the issues raised by ESI in a case can be real brain twisters, and we eDiscovery geeks revel in the fun of sorting it all out. We actually enjoy this stuff! On the other hand, parts of it can be rather mundane, with little of that interesting complexity.

METADATA LOOKS DECEPTIVELY SIMPLE

Simple things such as the extraction of metadata give us little joy because this is a rather basic task given the right tools. Verifying it is joyless too. It’s quite easy to verify a document’s metadata by using a second set of tools, some of which are quite inexpensive. (Take a look at Payne’s Metadata Assistant for an affordable tool that does a good job of simple extraction.) So for us, metadata seems, dare I say it, basic.

Unfortunately there is little joy for the attorney who is not able to competently get metadata admitted into evidence. While seemingly simple, metadata is something that the layperson is probably not particularly familiar with. Metadata refers to data about the underlying data. Metadata can point to a document’s creation date, last saved date, author, total minutes edited and so forth. Since metadata is intrinsic to a document (such as a Microsoft Word file), it is not easily forged and thus metadata can be used to authenticate or disprove the authenticity of a document.

So when it comes to getting metadata admitted as evidence you are dealing with facts and information beyond what a layperson might know. Typically a competent attorney will simply engage an expert to explain these facts in a deposition or jury trial. However, that is not always what happens.

PROFESSIONAL COMPETENCE

The California Rule of Professional Conduct 3-110 deals specifically with the notion of professional legal competence and states that:

a) A member shall not intentionally, recklessly, or repeatedly fail to perform legal services with competence.

b) For purposes of this rule, “competence” in any legal service shall mean to apply the 1) diligence, 2) learning and skill, and 3) mental, emotional, and physical ability reasonably necessary for the performance of such service.

If an attorney lacks the learning and skill to competently deal with a type of evidence, it behooves him or her to consult with someone who does. This is typically why experts are engaged. I have seen situations in which the admission of a key piece of evidence such as a metadata report might have disproved the authenticity of an important document provided from the other side. The metadata report did not get admitted into evidence because the attorney believed that metadata was so simple that testimony surrounding it did not require an expert witness to provide an opinion on it. Unfortunately for the attorney, the judge did not side with her and the jury never heard or saw key evidence.


Last-minute California MCLE Credits

Posted By:
Eric Robi
January 12th, 2012

Do you need MCLE credits before the January 31 deadline?

Elluma is offering two 4 hour sessions.

They are identical sessions served up in 2 hour blocks. You can register for two or four hours. Both include one hour of ethics and all sessions qualify for MCLE credits per California Bar Rule 2.72.

You can register here:

January 20 – Century City

January 27 – Downtown Los Angeles


eDiscovery mistakes you should skip

Posted By:
Sherry Katz
December 20th, 2011

As I’m writing this article somewhere in a law office a lawyer is preparing a document production using Microsoft Outlook as a discovery tool.

“NATIVE” EMAIL PRODUCTIONS FROM OUTLOOK

How is that? Well, lawyers doing “native file” productions get a copy of the Outlook file, the mailbox file with the extension .pst, from custodians’ computers or from their client’s Exchange servers. (Sometimes they obtain a .ost file, which is an offline store that is similar to a .pst.) They copy the .pst file to their computer and open it within their copy of Microsoft Outlook (the program they use to read their own email). They then read through the emails using Outlook and delete the files that are either not responsive or privileged. If the file is very voluminous they use the search tools in Outlook to look for documents. They save the .pst file and make a native file production in the form of a .pst to their opponent.

Oops.

DELETED EMAILS DON’T MAGICALLY VANISH

The lawyer who did that made a huge mistake. A .pst file is a database file that we refer to as a container file. Like a zip file, the .pst is the container that holds the individual email messages. When an email is deleted from the .pst, its content is still present in the container. It no longer shows in the index so it isn’t visible, but it is still there. Sometimes the .pst gets compacted before it gets produced and the deleted emails actually go away. Sometimes they do not. Therein lies the problem.

When we or other eDiscovery vendors receive email in the form of .pst files, our common practice is to ingest it into a processing platform. This can cause indigestion for the producing party. At Elluma we use eDiscovery tools such as Intella or Nuix. When those programs process email, they read the email differently from how it appears in Outlook. Many deleted emails are recovered by those processing tools.

Sometimes the email that is recovered is privileged email that we should not have received.  In California we have an obligation to notify counsel and to return the inadvertently produced email.  Sometimes the email that is provided is not privileged, but outside what was specifically requested.  And sometimes that email opens up new avenues of inquiry.

RECOVERING DELETED EMAILS IS TRIVIAL

You can see for yourself how easy it is to recover deleted emails from an Outlook .pst. Take a .pst file and delete a few emails. Locate the .pst file and open it using a hex editor. There are a number of freeware hex editors available on the web. I usually use an editing program called Notepad++. Locate bits (bytes?) seven through twelve (7,8,9,A,B,C) and change them each to 00, then save the file. Then find the Microsoft utility called scanpst.exe that is located on your hard drive. Put the altered .pst file into the same folder as scanpst, and double-click on scanpst.exe. This will “fix” the .pst file. When that is done, open the .pst in Outlook. You will find the deleted files back where they were before you deleted them.

What alternatives are there for producing native files?  Well, there are utilities that can export individual message files from a .pst and produce the individual messages. However, those tools alter critical message metadata.

CALIFORNIA BAR ETHICS OF PRODUCING FROM OUTLOOK

In California the State Bar Ethics Committee has addressed the issue of attorney competence in the context of using technology:

Many attorneys, as with a large contingent of the general public, do not possess much, if any, technological savvy. Although the Committee does not believe that attorneys must develop a mastery of the security features and deficiencies of each technology available, the duties of confidentiality and competence that attorneys owe to their clients do require a basic understanding of the electronic protections afforded by the technology they use in their practice. If the attorney lacks the necessary competence to assess the security of the technology, he or she must seek additional information or consult with someone who possesses the necessary knowledge, such as an information technology consultant.

THE STATE BAR OF CALIFORNIA STANDING COMMITTEE ON PROFESSIONAL RESPONSIBILITY AND CONDUCT FORMAL OPINION NO. 2010-179.

Email production directly out of Outlook raises basic competency issues.  Attorneys who insist on using it run the risk of running afoul of the ethics rules.

In the end attorneys need to use proper eDiscovery tools to produce email. There are tools like Intella, relatively low-priced compared to full-blown eDiscovery platforms, that will index and properly format email for eDiscovery. There are also vendor options available for processing small volumes of email that can keep the costs in the range of a few hundred dollars. The alternative is to tread on the edge of a possible ethical violation and even a potential malpractice suit.


Dominique Strauss-Kahn and the Persistence of Electronically Stored Information

Posted By:
Sherry Katz
December 15th, 2011

In May of this year Dominique Strauss-Kahn resigned as head of the International Monetary Fund after accusations of sexual assault by a hotel maid. Surveillance cameras in the hotel appear to support the accusations. Of course surveillance cameras no longer record to video tape, but rather to DVRs (Digital Video Recorders) which are simply computers with lots of storage space. A huge amount of ESI is created constantly by these surveillance systems.

Further review of the recordings raises some discrepancies. Two of the hotel security personnel are seen high fiving each other and doing what appears to be a “victory dance” right after placing a call reporting the alleged assault to the police.  Other recorded information suggests that the maid possibly may have “rehearsed” prior to the time the incident occurred.

This series of events regarding the recording illustrates several of the challenges in computer forensics, electronic discovery, and the management of ESI.

Most notably it shows the persistence of electronic information. We are now several months past the original incident and the public and media have created a narrative around the incident. The generally held interpretation is that Strauss-Kahn had a propensity to aggressively pursue women; he probably behaved inappropriately toward the maid, but there were too many unrelated questions raised around her credibility to support a criminal trial. If all that existed were eyewitness testimony and physical evidence from the scene, this narrative would be final. Instead, because electronic evidence has the quality of persistence and often continues to exist even if it hasn’t been reviewed, there is now recorded evidence that – while open to various interpretations – raises a whole new set of questions about the incident.

The emergence of this evidence also demonstrates how the voluminous nature of electronically stored information can cause months of lag between an event and the ability to review the evidence.  We have worked on cases at Elluma where there has been surveillance camera video, and this evidence can comprise an enormous volume of information that takes a great deal of time to review. Thus, it may require months to view critical information.

Finally, this event demonstrates something we see every day as forensic examiners. We can see the contents of evidence but its meaning is by no means self-evident. We have found that context can be critical. In the case of Dominique Strauss-Kahn, the electronic evidence provides more information, but it doesn’t settle the “he said, she said” story.


Can your company’s authorized use policy make you a criminal?

Posted By:
Sherry Katz
December 13th, 2011

On December 15, 2011, the Ninth Circuit is going to hear a case en banc (the full panel will hear the case) that touches on a situation that we see almost daily in computer forensics.

The case under consideration is U.S. v. Nosal, 642 F.3d 781 (9th Cir. Apr. 28, 2011). In that case, the Ninth Circuit was considering the case of an employee who left his employer and took the company’s contact database. The issue arose under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. That law makes it a crime, and it also authorizes civil suits, for certain acts that “exceed authorized access” to a computer system.

On first hearing of the appeal, a three judge panel held that the violation of an authorized use policy that placed “clear and conspicuous restrictions on the employees’ access” to the employer’s computer system and the specific data at issue could be enough to qualify as conduct that exceeded authorized access.

Anyone who works in computer forensics quickly finds that just about everyone engages in activities that either violate employer policies, or would violate them if the employer had a written policy. In the course of looking at computers we find nearly the full range of human behavior. In addition to viewing pornography (a practice very widespread), people use computers for looking up sports scores, storing pictures of their family, spreading jokes, and just about anything imaginable.  We have seen people use their work computers to solicit sex from Craigslist, conduct a side business, steal employer trade secrets, plan personal trips, and many other activities. Some of these activities are benign but generally not business uses (and hence forbidden by many employer policies), and some of them are harmful or potentially harmful.

By using the standard for unauthorized access as the employer’s acceptable use policy, the court has created a morass of potential liabilities and lawsuits. If that remains the standard, companies will have a strong incentive to have strict acceptable use policies in order to have a means to control employees, and prosecutors will be given a powerful tool with very little restraint.

A further implication extends to matters in the cloud and storage on third party systems. The Computer Fraud and Abuse Act deals with “protected” computers. When we sign up with Facebook, or Gmail, or any of the myriad of services, we usually click through and accept the authorized use policy without a moment’s thought. As the Ninth Circuit ruling currently stands, violation of authorized use on Facebook could potentially lead to criminal prosecution, with Facebook’s policy being the determining factor in whether a crime has been committed.

Currently the Ninth Circuit has suspended the ruling pending a hearing by the entire court. Those of us who have daily contact with the uses to which people put their computers will be watching closely what happens with this case.


Michael Jackson iPhone forensics

Posted By:
admin
November 16th, 2011

The slurred speech recording you’ve heard over and over on the news, where Michael Jackson tells his doctor, Conrad Murray, that he wants to be bigger than Elvis or the Beatles, was made on Murray’s iPhone. The prosecutor considered the recording to be so persuasive that he played it as part of his opening statement. Most news accounts have referred to the recording as a “tape.” In actuality it was a digital recording recovered from the iPhone by forensic expert Stephen Marx.

Once again, computer forensics has provided important evidence in a very high profile trial. From a forensic standpoint, a cell phone is a computer that fits in a pocket. The same techniques and tools that we use for finding evidence on computers enable us to also find and preserve evidence on cell phones, including iPhones.

There are a number of tools available for obtaining a forensic image from an iPhone. A forensic image is a copy of the data on the phone taken in a way that provides a complete and true copy of the data on the phone. Among the tools available for this are Cellebrite and EnCase version 7 (which incorporates features from an earlier EnCase product called Neutrino).

Once we obtain the copy of the data, we view the contents of the phone using forensic tools. The iPhone stores much of its data in SQLite databases, and extracting those databases and reading their contents with the right tools can frequently recover even deleted data.

What kind of data can we get from cell phones? Obvious items are logs of phone calls that have been made and the content of text messages. Other items include voice messages stored on the phone, recordings the user might have made, videos or pictures made or stored on the phone, and email. In the Conrad Murray trial, the forensics expert was able to reconstruct a timeline of Murray’s activities prior to Jackson’s death and to help investigators reconstruct Murray’s activities.
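Why a deleted record can remain in a SQLite file, shown as an added example that is not part of the original post. It is the same container persistence the earlier post describes for .pst files. The table name, sample rows and marker string are constructed; the script deletes one row and then searches the raw database file for its text with secure_delete off, with secure_delete on, and after VACUUM.

```python
import os
import sqlite3
import tempfile

# Constructed sample text standing in for a deleted message; not real data.
MARKER = "CONSTRUCTED-DELETED-MESSAGE-7f3a"


def marker_survives(secure_delete: bool, vacuum: bool = False) -> bool:
    """Delete one row, then report whether its text is still in the raw file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        # isolation_level=None puts the connection in autocommit mode,
        # so every statement is written to disk and VACUUM is allowed.
        con = sqlite3.connect(path, isolation_level=None)
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany(
            "INSERT INTO message (body) VALUES (?)",
            [("lunch at noon",), (MARKER,), ("see attached",)],
        )
        con.execute("DELETE FROM message WHERE body = ?", (MARKER,))
        # The application-level view no longer shows the row.
        remaining = con.execute("SELECT count(*) FROM message").fetchone()[0]
        assert remaining == 2
        if vacuum:
            # VACUUM rebuilds the file from live rows only.
            con.execute("VACUUM")
        con.close()
        # A forensic tool reads the file itself, not the table view.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("secure_delete OFF:", marker_survives(False))
    print("secure_delete ON: ", marker_survives(True))
    print("OFF, then VACUUM: ", marker_survives(False, vacuum=True))
```

With secure_delete off the row is gone from every query but its bytes are still in the file; overwriting on delete or rebuilding the file removes them.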

This is an example of how cell phones, and other digital sources besides computers, can provide important evidence in trials.
