March/April 1997

Getting Expert Help for Discovering Electronic Evidence

Two words: Discovery. Computers. It’s a combination that should make you wary. Even in a case that has nothing to do with computers, you may need to look at the other side’s relevant spreadsheets, e-mail, and word-processed memos. Yet you can’t just photocopy a hard drive and backup tape. To do more than superficial discovery, you’ll need help from an expert in the new hybrid area of law and technology called "Computer Forensics."

For your expert, you might be tempted to ask an old college buddy working at Microsoft, or your firm’s MIS manager. Bad idea. You wouldn’t ask an auto mechanic to analyze tire tracks at a crime scene (unless it’s Marisa Tomei in My Cousin Vinny), because, outside of movies, the forensic work requires unique tools and expertise. For example, when your word processor bombs, it leaves half-finished documents and spews cryptic error messages that a technician can use to solve the problem. On the other hand, if a temp copies your novel to a floppy disk, the clues are generally not recognizable to a typical computer expert.

There are no standards or meaningful certifications of competency in Computer Forensics. Therefore, it is up to you to decide which of the thousands of computer experts in any large city are actually going to be helpful. I suggest you take time to prepare before interviewing several candidate experts. Think through every step of the evidentiary process and how the expert should be helpful. Then, interview prospective experts carefully, asking for concrete information on how they will help you through each step. As a guide to your planning, I recommend that you ask prospects about the following steps in gathering electronic evidence:

Protecting The Evidence Before You Obtain It

In this sinful world, some people will try to cover their tracks by destroying evidence. Naturally, you were planning to get an ex parte order protecting the evidence while the actual discovery order is thrashed out. But a blind spot in your knowledge of technology may create a hole in the order, through which your evidence may drain away. For example, a party ordered not to delete or alter any files may (arguably) run some utilities in the normal course of business that have the incidental effect of blurring a file’s history. You don’t want that! An experienced consultant can help you figure out how to ask for adequate protection. An ideal consultant would have sample orders to crib from.

Developing the Discovery Request

Your discovery requests will have all the problems of your ex parte order, plus the attention of an opponent. For example, the other party may argue that your discovery request is too burdensome. The other side may be unaware of tools that might radically cut costs, they may be blowing smoke, or they may be right (it happens …). For example, a good-sized company can create hundreds of backup tapes and thousands of files within a short time. It may cost more than your entire law school tuition to preserve these tapes, or to locate all the files on all the floppy disks in every employee’s desk. Your expert should be able to help you figure out whether the other side’s claimed costs are inflated, to pare down your discovery request, and to propose less-costly means of getting the information that you need and to which you are entitled.

Getting The Evidence

Once you have the right to the evidence, you still have to get your mitts on it. Copying electronic data is a lot tougher than photocopying papers. For one thing, it often involves going onto the deponent’s premises and copying things from their computers.
This can be a delicate operation - imagine how you would feel letting the other side even touch the keyboard of your office computer! Therefore, you will want your expert to have highly professional methods, presentation, and backoffice support.

Hardware is another concern. There are hundreds of combinations of hardware, tape densities, compaction schemes, backup software, and so on. No one can have all the combinations on hand (for example, how many people can even identify a 4mm DAT written by a Tecmar 2000 running QTOS 2.0?). Instead, your expert must have experience getting what is needed quickly.

Unexpected events at your opponent’s site are the norm and showcase the benefits of strong backoffice support. For example, if your rented tape drive fails at 3 a.m., an expert organization should have the resources to get you going again instead of possibly missing a deadline.

Finally, your expert must have specialized tools for copying evidence. Most of the tools currently in the business market, such as Windows Backup commands, do not capture all the material in which you may be interested. For an analogy, consider a photocopier. It does a great job for normal business needs, but does not copy watermarks that would help you detect altered materials. Similarly, you will want an expert who uses special software tools to detect clues that are unimportant in normal business practices.

Turning The Data Into Information

The raw data that you discover is like a pile of rocks; you have to organize it meaningfully before it becomes a wall of information. Likewise, once you have a pile of your opponent’s files, you still must organize and extract the useful information.

One problem is the esoteric nature of some electronic evidence. For example, a common spreadsheet may have obscure dates within hidden features that provide the key to your case. Your expert should have practice in finding things like this.

Volume is another concern.
Thousands of pages of e-mail messages are no longer unusual. Looking through so much material can be worse than searching Westlaw or the World Wide Web. Your expert must have the tools, especially the methodology, for sifting out the relevant from the dross.

Presenting The Evidence

Think carefully about whether your consultant might have to testify in court. Your consultant must be able to provide objective and authoritative credentials. It would also be helpful if your expert had prior experience in testifying.

Given the glacial pace of some litigation, you may need your expert to reexamine the data or to testify months or years in the future. By then, your expert may have become unavailable. Hiring an organization, rather than an individual, may provide the continuity you require.

Dealing With Another Party’s Discovery

"Sauce for the goose is sauce for the gander," as my mother often says. Your client may get hit by a discovery request for computer data. This can be a big problem. For example, if your client has hundreds of backup tapes, it can take months to search for the files that satisfy a request that has a deadline measured in days. Your expert should be able to help plan for dealing with these requests quickly and economically.

Maintaining General Professionalism

A deponent might claim the evidence has been tampered with. Your expert’s backoffice support is crucial in maintaining a proper chain of custody and otherwise securing the evidence. A locked evidence room with a professional 24-hour security system is a prudent minimum.

One final issue: professionals do not like to turn down business any more than lawyers do. If pride or financial pressure has ever tempted you to take on a case that was slightly beyond your experience, you can understand the attitude of a typical computer professional. They’ve got pride too! Therefore, think carefully about a possible expert’s abilities.
Resist the urge to provide a subsidized education to someone new at forensic computing, even a friend. You do NOT want to be the subject of a story that starts, "Back when I was first getting into the field … ."

Electronic evidence is growing in importance every day. Take the time to pick your computer forensics expert carefully. You will not regret it. Nor will your malpractice insurer.

Randall Winn is an attorney in Seattle. He started writing software in 1973 and has most of the above from unfortunate experiences. His email address is rewinn@yahoo.com.