Logo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forensic Discoveries Newsletter

January 2008
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Welcome to Forensic Discoveries' eDiscovery and Computer Forensics Newsletter. Keeping you and your practice informed of the ever-changing realm and value of Electronic Discovery and Computer Forensics is the purpose of this newsletter. If you have a colleague that may be interested in subscribing, follow the instructions at the bottom of this newsletter to be added to the distribution. If you choose not to continue receiving this newsletter, follow the directions at the bottom of this newsletter and accept our apologies for intruding.
in this issue
Upcoming Speaking Engagements
What is Metadata?
Metadata - What Is It and What Are My Ethical Duties?
eDiscovery 101 Webinar
24 States Have Now Enacted eDiscovery Laws
EDiscovery Case Law
Previous Newsletters
 
We hope you enjoy this month's article explaining metadata. Due to a steady increase in new subscribers, Forensics Discoveries will continue to list previous newsletters. As others have done, please let us know of a specific topic you would like to see covered.
 
Below is a review of our previous newsletters:
 

August 2007 - "What is Computer Forensics?"

September 2007 - "Preparing Your Clients for EDiscovery - Part 1"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Upcoming Speaking Engagements


Tennessee Private Investigators Association
March 13th, 2009
"Computer and Cell Phone Forensics"
More information can be found here


Forensic Discoveries is also planning to hold numerous "lunch and learn" events in 2009 covering the topics of EDiscovery, Computer Forensics, and the technical interpretations of the laws that govern electronic discovery. We are working with the CLE commission to obtain CLE credit for these events and will update as dates are determined. If you are interested in attending or would like to request specific content please email with subject line "Lunch and Learn".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Metadata?

The term "metadata" is likely the most commonly used technical term used by attorneys when dealing with eDiscovery. Speaking as a technologist for more than twelve years, metadata is a detail of electronic documents that the legal field has been able to gain more value from than technologists. Backup tapes exist and were invented to recover systems, not for discovery; however, with the value that metadata brings to intricate details of electronic files, I also understand the value of the historical data in litigation that backup tapes may contain. A basic definition of metadata is that it is simply "information about information". In this article, we will cover some of the basics of metadata, the value of the information, and how the metadata can tell a different story from the contents of an electronic document by itself.

A striking statement that I make in many of my speaking engagements is that you are already involved in eDiscovery whether you realize it or not. Ninety-five to ninety-eight percent of all information is digital. This means that the paper files that you are reviewing are likely just a printed manifestation of an electronic file. However, the printed document does not have all of the information that may be relevant to your case. You guessed it; the metadata is what is missing from a printed document. The metadata of a digital document provides a wealth of information that is only available when you have the electronic file. Information such as:

·    File creation dates and times
·    File modification dates and times
·    Authors of a document
·    Who last saved a document

Depending on the type of digital file, the metadata may also determine the computer a file was created, when it was last printed, and what version of the software was used to create and modify the document. The metadata of an excel document may uncover hidden rows or columns, in addition to the actual formulas used to derive the mathematical calculations. Email metadata will also contain the email "header" which can be best described as the tracking information for an email: when it was sent, where it was sent from, when it arrived, etc.

When combining the basics of metadata with "embedded" metadata that may contain the track changes history of word, the courts had a great deal of foresight with the issues surrounding metadata and the need for Rule 26(b)(5), the "clawback". When not properly analyzed, the metadata of a document could reveal much more information than you intended.

Rather than explaining each and every exciting detail about metadata, let's put this basic tutorial of metadata to use. You are representing a client in a workplace discrimination suit. As part of your discovery request, you have asked for all employment records from 2002-2007 in an electronic format. The manager who performed the annual reviews during that the time was named Darlene Johnson, she has since been replaced by John Smith. On February 1 2008, you receive annual employee reviews for your client in a native format (Microsoft Word). As you review the contents, the information in the files does not match the situation that your client has described. You decide to have the metadata of some the files analyzed. Below is a screenshot of a utility we use to analyze metadata:




Metadata ExampleWhen analyzing the metadata of the "Employee Review - 2002" document, there seems to be some inconsistencies.

1.    The original author of the "Employee Review - 2002" document was "djohnson", confirmed to be the username for Darlene Johnson but the document was last saved by "jsmith", confirmed to be the username for John Smith.

2.    The file was last modified and saved on 1/26/2008 by "jsmith" and was then printed.

As you can see, the metadata tells a different story from the contents of the document. If only a paper copy of the "Employee Review - 2002" document was provided, you may not have known that John Smith edited the document less than a week before it was produced.

The metadata of a document provides a great deal of information not available with a paper copy only. Information such as author, creations dates, and modified dates may provide great value to your litigation. Maybe simply knowing the formulas used in Microsoft Excel or when an email was actually sent could be a turning point in your case.




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Metadata - What Is It and What Are My Ethical Duties?

  With this month's feature article explaining the technical basics around metadata, I discovered a very informative article on some of the ethical duties surrounding when metadata "mistakes" occur. The article can be read here.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

eDiscovery 101 Webinar

As previously mentioned, Forensic Discoveries is planning multiple lunch and learns with the topic of "eDiscovery 101" for CLE credit. FIOS also has an "Electronic Discovery 101" webinar that lasts 1 hour and can be downloaded as a podcast or webcast that covers the following:
  • What e-discovery really is
  • The various phases of e-discovery and why they are important
  • Basics of the Electronic Discovery Reference Model (EDRM)
  • Available educational resources
The course can be downloaded here (requires sign-up)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

24 States Have Now Enacted eDiscovery Laws

As Tennessee will soon enact updated rules at address ESI, 24 other states have already enacted updated rules to address eDiscovery. See the complete list here.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
EDiscovery Case Law


Destruction of Documents Pursuant to Document Retention Policy Results in Dispositive Sanctions Where Policy was Created as Part of Litigation Strategy and Thus Litigation was Reasonably Foreseeable

Micron Tech., Inc. v. Rambus, Inc., 2009 WL 54887 (D. Del. Jan. 9, 2009)
In this case arising from Micron's alleged infringement of Rambus' patents, a bench trial was held on the issue of Rambus' alleged spoliation of relevant documents pursuant to a document retention policy it had recently implemented.  The court ruled that Rambus had intentionally spoliated documents in bad faith.  As a sanction, the court declared the patents in suit unenforceable against Micron. Click here to read more.



Magistrate Judge Recommends Default Judgment for Laptop Spoliation, Finding Lesser Sanctions Inadequate

Gutman v. Klein, 2008 WL 4682208 (E.D.N.Y. Oct. 15, 2008).

In this fraud litigation, the plaintiffs sought default judgment and monetary sanctions claiming the defendants destroyed crucial evidence on a laptop belonging to one of the defendants. Previously, the court ordered a court-appointed forensic expert to analyze the hard drives for evidence of a deletion program. The examiner forensically copied the hard drive, discovered that a deletion program did exist, and that hundreds of documents were deleted. The forensic expert also discovered that the computer's system clock had been altered, calling into question the integrity of the time stamps in the event logs. Finding that the plaintiffs demonstrated spoliation of evidence on the laptop and that the evidence was relevant, the magistrate judge determined the defendant acted in bad faith and recommended a default judgment, holding that the spoliation made it impossible to identify files, therefore making lesser sanctions inadequate. The magistrate judge also recommended awarding attorneys' fees to the plaintiffs relating to all expenses incurred regarding the laptop, but did not recommend that any punitive monetary sanctions be imposed.



Magistrate Judge Sets Forth Detailed Procedure to Govern Forensic Analysis

Koosharem Corp. v. Spec Personnel, LLC, 2008 WL 4458864 (D.S.C. Sept. 29, 2008).

In this breach of contract, inter alia, litigation, the plaintiffs claimed the former employee defendant stole confidential information and used it to expand the business of his current employer. The plaintiff thus sought production of the defendants' business and personal computers for forensic inspection, alleging the e-mails produced by the defendants were not accurate copies. The plaintiffs also argued that electronic documents were modified after the defendants were put on notice of litigation, noting that the defendants did not make any preservation efforts. Finding forensic analysis appropriate, the court granted the motion to compel. The court established a detailed procedure to govern the forensic examination and ordered the parties to share equally in the fees, costs and expenses charged by the forensic expert.


Court Upholds Expert Witness Testimony Citing Sufficient Computer Forensics Knowledge

Michigan v. Raar, 2008 WL 4228349 (Mich.App. Sept. 16, 2008).

In this criminal prosecution, the defendant appealed his jury trial convictions, including a conviction for using the Internet or computer system to engage in criminally prohibited communications. The defendant argued the trial court improperly permitted the government's expert witness to offer opinions on computer activity. At trial, the defendant objected to the expert witness' computer forensics qualifications, but did not specifically identify a basis for objection. Overruling the objection, the trial court noted the expert witness had: over 800 hours of training in computer forensics; three years of experience working in state police computer forensics lab; was a certified member of the International Association of Computer Specialists; and had performed over 100 computer forensic examinations. This court held that the trial court did not abuse its discretion in relying on the forensic expert's testimony and its determination that the witness had "sufficient 'knowledge, skill, experience, training, or education' in the field of computer forensics."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Forensic Discoveries is available to provide onsite presentations or Q&A sessions on topics such as Electronic Discovery, Technical Implications of the updated Federal Rules of Civil Procedure, or Computer Forensics. Forensic Discoveries is also available to you, obligation free, to answer any specific questions pertaining to these topics. Simply give us a call and we will be glad to answer any questions pertaining to Electronic Discovery and Digital Forensics.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contact Information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phone:    (865)-809-7590

Address: 1431 Centerpoint Boulevard, Suite 150

              Knoxville, TN 37932

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

If you have a topic that you would like addressed in the newsletter, please let us know. Either visit http://www.forensicdiscoveries.com/newsletter.html and submit your suggestion there or reply to this e-mail with your suggestion. 

For previous versions of Forensic Discoveries EDiscovery newsletters, visit http://www.forensicdiscoveries.com/pastnewsletters.html  

 

This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence and computer forensics.

Quick Links...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~