DIGITAL DISCOVERY AND RECOVERY
A NEW KIND OF EVIDENCE GATHERING

Copyright 1995 Dockery Associates, L.L.C.
"Opportunities For Success in Litigation"
By Mike Dockery

With the explosive increase in the number of personal computers within the workplace as well as at home, the number of locations in which relevant evidence can be found has been multiplying at a breathtaking rate. The parallel increase in the number of home businesses has contributed to both the size and complexities involved with effectively identifying all these locations.

Windows/Windows 95/Macintosh System 7/UNIX/Business software packages... are you confused yet? You quickly begin to realize the difficulty associated with identifying and assimilating the myriad of information locations during discovery.

Attorneys are further hindered by the reality that a user, with current technologies, can quickly delete long lists of relevant information with little evidence of the event. Users can also encrypt their files, making it difficult or impossible to obtain readable information from a supplied disk. The owner of the disk can conveniently claim they have forgotten the password.

Is there any way to "level the playing field" to allow a reasonable review of relevant electronic evidence? Solutions to this question were alluded to in the article "Electronic Records Are Discoverable in Litigation", June 27, 1994 by Jean Marie R. Pechette. Pechette stated that the early stages of discovery should thoroughly explore all possible locations of relevant information. A thorough review of all sources of evidence, during interrogatories and depositions, will lay the groundwork for a "premises inspection" which may "uncover more useful and possibly damaging evidence because it diminishes the other side's ability to produce information selectively or otherwise obfuscate the process." "It also will allow the investigator to determine when documents were created, if and when they were altered or deleted, and when copies were made and when". This article also states that "an independent third-party expert should be retained to assist in framing the request and conducting a premises inspection." "This approach would minimize the disruption to the responding party's business operations and the risk of crashing the system or corrupting data."

How can an outside expert assist during the discovery process?

1. An outside expert can identify locations and media types on a broad array of hardware and operating systems.

Let me give you an example of where this kind of help can be invaluable. In a product liability suit, say you are trying to find some evidence that management had knowledge of a product defect which it chose to ignore. This evidence could be found in a number of formats: electronic mail, spreadsheets, word processing memos and others. During "discovery" you request that any applicable evidence be supplied. What if several earlier relevant drafts of memos were conveniently omitted from your request? These drafts may well contain the evidence you need to make your case. Earlier drafts of documents frequently contain information that was edited out during the writing process. These can be invaluable in providing insight into the thought processes involved and the decision-making taking place within a firm.

What about a case where the company states that all information has been provided? Are you aware of the fact that Novell servers contain a directory named "deleted.sav" that contains most documents that have been deleted? How would your case be affected if you could prove, via a "premises inspection", that relevant evidence had been destroyed because it had been found within the "deleted.sav" directory? The fact that relevant data was deleted on a network after the discovery order date may well provide further relevant information to your case. You would not have even known this evidence existed without the aid of a qualified expert.

2. A qualified expert can provide assurances that malicious logics are not deposited on a suspect computer.

This professional has substantial experience in computer security to successfully counter arguments that malicious viruses may have been placed inadvertently on a client's computer system. This experience should be infused with a strong quality control system to guarantee clients are free from the possibility of being infected with a computer virus.

A qualified expert also has experience in computer programming and quality control over a broad range of different computer systems. You should not be looking for an individual who is an expert on any one particular operating system because your potential sources of evidence will be severely restricted. What you will need is someone who has been exposed to a broad variety of computer platforms and who knows how to sufficiently navigate file structures and directory trees.

3. A qualified expert assures relevant evidence is adequately protected and a custody chain established.

4. They can assure clients that business operations will not be unduly interrupted.

Expeditious recovery of all relevant data should be the recovery specialist's top priority. A severe constraint to such a firm should be the amount of time remaining on site. If a prospective company cannot demonstrate the means whereby they expeditiously conduct a premises inspection, you should select another consultant.

5. A qualified expert will have an active quality control program which is externally audited.

Why should a company have such a program? Number one, to assure clients there is absolutely no possibility of a virus being accidentally placed upon a computer system during the premises inspection. Secondary reasons are to assure data is not changed or deleted during the review process.

6. A qualified expert will be aware of legal concerns in the areas of "work product" and "client attorney privilege".

There is always the possibility that, during a premises inspection, some type of data could be acquired that is subject to "work product" or "client attorney" privilege. Any expert who is acquiring this data should ethically be bound to not provide "work product" or "client attorney" privilege information to the other side. Conversely, information which is being inappropriately protected should not be kept secret simply because it has been improperly labeled.

Mike Dockery

Dockery Associates
P.O. Box 36384
Indianapolis, IN 46236
(317) 823-8939
(317) 823-2895 FAX
WWW- http://evidence.finder.com/dockery/

Copyright (c) 1996, Dockery Associates, L.L.C.
All Rights Reserved. Used with permission from Mike Dockery

We have set up a WWW repository for the legal community on electronic evidence cases and related information. Should you be interested, our WWW address is:

http://evidence.finder.com/dockery/

If you have any additional information/references of interest in this area you feel would be beneficial to others, please forward for posting to:

dockery@evidence.finder.com

For those of you not able to connect to the web, you can subscribe to our newsletter on electronic evidence by sending an email.

Thanks
Mike Dockery

