The document outlines sound collection practices for electronically stored information (ESI), emphasizing the need to determine what to collect and the differences between readily accessible and 'not reasonably accessible' data. It discusses the complexities of authenticating ESI, including challenges posed by alterations, digital forensics, and the importance of maintaining a proper chain of custody. Best practices for data collection, including thorough vendor selection and systematic methodologies, are highlighted to ensure data integrity and admissibility in legal contexts.

1. Sound Collection Practices Presented by: Seth H. Row, Esq. Michael Bean, EnCE

2. Emails Web pages Social media postings Text messages Digital voice recordings Database compilations (including accounting) Digital photographs Computer logs ESI Comes in Numerous Flavors

3. Handling “Not Reasonably Accessible” Electronically Stored Information Before you decide how to collect – decide what to collect Investigation – readily accessible v. potentially “not reasonably accessible” Fed. R. Civ. P. 26(a) conference Disclose potential sources of information Including those that are not reasonably accessible Careful: duty to preserve broader than duty to produce

4. Defining “Not Reasonably Accessible” Rule 26(b)(2)(B): “A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost.” Type of storage media ≠ not reasonably accessible – no presumption (anymore) W.E. Aubuchon Co. v. BeneFirst LLC, 245 F.R.D. 38 (D. Mass. 2007)

5. “ Not Reasonably Accessible” - Fact-Intensive Analysis Producing party’s burden, initially “ Forensic costs” – converting data from a format that is difficult or impossible to search or review to another format Cost to review (usually based on volume) Business disruption and “internal” costs The Sedona Principles (Sedona Conference WG 2d ed. June 2007) cmt 13a. How is data source actually used? Is your vendor inflating costs?

6. Custodian Interviews Use a checklist – systematic Alter on the fly Go back if new information comes to light Verification from custodians Signed, sealed, delivered Policies in place are a good first step, but Assume nothing Be prepared to show compliance

7. Why Worry About Collection?

8. Forensic Collection: Admissibility The Five Hurdles Relevance Authenticity Hearsay Original Writing Rule Unfair Prejudice Lorraine v. Markel , 241 F.R.D. 534 (D. Md., 2007) (federal rule)

9. ESI Inauthentic What is Real? Sources Altered Websites – home page hijacked Photos – cosmetic adjustments or more…. Software bugs and application failures Programmed incorrectly Calculated incorrectly

10. Authentication of ESI: Rule 901(1) Provides that the authentication of a document is "satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims." Rule 901 requires a “foundation from which a jury could reasonably find that the evidence is what the proponent says it is...” United States v. Safavian , 435 F. Supp. 2d 36 (D.D.C. 2006).

11. Authentication of ESI: Rule 901(2) Rule 901(2)(a)-testimony by a witness with knowledge that a matter is what it is claimed to be Rule 901(2)(c)-comparisons by the trier of fact or expert witnesses with specimens which have been authenticated. Safavian , 435 F. Supp. 2d at 40 (federal rule) Rule 901(2)(d)-identified by “appearance, contents, substance, internal pattern, or other distinctive characteristics, taken in conjunction with the circumstance.” United States v. Siddiqui , 235 F.3 rd 1318 (11 th Cir. 2000) (federal rule)

12. Authentication of ESI: Typical Challenges Challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created. Question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records. Challenge the authenticity of computer-stored records by questioning the identity of their author.

13. Authentication of ESI: Record a Chain of Custody Shows data was not changed. The less susceptible an exhibit is to alteration or tampering, the less strictly the chain of custody rule is applied Needed when: Evidence is not readily identifiable, No witness with personal knowledge to identify, or Evidence susceptible to alteration by tampering or contamination. Particularly important when: Preserving/storing data Searching for creation/alteration data (e.g., date created),or Searching for any evidence of fabrication. United States v. Howard-Arias, 679 F.2d. 363,366 (4 th Cir. 1982)

14. Authentication of ESI: experts under Rule 901(2)(c) Expert Qualification – "a person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resulting data" is a "qualified witness" and may need to authenticate data or interpret recovered data.

15. Authentication of ESI: Expert Questions What is the evidence, or what does it purport to be? Forensics Expert: "This is a printout of data that I recovered on 4/26/07 from the hard disk drive primarily used by John Doe of the Acme Corporation." Where did it allegedly come from? Forensics Expert: "The hard drive was taken from the office of John Doe on 1/1/07. It was contained within a Generic PC bearing model XXXX and S/N YYYY." Who created, discovered, or recovered it? Forensics Expert: "The data appears to have been created by John Doe. I discovered and recovered it from his hard disk drive using computer forensic techniques." How was it created, discovered, or recovered? Forensics Expert: "I made an image of the hard disk drive using a forensic imaging device. This device is designed to make a perfect copy of a disk and does not alter the data on the disk being copied."

16. Authentication of ESI: Ubiquitous Email Direct knowledge of participant in exchange is best- 901(2)(a) Circumstantial evidence (Rule 901(2)(d)): “contents” and “circumstances” -901(2)(d) Circumstantial evidence: markings, addresses, logos- 901(2)(d) Expert testimony and comparison- 901(2)(c)

17. Authentication of ESI: Websites Hutchens v. Hutchens-Collins , 2006 WL 3490999 (D.Or. 2006) Defendant hired forensic vendor to download content of website pages to “write-only” CD-ROM’s. Website freely available on internet. Vendor tracked registered domain name to plaintiff’s corporation through publicly available WHOIS system. Court held that totality of circumstances sufficient to authenticate website documents.

18. Authentication of ESI: Chat Rooms Most commonly utilized: 901(2) (a)-witness with personal knowledge 901(2)(d)-circumstantial evidence of distinctive characteristics

19. Authentication of ESI: Chat Rooms United States v. Tank , 200 F.3rd 627 (9th Cir. 2000) Gov’t adequately authenticated chat room log printouts maintained by a co-defendant Evidence included testimony from co-defendant about the procedure he used to create logs and his recollection that logs appeared to be accurate representation of conversations among members Despite co-defendant’s deletion of portion of log to free up space, log was authenticated. Deletions would go to weight of evidence, not admissibility.

20. Nuts & Bolts (& Bytes)

21. Disk Area of Concentration Allocated Space Allocated by operating system for active user files, system files, all space available to user Unallocated Space Space that is recognized by the operating system but not currently assigned. Area for deleted files, temp files used by programs, etc..

22. Other Areas of Concentration Dear Byron and Don, please accept my resignation because you work me too hard, don’t pay me enough and by the way I am taking my clients with me, sincerely yours, The disgruntled employee. Customer Lists: Aon, Symantek $%#*&^%Jack Walker is a January 1, 2001..This letter will serve as an agreement between Jack in the box and Deloitte Dear Byron and Don, I love my job and want to stay here forever! Mr. Happy File Slack Disk Slack 512 bytes 512 bytes

23. Acquisition How do I get the data on the principal media in a state that I can examine without altering the original data? How long does this procedure take? What are my options to Acquire the data? What are the limitations to the acquisition procedures? How do I know that the data acquired is the same?

24. How do I get the data on the principal media in a state that I can examine without altering the original data? Create an exact bit by bit copy or a file that contains a bit by bit copy of the principal drive on sterile media For passing as an original the two must be identical Hard Drive Evidence File Segments .E01, E02

25. Evidence File Construction CRC CRC CRC CRC MD5 Header 64 Sectors 32K 64 Sectors 32K 64 Sectors 32K MD5 Hash Value CRC= 32 Bit Cyclical Redundancy Check MD5= Message Digest 5, 128 Bit Algorithm Header= Case info is stored Data Blocks= 64 Sectors/32K data CRC protects data block integrity MD5 protects evidence file integrity .E01 .E02 .E03

26. Once Data Is Preserved… Rebuild partitions if necessary Recover Folders Searching Boolean GREP Foreign Language/Unicode Signature Analysis Hash Analysis Email Analysis File Review Export Functions Registry Review

27. Windows Artifacts Recycle Bin My Documents Recent Print Spool Internet History Temporary Internet Files

28. Recycle Bin (before emptied)

29. Recycle Bin

30. Recycle Bin Info 2 Record Raw Text

31. Recycle Bin Analysis

32. Processing Back-up Tapes

33. Cases on Collection

34. Collection of Data Gates Rubber Co. v. Bando Chemical Indus., Ltd., 167 F.R.D. 90, 112 (D.C. Col., 1996). court defined a legal duty on the part of litigants or potential litigants to perform proper computer forensic examinations. examiner failed to do a mirror image copy of the target hard drive and instead did a file-by-file copy resulting in the loss of data. evidentiary sanctions and criticized the examiner for failing to make an image copy of the hard drive finding that when processing evidence for judicial purposes a party has “a duty to utilize the method which would yield the most complete and accurate results ”

35. EnCase Recognized By Courts State v. Morris, 2005 WL 356801 (Ohio App. 9 Dist. Feb. 16, 2005). In this appellate case from Ohio, the original hard drive, which belonged to a third party was overwritten. 8 All that was available at the time of trial was the EnCase Evidence File containing the image of the drive. The courts decision in this case validates the MD5 hash process and considers forensic disk images to be exact copies and admissible when the “original” is no longer available.

36. EnCase & Authentication State v. Cook , 777 N.E.2d 882, 886 (Ohio App. 2002) In this case the defendant appealed his conviction of possessing child pornography and designation as a sexual predator challenging what he claimed “the lack of reliability of processes used to create two mirror images of the hard drive. The Ohio Appellate court addressed this argument by describing in detail how the EnCase software was used to make the image of the hard drive. The court further noted that the investigator was trained in the use of EnCase and in upholding the validity of the images stated “In the present case, there is no doubt that the mirror image was an authentic copy of what was present on the computers hard drive”.

37. Coleman (Parent) Holdings, Inc v. Morgan Stanley & Co., Inc., 2005 WL 679071 at *4 (Fla.Cir.Ct. Mar. 1, 2005)., subsequent decision, 2005 WL 674885 (Fla.Cir.Ct. Mar. 23, 2005). Morgan Stanley decided to collect electronic documents themselves, using software they developed in-house. [A Morgan Stanley employee] reported that…she and her team had discovered a flaw in the software they had written and that flaw had prevented [Morgan Stanley] from locating all responsive email attachments. [She also] reported that [Morgan Stanley] discovered…that the date-range searches for email users who had a Lotus Notes platform were flawed, so there were at least 7,000 additional e-mail messages that appeared to fall within the scope of [existing orders]... * * * Sanctions! * * * “ DIY” Collection Programs

38. THANKS! Seth H. Row [email_address] (503) 222-1812 Michael Bean [email_address] (971) 285-3408 x 201