Presentation given May 6, 2010 by Seth Row, Esq. and Michael Bean, EnCE on sound collection practices in e-discovery.

1. Sound Collection Practices Presented by: Seth H. Row, Esq. Michael Bean, EnCE

7. Why Worry About Collection?

20. Nuts & Bolts (& Bytes)

21. Disk Area of Concentration Allocated Space Allocated by operating system for active user files, system files, all space available to user Unallocated Space Space that is recognized by the operating system but not currently assigned. Area for deleted files, temp files used by programs, etc..

22. Other Areas of Concentration Dear Byron and Don, please accept my resignation because you work me too hard, don’t pay me enough and by the way I am taking my clients with me, sincerely yours, The disgruntled employee. Customer Lists: Aon, Symantek $%#*&^%Jack Walker is a January 1, 2001..This letter will serve as an agreement between Jack in the box and Deloitte Dear Byron and Don, I love my job and want to stay here forever! Mr. Happy File Slack Disk Slack 512 bytes 512 bytes

25. Evidence File Construction CRC CRC CRC CRC MD5 Header 64 Sectors 32K 64 Sectors 32K 64 Sectors 32K MD5 Hash Value CRC= 32 Bit Cyclical Redundancy Check MD5= Message Digest 5, 128 Bit Algorithm Header= Case info is stored Data Blocks= 64 Sectors/32K data CRC protects data block integrity MD5 protects evidence file integrity .E01 .E02 .E03

28. Recycle Bin (before emptied)

29. Recycle Bin

30. Recycle Bin Info 2 Record Raw Text

31. Recycle Bin Analysis

32. Processing Back-up Tapes

33. Cases on Collection

35. EnCase Recognized By Courts State v. Morris, 2005 WL 356801 (Ohio App. 9 Dist. Feb. 16, 2005). In this appellate case from Ohio, the original hard drive, which belonged to a third party was overwritten. 8 All that was available at the time of trial was the EnCase Evidence File containing the image of the drive. The courts decision in this case validates the MD5 hash process and considers forensic disk images to be exact copies and admissible when the “original” is no longer available.

37. Coleman (Parent) Holdings, Inc v. Morgan Stanley & Co., Inc., 2005 WL 679071 at *4 (Fla.Cir.Ct. Mar. 1, 2005)., subsequent decision, 2005 WL 674885 (Fla.Cir.Ct. Mar. 23, 2005). Morgan Stanley decided to collect electronic documents themselves, using software they developed in-house. [A Morgan Stanley employee] reported that…she and her team had discovered a flaw in the software they had written and that flaw had prevented [Morgan Stanley] from locating all responsive email attachments. [She also] reported that [Morgan Stanley] discovered…that the date-range searches for email users who had a Lotus Notes platform were flawed, so there were at least 7,000 additional e-mail messages that appeared to fall within the scope of [existing orders]... * * * Sanctions! * * * “ DIY” Collection Programs