Potential Lines of Questioning for 30(B)(6) or Equivalent Depositions of IT Personnel



The following is intended to be a guide to lines of questioning to ask during a deposition of IT personnel, most typically using FRCP 30(b)(6) or the equivalent state rule. It is not an exhaustive list, but rather a starting point for general lines of questioning. Forensicon encourages counsel to expand and adapt these samples to fit the specifics of their case and their own questioning style.

It is important in the examples below to note the differences between an informal practice or procedure, an official written policy, and actual physical restrictions of user rights on the computers. Copies of any formal policies should be requested. For all such policies, you might wish to ask: When did this policy or practice go into effect? Who made the policy decision and how did it come about? Has it ever changed? Who is responsible for overseeing, carrying out, and enforcing the policy or procedure?

Email and Instant Messaging
• What email and IM software does the company use?
• Is data hosted internally or through an external service provider? If external, what is the name of the provider?
• How do users access their email? – a program on their computer? a web-browser
• Do all users use the same program/method to access their email? If not, how is it
determined which program(s) users can use?
• Are IMs or email messages left on a server? Are they all downloaded to personal storage /archive files or otherwise saved on the individual users’ machines? Is there mirroring or synchronization between the server and files on the user computers? Is the server mirrored elsewhere to another server?
• How often is the server backed up? How often is it purged of old emails? How long are
backups retained? What type of media is used for the backups. Where are the backups
stored (onsite or offsite)?

Document Management
• How and where do users save documents / files?
• Do you use a document management system? Which one (iManage, WorldDox, PCDocs, etc.)? Are files saved on a server? Are they saved on individual user machines? Are they ever saved to removable or optical media (CDs, DVDs, floppy disks, USB flash drives, etc.)?
• Is there a policy on where documents must be stored/saved? What is the rate of employee compliance?
• Are all file types stored through the document management system (“DMS”)? Are there file types (i.e. non-Microsoft files or things other than .DOC, .XLS, .PPT, or .PDF) that aren’t saved through the DMS? Where and how are those other file types stored?

System Infrastructure
• How many servers does the company have? What kinds/types and what are they each
used for? Does the company run a “Profile” server?
• Are any servers set up with mirroring or striping capabilities? Which specific RAID
(Redundant Array of Inexpensive Disks) configurations are used? What is the stripe size? Is the entire hard drive used in the RAID? If not, what is the starting and ending sector used on each drive? Do you employ “right-handed” striping?
• How many desktops/laptops does the company have? Does every employee have a
computer? Who are the primary users of each machine? Do they have separate logins and passwords?
• What operating system are the computers running? How big are the hard drives?
• Does the company setup or distribute Blackberries or other PDAs to employees? (see email section for related storage questions)
• Does the company run a Voice-over-IP (VoIP) line? Does the company have voice mail capabilities? Is call recording enabled? Where/how are messages saved?

• Do you have a document retention policy or observe any other form of data preservation or destruction practices?
• What are the terms of policy/practice?
• How often are individual user workstation computers backed up and how long are backups retained?
• What about servers? Are all servers backed up? Which are and which aren’t? How long
are those backups retained? What is the rotation schedule? Are backups full or incremental? Are the contents of backups cataloged on the tapes?

Litigation Hold
• Were you ever notified of a litigation hold or otherwise informed to alter your electronic data preservation practices? If so, when? Who informed you?
• How did your practices change? How was the litigation hold implemented?
• Was the information regarding electronic data preservation disseminated to other
employees? If so, how? (email notification, word of mouth, written memo, etc.)

Usage Policy
• Do you have a company policy on computer or internet usage?
• What are the terms of the policy/practice?
• Are there any restrictions on employees using web-based email or visiting sites unrelated to legitimate business activity?

Administrative Access
• Who has access to administrative capabilities on individual workstations?
• Are employees allowed to download, install or remove programs or files on their computers?
• Are there any restrictions on access to specific program or file directories on their individual computers? On the server(s)?
• Can employees access the computer management console or other administrative utilities on their machines?
• Can employees add or remove USB, Firewire, or other similar devices to their machines?

System Logs
• Have any changes been made to default computer settings in regards to enabling or
disabling of system logging? If so, what?
• Are there any security or monitoring software packages installed on user machines, or any tools that keep track of a user’s internet or network activity? If so, what are they?

• Are there any anti-virus software installed on user workstations?
• If so, which one(s)? (Norton, McAfee, TrendMicro, etc.)
• Can an individual user initiate a virus scan?
• Is automatic protection of email or files enabled?
• Are workstations set up to perform automatic system scans on any sort of regular basis? If so, how often?

• Are there any anti-spyware or anti-adware programs installed on user workstations? If so, which one(s)? (Spybot, AdAware, etc.)
• Can an individual user initiate a spyware scan?
• Is automatic protection enabled?
• Are workstations set up to perform automatic system scans on any sort of regular basis? If so, how often?

• Is there a corporate policy regarding defragmentation of computers?
• Are any other defragmentation programs installed on workstations other than what is
included with Windows? If so, which one(s)? (O&O, etc.)
• Are users allowed to initiate defragmentation?
• Is defragmentation set up to run on a regular basis? If so, how often?

• Are there any other administrative or maintenance utilities scheduled to run at regular intervals? If so, which ones? How often?

• How often are operating system or software updates or patches installed?
• Can individual users initiate the updates themselves?
• If not, how many people have the ability to do them?
• Are they set up to be automatically installed? If so, when or how often?

New Installations
• Have any computers/workstations experienced complete operating system failure requiring reinstallation? If so, when and which / whose machines were effected?

• Does the company have any sort of shutdown or logout policy?
• Do employees completely shutdown their workstations at the end of the day or do they just logout or even leave their computers running?
• Are employees required to temporarily log out when leaving their desks for a preset amount of time?
• Are screen savers set up to automatically take effect and require login credentials to regain access to the computer?

Employee Departure
• What procedures are taken with respect to their computers or electronic data when
employees leave the company?
• If computers are re-distributed to other employees, are the hard drives cleaned, wiped, or re-imaged in any way prior to deployment?
• What happens when a computer is taken out of circulation?
• Are any procedures in place to address the disposal of computers or hard drives?


© 2013 Forensicon, Inc. For use as a template only. All other rights reserved.



    Related Posts

  • Staff Recognized for Departing Employee Investigations - The first issue of Corporate Counsel Business Journal, CCBJ,  includes an interview with our Director of Digital Forensics, Yaniv Schiff, and Solutions Architect, Curtis Collette, on the evolution of departing employee investigations. Departing Employee: When Do Investigations Become Necessary? appeared in the print publication, online edition, and on CCBJ’s In-House Tech website. For Increasing Numbers of Employers, Departing Employee Investigations[...Read More]
  • Chicago Office Food Drive – The Results Are In - QDiscovery’s Chicago Office collected nearly 1,000 containers of food for the local food bank this Holiday Season!  Our office competed with sister offices in Indiana and Connecticut.  Alas, we came in third.  Our sister offices each collected nearly 2,000 containers for their local food banks.  Relatively new to the company-wide food drive, the Forensics Division[...Read More]
  • QDiscovery Forensics Team Develops Award Winning App! - QDiscovery is winner of a 2017 Relativity Innovation Award.  Presented at Relativity Fest, the award celebrates organizations that create apps or integrations that extend the functionality of Relativity’s eDiscovery software.   Our development team created an application that makes the analysis of mobile collections much more manageable.  Relativity users can now produce and review mobile device data[...Read More]
  • Moving and Changing - Acquired by Connecticut-based QDiscovery in 2016, Forensicon’s capabilities multiplied overnight, both in forensics brain power and eDiscovery expertise.  As part of a leading provider of end to end litigation support, moving to larger offices that are more central to the Chicago legal community was inevitable.
  • QDiscovery Named One of the Top 20 Providers of Legal Services! - Leading industry publication, CIO Magazine, has named Forensicon’s parent company, QDiscovery, to it’s  Top 20 Providers of Legal Services.  The annual listing includes 20 companies that are at the forefront of providing legal solutions and impacting the marketplace.  Read the whole article here.  Featured in the publication alongside QDiscovery President, Dave Barrett, is Director of Digital Forensics, Yaniv[...Read More]
Comments are closed.