On October 1st, 2009, the Seventh Circuit Electronic Discovery Pilot Program entered its Phase One Implementation and Evaluation period. During the seven months from now until May 1st, 2010, individual Seventh Circuit judges have agreed to adopt new principles concerning the discovery of electronically stored information (ESI) and implement them in select cases. “The Principles” will be adopted in the form of a standing order and cover such issues as cooperation, proportionality, early assessment, identification, preservation, and production. Final implementation of the Principles is scheduled for May 2011.
One section of the Principles in particular will heavily impact the use of computer forensics in cases pending before the 7th Circuit:
As one might imagine, many of these categories are data sources that are essential to conducting a thorough forensic investigation. Accordingly, the ability to demonstrate the need for this information will become imperative in gaining access thereto.
The chief issue to overcome is whether bit-stream imaging of computer media (and the data derived therefrom) is necessary or constitutes an “extraordinary affirmative measure.” While routine discovery of ESI in many cases may not be dependent on full forensic preservation, there are situations in which discovery should extend beyond the standard Microsoft Office and other “user documents.”
In cases such as misappropriation of confidential company data by a departing employee, what is at issue is not merely the existence of the files, but also their method of transfer and the extent of their dissemination to other parties. Reconstructing this type of activity depends on information that is tracked not by the pilfered files themselves but by the operating system and other program metadata, which is available only from a properly acquired forensic image.
For example, a person may transmit sensitive files via personal web-email accounts such as Yahoo! or Gmail. While this type of email is not typically stored as an actual “document” on the computer, there may nevertheless be several indicators that such activity took place. A qualified forensic examiner will likely investigate not only dates and times of online access to these websites using internet history records, but will also look through temporary files and even use advanced recovery techniques to “carve” HTML pages from cached data and unallocated space.
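The header-and-footer carving described above can be sketched as follows. This is an added example, not code from the original article or from any forensic product; the byte buffer, page titles and file name are constructed, and `carve_html`, `page_title` and the 2 MB size limit are assumptions made for illustration.

```python
import re

# Signatures that mark the start and end of an HTML document (case-insensitive).
HTML_START = re.compile(rb"<html[\s>]", re.IGNORECASE)
HTML_END = re.compile(rb"</html\s*>", re.IGNORECASE)
TITLE = re.compile(rb"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
MAX_CARVE = 2 * 1024 * 1024  # assumed upper bound on the size of one page


def carve_html(raw: bytes, max_len: int = MAX_CARVE):
    """Return (offset, page_bytes) for each complete header..footer span."""
    carved, pos = [], 0
    while True:
        start = HTML_START.search(raw, pos)
        if start is None:
            return carved
        end = HTML_END.search(raw, start.end(), start.start() + max_len)
        # A second header before the footer means the first page was
        # partly overwritten; do not carve across the two fragments.
        nested = end and HTML_START.search(raw, start.end(), end.start())
        if end is None or nested:
            pos = start.end()
            continue
        carved.append((start.start(), raw[start.start():end.end()]))
        pos = end.end()


def page_title(page: bytes) -> str:
    """Extract the <title> text, which often names the site and the view."""
    m = TITLE.search(page)
    return m.group(1).decode("utf-8", "replace").strip() if m else ""


# Constructed stand-in for unallocated space: filler bytes, one intact cached
# page, one truncated fragment, and a second intact page.
SAMPLE = (
    b"\x00" * 512
    + b"<HTML><head><title>Webmail - Sent</title></head>"
      b"<body>Attachment: pricing.xlsx</body></html>"
    + b"\xde\xad" * 100
    + b"<html><body>truncated fragment"
    + b"\x00" * 256
    + b"<html><head><title>Webmail - Inbox</title></head><body>ok</body></html>"
    + b"\xff" * 64
)

if __name__ == "__main__":
    for offset, page in carve_html(SAMPLE):
        print(f"offset {offset}: {page_title(page)!r} ({len(page)} bytes)")
```

Recording the byte offset of each carved page lets the examiner tie the recovered content back to a specific location in the forensic image.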
Trade secrets can also be taken by copying data to removable USB devices (e.g. flash drives), burning to CD/DVD, or even printing the “old-fashioned” way. All of these activities tend to leave behind various artifacts that can be analyzed, including system event logs, registry entries, link files, and spool files — data which would not ordinarily be preserved without a forensic image.
Additionally, when a party has reason to believe that attempts have been made to “cover up” nefarious activity or that steps have been taken to delete pertinent information, data recovered from slack or fragments can indicate repetitive patterns associated with wiping programs, and, as in Krumwiede v. Brighton Associates LLC, 2006 U.S. Dist. LEXIS 31669 (N.D.Ill. May 6th, 2006), dates of last access can potentially indicate when spoliation occurred.
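One way an examiner's tooling can surface the repetitive patterns mentioned above is to look for long runs of sectors that each consist of a single short repeating unit. This is an added example, not code from the original article; the sample image is constructed, and the 512-byte sector size, the 1-, 2- and 4-byte pattern lengths and the names `repeating_unit` and `find_pattern_runs` are assumptions.

```python
SECTOR = 512  # assumed sector size


def repeating_unit(sector: bytes, max_period: int = 4):
    """Return the shortest unit (<= max_period bytes) that tiles the sector."""
    for period in range(1, max_period + 1):
        if len(sector) % period:
            continue  # only units that divide the sector evenly are checked
        unit = sector[:period]
        if unit * (len(sector) // period) == sector:
            return unit
    return None


def find_pattern_runs(raw: bytes, min_sectors: int = 8):
    """Return (offset, sector_count, unit) for runs of same-pattern sectors."""
    runs = []
    run_start, run_len, run_unit = 0, 0, None
    for off in range(0, len(raw) - SECTOR + 1, SECTOR):
        unit = repeating_unit(raw[off:off + SECTOR])
        if unit is not None and unit == run_unit:
            run_len += 1
            continue
        if run_unit is not None and run_len >= min_sectors:
            runs.append((run_start, run_len, run_unit))
        run_start, run_len, run_unit = off, 1, unit
    if run_unit is not None and run_len >= min_sectors:
        runs.append((run_start, run_len, run_unit))
    return runs


# Constructed image: ordinary data, a 16-sector 0x55AA overwrite, more data,
# 10 zero-filled sectors, and a 3-sector 0xFF run that is too short to report.
DATA = bytes(range(256)) * 2  # one sector of non-repeating content
SAMPLE_IMAGE = (
    DATA * 4
    + b"\x55\xaa" * (SECTOR // 2) * 16
    + DATA * 2
    + b"\x00" * SECTOR * 10
    + b"\xff" * SECTOR * 3
)

if __name__ == "__main__":
    for offset, count, unit in find_pattern_runs(SAMPLE_IMAGE):
        print(f"offset {offset}: {count} sectors of {unit.hex()}")
```

Zero-filled runs also occur in space that was never written, so a reported run is a lead to examine alongside timestamps and other artifacts; overwrites with random data do not produce a repeating unit and are not found by this check.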
Furthermore, while the charges associated with a full-scale forensic analysis can often end up totaling thousands, simply preserving evidence via forensic imaging is not in itself cost-prohibitive and can usually be done for just a few hundred dollars per computer or media item. Imaging can also be scheduled to minimize any potential disruption to the business.
Moreover, forensic preservation up-front leaves options on the table that would otherwise be lost; a bit-stream image still allows for the possibility of the more routine “e-discovery” processing of ESI for litigation databases in addition to forensic analysis, but a “logical”, non-forensic collection precludes any possibility of the latter. Given this, a request to preserve via forensic imaging may be more reasonable than many might initially think.
As a final matter, taking proactive measures to forensically preserve and analyze your own devices not only demonstrates good faith and equity, but can further serve as the foundation upon which to base preservation and production requests. Certainly, indications on a work computer that notable activity took place would establish reason to believe the same activity occurred elsewhere and would show cause as to why a similar search of a former employee’s computers at home or at their new place of business would be warranted. The sooner a party takes steps to identify and examine media in their custody and control, the more quickly they can press the opposing party to do the same.
Suspected use of web-mail, external devices, and spoliation activity are just three examples of when the specified ESI categories may be at issue. The Pilot Program marks only the latest in a series of attempts to reform the discovery process and increase cooperation among litigants. From the Sedona Conference Guidelines to the continued FRCP amendments, ESI is demanding increasing attention from attorneys and their clients. The coming months and year will provide the region with a unique opportunity to evaluate and provide the Courts with feedback on these important issues.