Electronic Discovery and Computer Forensics: Perspective and Process
by Scott Cooper and Robert P. Green
(County Bar Update, May 2005, Vol. 25, No. 5)



By Scott Cooper, CMC, and Robert P. Green, CPA/CITP, at the request of the Law Practice Management Section Executive Committee. Cooper and Green are principals at INSYNC Consulting Group, Inc. (www.INSYNCusa.com), a multi-location information technology professional services firm. They can be reached at Scott@INSYNCusa.com and Bob@INSYNCusa.com. The opinions expressed are their own.


Face it -- litigation is a battle. If you want to win, you need to use the best tactics and you need to use the best weapons. Electronic discovery, computer forensics, and the intelligent use of, and interaction between, the two provide tactics, weaponry, and a competitive edge in the fight. If you don't want to take advantage of that opportunity, your opponent will. Only one of you is going to win.


As courts begin to see the benefits of using electronic discovery and computer forensics, and speak to the significance of the corresponding results in their rulings (as in the precedent-setting federal cases of Zubulake v. UBS Warburg, and Medtronic v. Michelson), electronic discovery and computer forensics are becoming an integral part of the litigation fabric. As soon as you recognize that electronic data may contain critical and valuable evidence related to your client's case, it is important to construct your team immediately. Deploying state-of-the-art procedures and methodologies in a timely manner is essential for success.


What is Digital or Electronic Data?


Digital data is electronic information created in and used by computer systems and their related applications, including e-mails, documents, financial information, and metadata [1] contained therein. It is important to realize that electronic data is pervasive. Computers play a huge role in our lives, and the activities of employees and individuals are documented with electronic data (e.g., Web activity, documents, log files). The evidence of activity usually exists in many places simultaneously (e.g., mailboxes, back-up tapes), and the data usually exists in many states (e.g., live, deleted, archived).


What is Electronic Discovery?


Electronic discovery is, simply, a two-step process to "discover" the electronic data that you desire.


Step 1: Target and strategize regarding the case objectives. Develop the strategic approach. Collaborate with counsel and others. Understand the problem, the complaint, the issues, the obstacles, and the objectives. Identify the sources of data and potential evidence. Preserve the evidence by issuing a Preservation Order to notify the opposing party to preserve the electronic data that you will be requesting.


Step 2: Acquire electronic data by serving targeted production requests and interrogatories, including language to obtain all relevant active as well as deleted and altered data. Demand metadata, too. Receive the produced electronic data. Encapsulate data within a proper forensic "image," including all locations and "states" of the data. Preserve the integrity of the evidence and maintain the chain of custody. Determine what was omitted.


What is Computer Forensics?


Computer Forensics is a three-step process to search through and analyze the provided electronic discovery results, and to document findings and conclusions.


Step 1: Search through acquired data, using court-recognized, court-approved forensic tools and methodologies.


Step 2: Analyze search results thoroughly and accurately. Deploy proven methodologies and tools to develop and implement search criteria for key words, phrases, documents, patterns, styles, and attributes to find evidence within the data. Generate the "hit list" of successful hits that are responsive to the search criteria.


Step 3: Report in declarations, depositions, and trial testimony with expert conclusions and opinions (in an understandable, persuasive, and unimpeachable manner) regarding the interpretation of the search result analysis.
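The following is an added example, not code from the article or its authors, showing how the integrity requirement from the acquisition step and the "hit list" from the analysis step fit together: each item is hashed at acquisition, the hashes are re-checked before any search, and every hit records the item's state and hash so it can be tied back to the preserved evidence. The item names, sample contents, and search criteria are constructed for illustration, and the use of SHA-256 is an assumption (the article names no specific tool or algorithm).

```python
import hashlib
import re

# Constructed sample evidence: (item id, state of the data, raw content).
EVIDENCE = [
    ("mail-001", "live", b"Subject: Q3 forecast\nPlease shred the side letter before the audit."),
    ("doc-014", "deleted", b"Draft side letter: rebate terms not to be disclosed."),
    ("tape-203", "archived", b"Lunch menu for the week of May 2."),
]
# Constructed search criteria: label -> regular expression.
CRITERIA = {"side letter": r"side\s+letter", "destruction": r"\bshred\w*"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def acquire(items):
    """Record one hash per item at acquisition time (the custody manifest)."""
    return {item_id: sha256(content) for item_id, _, content in items}

def verify(items, manifest):
    """Return the ids of items whose current hash differs from the manifest."""
    return [i for i, _, content in items if manifest.get(i) != sha256(content)]

def search(items, manifest, criteria):
    """Build the hit list, refusing to search evidence that fails verification."""
    altered = verify(items, manifest)
    if altered:
        raise ValueError(f"integrity check failed for: {altered}")
    hits = []
    for item_id, state, content in items:
        text = content.decode("utf-8", errors="replace")
        for label, pattern in criteria.items():
            for m in re.finditer(pattern, text, re.IGNORECASE):
                hits.append({"item": item_id, "state": state, "criterion": label,
                             "offset": m.start(), "match": m.group(0),
                             "sha256": manifest[item_id]})
    return hits

if __name__ == "__main__":
    manifest = acquire(EVIDENCE)
    for hit in search(EVIDENCE, manifest, CRITERIA):
        print(hit)
```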


Taken together, these five steps (Target, Acquire, Search, Analyze, Report) form the acronym TASAR, a conceptually straightforward methodology for implementing the electronic discovery and computer forensics process. In summary:


-- Realize the importance of electronic evidence and its pervasiveness;


-- Take advantage of proven methodologies to gain access to ALL evidence to which you are entitled;


-- Do it in a timely manner;


-- Use experts as trusted advisors throughout the process.



[1] Literally, "data about data," metadata includes data associated with either an information system or an information object for purposes of description, administration, legal requirements, technical functionality, use and usage, and preservation. It describes how, when, and by whom a particular set of data was collected and how data is formatted.
