01/18/22 1 Sound Collection Practices Presented by: Seth H. Row, Esq. Michael Bean, EnCE

Sound E-Discovery Collection Practices


Presentation given May 6, 2010 by Seth Row, Esq. and Michael Bean, EnCE on sound collection practices in e-discovery.


04/09/23 1

Sound Collection Practices

Presented by: Seth H. Row, Esq.

Michael Bean, EnCE

04/09/23 2

ESI Comes in Numerous Flavors
• Emails
• Web pages
• Social media postings
• Text messages
• Digital voice recordings
• Database compilations (including accounting)
• Digital photographs
• Computer logs

04/09/23 3

Handling “Not Reasonably Accessible” Electronically Stored Information
• Before you decide how to collect – decide what to collect
• Investigation – readily accessible v. potentially “not reasonably accessible”
• Fed. R. Civ. P. 26(a) conference
• Disclose potential sources of information, including those that are not reasonably accessible
• Careful: duty to preserve broader than duty to produce

04/09/23 4

Defining “Not Reasonably Accessible”
• Rule 26(b)(2)(B): “A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost.”
• Type of storage media ≠ not reasonably accessible – no presumption (anymore)
W.E. Aubuchon Co. v. BeneFirst LLC, 245 F.R.D. 38 (D. Mass. 2007)

04/09/23 5

“Not Reasonably Accessible” - Fact-Intensive Analysis
• Producing party’s burden, initially
• “Forensic costs” – converting data from a format that is difficult or impossible to search or review to another format
• Cost to review (usually based on volume)
• Business disruption and “internal” costs
The Sedona Principles (Sedona Conference WG 2d ed. June 2007) cmt 13a.
• How is data source actually used?
• Is your vendor inflating costs?

04/09/23 6

Custodian Interviews
• Use a checklist – systematic
• Alter on the fly
• Go back if new information comes to light
• Verification from custodians
• Signed, sealed, delivered
• Policies in place are a good first step, but
• Assume nothing
• Be prepared to show compliance

04/09/23 7

Why Worry About Collection?

04/09/23 8

Forensic Collection: Admissibility
The Five Hurdles
• Relevance
• Authenticity
• Hearsay
• Original Writing Rule
• Unfair Prejudice
Lorraine v. Markel, 241 F.R.D. 534 (D. Md., 2007) (federal rule)

04/09/23 9

ESI Inauthentic
What is Real?
Sources Altered
• Websites – home page hijacked
• Photos – cosmetic adjustments or more…
• Software bugs and application failures
• Programmed incorrectly
• Calculated incorrectly

[Newspaper clipping shown on the slide]

BASICS

Stretching the Truth Just Became Easier (and Cheaper)

By PETER WAYNER. Published: January 31, 2008

[Photo captions: "Digital pictures can be stretched without distorting a subject's face. Above, an altered photo." and "The original photo of a dog swimming in a lake."]

WHEN Carlo Baldassi came home from vacation and looked at a picture he took of his girlfriend on the Charles Bridge in Prague, he was torn. She looked beautiful, but the proportions of the picture were all wrong. It seemed tight and constrained, and it would not fill his widescreen monitor.

An artist is never satisfied.

Mr. Baldassi may not have an official title of an artist — he studies computational neuroscience at the Institute for Scientific Interchange Foundation in Turin, Italy. But he could fix the problem with some automatic photo-editing software he was writing with several friends. With one click, the tool stretched the uninteresting parts of the landscape – the water and the hills – while leaving the face of his girlfriend just as it was. The result was, he thought, more open and panoramic.

04/09/23 10

Authentication of ESI: Rule 901(1)
• Provides that the authentication of a document is "satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims."

• Rule 901 requires a “foundation from which a jury could reasonably find that the evidence is what the proponent says it is...”

United States v. Safavian, 435 F. Supp. 2d 36 (D.D.C. 2006).

04/09/23 11

Authentication of ESI: Rule 901(2)
• Rule 901(2)(a) - testimony by a witness with knowledge that a matter is what it is claimed to be
• Rule 901(2)(c) - comparisons by the trier of fact or expert witnesses with specimens which have been authenticated. Safavian, 435 F. Supp. 2d at 40 (federal rule)
• Rule 901(2)(d) - identified by “appearance, contents, substance, internal pattern, or other distinctive characteristics, taken in conjunction with the circumstance.” United States v. Siddiqui, 235 F.3d 1318 (11th Cir. 2000) (federal rule)

04/09/23 12

Authentication of ESI: Typical Challenges

• Challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created.

• Question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records.

• Challenge the authenticity of computer-stored records by questioning the identity of their author.

04/09/23 13

Authentication of ESI: Record a Chain of Custody
Shows data was not changed. The less susceptible an exhibit is to alteration or tampering, the less strictly the chain of custody rule is applied.

Needed when:
1. Evidence is not readily identifiable,
2. No witness with personal knowledge to identify, or
3. Evidence susceptible to alteration by tampering or contamination.

Particularly important when:
1. Preserving/storing data
2. Searching for creation/alteration data (e.g., date created), or
3. Searching for any evidence of fabrication.

United States v. Howard-Arias, 679 F.2d 363, 366 (4th Cir. 1982)

04/09/23 14

Authentication of ESI: Experts under Rule 901(2)(c)
• Expert Qualification – "a person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resulting data" is a "qualified witness" and may need to authenticate data or interpret recovered data.

04/09/23 15

Authentication of ESI: Expert Questions

What is the evidence, or what does it purport to be?
Forensics Expert: "This is a printout of data that I recovered on 4/26/07 from the hard disk drive primarily used by John Doe of the Acme Corporation."

Where did it allegedly come from?
Forensics Expert: "The hard drive was taken from the office of John Doe on 1/1/07. It was contained within a Generic PC bearing model XXXX and S/N YYYY."

Who created, discovered, or recovered it?
Forensics Expert: "The data appears to have been created by John Doe. I discovered and recovered it from his hard disk drive using computer forensic techniques."

How was it created, discovered, or recovered?
Forensics Expert: "I made an image of the hard disk drive using a forensic imaging device. This device is designed to make a perfect copy of a disk and does not alter the data on the disk being copied."

04/09/23 16

Authentication of ESI: Ubiquitous Email
• Direct knowledge of participant in exchange is best - 901(2)(a)
• Circumstantial evidence (Rule 901(2)(d)): “contents” and “circumstances” - 901(2)(d)
• Circumstantial evidence: markings, addresses, logos - 901(2)(d)
• Expert testimony and comparison - 901(2)(c)

04/09/23 17

Authentication of ESI: Websites
Hutchens v. Hutchens-Collins, 2006 WL 3490999 (D.Or. 2006)
• Defendant hired forensic vendor to download content of website pages to “write-only” CD-ROMs.
• Website freely available on internet.
• Vendor tracked registered domain name to plaintiff’s corporation through publicly available WHOIS system.
• Court held that totality of circumstances sufficient to authenticate website documents.

04/09/23 18

Authentication of ESI: Chat Rooms
Most commonly utilized:
• 901(2)(a) - witness with personal knowledge
• 901(2)(d) - circumstantial evidence of distinctive characteristics

04/09/23 19

Authentication of ESI: Chat Rooms
United States v. Tank, 200 F.3d 627 (9th Cir. 2000)
• Gov’t adequately authenticated chat room log printouts maintained by a co-defendant
• Evidence included testimony from co-defendant about the procedure he used to create logs and his recollection that logs appeared to be accurate representation of conversations among members
• Despite co-defendant’s deletion of portion of log to free up space, log was authenticated. Deletions would go to weight of evidence, not admissibility.

04/09/23 20

Nuts & Bolts (& Bytes)

04/09/23 21

Disk Area of Concentration

Allocated Space
Allocated by operating system for active user files, system files, all space available to user

Unallocated Space
Space that is recognized by the operating system but not currently assigned. Area for deleted files, temp files used by programs, etc.

04/09/23 22

Other Areas of Concentration

[Figure: disk sectors of 512 bytes each, with regions labelled "File Slack" and "Disk Slack". Text shown in the sectors:]

"Dear Byron and Don, please accept my resignation because you work me too hard, don’t pay me enough and by the way I am taking my clients with me, sincerely yours, The disgruntled employee. Customer Lists: Aon, Symantek $%#*&^%Jack Walker is a January 1, 2001..This letter will serve as an agreement between Jack in the box and Deloitte"

"Dear Byron and Don, I love my job and want to stay here forever! Mr. Happy"

04/09/23 23

Acquisition
• How do I get the data on the principal media in a state that I can examine without altering the original data?
• How long does this procedure take?
• What are my options to acquire the data?
• What are the limitations to the acquisition procedures?
• How do I know that the data acquired is the same?

04/09/23 24

How do I get the data on the principal media in a state that I can examine without altering the original data?
• Create an exact bit by bit copy or a file that contains a bit by bit copy of the principal drive on sterile media
• For passing as an original the two must be identical

[Figure labels: Hard Drive; Evidence File; Segments .E01, E02]

04/09/23 25

Evidence File Construction

[Figure: evidence file made up of a Header, data blocks of 64 sectors (32K) each, CRC fields, and an MD5 hash value, stored in segment files .E01, .E02, .E03]

CRC = 32-bit Cyclical Redundancy Check
MD5 = Message Digest 5, 128-bit algorithm
Header = Case info is stored
Data Blocks = 64 sectors / 32K data

CRC protects data block integrity
MD5 protects evidence file integrity
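
The two integrity layers named on this slide, as an added example that is not from the presentation or from EnCase: a simplified container (not the real .E01 layout) that stores a CRC-32 per 32K block and one MD5 over the whole source, then rechecks both. The field names, the case label and the sample "drive" are constructed for illustration.

```python
import hashlib
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR  # 64 sectors = 32K, the data block size on the slide


def acquire(source: bytes) -> dict:
    """Build a simplified evidence container (NOT the real .E01 layout)."""
    blocks = [{"data": source[off:off + BLOCK],
               "crc": zlib.crc32(source[off:off + BLOCK])}
              for off in range(0, len(source), BLOCK)]
    return {"header": {"case": "CONSTRUCTED-001"},  # constructed case info
            "blocks": blocks,
            "md5": hashlib.md5(source).hexdigest()}


def verify(evidence: dict) -> dict:
    """Recheck each block CRC, then the MD5 over the reassembled data."""
    bad = [i for i, b in enumerate(evidence["blocks"])
           if zlib.crc32(b["data"]) != b["crc"]]
    whole = hashlib.md5()
    for b in evidence["blocks"]:
        whole.update(b["data"])
    return {"bad_blocks": bad, "md5_ok": whole.hexdigest() == evidence["md5"]}


def demo() -> tuple:
    # Constructed "drive": 100,000 bytes, so the last block is partial.
    drive = bytes(i % 251 for i in range(100_000))
    evidence = acquire(drive)
    clean = verify(evidence)

    # One bit changes in block 2 after acquisition: the CRC names the block.
    block = evidence["blocks"][2]
    changed = bytearray(block["data"])
    changed[10] ^= 0x01
    block["data"] = bytes(changed)
    altered = verify(evidence)

    # If the block's CRC is refreshed too, only the whole-file MD5 disagrees.
    block["crc"] = zlib.crc32(block["data"])
    resealed = verify(evidence)
    return len(evidence["blocks"]), clean, altered, resealed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The block CRC localizes accidental damage, while the acquisition hash is what ties the copy to the original. MD5 is the digest the slide names; `hashlib.sha256` has the same interface if a second digest is recorded alongside it.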

04/09/23 26

Once Data Is Preserved…
• Rebuild partitions if necessary
• Recover Folders
• Searching: Boolean, GREP, Foreign Language/Unicode
• Signature Analysis
• Hash Analysis
• Email Analysis
• File Review
• Export Functions
• Registry Review

04/09/23 27

Windows Artifacts
• Recycle Bin
• My Documents
• Recent
• Print Spool
• Internet History
• Temporary Internet Files

04/09/23 28

Recycle Bin (before emptied)

04/09/23 29

Recycle Bin

04/09/23 30

Recycle Bin Info 2 Record Raw Text

04/09/23 31

Recycle Bin Analysis

04/09/23 32

Processing Back-up Tapes

04/09/23 33

Cases on Collection

04/09/23 34

Collection of Data

Gates Rubber Co. v. Bando Chemical Indus., Ltd., 167 F.R.D. 90, 112 (D.C. Col., 1996).

• court defined a legal duty on the part of litigants or potential litigants to perform proper computer forensic examinations.

• examiner failed to do a mirror image copy of the target hard drive and instead did a file-by-file copy resulting in the loss of data.

• evidentiary sanctions and criticized the examiner for failing to make an image copy of the hard drive, finding that when processing evidence for judicial purposes a party has “a duty to utilize the method which would yield the most complete and accurate results”

04/09/23 35

EnCase Recognized By Courts

State v. Morris, 2005 WL 356801 (Ohio App. 9 Dist. Feb. 16, 2005).

In this appellate case from Ohio, the original hard drive, which belonged to a third party, was overwritten. All that was available at the time of trial was the EnCase Evidence File containing the image of the drive. The court's decision in this case validates the MD5 hash process and considers forensic disk images to be exact copies and admissible when the “original” is no longer available.

04/09/23 36

EnCase & Authentication

State v. Cook, 777 N.E.2d 882, 886 (Ohio App. 2002)

In this case the defendant appealed his conviction of possessing child pornography and designation as a sexual predator, challenging what he claimed was “the lack of reliability of processes used to create two mirror images of the hard drive.” The Ohio appellate court addressed this argument by describing in detail how the EnCase software was used to make the image of the hard drive. The court further noted that the investigator was trained in the use of EnCase and, in upholding the validity of the images, stated: “In the present case, there is no doubt that the mirror image was an authentic copy of what was present on the computer's hard drive”.

04/09/23 37

“DIY” Collection Programs

Coleman (Parent) Holdings, Inc v. Morgan Stanley & Co., Inc., 2005 WL 679071 at *4 (Fla.Cir.Ct. Mar. 1, 2005), subsequent decision, 2005 WL 674885 (Fla.Cir.Ct. Mar. 23, 2005).

Morgan Stanley decided to collect electronic documents themselves, using software they developed in-house.

[A Morgan Stanley employee] reported that…she and her team had discovered a flaw in the software they had written and that flaw had prevented [Morgan Stanley] from locating all responsive email attachments. [She also] reported that [Morgan Stanley] discovered…that the date-range searches for email users who had a Lotus Notes platform were flawed, so there were at least 7,000 additional e-mail messages that appeared to fall within the scope of [existing orders]...

* * * Sanctions! * * *

04/09/23 38

THANKS!

Seth H. Row [email protected] (503) 222-1812

Michael Bean [email protected] (971) 285-3408 x 201