Thursday, December 8, 2016

Lessons in Computer Forensics



My colleague Josh Gilliland analyzed the legal issues in Emergency Response Specialists, Inc., v CSA Ocean Scis., Inc., in our prior blog post. This case also had several fascinating issues that may have been overlooked, as well as a few questions that could have been addressed. ERS claimed the produced emails were corrupted during a computer that crashed. CSA then requested the emails be produced in native file format. What format was requested and produced in the initial production? What type of computer did Ms. Moore use at work? How could the emails stored on the server have been corrupt? What would cause the attachments to become separated and inaccessible from the emails? What backup system was in place? Did Ms. Moore use the recovery software herself to attempt recovery from the server? What was the name of the recovery software? Did ERS maintain their own email server or was their email hosted by a third party? It may have been helpful to have a technical expert that would have verified that Entourage is not in fact a company, but a Microsoft email application that leveraged Microsoft’s Exchange Server.

CSA also uncovered evidence or an admission during the ERS deposition that certain photographs produced were in fact videos. Were files types listed in the Discovery Requests or Deposition Notice? Was the accuracy of the production certified? Could it have been an attempt to conceal or otherwise obfuscate the evidence in the matter? To conform with best practices, it is always helpful to identify who collected the ESI, how they collected it and what methods were used for processing, review and production.

During another deposition, Carl Haywood admitted that responsive text messages may have been stored on his work cell phone, though ERS did not have his phone’s passcode. Was a custodian interview conducted? What efforts were undertaken to extract this information for review?

Certain technical aspects of the matter may also be addressed. Entourage was a Microsoft email platform that was replaced by Microsoft Outlook for Macintosh computers. It was an older application that would not have been used in 2014, as Microsoft Outlook version 2011 was already in use at that time. Entourage offered the ability to use a Microsoft Exchange Email Server or a Web-based setup that is common when a third party hosts a company’s email. Occasionally, a custodian may store a local copy of their email on their computer to work with the data “offline” or to preserve an archive of their communications. Regardless, the data is synchronized with a server, whether managed by the company of their hosting provider. Because of this, a crashed computer may not have been a relevant issue, as the data would be stored on a server.

Ms. Moore claimed Entourage gave her recovery software to use. Although Entourage can create a database, Entourage is not a company, Microsoft was the maker of Entourage. The opposing party could have questioned Ms. Moore’s background and experience in attempting recovery of corrupt email databases. Lacking the requisite credentials to perform that type of work, it may have been prudent for CSA to assert that spoliation had occurred, even if inadvertent.

Cell phones, especially modern ones, contain security features that necessitate the use of pass codes to extract data. In rare instances, some may be bypassed, though this process may increase costs exponentially and is avoidable in most cases. The parties may obtain this information from custodians, especially upon departure from an organization. Also, when conducting custodian interviews and assessing potential sources of responsive information, computers and Cloud-based repositories should be identified, as they may be used to synchronize data stored on mobile devices, including smartphone and tablets. When the actual devices are inaccessible, a backup file may be the only alternative for obtaining the data.

To address the chronology aspect of the events, CSA could have requested that ERS submit a Declaration that identified, in detail, when a preservation notice was received, what steps ERS took to preserve and collect the potentially relevant ESI, when they performed those tasks, and when they became aware of the corrupted database. Further, during the 30(b)(6) deposition, CSA could have questioned the deponent on the email architecture that ERS employed within their Enterprise or whether they used a hosting service. Additional questions could have addressed technologies and intervals of backups, as well as retention periods for email and storage locations.

These issues may be brought to the surface and memorialized in documentary form or elicited through oral testimony. Parties have certain obligations to satisfy during the Discovery process to ensure they maintain the integrity of digital evidence and produce responsive material to the opposing party. Engaging an expert’s services, especially when the fact pattern resembles the issues listed above, may help counsel and the court to achieve clarity.