Newsbits 2008

  • December 2008 (Topic 20): eDiscovery: Criminal Defense

    Defense Attorneys: Don't be shy about eDiscovery! Demand the Prosecution turn over all email and any electronic documents related to your case. Many crime labs keep their email. Also get the metadata for all documents. Metadata in the revisions to reports may contain useful and even exculpatory evidence that otherwise may get lost in the "system." Get your production in Native Document Format, not just .pdf or .tiff as both of these formats strip out the metadata.

    WARNING: IF your State Case involves Child Pornography, of any type, be aware of Federal Laws concerning you or your experts handling such evidence. You need to obtain State Protective Orders.

  • November 2008 (Topic 19): eDiscovery: Native Documents Get and Give

    When you ask for Native Format documents, be prepared to give them to the other party in Native Format also. INSIST ON NATIVE DOCUMENTS FROM THE BEGINNING. Once you receive the TIFF documents they must be re-processed into a searchable format. This is a huge waste of effort, money, and time.

  • October 2008 (Topic 18): eDiscovery: Why Native Documents

    The other party must search for Privileged Documents and remove them from the production. Then they must search for relevant documents and prepare them for the production. These documents must be in their Native Format. Native Format includes metadata, information about the document's creation, history, and changes. All are useful to the requester. The producer may convert the Native Documents to TIFF. INSIST ON NATIVE DOCUMENTS FROM THE BEGINNING. Once you receive the TIFF documents they must be re-processed into a searchable format. This is a huge waste of effort, money, and time.

  • September 2008 (Topic 17): eDiscovery: get Native Documents

    Typical responders will want to provide documents in TIFF (Tagged Image File Format). TIFF is a "photocopy" of the original. It is easy to Bates number TIFF. HOWEVER, it is non-modifiable and difficult to word search. TIFF must be converted to another format to search. TIFF is usually Black on White, so hyperlinks and other important information is hidden. This is how most eDiscovery programs provide data, so it can be uploaded to Summation or Concordance. Accept the TIFF if you must, but INSIST ON NATIVE DOCUMENTS FROM THE BEGINNING. Once you receive the TIFF documents they must be re-processed into a searchable format. This is a huge waste of effort, money, and time.

  • July 2008 (Topic 16): eDiscovery: Meet and Confer

    As to electronic evidence, what format is it in? Does the other party use PC or MAC, or Linux or AS400, or Sun or another system altogether? Do they use Microsoft or Lotus Notes or Open Office or another system? What version do they use? These questions all need answers. This may come out in a Meet and Confer. However, the other party is not going to volunteer this information. You must probe for the answers and craft your initial Meet and Confer questions to find out. Having your eDiscovery expert involved from the beginning and during the meetings will go a long way to help resolve these issues.

  • June 2008 (Topic 15): eDiscovery: Preservation Letter

    The action is filed and now you need to gather evidence. Include a Preservation Letter when you serve the respondent. This puts the other party on notice not to delete or destroy evidence-electronic or otherwise. However, what evidence do they have? Next month I will discuss Meet and Confer.

  • May 2008 (Topic 14): Neutral Imaging

    Not everyone can agree on the findings of a court appointed "Neutral." In many cases each party hires their own expert to gather the data and then analyze it all over again. Avoid the expense of having two experts gather the exact same data. Consider having us gather the data using industry standard, forensically sound methods and then delivering duplicate images to each party's expert examiner for analysis. You can save your client a lot of money and multiple disruptions to their activities, yourself a lot of unneeded stress and wasted time, and move the case along faster by using a true independent - ACTFroensic.com, Inc.

  • April 2008 (Topic 13): Image Early-Analyze Later

    Passage of time is your worst enemy in cases involving computer data. Deleted files, overwritten, cannot be recovered, though some fragments may be. Our last case involved mysteriously missing emails from our Plaintiff's computer. The Defendant claimed they purged their copies in accordance with written policy. Moral of the story: It is better to have your EXPERT image the client media as soon as you take the case and analyze it later.

  • March 2008 (Topic 12): email Artifacts and Fragments

    Did you know?

    The data is placed in linear blocks called SECTORS. Typically a sector is 4096 BYTES long, but can be manually adjusted to 512, 1024, or 2,048 units, or larger. A byte on a PC, depending on the operating system, is typically made up of 8 BITS grouped in 8, 18, 32, and 64 units to create a character.

    Each sector has an ADDRESS which is kept separately on the platter in an address book called a TABLE. There are 2 types of tables in common use: FAT and NTFS. Microsoft VISTA will be third type, but not yet in common use.

    When a file is DELETED the operating system changes the address from "in use" to "open" in the table. However, the data is still on the platter until the space it occupies, which is now available for use, is overwritten. An END OF FILE MARKER is placed at the end of the new data. If the new data does not fill up the entire sector, an end of file marker tells the operating system to stop looking for data associated with the file.

    There may still be old data in the sector. This data is called an ARTIFACT or a FRAGMENT. These can be recovered.

  • February 2008 (Topic 11): Using a "Neutral"

    At a recent OCBA Litigation Section Luncheon, the panel Topic centered around "Moving Civil Cases Forward." I spoke with one panelist after the session and suggested a way to move things along was for the parties, when and where possible, to stipulate to a "neutral" Computer Forensics Expert. I noted, and they observed, that the "neutral expert" concept has long been used in the Family Court to save both time and cost to the clients.

  • January 2008 (Topic 10): New Year's Resolutions:

    I will:
    Set my virus protection and Microsoft updates to Daily and Automatic.
    NOT download cool stuff from the Internet because it is probably loaded with bad things that may "crash" my computer.
    NOT send or forward non-business email while@ work.
    AND BACK UP MY DATA EVERY DAY!!!

< 2009   2007 >