Newsbits 2011

  • December 2011 (Topic 56): Digital Evidence leaves traces everywhere

    Most people know investigators can find email traces on computers and backups. If the email is web based, a subpoena to the service provider will be required.

    Today's cell phones are also computers. Cell phones store emails, pictures, text, and voice messages along with usage logs, internet histories, and address books. However, due to the plethora of operating and storage systems, cell phone data is harder to retrieve. Even if deleted, an investigator may be able to recover much of this data. If necessary, a subpoena can be issued to the service provider to release this information.

  • November 2011 (Topic 55): US Ct of Appeals to issue new email discovery limits

    A Model Order is in the works for eDiscovery. Citing time and costs to the parties, Chief Judge Rader presented its provisions on 9-27-11. Include are Limits on production after meet and confer; Limits on number of requests; Cost Shifting to the requesting party; Limits on metadata items requested; Email request must be narrow to issues and terms; and last, Automatic "clawback" and removing non-privilege challenge for inadvertent production. (1)

    Keep current on this important topic. For several sources, please Google "Federal Circuit e-discovery model court order."

    Hot developments in the J-M Mfg v. MWE eDiscovery Malpractice case:

    As a full service digital forensics firm, we handle all your eDiscovery data needs from pre-meet and confer planning through expert trial testimony. We are your source for THE INVESTIGATION* and management of Electronically Stored Information for all Litigation Support, Criminal Defense, Family Law, Internal Security Breaches, Employee Computer Misuse, and Harassment Investigations.

    (1) paraphrased from

  • October 2011 (Topic 54): MWE seeks "claw back"

    In Topic 51, (7-2011), we discussed J-M Manufacturing's malpractice case against their former counsel, McDermott Will & Emery (MWE). We questioned using non-employee researchers and "claw back." Several readers questioned our observations. An article, dated 8-3-2011, in the ABA Journal (1) supports our observation. A comprehensive keyword search and first review by contractors followed by a stakeholder review, then an expanded second keyword search of the internally reviewed documents (by independent digital investigators before release) may have served MWE well.

  • September 2011 (Topic 53): Have a phone number, but no name?

    You receive a call and your ID shows a number, but no name. You don't recognize the number or maybe the voice message is unintelligible. Before calling back you can use these websites to see if the caller's name is revealed: or Also, before returning the call you may want to have your investigator to do a quick background check of the caller.

    If you don't want to call or do not know the caller's email address, you can send a text message. If it is a cell phone, you can send a text message. The Carrier Information is on the above websites. The format is PhoneNumber@type.carrier.ext. For example, my cell phone information is 7142712865@ Additional information can be found at

  • August 2011 (Topic 52): Consolidating eDiscovery in multiple Plaintiff Cases

    eDiscovery is very costly. It requires a huge amount of time, expertise, and cost on the part of the Plaintiff's firm. Why not hire one PI firm to do the eDiscovery preparation for a group of plaintiffs and spread the cost? If the case is really big, the law firms could hire one PI firm who could hire and supervise several others. Then the Plaintiff's can share the data on a more cost effective basis. Then the attorneys can review and search the documents.

  • July 2011 (Topic 51): Were MWE's procedures Malpractice?

    J-M Manufacturing alleges McDermott Will & Emery turned over privileged documents to opposing counsel. The discovery may have included THOUSANDS OF PAGES of e-documents. Did MWE also convert paper documents and search them? Did MWE hire an outside digital investigator to do a final context and keyword search review before delivery? Did MWE have a "claw back" in place?

  • June 2011 (Topic 50): What is an MD5 "Hash Sum"?

    The MD5 (Message Digest algorithm 5th version) is the "digital DNA" of a file, folder, directory, or the entire media. It is an Alpha-Numeric representation of the sum of all the data therein. The Hash Sum is represented by a string of letters and numbers 16 characters long and has combinations to the 32nd power (16^32 ). What does this mean to you? Basically, the odds of any two Hash results being the same are infinitesimal:

    The hash uses 0-9 and a-f, for 16 characters. There are approximately 340,282,366,920,938,463,463,374,607,431,768,211,000 unique combinations.

  • May 2011 (Topic 49): What is a Daubert?

    Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993) applies to all forensic evidence Civil and Criminal: Has the theory, technique, and practice: 1. been tested and accepted within its community, 2. is it repeatable and are the results consistent as to specific evidence, 3. are the theories and or techniques accepted within its community, 4. does it have peer review and can it be researched, 5. are there known potential errors, 6. are there operational standards for the techniques, and 7. can the expert present the theory, technique, and conclusions in nonscientific terms and testimony.

  • April 2011 (Topic 48): Protective Orders for your Investigators?

    Defense Cases often involve digital contraband. In Federal or State cases, Investigators handling this contraband risk prosecution by the US Attorney (18 USC 2252 & 2252A). Will they prosecute? Why take a chance? Ask the Court for a Protective Order. We have a sample P.O. contact us if you would like this example to customize for your case.

  • March 2011 (Topic 47): Copiers have data in them

    Did you know today's modern copiers are also computers? Did you ever consider they are an excellent source of eDiscovery? They have Hard Disk Drives in them. This is how they can store images to print: color, rotation, size, collation, and distribution. They also have scanned data and are often used to fax and email documents. This information is stored on the HDD unless you know how to delete it. They should ALWAYS BE INCLUDED IN DISCOVERY REQUESTS - civil or criminal.

  • February 2011 (Topic 46): Criminal Defense - Alibi

    The Prosecution's Digital Forensic Evidence should be subject to your scrutiny as with any evidence. Was their examiner thorough? Does you client have an alibi? Example: Your client is charged with soliciting a minor from his home computer which is accessible by others. Your client claims he did not "chat" with the minor, who turned out to be an Under Cover officer in a state two Time Zones away. The UC's ISP provides the chat logs. Whose Time Zone were they based on: the UC's or your client? The prosecution's examiner has no reason to, but IF your investigator converted the time to Local - maybe your client was at work and did not access to their computer.

  • January 2011 (Topic 45): New Year's Resolution 2011: Our Annual Reminder

    I will:
    1. Set my virus protection and Microsoft updates to Daily and Automatic.
    2. NOT download cool stuff from the Internet 'cuz it is probably loaded with bad things that may "crash" my computer, or worse, open my employer's computer network to hackers and thieves who WILL steal our trade secrets. Then I will be out of work!
    3. NOT send or forward non-business email while at work, no matter how interesting the pictures.
    4. BACK UP MY DATA EVERY DAY!!! Otherwise it will cost a lot of money and time to have recover it. Back is very cheap and can save your case in a lawsuit.