Weekly Highlights: April 21, 2014

April 22, 2014

FRCP Rule 37(e) (Preservation) is Changing

On April 11th, the Civil Rules Advisory Committee approved a  revision to Rule 37(e) (the section covers failure to preserve Electronically Stored Information (ESI)).  The new draft reads, as follows:

“(e) FAILURE TO PRESERVE ELECTRONICALLY STORED INFORMATION. If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve the information, and the information cannot be restored or replaced through additional discovery, the court may:

(1) Upon finding of prejudice to another party from loss of the information, order measures no greater than necessary to cure the prejudice;

(2) Only upon a finding that the party acted with the intent to deprive another party of the information’s use in the litigation,

(A) presume that the lost information was unfavorable to the party;

(B) instruct the jury that it may or must presume the information was unfavorable to the party; or

(C) dismiss the action or enter a default judgment.”

You’ll note that the existing Rule 37e language is nowhere to be found:

Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.”

You can read the proposed changes on the US Courts site, here.

 Popular Legal Websites Affected by the Heartbleed Flaw

Robert Ambrogi’s blog, “LawSites” had a post listing sites, popular with attorneys, that were affected by Heartbleed.  You can view that site here.  If you don’t know what “Heartbleed” is, you will need to.  You can view the Inforensics Blog post, to catch up.

Box.com, and Dropbox.com were, according to Ambrogi’s research, affected by the flaw.  If you use these sites, it is a good time to review and change passwords.  Also, read the Inforensics Blog post on Password Re-use.

 

Changing Metadata Leads to Sanctions

You may have missed the following case.  Remember: It doesn’t take an expert to alter data, and attempt obfuscation, just some software from your local Best-Buy:

T & E Inc. v. Faulkner, 2014 WL 550596 (N.D. Tex. Feb. 12, 2014)

In this case, sanctions were sought for alleged manipulation of metadata, in an attempt to hide the existence of a computer that had not been produced.  A successful motion to compel the defendant to produce computers gave a specific timeline for production.  A forensic expert found evidence that, during the time given to produce, the opposing party created a new user profile on a computer, copied data to it, and used a commercial software to alter times on files in order to make the system appear as though it had been in use, in an effort to hide the “real” computer that had been in use.  Spoliation sanctions were awarded in the form of an adverse inference, and $27,000 dollars.

 

Leave a Comment » | Inforensics News, Preservation, Reading, Tools and Tips | Tagged: , , , , , , | Permalink
Posted by inforensics

Google and Deep Web Search Cheat Sheets Updated

July 18, 2012

The “Deep Web Search” and “Google Search” cheat sheets have been updated to reflect new information and capabilities in conducting your own research on people, places, companies, and other matter-related information.  The links to the newly updated sheets are located below.

Using “open source information (OSI)”, sometimes referred to as “Publicly Sourced Information”, one can research a variety of information related to a case: Retained or opposing experts, litigants, other witnesses, company information, etc.

Effective use of this type of research can uncover bank accounts, holdings, affiliations, activities, locations, social network accounts and a host of other information that would otherwise remain unknown.

Some Background

In mid-2010 Vidoc Razor published free cheat sheets, as well as a blog post on how to use the sheets to research people involved in a matter: Expert witnesses, places, companies, etc. It is worth it to re-read that post to refresh your memory on how to use the sheets.

The original post can be found here: https://inforensics.vidocrazor.com/2010/11/02/qualifyanexpert/

Since then, the sheets have been very popular, and I have updated the sheets on a yearly basis.

Where Do I Start?

Start with the “Google Cheatsheet” PDF document that I have linked to this post.  For life beyond Google you can look at the “Deep Web Cheatsheet” that is attached.

Google Cheatsheet rev 201207

DeepWeb Cheatsheet rev 201207

Leave a Comment » | Tools and Tips | Tagged: , , , , , , , | Permalink
Posted by inforensics

Eight Strategies To Control Information Forensic Costs

April 12, 2011

I’m often told that the biggest barrier to introducing information forensics to a potential case is the cost of doing so, and I believe it.  It is hard to explain to a client that they may expend resources with no return on the expenditure, and yet effective use of information forensics can be a valuable part of case strategy.  Here are eight strategies to effectively control information forensic cost:

  1. Prioritize Systems. In cases where there are multiple computer systems, hard drives or electronic devices involved, try to identify which ones are more likely to contain key evidence or facts in the case.  Your expert should be willing and able to help you do this, based on the facts of the case and the role of the devices involved.
  2. Image and Hold. Perform forensic imaging of the systems and devices involved to preserve them, but unless there are other factors involved you may not need to do analysis on ALL the systems at once.  Start with the high priority systems, and then see if there is likely to be value on the other systems or devices involved.  “Image and Hold” can also be an effective early strategy for a single computing device as well.
  3. Be Selective. We are often approached with multiple cell phones and hard drives.  One of the first questions I ask is if the cell phones were potentially backed up on one of the computer systems.  If so, then we can often process the backup (or “synch”) of the cell phones just as though we had the cell phone itself.  This helps to prevent duplicating cost.
  4. Evaluate Before Analyze. Full disclosure: This is a self-serving statement, in that Vidoc Razor runs a flat-rate evaluation service, but that doesn’t make it any less true.  Your expert must be able to provide an evaluation of the computer systems involved to identify which devices are useful to a case, versus ones that are redundant or don’t contain case useful information.  Make sure that the evaluation is  in context with the case, and not a simple cookie-cutter print-out of log files.
  5. Look for Flat-Rate Services. I have heard many complaints of forensic costs that run wild because of hourly rates.  It isn’t hard for a forensic service to provide cost-effective, flat rates that still provide high-quality results.  Your expert should be interested in looking for a long-range relationship as part of your legal arsenal, rather than getting rich off of a single big case.
  6. Understand the Differences Between Data, Information, and Intelligence. This seems like semantics, but it really isn’t.  Data is a stream of un-evaluated, un-interpreted symbols.  Information is what data becomes once it is useful (in context).  Intelligence is what information becomes once it becomes fact.  Once you stop thinking about “data forensics” and start utilizing “information forensics” you can find all three in a variety of places beyond the hard drive, or as a supplement to the evaluation or analysis performed on a hard drive or cell phone.
  7. Know Your End-Game. It is easy to get caught in the flood of information that can open up in the effective use of information forensics.  It is equally easy to chase down information that doesn’t necessarily support your overall case strategy.  For each new  tributary that opens up to you, ask yourself if it is actually something that supports your end-strategy, or potentially alters it.  If not, then why spend resources to chase it?
  8. Take a Deep Breath. If I had a nickel for every time I have heard the phrase “I am completely computer illiterate”, I would be living on easy street.  In a Yogi Berra-esque way: “This ain’t rocket surgery.”  For some reason the mere exposure to electronic investigation causes people to shut down.  While information forensics can be very technical, I promise you that the average attorney has dealt with much more complicated issues.  Take a deep breath and enjoy the new strategies and brand new streams of information that open up to you and your client and augment your ability to argue your cases.

Next Post:  Effective Information Forensic Strategy

Leave a Comment » | Forensics Beyond the Hard Drive, Inforensics Opinion, Tools and Tips | Tagged: , , , , , , , | Permalink
Posted by inforensics