Tag Archives: eDiscovery

Full Disk Imaging is Expensive Overkill for eDiscovery Collection

Early in my tenure as co-founder at Guidance Software (EnCase), we commercialized full-disk imaging circa 2001 with EnCase Forensic edition, which was the first Windows-based computer forensics tool. EnCase Forensic enabled broader market adaption of computer forensic drive imaging, but the tool was originally designed for law enforcement to perform criminal computer evidence seizures. We were thinking more CSI than ESI.

However, soon a funny thing happened. For a two to three year period in the mid-2000s, a majority of standalone forensic software purchases came from eDiscovery service providers. Law enforcement represented a sizable minority during this “surge period” of commercial sector purchases, but we eventually realized that the eDiscovery services community was in the process of standardizing on full disk imaging as their default collection practice.

I have a few theories on why this trend occurred, but suffice to say that one of the many reasons that full-disk imaging is burdensome is because the process often involves service providers traveling out to the individual custodians, which is very disruptive to employees, not to mention time consuming. Additionally, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. In a word, this is overkill, with much more effective and efficient options now available.

However, many eDiscovery practitioners continue to collect or direct the collection of Electronically Stored Information (ESI) through full disk forensic “images” of targeted media as a routine practice. Full disk images capture every bit and byte on a hard drive, including system and application files, unallocated space and a host of irrelevant user-created data. While full disk images may be warranted in some limited situations, the expense and burden associated with the practice can be quite extensive, particularly in matters that involve multiple custodians.

The Duty to Preserve Only Extends to Relevant Information

It is established law that the duty to preserve evidence, including ESI, extends only to relevant information. Hynix Semiconductor Inc. v. Rambus Inc., 2006 WL 565893 (N.D.Cal. Jan. 5, 2006) at *27. (“The duty to preserve evidence, once it attaches, does not extend beyond evidence that is relevant and material to the claims at issue in the litigation.”)  As noted by the Zubulake court, “Clearly [there is no duty to] preserve every shred of paper, every e-mail or electronic document, and every backup tape…Such a rule would cripple large corporations.”  Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217 (S.D.N.Y. 2004) (“Zubulake IV”).

The vast majority of ESI on a full disk image will typically constitute irrelevant information. As stated by one court, “imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information.” Deipenhorst v. City of Battle Creek, 2006 WL 1851243 (W.D.Mich. June 30, 2006) at *3.  In noting that the “imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties,” the Deipenhorst court declined to require the production of  full disk images absent a strong showing of good cause. See also, Fasteners for Retail, Inc. v. DeJohn et al., No 1000333 (Ct. App.Ohio April 24, 2014).

Similarly, in Zubulake v. UBS Warburg LLC, 2004 WL 1620866 at *8 (S.D.N.Y. July 20, 2004) (“Zubulake V”), Judge Scheindlin suggested that eDiscovery could be more manageable for producing parties but still defensible by taking advantage of the development of technology like X1 Distributed Discovery, which would be capable of conducting distributed keyword searches.  She anticipated that, due to the expansion of eDiscovery in coming years, counsel “must be more creative” because:

[It may not always] be feasible for counsel to speak with every key player, given the size of a company or the scope of the lawsuit, counsel must be more creative. It may be possible to run a system-wide keyword search; counsel could then preserve a copy of each “hit.” [FN75] Although this sounds burdensome, it need not be. Counsel does not have to review these documents, only see that they are retained. For example, counsel could create a broad list of search terms, run a search for a limited time frame, and then segregate responsive documents. . .

FN75. It might be advisable to solicit a list of search terms from the opposing party for this purpose, so that it could not later complain about which terms were used.

The recommended collection and preservation approach described by Judge Scheindlin is a far cry from obtaining full-disk images of the hard drives of each potential custodian, and in fact maps directly to the capabilities of X1 Distributed Discovery.

Courts do require that ESI be collected in a forensically sound manner, which does not mean a full forensic disk image is required, but generally does entail that metadata is not altered and a documented chain of custody is maintained. Historically, eDiscovery collection efforts not involving full disk imaging would often result in the loss or alternation of metadata. More advanced enterprise class technology, such as X1 Distributed Discovery, can accomplish system-wide searches that are narrowly tailored to collect only potentially relevant information while preserving metadata at the same time. This process is better, faster and dramatically less expensive than manual disk imaging. As with the Zubulake V decision, which advocates employing technology to perform “system-wide keyword searches”, courts recognize that advanced computer software can be deployed to limit the scope of computer searches and thus support reasonable discovery efforts.

With X1 Distributed Discovery (X1DD), parties can perform targeted search collection of the ESI of thousands of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%). This method is sound from an evidentiary standpoint as the collected data is preserved in its native file format with its metadata intact. X1DD features a solid chain of custody and robust logging, tracking and reporting.

The authorities cited above establish that effective technology can enable corporate counsel to establish a highly defensible process that at the same time minimizes cost. Routine full-disk imaging, over collection, and high eDiscovery costs are symptoms of an absence of a systemized process.  By establishing a scalable and system-wide eDiscovery process based upon the latest technology, large organizations can save millions while improving compliance.

Leave a comment

Filed under eDiscovery

New FRCP Rule 37(e) Calls Out Importance of Social Media Evidence

By John Patzakis

A new version of Federal Rule of Civil Procedure 37(e) FRCP bookgoes into effect December 1, 2015, barring an unexpected act of Congress to amend or rescind the changes. Proposed rule 37(e), features a new title: “Failure to Preserve Electronically Stored Information,” and replaces the current subpart in its entirety, providing a uniform standard to resolve a split in case law among different Judicial circuits concerning serious ESI spoliation sanctions. Rule 37(e) will be the only Federal civil rule section addressing the duty to preserve ESI and thus serves as key guidance governing eDiscovery collection and preservation efforts.

Proposed Rule 37(e) is accompanied by official Committee Advisory notes. Judges and counsel refer to these Advisory notes to provide guidance and insight concerning the intent of the laws and how they should be applied. The Advisory notes are published alongside the statute and are in fact widely seen as an extension of the FRCP. The Advisory notes for new proposed Rule 37(e) include the following key section:

Another factor in evaluating the reasonableness of preservation efforts is proportionality. The court should be sensitive to party resources; aggressive preservation efforts can be extremely costly, and parties (including governmental parties) may have limited staff and resources to devote to those efforts. A party may act reasonably by choosing a less costly form of information preservation, if it is substantially as effective as more costly forms. It is important that counsel become familiar with their clients’ information systems and digital data — including social media — to address these issues (emphasis added).

This reference to social media is particularly notable as it is included in very important guidance concerning overall ESI preservation requirements.  The implication of the new law is clear:  social evidence is given at least equal weight and import as other forms of ESI such as email and documents. As an aside, the Advisory notes to the 2006 Federal Rules Amendments, specifically for Rule 37(f)  state: “When a party is under a duty to preserve information because of pending or reasonably anticipated litigation, intervention in the routine operation of an information system is one aspect of what is often called a ‘litigation hold.’”

Due in large part as a result of this mention, legal holds quickly became a core eDiscovery requirement, with an entire sub-industry spawned.  So there is no question that the Advisory notes are highly influential.

It is notable that social media evidence is already a core component of eDiscovery evidence collection efforts by most lawyers and practitioners.  Recently, the global law firm Gibson Dunn released their influential 2015 Mid-Year eDiscovery and Information Law Update. In a section dedicated to social media, the Gibson Dunn update reports that “the use of social media continues to proliferate in business and social contexts, and that its importance is increasing in litigation, the number of cases focusing on the discovery of social media continued to skyrocket in the first half of 2015.”

And as succinctly noted by The Florida Bar Association in its publication, Florida Law Journal, “Social Media Evidence: What You Can’t use Won’t Help You” (2014) Volume 88, No. 1:

“Social media is everywhere. Nearly everyone uses it. Litigants who understand social media–and its benefits and limitations– can immeasurably help their clients resolve disputes. If not properly researched, preserved, and authenticated, the best social media evidence is worthless.”

And:

“Social networking sites have grown from a few thousand users to more than a billion. These sites have become a preferred form of electronic communication, surpassing email in 2009. As of March 31, 2011, 9,370,620 Floridians had registered for a Facebook account, which is approximately half of the state’s population. Based on these statistics, it is inevitable that the social media accounts of at least one person involved in a dispute will have potentially relevant and discoverable information.

And we are of course seeing this explosive trend in the adoption of X1 Social Discovery ahead of new FRCP Rule 37(e). X1 Social Discovery is the undisputed leader in its field for the preservation and analysis of social media and other internet evidence. If you are not one of the several thousand eDiscovery, legal, and digital investigation professionals who have enthusiastically incorporated X1 Social Discovery into your standard preservation protocols, new FRCP 37(e) should be your final call to action.

1 Comment

Filed under Case Law, eDiscovery, Social Media Investigations

A Series of Firsts: How X1 Sets the Standard for the New Enterprise Search Market

by Barry Murphy

The new world of IT demands that enterprise software support varying infrastructures – traditional managed data centers, the cloud, hybrid and virtual environments.  As a result, old-school approaches that once seemed logical no longer work in today’s reality.  For example, tightly-coupled search appliances that marry hardware and software together no longer meet the requirements of enterprises that need to make distributed workers more productive no matter what kind of device they are on.  It’s a new world for enterprise search and traditional solutions will have a very hard time adapting and scaling.

X1 is ready for the IT reality of always-on, virtual, cloud, and hybrid environments and business mobility.  This is evidenced by two “firsts” that X1 is proud to announce.  First, X1 is the first search application with an app publicly available in an Enterprise Mobility Management (EMM) app store.  X1 Search Mobile is available in the AirWatch marketplace.  Given the rapid move to mobile devices for work, this is no small news.  Google just announced on Friday that searching the web is now predominantly done from mobile phones.

Click to enlarge image

Click to enlarge image

It’s clear, then, that enterprise search from the mobile device is now an essential requirement for business professionals.  The mobile search app is important, but what X1 is building out is much more than that.  In order to effectively deliver enterprise search from the mobile device requires having the back-end infrastructure to support full enterprise search in virtual environments.  It also requires supporting the next-generation desktop (VDI or DaaS) where the users live. X1 has uniquely mastered such back-end infrastructure with the only desktop search (VDI or otherwise) and enterprise search solution that are VMware Ready certified.

The second “first” that X1 is proud of is the listing of X1 Rapid Discovery in the Amazon AWS Marketplace.  Again, this is no small feat – this is the first enterprise-grade search and eDiscovery application to be available in the AWS Marketplace.

AWS marketplace

Click to enlarge image

Organizations storing content in AWS can now get full-featured enterprise search and eDiscovery deployed right next to their content.  And, if these organizations store other content locally, they can deploy Rapid Discovery in their own data center as well and have a single-pane-of-glass across all information no matter where it lives.

X1 will continue to provide solutions that work in the infrastructures that organizations utilize today.  The traditional approach to search will not work, but with X1, companies will have the flexibility to deploy into any environment and give users a powerful search experience on any device.  That is a powerful productivity tool – and businesses require worker productivity the same way humans require oxygen.  It is a new enterprise search market out there and X1 is uniquely positioned to lead the charge.

1 Comment

Filed under Cloud Data, eDiscovery, Enterprise eDiscovery, Hybrid Search, Information Management

Gibson Dunn Report: Number of Cases Involving Social Media Evidence “Skyrocket”

By John Patzakis

Global law firm Gibson Dunn has released their esteemed 2015 Mid-Year eDiscovery and Information Law Update.skyrocket In a section dedicated to social media, the Gibson Dunn update reports that “the use of social media continues to proliferate in business and social contexts, and that its importance is increasing in litigation, the number of cases focusing on the discovery of social media continued to skyrocket in the first half of 2015.”

The eDiscovery update addresses key themes and several cases involving key legal issues related to social media evidence, which were previously addressed on this blog. Two key highlights cite cases affirming that mere screenshot printouts of social media evidence are not defensible and clarify overall authentication requirements in order to admit social media evidence in court.

As noted by the report “in the first half of 2015, courts continued to find that the testimony of the individual who printed a copy of a social media webpage, or prepared a memorandum summarizing information obtained from the social media account, is insufficient to authenticate social media evidence.” The report cites Linscheid v. Natus Medical Inc., 2015 WL 1470122, at *5-6 (N.D. Ga. Mar. 30, 2015) (finding LinkedIn profile page not authenticated by declaration from individual who printed the page from the Internet); Monet v. Bank of America, N.A., 2015 WL 1775219, at *8 (Cal Ct. App. Apr. 16, 2015) (finding that a “memorandum by an unnamed person about representations others made on Facebook is at least double hearsay” and not authenticated).

The Report also cited “a major shift” in case law concerning the authentication of social media evidence. The Court of Appeals of Maryland determined that “in order to authenticate evidence derived from a social networking website, the trial judge must determine that there is proof from which a reasonable juror could find that the evidence is what the proponent claims it to be.”  Sublet v. State, 113 A.3d 695, 698, 718, 722 (Md. 2015) (citing U.S. v. Vayner, 769 F.3d 125 (2d Cir. 2014)). Previously in Maryland, social media evidence was admissible only if the judge was “convince[d] . . . that the social media post was not falsified or created by another user.”  Griffin v. State, 19 A.3d 415 (Md. 2011).

Under Sublet, the preliminary determination of authentication is made by the trial judge and is a “context–specific determination” based on proof that “may be direct or circumstantial.” Id. at 715 (citing Vayner). The court noted that “[t]he standard articulated in Vayner … is utilized by other federal and State courts addressing authenticity of social media communications and postings.”

These cases cited by Gibson Dunn illustrate why best practices software is needed to properly collect and preserve social media evidence. Ideally, a proponent of the evidence can rely on uncontroverted direct testimony from the creator of the web page in question. In many cases, such as in the Vayner case where incriminating social media evidence is at issue, that option is not available. In such situations, the testimony of the examiner who preserved the social media or other Internet evidence “in combination with circumstantial indicia of authenticity (such as the dates and web addresses), would support a finding” that the website documents are what the proponent asserts. Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154. (emphasis added) (See also, Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing MD5 hash values as an additional element of potential “circumstantial indicia” for authentication of electronic evidence).

One of the many benefits of X1 Social Discovery is its ability to preserve and display all the available “circumstantial indicia” or “additional confirming circumstances,” in order to present the best case possible for the authenticity of social media evidence collected with the software. This includes collecting all available metadata and generating a MD5 checksum or “hash value” of the preserved data for verification of the integrity of the evidence. It is important to collect and preserve social media posts and general web pages in a thorough manner with best-practices technology specifically designed for litigation purposes.  For instance, there are over twenty unique metadata fields associated with individual Facebook posts and messages. Any one of those entries, or a combination of them contrasted with other entries, can provide unique circumstantial evidence that can establish foundational proof of authorship.

Leave a comment

Filed under Case Law, eDiscovery, Social Media Investigations