Tag Archives: ESI

Full Disk Imaging is Expensive Overkill for eDiscovery Collection

Early in my tenure as co-founder at Guidance Software (EnCase), we commercialized full-disk imaging circa 2001 with EnCase Forensic edition, which was the first Windows-based computer forensics tool. EnCase Forensic enabled broader market adaption of computer forensic drive imaging, but the tool was originally designed for law enforcement to perform criminal computer evidence seizures. We were thinking more CSI than ESI.

However, soon a funny thing happened. For a two to three year period in the mid-2000s, a majority of standalone forensic software purchases came from eDiscovery service providers. Law enforcement represented a sizable minority during this “surge period” of commercial sector purchases, but we eventually realized that the eDiscovery services community was in the process of standardizing on full disk imaging as their default collection practice.

I have a few theories on why this trend occurred, but suffice to say that one of the many reasons that full-disk imaging is burdensome is because the process often involves service providers traveling out to the individual custodians, which is very disruptive to employees, not to mention time consuming. Additionally, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. In a word, this is overkill, with much more effective and efficient options now available.

However, many eDiscovery practitioners continue to collect or direct the collection of Electronically Stored Information (ESI) through full disk forensic “images” of targeted media as a routine practice. Full disk images capture every bit and byte on a hard drive, including system and application files, unallocated space and a host of irrelevant user-created data. While full disk images may be warranted in some limited situations, the expense and burden associated with the practice can be quite extensive, particularly in matters that involve multiple custodians.

The Duty to Preserve Only Extends to Relevant Information

It is established law that the duty to preserve evidence, including ESI, extends only to relevant information. Hynix Semiconductor Inc. v. Rambus Inc., 2006 WL 565893 (N.D.Cal. Jan. 5, 2006) at *27. (“The duty to preserve evidence, once it attaches, does not extend beyond evidence that is relevant and material to the claims at issue in the litigation.”)  As noted by the Zubulake court, “Clearly [there is no duty to] preserve every shred of paper, every e-mail or electronic document, and every backup tape…Such a rule would cripple large corporations.”  Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217 (S.D.N.Y. 2004) (“Zubulake IV”).

The vast majority of ESI on a full disk image will typically constitute irrelevant information. As stated by one court, “imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information.” Deipenhorst v. City of Battle Creek, 2006 WL 1851243 (W.D.Mich. June 30, 2006) at *3.  In noting that the “imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties,” the Deipenhorst court declined to require the production of  full disk images absent a strong showing of good cause. See also, Fasteners for Retail, Inc. v. DeJohn et al., No 1000333 (Ct. App.Ohio April 24, 2014).

Similarly, in Zubulake v. UBS Warburg LLC, 2004 WL 1620866 at *8 (S.D.N.Y. July 20, 2004) (“Zubulake V”), Judge Scheindlin suggested that eDiscovery could be more manageable for producing parties but still defensible by taking advantage of the development of technology like X1 Distributed Discovery, which would be capable of conducting distributed keyword searches.  She anticipated that, due to the expansion of eDiscovery in coming years, counsel “must be more creative” because:

[It may not always] be feasible for counsel to speak with every key player, given the size of a company or the scope of the lawsuit, counsel must be more creative. It may be possible to run a system-wide keyword search; counsel could then preserve a copy of each “hit.” [FN75] Although this sounds burdensome, it need not be. Counsel does not have to review these documents, only see that they are retained. For example, counsel could create a broad list of search terms, run a search for a limited time frame, and then segregate responsive documents. . .

FN75. It might be advisable to solicit a list of search terms from the opposing party for this purpose, so that it could not later complain about which terms were used.

The recommended collection and preservation approach described by Judge Scheindlin is a far cry from obtaining full-disk images of the hard drives of each potential custodian, and in fact maps directly to the capabilities of X1 Distributed Discovery.

Courts do require that ESI be collected in a forensically sound manner, which does not mean a full forensic disk image is required, but generally does entail that metadata is not altered and a documented chain of custody is maintained. Historically, eDiscovery collection efforts not involving full disk imaging would often result in the loss or alternation of metadata. More advanced enterprise class technology, such as X1 Distributed Discovery, can accomplish system-wide searches that are narrowly tailored to collect only potentially relevant information while preserving metadata at the same time. This process is better, faster and dramatically less expensive than manual disk imaging. As with the Zubulake V decision, which advocates employing technology to perform “system-wide keyword searches”, courts recognize that advanced computer software can be deployed to limit the scope of computer searches and thus support reasonable discovery efforts.

With X1 Distributed Discovery (X1DD), parties can perform targeted search collection of the ESI of thousands of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%). This method is sound from an evidentiary standpoint as the collected data is preserved in its native file format with its metadata intact. X1DD features a solid chain of custody and robust logging, tracking and reporting.

The authorities cited above establish that effective technology can enable corporate counsel to establish a highly defensible process that at the same time minimizes cost. Routine full-disk imaging, over collection, and high eDiscovery costs are symptoms of an absence of a systemized process.  By establishing a scalable and system-wide eDiscovery process based upon the latest technology, large organizations can save millions while improving compliance.

Leave a comment

Filed under eDiscovery

New FRCP Rule 37(e) Calls Out Importance of Social Media Evidence

By John Patzakis

A new version of Federal Rule of Civil Procedure 37(e) FRCP bookgoes into effect December 1, 2015, barring an unexpected act of Congress to amend or rescind the changes. Proposed rule 37(e), features a new title: “Failure to Preserve Electronically Stored Information,” and replaces the current subpart in its entirety, providing a uniform standard to resolve a split in case law among different Judicial circuits concerning serious ESI spoliation sanctions. Rule 37(e) will be the only Federal civil rule section addressing the duty to preserve ESI and thus serves as key guidance governing eDiscovery collection and preservation efforts.

Proposed Rule 37(e) is accompanied by official Committee Advisory notes. Judges and counsel refer to these Advisory notes to provide guidance and insight concerning the intent of the laws and how they should be applied. The Advisory notes are published alongside the statute and are in fact widely seen as an extension of the FRCP. The Advisory notes for new proposed Rule 37(e) include the following key section:

Another factor in evaluating the reasonableness of preservation efforts is proportionality. The court should be sensitive to party resources; aggressive preservation efforts can be extremely costly, and parties (including governmental parties) may have limited staff and resources to devote to those efforts. A party may act reasonably by choosing a less costly form of information preservation, if it is substantially as effective as more costly forms. It is important that counsel become familiar with their clients’ information systems and digital data — including social media — to address these issues (emphasis added).

This reference to social media is particularly notable as it is included in very important guidance concerning overall ESI preservation requirements.  The implication of the new law is clear:  social evidence is given at least equal weight and import as other forms of ESI such as email and documents. As an aside, the Advisory notes to the 2006 Federal Rules Amendments, specifically for Rule 37(f)  state: “When a party is under a duty to preserve information because of pending or reasonably anticipated litigation, intervention in the routine operation of an information system is one aspect of what is often called a ‘litigation hold.’”

Due in large part as a result of this mention, legal holds quickly became a core eDiscovery requirement, with an entire sub-industry spawned.  So there is no question that the Advisory notes are highly influential.

It is notable that social media evidence is already a core component of eDiscovery evidence collection efforts by most lawyers and practitioners.  Recently, the global law firm Gibson Dunn released their influential 2015 Mid-Year eDiscovery and Information Law Update. In a section dedicated to social media, the Gibson Dunn update reports that “the use of social media continues to proliferate in business and social contexts, and that its importance is increasing in litigation, the number of cases focusing on the discovery of social media continued to skyrocket in the first half of 2015.”

And as succinctly noted by The Florida Bar Association in its publication, Florida Law Journal, “Social Media Evidence: What You Can’t use Won’t Help You” (2014) Volume 88, No. 1:

“Social media is everywhere. Nearly everyone uses it. Litigants who understand social media–and its benefits and limitations– can immeasurably help their clients resolve disputes. If not properly researched, preserved, and authenticated, the best social media evidence is worthless.”

And:

“Social networking sites have grown from a few thousand users to more than a billion. These sites have become a preferred form of electronic communication, surpassing email in 2009. As of March 31, 2011, 9,370,620 Floridians had registered for a Facebook account, which is approximately half of the state’s population. Based on these statistics, it is inevitable that the social media accounts of at least one person involved in a dispute will have potentially relevant and discoverable information.

And we are of course seeing this explosive trend in the adoption of X1 Social Discovery ahead of new FRCP Rule 37(e). X1 Social Discovery is the undisputed leader in its field for the preservation and analysis of social media and other internet evidence. If you are not one of the several thousand eDiscovery, legal, and digital investigation professionals who have enthusiastically incorporated X1 Social Discovery into your standard preservation protocols, new FRCP 37(e) should be your final call to action.

1 Comment

Filed under Case Law, eDiscovery, Social Media Investigations

Highlights from Reed Smith’s SharePoint eDiscovery Webinar

by John Patzakis

Reed Smith recently hosted an excellent webinar on SharePoint eDiscovery challenges, led by Patrick Burke with the firm’s eDiscovery team. The webinar featured a substantive and detailed discussion on the nuances, pitfalls and opportunities associated with eDiscovery of data from SharePoint sites. This topic is very timely as the majority of enterprises are deploying the Microsoft platform at an accelerated rate, with the solution reaching $1 billion in sales faster than any other Microsoft product in history. Burke noted that “SharePoint has exploded across corporate networks, and are filling rapidly with ESI,” but that “the bad news is that it’s not centralized. There is no single place to go to search through the ESI across an organization’s SharePoint sites to identify which SharePoint Site holds the ESI you’re looking for.”

As SharePoint enables enterprises to consolidate file shares, Intranet sites, internal message boards and wikis, project management, collaboration and more into a single platform, it provides significant operational efficiencies as well as eDiscovery challenges. The vast majority of current SharePoint deployments are versions 2007 or 2010, and neither have meaningful internal eDiscovery or even export features. This is one reason why SharePoint eDiscovery is fraught with over-collection, resulting in much higher costs and time delays that what is typically seen with other similar data stores such as email servers and file shares.

In addressing best practices for eDiscovery of SharePoint sites, Burke advised, among other key points, that the litigation hold process must not only involve individual custodians but the SharePoint administrator as well: “As it usually isn’t feasible to search all an organization’s SharePoint sites, the first step is to talk to the key custodians (through litigation hold questionnaire processes) and ask them which SharePoint sites they use (to identify) relevant ESI.” From there, “the cross-check involves talking with the SharePoint administrator, who can look up all the SharePoint sites to which the custodian’s belong.”

A full video recording of the webinar can be accessed here >

Appliance-based eDiscovery solutions or remote collections do not work as it may take weeks, if not months, to copy a multi-terabyte SharePoint site over a network connection and a large corporation may have several dozens of SharePoint silos from which to collect.  Manual collection efforts, which are geared toward mass “data dumps,” are also time consuming and are typically very costly due to the extensive processing and data massaging required to put the SharePoint data back into context.

Instead, what is needed is a solution such as X1 Rapid Discovery can quickly and remotely install and operate within the same local network domain to enable localized search, review and early case assessment in place. X1 Rapid Discovery’s full content indexing and preview of native SharePoint document libraries and lists, as well as its robust search, document filters, intuitive review interface uniquely enables targeted and contextual search, preservation and export of SharePoint evidence in its native format. In fact, we believe it is the only solution available that enables true in-place early case assessment and eDiscovery review of SharePoint sites, including iterative search, tagging and full fidelity preview in place, without the requirement to first export all of the data out of the platform.

To learn more, sign on to the recorded webinar or please contact us for a further briefing to learn how to save your organization or your clients tens of thousands of dollars on litigations costs associated with SharePoint.

Leave a comment

Filed under Best Practices, Case Law, eDiscovery & Compliance, Enterprise eDiscovery, Information Access, Preservation & Collection

The Benghazi ESI Scandal

Last week, the United States Senate Intelligence Committee issued a bipartisan report finding that the deadly assault on the American diplomatic compound in Benghazi, Libya, which killed US Ambassador Chris Stevens and 3 other Americans, could have been prevented.

Bengazi

The account spreads blame among the State Department, the military and U.S. intelligence for missing what now seem like obvious warning signs in the weeks before the September 11, 2012, attack, including multiple clues and outright threats that appeared on social media — key evidentiary source of Electronically Stored Information (ESI) as defined by the Federal Rules of Civil Procedure.

And therein lies what could be the real scandal of the Benghazi affair – The failure of the US Intelligence Committee to monitor and investigate available social media evidence leading up to the attack in that volatile and dangerous part of the world.  The Senate report notes that “[a]lthough the Intelligence Community (IC) relied heavily on open source press reports in the immediate aftermath of the attacks, the IC conducted little analysis of open source extremist-affiliated social media prior to and immediately after the attacks.” And that there were “reports from the IC indicating that more in-depth intelligence exploitation of social media in the Benghazi area, including web postings by Libyan nationals employed at the Temporary Mission Facility, could have flagged potential security threats to the Mission facility or important information about the employees prior to the September 11, 2012, attacks.”

One of the missed clues identified by the Senate report, which includes 14 independent references to social media evidence, involved a prior May 22, 2012, attack on the Benghazi-based International Committee of the Red Cross (ICRC) building by militants with Rocket Propelled Grenades (RPGs). On May 28, 2012, a previously unknown organization, The Omar Abdurrahman Group, took to social media to claim responsibility for the ICRC attack and issued a direct threat against the United States. It is believed by many intelligence experts, and implied in the Senate report, that the Omar Abdurrahman group was responsible for the September 11, 2012, attacks on the American diplomatic compound.

The Senate report includes a key recommendation that the Intelligence Community “must place a greater emphasis on collecting intelligence and open-source information, including extremist-affiliated social media, to improve its ability to provide tactical warnings…” And separately, the Senate Intelligence Committee recommends that the “IC should expand its capabilities to conduct analysis of open source information including extremist-affiliated social media particularly in areas where it is hard to develop human intelligence or there has been recent political upheaval. Analysis of extremist-affiliated social media should be more clearly integrated into analytic products, when appropriate.”

Ironically, all these pieces of evidence and clues could have been very effectively gathered with specially designed investigation software that runs $945 a seat.

And speaking of written reports issued last week by prominent organizations that address the compelling trend of social media evidence, Gibson Dunn released their 2013 Year-End Electronic Discovery and Information Law Update. In a section dedicated to social media, the Gibson Dunn Update notes that “the number of cases involving social media evidence continues to skyrocket,” and that “Commentators and courts alike have noted that the use of social media evidence has become commonplace across all types of litigation.” The Update covers several cases, many of which have been addressed on this blog, involving key legal issues related to social media. It’s a good read, and is not unlike the Senate Intelligence Committee’s Benghazi report, in that both underscore the critical importance of social media evidence, for both reactive and proactive investigations of many stripes.

1 Comment

Filed under Social Media Investigations, Uncategorized