This the fifth in a series of posts examining e-discovery concepts addressed in legal ethics opinions, such as State Bar of California Opinion CAL 2015-193, relating to an attorney’s duty of competence.
In short, the California opinion states that attorneys handling matters involving e-discovery must do one of the following: 1) acquire sufficient skill and learning before handing cases involving e-discovery; 2) associate with counsel or consultants familiar with e-discovery, or 3) decline the representation.
The opinion also specifically identifies e-discovery tasks about which counsel must gain a working knowledge or enlist co-counsel or e-discovery consultants to assist. The tasks, which are discussed in this series of articles, are:
This article addresses the fifth task, collecting ESI in a manner that preserves its integrity.
Before addressing preservation of ESI integrity, an explanation is probably helpful. In sum, protecting the integrity of electronically stored information means that it is not altered during collection. This is important because if it is necessary at a later date, it may be established that collected data is an exact copy of original data. This is done by taking precautions not to alter a file’s contents or metadata. Proving the authenticity of electronic data is often important in criminal matters and when the authenticity of individual files is disputed in civil litigation.
To prove copies are the same as originals, when ESI is collected in a forensically sound, or “defensible” manner, “hash values” are generated for each file. Hash values are strings of numbers and letters assigned to each file by a computer algorithm and sometimes referred to as the file’s “digital fingerprint.” Two of the most common hash value algorithms are the MD5 and the SHA-1. To determine whether two files are exact copies, the hash value for the copied file is compared against the hash value for the original file. If the hash values match, then it establishes they are exact copies.
To ensure files are not altered during collection, they should not be opened, edited and the file type should not be changed. For instance, a pdf version of a text file should not be created during collection. To prevent against changes during collection, some e-discovery collection software uses “write-blocking” technology which prevents changes to the media from which the data is collected.
Protecting against changes to ESI during collection may also be accomplished by creating container files to hold the data. For instance, when email is collected for e-discovery purposes, individual messages are collected and then grouped together in a PST file.
Additionally, to protect the integrity of ESI, it is generally an ESI collection best practice to create a working copy of the data to analyze and keep access to the original file at a minimum.
There are generally two methods of collecting ESI: targeted collections and creating forensic images of storage media.
Targeted collections often only collect electronic documents from selected data custodians or network locations, or target only ESI containing keywords or search terms. Targeted collections may also only capture files created within a certain date range. Targeted collections are good for limiting the amount of data collected and decreasing the number of irrelevant files gathered.
The second method of ESI collection is copying all contents of a computer drive or storage media. This is done by creating a forensic image of the media. As defined by the Sedona Conference Glossary E-Discovery and & Digital Information Management, a forensic image is “an exact copy of an entire physical storage media (hard drive, CD-ROM, DVD-ROM, tape, etc.), including all active and residual data and unallocated or slack space on the media. Forensic copies are often called images or imaged copies.” Once the image is taken, the computer may be returned to service and the copied hard drive may be examined for relevant evidence without worry of information deletion or destruction.
It is often inadvisable to let individual litigants and data custodians collect their own ESI. It is unlikely that the client is trained to collect electronic data which makes it more likely that files may be altered during collection because of the method in which the data is copied. Additionally, clients may not understand the legal significance of documents they are tasked with identifying and collecting.
However, that is not to say custodian input is not important the process. Custodians are often in the best position to identify sources of relevant information. To assist with the identification of potential sources and locations of relevant evidence, ESI custodian questionnaires and interviews are often quite helpful.
Another ESI collection best practice is documenting chain of custody to the extent possible. This is especially true if you are creating forensic images of hard drives. Possession of the device from which ESI is collected should be documented at every step of via a chain of custody form documenting the identities of persons in possession of the devices and the dates and time of possession.
For additional reading on proper ESI collection methods, a good resource is the EDRM Collection Standards.