eDiscovery and Keyword Searches

eDiscovery

• Electronic Discovery Reference Model (EDRM)
• discoveryassistant.com Discovery Assistant – Electronic Discovery, Records Management and Litigation Support

Digital Forensics vs. eDiscovery

The following was taken from: Electronic Discovery and Evidence, 2005-2006 ed. by Michael R. Arkfeld, Law Partner Publishing, LLC. Phoenix, AZ. It is available online at http://www.lawpartnerpublishing.com, but you must pay (a lot) for it.

_____

§ 4.2 EXPERTS, CONSULTANTS AND SERVICE BUREAUS

…A “computer forensic” specialist is part of the new “electronic discovery” industry. The use of such a specialist is similar to hiring an accident reconstructionist, investigator or economist to assist in the preparation of a case. For example, forensic specialists can assist with the following electronic discovery tasks:

• Assessing the opposing party’s computer systems and determin[ing] what data may be available;
• Harvesting and extracting electronic data and metadata from programs such as Microsoft Outlook;
• Negotiating for the exchange of electronic information;
• Making a forensic or mirror image copy of a hard disk;
• Monitoring the discovery of electronic information from the opposing party;
• Assisting with discovery cost containment;
• Providing advice on how to search [the] data;
• Providing education to the attorneys and the court on electronic discovery issues; and
• Providing in-court testimony on a computer forensic issue.

§ 4.3 TYPE OF EXPERTS, CONSULTANTS AND SERVICE BUREAUS

[B] Computer Forensic Experts

A computer forensic expert generally provides expertise regarding the generation, storage, recovery, location and analysis of computer evidence.

This individual expert can provide “expert” opinions in order to educate counsel and testify in court as to computer evidence. When an expert is to testify regarding computer evidence, the court will examine their experience, educational credentials and other background information closely. Such experts may review computer evidence directly using various forensic techniques and prepare expert forensic reports, affidavits, etc. They may also be called on to assist the court, as a neutral expert, in monitoring the electronic discovery process.

A forensic expert is needed if you intend to secure electronic information directly from a standalone or networked computer system. Otherwise you risk that the evidence may be damaged, destroyed or compromised in some way.

This expert is distinguished from data processing and data recovery consultants based on their education, experience and training in the forensic area and capacity to testify in the courtroom.

[C} Electronic Information Processing Consultants

After the electronic information has been acquired or “harvested,” electronic information processing consultants can provide expertise on how to process this information through the extraction, conversion and presentation stages. These consultants are available to assist in converting data from different software applications into databases, full text and images for control and presentation purposes. They should be able to provide cost estimates for processing various types of data (i.e., e-mail, word processing documents, etc.).

[G] Electronic Evidence Preparation Consultants

There are many information technology consultants who are changing from providing law office and litigation management consultation services to providing services pertaining to the discovery and production of electronic evidence. These individuals’ skills and credentials will vary depending ontheir background, education and experience. They may assist the attorney in discovering or disclosing electronic information, but generally do not possess sufficient expertise to testify in court.

These consultants are marketing their services under a variety of titles. These include electronic discovery management consultants, electronic evidence preparation consultants, litigation electronic discovery monitors and other titles usually containing the words “electron,” “discovery” and/or “evidence”.

_____

e-Discovery is the easy one:

e-Discovery is actually a shortened form of Electronic Document Discovery or EDD. It is the overall process of responding to a Discovery Order for Electronic Documents. That is, Party A will be Producing Electronic Documents to Party B because they are being compelled by a Court to do so or face sanctions, etc..

It is NOT the process of turning over computers, nor of making them available for imaging, nor of producing the images themselves. Those are NOT Electronic Documents, they are computers or images of computers (disks).

Obviously performing EDD may involve Computer Forensic processes/techniques such as imaging and even file recovery. For example, if the discovery order calls for the production of all files, live or deleted, relevant to a litigation, then you will have to use Forensic Techniques.

The key issue to me that defines EDD is that discreet documents/files (live, deleted, fragments, etc.) are being produced by Party A to Party B in response to a Discovery Order. Also, the number of documents/files being produced does not matter. It is EDD if it is a single file, or if it is several million files.

One can easily see that EDD is primarily designed to satisfy civil litigation requirements.

Computer Forensics:

Computer Forensics, on the other hand, is an Investigative process.

In the Civil world, it is often corporations performing investigations of data they own. In these situations the court does not have to get involved during the early stages, it is purely the corporation investigating its own data.

On the criminal side, law enforcement typically gets a warrant for the entire computer, not just specific electronic documents on the computer. Then once they have the computer they start their investigation.

There are federal rules that govern civil procedure in every state. The federal rules regarding discovery (particularly as it relates to electronic data) are undergoing significant changes effective December 1, 2006 [pdf]. (This is a large PDF file that contains all the rules, but the rules governing discovery are primarily 16, 26, 33 and 34.)

There are significantly limited rules that govern criminal discovery [pdf]. Rule 16 governs discovery and Rule 17 the subpoena process.

Expect each state to have its own set of civil procedure rules. Here are links to the websites for New Jersey and New York rules on the civil discovery process. Texas and Massachusetts have civil procedure rules similar to the federal rules.

Discovery in civil litigation does not require a court order. The same is true for discovery by the defendant in a criminal proceeding. In civil litigation, one party sends the other party a request to produce or inspect and the other party is supposed to comply. If the responding party fails to produce the requested data (in its entirety), the requesting party can make a motion to the court to compel the data and then the court can issue an order and possibly assess sanctions.

The Challenges of Keyword Searches

• Is the text actually plain text (i.e., ASCII/ANSI text)?
• Is any text Unicode?
• Is any text imaged as, e.g., TIFF, PDF, word art, etc.?
• Are any of the documents compressed or encrypted?
• Are any of the text items actually calculated fields (such as values contained in a spreadsheet)?
• How are diacriticals and hyphens handled?
• Do you need fuzzy searching (do you need to find the misspelled terms)?
• See further problems at 8 Problems of Keyword Search in E-Discovery – A Guide for Fortune 1000 Companies by J.R. Jenkins, MLIS, Senior Product Marketing Manager at FTI Technology

Keyword search tools

• DTSearch
• Strsrch by Dan Mares
• earlyCASE ® is an application which runs on your local PC and analyzes the ESI that your computer can access without the data ever leaving your computer or network. earlyCASE ® allows you to see and understand (early case assessment) all of your data before it is processed for discovery. It supports multiple languages, extracts emails, attachments, metadata, generates hash values, detects duplicates and creates a local inventory database of documents and emails. earlyCASE ® allows users to make informed discovery decisions and easily cut down the size of data sets through filter and culling before going into the discovery process and review.