Electronic Evidence Joe Kashi
Today’s Program Types of Electronically stored information Accessibility and effect upon discovery Where and how to find ESI ESI forensics and indicators of tampering Revised FRCP regarding ESI Some thoughts on authenticating photos Demonstration of ESI forensic software Electronic Brief demonstration
Electronically Stored Information (“ESI”) Used by revised FRCP as the “official” term of art for electronic evidence FRCP 26,30,33,34,37 ESI is pervasive recent studies conclude that ESI accounts for 93% - to 98% of all original “documents” arguably, ESI is now the “best evidence” Paper prints, though often easier to use in the courtroom, are usually secondary copies
General Types of ESI Few original paper documents, mostly signed or hand-written items Locally generated documents Networks – local, enterprise, Internet Personal Digital Assistants, i.e., Palm, Blackberry, smart cell phones
Internet uploads and downloads Text, audio, video, photo, music Personal web pages number in the tens of millions; example “MySpace” Internet collaborative documents Usually free services Example Google Docs
Third Party ESI Voice mail, typically stored on hard disks Email, web hosting, Google Docs, usually stored in about 4 locations Cell phones voice messaging wireless video/photo/Email GPS or cell tower locating
Non-computer ESI Fax and copier memory Digital cameras and camcorders Blackberry and iPod type devices VHS, CD and DVD Audio recorders
ESI - Is It Accessible? Critical distinction under new FRCP If accessible, existence and location must be disclosed as a matter of course during initial disclosures If not readily accessible, then other factors become prominent, including whether to order discovery, sampling of records, and cost-shifting
Accessibility depends upon media type Active data Easily accessed dynamic data that can change or be lost due to ordinary use “Near line” Not everyday storage but can be mounted and searched without too much difficulty. Examples: CD or DVD disks and backups, portable hard disks, small USB “thumb” drives, digital camera memory cards
“Not Readily Accessible” ESI These may require significant effort to be usable and searchable Examples: Backup tapes; each needs to be restored, mounted and searched individually; often requires new hardware Old data or file formats not readable by current software
Practical Guides for Trial Judges Guidelines for State Trial Courts Regarding Discovery of Electronically Stored Evidence – Conference of Chief Justices, August 2006 US District Court for the District of Kansas pretrial order Zubulake and Coleman decisions December 2006 revisions to FRCP Sedona Principles
Preliminary Information Types of computer systems How networked IT personnel How backed up and how often Disaster Recovery Plans Logging of activities – very useful What programs are used? File formats and data formats What data is maintained and where
“Delete” does not mean deleted Persistence Broad storage Duplicative storage Actually harder to discard than paper files Automatic logging and System Registry File fragments
Recommend
More recommend
