Forensically Sound Data: What Does IT Need to Do?

By Ed Lee and Scott Giordano

Computer forensics, the practice of recovering and preserving computer-generated evidence so that it is admissible in legal proceedings, paved the way for the discipline of e-discovery in the 1990s. In doing so, practitioners created the concept of the “forensically sound copy” of electronically stored information (ESI), using bit stream imaging of hard drives as the standard for admissibility in court. A bit stream copy (often simply called an image) is an exact duplicate of every bit on the subject drive, including unallocated space.

In today’s e-discovery practice, such copies, which capture system files, unallocated space and fragments of deleted ESI along with the user files that actually matter, unnecessarily consume the time of IT and legal professionals while adding little to the resolution of a matter. Moreover, courts do not require them as a condition for admitting specific files found on the drive. “Forensically sound” is a legal conclusion about whether evidence can be trusted, not a prescribed method for copying ESI.

Exacerbating the problem are the year-over-year, double-digit increases in ESI volume that enterprises have experienced over roughly the past five years, a trend that promises only to worsen. This article provides insights into the admissibility of ESI and what IT professionals can do to reduce the exploding costs of ESI collection, storage and document review.

IT professionals often presume that ESI must be copied using a bit stream process and that a logical process, one that copies only the files and their metadata, is not sufficient. That presumption is likely a legacy of forensic software vendors promoting their products by listing the matters in which their software was used, all or nearly all of which were criminal. In fact, the same set of rules, the Federal Rules of Evidence (FRE), governs civil and criminal matters alike in federal court, and most state evidence codes follow it closely. FRE 901(a) states that when authenticating an item, the proponent must produce “evidence sufficient to support a finding that the matter in question is what the proponent claims.”

Neither the rule nor the advisory committee notes specify what type of copying process is required, and courts do not prescribe one either. Their opinions consistently hold that the threshold for authentication is relatively low, applying standards such as a “reasonable likelihood” that the evidence is what the proponent claims it to be, or a “rational basis” for concluding that it is.

Which Types of Matters Require Bit Stream?

The touchstone for choosing a copying methodology is the degree of trust in the integrity of the ESI implicated in a given matter: the lower the trust, the greater the need to be able to detect, and later prove or disprove, tampering or accidental damage. As a result, the class of matter drives the collection strategy.

Civil: The vast majority of civil matters do not merit the benefits, or the expense, of bit stream copies. Logical copies that faithfully capture the files and their metadata are all that is required, provided the collection is documented: a cryptographic hash of each file recorded at the time of collection, and a chain of custody showing who handled the copy, are what proponents typically offer to meet the authentication threshold. Counsel are usually interested in metadata such as the dates and times that email messages were sent and received, and the recipient list.
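The logical collection described above, as an added example (this is not code from the original article or its authors): a Python script that copies only the named files rather than imaging the drive, preserves the timestamps and permission bits a file copy can carry, records the remaining source metadata and a SHA-256 of each file in a manifest, and re-verifies the copies later so that a copy altered after collection is detected. The custodian name, file names and file contents are constructed for the example; the 2-second timestamp tolerance is an assumption about destination filesystem granularity.

```python
"""Logical collection with an integrity manifest (added example).

Instead of imaging the whole drive, copy only the named files, record the
metadata counsel relies on plus a SHA-256 of each file's content, and
re-verify the copies against that manifest later. Paths, the custodian
name and the sample files below are constructed for this example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large mailbox files never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def file_metadata(path: Path) -> dict:
    """Filesystem metadata of the original, recorded because the copy cannot carry all of it."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "atime_ns": st.st_atime_ns,
        # ctime is inode-change time on POSIX and creation time on Windows;
        # it cannot be set on the copy, so only the recorded value survives.
        "ctime_ns": st.st_ctime_ns,
        "mode": oct(st.st_mode & 0o7777),
        "uid": getattr(st, "st_uid", None),
        "gid": getattr(st, "st_gid", None),
    }


def collect(sources, dest_dir: Path, custodian: str) -> dict:
    """Copy each source file, hash source and copy, and write a manifest beside the copies."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in map(Path, sources):
        dst = dest_dir / src.name
        shutil.copy2(src, dst)  # copy2 carries over mtime/atime and permission bits
        src_hash, dst_hash = sha256_file(src), sha256_file(dst)
        if src_hash != dst_hash:
            raise RuntimeError(f"copy of {src} does not match its source")
        items.append({"source": str(src), "copy": str(dst),
                      "sha256": src_hash, "source_metadata": file_metadata(src)})
    manifest = {
        "custodian": custodian,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    manifest_path = dest_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    # Hash the manifest too; this value is what goes into the chain-of-custody record.
    manifest["manifest_sha256"] = sha256_file(manifest_path)
    return manifest


# Assumed tolerance: destination filesystems may store timestamps more coarsely
# than the source (FAT, for example, keeps 2-second resolution).
TIMESTAMP_TOLERANCE_NS = 2_000_000_000


def verify(manifest: dict) -> list:
    """Return the copies whose content or preserved mtime no longer match the manifest."""
    failures = []
    for item in manifest["items"]:
        copy = Path(item["copy"])
        if not copy.exists() or sha256_file(copy) != item["sha256"]:
            failures.append(item["copy"])
            continue
        drift = abs(copy.stat().st_mtime_ns - item["source_metadata"]["mtime_ns"])
        if drift > TIMESTAMP_TOLERANCE_NS:
            failures.append(item["copy"])
    return failures


def demo() -> dict:
    """Constructed scenario: collect two files, verify, then alter one copy and verify again."""
    work = Path(tempfile.mkdtemp(prefix="logical-collection-"))
    src_dir = work / "custodian-laptop"
    src_dir.mkdir()
    (src_dir / "q3-forecast.xlsx").write_bytes(b"PK\x03\x04 constructed sample workbook")
    (src_dir / "memo.txt").write_text("Constructed sample memo.\n")
    # Backdate the memo so that preserving mtime actually means something.
    os.utime(src_dir / "memo.txt", ns=(1_600_000_000_000_000_000, 1_500_000_000_000_000_000))
    manifest = collect(sorted(src_dir.iterdir()), work / "collected", custodian="jdoe")
    clean = verify(manifest)
    # Someone edits a copy after collection; the hash check catches it.
    (work / "collected" / "memo.txt").write_text("Altered after collection.\n")
    return {"items": len(manifest["items"]), "clean": clean, "tampered": verify(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hashes taken at collection time, the recorded source metadata and the hash of the manifest itself are the pieces that let a witness later testify that a produced file is the one that was collected, which is the showing FRE 901(a) asks for. Note what a logical copy cannot carry: ctime on the original is recorded but not reproduced, and nothing in unallocated space is captured at all.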

Matters that do merit bit stream copying typically involve suspicion that evidence has been destroyed, altered or concealed, such as an employee illegally copying an employer’s intellectual property, where deleted files and unallocated space are themselves part of the evidence. These matters typically involve far fewer custodians than the litigation common among Fortune 500-class companies, where custodians routinely number in the thousands. As a consequence, counsel can keep review costs from spiraling out of control and limit the additional time bit stream imaging requires.

Regulatory: The regulatory world straddles the civil and criminal realms, often leading to a hybrid approach to preservation and collection. Federal and state regulatory bodies have broad authority to request information, not simply to prove a case but even to begin building one. Because of the sweeping authority courts often grant regulatory investigators, companies may receive extremely broad requests early in an investigation.

Because it may not be clear where the facts will lead or what may later prove relevant, many experts advise a broad scope of collection and a lean toward a collect-all approach. Regulators also often have an easier time proving obstruction or conspiracy than the underlying violation, and will therefore keenly review deleted files and user activity suggesting the manipulation of evidence, which is exactly what a bit stream image preserves and a logical copy does not.