eDiscovery Daily Blog

Pop Quiz: Is it Possible for a File to be Modified Before it is Created? – eDiscovery Best Practices

Sounds like a trick question, doesn’t it?  The answer is yes.  And, collecting files in a forensically unsound manner can be a drag…and drop.

You know those TV shows where they say “Don’t try this at home?”  Here is an exercise you can try at home.  Follow these steps:

Open Windows Explorer and go to one of your commonly used folders – for example, your Documents folder.  Select one of the documents by clicking on it.  Then, hold down the Ctrl key on your keyboard and drag that file to another folder (preferably another of your commonly used folders).  You’ve just created a copy of that file.  BTW, be sure you hold down the Ctrl key when dragging; otherwise, you will move the file to the new folder instead of copying it.

Go to the folder containing the new copy of the file in Windows Explorer and right-click on the file, then select Properties from the pop-up menu.  You will then see a Properties window similar to the one in the graphic at the top of this blog post.  In my example, I used a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.

Notice anything unusual?  The Created date and the Accessed date reflect the date and time that you performed a “drag and drop” of the file to create a copy of it in a new location.  The Modified date still reflects the date the original file was last modified – in my example above, the modified date is the date and time when I last edited that document in Word.  The file appears to have been modified one month before it was created.*

If this were an eDiscovery collection scenario and you used “drag and drop” to collect a file like this, then…congratulations! – you’ve just spoliated metadata during the collection process.  This is one reason why “drag and drop” is not a recommended approach for collecting data for eDiscovery purposes.

There are better, more forensically sound, free methods for collecting data, even if your goal is simply to perform a targeted collection of active files from within a folder.  If you wish to also collect deleted files and data from drive “slack space”, there are free methods for performing that collection as well.  Next week, we will begin discussing some of those methods.

So, what do you think?  Have you used “drag and drop” as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

* – Microsoft Office files do keep their own internal metadata date fields, so the date created would still be preserved within that field.  Other file types do not, so the “drag and drop” method would eliminate the date created completely for the new copies of those files.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.