Close
Enter your
text here

Evidence

Court Rules that Stored Communications Act Applies to Former Employee Emails – eDiscovery Case Law

In Lazette v. Kulmatycki, No. 3:12CV2416, 2013 U.S. Dist. (N.D. Ohio June 5, 2013), the Stored Communications Act (SCA) applied when a supervisor reviewed his former employee’s Gmails through her company-issued smartphone; it covered emails the former employee had not yet opened but not emails she had read but not yet deleted.

When the plaintiff left her employer, she returned her company-issued Blackberry, which she believed the company would recycle and give to another employee. Over the next eighteen months, her former supervisor read 48,000 emails on the plaintiff’s personal Gmail account without her knowledge or authorization. The plaintiff also claimed her supervisor shared the contents of her emails with others. As a result, she filed a lawsuit alleging violations of the SCA, among other claims.

The SCA allows recovery where someone “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage in such system.” “Electronic storage” includes “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”

The defendants claimed that Kulmatycki’s review of the plaintiff’s emails did not violate the SCA for several reasons: the SCA was aimed at “‘high-tech’ criminals, such as computer hackers,”‘ that Kulmatycki had authority to access the plaintiff’s emails, that his access “did not occur via ‘a facility through which an electronic communication service is provided’ other than the company owned Blackberry,” that “the emails were not in electronic storage when Kulmatycki read them,” and that the company was exempt because “the person or entity providing an electronic communications service is exempt from the Act, because the complaint does not make clear that plaintiff’s g-mail account was separate from her company account.”

The court rejected all but one of the defendants’ arguments. The SCA’s scope extended beyond high-tech hackers, and the Gmail server was the “facility” in question, not the plaintiff’s Blackberry. The court also found that the plaintiff’s failure to delete her Gmail account from her Blackberry did not give her supervisor her implied consent to access her emails; the plaintiff’s negligence did not amount to “approval, much less authorization. There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone be stopping by.” The court also found that the former employer could be held liable through respondeat superior: the actions of the supervisor could be imputed to the company.

Where the defendants scored a minor victory is in their interpretation of “storage”: any emails that the plaintiff had opened but not deleted before the defendant saw them were not being kept “for the purposes of backup protection” and thus were not protected under the SCA.

Accordingly, the court allowed the plaintiff’s SCA claim to proceed.

So, what do you think?  Should the emails have been protected under the SCA?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case Summary Source: Applied Discovery (free subscription required).  For eDiscovery news and best practices, check out the Applied Discovery Blog here.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Appellate Court Denies Sanctions for Routine Deletion of Text Messages – eDiscovery Case Law

In PTSI, Inc. v. Haley, No. 684 WDA 2012, 2013 Pa. Super. (Pa. Super. Ct. May 24, 2013), the appellate court denied a motion for spoliation sanctions where the defendants routinely deleted text messages and other data to “clean up” their personal electronic devices: the volume of messages and limited amount of phone storage made it difficult to retain all data and still use the phone for messaging.

Here, the plaintiff filed claims of conversion, breach of the duty of loyalty, and breach of fiduciary duty against its former at-will employees and their new competing business. The trial court dismissed all claims at summary judgment. It also denied PTSI’s motion seeking sanctions for spoliation, because the deletion of electronically stored information, including text messages, was not relevant to the summary judgment decision.

During discovery, PTSI filed a motion seeking sanctions based on its two former employees’ deletion of electronic records from their computers and phones, including text messages. The company claimed the information was “vital to the prosecution of this case” and could not be “feasibly reconstructed or retrieved without enormous time and expense to PTSI, if at all.”

Under Pennsylvania law, the court had to evaluate three factors to determine the appropriate sanction: “(1) the degree of fault of the party who altered or destroyed the evidence; (2) the degree of prejudice suffered by the opposing party; and (3) whether there is a lesser sanction that will avoid substantial unfairness to the opposing party and, where the offending party is seriously at fault, will serve to deter such conduct by others in the future.”

To determine the level of fault, the court considered the extent of the duty to preserve the evidence, based on whether litigation is foreseeable and whether the evidence might be prejudicial to the opposing party, and whether the evidence was destroyed in bad faith. The court also considered proportionality in making decisions, including five factors spelled out in the comments to the Pennsylvania Rules of Civil Procedure:

  • the nature and scope of the litigation, including the importance and complexity of the issues and the amounts at stake;
  • the relevance of electronically stored information and its importance to the court’s adjudication in the given case;
  • the cost, burden and delay that may be imposed on the parties to deal with electronically stored information;
  • the ease of producing electronically stored information and whether substantially similar information is available with less burden; and
  • any other factors relevant under the circumstances.

Here, the amount in controversy and the importance of the issues involving the data did not support awarding a discovery sanction. Moreover, PTSI could not show that its former employees’ “innocent clean up of personal electronic devices to allow them to function was unusual, unreasonable or improper under the circumstances.” Because the defendants “routinely deleted text messages, often on a daily basis, so as not to unduly encumber their iPhones” and because of “the volume of text messages that are frequently exchanged by cell phone users and the limited amount of storage on cell phones, it would be very difficult, if not impossible, to save all text messages and to continue to use the phone for messaging.” Furthermore, the order of preservation was entered well after any relevant data would have already been created and deleted. In addition, similar information was available from other sources and custodians; the forensic examiner in the case unearthed more than 1,000 e-mails from the employees’ computers. Finally, any spoliation inference could not defeat the summary judgment motion.

The appellate court agreed with the trial court’s reasoning and found no abuse of discretion.

So, what do you think?  Should the sanctions have been granted?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case Summary Source: Applied Discovery (free subscription required).  For eDiscovery news and best practices, check out the Applied Discovery Blog here.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Judge Rules Against Spoliation Sanctions when the Evidence Doesn’t Support the Case – eDiscovery Case Law

In Cottle-Banks v. Cox Commc’ns, Inc., No. 10cv2133-GPC (WVG) (S.D. Cal. May 21, 2013), California District Judge Gonzalo P. Curiel denied the plaintiff’s motion for spolation sanctions because the plaintiff was unable to show that deleted recordings of customer calls would have likely been relevant and supportive of her claim.

The defendant provides services and products such as set-top cable boxes and customers call in to order these services and products.  The plaintiff alleged a practice of charging customers for boxes without disclosing, and obtaining approval for equipment charges – a violation of the Communications Act of 1934, 47 U.S.C. § 543(f).  The plaintiff’s discovery requests included copies of recording of her own calls with the defendant, and the defendant began preserving tapes when the plaintiff notified the defendant that she would seek call recordings in discovery, not before that.  As a result, the plaintiff filed a motion for spoliation sanctions, requesting an adverse inference and requesting that the defendant be excluded from introducing evidence that it’s call recordings complied with 47 U.S.C. § 543(f).

From the call recordings still available, a sample of recordings was provided to the plaintiff – in those calls, it was evident that the defendant did, in fact, get affirmative acceptance of the additional charges as a matter of practice.

Judge Curiel ruled that the defendant “had an obligation to preserve the call recordings when the complaint was filed in September 2010” and that the defendant “had an obligation to preserve the call recording, [so] Defendant was negligent in failing to preserve the back up tapes. Thus, Defendant had a culpable state of mind.”  However, because the “Plaintiff cited only two call recordings out of 280 call recordings produced to support her position”, the judge concluded “that the deleted call recordings would not have been supportive of Plaintiff’s claim.”  Because “Plaintiff has not demonstrated all three factors to support an adverse inference sanction”, Judge Curiel denied the plaintiff’s motion as to adverse inference and preclusion.

So, what do you think?  Should the sanction request have been denied?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Adverse Inference Sanction for Defendant who Failed to Stop Automatic Deletion – eDiscovery Case Law

Remember the adverse inference instructions in the Zubulake v. UBS Warburg and Apple v. Samsung cases?  This case has characteristics of both of those.

In Pillay v. Millard Refrigerated Servs., Inc., No. 09 C 5725 (N.D. Ill. May 22, 2013), Illinois District Judge Joan H. Lefkow granted the plaintiff’s motion for an adverse inference jury instruction due to the defendant’s failure to stop automatic deletion of employee productivity tracking data used as a reason for terminating a disabled employee.

Case Background

The plaintiff alleged that the defendant is liable for retaliation under the Americans with Disabilities Act (“ADA”) for terminating his employment after the plaintiff opposed the defendant’s decision to terminate another employee because of a perceived disability.  The defendant employed a labor management system (“LMS”) to track its warehouse employees’ productivity and performance.  Shortly after hiring the employee and telling him that his LMS numbers were great, the defendant fired the employee when it was determined that a prior work injury he suffered rendered him with a disability rating of 17.5 percent by the Illinois Industrial Commission, which prompted the senior vice president to send an email to the general manager stating “We have this all documented right? … Let’s get him out asap.”  The employee (and the plaintiff, for objecting to the termination) was terminated in August 2008 and the defendant contended that the employee’s termination resulted from his unacceptable LMS performance rating of 59 percent.

Deletion of LMS Data

In August 2009, the raw data used to create the employee’s LMS numbers were deleted because the LMS software automatically deleted the underlying data after a year. Before the information was deleted, the plaintiff and other terminated employee provided several notices of the duty to preserve this information, including:

  • A demand letter from the plaintiff in September 2008;
  • Preservation notices from the plaintiff and other terminated employee in December 2008 reminding the defendant of its obligations to preserve evidence;
  • Charges filed by both terminated employees with the Equal Employment Opportunity Commission (“EEOC”) in January 2009.

Also, the defendant’s 30(b)(6) witness testified that supervisors could lower an LMS performance rating by deleting the underlying data showing that an employee worked a certain number of jobs for a given period of time, which the plaintiff contended happened in this case.  As a result, the plaintiff filed a motion for the adverse inference jury instruction.

Judge’s Ruling

Noting that the defendant “relied on this information when responding to the EEOC charges, which occurred before the deletion of the underlying LMS data” and that “[i]nformation regarding the underlying LMS data would have been discoverable to challenge Millard’s explanation for Ramirez’s termination”, Judge Lefkow found that the defendant had a duty to preserve the LMS data (“A party must preserve evidence that it has notice is reasonably likely to be the subject of a discovery request, even before a request is actually received.”).

With regard to the defendant’s culpability in deleting the data, Judge Lefkow stated “[t]hat Millard knew about the pending lawsuit and that the underlying LMS data would be deleted but failed to preserve the information was objectively unreasonable. Accordingly, even without a finding of bad faith, the court may craft a proper sanction based on Millard’s failure to preserve the underlying LMS data.”

So, Judge Lefkow granted the plaintiff’s request for an adverse inference sanction with the following instruction to be given to the jury:

“Pillay contends that Millard at one time possessed data documenting Ramirez’s productivity and performance that was destroyed by Millard. Millard contends that the loss of the data was accidental. You may assume that such evidence would have been unfavorable to Millard only if you find by a preponderance of the evidence that (1) Millard intentionally or recklessly caused the evidence to be destroyed; and (2) Millard caused the evidence to be destroyed in bad faith.”

So, what do you think?  Should the adverse inference sanction have been awarded?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Capturing Memory and Obtaining Protected Files with FTK Imager – eDiscovery Best Practices

Over the past few weeks, we have talked about the benefits and capabilities of Forensic Toolkit (FTK) Imager from AccessData (and obtaining your own free copy), how to create a disk image, how to add evidence items for the purpose of reviewing the contents of those evidence items (such as physical drives or images that you’ve created) and how to export files and create a custom content image of a targeted collection of files with FTK Imager.  This week, let’s discuss how to Capture Memory and Obtain Protected Files to collect a user’s account information and possible passwords to other files.

Capture Memory

If you’re trying to access the contents of memory from an existing system that’s running, you can use a runtime version of FTK Imager from a flash drive to access that memory.  From the File menu, you can select Capture Memory to capture data stored in memory within the system.

Capturing memory can be useful for a number of reasons.  For example, if TrueCrypt is running to encrypt the contents of the drive, the password could be stored in memory – if it is, Capture Memory enables you to capture the contents of memory (including the password) before it is lost.

Simply specify the destination path and filename to capture memory to the specified file.  You can also include the contents of pagefile.sys, which is a Windows system file that acts as a swap file for memory; hence, it can contain useful memory information as well.  Creating an AD1 file enables you to create an AD1 image of the memory contents – then you can add it as an evidence item to review the contents.

Obtain Protected Files

Because Windows does not allow you to copy or save live Registry files, you would have to image the hard drive and then extract the Registry files, or boot the computer from a boot disk and copy the Registry files from the inactive operating system on the drive. From the File menu, you can select Obtain Protected Files to circumvent the Windows operating system and its file locks, thus allowing you to copy the live Registry files.  If the user allows Windows to remember his or her passwords, that information can be stored within the registry files.

Specify the destination path for the obtained files, then select the option for which files you would like to obtain.  The Minimum files for login recovery option retrieves Users, System, and SAM files from which you can recover a user’s account information.  The Password recovery and all Registry files option is more comprehensive, retrieving Users, System, SAM, NTUSER.DAT, Default, Security, Software, and Userdiff files from which you can recover account information and possible passwords to other files, so it’s the one we tend to use.

For more information, go to the Help menu to access the User Guide in PDF format.

So, what do you think?  Have you used FTK Imager as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Export Files and Custom Content Images in FTK Imager – eDiscovery Best Practices

Over the past few weeks, we have talked about the benefits and capabilities of Forensic Toolkit (FTK) Imager from AccessData (and obtaining your own free copy), how to create a disk image and how to add evidence items with FTK Imager for the purpose of reviewing the contents of evidence items, such as physical drives or images that you’ve created.  This week, let’s discuss how to export files and how to create a custom content image of a targeted collection of files.

Sometimes, you don’t want to create an image of the entire drive; instead, you’d like to perform a targeted collection or export individual files to review them.  Let’s discuss how to do that.

Export Files

As we discussed last time, you can Add Evidence Item to add a single evidence item to the evidence tree.  You can select a Physical Drive or Logical Drive, an Image File to view an image file created before or Contents of a Folder, to look at a specific folder.  You can also Add All Attached Devices to add all of the attached physical and logical devices.  When you select one or more evidence items, the selected items will be displayed in the Evidence Tree on the left hand side; navigate to the folder you want and it will display the contents on the right hand side.

Select one or more files (use Ctrl+Click to select multiple files or Shift+Click to select a range of files), then right-click on one of the files to display a popup menu.

Select Export Files to export the selected files, then FTK Imager will prompt you for a folder where the files will be saved.  The files will be saved to that folder.  Exporting files can be useful to pull a copy of selected files out of a forensic image for review.

Create Custom Content Image

As you’ll notice in the previous section, when you display the popup menu, another choice is to Add to Custom Content Image (AD1).  This enables you to start building a targeted list of files to be included in a custom image – useful if you want a specific group of files and not everything on the evidence item.

Any files that you select will then be added to the Custom Content Sources pane in the lower left window.  Continue adding items by repeating this step until you’ve specified or selected all the evidence files you want to add to this Custom Content image.  You can also use the Edit button to open the Wild Card Options dialog and select all files that meet a certain criteria (e.g., “My Documents|*.doc” will collect all files with a .doc extension in any folder named My Documents).

Once you have built your desired list of files, you can then build your Custom Content Image.  Select Create Custom Content Image from the file menu.  You can then repeat the steps for the Create Image, Evidence Item Information, Select Image Destination, Drive/Image Verify Results and Image Summary forms as illustrated in our earlier post How to Create an Image Using FTK Imager.  The resulting image will have an AD1 extension.  Then, this image can be examined just like any other image.

For more information, go to the Help menu to access the User Guide in PDF format.

Next time, we will discuss how to Obtain Protected Files to collect a user’s account information and possible passwords to other files.

So, what do you think?  Have you used FTK Imager as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Some Additional Perspective on the EDRM Enron Data Set “Controversy” – eDiscovery Trends

Sharon Nelson wrote a terrific post about the “controversy” regarding the Electronic Discovery Reference Model (EDRM) Enron Data Set in her Ride the Lightning blog (Is the Enron E-Mail Data Set Worth All the Mudslinging?).  I wanted to repeat some of her key points here and offer some of my own perspective directly from sitting in on the Data Set team during the EDRM Annual Meeting earlier this month.

But, First a Recap

To recap, the EDRM Enron Data Set, sourced from the FERC Enron Investigation release made available by Lockheed Martin Corporation, has been a valuable resource for eDiscovery software demonstration and testing (we covered it here back in January 2011).  Initially, the data was made available for download on the EDRM site, then subsequently moved to Amazon Web Services (AWS).  However, after much recent discussion about personally-identifiable information (PII) data (including social security numbers, credit card numbers, dates of birth, home addresses and phone numbers) available within FERC (and consequently the EDRM Data Set), the EDRM Data Set was taken down from the AWS site.

Then, a couple of weeks ago, EDRM, along with Nuix, announced that they have republished version 1 of the EDRM Enron PST Data Set (which contains over 1.3 million items) after cleansing it of private, health and personal financial information. Nuix and EDRM have also published the methodology Nuix’s staff used to identify and remove more than 10,000 high-risk items, including credit card numbers (60 items), Social Security or other national identity numbers (572), individuals’ dates of birth (292) and other personal data.  All personal data gone, right?

Not so fast.

As noted in this Law Technology News article by Sean Doherty (Enron Sandbox Stirs Up Private Data, Again), “Index Engines (IE) obtained a copy of the Nuix-cleansed Enron data for review and claims to have found many ‘social security numbers, legal documents, and other information that should not be made public.’ IE evidenced its ‘find’ by republishing a redacted version of a document with PII” (actually, a handful of them).  IE and others were quite critical of the effort by Nuix/EDRM and the extent of the PII data still remaining.

As he does so well, Rob Robinson has compiled a list of articles, comments and posts related to the PII issue, here is the link.

Collaboration, not criticism

Sharon’s post had several observations regarding the data set “controversy”, some of which are repeated here:

  • “Is the legal status of the data pretty clear? Yes, when a court refused to block it from being made public apparently accepting the greater good of its release, the status is pretty clear.”
  • “Should Nuix be taken to task for failure to wholly cleanse the data? I don’t think so. I am not inclined to let perfect be the enemy of the good. A lot was cleansed and it may be fair to say that Nuix was surprised by how much PII remained.”
  • “The terms governing the download of the data set made clear that there was no guarantee that all the PII was removed.” (more on that below in my observations)
  • “While one can argue that EDRM should have done something about the PII earlier, at least it is doing something now. It may be actively helpful to Nuix to point out PII that was not cleansed so it can figure out why.”
  • “Our expectations here should be that we are in the midst of a cleansing process, not looking at the data set in a black or white manner of cleansed or uncleansed.”
  • “My suggestion? Collaboration, not criticism. I believe Nuix is anxious to provide the cleanest version of the data possible – to the extent that others can help, it would be a public service.”

My Perspective from the Data Set Meeting

I sat in on part of the Data Set meeting earlier this month and there was a couple of points discussed during the meeting that I thought were worth relaying:

1.     We understood that there was no guarantee that all of the PII data was removed.

As with any process, we understood that there was no effective way to ensure that all PII data was removed after the process was complete and discussed needing a mechanism for people to continue to report PII data that they find.  On the download page for the data set, there was a link to the legal disclaimer page, which states in section 1.8:

“While the Company endeavours to ensure that the information in the Data Set is correct and all PII is removed, the Company does not warrant the accuracy and/or completeness of the Data Set, nor that all PII has been removed from the Data Set. The Company may make changes to the Data Set at any time without notice.”

With regard to a mechanism for reporting persistent PII data, there is this statement on the Data Set page on the EDRM site:

PII: These files may contain personally identifiable information, in spite of efforts to remove that information. If you find PII that you think should be removed, please notify us at mail@edrm.net.”

2.     We agreed that any documents with PII data should be removed, not redacted.

Because the original data set, with all of the original PII data, is available via FERC, we agreed that any documents containing sensitive personal information should be removed from the data set – NOT redacted.  In essence, redacting those documents is putting a beacon on them to make it easier to find them in the FERC set or downloaded copies of the original EDRM set, so the published redacted examples of missed PII only serves to facilitate finding those documents in the original sets.

Conclusion

Regardless of how effective the “cleansing” of the data set was perceived to be by some, it did result in removing over 10,000 items with personal data.  Yet, some PII data evidently remains.  While some people think (and they may have a point) that the data set should not have been published until after an independent audit for remaining PII data, it seems impractical (to me, at least) to wait until it is “perfect” before publishing the set.  So, when is it good enough to publish?  That appears to be open to interpretation.

Like Sharon, my hope is that we can move forward to continue to improve the Data Set through collaboration and that those who continue to find PII data in the set will notify EDRM, so that they can remove those items and continue to make the set better.  I’d love to see the Data Set page on the EDRM site reflect a history of each data set update, with the revision date, the number of additional PII items found and removed and who identified them (to give credit to those finding the data).  As Canned Heat would say, “Let’s Work Together”.

And, we haven’t even gotten to version 2 of the Data Set yet – more fun ahead!  🙂

So, what do you think?  Have you used the EDRM Enron Data Set?  If so, do you plan to download the new version?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Hard Drive Turned Over to Criminal Defendant – Eight Years Later – eDiscovery Case Law

If you think discovery violations by the other side can cause you problems, imagine being this guy.

As reported by WRAL.com in Durham, North Carolina, the defense in State of North Carolina v. Raven S. Abaroa, No. 10 CRS 1087 filed a Motion to Dismiss the Case for Discovery Violations after the state produced a forensic image of a hard drive (in the middle of trial) that had been locked away in the Durham Police Department for eight years.

After the state responded to the defendant’s March 2010 discovery request, the defendant filed a Motion to Compel Discovery in October 2012, alleging that the state had failed to disclose all discoverable “information in the possession of the state, including law enforcement officers, that tends to undermine the statements of or reflects negatively on the credibility of potential witnesses”.  At the hearing on the motion, the Assistant DA stated that all emails had been produced and the court agreed.

On April 29 of this year, the defendant filed another Motion to Compel Specific Items of Discovery “questioning whether all items within the state’s custody had been revealed, including information with exculpatory or impeachment value”.  Once again, the state assured the court it had met its discovery obligations and the court again denied the motion.

During pre-trial preparation of a former forensic examiner of the Durham Police Department (DPD) and testimony of detectives in the case, it became apparent that a hard drive of the victim’s that was imaged was never turned over to the defense.  On May 15, representatives of the DPD located the image from the victim’s hard drive which had been locked away in a cabinet for eight years.  Once defense counsel obtained a copy of the drive, their forensic examiner retrieved several emails between the victim and her former boyfriend that were exchanged within a few weeks of the murder that belied the prosecution’s portrayal of the defendant as an unfaithful, verbally abusive and controlling husband feared by his wife.  In testimony, the defendant’s forensic examiner testified that had he known about the hard drive in 2005, steps could have been taken to preserve the emails on the email server and that they could have provided a better snapshot of the victim’s email and Internet activity.

This led to the filing of the Motion to Dismiss the Case for Discovery Violations by the defense (link to the filing here).

As reported by WTVD, Judge Orlando Hudson, having been recently ruled against by the North Carolina Court of Appeals in another murder case where he dismissed the case based on discovery violations by Durham prosecutors, denied the defense’s requests for a dismissal or a mistrial.  Sounds like interesting grounds for appeal if the defendant is convicted.

So, what do you think?  Should the judge have granted the defense’s request for a dismissal, or at least a mistrial?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Adding Evidence Items with FTK Imager – eDiscovery Best Practices

A couple of weeks ago, we talked about the benefits and capabilities of Forensic Toolkit (FTK) Imager, which is a computer forensics software application provided by AccessData, as well as how to download your own free copy.  Then, last week, we discussed how to create a disk image.  This week, let’s discuss how to add evidence items with FTK Imager for the purpose of reviewing the contents of evidence items, such as physical drives or images that you’ve created.

Adding Evidence Items Using FTK Imager

Last week, I created an image of one of my flash drives to illustrate the process of creating an image.  Let’s take a look at that image as an evidence item.

From the File menu, you can select Add Evidence Item to add a single evidence item to the evidence tree.  You can also select Add All Attached Devices to add all of the attached physical and logical devices (If no media is present in an attached device such as a CD- or DVD-ROM or a DVD-RW, the device is skipped).  In this case we’ll add a single evidence item.

Source Evidence Type: The first step is to identify the source type that you want to review.  You can select Physical Drive or Logical Drive (as we noted before, a physical device can contain more than one logical drive).  You can also select an Image File to view an image file you created before or Contents of a Folder, to look at a specific folder.  In this example, we’ll select Image File to view the image of the flash drive we created and locate the source path of the image file.

The evidence tree will then display the item – you can keep adding evidence items if you want to look at more than one at once.  The top node is the selected item, from which you can drill down to the contents of the item.  This includes partitions and unpartitioned space, folders from the root folder on down and unallocated space, which could contain recoverable data.  Looking at the “Blog Posts” folder, you see a list of files in the folder, along with file slack.  File slack is the space between the end of a file and the end of the disk cluster in which it is stored. It’s common because data rarely fills clusters exactly, and residual data occur when a smaller file is written into the same cluster as a previous larger file, leaving potentially meaningful data.

You’ll also notice that some of the files have an “X” on them – these are files that have been deleted, but not overwritten.  So, with FTK Imager, you can not only view active data, you can also view inactive data in deleted files, file slack or unallocated space!  When you click on a file, you can view the bit-by-bit contents of the file in the lower right window.  You can also right-click on one or more files (or even an entire folder) to display a pop-up menu to enable you to export a copy of the file(s) out and review them with the native software.  You can also Add to Custom Content Image to begin compiling a list of files to put into an image, enabling you to selectively include specific files (instead of all of the files from the device) into the image file you create.

Next time, we’ll discuss Add to Custom Content Image in more detail and discuss creating the custom content image of specific files you select.

For more information, go to the Help menu to access the User Guide in PDF format.

So, what do you think?  Have you used FTK Imager as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Defendant Compelled by Court to Produce Metadata – eDiscovery Case Law

Remember when we talked about the issue of metadata spoliation resulting from “drag and drop” to collect files?  Here’s a case where it appears that method may have been used, resulting in a judgment against the producing party.

In AtHome Care, Inc. v. The Evangelical Lutheran Good Samaritan Society, No. 1:12-cv-053-BLW (D. ID. Apr. 30, 2013), Idaho District Judge B. Lynn Winmill granted the plaintiff’s motion to compel documents, ordering the defendant to identify and produce metadata for the documents in this case.

In this pilot project contract dispute between two health care organizations, the plaintiff filed a motion to compel after failing to resolve some of the discovery disputes with the defendant “through meet and confers and informal mediation with the Court’s staff”.  One of the disputes was related to the omission of metadata in the defendant’s production.

Judge Winmill stated that “Although metadata is not addressed directly in the Federal Rules of Civil Procedure, it is subject to the same general rules of discovery…That means the discovery of metadata is also subject to the balancing test of Rule 26(b)(2)(C), which requires courts to weigh the probative value of proposed discovery against its potential burden.” {emphasis added}

“Courts typically order the production of metadata when it is sought in the initial document request and the producing party has not yet produced the documents in any form”, Judge Winmill continued, but noted that “there is no dispute that Good Samaritan essentially agreed to produce metadata, and would have produced the requested metadata but for an inadvertent change to the creation date on certain documents.”

The plaintiff claimed that the system metadata was relevant because its claims focused on the unauthorized use and misappropriation of its proprietary information and whether the defendant used the plaintiff’s proprietary information to create their own materials and model, contending “that the system metadata can answer the question of who received what information when and when documents were created”.  The defendant argued that the plaintiff “exaggerates the strength of its trade secret claim”.

Weighing the value against the burden of producing the metadata, Judge Winmill ruled that “The requested metadata ‘appears reasonably calculated to lead to the discovery of admissible evidence.’ Fed.R. Civ.P. 26(b)(1). Thus, it is discoverable.” {emphasis added}

“The only question, then, is whether the burden of producing the metadata outweighs the benefit…As an initial matter, the Court must acknowledge that Good Samaritan created the problem by inadvertently changing the creation date on the documents. The Court does not find any degree of bad faith on the part of Good Samaritan — accidents happen — but this fact does weight in favor of requiring Good Samaritan to bear the burden of production…Moreover, the Court does not find the burden all that great.”

Therefore, the plaintiff’s motion to compel production of the metadata was granted.

So, what do you think?  Should a party be required to produce metadata?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.