Rule 26, Rule 37, HIKE!

Technical information to assist you in a Rule 26 Conference.

It is not always practical to take a forensic examiner to your Rule 26 Conferences – but if you can, we recommend it highly. If you can’t, however, there are some issues that you will want to include in your evidentiary requests.

You will undoubtedly ask for information from computers that are a target of the discovery process – however, did you know that you can also request a list of devices that were attached to that computer so that they can also be included in your discovery request? On Windows-based computers, the registry tracks the removable devices that have been attached to the computer – and in many cases, includes the serial number of the device. So when you ask for all of the thumb drives or external USB drives used on a computer, you will actually know if the drives produced are the ones requested, or if they were simply purchased earlier that day.
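As an added illustration (not part of the original article), here is how an examiner might reconcile the registry's list of attached USB storage devices against the serial numbers of the drives actually produced. It assumes the subkey names under `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` have already been exported to text; the sample entries, serial numbers and function names are constructed for the example.

```python
import re

# Constructed sample: "device class key\instance ID" pairs as exported from
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR on the computer under discovery.
SAMPLE_USBSTOR = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001090123456789&0",
    r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\60A44C413A8FB1C0A9870012&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0",
]

DEVICE_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$"
)

def parse_usbstor(path):
    """Split one USBSTOR entry into vendor, product, revision and serial."""
    device_key, _, instance = path.partition("\\")
    match = DEVICE_RE.match(device_key)
    if not match or not instance:
        return None
    # When the second character of the instance ID is '&', Windows generated
    # the ID itself because the device reported no unique serial number.
    has_serial = len(instance) > 1 and instance[1] != "&"
    info = match.groupdict()
    info["serial"] = instance.rsplit("&", 1)[0].upper() if has_serial else None
    return info

def reconcile(registry_paths, produced_serials):
    """Compare devices the registry recorded with the drives handed over."""
    produced = {s.upper() for s in produced_serials}
    attached, no_serial = set(), []
    for path in registry_paths:
        dev = parse_usbstor(path)
        if dev is None:
            continue
        if dev["serial"] is None:
            no_serial.append(f'{dev["vendor"]} {dev["product"]}')
        else:
            attached.add(dev["serial"])
    return {
        "matched": sorted(produced & attached),
        "attached_not_produced": sorted(attached - produced),
        "produced_never_attached": sorted(produced - attached),
        "no_unique_serial": no_serial,
    }

if __name__ == "__main__":
    # Constructed serials of the two drives produced in response to the request.
    print(reconcile(SAMPLE_USBSTOR, ["4c530001090123456789", "AA00000000000001"]))
```

A drive listed under `produced_never_attached` is the "purchased earlier that day" case; a device under `no_unique_serial` cannot be tied to one specific physical drive from this key alone.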

Certainly you will ask for any mobile phones that may contain valuable evidence, but did you know that most corporate email systems track the devices that attach to them to pull data? A simple request to the IT department for a list of all devices that a user used to attach to corporate resources takes the guesswork out of how many devices – personal or corporate – were used to access information from a protected source.

Backups are the bane of existence for many people and the companies that they work for. With the advent of the Safe-Harbor clause in Rule 37, people can often declare that data does not exist because it was purged in accordance with corporate retention policies and therefore they are unable to comply with requests. However, if the purge carried out under the corporate retention policy is unchecked and automatic, a litigation hold order might inadvertently be neglected. It is wise to involve the company's IT personnel at that point so that the retention policy is excluded or suspended with respect to the information sought.

Another item that must be considered is something called Shadow Copies. On Windows-based computers, Shadow Copies may exist on workstations, which will allow you to “go back in time” to see revisions of documents. This same technology may also be present on Macs using a built-in program called “Time Machine”, which is an image-based backup that often occurs automatically. It is wise to ask whether a “Time Capsule” or other such storage medium is or was in use.

Finally, copies vs. images is a topic that must be discussed. Historically we refer to images as pictures or graphics; however, in the context of evidentiary discovery, an image is something completely different. If you request copies of documents in a proceeding, you will not have a lot of the information that you may require. If, on the other hand, you request a forensic image, the forensic examiner will create a complete “image” of the storage medium, which will include deleted files, metadata, and other information that will not be found in copied documents. As well, a qualified forensic examiner will create a hash, or digital fingerprint, of the device to ensure that the original drive and the forensic copy are identical, thus aiding in admissibility.

So if you can’t take your tech, take these suggestions with you. It isn’t everything there is to know, but it might just be what you need to make your case.

