Preserving and Harvesting Non-Traditional ESI
by Conrad Jacoby
As has been made explicitly clear in the Federal Rules of Civil Procedure, relevant information is potentially discoverable, regardless of where and how it has been stored. As a consequence, traditional definitions of “document” no longer match real life, since relevant information may be as likely to be stored in a database entry or a chat log as in standalone word processing documents.
This new awareness of information relevance is forcing legal teams and their clients to update their document preservation procedures, especially with respect to potentially relevant electronically stored information (“ESI”) that is stored on specialized computerized devices like mobile phones, PDAs, and Internet appliances. These small devices don’t fit the conventional definition of “computer” and often fall outside a company’s ordinary channels of information management. As a result, litigants are often confused about what procedures are reasonable in light of current technology and data management practices. Fortunately, answering a few basic questions will often provide enough guidance to permit a legal team to craft a case-specific strategy with respect to untraditional sources of ESI.
What Is The Likelihood That These Devices Contain Unique ESI?
Many portable computing devices are explicitly designed to serve as ancillary, not primary, information repositories. Through a variety of synchronization processes, these devices collect information that has originated elsewhere (e.g., e-mail, documents copied from a primary computer, audio and video files) and provide convenience copies for remote use.
If these portable devices merely mirror content that exists elsewhere, a producing party can make a strong argument that these devices do not contain unique information that cannot be accessed more easily from an alternate source. Unfortunately, things are rarely that simple. Data that originated elsewhere may no longer be available in its original location. An iPod, smart phone, or other traveling data repository, especially when only manually synchronized with its host, may become the last known repository for data. Retired Blackberries are notorious for containing e-mail dating back to the moment they were turned off or disconnected from their service network. Though not initially valuable, such information can, over time, become unique.
Some portable devices are also used to create new content, particularly e-mail and short text messages. Many times, devices are configured to send this data back to a primary data repository or computer, but sometimes, these messages may be stored only on the device itself. Fortunately, depending on these facts—which not all owners fully understand—portable devices typically fall fairly clearly on one side or the other of the unique / duplicative data dividing line.
What Technology Must Be Used To Harvest Data?
Portable devices with embedded computer technology often require special procedures to harvest their data. Even devices that run a somewhat standard operating system, such as Linux or Microsoft Windows Mobile, typically lack the standard input / output (“i/o”) ports found on traditional desktop and laptop computers. In a best case scenario, data collectors can use a device’s USB ports, using simple hardware adaptors to match proprietary device ports. However, in more complicated situations, standard forensic imaging software may not be able to fully recognize a customized embedded operating system, creating the potential for incomplete or failed data acquisition.
Fortunately, cell phones, iPods, and other portable computing devices use an increasingly standardized set of operating systems and applications. Data collection from a Blackberry device, once an exotic and risky undertaking, is now relatively common and almost, to the extent it can be, an automated harvesting process. Other common devices powered by Linux, Microsoft Windows Mobile, PalmOS and Symbian operating systems, can also be accessed using popular forensic software and tool kits. Some of these data harvesting tools can build a full forensic images that permit legal teams to clone one or more copies of the device to investigate how data was displayed and accessed.
Who Should Collect Non-Traditional ESI?
Data collection services—and even some in-house forensic teams—typically have specialists who have received additional training for harvesting information from portable devices. It’s worth the extra cost. A technician attempting a “maiden voyage” in portable device data acquisition is not only more likely to incorrectly harvest data but may also inadvertently alter or overwrite data on the device itself. In a litigation environment where any loss of data is viewed with suspicion, it makes little sense for litigants to skimp on the small incremental cost to greatly increase the odds of successful, admissible data acquisition.
Legal teams should resist the urge to harvest data themselves using techniques such as forwarding e-mail messages stored on a device or removing an embedded flash storage card to copy files from it. Such procedures are often inadequate when used to collect data from traditional electronic data repositories, and they are no better when used in this context. A forensic technician may image removable flash storage outside of a device, but this will certainly be done using hardware and software write-blockers to ensure data reliability.
Conclusion
Non-traditional data repositories continue to grow in importance as sources of unique ESI. Whether they represent a requesting or a producing party, legal teams should carefully consider the potential significance of these devices—especially cell phones and smart phones. Analysis may well conclude that such repositories do not require special preservation or collection measures, but litigation discovery plans must ensure that they are adequately considered—and managed—in the discovery process.
About the Author
Conrad Jacoby is the founder of efficientEDD, a consultancy specializing in electronic discovery and litigation information management issues. A seasoned litigator as well as a technology consultant, Mr. Jacoby writes and speaks extensively on electronic discovery issues. He received his undergraduate degree, magna cum laude, from Yale University and received his law degree, cum laude, from the Georgetown University Law Center. He can be reached at conrad@efficientEDD.com.
Filed under Featured Articles, From the Experts, Home Page Featured.