• An "Old School" Approach to Requests for Forensic Imaging of Computers
  • September 15, 2009 | Author: Steven M. Puiszis
  • Law Firm: Hinshaw & Culbertson LLP - Chicago Office
  • In Re Weekley Homes, L.P., 2009 WL 2666774 (Tex. Aug. 28, 2009)

    Covad Communications Co. v. Revonet, Inc., 258 F.R.D. 5 (D.D.C., 2009)

    Given the seemingly ever-growing complexity of computer systems, an “old-school” approach may be helpful when addressing the issues presented by a request to have a forensic image made of your client’s computers. By “old school,” we are not referring to the 2003 movie by the same name about a start-up college fraternity starring Vince Vaughn, Will Ferrell and Luke Wilson, although renting that comedy might be good for your mental health after dealing with a request for forensic imaging. Urban Dictionary defines the term “old school” as anything that refers to a previous generation of a subject, idea or object, and that is how we propose the issues presented by a request for forensic imaging should be addressed.

    How would a court respond to a request by opposing counsel to allow entry onto your client’s offices in order to rummage through the client’s file cabinets, simply because he did not believe your client produced all potentially relevant documents sought by his discovery requests? Most courts would deny such a request absent proof of deliberate withholding of information by the client or extenuating circumstances.

    A request for forensic imaging of your client’s computers is essentially no different than a request to rummage through your client’s file cabinets made two decades ago. While today’s computers and servers can obviously do more than merely store ESI, they are the digital era’s filing cabinets of today. Further complicating the matter is that unlike two decades ago when confidential or proprietary information would be separately stored in a secure location by a client, today privileged or confidential information frequently resides side-by-side with Aunt Sophie’s apple pie recipe on a computer’s hard drive. So forget about sectors, clusters, slack space and how a computer’s hard drive may be partitioned for the moment, and consider going “old school” when your opponent makes such a request.

    This post will address two recent decisions covering these issues. After analyzing applicable federal case law, the Texas Supreme Court in Weekley concluded that a trial court abused its discretion when it ordered four of the defendant’s employees to turn their computer hard drives over to forensic experts for imaging, copying and searching for deleted emails. In Covad Communications, Judge John Fasciola of the District of Columbia District Court granted a request to have forensic images made of several of the defendant’s databases and email servers. Judge Fasciola is regarded for his thought provoking ediscovery decisions. Both Weekly and Covad arguably take an old school approach to the forensic imaging issues presented, and provide insight into those factors that should be addressed whenever a request for forensic imaging is made, and the ways to limit the intrusiveness of such a search when it is allowed by the court.

    What is forensic imaging and what does it accomplish?

    A forensic image of a computer is generally described as “a forensic duplicate, which replicates bit for bit, sector by sector, all allocated and unallocated space, including slack space on a computer hard drive.” Balboa Threadworks, Inc. v. Stucky, 2006 WL 763668 *3 (D.Kan. March 24, 2006). In other words it makes an identical copy or “mirror image” of all electronic information stored on a computer’s hard drive.

    “Deleted” emails and ESI potentially can be fully or partially recovered through forensic imaging of a hard drive. This can be accomplished because hitting the delete key does not eradicate an email or remove it from the computer’s hard drive; rather it simply changes a binary digit on the computer’s file allocation table indicting that the space where the email or data is located on the hard drive is available for use. Until that space on the hard drive is actually written over with new data, the “deleted” email or file remains hidden on the computer’s hard drive waiting to be found. Even when the space is only partially over written, fragments of the original email or data will remain until the space is fully reused.

    For an “old school” analogy, think back to when you last went to your local library and went to the library’s card catalog index to find a book. Removing a card about a particular book from the card catalog, did not pull the book off the library’s shelves, it simply made it more difficult and time consuming to find that book. Hitting a computer’s delete key is nothing more than removing the book’s card from the library’s card catalog.

    What insight do the federal rules provide about when imaging should be allowed?

    In short, not much. The Advisory Committee Notes to Fed. R. Civ. P. 34 explain that the federal rules dealing with electronically stored information (“ESI”) are “not meant to create a routine right of direct access to a party’s electronic information system, although such access might be justified in some circumstances.” Little guidance is provided by that comment as to when imaging should be allowed.

    The note further explains that “[c]ourts should guard against undue intrusiveness resulting from inspecting or testing such systems.” While that statement is certainly true, again little insight is provided as to what steps should be taken to limit the intrusion or to protect privileged communications or proprietary and confidential information that is not relevant to the litigation. Judge Fasciola aptly noted in Covad that the federal rules “do not specify what, if any requirements, must be met before a court permits” forensic imaging.

    As a result, courts have attempted to fashion forensic-imaging requirements on a case-by-case-basis, producing decisions that are reflective of the factual and legal arguments presented. However, many of the decisions are as vague as Rule 34’s Advisory Committee Notes as to when imaging should be allowed. See, e.g. John B. v. Goetz, 534 F.3d 448, 460 (10th Cir. 2008) (“compelled forensic imaging is not appropriate in all cases, and courts must consider the significant interests implicated by forensic imaging before ordering such procedures”).

    Something more than a discrepancy in a party’s production should be required.

    Typically, a party seeking forensic imaging will point to inconsistencies and discrepancies in the opposing party’s production of ESI as the basis for its motion. However, as Judge Fasciola observed in Covad, something more than merely suggesting a party’s ESI production is facially inadequate should be asserted before forensic imaging will be ordered:

    It is the rare case that a litigant does not allege some deficiency in the production of [ESI], particularly e-mail. All too many entities lack records management policies that are aggressively enforced, and records keeping may be a function not of an enterprise wide policy but determined by the idiosyncratic habits of the various users. In such a situation, the possibility that one user saved everything while another saved nothing may lead to curious gaps in the e-mails that are produced and an inability to explain why any are missing. While such productions cast little glory on the companies that produce them, I cannot find any authority in the cases to date that permit a court to conclude that allegations of deficiencies in themselves automatically require a forensic search whenever a party claims that there are, for example, fewer e-mails from a person or about a subject or transmitted in a given time than the party expected to find. This would result in forensic examinations in virtually every case, which would increase the cost of litigation involving [ESI] markedly not only because of the cost of the examination itself, but also because it would yield information that would have to be sorted for relevance and privilege.

    Both Weekley and Covad acknowledge that courts have consistently rejected requests for access to an opposing party’s computer system based on speculation and conjecture. Should support be needed for that proposition, you need go no further because those decisions provide ample ammunition for an argument against the use of speculation to obtain a mirror image of a party’s computer(s). But courts have struggled is to define when to allow imaging.

    A direct relationship between the computer and the claim warrants forensic imaging.

    Weekley noted that when a “direct relationship” exists between a computer and the claim itself, imaging may be warranted. When the manner in which a computer was used is at issue in a case, clearly a direct relationship exists.

    That was the case in Covad, where the plaintiff hired the defendant to run a marketing campaign for its voice over internet protocol (VoIP) business. The defendant stored all of the sales lead information it developed during the campaign on a database. Plaintiff claimed the defendant took sales lead information belonging to it, and provided that information to other customers in breach of its contract. The parties agreed that the database itself and not just the data it held, should be an exhibit in the case. In allowing the database to be imaged, Judge Fasciola concluded that there was simply no other way to obtain this information and noted that once a forensic image was obtained, it may have a determinative impact whether the case would “survive.” In his view, this was one of those “unusual cases where paradoxically, ‘the amount in controversy,’ ‘the likely benefit,’ and the ‘the needs of the case’ can only be ascertained by permitting” the forensic imaging.

    Another scenario involving a direct relationship between the computer and a claim is where a computer is used to download, transmit or store trade secrets, customer lists or proprietary information. Because in that scenario, one or more computers may have been involved in the misappropriation of information, forensic imaging of any computer(s) involved is more likely to be permitted. Similar to the situation presented in Covad, there may be simply no other way to prove or disprove such a claim.

    In Covad, one of the defendant’s email servers crashed and another was retired from service after a duty to preserve was triggered. Because there were no backups and no evidence was presented as to what efforts were made to recover or extract potentially relevant emails from those servers, the court allowed those servers to be imaged in order to determine if emails resided on them that had not produced in discovery. The fact that a computer or server “crashes” does not eliminate a party’s burden to preserve and produce ESI contained therein. Accordingly, where a party fails to properly preserve or produce ESI, imaging may be warranted. However, to ensure that a request for imaging is not based on rank speculation, some direct or circumstantial proof should be required by the court that potentially relevant ESI was not properly preserved or deliberately withheld by the party in question.

    The Texas Supreme Court in Weekley concluded that forensic imaging should only be allowed when there is some indication that the retrieval of the data sought is feasible. Thus, feasibility should be a prerequisite to any order permitting a forensic search.

    In Weekly, the Court observed that in light of the particularities of the defendant’s information system and storage methodology, there had been no showing that the emails which had been deleted could be retrieved and what that retrieval would entail. Further complicating the matter was that two-and-a-half years had elapsed making it virtually impossible to determine what benefit could be gained by the forensic imaging.

    Limiting the intrusiveness of a forensic search.

    In order to prevent a forensic imaging order from turning into the ultimate in fishing expeditions, a court must carefully limit the computers or servers to be imaged and should insist on a carefully drafted set of search terms or keywords be used to find any emails or data once the imaging has been completed. Additionally, imaging should be permitted only during off-hours or weekends to limit the business interruption as much as possible.

    In the event the parties cannot agree on a protocol to follow, the order permitting the imaging should specify the person or entity that will make the forensic image(s), and limit the electronic discovery tasks that can be performed to those specifically set forth in the court’s order. The order should provide the person or entity making the image shall maintain that information in the strictest confidence, and that no information shall be disclosed except as specified by the terms of the court’s order or any future directives from the court. The order must also provide that the imaging of any computer hard drives or servers does not waive any privilege or doctrine assuring the confidentiality of the information on those computers or servers.

    The order should describe all ediscovery procedures to be performed. Typically this will involve creating a full mirror image or bitstream copy of all hard drives in the specified computers including all file slack and unallocated space. Typically, all images and copies of images are authenticated by generating a “hash value” for comparison to the original hard drive. The order should also provide that any deleted data on the mirror image or bitstream copies of the hard drives should be reassembled into as much of its original active state as possible. The order may also provide that the person or entity making the forensic image may shield from direct observation any proprietary procedures or processes used to make the images or to search them once made.

    The order should set forth who is allowed to be present when the imaging and/or any search occurs, and should provide that anyone allowed to be present may merely observe. Any circumstances that would justify cessation of the imaging should be clearly provided for in the order as well as how many images will be made, who will pay for the imaging and that the hard drives may be put back into service (or storage if not then in active use) once the imaging has been completed. The order should also address how the forensic images will be handled once they have been made and specify how, where and when they may be searched and who may observe that process. The order should provide how the results of the search are to be handled. Typically, the search results are produced to the party whose computers where imaged to review the extracted data for privilege and work product before anything is produced to the requesting party. Frequently protocols require some type of report to the court, the parties or both as to the progress and the results of the imaging and/or search.

    Finally, the court should enter a protective order addressing any confidential or proprietary information or trade secrets that may be produced in the process. The court should also enter a Fed. R. Evid. 502 non-waiver order to ensure that privilege or work product is not inadvertently waived in the process.

    No matter how complex the technology in the future may become, our proposed old school approach should hopefully provide some guidance as to when forensic imaging should be allowed. And, don’t forget to rent a copy of Old School to remember why we should be happy to no longer be in college.