The Journal of The DuPage County Bar Association

Vol. 18 (2005-06)

Electronic Evidence-Weapon of Mass Discovery
By Robert Guinaugh


The proliferation of electronic means of gathering evidence and the development of conventional discovery techniques focused on electronic targets (collectively "e-discovery") have given rise to a rare level of "buzz" within the legal community. Legal journals as well as the media in general often feature high-profile cases in which e-discovery played a key role. Litigators who have managed to become "e-discovery aware" compete at a level unmatched by their opponents. Such digitally enlightened litigators understand that electronic evidence is, by its very nature, hard to find, identify, preserve, and recover, making it equally difficult to hide, bury, or destroy. The lawyer who can coax out such information has a decided advantage.

Evidence Preservation Notice

With data loss the boogey-man of the modern workplace, the solution is to save everything. It therefore comes as no surprise that reams of vital information are ripe for the plucking. After all, electronic evidence is routinely and unavoidably duplicated and saved on multiple devices. This makes it well worth taking a look "under the hood" of an opponent’s computer systems and networks. Proactive attorneys must demand that electronic evidence be preserved. Issuing notice to opposing counsel may not always be practical or even effective, but it is one of the best ways to signal that you are serious about conducting comprehensive discovery. Besides, the alternative is that relevant electronic evidence will fall to data loss, memory seepage, mechanical failure, or worse yet, intentional destruction. The evidence preservation notice should be followed up with proposals for a detailed protocol to be followed by the producing party to ensure preservation of relevant electronic information. Make sure that the party’s attorney is forced to supervise the process.

Building a Better Discovery Request

Another tactic that the e-discovery aware must keep in mind is to refer to, request, and actively seek "deleted" files in their discovery requests. In this context a "deleted" object is one which appears to the uninitiated to have been lost but in reality is still locked away in the core of a system’s memory. The omission of such references in discovery can allow broad swaths of information to go unreported, whether documents, spreadsheets, e-mails, messages, or machine-generated information such as meta-tags. As previously mentioned, routine business processes involve deleting "stale" information, and almost all data is subject to user destruction (intentional or not). It is therefore more important than ever that good discovery include a request for deleted information. Of course there are other causes of data destruction: a hardware or software malfunction, computer replacement, deliberate deletion of files, discarding or destruction of the hardware itself, etc. While some or all of these eventualities may have come to pass by the time litigation is at hand, that does not mean counsel should just "give up." On the contrary, the proactive litigator must drive the stake into the ground somewhere, and since "spoliation" is the subject of vigorous debate, loss of critical information should not be ignored as mere bad luck but instead used as a means by which to turn the litigation.

Responding to the Evidence Preservation Notice

Typical objections to an evidence preservation notice are based on the request’s being too burdensome, broad, disruptive, or costly. These hotly contested issues have many facets and for some time have been at the center of debate among those drafting amendments to the Federal Rules of Civil Procedure ("FRCP"). Nonetheless there are a number of strategies the savvy litigator can use to overcome such objections. Below we take a look at a particularly common but thorny objection – that the evidence preservation notice is "too disruptive" to stand.

The objection that an evidence preservation notice is "too disruptive to ordinary business practices" often arises because the target information is still in use, often in multiple places within "live" networks; all of which permits the objecting party to argue (correctly) that preservation efforts could paralyze business. This is of course especially true if the request is overbroad or poorly drafted. How can the objection be deflected? The requesting party can perform a perfunctory analysis of the producing party’s computer systems, via a §30(b)(6) deposition for example, then tighten the parameters of their request to extract crucial information without going too far. Not as easy as it sounds, but it can be done.

Once the preservation notice is sufficiently narrowed, the responding party has only two (2) options: deactivate all devices on which the target data is stored, or produce forensic bit-stream images of each device. These options should be laid out in the mandatory pretrial "meet and confer" event, where evidence preservation should be stressed. When the producing party predictably refuses to deactivate its business-critical systems, the requestor should point out that the continued operation of those computers and routines threatens to permanently overwrite the deleted files stored on the hard drive, with devastating effects. Of course the producing party can still seek to substitute bit-stream copies for actual information. The ultimate choice is for the Court.

No matter what the outcome, the producing party will most likely offer to pay for the extraction and production of the requested evidence – don’t let them. Offer to pay for half, or if necessary for all, of the costs. Why? Because your objective is to extract and preserve evidence, while the goal of the producing party is to minimize business disruption. Yet those very day-to-day operations jeopardize the electronic evidence you wish to extract, so try to maintain as much control over the process as possible – down to selecting the firm that will gather the evidence.

Practical Questions Deserve Practical Answers

Since so much of e-discovery and electronic evidence is still new by legal practice standards, many readers will treat this article as a case of first impression. Still others have experience with e-discovery issues but still have questions. Below I try to provide practical answers to both types of readers.

How much does "bit-streaming" evidence acquisition cost?

On average, bit-stream imaging of a desktop or laptop computer will range from $600-$1,500 per machine, depending on the size of the hard drive. More time and effort are required to extract information from e-mail and other application servers, so costs there range from $1,200-$3,500.

How should the "business interruption" objection be addressed?

To conduct forensic bit-stream evidence acquisition of electronic information, the subject system should be non-operational for a matter of hours. Ideal times for such downtime include after-hours, weekends and holidays.

How will the Court protect the producing party against the discovery of proprietary, non-responsive, or privileged information on their network or system?

The bit-stream copy of the subject system includes every bit of data stored there, whether active or deleted. Typically the Court will issue a protective order that requires examination and approval of the bit-stream image by the Court as well as the producing party before it can be released to the requesting party.

Whose computer forensic examiner should perform the analysis?

The litigators can decide this among themselves or seek a ruling by the Court. Usually the protective order referred to above includes an affidavit from a 3rd-party forensic examiner, who is then answerable to the Court. In the alternative the parties can agree to a protocol for choosing an examiner, or even one by which the chosen examiner will conduct their investigation. A major stipulation in such arrangements is that the producing party’s attorney must have the right of first review as to the information actually recovered.

In the event the producing party is adamant that no bit-stream imaging be allowed and the Court is leaning their way, what other options are available?

After you have agreed to assume the costs of extraction and scheduled your activities to avoid business interruption, it is unlikely that the Court would not permit you to obtain a bit-stream copy of your opponent’s system. Nonetheless, judges unfamiliar with computer technology may see such forensic examination as unnecessary or believe, despite your inspired arguments, that evidence simply ceases to exist once deleted and cannot be recovered.

In such cases one can generally still employ a technique known as "examination sampling." In this approach, limited forensic examination of a few systems of interest is conducted to determine whether evidence that may have been deleted is still recoverable. Obviously this technique is far from perfect; there may be no way to recover the deleted evidence on the particular computers offered up by the producing party.

Still another option for the requesting party under such circumstances is to seek permission to conduct a real-time forensic examination of the producing party’s systems for deleted files. This approach should be used subject to the condition that if relevant files are located the parties will agree to bit-stream imaging of all of the individual computers identified in the original request.

Should all e-discovery requests include deleted files, or is that a bit too radical?

Your opponent owes you no favors. Failure to request all relevant data leaves you at the mercy of the producing party’s e-discovery service provider, hoping that they will harvest the "right" data on your behalf. Good luck; the producing party will never volunteer deleted evidence except on pain of sanctions or to exculpate themselves!

Will this stipulation come back and bite the requesting party?

Always prepare for the retaliatory e-discovery attack. This is the common fear of uninitiated e-discovery litigators, who assume that by holding back in their discovery requests opposing counsel will also abstain from seeking computer forensic evidence. While many practice such a quid pro quo, the e-discovery aware attorney will have already shuffled off such fears and, anticipating a mirror-image attack, will have prepared themselves and their client for what may happen next. As this observation implies, the e-discovery aware counselor discusses the nature and extent of electronic discovery with their client before the issue comes up, including the costs and benefits of e-discovery as well as the risks of retaliatory e-discovery attacks. As it happens, this is also an opportune moment to flush out any latent concerns your client may have about time bombs ticking within their own system.


There are many more scenarios that may be played out, as well as options available, when dealing with electronic discovery and digital forensics. This article merely represents a sampling of those issues and attempts to set the stage for further discussion by the reader. The author does, however, hope that he has been able to motivate a few practitioners who may have been sitting on the fence to pursue more information about e-discovery and how it can help transform not only their practice but the practice of law overall.

Robert Guinaugh, Senior Partner, CyberControls, LLC
