banner ad

Share |

JOhn Cosgrove - Cosgrove Consulting


The new Federal Rules of Civil Procedure (FRCP) became mandatory starting 12/01/2006. These modified rules were a response to the need to address the evolving predominance of Electronically Stored Information (ESI) in most all legal proceedings. Current estimates are that over 90% of documentary records in legal proceedings were created and maintained as some form of ESI. It also follows that authenticating the factual record must employ computer-assisted means. Furthermore, these computer-assisted means must also be subjected to court-accepted means of validation. To an engineer, this can be thought of as calibrating your toolsets in order to trust the interpretation that the toolset gives the user about the underlying data. In the case of ESI, the physical media which store the various forms of ESI absolutely require the use of these toolsets to view the contents of the document. In the past it was possible to directly interpret the coding of holes punched in a card or tape. This is no longer true!

Need for Change

Given the pervasive occurrence of ESI in legal proceedings, the disputes were often crippled by procedural battles over the nature of the ESI and whether or what type of it should be available as evidence. These disputes often involved both legal and technical issues such as access to archival records which could only be retrieved by costly, cumbersome, high-tech means to produce information which may not be relevant. In short, the governing bodies for legal procedures (e.g., FRCP) recognized that amended guidelines were critically needed.

Treat ESI Differently

What constitutes ESI? ESI consists of many different information formats which also reside on different types of media depending on the needs of the user. Examples of common formats are text files, word-processor files (e.g., Microsoft Word), spread sheet files (e.g., Excel) and also specialized formats such as Design (e.g., AutoCAD) files. Each of these examples have been important evidentiary artifacts in cases which I have been named as an expert witness.

The type of the media that contain the files in their various formats is a separate but equally important issue. Examples of media are the familiar disk drives resident in most desktop and laptop computers as well as portable media such as CDROM (Compact Disk, Read-Only Memory) and DVD (Digital Video Disk). Also important in some cases are the various archival media used for longer term storage such as high capacity tapes.

Federal Rules 16 - 45 - ESI Modifications

Although the rule-making body summarizes ESI changes to rules 9, 14, 16, 26, 33, 34 37 and 45, this paper will focus on the rules that most impact the forensic engineer. This summary is available on

16 - Establishes pre-trial conferences which "address early issues pertaining to the disclosure and discovery of electronic information." Briefly, this means that the legal teams must agree on a number of technical issues regarding the inclusion and form of data relevant to the dispute. Many of these issues require assistance from the forensic engineer. For example, how are the relevant design or project management data files going to be exchanged between the parties? Are historical archives significant or relevant?

26 - Given that the rule 16 conference established the need for mutual discovery ground rules, 26 gives guidelines to establish these agreements
- either by the opposing lawyers or by the court.

33 - Clarifies the obligation to include the relevant forms of ESI in the review of materials communicated between the parties. Frequently, this review of ESI requires the assistance of engineering experts skilled in the type of documents (e.g., design files) being reviewed. Even the conventional word-processing files will often require engineering assistance because of the technical content (e.g., technical specifications). This is more significant in the era of ESI because the sheer volume of data may demand the skilled use of automation.

34 - This rule clarifies the differences between ESI and other forms of documents. In particular, it establishes the right to specify the form of production and defines the default format to be the native format. In other words, word processing, spreadsheet, email, etc., should be produced in a form where it can be examined with the software which accesses all of the ESI, not just a printed representation of some of the content.

37 - This is called the "safe-harbor" rule. In short, it provides a means of dealing with ESI inadvertently unavailable or lost because of standard practice. A common example is the loss of archival records when backup media is recycled as part of normal IT operations.

FR changes likely to guide other courts

Although the new rules are only mandatory for federal cases, it is likely that all US courts at any level will be heavily influenced by this guidance at the federal level. Currently, the answers to these questions concerning ESI are largely absent whether the dispute venue is at a state or lower level or even an arbitration panel. Criminal courts are also facing many of the same questions. The admissibility of ESI evidence in these venues is just one of the key issues in those cases which required our services as an expert. At present, most all states are in a process of evaluating the application of these new FRs to their jurisdictions.

Impact on Litigation

The new rules will often require changes to the expert's planning for his support of the legal team. It may be necessary to adopt a pro-active role with the client attorney as they may need to be educated about specialized technical issues critical to the case. For instance, if critical facts are likely to be contained in the project management records generated by an application program such as Microsoft Project, the expert must educate the legal team about the importance of including the relevant MS Project files in the discovery demands. It may be necessary to provide the technical descriptions of the file data containing these records and also provide expert support in the review of the contents. Another example would be proprietary format design files such as AutoCAD.

Computer Forensics

This term can be defined as the handling and extracting of the ESI data from the storage media. Often this data is incomplete (fragmentary) and no longer accessible as active named files. It is often possible to retrieve this data even though it is deleted and incomplete. Specialized forensic tools are used to retrieve and report this type of data which can frequently provide proof critical to the outcome of the dispute.

Computer evidence handling

ESI can be compromised or corrupted in ways unlike more obvious physical evidence or records. As such, specialized procedures, recording equipment and software tools are required to preserve the quality of the evidence. This can be thought of as the setting of the crime scene boundaries and requiring an electronic equivalent of the "bag-and-tag" process familiar to watchers of TV detective shows. While not all civil disputes require full computer evidence capture procedures, many do, and it is important to preserve the evidence in case of doubt. A common example is the forensic image of the working computer of a terminated employee where there is a possibility of improper conduct such as theft of trade secrets.

Computer-version of chain-of-custody rules

Since the actual content is invisible to the unassisted observer, the first step is to create an exact "image" of the media and also create accompanying records which establish the electronic equivalent of the "chain-of-custody" history. Specialized equipment is used to guarantee that no "writing" is possible when the media is powered-up. A unique "hash-code" is created and compared with the copy in order to guarantee that an exact copy was made. Future analysis of the contents first uses the "hash" to verify that the contents have not been changed. This image will then become a reliable evidence file used for future analysis.

Requires court-accepted software tools (Frye/Daubert)

Since the reliability of the reports which document the evidence found on the media depend on the accuracy of the software tools used, court validated (Frye/Daubert criteria) toolsets are usually required, depending on the skills of the opposition. The most commonly used forensic toolsets are the Encase family of software tools provided by Guidance Software. They also publish a free white paper which references legal precedents showing court acceptance of their systems. Often Encase is augmented by additional toolsets which can be valuable for certain systems and data formats.

Electronic discovery - "moves"

The abstract nature of ESI records tempt some legal teams to impede the free exchange of useful information with questionable tactics. In the updated federal rules, some of these tactics are noted. One example is taking advantage of the sheer volume of possibly relevant data. It can be thought of as the "building a giant haystack to hide the critical needle" rule. Magnitude tactic With ESI, generating an excess of useless data is easy to accomplish. An example is the practice of printing the contents of large spreadsheet files which are not setup to be printed. These piles of largely blank pages can be preserved in TIF image (similar to a fax file) files, one blank page in each file. Tens or hundreds of thousands of mostly blank files are virtually useless to anyone attempting to read them for meaning. The solution is to specify that the spread sheet files be supplied in native (i.e., .xls) format (as recommended by rule 34) where they can be examined as intended. The expert needs to advise the legal team as to the correct description of the file types to be requested. Also cumbersome is the fact that each page is a separate file identified by a Bates number. Reviewing for actual content is doubly difficult. Although some computerized procedures can partially circumvent this, prevention is the best solution.

Format important - ESI original form best

There are additional reasons to choose original format in ESI other than the magnitude issues noted. Basically, original format data is more valuable because it can be readily validated and analyzed.

Metadata provides provenance

Any document may be need to be validated for authenticity and accuracy. Conventional document examiners examine characteristics of the physical document to establish its provenance. Electronic documents can be authenticated by means of the "metadata". This is data about the data and it often comes in both internal and external forms. The most commonly used form is contained is the file "properties" easily examined by the Windows Explorer. These file properties are "created, last written (modified) and last accessed" and reveal the date and time (sometimes) for each of these events. Many file operations can affect these records so due care must be exercised if the original properties are critical. Additionally, many common applications carry internal metadata which are primarily affected by internal operations of the application. These include most word processor and spread sheet applications. The internal metadata tends to be more useful in terms of document provenance because it records document operations, not necessarily file operations external to the document itself.


Original format data is generally "searchable". This means that textual content can be searched as a string of text characters. TIF image files are not searchable because the content is an image of the text, not the text itself. If the quality is good, these files can sometimes be OCR-Converted which renders the image into text. Search-ability is often critical when dealing with large volumes of data. Sometimes the search must take place within the application itself (e.g., Outlook for emails) because the data is maintained in a specialized internal format.

Specialized data formats may need support

Specialized data formats such as AutoCAD files may also require a specialist who owns a valid license on the application and is skilled in its use. In one case involving theft of trade secrets embodied in CAD files, it was necessary to add an expert team member who was a designer experienced with the CAD application who also had current versions of all of the application software relevant to the issues in the case.


Computer-resident (i.e., ESI) evidence is involved in most litigation.

The trend is for this to increase. The new FRs recognize this trend to ESI-type evidence.

  • Define new evidentiary guidelines
  • Provides e-discovery rules
  • Establishes framework for retention and preservation
  • ESI evidence poses new challenges
These challenges are in managing, identifying and interpreting the content for litigants.
  • Identify & find the relevant ESI evidence.
  • Organize the complexity.
  • Interpret the meaning for the court.


  1. California Lawyer, Rules of the Game, 2/2005, P17
  2. Federal Rulemaking, Civil Rules,
  3. Guidance Software, The New Federal eDiscovery Rules, 10/25/06,
  4. LA Times, "New US rules raise retention requirements for e-documents", Monday 12/04/2006, C3,
  5. "Sedona Principles for Managing Information in the Electronic Age", September 2004
  6. Helpful website when dealing with documents in electronic form
  7. "Systemizing eDiscovery for Compliance with the New Federal Rules" - Guidance Software,
  8. "Evaluating the Proposed Changes to Federal Rule of Civil Procedure 37: Spoilation, Routine Operation and the Rules Enabling Act - Nathan Drew Larsen", Northwestern University
  9. "E-Discovery-Related Changes to the Federal Rules of Civil Procedure" Laura E. Ellsworth, Irene Savanis Fiorentinos, Cecilia R. Dickson,

Share |

John Cosgrove, P.E., has been a software engineer for over 40 years and a self-employed consultant for more than 30. His specialties include forensic engineering, project management, software architecture, real-time critical systems, and hardware-software interfaces.

©Copyright - All Rights Reserved