banner ad
Experts Logo

articles

November 2004

How to Successfully Obtain Computer-Based Discovery in 10 Steps

By: SETEC Investigations
Contact: Todd Stefan
Website: www.setecinvestigations.com

Profile on Experts.com.


Identifying pertinent evidence on computer systems is essential to the discovery process in today's world, as it is believed that over 70% of information stored in computer systems is never reproduced in hard copy form. Often, a significant amount of data, such as date and time information, can only be viewed electronically, causing the discovery of computer-related evidence to become even more critical. Simply asking for electronic evidence will not necessarily result in all relevant information being supplied. Therefore, it is important to understand the proper collection processes involved with ensuring that electronic evidence will be authenticated and admissible in a court of law. The following ten steps are meant to provide clarity with respect to the collection of electronic evidence:

Step 1: Send a letter to all involved parties notifying them that electronic evidence will be sought.

Essential to the discovery process, such a letter will seek to ensure that electronic information will be preserved. In addition, a protective order may be sought at this time that compels all parties to safeguard electronic information that may be relevant to the case.

Step 2: Specifications regarding electronic information must be included in the written discovery request.

Definitions of the precise documents requested, instructions, and specific questions must be included in this request, as well as the form of production requested, whether only electronically or in hard copy form. In addition, at this time a request for experts to physically examine and analyze the computer hard drive(s) in question should be admitted and interrogatories may be sent in an attempt to gain an overview of the target computer system(s).

Step 3: IT staff should be deposed via 30(b)(6).

Throughout the course of these depositions, if asked, employees will be required to provide information regarding the manner in which electronic evidence is stored, the types of hardware and software utilized, and how the organization backs up electronic information.

Step 4: Gather backup tapes

Backup tapes contain information that would help the organization recover from a disaster. Backup tapes are generally made on a routine basis and often contain information that is no longer readily available on a computer system's hard drive.

Step 5: Gather removable media, such as CD-ROMs and zip drives

Such as the case with backup tapes, removable media often contains information that is not available on a computer system's hard drive. In addition, such removable media may contain ad hoc backups of files and email messages.

Step 6: Question all available witnesses about their specific computer usage

All witnesses can be asked how they specifically store data on their computer systems. In addition, witnesses should be questioned with regards to their home computer systems as it is possible that they have removed information from their work systems and transferred them to their home systems.

Step 7: Make a mirror image copy of the hard drive(s) in question

A mirror image is an exact duplication of a computer hard drive that is completed sector by sector to secure residual data, such as deleted files, partial deleted files, and other information that still exists on the disk.

Step 8: Uphold the integrity of the data by write protecting all media and checking for viruses

Write protecting the media keeps the data from being distorted or obliterated. In addition, all media should be checked for viruses to ensure evidence is not tainted. If a virus is found, a record should be made and the opposing party must be notified.

Step 9: Ensure the proper chain of custody is followed

A proper chain of custody ensures that the data presented is "as originally acquired" and has not been altered prior to admission into evidence. An electronic chain of custody link should be maintained between all electronic data and its original physical media throughout the production process.

Step 10: Understand your limitations

Due to the intricacy of the computer forensic process and the complexity involved with electronic discovery, outside expertise is often warranted to maximize the discovery of electronic evidence and ensure its admissibility in a court of law.


Setec Investigations offers expertise in computer forensics and electronic discovery, providing highly personalized, case-specific forensic analysis and litigation support services.

See SETEC Investigations's Profile on Experts.com.

©Copyright 2004 - All Rights Reserved

DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.

Related articles

expert_placeholder

7/15/2010· Computer Forensics

CSI Computer Forensics - Real Cases From Burgess Forensics

By: Steve G. Burgess

It was a grey October day, the kind of day when a guy likes to cozy up next to a bank of servers to keep warm, when the Teacher first called me. "They think I'm nuts" were the words emanating from the phone. Well, just because you're paranoid doesn't mean they're not out to get you. I sat up and went to my desk, away from the noisy fans cooling off all those Gigahertzes. "What's the problem, Miss?"The young woman explained that she was a not-yet-tenured teacher in a New England (greyer there than here) high school with a problem. Seems that a student in one of her classes was repeating things in the classroom that she had uttered only the night

expert_placeholder

11/16/2004· Computer Forensics

Proactive Forensics in the Workplace

By: Paul Taylor

The benefits of computer forensics have been seen over and over again in the criminal and civil courts throughout the world in the past two decades. If there is ever a case involving accounting or communication between key witnesses then computer forensics will be involved in some form

insync_article.jpg

8/14/2004· Computer Forensics

Computer Sleuth: Beating Down The Evidence Trail With Computer Forensics

By: Robert P. Green and Scott Cooper

Think Sherlock Holmes sans the goofy hat and magnifying glass. Today ’s digital sleuths enlist the tactics that once were only the purview of FBI and police investigators.The tools of computer forensics play a vital role in resolving matters in the corporate world and litigation process by enhancing the evidence pool, establishing truths otherwise left undiscovered and, consequently, contributing to more efficient and rapid resolution, judgments or settlements

;
Experts.com-No broker Movie Ad

Follow us

linkedin logo youtube logo rss feed logo