Over-stuffed file cabinets that hold business records and personal information have been replaced by compact computer hard drives that offer easy and convenient storage of and access to a variety of items, including correspondence, forms, memos, photos, account information and Internet transactions.
As a federal district court judge recently observed, a computer itself is not evidence in most cases, but merely the instrument for creating evidence (like a typewriter) or the means of storing it (like a file cabinet).
Accordingly, today's litigants routinely seek access to opponent's computer hard drive to search for discoverable evidence, especially when the opposing party may not be forthcoming about deleted or transferred files.
This article will discuss hard drive imaging and some of the federal rules used in seeking this in discovery, as well as the process generally used in federal courts to obtain such information.
HARD DRIVE IMAGING
When a hard drive is marked for discovery, a computer analyst makes a "bit stream" copy or mirror image of all electronically stored data on the hard drive. A mirror image is a forensic duplicate of the entire hard drive, replicating bit for bit, sector for sector, all allocated and unallocated space, as well as deleted files, on an external hard drive. Making this mirror image of the hard drive is a routine and technical step central to the examination process and is done to preserve the integrity of the electronic data on the original hard drive, since performing a forensic search of a hard drive can change the data within. Hard drive imaging should only be conducted by experts familiar with forensic procedure who will maintain complete records, including an accurate chain of custody.
Even in cases where computer imaging has been ordered, courts have nonetheless adopted procedures to protect privilege and privacy concerns. Following a production order, courts or the parties themselves typically establish protective protocols to screen out confidential material or nondiscoverable data to balance the legitimate interests of both parties. See Playboy Enters. v. Welles, 60 F.Supp.2d 1050, 1054 (S.D. Cal. 1999). For example, courts often order the imaging to be done by a neutral third-party expert at the requesting party's expense, with the adversary offered a chance to conduct a privilege and privacy review before the requesting party gains access to the data. See e.g., Sony BMG Music Entertainment v. Arellanes, 2006 U.S. Dist. LEXIS 78399 (E.D. Tex. Oct. 27, 2006).
Once a mirror image is created, forensic experts can search for evidentiary clues such as file creation and modification dates, Internet search histories and cached files, as well as printer spool history. A search for evidence of previously attached peripheral equipment, such as external media and drives, might be further evidence uncovered in a forensic investigation. In addition, experts can determine if a user attempted to hide his tracks and spoil evidence by running a "wipe" program, defragmenting the hard drive, or installing an entirely new operating system.[FOOTNOTE 1]
APPLICABLE FEDERAL RULES
One of the key operative federal rules concerning examination of computer hard drives is Fed.R.Civ.P. 34(a), which states, in pertinent part, that a party may request the other party to "produce and permit the party making the request ... to inspect, copy, test, or sample any designated documents or electronically stored information, including writings, drawings, graphs, charts, photographs, sound recordings, images and other data or data compilations stored in any medium from which information can be obtained ..."
Courts have interpreted the provisions of Fed.R.Civ.P. 34(a) as sufficient to authorize a court to order reproduction of an entire hard drive. See e.g., Simon Property Group, LP v. MySimon, Inc., 194 F.R.D. 639 (S.D. Ind. 2000); Antioch Co. v. Scrapbook Borders, Inc., 210 F.R.D. 645, 649 (D. Minn. 2002). However, requesting a hard drive examination does not automatically equate with authorization to do so and courts have been careful when issuing such an order. As the U.S. Court of Appeals for the Eleventh Circuit noted , 345 F.3d 1315, 1317 (11th Cir. 2003),
"Rule 34(a) does not give the requesting party the right to conduct the actual search."
In fact, with the passage of the amendments to the federal rules in December 2006, the Advisory Committee Notes to the 2006 amendments to federal rule 34 echo this sentiment, stating, "Inspection or testing of certain types of electronically stored information or of a responding party's electronic information system may raise issues of confidentiality or privacy.
The addition of testing and sampling to rule 34(a) with regard to documents and electronically stored information is not meant to create a routine right of direct access to a party's electronic information system, although such access might be justified in some circumstances. Courts should guard against undue intrusiveness resulting from inspecting or testing such systems."
It is important to note that rule 34(a) does not operate independently from other federal rules.
Indeed, the federal courts have long held that the district court retains discretion to impose reasonable conditions surrounding a request to test tangible objects, especially to protect against testing that might prove destructive. See e.g., Fisher v. United States Fid. & Guar. Co., 246 F.2d 344, 350 (7th Cir. 1957). While rule 34(a) authorizes a party to serve a request to inspect and copy, test, or sample tangible things, such a request must fall within the scope of Fed.R.Civ.P. 26., which addresses the general provisions governing discovery. See e.g., Diepenhorst v. City of Battle Creek, 2006 U.S. Dist. LEXIS 48551 at *3 (W.D. Mich. June 30, 2006).
Under Fed.R.Civ.P. 26, district courts have inherent power to protect parties against undue burden or expense, either by restricting discovery or requiring that the discovering party pay costs. See e.g., Thielen v. Buongiorno USA, Inc., 2007 U.S. Dist. LEXIS 8998 (W.D. Mich. Feb. 8, 2007). Given this power, the burden thus placed on parties seeking discovery of computer hard drives will vary from case to case. In particular, Rule 26(b)(2) gives a court additional discretion concerning whether to permit examination of a party's computer hard drive by allowing the court to curtail discovery efforts in a number of circumstances, such as when the discovery sought is unreasonably cumulative, attainable from some other source that is more convenient or less burdensome, or not crucial to the outcome of the case. See, e.g., Powers v. Thomas M. Cooley Law School, 2006 U.S. Dist. LEXIS 67706 at *15-16 (W.D. Mich. Sept. 21, 2006).
To Continue Reading: Click Here
----------------------------------------
Source: Law
By Richard Raysman and Peter Brown
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment