Ask a man who can

By | 6th September 2012

I am not a DIY fan.

According to Wikipedia:

“The DIY ethic refers to the ethic of self-sufficiency through completing tasks without the aid of a paid expert. Literally meaning “do it yourself,” the DIY ethic promotes the idea that anyone is capable of performing a variety of tasks rather than relying on paid specialists. The DIY ethic requires that the adherent seeks out the knowledge required to complete a given task. The term can refer to a variety of disciplines, including home improvement, first aid or creative works.

Rather than belittling or showing disdain for those who engage in manual labour or skilled crafts, DIY champions the average individual seeking such knowledge and expertise. Central to the ethic is the empowerment of individuals and communities, encouraging the employment of alternative approaches when faced with bureaucratic or societal obstacles to achieving their objectives.”

The idea is brilliant but the execution often fails and inevitably makes me hot and bothered. Nothing is more irritating than to apply oneself to a task only to find that, on completion, it has not turned out as anticipated, or worse still, the resulting mess places you in a less enviable position than when you started. As night follows day, I have to find someone who knows what they are doing and pay him or her to tidy up my mess before they can do the job properly. All this involves an expenditure of time and money which is best avoided if at all possible. After all, no one wants to spend time and incur expense to no good purpose, particularly if the end result does not achieve the objective and costs more to put right than if the job had been done properly in the first place. Even more unpalatable, is if the mess you create renders the original objective impossible to achieve.

Millnet was asked recently whether it would be acceptable for the in house IT department of a client to carry out their own collection/preservation process prior to delivering the material, mainly in the form of emails, to the lawyers for review.

A cynic might say that the answer given depends on who is going to benefit from the process. Any views expressed by a company which specialises in the collection and preservation of electronic data are bound to be less valid than if the opinions were garnered from an organisation which, or an individual who, had no prospect of benefit from the ensuing task(s).

I say, all well and good, do it yourself if you can, but woe betide you if you mess the job up!

I also happen to think that we can be more helpful than that. Many lawyers are grappling with this very problem as is demonstrated by a recent article in Inside Counsel E-discovery: Top 5 considerations for ethical preservation in e-discovery whose authors suggest five top considerations for ethical preservation in e-discovery.

I was particularly interested in the authors’ comments about:

  • Calling in lawyers who actually understand e-discovery and how it works;
  • The importance of guarding against the inadvertent destruction of potentially relevant data;
  • How not to disclose privileged material;
  • Instances where lawyers have been “burned” by accepting at face value what they hear from a client representative or IT person who may not have carried out a proper investigation;
  • The desirability of cooperation with opponents over issues relating to e-discovery (the importance of which cannot be emphasised too highly).

The authors are all from law firm Reed Smith and clearly know what they are talking about. Their article is well worth a read.

So, what should I say to the cynic who believes that this sort of activity can be carried out “DIY” and that a mere vendor will only seek to make money out of the need to collect and preserve evidence?

We regularly provide this advice to law firms and their clients. According to Stuart Clarke, Millnet’s Head of Digital Forensics & Technical Services, the most common issues associated with a DIY approach to collection include:

  • Search restrictions.
    Most IT departments do not have the software tools available to eDisclosure specialists such as Millnet. Windows & Outlook search tools cannot search all file types (non-searchable data, encryption, ZIP archives). Outlook is generally not able to or not configured to search attachments. Some search technologies only index the first 3000 characters of each file and the search index may not be fully up to date so there is no real way of telling how much of the drive content is indexed.
  • Disconnect between the IT department’s policies / understanding of how relevant custodians of data created, stored, received, archived, transmitted etc potentially relevant data.
    For instance, it is common to find within organisations where email in-box size restrictions are in place that users use many different and often creative ways to create ‘archives’ of emails for future reference some of which are outside the scope of IT document archiving/retention policies.
  • Deep file paths.
    Windows has a well documented feature which means it cannot ‘see’ or handle data stored in a file path longer than 255 characters. This is most problematic with network shares. The risk is that documents contained within long/deep folder structures are therefore missed entirely.
  • Verification & Defensibility.
    The forensic image process creates an MD5 hash of the data pre image and compares this with the data collected in the image. This means you can show all of the data which has been collected and also identify any files which may have been missed.
  • Audit trail.
    If searches are performed across email, archives, file servers etc and the results are copied/extracted, there is no record of what was/wasn’t searched and/or the extent to which there were any exceptions/errors in relation to either the search or copy process. As a result, it is not possible to state definitively the scope/extent of search performed. There is a risk that where no ‘smoking gun’ or otherwise critical documents are identified, this is not because they did not exist but because they were missed during the initial search/collection process.
  • Loss of metadata.
    The exact fields which change differ across different operating systems (Win XP, Win 7 etc). However, when data is copied to an external drive using Windows ‘copy and paste’,the FS creation date is reset to represent the time of copy. Generally the file system metadata which includes the file system creation, modification and accessed dates cannot be relied upon. The FS last accessed date should never be relied upon in ED cases as it can change with simple actions including an anti virus scan or directory listing.
  • Deleted material.
    To the extent that electronic documents have or may have been deliberately or inadvertently deleted, there is a distinct possibility they will be retrievable in whole or part if a forensic collection is undertaken.

Law firms and their clients need to understand these potential problems. Failure to get to grips with these issues can lead to an imperfect collection which in turn is indefensible, incomplete and may well turn out to be costly as putting right earlier mistakes (even if this is possible) will certainly be more expensive than going to an expert in the first place.

In such circumstances, it will almost always make sense to instruct a man who can!