Post Process

Everything to do with E-discovery & ESI

Archive for November 19th, 2007

Case Blurb: Scotts Co.; Forensic Copies not required by amended FRCP

Posted by rjbiii on November 19, 2007

The 2006 amendments to Rule 34 of the Federal Rules of Civil Procedure simply clarify “that discovery of electronically stored information stands on equal footing with discovery of paper documents.” Fed.R.Civ.P. 34 Advisory Committee’s Note on 2006 Amendments. Consequently, without a qualifying reason, plaintiff is no more entitled to access to defendant’s electronic information storage systems than to defendant’s warehouses storing paper documents.

The discovery process is designed to be extrajudicial, and relies upon the responding party to search his records to produce the requested data. In the absence of a strong showing that the responding party has somehow defaulted in this obligation, the court should not resort to extreme, expensive, or extraordinary means to guarantee compliance. Imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties, as an examination of a hard drive by an expert automatically triggers the retention of an expert by the responding party for the same purpose. Furthermore, as noted above, imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information. Courts faced with this inevitable prospect often erect complicated protocols to screen out material that should not be part of discovery. See, e.g., Playboy Enters., 60 F.Supp.2d [1050, 1054 (S.D.Cal.1999) (appointing court’s expert to conduct examination). Again, this adds to the expense and complexity of the case.
This court is therefore loathe to sanction intrusive examination of an opponent’s computer as a matter of course, or on the mere suspicion that the opponent may be withholding discoverable information. Such conduct is always a possibility in any case, but the courts have not allowed the requesting party to intrude upon the premises of the responding party just to address the bare possibility of discovery misconduct.

The Scotts Co. v. Liberty Mutual Ins. Co., 2007 WL 1723509 (S.D. Ohio June 12, 2007) (quoting with approval Diepenhorst v. City of Battle Creek, 2006 U.S. Dist. LEXIS 48551, *10-11 (W.D. Mich. June 30, 2006).)

Posted in 6th Circuit, Case Blurbs, Computer Forensics, Data Collection, Magistrate Judge Norah McCann King, S.D. Ohio | Tagged: , | Leave a Comment »

EDD Basics: What is a hash value (or hash code)?

Posted by rjbiii on November 19, 2007

An installment of our EDD Basics Series.

It has been referred as a “digital fingerprint” and compared to DNA. But what exactly is a hash value?

Briefly, and perhaps unhelpfully, a hash code is a “value,” in the form of a text string, that is calculated by a hash function. Basically, you take a bit of data, you chop it up and mix it all around, and you come up with a unique value. As long as it’s consistent (i.e., the same data is always identified with same hash code), and as long as it’s unique (mathematically unlikely to assign different sets of data the same hash code), then the method can be used, among other things, to identify identical files on an I.S. system, regardless of the name of the file.

In electronic discovery, the hash code is used to remove duplicate files from review or production. Removing duplicates from review reduces costs by allowing a reviewer to see and make a decision on a document once (and only once); the unseen duplicates are then marked in the same manner as the reviewed file. Removing duplicates from production can reduce the size (and therefore cost) of the production. Some care must be taken with respect to cross-referencing those removed identicals to the included original file. Furthermore, removing e-mail attachments can lead to confusion, and in some cases contention. E-mail messages often indicate the presence of attachments, and if those attachments are not present in a production, the requesting party will often point out that “documents are missing.”

The two most commonly used types of hash functions are MD5 and SHA-1. The MD5 is a 128 bit hash value, while SHA-1 is 160 bits. The MD5 is expressed as a 32 character hexadecimal number, while the SHA-1 is expressed as a hexadecimal number with 40 characters.

Posted in EDD Basics, Hash Values | 2 Comments »