Post Process

Everything to do with E-discovery & ESI

Archive for the ‘Computer Forensics’ Category

Computer Forensics Used in a Texas Murder Case

Posted by rjbiii on January 20, 2010

The Washington Post brings us the story:

WACO, Texas — In the month before his wife died, a minister in Texas tried to buy a prescription sleeping aid online and conducted an Internet search for “overdose on sleeping pills,” computer experts testified Thursday in his murder trial.

Neal Kersh, a computer forensics examiner, testified that he examined data from Matt Baker’s church-owned laptop and was able to retrieve information from a computer server at a youth center where Baker worked. Baker’s computer went missing two months after Kari’s death.

Kersh said Baker sent e-mails just before and after those 2006 Internet searches and site visits, indicating he – not anyone else – was at the computer looking at the pharmaceutical sites and online pharmacies.

Posted in Articles, Computer Forensics | Leave a Comment »

A Tug of War over Forensics Applications and Formats

Posted by rjbiii on December 16, 2009

From two different blogs, we read of a fascinating criminal case involving a tug of war over evidence. Ultimately, the main points made by both the prosecution and defense missed the mark. A little knowledge could have gone a long way.

We begin by browsing over to Law Professor Susan Brenner CYB3RCRIM3 blog, to a post entitled Encase v. Ghost. Here she describes the case of State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), where a construction contractor specializing in building sunrooms was given a large deposit and money for materials, but who allegedly never finished the job. At trial, Mr. Dingman was convicted of 16 counts of theft and 11 counts of money laundering. He appeals. Why?

Because of the tug of war over evidence residing on his computer. Prior to trial, Dingman requested access to the files on his computers, which were seized by the state and still locked up. The state evidently made Encase images available to the defendant, but that wasn’t good enough. Why?

According to testimony, neither the Dingman legal team nor their forensics expert possessed a copy of the EnCase application (they thought) necessary to read the image. And Encase costs over $3,000 and required another $1,500 for training, according to Defendant’s expert. The State should, as they had in the past, provide a copy of the hard drive in a non-Encase format. Even better, allow the Defense to use its own tools to image the drives themselves. Ghost was specifically mentioned as the Defense’s tool of choice. The State objected. Why?

Evidently, the State believed that the Hard Drives could be damaged should they be released from custody, and that Ghost might produce an inaccurate copy. The States expert noted that he had a copy of Ghost, but did not use the tool for forensics. The State also argued that it didn’t need to “conform” its investigation to the “whims” of the defense, and that the Encase images had been happily accepted by all other defendants prior to this case. The trial court denied Defendant’s motion, and ordered the Prosecution to provide Encase images to the Defense.

After receiving a continuance to allow Defense the time to examine the drives, the trial court refused to grant a second, despite the Defense’s assertion that it had only been partially successful in reviewing the evidence. The Defense and their expert had only been able to access two of the nine drives, and on those two encountered files that it could not open. The trial continued, leading to the conviction of Mr. Dingman on several charges. Of course, we are not done. Why?

On appeal, the higher court cited a Federal district court decision stating that a defense expert should be able to “`utilize his or her hardware or software.'” The prosecution had not established for appropriate restrictions necessary to limit discovery in the manner occurring in the instant case. The Court of Appeals continued by holding that the lower court had “erred by requiring that the State provide only an EnCase mirror image of Dingman’s hard drives to the defense.” The State Supreme Court declined to review the opinion, and Mr. Dingman gets a new trial, should the state decide to a mulligan.

There is plenty wrong here. A lack of knowledge, and of collaboration, has cost the state a bit of money, time, and perhaps secured the liberty of someone who may not deserve it. Rather than lay it out here, however, I’ll direct you to Craig Ball’s commentary, where he does a fine job of discussing all of the issues. His post is called Stubborn v. Stupid.

Posted in Computer Forensics, EnCase, State Courts, Washington | Tagged: | Leave a Comment »

DECAF for your COFFEE? New tool fights forensics application’s attempt to get your data

Posted by rjbiii on December 16, 2009

Ars Technica posts an article describing the battle that might occur inside your P.C.:

In response to Microsoft’s Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources, two developers have created “Detect and Eliminate Computer Assisted Forensics” (DECAF), a counter intelligence tool designed to thwart the Microsoft forensic toolkit. DECAF monitors the computer it’s running on for any signs that COFEE is operating on the machine and does everything it can to stop it.

More specifically, the program deletes COFEE’s temporary files, kills its processes, erases all COFEE logs, disables USB drives, and even contaminates or spoofs a variety of MAC addresses to muddy forensic tracks. It can be told to disable almost every piece of hardware on a machine and delete pre-defined files in the background. The 181KB DECAF program even has a ‘Spill the cofee’ mode in which it simulates COFEE’s presence to give the user an opportunity to test his or her configuration before actually using it. Source code for DECAF has not been made available, since the authors fear it will be reverse engineered, making it unclear what else the tool might be doing and whether or not it is completely safe to use.

Posted in Articles, Computer Forensics, Computer Security | Tagged: , | Leave a Comment »

Blogger Advises Company Execs to Learn about Computer Forensics

Posted by rjbiii on January 4, 2009

David Lacey, the security blogger at ComputerWeekly.com has a short post advising executives to become familiar with the field of computer forensics. Quoth Mr. Lacey:

Not many company directors will have the patience to read and digest [a recommended text on computer forensics]. But they should. Evidence of transactions underpins all modern business. In fact, amongst other things, an understanding of the validity of digital transactions will increasingly separate the real business men from the young apprentice boys.

Posted in Articles, Computer Forensics, Technology, Trends | Tagged: , | Leave a Comment »

More details on PI Licensing and Forensics Technicians

Posted by rjbiii on July 1, 2008

An update on the licensing issues discussed here, here, and here, with a couple of helpful links.

First, Kessler International, a company that engages in forensics accounting, computer forensics and corporate investigations, has posted the results of a survey concerning state licensing laws with respect to forensics accounting and computer forensics companies and employees. The results are posted in map form. Click on the state that interests you, and that state’s response pops up in pdf format.

Now, with respect specifically to Texas, you may click here [PDF] to find a series of opinions made by the Private Security Bureau with respect to licensing issues and technical tasks associated with computers. Scroll down and look at those opinions from August 21 to October 18.

Some relevant excerpts (keeping in mind that these are the board’s opinions, and not judicial rulings):

Computer Forensics August 21, 2007
The computer forensics industry has requested clarification of the Private Security Bureau’s position regarding whether the services commonly associated with computer forensics constitute those of an “investigations company” and are therefore services regulated under the Private Security Act (Chapter 1702 of the Occupations Code). It is hoped that the following will be of assistance.
First, the distinction between “computer forensics” and “data acquisition” is significant. We understand the term “computer forensics” to refer to the analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons. We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.
For example, when the service provider is charged with reviewing the client’s computer-based data for evidence of employee malfeasance, and a report is produced that describes the computer-related activities of an employee, it has conducted an investigation and has therefore provided a regulated service. On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided.
The Private Security Act construes an investigator as one who obtains information related to the “identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person; the location, disposition, or recovery of lost or stolen property; the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property; or for the purpose of securing evidence for use in court. Tex. Occ. Code §1702.104. Consequently, we would conclude that the provider of computer forensic services must be licensed as an investigator, insofar as the service involves the analysis of the data for the purposes described above.
With respect to the statutory reference to “securing evidence for use in court,” we would suggest that the mere accumulation of data, or even the organization and cataloging of data for discovery purposes, is not a regulated service. Rather, in this context, the Bureau would interpret the reference to “evidence” as referring to the report of the computer forensic examiner, not the data itself. The acquisition of the data, for evidentiary purposes, precedes the analysis by the computer forensic examiner, insofar as it is raw and unanalyzed. FN1 The mere collection and organization of the evidence into a form that can be reviewed and analyzed by others is not the “securing of evidence” contemplated by the statute.
This analysis is consistent with the language of HB 2833 (Tex. Leg. 80th Session), which amends Section 1702.104. The amendment confirms that the “information” referred to in the statute “includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.”

FN1 It may well be that the hardware on which the data exists is itself the product of an investigation, but that is a separate question.

Computer Network Vulnerability Testing Firms — AMENDED January 15, 2008
This opinion amends the previous opinion issued in June of 2007. The question posed was whether network vulnerability testing firms must be licensed under the Private Security Act, Chapter 1702 of the Texas Occupations Code (“the Act”). Such companies typically conduct:
(1) Scans of a computer networks to determine whether there is internet vulnerability or other external risk to the internal network;
(2) Sequential “dial ups” of internal phone numbers to assess potential access;
(3) Risk assessment and analysis on all desktop computers connected to the network;
(4) Notification of any new security threats and required action.
Section 1702.226 of the Occupations Code provides in relevant part, that “[a]n individual acts as a private security consultant for purposes of this chapter if the individual consults, advises, trains, or specifies or recommends products, services, methods, or procedures in the security loss prevention industry.” TEX. OCC. CODE §1702.226 (1).
However, while the Bureau regulates consultants in the “security industry or loss prevention industry,” these latter phrase is not explicitly defined in the statute. It is therefore necessary to look to the rest of the statute in order to understand to which services the private security consultant’s licensure requirement applies.
It is reasonable to consider those industries otherwise regulated by the Private Security Act as reflecting the scope of the phrase “security industry or loss prevention industry.” In other words, the definitions are implied by those services that are regulated by the statute, viz., security guards, locksmiths, alarm system installers and monitors, and private investigators, and not software designers, installers or suppliers.
Thus, the industries that are directly regulated are the same industries about which one cannot consult without a license. Because the Private Security Bureau does not regulate software designers, installers, or suppliers, it also does not regulate those who provide consulting services related to computer network security.
Computer Repair & Technical Assistance Services October 18, 2007
Computer repair or support services should be aware that if they offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators. The review of computer data for the purpose of investigating potential criminal or civil matters is a regulated activity under Chapter 1702 of the Texas Occupations Code, as is offering to perform such services. Section 1702.102 provides as follows:
§1702.104. Investigations Company
(a) A person acts as an investigations company for the purposes of this chapter if the person:
(1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:

(A) crime or wrongs done or threatened against a state or the United States;
(B) the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;
(C) the location, disposition, or recovery of lost or stolen property; or
(D) the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;
(2) engages in the business of securing, or accepts employment to secure, evidence for use before a court, board, officer, or investigating committee;
(3) engages in the business of securing, or accepts employment to secure, the electronic tracking of the location of an individual or motor vehicle other than for criminal justice purposes by or on behalf of a governmental entity; or
(4) engages in the business of protecting, or accepts employment to protect, an individual from bodily harm through the use of a personal protection officer.
(b) For purposes of subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.
Please be aware that providing or offering to provide a regulated service without a license is a criminal offense. TEX. OCC. CODE §§1702.101, 1702.388. Employment of an unlicensed individual who is required to be licensed is also a criminal offense. TEX. OCC. CODE §1702.386.

Posted in Computer Forensics, Computer Security, Laws, Legislation | 2 Comments »

Case Blurb: Search Cactus; Court lays out Protocol for Forensic Collection of Plaintiff’s Hard Drive

Posted by rjbiii on June 19, 2008

Post Process-Plaintiff Attorney objected to a forensics exam of his computer hard drive, a computer which he used both personally and professionally. The court, though noting the validity of issues raised, ruled for Defendants. In doing so, it appointed two forensics experts to act as officers of the court, and issued the following protocol:

[T]his Court ORDERS:
1. Within seven days of the date of this Opinion and Order, Plaintiff’s forensic computer expert shall mirror image both of Plaintiff’s computer systems’ hard drives and Plaintiff shall preserve this mirror image.

2. Plaintiff’s forensic computer expert shall then remove only Plaintiff’s confidential personal information from the mirror image of Plaintiff’s computer systems’ hard drives. Plaintiff’s expert shall provide Defendants with the protocol he utilized to remove the confidential information.

3. Plaintiff shall then provide Defendants’ computer forensic expert access to his computer systems’ hard drives.

4. Defendants’ forensic computer expert shall mirror image Plaintiff’s computer systems’ hard drives in approximately four to eight hours for each system. If the expert finds that this is not enough time, Plaintiff is expected to be reasonable in allowing some additional time. Defendant is expected to be considerate with regard to scheduling times that are less intrusive to Plaintiff and his business.

5. Defendants’ expert shall review his findings in confidence with Plaintiff prior to making any findings available to Defendants.

6. Plaintiff shall identify for deletion any information that is irrelevant and create a specific privilege log of any relevant information for which he claims privilege. The computer forensic expert shall remove the information claimed as privileged and provide all other information to Defendants.

7. Defendants’ expert shall provide Plaintiff with the protocol he utilized to remove the privileged information.

8. Forensic computer experts C. Matthew Curtin and Scott T. Simmons shall act as officers of this Court. Defendants shall be responsible for remunerating Mr. Curtin and Plaintiff shall be responsible for remunerating Mr. Simmons.

Ferron v. Search Cactus, L.L.C., 2008 WL 1902499 at *5 (S.D. Ohio Apr. 28, 2008 )

Posted in 6th Circuit, Computer Forensics, Cost of Discovery, Duty to Preserve, Duty to Produce, Form of Production, Judge Gregory L. Frost, Privacy, Privilege Log, S.D. Ohio | Tagged: , , , , , | Leave a Comment »

Case Blurb: Search Cactus LLC; Forensics Examiners to Serve as Officers of the Court

Posted by rjbiii on June 19, 2008

Post Process-Plaintiff Attorney objected to a forensics exam of his computer hard drive, a computer which he used both personally and professionally. The court, though noting the validity of issues raised, ruled for Defendants. In doing so, it appointed two forensics experts to act as officers of the court:

It appears to the Court that both of the forensic computer experts presented to it are qualified. In certain situations, courts appoint computer forensic experts to act as officers of the court to help “reduce privacy intrusions and privilege waiver issues during forensic analysis.” Mark E. Borzych, Avoiding Electronic Discovery Disputes: Practice Questions Answered, 41 AZ Attorney 36 (January 2005). See also Thielen, 2007 U.S. Dist. LEXIS 8998, at *8 (court ordered forensic analysis by third party and accepted that no waiver of privilege occurred). Thus, the two identified computer forensic experts shall serve as officers of this Court.

Ferron v. Search Cactus, L.L.C., 2008 WL 1902499 at *4 (S.D. Ohio Apr. 28, 2008 )

Posted in 6th Circuit, Case Blurbs, Computer Forensics, Judge Gregory L. Frost, Neutral Third Party, Privacy, S.D. Ohio | Tagged: , , , , , | Leave a Comment »

Computer Forensics Vindicates Man Fired for Possessing Child Pornography

Posted by rjbiii on June 18, 2008

A distasteful case appears in the on-line version of the Boston Herald. Michael Fiola was suddenly fired from his job at a state agency and accused of possessing child pornography:

Months later, DIA information technology officials noted that the data usage on Fiola’s Verizon wireless bill was 4 times greater than his colleagues’. After discovering the child porn , Commissioner Paul Buckley fired him on March 14, 2007.

DIA turned the matter over to state police who, after confirming “an overwhelming amount of images of prepubescent children engaged in pornographic poses” were stored on the laptop, persuaded Boston Municipal Court to issue a criminal complaint against Fiola in August 2007.

Now, I’ve seen Dateline, and I know that there are people (a lot of people, evidently) who simply can’t resist the impulse to engage in this kind of behavior. In fact, if you work anywhere near a computer forensics lab (and I do), you find out how incredibly common this kind of activity is. That said, there’s still a little issue of due process. It seems that the data wasn’t downloaded by Mr. Fiola, or anyone he knows, after all:

[Computer Examiner Tami] Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye.

The DA’s office concurs. So, Mr. Fiola went back to work, right? Wrong. Apparently the Massachusetts Department of Industrial Accidents, who had employed Fiola, who had in fact given him a laptop with defective protection, states that it “stands by [its] decision” to terminate him. Fiola’s attorney, Timothy Bradl, doesn’t get it:

“Imagine this scenario: Your employer gives you a ticking time bomb full of child porn, and then you get fired, and then you get prosecuted as some kind of freak,” he railed.

I don’t get it either, and in this day and age, these types of situations are going to continue to occur; so we should all be very wary.

Posted in Articles, Computer Forensics | Tagged: , , | Leave a Comment »

TX Case Blurb: Honza; Court addresses objection to discovery request based on revealing confidential information, court order

Posted by rjbiii on March 10, 2008

[Producing Party members] seek a writ of mandamus compelling Respondent, the Honorable Greg Wilhelm, Judge of the County Court at Law No. 1 of Ellis County, to set aside a discovery order requiring the Honzas to permit a forensic expert to create a mirror image of each of the computer hard drives in the Honzas’ office in an effort to locate two particular documents or iterations of those documents

The Honzas contend that Respondent abused his discretion because: (2) the order authorizes the disclosure of information protected by the attorney-client privilege; and (3) the order authorizes the disclosure of confidential information pertaining to the Honzas’ other clients who have no connection to the underlying lawsuit.

The present discovery dispute originated with [Requesting Party’s] motion to gain access to the Honzas’ computers, which was filed about one month before trial. By this motion, [Requesting Party] sought “[i]nformation (the ‘Metadata’) contained on the actual computers of the Defendants, such as any time stamps on the Relevant Documents, versions of the Relevant Documents, if any, as well as the deletion of various versions, if any.” [Requesting Party] explained that, although the Honzas responded to a prior request for production of relevant documents in their electronic version, “the Metadata was neither produced nor made available.”

[Ed. Testimony indicated the existence of relevant documents with respect to a another transaction apparently not addressed by earlier discovery requests]

[] [Requesting Party] sought discovery of relevant documents pertaining to the [newly revealed] transaction, and the [Producing Party] complied by providing pertinent written discovery.

[Requesting Party] seeks the metadata from the [Producing Party’s] hard drives because it wants to identify the points in time when the partial assignment draft was modified in relation to the diary entry. This goes to the issue of whether [the Producing Party] altered the partial assignment after the parties concluded their agreement but before the document was presented for execution.

[Ed. The opinion then went on to list various Federal and State sources for persuasive authority in discovery law, especially with respect to ESI]

Privileged or Confidential Information

The [Producing Party] also contend[s] that the discovery order improperly authorizes the disclosure of (1) information protected by the attorney-client privilege and (2) confidential information pertaining to the Honzas’ other clients who have no connection to the underlying lawsuit.

Notwithstanding the “unlimited” access necessarily granted the forensic expert, Respondent’s order preserves any privileged or confidential information in several ways. First, the expert is limited in his search to two specific documents or iterations of those documents. [Members of the Producing Party] are then accorded the right to review the documents and information which the expert believes responsive and produce to [Requesting Party] only those documents and information which [members of the Producing Party] themselves believe are responsive. These provisions effectively preclude [Requesting Party] from having any access to documents or information pertaining to other clients of the Honzas not involved in this litigation.

Second, the order allows the [Producing Party executives] to withhold from discovery any documents or information which they claim to be privileged or confidential and provide instead a privilege log, subject to in camera review by Respondent.

Finally, the order provides that: (1) the observation of information by [Requesting Party] representatives during the imaging process shall not constitute a waiver of privilege or confidentiality; (2) all participants in the imaging process are subject to a protective order prohibiting the unauthorized disclosure of information; and (3) [Requesting Party’s] expert must provide proof of being bonded and of having commercial liability insurance by which the [Producing Party] may be “fully indemnified against any monetary loss.”

For these reasons, we hold that Respondent appropriately tailored the discovery order to prohibit the unauthorized disclosure of privileged or confidential information and no abuse of discretion is shown.

[Ed. Note that a dissenting opinion is also entered by one of the Judges hearing the case. See the order itself for the full text of that dissent, or of the opinion itself.]

In re Honza, 2007 WL 4591917 (Tex. App. Dec. 28, 2007)

Posted in Case Blurbs, Computer Forensics, Data Collection, Data Custodians, Data Sources, Discovery Requests, Duty to Produce, Objections to Discovery Requests, Privacy, Privilege, Privilege Log, Scope of Discovery, Texas, TX Judge Felipe Reyna | Leave a Comment »

TX Case Blurb: Honza; Court addresses objection to ‘overly broad’ discovery requests, court order

Posted by rjbiii on March 10, 2008

[Producing Party members] seek a writ of mandamus compelling Respondent, the Honorable Greg Wilhelm, Judge of the County Court at Law No. 1 of Ellis County, to set aside a discovery order requiring the Honzas to permit a forensic expert to create a mirror image of each of the computer hard drives in the Honzas’ office in an effort to locate two particular documents or iterations of those documents

The Honzas contend that Respondent abused his discretion because: (1) the discovery order is overbroad and authorizes an improper “fishing expedition”;…

The present discovery dispute originated with [Requesting Party’s] motion to gain access to the Honzas’ computers, which was filed about one month before trial. By this motion, [Requesting Party] sought “[i]nformation (the ‘Metadata’) contained on the actual computers of the Defendants, such as any time stamps on the Relevant Documents, versions of the Relevant Documents, if any, as well as the deletion of various versions, if any.” [Requesting Party] explained that, although the Honzas responded to a prior request for production of relevant documents in their electronic version, “the Metadata was neither produced nor made available.”

[Ed. Testimony indicated the existence of relevant documents with respect to a another transaction apparently not addressed by earlier discovery requests]

[] [Requesting Party] sought discovery of relevant documents pertaining to the [newly revealed] transaction, and the [Producing Party] complied by providing pertinent written discovery.

[Requesting Party] seeks the metadata from the [Producing Party’s] hard drives because it wants to identify the points in time when the partial assignment draft was modified in relation to the diary entry. This goes to the issue of whether [the Producing Party] altered the partial assignment after the parties concluded their agreement but before the document was presented for execution.

[Ed. The opinion then went on to list various Federal and State sources for persuasive authority in discovery law, especially with respect to ESI]

Overbroad Discovery

The [Producing Party] first contend that the discovery order is overbroad and authorizes an improper “fishing expedition.” In this regard, they argue that Respondent improperly “gave blanket approval for [the Requesting Party] to gain total access to [their] computers and all information stored on them, whether or not it has anything to do with this lawsuit.”

Although it is true that Respondent’s order gives A & W’s forensic expert [FN8]complete access to all data stored on the Honzas’ computers, the order provides that the expert is to index all forensic images acquired from the imaging process “for the limited purpose of searching (the ‘Examination Process’) for two documents, previously Bates-labeled as HONZA 00019 and HONZA 00017, which are drafts of “Assignment of Contract” and any iterations (the ‘Relevant Documents’).” The expert must then compile any documents or information which the expert believes responsive and deliver them to the Honzas to determine for themselves which are responsive to A & W’s discovery request and which they choose to withhold, providing a privilege log instead.

In addition to limiting the expert’s search to two specific documents, the order provides that no waiver of privilege or confidentiality occurs if any otherwise privileged or confidential information is observed by A & W’s counsel or representatives during the imaging process, and they are prohibited from using such information other than in compliance with the terms of the order. The forensic expert is likewise prohibited from disclosing any information observed during the imaging process. And finally, the order requires the expert and all party representatives or counsel participating in the imaging process to sign an acknowledgment agreeing that they are subject to contempt of court for any violation of the order.

Any order requiring the imaging of a computer hard drive necessarily grants the expert who is conducting the imaging process access to all data on that hard drive. Here, Respondent specifically limited the expert’s search to two documents; gave the [Producing Party] a “right of first refusal” with regard to determining which documents or information are relevant to those two documents and responsive to [Requesting Party’s] discovery request; imposed stringent limitations on inadvertent disclosures to prevent any unintended waiver of confidentiality or privilege; and placed all participants in the imaging process under a carefully drawn protective order.

Therefore, we do not agree with the Honzas’ contention that the discovery order is overbroad.

[Ed. Note that a dissenting opinion is also entered by one of the Judges hearing the case. See the order itself for the full text of that dissent, or of the opinion itself.]

In re Honza, 2007 WL 4591917 (Tex. App. Dec. 28, 2007)

Posted in Case Blurbs, Computer Forensics, Data Custodians, Data Sources, Discovery Requests, Duty to Produce, Form of Production, Objections to Discovery Requests, Overly Broad Request, Privacy, Scope of Discovery, State Courts, Texas, TX Judge Felipe Reyna | Leave a Comment »