Post Process

Everything to do with E-discovery & ESI

Posts Tagged ‘Craig Ball’

Around the Block for 9/1/10-Technical Articles of Note

Posted by rjbiii on September 1, 2010

On the Mandiant blog, Nick Harbour reflects on the topic of DLL Search Order Hijacking. Using this method, a person who places a DLL file in a directory accessed by the targeted application can execute malicious code. An advisory on the subject, issued by Acros Security, can be found here.

In CSI SQL Server, Jasmin Azemovic discusses collecting evidence from MS SQL Server systems. Most of the article deals with handling and auditing logs, and it’s a nice read.

Attorney and technology consultant Craig Ball weighs in with a discussion of the mechanics of email communications in his article, E-Mail Isn’t as Ethereal as You Might Think.

Posted in Articles, email

Investigating the client’s data enterprise

Posted by rjbiii on October 14, 2007

The third installment in our “Effectively Managing E-Discovery” series.

The process of determining which documents need to be produced may begin only once the data has been found and identified. What are the obligations of the party and counsel with respect to conducting an investigation of the responding party’s data enterprise?

To begin with, counsel does not relieve his obligation by a mere request to his client, but must actually engage in a search for information. Phoenix Four, Inc., 2006 WL 1409413, at *5 (“Counsel’s obligation is not confined to a request for documents; the duty is to search for sources of information.”). “Counsel has the duty to properly communicate with its client to ensure that ‘all sources of relevant information [are] discovered.’” Id. (citing Zubulake V). The court in Phoenix Four, Inc. emphasized that under new Rule 26, the duty does not entail extracting information from sources to which access is difficult, but “rather to ascertain whether any information is stored there.” Phoenix Four, Inc., 2006 WL 1409413, at *6. In order to accomplish this, counsel “should become fully familiar with its client’s document retention policies, as well as its client’s data retention architecture.” FN1. There are strong indications that counsel should not attempt to do this on his own, unless already endowed with a particularly strong level of technical expertise. Even then, it might be advisable to retain an expert possessing easily proven credentials and who might be seen as being somewhat objective.

FN1: Id. at *5 (citing Zubulake V). See also, Guidelines for State Trial Courts Regarding Discovery of Electronically-Stored Information, Conference of Chief Judges (Rev. Draft, Sept. 2005) (stating “[i]n any case in which an issue regarding the discovery of electronically-stored information is raised or is likely to be raised, the court should encourage counsel to become knowledgeable about their client’s information management systems and their operation, including how information is stored and retrieved.” The report continued: “[w]hile the manner in which this encouragement should be given will, of necessity, depend on the procedures and practices of a particular jurisdiction, the court should establish the expectation early that counsel must be well informed about their clients’ electronic records.”); U.S. District Courts (Kan.) Guidelines for Discovery of Electronically Stored Information (“Prior to the Fed. R. Civ. P. 26(f) conference, counsel should become knowledgeable about their clients’ information systems and their operation, including how information is stored and retrieved. In addition, counsel should make a reasonable attempt to review their clients’ electronically stored information to ascertain the contents, including archival, backup, and legacy data (outdated formats or media).”).

The court in Peskoff v. Faber, 240 F.R.D. 26 (D.D.C. 2007) illustrated the point, when it ordered:

The [responding party] must therefore conduct a search of all depositories of electronic information in which one may reasonably expect to find all emails to Peskoff, from Peskoff, or in which the word “Peskoff” appears. Once the search is completed, [responding party] must make the results available to [requesting party] in the same format as the electronically stored information was previously made available. [The responding party] must also file a statement under oath by the person who conducts the search, explaining how the search was conducted, of which electronic depositories, and how it was designed to produce and did in fact produce all of the emails I have just described. I must insist that the person performing the search have the competence and skill to do so comprehensively. An evidentiary hearing will then be held, at which I expect the person who made the attestation to testify and explain how he or she conducted the search, his or her qualifications to conduct the search, and why I should find the search was adequate.

Peskoff v. Faber, 240 F.R.D. 26, 31 (D.D.C. 2007).

More and more, courts expect counsel and their technical team to engage in a process that can be defended if challenged. FN2. The court’s scrutiny will likely focus on two factors: counsel’s selection of technical vendors, and the process used by counsel and its technical team to identify, harvest and process data. Id. One industry expert sees Phoenix Four, Inc., and similar cases, not only as “a mandate to engage experts,” but also an “obligation to select capable ones.” Worst Case, supra FN2 (quoting Michael Arkfeld). An attorney does not relieve himself of responsibility once he has engaged an expert, because “[i]t is ultimately counsel’s duty to preserve and gather discoverable ESI.” Worst Case, supra FN2 (quoting J. William Speros, referring to attorney liability with regard to vendor actions and discussing Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99, 108 (2d Cir. 2002) and In re Worldcom, 2004 WL 768573 (S.D.N.Y. 2004)).

FN2: See, e.g., Craig Ball, EDD Showcase: Worst Case Scenario, LAW TECHNOLOGY NEWS (Oct. 31, 2006) at, [hereinafter Worst Case] (quoting Michael Arkfeld, “[t]he bottom line is that when you handle electronic or paper evidence, you need to include quality control standards that assure disclosure of all responsive evidence to the opposing side. These efforts must be reasonable and documented…[i]n my experience, the one thing judges insist on is that you take reasonable steps to diligently search, process, and disclose responsive discovery.”).

Once the selection of a technical vendor has been accomplished, the process utilized to find and process the data should be closely monitored. Recall that the court in Peskoff warned that it intended to examine the process used by the responding party. In another case of an investigative process coming under scrutiny, a court clarified that it had required the producing party to reveal search terms it had used to identify relevant documents in order to give the requesting party “an avenue to test or assess the scope of the search terms.” In re CV Therapeutics, Inc. Securities Litigation, 2006 WL 2458720, at *2 (N.D. Cal ).

Posted in Data Collection, Duty to Conduct a Reasonable Inquiry, Effectively Managing E-Discovery

Craig Ball: ESI does not equal Native Data

Posted by rjbiii on September 27, 2007

Craig Ball writes that electronically stored information is not necessarily native data.

Reviewing the correspondence between the counsel, I spotted the problem. The e-mail was there, but in rich text format. Like many lawyers new to e-discovery, defense counsel regarded electronically stored information and native data as one and the same. They’re not.

The IT department had dutifully located responsive e-mail on the mail server and furnished the messages as RTF, a generic format offering easy access and electronic searchability. Any computer can read RTF, so it’s a reasonable choice. But it’s not the native format.

He goes on to explain that e-mail’s native file is the container file in which the message is stored. At the enterprise level, that might be an MS Exchange database (extension = .edb) or a Lotus Notes database (extension = .nsf). On workstations, the container file will likely be an Outlook database (.pst). By the way, an Outlook database is merely a modified MS Access database. The messages are just entries in database fields, so the “native format” of a message is something of an exercise in creative deduction.

And because of that, Mr. Ball states:

How, then, do we realize the considerable benefits of native production for e-mail? The answer lies in distinguishing between production of the native container file and production of responsive, non-privileged e-mail in electronically searchable formats that preserve the essential function of the native source, sometimes called quasi-native formats.

I’ve not heard the term “quasi-native,” but it seems a reasonably serviceable name for the concept. The rest of his article discusses the way in which a quasi-native production would work.

Posted in email, Form of Production, Native Files