Thousands of words are written each week about e-disclosure / ediscovery. That old joke about today’s article is being tomorrow’s cat litter is hard to apply literally to electronic publication, but it is right to say that few of the many articles are read much after the month in which they were published. Many of those which do survive seem to be written by US forensic expert Craig Ball.
I predict a long life for his article Double Delete Doesn’t Do It published on Law Technology News on 1 April. I have deliberately included a reference to the UK case Rybak v Langbar in my title to emphasise that Craig’s article is as relevant in the UK as it is in the US – this is not true of all US articles, many of which depend on the peculiarities (I use the word in its widest sense, connoting distinctiveness rather than oddness) of US e-discovery.
One of my themes for 2011 is “What actually happens to your data”, reflecting my perception that many of the terms of art used in ediscovery / e-disclosure pass over their heads of those who need to understand what is actually involved. It is hard to avoid this in conventional marketing materials which must necessarily be punchy and succinct. Shades of meaning get lost by this abbreviation; whole subjects embracing a wide range of concepts get reduced to a single word or snappy expression. “Processing” is one example; “forensic collection” is another.
The broader sense of the term “forensic collection” implies that data is collected in a form which exactly matches the original. Whole servers, laptops and a range of other devices, including perhaps empty or slack space (don’t ask, not just now anyway), are copied to preserve the contents as they stood at the date of collection. The term equally applies to the collection of sub-sets, such as particular folders or the documents of particular custodians; it can apply to the examination of a single document. Forensics, though, goes further than mere collection and can include analysis and deduction – the adoption of the word “forensic” in computing science should not obscure its original meaning which, in my (pre-computer) dictionary is “of, used in, courts of law”. You may engage a forensics expert simply to ensure that data has been collected in a sensible manner; you may need him in a role more akin to that of a detective.
Craig Ball’s article describes the latter situation. He was engaged to examine the computers of a party to litigation pursuant to a court order as an independent expert. Part of that task involved technical tools and technical knowledge. Part of it simply involved informed observation – it is near-impossible anyway to conceal the use of disk-cleaning software like CCleaner, but leaving its icon on the desktop is a bit of a giveaway, like the bank robber who wrote his demand on the back of his own utility bill or the one who had his name stencilled in large letters on the motorcycle helmet used to hide his face.
The article is worth reading for an understanding of the steps which a conscientious forensic examiner will undertake in a case where suspicions have already been aroused – you would not go to these lengths in ordinary circumstances, but the value of the article for those new to this subject lies in finding out what is possible. If you are minded to tamper with the evidence in this way, or have reason to be on alert that your opponent might have done so, it helps to know what can be done to trace such activities.
We in the UK have not had many published examples of cases involving this kind of forensic examination. Last year, however, we had Rybak v Langbar which I wrote about (see Rybak v Langbar sends warning to those who destroy evidence). It was, as I said in the article, too obvious a case to ground any new principles – you do not need to be involved with computers (or, indeed, to know much law) to be clear that deliberate destruction of evidence will bring severe penalties, not just after an order for examination, as in Rybak, but at any point after you are on notice of likely litigation. The main message, as I said in my article, was the need to be aware of what might be done by those keen to destroy evidence and of what might be done to unmask them. Craig Ball’s article puts us on notice of avenues which might be explored.