Miller: Act quickly to locate all potential e-discovery data sources

Keywords e-discovery / Opinion

Author L. Frank Baum did not live to see us store shopping lists to a refrigerator through a USB drive; however, he did foresee the incredible future of technology.

We live in a world where electronics are around us everywhere we go. The retention capabilities of these devices are not only staggering, but also highly important to our livelihood.

When a new case comes across the desk, attorneys naturally assume that motions need to be filed, meetings set, possible pleas discussed and an overall strategy assigned. One thing that is not considered as much in this process is the possibility that some form of electronic evidence exists — evidence that might help the case or sink it entirely.

Most everyone carries at least one cellphone. We use tablets at bedtime to search the day’s news or read a book. Our cars choose navigation paths for us and save them for future use in the name of convenience. The computers we use for email at work are backed up to “the cloud” so we can access them anywhere.

What does this mean when it comes to e-discovery?

By the time an attorney takes a case, some of the information that he or she seeks likely will be lost due to either a purge, purposeful deletion, “accidental deletion,” server migration or any number of other reasons.

The most damning pieces of evidence in cases used to be emails. Now, it may be text messages or social media posts. Attorneys don’t have the luxury law enforcement has of a special company phone line or email address to get anything needed for a case without court intervention.

So, where to start?

Figure out what could be the crux of the case in terms of electronic evidence. Are there cellphones, emails, GPS, phone towers, thumb drives, home computers, police cruiser MDTs, pagers, or VOIP involved in the case? The list can go on and on. Once an attorney identifies what to look for, he or she can begin the long task of asking for what is wanted.

In anticipation of actually obtaining the data needed, typically an attorney would send out a preservation letter to the other party or custodian of records outlining a potential need to access records that may otherwise be deleted through the normal course of business practices. This letter may be to a company such as AT&T for customer subscriber information or to Verizon for call detail records on a client’s cellphone account. It may be to the plaintiff or defendant telling them to not dispose of that brand new iPhone 7 that was making a noise so they threw it away instead of getting it fixed. (That happens.)

The website is a great place to start. gives the names and addresses of any ISP in the country. The information listed tells what is required to obtain a specific set of information as well as the person who handles these requests. Most of the time, you will need a subpoena to get anything of value from a company. However, if you send the preservation letter as soon as you take a case, the chance of getting exactly what you want in deliverable form is much better.

Even with a subpoena, attorneys are only going to get metadata about an account. For example, if you want to obtain the actual text message from the ISP sent between User A and User B, you are out of luck. However, if you want to get the date, time, sent to, sent from, size and a few other nuggets, then you just arrived at your destination.

In order to get the actual text messages, you will have to look in one of five other places: the phone of User A, the phone of User B, User A’s home computer (where hopefully he or she religiously backs up the phone), User B’s home computer, or “the cloud” for either user.

With the ability to spoof text and email messages, I see attorneys and prosecutors far too often rely on one set of data as the proverbial “Holy Grail.” Many judges and jurors do not know that there are apps, methods and programs that have the sole purpose of making it look like a text message or email was sent from someone when it was not.

If an exam is conducted of User A’s phone, what do you really have? If, however, an attorney has call detail records and an exam of the phone, the case against spoofing just got a lot stronger.
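
The corroboration described above, as an added example that is not part of the original column: a Python sketch that reconciles messages recovered from a phone exam against carrier call detail records and lists what appears in only one source. The field names, phone numbers, timestamps and the 120-second tolerance are constructed assumptions; real carrier record layouts vary, and both sources are assumed to use the same time zone.

```python
from datetime import datetime, timedelta

# Constructed sample data: carrier call detail records (metadata only, no text).
CARRIER_CDR = [
    {"time": "2017-03-01T14:02:11", "from": "3175550101", "to": "3175550102", "type": "SMS"},
    {"time": "2017-03-01T14:05:40", "from": "3175550102", "to": "3175550101", "type": "SMS"},
    {"time": "2017-03-02T09:15:03", "from": "3175550101", "to": "3175550102", "type": "SMS"},
]

# Constructed sample data: messages recovered from the exam of User A's phone.
PHONE_EXAM = [
    {"id": 1, "time": "2017-03-01T14:02:09", "from": "3175550101", "to": "3175550102", "body": "Running late"},
    {"id": 2, "time": "2017-03-01T14:05:44", "from": "3175550102", "to": "3175550101", "body": "OK"},
    {"id": 3, "time": "2017-03-01T22:47:00", "from": "3175550102", "to": "3175550101", "body": "Call me now"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def reconcile(phone_msgs, cdr_rows, tolerance_s=120):
    """Pair each phone message with at most one carrier SMS record that has the
    same sender and recipient and a timestamp within the tolerance."""
    tol = timedelta(seconds=tolerance_s)
    unused = list(cdr_rows)
    matched, phone_only = [], []
    for msg in sorted(phone_msgs, key=lambda m: m["time"]):
        candidates = [
            r for r in unused
            if r["type"] == "SMS" and r["from"] == msg["from"] and r["to"] == msg["to"]
            and abs(_ts(r["time"]) - _ts(msg["time"])) <= tol
        ]
        if candidates:
            # Take the closest record in time and consume it so it cannot match twice.
            best = min(candidates, key=lambda r: abs(_ts(r["time"]) - _ts(msg["time"])))
            unused.remove(best)
            matched.append((msg["id"], best["time"]))
        else:
            # No carrier record: needs a closer look (possible spoofed or
            # fabricated entry, or a message sent through an app over data).
            phone_only.append(msg["id"])
    # Carrier records with no phone message: possibly deleted from the handset.
    return {"matched": matched, "phone_only": phone_only,
            "carrier_only": [r["time"] for r in unused]}


if __name__ == "__main__":
    print(reconcile(PHONE_EXAM, CARRIER_CDR))
```

An unmatched entry in either direction is a lead for further examination, not a conclusion on its own.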

The extra court motion, email or phone call could end up highly favorable to your side, or, if you do not react properly, could end up in sanctions or even a spoliation claim.

Locate all potential data sources, find the ISP at, send out your preservation letters and subpoenas, and get your case on the right track from an e-discovery standpoint.


Darren R. Miller is a computer forensic examiner at Strategic Forensic Partners LLC in Fishers, Indiana. He handles computer-based investigations as well as cell phone examinations. Miller has 16 years’ experience and has testified as an expert in state and federal courts in both criminal and civil cases. The opinions expressed are those of the author.
