Monday, December 29, 2008

litsupport summary for the week ending on 12/28/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

A.
  1. Alt - Print Screen -> Save as a JPEG -> Open In PAINT -> Crop -> and re-Save;
  2. Print driver: http://www.zan1011.com;
  3. Adobe acrobat free 30-day trial.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (aline.bernstein@gmail.com).

litsupport summary for the week ending on 12/21/08

A.
  1. Scan the media using File Investigator and export the captured metadata as a CSV file;
  2. Extract the metadata and place it in the load file that you will use to import the TIFF/PDF into your review tool, using programs such as Discovery Assistant, LAW or Discovery Cracker;
  3. Use something such as Metadataminer Catalogue to extract the metadata from the Word documents, then import into your review tool linked with the appropriate documents;
  4. If the files need to be copied from the CD to the computer, use Robocopy or SafeCopy to preserve metadata;
  5. Use a standalone tool like MetaDiscover from Pinpoint Labs;

Friday, December 19, 2008

litsupport summary for the week ending on 12/14/08

A. Timecoder Pro has that built in; rename the VOB file extension to .mpg, then convert to MPEG-1 via MediaCorder; Handbrake; TPMG; Xilisoft DVD Ripper; #1 DVD Ripper;


Tuesday, December 9, 2008

litsupport summary for the week ending on 12/07/08

Q. How old is this group today?
A. 10 years.

litsupport summary for the week ending on 11/30/08

Q. No knowledge items of permanent value?
A. Nope!

Sunday, November 30, 2008

litsupport summary for the week ending on 11/23/08

Q. A utility to rename a lot of files?
A.
  1. NameWiz;
  2. RenameMan;
  3. The Rename;
  4. Magic File Renamer;
  5. Rename;
  6. Perl script (for those in the know);
  7. WildRename;
  8. Renamer;
  9. Bulk Rename Utility;
  10. Better File Rename;
  11. Write a DOS batch file, only be careful to use copy instead of ren :)
  12. Total Commander;
Q. What is the easiest way to print out metadata in office files, without corrupting that data?
A.
  1. Meta Viewer from PinPoint Labs;
  2. Metadata Assistant from Payne Group;
  3. A script described in a (somewhat technical) blog;

Monday, November 17, 2008

litsupport summary for the week ending on 11/16/08

Q. How would one export e-mails from Thunderbird to import into Outlook?
A. 

   1. Thunderbird is a free, open-source email client hailing from Netscape and currently part of Mozilla. It may use IMAP or POP3. The choice of export method depends on the metadata requirements. Keep in mind that few MIME email packages store attachment dates, so those may be lost;
   2. Aid4Mail is a commercially available software supporting multiple mail formats;
   3. Use IMAPSize to convert to .eml, then convert to PST or import into LAW, see detailed instructions here;
   4. It's important to note that Thunderbird uses two files and the one containing the messages doesn't have an extension, see more details here;
   5. Check out the tutorial here;
   7. As with all conversion of documents, one should perform thorough tests as to the accuracy of the results compared to the original data, and also take note of what metadata may have been lost (or gained) during the process.
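
An added example, not from the original postings: the Python sketch below locates Thunderbird's extension-less mbox folder files (item 4), writes each message out as .eml (item 3), and records a manifest that is later used to test the exported files against the source (item 7). All function names, the sample addresses and the sample messages are constructed for illustration; it assumes the standard `mailbox` and `email` modules only.

```python
import hashlib
import mailbox
import os
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

FIELDS = ("message_id", "date", "from", "subject", "attachments", "sha256")


def find_mbox_files(profile_dir):
    """Folders are extension-less mbox files with a companion <name>.msf index."""
    names = set(os.listdir(profile_dir))
    return sorted(os.path.join(profile_dir, n) for n in names
                  if "." not in n and n + ".msf" in names)


def fingerprint(raw):
    """Parse raw message bytes and summarise what a reviewer relies on."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = [
        (part.get_filename(),
         hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest())
        for part in msg.iter_attachments()
    ]
    return {
        "message_id": str(msg.get("Message-ID", "")),
        "date": str(msg.get("Date", "")),
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "attachments": attachments,
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def export_mbox_to_eml(mbox_path, out_dir):
    """Write one .eml per message and return a manifest taken from the source."""
    os.makedirs(out_dir, exist_ok=True)
    box = mailbox.mbox(mbox_path, create=False)
    manifest = []
    try:
        for n, key in enumerate(box.keys(), start=1):
            raw = box.get_bytes(key)  # message bytes without the mbox "From " line
            name = f"{n:06d}.eml"
            with open(os.path.join(out_dir, name), "wb") as fh:
                fh.write(raw)
            entry = fingerprint(raw)
            entry["file"] = name
            manifest.append(entry)
    finally:
        box.close()
    return manifest


def verify_export(manifest, out_dir):
    """Re-read the .eml files and list every difference from the manifest."""
    problems = []
    on_disk = sorted(f for f in os.listdir(out_dir) if f.endswith(".eml"))
    expected = [e["file"] for e in manifest]
    if on_disk != expected:
        problems.append(("(export)", "file-set", expected, on_disk))
    for entry in manifest:
        path = os.path.join(out_dir, entry["file"])
        if not os.path.exists(path):
            continue
        with open(path, "rb") as fh:
            got = fingerprint(fh.read())
        for field in FIELDS:
            if got[field] != entry[field]:
                problems.append((entry["file"], field, entry[field], got[field]))
    return problems


def build_sample_profile(profile_dir):
    """Constructed sample data: an 'Inbox' mbox with two messages and Inbox.msf."""
    box = mailbox.mbox(os.path.join(profile_dir, "Inbox"))
    for i in (1, 2):
        m = EmailMessage()
        m["From"] = "alice@example.com"
        m["To"] = "bob@example.com"
        m["Subject"] = f"Constructed sample {i}"
        m["Date"] = f"Mon, 10 Nov 2008 09:0{i}:00 -0600"
        m["Message-ID"] = f"<sample-{i}@example.com>"
        m.set_content("Please see the figures for this week.\n")
        if i == 1:
            m.add_attachment(b"a,b\n1,2\n", maintype="application",
                             subtype="octet-stream", filename="numbers.csv")
        box.add(m)
    box.close()
    open(os.path.join(profile_dir, "Inbox.msf"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as profile:
        build_sample_profile(profile)
        for box_path in find_mbox_files(profile):
            out = os.path.join(profile, "eml_export")
            manifest = export_mbox_to_eml(box_path, out)
            print(os.path.basename(box_path), len(manifest), "messages,",
                  len(verify_export(manifest, out)), "discrepancies")
```

The same manifest can be compared against whatever a later conversion step hands back, which is where lost attachment data or altered headers would show up as listed discrepancies.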

Monday, November 10, 2008

litsupport summary for the week ending on 11/09/08

Q. Was there anything to say?
A. No, nothing this time.

Thursday, November 6, 2008

BYOS - Build Your Own Startup: Slideshare, a Successful Startup in the Cloud

In this episode, Bernard talks about a cloud computing company. True, it is not his, but his friends', so it should also count. 

Everybody is in the cloud, where is the common man?

Hardly a day passes by without a dozen articles about the cloud. Microsoft promised Windows clouds called Azure, and Google and Amazon already provide clouds of computers to hundreds of thousands of developers. But what's in it for the people?

Bernard Celebrates The Successes of His Friends

Bernard:  Hi, Pleemo, I have not seen you for ages, it looks like you've been hiding, and I suspect I know why. You have not gone too far with your prototype on the Google App Engine!
Pleemo: You are correct, Bernard, but I in turn have not seen you anywhere. I think I know why you haven't shown up - you could not come up with a business idea of your own.
Bernard:  You are also correct. I have a surprise for you though, but first tell me if you accept your defeat.
Pleemo:  I do. I could not keep up all my other projects and develop my prototype at the same time. Which proves that you were right and I was wrong: with all the excitement about the cloud, you still need a human to program it. And all programming projects take longer than planned.
Bernard:  Okay, Pleemo, don't be all that upset. Rather, look at what I have to show you. Admittedly, it is not my own idea and not my own startup, but that of my friends. Do you know SlideShare?
Pleemo:  I've heard about it.
Bernard:  Well, then you may know that this is an online place to share your slides, in formats such as Microsoft PowerPoint or OpenOffice Presentations. What you might not know, however, is that this is a high-profile startup which runs completely in the cloud. 
Pleemo:  What is high-profile about it?
Bernard:  First of all, it's the team, from whom I know some people. Here is the CEO, Rashmi Sinha, with Jon Boutelle (the head geek), and Guy Kawasaki (Garage Technology Venture, "The Capitalist Manifesto", remember?) you must have heard of at least one name! And yesterday a SlideShare application became available at LinkedIn. I call this a success, with 800K visitors monthly and 300% growth in the last year. All of that was possible because they run completely in the cloud, as Jon Boutelle would tell you. And BIG NEWS, they have recently got funded - they tell you about it in slides, of course!
Pleemo:  You've got me entranced. I knew part, but not all, of the story. 
Bernard:  Aha! That is the power of being connected with the right people. Thank you to my friends!
Pleemo:  But how does the cloud come in?
Bernard:  For that, look at the EC2 cloud, which has made the whole world talk about clouds. Steve Ballmer recently said that Microsoft was working on the cloud at the time that EC2 was released, measuring time in EC2 milestones.
Pleemo:  I'm all ears.
Bernard:  Here's the scoop. Slideshare would not be able to pull it off without the EC2 cloud. They do a lot of data crunching and data storing. When a user uploads a new slide show, it has to be converted to the SlideShare format, for best viewing. They use EC2 computers to do it. And when the user wants to see the show, it gets downloaded directly from the Amazon cloud. The SlideShare computers do no work - instead, they give it to Amazon's S3 (Simple Storage Service).
I have heard Jon Boutelle talk about "Bootstrapping SlideShare with Amazon Web Service and using S3 to avoid VC." You, Pleemo, should also read about how they use Ruby with Amazon S3 to speed up development - and they share the lessons they learned!
Pleemo:  So what do they gain?
Bernard:  A lot! S3 automatically scales up, so that when more people want the shows, S3 just adds capacity. S3 also backs everything up, so SlideShare does not have to. And of course, SlideShare only pays for what it uses. In fact, it was called the YouTube of slides (good marketing shtick which led to financing). Here is my friend Richard MacManus giving you his thoughts on their success.
Pleemo:  I will upload my next show there. You have beaten me and you have taught me a lesson. Beware, though, I have a great thing to tell you next time.
Bernard:  What is it?
Pleemo:  I am talking to a company which builds cloud applications for others. They are also a great success, and they have a unique approach of helping their clients succeed. So while you have found a great example, I may find a whole bunch of examples next time! Arrivederci!
Bernard:  Tot Ziens!

Conclusion
Pleemo and Bernard failed. They have not invented any new ideas. It is not that easy! But, it is okay to celebrate the successes of others and learn from others. What am I to do with such brilliancy? I will just keep listening and recording what I hear.

If you have your own questions or answers, leave your comments or join the discussion.

Monday, November 3, 2008

litsupport summary for the week ending on 11/02/08

Q. Is there anything to say?
A. No, nothing this time.

Sunday, October 26, 2008

litsupport summary for the week ending on 10/26/08

Q. What do litigation support professionals (LSP) see as the best way(s) for vendors to do their work?
A. Not strictly a technical question, but one that inspired important discussion. Note also by the style and sometimes capitalization that LSPs have responded earnestly to the issues that bother them, thus, it represents important input from them:
  1. Vendors should have a clear understanding of what they DO BEST at the time they are selling their worth; assess your talent (Operational - Managerial - Sales - Accounting/Payroll) and set GOALS for each department and review (really review) these goals every month; HIRE GOOD PEOPLE: hungry, optimistic, creative, "I will do whatever it takes to get the job done" and have a clear understanding of what it means to excel as a TEAM; have clear GOALS defined that can be easily explained to customers in less than 10 minutes that RESONATE; decide what is important in the market place TODAY – what clients need to solve their problems TODAY and what their problems ARE; make a decision that you will or will NOT be willing to invest in the TECHNICAL INFRASTRUCTURE to offer your clients; hire managers that have "PERSONAL INNER POWER" and believe in themselves and KNOW how to get the best out of people and know how to identify the "PERSONAL POWER" in others; finally, hire people that like the business, are passionate about what we are trying to accomplish and ARE WILLING TO again "DO WHATEVER IT TAKES."
  2. It's very frustrating for me to see a vendor wear down and drop the ball instead of riding out the wave with me until the case is put to bed. PLEASE hire GOOD TALENT that's willing to work any hours of the day since large law firms have 24hr needs (especially here in New York City). First thing I would do if I ran a vendor shop is to replace all of my "9-5 minded" employees with true soldiers;
  3. In complete disagreement with items 1 and 2 above: highly skilled people are hard to find; when you find them they often have professional development activities and/or a family that's just as important as 24 hr on-call; if you have employees who are married to your firm they will have a hard time keeping up with latest trends and tend to "burn-out" quicker because they're always "processing" and never see the light of day; if the vendor is lucky to find some person with no life that's willing to work at its beck and call, the salary they want for that far outweighs the benefits of hiring them to begin with; with great leadership, communication and teamwork these obstacles can be avoided to begin with – and then no one ever needs to bear the weight of a project(s) on his shoulders alone and everyone can have a life and a great professional career;
  4. In disagreement with item 3 above, remember that "I'm sorry your Honor, but my vendor has a life" doesn't go over very well when explaining why deadlines were missed. Any vendor who can't support a 24/7 solution is probably in the wrong business. You will always have the 2:00 am request that is needed by 7:00 am and the vendors who can support this will always win out in the end;
  5. If the vendor can't meet a deadline, tell the law firm upfront. There may be a court order in place subjecting the firm to sanctions, malpractice, etc.;
  6. Vendor point of view again: if you want the 24/7 service, you should be ready to pay at the price level required for it.

Friday, October 24, 2008

litsupport summary for the week ending on 10/19/08

Q. What do litigation support professionals (LSP) see as the best way(s) for a vendor to make first contact and follow up?
A. Not strictly a technical question, but one that inspired discussion:
  1. LSPs are very busy and have no time to talk to vendors. When they need information, they get it from the Internet. Therefore, LSPs likely won't see vendors unless they are in need of specific information, they are an old friend of the vendor, or there are previous employment ties or ties through other organizations. Attending or sponsoring CLE is one possible way;
  2. If you want to have success, be honest about your abilities, provide exceptional service, both before and after the "sale," and do business with the clients like you are the client. Spend more time listening to them about what they need, not what you are trying to sell them;
  3. Give the option of dealing directly with a tech and bypassing the salesman;
  4. Be honest. If you can't do something, just say so. If you can't do something and tell the LSP so, but also tell that you know who can do it, the LSP will be more inclined to take your advice and guidance. Knowing the technical aspects of the project is much more important. You have to be able to "walk the walk." Always take notes during project meetings. Missing information in a project spec. is not a good sign;
  5. Send news about products/services/prices by email rather than phone;
  6. PLEASE stop spamming attorneys with the same information you've given to LSPs. The attorneys simply forward the information to the team responsible for vetting vendors (LSPs) and the vendor looks like it is attempting to circumvent the process;
  7. People were of two minds regarding cookies supplied by vendors;
  8. Vendor is a bad term, should be replaced with something nicer.

Sunday, October 19, 2008

Technology for Lawyers and Paralegals: Book Review - Foundations of Digital Evidence

Electronic evidence presents unique authentication challenges. In this issue we review the latest book on the subject, "Foundations of Digital Evidence" by George L. Paul and add practical suggestions.


"Foundations of Digital Evidence" by George L. Paul, (C) 2008 by ABA, published in July 2008, 450 pages, price: $119.95.


Review

The book covers the philosophy and the history of the Law of Evidence, the Hearsay Rule, and their applicability or failures when the evidence becomes digital. It explains digital objects, treating them as an advanced form of writing, and explains when the "who, when, where, and what" of the digital evidence can be ascertained and the evidence authenticated, leading to the conclusion that in most cases the proper scientific authentication is not possible.

In contrast, as the book shows, the courts today will most likely overrule the admissibility and authenticity objections and allow into evidence documents which may not be authentic, avoiding the complicated technical and legal issues and letting the jury decide the matter as a question of the weight of the evidence. At this point the book advises practitioners who understand the current state of the matter to use it for their clients' benefit.

Having ascertained the less than perfect state of the law, the book suggests the changes in the Law of Evidence which would properly reflect the nature of digital evidence. It explains why the digital evidence is, after all, hearsay, but suggests that it should be allowed into evidence not as a business record exception, but as a new "Systems Reliability" exception. The book thus calls for changes in a number of areas. The judges should require more substantive evidence authentication, going beyond trivial showings. The law should be changed to reflect the nature of digital evidence. And the world of business should build the authentication of "who, when, where, and what" into the documents it produces.

Future trends


The last chapters of the book, written by experts in their respective areas, cover islands of an already existing, more stringent "eunomic" (that is, "ordered") world. These include the robust authentication mechanism built into PDF, the capabilities of public/private encryption systems, the specialized eunomia created by a group of mortgage players, electronic notarization, the arguably better treatment of digital evidence in five nations of the world (Argentina, France, Germany, Japan, and the Russian Federation), and the role of the vendor in handling digital evidence.

As Magistrate Judge Facciola writes in the preface to the book, the book and its author are revolutionary, suggesting new rules of evidence based not on tradition but on how digital information actually comes into creation. While only time will tell if Paul will prevail against the powerful forces arrayed against his approach, in the meanwhile the book serves as a remarkable, albeit demanding, intellectual exercise. It makes a most compelling case for the need to understand how computers work and to be aware of the reality that digital information, far from being inherently reliable, can be manipulated, corrupted, and misused.

Summary


The book is thus useful both as guidance for the many forces involved in forming the law, as well as providing the background and the specific legal and technical armory for the practitioners of today.

The author, Mr. George L. Paul, was kind enough to find time, amid his busy schedule of a trial lawyer, to read the review and verify that it does not contain obvious inaccuracies.

This review was written in the lull following hurricane Ike, which left Houston with no power, by the candle light. The quiet and the absence of interruptions allowed for a pleasurable study.

Practical suggestions

As the book convincingly shows, today's courts are more likely than not to admit unreliable evidence, simply because it was published by the computer. The authentication requirements are reduced to a trivial showing, so that once a witness testifies that the document is authentic, this testimony is accepted, without requiring that the witness be indeed thoroughly familiar with the document in question. Objections that the document lacks proper authentication, may be forged, and thus may not be what it purports to be are often overruled. In a recent case printouts of emails from Hotmail were admitted into evidence, until a forensics examiner proved that they were fabricated. What is a law practitioner to do in this situation?

As George Paul shows in the chapter entitled "A Day in the Life of the Printed Electronic Document," smart sleuthing can find the forgery. Individual analysis of every detail can be very time-consuming.

However, what if there is no forgery? What if the document could easily have been changed, in fact has been changed, and then printed? How can one challenge its authenticity? Just stating that it could have been changed is often not enough. Computer technology is complex, and "could have been" is not convincing in the face of the lack of understanding.

A more convincing way is to demonstrate in front of the court and the jury, how easy it is to forge a document in question. Our previous letter shows how anybody with a limited knowledge of web site authoring can completely change the story on a web site in a minute, then print the new site content looking as polished as the old one. Therefore, the challenge plan involves two steps: (1) find a way to forge the specific digital evidence, (2) rehearse and show an elegant presentation which will convince any layman that he could have forged this evidence with apparent ease. This will lead to the conclusion that the document is either inadmissible, or unauthenticated, or that the evidence it provides carries little weight.


Note: Legal information is not legal advice. Top8 provides information pertaining to business, compliance, and litigation trends and issues for educational and planning purposes. Top8 and its consultants do not provide legal advice. Readers should consult with competent legal counsel.

Top8 offers entire life cycle litigation support, from computer forensics to eDiscovery, scanning/OCR, document coding, on-demand review, attorney staffing, data hosting, and trial support.

The author gratefully acknowledges the editing help and numerous suggestions of Kelvin Rocquemore, Esq., of Trial Solutions.

The author is also thankful to his colleagues at the litsupport discussion group, whose discussions provide him with much inspiration and knowledge.

Sunday, October 12, 2008

litsupport summary for the week ending on 10/12/08

Q. What are the pros and cons of producing emails in MSG format (continued)?
A.
Pro: MSG files are what you want and as a requesting party what you should request. This type of file coupled with a product that will automatically pick up the metadata and allow you to use it to search and review and find stuff along with free text search will save tons of time and money. This is not the case with TIF's of emails;

Con: With regard to delivery of single-page TIFFs, that is commonplace when using a document review tool such as Summation or Concordance. Particular information, including begdoc, enddoc, begattach, endattach, is delivered along with the images to allow the lawyers to know the document boundaries and family groupings. A benefit of having an image file is that it allows redactions as well. You can't redact a native file in general.

Synthesis: convert native files to tiff, extract the text and metadata and then load the TIFF, native file, metadata and extracted text giving the attorneys everything they might need in one place - thus have the best of both worlds.

Q. Are attorneys entitled to take their work-product when they leave the firm?
A. The answer was summarized by the author of the question, and thus required little editing work. However, it was too valuable to be left out for this reason.

Observations from in-house counsel and staff assert that as a matter of corporate policy attorneys' work-product belongs to the company. Consequently, corporate counsels' offices do not provide departing attorneys copies of the attorneys' e-mails and other documents, not even those which relate to personal business or even benefits.

By contrast, observations from private law firms' attorneys and staff take the opposite position: firms normally deliver to departing attorneys "their" work-product and other documents. Naturally, if the client to whom the documents relate requests the documents, then the firm must tender the documents. Yet, to protect their own interests as "firm of record," some firms withhold the documents, or at least retain copies of them, until a formal Withdrawal and Substitution order is approved. Yet even absent that client request, in many jurisdictions the work-product belongs to the attorney, not the firm. All this seems to be addressed state-by-state.

As always, interesting complications were identified. Please see the original post for details.

Thursday, October 9, 2008

Monday, October 6, 2008

litsupport summary for the week ending on 10/05/08

Q. What are the pros and cons and other considerations of native production in the MSG format?
A. Considerations:
  1. An .MSG is the native file format for Outlook message files. One MSG file equals one message in Outlook with its associated content (i.e. attachments);
  2. This production is allowed, but one can choose to argue if the agreed upon format was TIFF, which may turn out to be another court battle.
Pros of MSG (or EML) v. TIF:
  1. Searchability;
  2. Inclusion of email metadata, headers, etc.
  3. There is no need to convert to TIF and OCR. Just be careful with attachments, however, as they may be encoded and not directly searchable without prior extraction;
  4. Attachments and embedded files are seen as the person who created or used would have seen;
  5. Ability to inspect email threads, verify time zones, make sure one sees actual email addresses rather than just the names displayed in a print job, get all the names and not just the ones that made it to the print job, have a generally more reliable access to attachments;

Cons
  1. Since emails are not in an "e-paper" format like TIF, review may require additional production effort (such as "early assessment" technology products), adding Bates numbers, etc.;
  2. Emails may come in unsorted folders;
  3. The production may not have been QC'd;
  4. MSG production may include data that was not intended for production. For example, the parent email was responsive, but the attachments were not;
  5. Redactions will not appear on the MSG files;
  6. By providing information in MSG format, the associated metadata with the files may not be preserved;
  7. Attorneys can review documents faster when they are in image form as opposed to native, further increasing costs to the client;

Thursday, October 2, 2008

litsupport summary for the week ending on 9/28/08

Q. In addition to Kroll, Fios Webcasts and Estrin Legal, what EDD training is there for beginners?
A. Start with http://www.AIIM.org for $150, then continue with their webinars for free; State Bar Associations have EDD webinars; LITWORKS will teach about Concordance, Summation, repositories, processing workflow, real case best practices; Randall Consulting; Jason Park of the MD5 Group.

Q. How to convert a PDF to Word?
A. PDF Converter by Nuance; OmniPage Pro; FineReader; ScanToOffice; Abbyy; full version of Adobe; pdfDocs for a server-based solution; DocsCorp; perhaps editing a pdf will do: tools, advanced editing, touch up text, then highlight document changes.

Q. How to scrub out all metadata, comments, etc. from a PDF file?
A.
  1. Be especially careful if the PDF was created from Word. For example, if you use Print to PDF and DO NOT (a) accept all track changes, and (b) scrub the file when printing to PDF, your comments, etc. WILL be able to be retrieved. Therefore, choose File->Print->Adobe, select "Document only" in the "Print What:" drop-down box, and under the Adobe Print Properties menu uncheck "Add Document Information" to limit the passing of metadata to the PostScript driver;
  2. A surefire way is to convert to tiff or JPG and then to Adobe PDF;
  3. Microsoft released Office 2003/XP Add-in: Remove Hidden Data;
  4. This is built into Office 2007: under the MS icon go to Prepare and then Inspect Document, where there is an option to remove metadata; then you may use the MS tool called Save As PDF;

Monday, September 22, 2008

litsupport summary for the week ending on 9/21/08

A lot of important and useful information is posted to litsupport each week. However, this past week was very special. Probably due to the combination of double trouble, locally - hurricane Ike in Houston and in Texas, and globally - arguably the most serious economic crisis since the Great Depression, the group boasted precious few scientific and technical posts.

Instead, I decided to share my personal impressions of Ike in Houston. Life without electricity was not that bad. Here is a picture of me studying "Foundations of Digital Evidence," the review of which I will publish soon.

We were lucky to have a cold front come at an unusual time, and precisely after the storm. I have grown accustomed to waiting for the quiet evenings when everybody got around the table to read by candlelight. Of course, a laptop with a wireless connection was our first priority, even if the car battery which charged it later had to be replaced.

People exhibited their best qualities. Everybody was very friendly and helpful. We felt all in the same boat with no power.

I also think that Houston got an unusual share of good luck. Papers were filled with photos of near misses. A tree almost hitting the house but not quite. A mother with the baby standing next to the house which the tree missed, hitting instead the toy house.

Many are still without power, going to work may take two hours, especially if you take the kids to a makeshift school at a new location. Many people on litsupport showed their support to friends and to all Houstonians, and this was very precious.

Best wishes to all.

Mark

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (aline.bernstein@gmail.com).

Tuesday, September 16, 2008

litsupport summary for the week ending on 9/14/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. Is it really that bad in Houston after hurricane Ike?
A. Yes, pretty bad. Most people do not have power, streets are still being cleared from debris and broken glass, Galveston had it the worst, and rescue teams are still at work. However, the good side is that there are very few casualties. I am writing from a wireless laptop connected to my car power outlet.

Q. What are the requirements for the business case to bring ESI processing in-house?
A. In addition to investigating the list of vendors (LAW, IPRO's e-Capture, Discovery Cracker, Extractiva, eDiscovery Tools, ImageMAKER Discovery Assistant) and their capabilities, one should also consider:
  1. Data! If you have a data set and an audit of each file this will help tremendously in evaluating any tool;
  2. It will help to do some basic tests of a few programs on the market this year with your .PST sample set;
  3. One industry consultant reports that the best score for the programs that he tested with his .PST set was 84%;
  4. Some programs are unable to handle unlimited nesting of attachments, read attachments and embedded items in Adobe 8 files, or read container files within container files.

Q. Can a law firm require unlimited liability in agreements with 3rd party ESI vendors?
A. A few national law firms (AmLaw 50) have been demanding and getting agreements of unlimited liability. Those vendors signing have predominantly been smaller players so it does not mean much to the law firms. However, there has been one upper tier vendor that signed on for unlimited liability.

Q. What are the pros and cons of using XML to store and retrieve EDD information?
A. A complete discussion is found on litsupport here, but in brief it would depend on which kinds of EDD information, as below,

The PROS:
- XML can incur less overhead than a database, and may fetch relational data quicker;
- file-based - easy to relocate and move around;
- can be understood by any platform and language;
- well-formed XML stores relational and hierarchical data logically and efficiently;
- smaller XML files can fit entirely into memory, and once there, can be queried nearly instantaneously.

The CONS:
- Write-once, read-many - not for rapidly or frequently changing data;
- No ACID compliance (Atomic, Consistent, Isolated and Durable);
- XML prefers to be read end-to-end;
- XML is single-threaded;
- XML is file-based rather than server-based;
- XML has no business logic or constraints.

More pros and cons can be advanced depending on the file system, server, and implementation.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (aline.bernstein@gmail.com).

Tuesday, September 9, 2008

litsupport summary for the week ending on 9/07/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. A solution to grab an entire website for display during trial without having Internet access?
A.
  1. Adobe 8 has a webcapture function. For embedded flash videos one can keep a screenshot in the Adobe PDF webcapture and then use the free open source CamStudio to record the audio and video right off the screen. It does lose a little resolution, but it is good enough for the purpose;
  2. Save the embedded videos (directly from the hosting website or using stream capturing software) to your laptop's local drive and fix the HTML links to point to them. This may require editing the JavaScript;
  3. HTTrack can collect the page or the site, Area Tube helps download videos from YouTube and MySpace;
  4. Teleport;
  5. wget (some programming in Perl or other language may be required);
  6. Camtasia can create a movie of a site;
  7. And in all these cases the authentication of the web site evidence is not obvious.

Q. Can we rely upon the log to identify the custodian of a document despite the location of the documents on a network share (either Home share or Departmental share)?
A. This approach is not defensible for many reasons:
  1. One cannot rely on the metadata value in the file or from the backup software to determine the author of the document. A document can be authored by John, e-mailed to Jane, modified by Jane and forwarded to Ted, who saves it to his personal folder on his department's file server;
  2. In a corporation, just with hires and fires over time one can not expect the log to be accurate - especially with unstructured data;
  3. Most OS and user environments do not have reliable metadata.
A practical approach may be to first set acceptance criteria (i.e. what percentage error you are willing to tolerate) and then do a representative sample of known folders and check. If that field is consistent and matches to the known authors, document it and make sure that counsel understand and approve the methodology.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (aline.bernstein@gmail.com).

Monday, September 8, 2008

Old-School Attorneys Face E-Discovery of New World

Two years ago, Patrick McLaughlin used a Dictaphone when working on pleadings for his criminal cases. But times have changed for the assistant U.S. attorney, who has graduated from using the recording device – to dictating to his legal secretary.

“I never became comfortable with the idea of sitting down and typing out documents,” said McLaughlin, 58, who prosecutes drug traffickers and money launderers for the U.S. Attorney’s Office.

He’s one of many trial lawyers who started practicing before the Internet came into common use. They are now facing a changing legal landscape as technology takes a larger place in the world of law, specifically in the area of electronic discovery.

read complete story...

Wednesday, September 3, 2008

Did the opposing side hide some files?

In usual requests for production, you have to rely on the opposing party to follow the correct protocol and to produce all relevant ESI. To verify or challenge the protocol, you need to substantiate the claim, pointing out the ESI that has not been produced. But how can one point to the information if it has not been produced? We seem to have a vicious circle.

There is a way, however, and this way includes correctly crafted requests for metadata production. The request needs to be specific enough that it is not considered a fishing expedition. It has to be simple, so that it is not overburdensome. All this means that you have to do your homework on both the FRCP rules that apply and the technology that is relevant. This article from the Metropolitan Corporate Counsel explains how to ask for Windows metadata, such as registry and log files, in the proper way.

Tuesday, September 2, 2008

litsupport summary for the week ending on 8/31/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. Is there a simple way to have Microsoft Exchange Outlook to curtail, organize and push retention of email? For example, after the received date turns 90 plus days old - the application would push the question to purge the email, save, etc.
A. Outlook 2007 policy. Just change the Archive to delete. Not perfect or granular (i.e. folder dependent), but easy if you want everything over 90 days to go away. If you use a local PST for your 'permanent' records, it should work.


Q. Should one give a negative review of a vendor on the litsupport group?
A.
Yes. This is what the group is for, and users will not be swayed by the negative report one way or the other. Otherwise the group becomes a place for vendors to stroke each others' egos and gang up on anyone with an honest review. What else is one to do if one's job got messed up by a vendor?
No. Other vendors will not be willing to work with a firm that published a negative review, because they will be afraid of a scathing review of them; one might violate an NDA; quashing negative responses to anything is simply a natural response for some; private messages are very appropriate given that litsupport is a large group, and posting on it can mean loss of business and reputation to some firms; after all, problems happen.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (aline.bernstein@gmail.com).

Monday, September 1, 2008

Technology for Lawyers and Paralegals: Evidence Authentication - Web Site Content

Electronic evidence presents unique authentication challenges. What are the specific issues for web site contents?

Judge Grimm on Evidence

In his memorandum opinion in Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534 (D. Md. 2007), Magistrate Judge Grimm remarks that "considering the significant costs associated with discovery of ESI, it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration during summary judgment because the proponent cannot lay a sufficient foundation to get it admitted."

In this issue we investigate ways to authenticate and bring into evidence web site contents, and potentially challenge the same.


Laying foundation and challenging it

As Judge Grimm explains, whenever ESI is offered as evidence, the following evidence rules must be considered: (1) is the ESI relevant as determined by Rule 401 (does it have any tendency to make some fact that is of consequence to the litigation more or less probable than it otherwise would be); (2) if relevant under 401, is it authentic as required by Rule 901(a) (can the proponent show that the ESI is what it purports to be).

It is item (2) that poses the most significant technological challenges. If an item of evidence can be easily forged by a lay person, a developer, or a hacker, it is inherently inadmissible, because it may not be what it purports to be.

Let us review some simple ways in which web site content can be forged. The first way is explained in a PDF file which can be downloaded from here.

In short, one saves the real web site with the web browser "File-Save Page As" command. This creates a local copy of the page on one's hard drive. This local copy looks just like the original site, except that the URL indicates that it comes from the local hard drive. We then modify the content with the text editor, re-display it in the browser, but before printing the site we substitute the URL. This can be accomplished in under one minute and can turn a story of a happy marriage into a story of divorce.

This explains why a web site printout is inherently unreliable and can not be brought into evidence without additional effort. See St. Luke's Cataract & Laser Inst., P.A. v. Sanderson (M.D.Fla.,2006.Slip Copy) 2006 WL 1320242 where an affidavit from an Internet Archive representative with personal knowledge was required (but more on this later), and Telewizja Polska USA v. Echo Star Satellite Corp. 2004 U.S. Dist. Lexis 20845, 2004 WL 2367740 (N.D.Ill.)

As a next step, the attorney may try to bring a witness to authenticate the site content. This witness may be directed to type in the URL in the browser, then testify about what he has read. This approach, however, can be challenged on two points. Web sites today are dynamic, displaying different content to different users. Virus writers use this to hide malicious sites or valid sites which have been infected by them. Such sites display malicious contents to the user only once. Alternatively, the site may change the verbiage in a slight way in a matter of seconds, so that the witness can be challenged on the basis of his inability to correctly preserve every word of the page. If the witness saves the contents in a Word file, we face the problem of authenticating this Word file, which we discussed in another post.

Another attempt may be to subpoena the web site's administrator and make him testify about the site content. Again, this testimony is open to challenge. For one, hackers may get access to the site and modify its contents. To rebut this challenge, we would have to verify the site's defenses, which is not an easy task. Even if we succeed in reasonably proving that the site has not been hacked, there is another beast lying in wait: dynamic modification of site content, known technically as JavaScript DOM injection. This technique was recently used to infect more than 10,000 Italian web sites. Simply put, web sites do not only serve the contents of the web pages residing on the servers. In addition, web servers have cache, which can be modified to show words, links, and images never intended by their owners. In the attack mentioned above, Google search results would display the injected content, inviting users to click on the links leading to hackers' sites.

In addition, in the last example multiple users from many parts of the world were shown the content injected by hackers, for which the owners of the site could hardly be held responsible. Thus, testimony of multiple users from many places in the world would be of no avail.

Finally, let us analyze the conclusions of St. Luke's Cataract & Laser Inst., P.A. v. Sanderson (M.D.Fla.,2006.Slip Copy) 2006 WL 1320242. Here the court decided that websites are not self authenticating and therefore the court required a statement or affidavit from an Internet Archive representative with personal knowledge of the contents of the Internet Archive website.

Note that although the court found this sufficient in 2006, today it could have been open to challenge once again. If the sites can be statically or dynamically made to display any contents that the hacker wants, then the Internet Archive is irrelevant and the testimony of the representative testifying on how his system works does not help. He may know how his system works, but if the system can be easily duped, then his words do not help the problem at hand, that is, the authentication of the contents as the official point of view of the site owners.

Step by step approach

If all or most of the attempts to bring the web site contents into evidence based on technology can be challenged, do we have any way to use the web site content in trial? The answer is yes, and it is based on the combination of legal and technical knowledge which looks deeper into the web site development.

Let us first look at the means provided by the rules of evidence. As explained in Judge Grimm's memorandum quoted above,

  1. Authentication also can be accomplished in civil cases by taking advantage of FED. R. CIV. P. 36, which permits a party to request that his or her opponent admit the "genuineness of documents."
  2. At a pretrial conference, pursuant to FED. R. CIV. P. 16(c)(3), a party may request that an opposing party agree to stipulate "regarding the authenticity of documents," and the court may take "appropriate action" regarding that request.
  3. If a party properly makes his or her FED. R. CIV. P. 26(a)(3) pretrial disclosures of documents and exhibits, then the other side has fourteen days in which to file objections. Failure to do so waives all objections other than under Rules 402 or 403, unless the court excuses the waiver for good cause. This means that if the opposing party does not raise authenticity objections within the fourteen days, they are waived.


These were the ways of authenticating a web site based on the evidence rules, and they would apply to other kinds of evidence as well. It is time now to look at the ways specific to web sites.

Web sites do not exist in a vacuum, and their content, when published, is not pulled from thin air. Rather, it is kept on the web developer's computer. Therefore, a discovery request to produce the development environment on the web developer's machine is more germane and is closer to the source. The web developer's machine is less likely to get hacked, because it is not directly accessible from the outside web. This answers the hacking challenge. It may also contain multiple copies of the content, thus helping to establish the authenticity even further. Moreover, in today's development environment, it is often not one but multiple developers who are creating the content. A production request against all of these computers will cross-confirm the content.

Just as important, a production request aimed at the developer machines will turn up email communications between the developer and the management. After all, it is the management who is ultimately responsible for the web site pronouncements.

More often than not, the web site code is also stored in a version control system, such as CVS, Subversion, or SourceSafe. These systems are designed to keep every version of the files changed by developers, with the developer attribution, and often a developer comment.
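An added illustration, not part of the original article: assuming the repository history has been produced as `svn log -v --xml` output, this Python example lists every recorded change to one page and finds the revision that was in effect on a given date. The log entries, authors, paths and messages are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the format written by `svn log -v --xml`.
SAMPLE_LOG = """<log>
<logentry revision="41">
<author>jdoe</author>
<date>2008-06-02T09:12:44.000000Z</date>
<paths><path action="A">/trunk/site/about.html</path></paths>
<msg>Initial About page</msg>
</logentry>
<logentry revision="57">
<author>asmith</author>
<date>2008-07-30T16:45:10.000000Z</date>
<paths><path action="M">/trunk/site/about.html</path></paths>
<msg>Reword partnership paragraph per management email</msg>
</logentry>
<logentry revision="63">
<author>jdoe</author>
<date>2008-08-05T11:02:00.000000Z</date>
<paths><path action="M">/trunk/site/contact.html</path></paths>
<msg>Update phone number</msg>
</logentry>
<logentry revision="70">
<author>jdoe</author>
<date>2008-08-20T08:30:15.000000Z</date>
<paths><path action="M">/trunk/site/about.html</path></paths>
<msg>Remove partnership paragraph</msg>
</logentry>
<logentry revision="81">
<author>asmith</author>
<date>2008-09-01T13:00:00.000000Z</date>
<paths><path action="D">/trunk/site/about.html</path></paths>
<msg>Retire About page</msg>
</logentry>
</log>"""


def parse_log(xml_text):
    """Turn the XML log into a list of dicts ordered by revision number."""
    entries = []
    for node in ET.fromstring(xml_text).iter("logentry"):
        stamp = datetime.strptime(node.findtext("date"), "%Y-%m-%dT%H:%M:%S.%fZ")
        entries.append({
            "revision": int(node.get("revision")),
            "author": node.findtext("author", default="(none)"),
            "date": stamp.replace(tzinfo=timezone.utc),
            "message": (node.findtext("msg") or "").strip(),
            # path -> action: A(dded), M(odified), D(eleted), R(eplaced)
            "paths": {p.text.strip(): p.get("action") for p in node.iter("path")},
        })
    return sorted(entries, key=lambda e: e["revision"])


def history_for(entries, path):
    """Every recorded change to one file: who, when, what action, what comment."""
    return [e for e in entries if path in e["paths"]]


def revision_in_effect(entries, path, when):
    """Latest change to `path` committed on or before `when`.

    Returns None if the file did not exist yet or had been deleted by then.
    """
    current = None
    for e in history_for(entries, path):
        if e["date"] <= when:
            current = None if e["paths"][path] == "D" else e
    return current


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    page = "/trunk/site/about.html"
    for e in history_for(log, page):
        print(e["revision"], e["date"].isoformat(), e["author"],
              e["paths"][page], e["message"])
    hit = revision_in_effect(log, page, datetime(2008, 8, 10, tzinfo=timezone.utc))
    print("In effect on 2008-08-10:", hit["revision"], "by", hit["author"])
```

The revision found this way can then be checked against the developer e-mail and the copies on the developers' machines that the article discusses.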

The requests discussed above should serve as a solid foundation to authenticate the web site content in question. The developer's machine containing email and instant messaging communications with the management will give additional insights into the reasons and timing/contents of the changes.

To summarize, a solid understanding of both the technical and the legal issues involved in web site development will help to lay proper foundation in getting the web site evidence admitted in court.

The author gratefully acknowledges the editing help and numerous suggestions of Kelvin Rocquemore, Esq., of Trial Solutions.

The author is also thankful to his colleagues at the litsupport discussion group, whose discussions provide him with much inspiration and knowledge.

Thursday, August 28, 2008

What is wrong with eDiscovery

The article in the Economist
  1. Argues that the US legal system is already a "sick patient", and eDiscovery threatens a lethal "spike in fever";
  2. As an example, talks about a discovery request to produce the MySpace, Facebook, and chat records of teenage girl patients, related to a medical insurance lawsuit;
  3. Explains that many foreign countries limit the discovery due to their inquisitorial system, compared to the US adversarial system;
  4. And suggests that the judges should limit the amounts of eDiscovery.
I could not agree more, and I have seen opinions that the new FRCP rules have failed to stem the deluge of eDiscovery. However, these are lonely voices, and I do not see the easement coming soon. Currently, most of the effort is in coming to grips with eDiscovery, both for lawyers and judges, and not in finding what is wrong and fixing it.

Tuesday, August 26, 2008

litsupport summary for the week ending on 8/24/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. What are the ways to destroy information on a hard drive before disposing of it?
A. DBAN, EBAN, sledgehammer, blowtorch, gun (for those so inclined), sanding the face of each drive plate, drilling through the drive, commercial hard drive destructors, crashers, and shredders, for fun search youtube for harddrive and thermite.

Q. A simple way to capture video, such as from a bank surveillance tape to convert it to AVI?
A. Quick Media Converter, VideoHelp, VLC, 3GP, M1 Edit for capture and simple editing, remember to export in the correct format per platform you'll be using in court, Camtasia Studio Screen Recorder, ED-Video.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (aline.bernstein@gmail.com).

Monday, August 18, 2008

litsupport summary for the week ending on 08/17/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. Can one use disposed (such as sold on eBay) hard drives for forensics training?
A.
Yes:
  1. Great for "free range" data to play with;
  2. This is a routine practice with many CCE examiners;
  3. Software licenses are not a problem - do not use the software on the drive, and private data is not a problem - study it for technical reasons but do not use it;
  4. The ethical responsibility is to do good work for the client;
  5. The person who sells the drive has lost his right to data privacy;
  6. There is no case law against this practice;
  7. This is no different from Google reading your gmail and automatically showing you the relevant ads.
No:
  1. You can not post recovered files, because they are not in the public domain;
  2. This is legally questionable, possibly as conversion or identity theft, and ethically bankrupt, because lawyers are held to higher ethical standard, and because it makes a vendor look dirty;
  3. You own the drive but not the data, and you may have a stolen drive;
  4. Used drives do not work well, and one should not sell them anyway, but destroy them instead, and this is the advice to give to clients;
  5. "Nobody knows" is not an excuse, instead, spend the money and prepare legal data sets;
  6. The person who sold the drive did not realize that she was giving away her data, so it is stealing, and most people don't know that formatting their hard drive doesn't protect their data;
  7. Testing the tools on unknown data sources does not validate the tools anyway.

Q. How to track an internet site poster given the poster's IP?
A.
  1. From the IP you can find out the provider detail using software such as PtWhoIs, then you subpoena the provider (sometimes through a John Doe lawsuit) to help you determine the physical address where that IP address was issued. A forensic exam of the computer at the physical address may turn up the remnants you are looking for to ultimately prove what computer was used to make the post;
  2. Road bumps above may include a dynamic IP lost after 30 days, a wireless router which was used by someone else driving by, spoofing or hacking the IP, or an anonymous IP using any anonymizer service;
  3. An article on this and RIAA practices;
  4. New research deals with data preserved in computer memory for a long time (forensics side) and with author probabilistic identification based on comparison to corpus of known email from the user;
  5. In one practical case the combination of ISP information with linguistic analysis led to admission, and no forensics exam was required;
  6. Voluntary disclosure of information on a public website falls outside of any privacy protections one would want to later claim. It is one of the few exceptions to the Stored Communications Act (if you post the information, you cannot be protected from privacy of who you are.)

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (aline.bernstein@gmail.com).

Tuesday, August 12, 2008

BYOS - Build Your Own Startup - on the Cloud! - Issue 3

The geek world is aglow, but business world is cool

Ask any geek what is new in the world today, and he may drown you with excitement about cloud computing. But ask a technical manager about it, and he will cool you with his talk about the total cost of ownership. Ask a business man, and you may get a "huh?" We are forced to admit that there is a disconnect between the geeks and the business world. Why is this - that is what we have set out to investigate. Google App Engine is the subject today.

B. Pleemo, you look very mysterious today. And why did you invite me to the zoo?
P. Well, Bernard, I could not wait for YOU to come up with an idea, so to spur you on, I invented one myself. To implement it, I will need python. I do not know if this snake is a python, but my Python is a programming language used by Google App Engine.
B. Firstly, I accept the challenge. I do not know what you have in mind with your idea, but I will show you mine at our next meeting. Now continue with yours!
P. Okay, Bernard, as you may remember, I am Jewish, and I had an idea of building a web site where everybody can set Jewish calendar reminders. There is a site or two like it, but my idea is to make it unaffiliated, very flexible, and individualistic, so every person or a group of people can use the site in their personalized way.
B. So why the cloud?
P. I do not expect to make money on this, so I can not spend much. However, I have to plan for an eventuality that it will become popular, and I need my site to be able to handle occasional peak loads.
B. I see...
P. Enter Google App Engine! It allows you to upload your application to the Google Cloud. It is free until you get to 5 million page views a month. And Google scales it for you on demand. I have already started my application right here! Not much, admittedly, but give me two weeks - for Python is new to me - you see however some exchanges there and even some hackers.


B. Pleemo! I can tell you the character of the Google Cloud right away myself: it is opaque, simpler to use, and it is free. It fits your purpose perfectly well. You have beaten me to the business idea. My only consolation is that it is not properly business.
P. Bernard, you are a great student of mine. Note, also, that Google makes you use "datastore". It is simpler than a database and it too has no limit.
B. Thank you Pleemo! I will study the links you gave me, and watch for your idea's progress - since here we are back to discussing the speed of development and the risk of failure.
P. Good, Bernard, and if you really want to study, then google about Dell trying to acquire the 'cloud computing' trademark, or read the explanation of cloud vs grid vs distributed computing on Mark's blog. Arrivederci in two weeks.

I enjoyed the trip to the zoo, where I have not been since my youngest children stopped asking for it, and I am curious to see what will happen in two weeks.
My reporting is getting easier, and my homework lighter.

Monday, August 11, 2008

Technology for Lawyers and Paralegals: Evidence Authentication - Word Documents

Question

Electronic evidence presents unique authentication challenges. What are the specific issues for MS Word files?

Judge Grimm on Evidence


On May 4, 2007, Chief U.S. Magistrate Judge Grimm provided a detailed analysis of evidentiary issues associated with electronic evidence.

As Electronic Discovery Law explains, in Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534 (D. Md. 2007), the parties filed cross-motions for summary judgment but failed to comply with the requirement of Rule 56 that they support their motions with admissible evidence. Chief United States Magistrate Judge Paul W. Grimm denied both motions without prejudice to allow resubmission with proper evidentiary support.

In his memorandum opinion, Magistrate Judge Grimm remarks that "considering the significant costs associated with discovery of ESI, it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration during summary judgment because the proponent cannot lay a sufficient foundation to get it admitted."

Technical homework

The following discussion uses MS Word documents as an example, but it is applicable to most other document types.

There are two types of data: document data (words, formatting, etc), and metadata, or data about data. Furthermore, there are two types of metadata: application metadata (title, author, last saved by, etc., even custom fields), and OS metadata (file creation date, file last modified, and more).

To verify the document data together with its metadata, it is possible to compute and record the document's MD5 or SHA signature. Since the application metadata is stored in the file, it too will go into the hash calculation.

For the OS metadata, one can rely on the collection procedure, which hopefully has been done with a validated tool for the best defensibility.

Lacking this, one may go back to the original and use a safe metadata viewer to pull the original OS info (assuming that it has not been modified in the meantime). One can use a tool like Pinpoint Metaviewer to create screenprints for presentation.

For file system metadata one can create a container (such as a zip file) with all the authenticated files together, and compute the signature of the archive. If the files have not been moved or touched or opened, this will preserve the OS metadata.

The signatures thus collected can be used to prove that the evidence has not been tampered with. One can ask the opposing side for the same hashes, and if they agree, there is no argument that both are looking at the same evidence.
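The hashing steps above, as an added Python example (not code from the original post): it hashes each file with SHA-256 (one of the "MD5 or SHA" choices), hashes a zip container built from the same files, and compares two manifests. The file names, contents, `Author=` field and timestamp are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import io
import os
import tempfile
import zipfile


def file_digest(path):
    """SHA-256 of the file's bytes; application metadata stored in the file is included."""
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha.update(chunk)
    return sha.hexdigest()


def build_manifest(paths):
    """Map file name -> digest; this is the list each side would exchange."""
    return {os.path.basename(p): file_digest(p) for p in sorted(paths)}


def container_digest(paths):
    """SHA-256 of a zip built in memory from the files.

    Each zip entry records the file's last-modified time, so the archive
    digest also covers that piece of OS metadata.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for p in sorted(paths):
            zf.write(p, arcname=os.path.basename(p))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def compare_manifests(ours, theirs):
    """Classify every file name seen by either side."""
    report = {"match": [], "mismatch": [], "only_ours": [], "only_theirs": []}
    for name in sorted(set(ours) | set(theirs)):
        if name not in theirs:
            report["only_ours"].append(name)
        elif name not in ours:
            report["only_theirs"].append(name)
        elif ours[name] == theirs[name]:
            report["match"].append(name)
        else:
            report["mismatch"].append(name)
    return report


def demo():
    fixed_mtime = 1218456000  # constructed timestamp (11 Aug 2008)
    with tempfile.TemporaryDirectory() as d:
        contract = os.path.join(d, "contract.doc")
        memo = os.path.join(d, "memo.doc")
        # Constructed stand-ins: "Author=" plays the role of application
        # metadata that lives inside the file.
        with open(contract, "wb") as fh:
            fh.write(b"Author=John\nBody: terms of the agreement\n")
        with open(memo, "wb") as fh:
            fh.write(b"Author=Jane\nBody: meeting notes\n")
        paths = [contract, memo]
        for p in paths:
            os.utime(p, (fixed_mtime, fixed_mtime))

        ours = build_manifest(paths)
        archive_before = container_digest(paths)

        # Case 1: only OS metadata changes (last-modified moves by a day).
        os.utime(contract, (fixed_mtime + 86400, fixed_mtime + 86400))
        after_touch = build_manifest(paths)
        archive_after = container_digest(paths)

        # Case 2: application metadata inside the file changes.
        with open(contract, "wb") as fh:
            fh.write(b"Author=Ted\nBody: terms of the agreement\n")
        theirs = build_manifest(paths)

        return {
            "mtime_only_file_hash_same": after_touch == ours,
            "mtime_only_container_same": archive_after == archive_before,
            "edit_report": compare_manifests(ours, theirs),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Changing only the last-modified time leaves the per-file hash unchanged but changes the container hash, which is why the container is needed to cover OS metadata. Editing the in-file author field changes the file hash itself.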

Legal approach

To quote from Judge Grimm,

"Authentication also can be accomplished in civil cases by taking advantage of FED. R. CIV. P. 36, which permits a party to request that his or her opponent admit the 'genuineness of documents.'"

If the other side has some doubts about the possible changes in the document, your file hash will prove that both the document and the metadata are intact.

Furthermore, "...at a pretrial conference, pursuant to FED. R. CIV. P. 16(c)(3), a party may request that an opposing party agree to stipulate 'regarding the authenticity of documents,' and the court may take 'appropriate action' regarding that request."

For example, this may be a case where this document has already been under discussion. More generally, once each counsel has exchanged a description of ESI held by a party, one topic for the "meet and confer" can be some form of agreement as to authenticity or at least some stipulation as to what must be done to avoid objections on this basis.

"Similarly, if a party properly makes his or her FED. R. CIV. P. 26(a)(3) pretrial disclosures of documents and exhibits, then the other side has fourteen days in which to file objections. Failure to do so waives all objections other than under Rules 402 or 403, unless the court excuses the waiver for good cause. This means that if the opposing party does not raise authenticity objections within the fourteen days, they are waived."

This is a very important and easier path, since no action is required from the other side.

If the other side produced the document, then, absent special circumstances, this is tantamount to the admission of authenticity.

So far, we have used the FRCP rules. Of course, the arguments are strengthened by proper collection procedure and by the availability of a hash signature for verification, but strictly speaking these are not required.

The following, more technical, scenarios can use the hashes discussed above:

  1. Presence of the same document (as authenticated by application hash) as an attachment in email from this custodian;
  2. Presence of the same document (application hash) on another computer or laptop belonging to the same custodian;
  3. Presence of the same document (both application and OS hash) in a backup. In this case you will need somebody to testify about the backup procedures.

Note: Legal information is not legal advice. Top8 provides information pertaining to business, compliance, and litigation trends and issues for educational and planning purposes. Top8 and its consultants do not provide legal advice. Readers should consult with competent legal counsel.

The author gratefully acknowledges the editing help and numerous suggestions of Kelvin Rocquemore, Esq., of Trial Solutions.

The author is also thankful to his colleagues at the litsupport discussion group, whose discussions provide him with much inspiration and knowledge.

litsupport summary for the week ending on 08/10/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. Is there a QuickBooks Viewer?
A. One can download the "Simple Start" application from the Intuit website (search there). It's free and should open QuickBooks files. For proper chain of custody, one can try to make the file read-only or at least keep a backup version.

Q. How can one study Summation?
A. One can request an evaluation copy from the web site; if granted, it will be valid for a year. There is also a "Lawyer's Guide to Summation" (paperback), published 2004, and webinars here.

Q. How to authenticate MS Word docs as evidence?
A.
  1. Hashing the file objects will give you their object metadata and content. For file system metadata encapsulate both file objects into an archive (ZIP, RAR, TAR, ISO) and hash the archive;
  2. For the OS info, data should have been collected with a validated tool for the best defensibility. If not, you could go back to the original and use a safe metadata viewer to pull the original OS info (assuming that it has not been modified in the meantime). One can use, for example, Pinpoint Metaviewer;
  3. Look at Judge Grimm's opinion in Lorraine v. Markel Amer. Ins. Co., 241 F.R.D. 534 (D. Md. 2007);
  4. Summarized and expanded upon in a newsletter here.
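
The hashing steps from the answer above, and from the newsletter article earlier on this page, as an added example (not code from the litsupport postings or the article). It shows that a file hash changes when metadata stored inside the file changes but not when only the file system timestamp changes, while the hash of a ZIP container does pick up the timestamp. The file name, contents and timestamps are constructed sample values, and SHA-256 is assumed for "SHA".

```python
import hashlib
import io
import os
import tempfile
import zipfile


def file_hash(path):
    """SHA-256 of the file's bytes: content plus metadata embedded in the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_hash(paths):
    """SHA-256 of a ZIP built from the files; each ZIP entry records the
    file's last-modified time, so that timestamp enters the hash."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for p in sorted(paths):
            z.write(p, arcname=os.path.basename(p))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def demo():
    """Return (file hash, archive hash) at collection, after a timestamp-only
    change, and after an edit to a field stored inside the file."""
    with tempfile.TemporaryDirectory() as d:
        doc = os.path.join(d, "contract.doc")          # constructed sample file
        with open(doc, "wb") as f:
            f.write(b"Author: J. Doe\x00Body: payment due in 30 days")
        os.utime(doc, (1_200_000_000, 1_200_000_000))  # fixed collection-time mtime
        base = (file_hash(doc), archive_hash([doc]))

        os.utime(doc, (1_200_086_400, 1_200_086_400))  # file "touched" a day later
        touched = (file_hash(doc), archive_hash([doc]))

        with open(doc, "wb") as f:                     # embedded author field edited
            f.write(b"Author: X. Roe\x00Body: payment due in 30 days")
        os.utime(doc, (1_200_000_000, 1_200_000_000))  # mtime put back
        edited = (file_hash(doc), archive_hash([doc]))
    return base, touched, edited


if __name__ == "__main__":
    for label, (fh, ah) in zip(("base", "touched", "edited"), demo()):
        print(f"{label:8} file={fh[:16]} archive={ah[:16]}")
```

The ZIP entry carries only the last-modified time, so other file system dates (created, accessed) still depend on the collection procedure.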

Q. What is near-deduplication and how reliable is the process?
A.
  1. Near-duplicate identification uses a similarity measure to group versions of an item; it is applicable to finding almost identical versions of emails, MS Word docs and other documents. It is useful in investigations, and for consistency of review;
  2. Near duplication breaks documents into overlapping shingles of a certain length. A shingle is a sequence of words (or letters) starting with the first word in a file and then starting with the second word, and so forth. The common algorithm then chooses a sample of these shingles from each document using a rule that is likely to yield the same shingles from different documents (if they are present). Simplifying a bit, the probability that two documents are near duplicates is the proportion of the sampled shingles that are shared by the two documents. See more here and here.
  3. There's no such thing as "reliable" near de-duplication. The entire science is subjective and prone to error :)
  4. Although near-dupes are not recommended for bulk coding, the foundation methods of Equivio, Attenex, Syngence, etc. are just as scientific/repeatable as full text search for keywords. Every tool has an appropriate use;
  5. Google has a patent for "Method and Apparatus for Estimating Similarity." Google needs it in order not to list in the search results essentially the same pages (as some people use this to direct traffic to their sites). Compared to the bottom-up methods described above, the Google patent is top-down in that it generates sketches of objects being compared, and similarity is based on these sketches.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner (mkerzner@top8.biz) and edited by Aline Bernstein (aline.bernstein@gmail.com).
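
The shingle-and-sample method described in item 2 of the near-duplicate answer, as an added example (not code from the postings or from any product named there). The sampling rule used here, keeping the k shingles with the smallest hash values, is an assumption: it is one common rule with the stated property, and the postings do not name one. The three texts are constructed samples.

```python
import hashlib
import re

ORIGINAL = ("The parties agree that payment for the delivered goods is due within "
            "thirty days of the invoice date and that late payments accrue interest "
            "at the rate of one percent per month until paid in full")
REVISED = ORIGINAL.replace("thirty", "sixty")   # one-word edit of the same clause
UNRELATED = ("Backup tapes are rotated weekly and stored offsite by the records "
             "department under the retention schedule")


def shingles(text, w=4):
    """Overlapping w-word shingles: one starting at each word of the text."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if not words:
        return set()
    return {" ".join(words[i:i + w]) for i in range(max(1, len(words) - w + 1))}


def shingle_hash(shingle):
    """Stable 64-bit value for a shingle (truncated SHA-1), same on every run."""
    return int.from_bytes(hashlib.sha1(shingle.encode()).digest()[:8], "big")


def sketch(text, k=64, w=4):
    """Sample: the k smallest shingle hashes. The choice depends only on the
    shingle, so a shingle shared by two documents is picked consistently."""
    return sorted(shingle_hash(s) for s in shingles(text, w))[:k]


def resemblance(a, b, k=64):
    """Share of the sampled shingles (k smallest of the combined sample) that
    occur in both sketches; this estimates the Jaccard similarity."""
    sample = set(sorted(set(a) | set(b))[:k])
    return len(sample & set(a) & set(b)) / len(sample) if sample else 0.0


def exact_jaccard(t1, t2, w=4):
    """Exact shared/total shingle ratio, for comparison with the estimate."""
    s1, s2 = shingles(t1, w), shingles(t2, w)
    return len(s1 & s2) / len(s1 | s2)


if __name__ == "__main__":
    print("exact   :", round(exact_jaccard(ORIGINAL, REVISED), 3))
    print("k=16 est:", resemblance(sketch(ORIGINAL, 16), sketch(REVISED, 16), 16))
    print("other   :", resemblance(sketch(ORIGINAL), sketch(UNRELATED)))
```

When a document has fewer than k shingles the sketch holds all of them and the estimate equals the exact ratio; with a smaller k it is a sampled estimate, which is why the score is used to group candidates for review rather than to code them in bulk.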

Monday, August 4, 2008

litsupport summary for the week ending on 08/03/08


Q. What are the recommended forensics certifications for legal work?
A. CCE is a non-vendor certification, focusing on methodology, terminology, documentation and standards, and will come in very handy when in court. Furthermore, it is a PI requirement in some states. Also recommended: at least one product certification, such as EnCE, FTK, X-Ways, Pro-Discover, and GCFA for incident investigation.

Q. Is it a good or a bad idea to use OCR-based searching for first-pass privilege review in lieu of page-by-page review?
A.

GOOD:
  1. Good for a first-pass priv review. Segregate the hits and their associated family docs into a "potentially privileged" review set for 1 or 2 attorneys to eyeball. Be careful with search terms: searches for a laundry list of attorney names and law firms can be over-inclusive. Thus, as an overall strategy to reduce risk at the outset, it's a good idea;
  2. Great but it depends upon the OCR. Extracted text - yes, paper OCR - no. Use the OCR searches to help your review, but not as a "first pass priv. review."

BAD:
  1. Probably a bad idea if they are going to perform a page-by-page review of only those documents brought back by the search and all other documents will be assumed to be non-privileged and will be produced without a page-by-page review. It is DEFINITELY a bad idea if there is no clawback agreement. This situation was dealt with in Judge Grimm's decision in Stanley v. Creative Pipe and resulted in a waiver of privilege;
  2. The OCR search won't necessarily find potentially privileged documents with client (or attorney) handwritten notes.

Monday, July 28, 2008

litsupport summary for the week ending on 7/27/08



Q. What are the gotchas of converting .nsf to .pst?
A. One may desire to convert an .nsf (Lotus Notes) to a .pst (MS Outlook) file, most likely because of the wide availability of tools for .pst analysis. However, while the conversion tools may be good for practical use to get most emails, they may be problematic for eDiscovery. Here is a list of possible problems (but see the last item, which offers a viable solution):
  1. Because Lotus Notes actually contain different views of the same message, it is possible to get a large number of duplicates;
  2. Converting to .PST usually increases the size of the e-mail store and thus the charges;
  3. "All Documents" folder does not always contain all documents, complicating the duplicates problem;
  4. You may not get all e-mails and attachments;
  5. The embedded attachments will be lost - no known tool transfers embedded attachments;
  6. If you have a Domino server in house, then you can use the Microsoft Outlook connector for Lotus Domino. Place the NSF back on a Domino server, create all the necessary credentials along with it, download and install the Microsoft Outlook connector for Domino (need to have Notes installed also on the workstation since the connector uses the Notes.ini for the server connection information), set up Outlook 2003 with the connector, download the contents of the NSF to Outlook and export to a PST. Yes, it sounds like a lot of work, but if one already has an existing server, it's not that hard.

Q. Can MD5 hash be forged?
A.
  1. It is mathematically possible, but for the purposes of eDiscovery this is irrelevant, because the information that the forger needs is not available to him;
  2. On the contrary, MD5 is not reliable and can be hacked. Its hash collisions have been found using HashClash, a BOINC distributed computing project. Fixes have been suggested, but switching to SHA is preferred.