What to Do When Asked to E-Sleuth

Many law firm CIOs are being asked to help attorneys deal with investigation of computers and peripherals in the electronic discovery process. As a law firm CIO responsible for keeping technology operational, do you have the resources to dedicate to this evolving service?

Firms with an entrepreneurial spirit or a strong litigation support team may see an opportunity in such services and have no difficulty offering them. Firms where IT resources are already stretched should steer attorneys toward professional consulting firms specializing in computer investigations. But as a good start, CIOs can help their attorneys focus on five components: Situation, Content, Organization, Process, and Expertise.

Situation
Assess the project’s situation. Where are all the places data exist? Identify multiple business locations, offices within homes, vacation homes and ISPs. What type of equipment is involved? Consider computers, laptops, PDAs, network servers, backup tapes, floppies, CD-ROMs, DVDs, Zip® disks, Jaz® disks, fax and copier machine memory and portable hard drives. What types of data will be involved? File types will determine what tools are needed for the discovery process. The list could include documents, spreadsheets, presentations, graphics, e-mail messages, databases, financial records and compressed files. Build a matrix showing all locations, equipment and possible file types; from there priorities can be established.

Content
What is the probability of a crime having been committed? Local, state or federal agencies can become involved if the content of this project crosses the criminal activity line. Some of the most sophisticated computer forensic specialists are employed by government agencies. If there is a high probability of their involvement, plan to take a by-the-book approach to the investigation processes. In many cases, the agency will already be involved and may have preserved original evidence. Assuming your firm is working on behalf of the defense, any opportunity to process the evidence would come from copies of the original sources. As new data sources are identified, wise counsel will understand how to preserve the new discoveries forensically. Refer to the FBI’s Digital Evidence: Standards and Procedures (http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm) for more information.

Too often, IT professionals untrained in computer forensic processing fail to follow the critical first steps: chain-of-custody processing and bit-stream backups, called mirror images. Backups or images made as part of routine computer operations typically do not copy bit by bit. Technologists, however honorable their intentions, can actually alter the evidence by not following the proper steps or using the proper tools. Don’t allow your staff to be caught in this quagmire.
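
As an added illustration (not part of the original article), the Python sketch below uses a constructed four-sector "disk" to show why a file-level backup misses deleted-file residue that a bit-stream image keeps. It goes one step further than the text by hashing the image into a hash-linked custody log; the sector layout, file name, item ID and handler names are all assumptions made for the example.

```python
import hashlib, json
from datetime import datetime, timezone

SECTOR = 512  # bytes per sector on the constructed disk

def build_constructed_disk():
    """Constructed 4-sector disk: one live file plus residue of a deleted one."""
    live = b"Q3 budget memo".ljust(SECTOR, b"\x00")
    residue = b"deleted draft: side agreement".ljust(SECTOR, b"\x00")
    disk = live + residue + bytes(2 * SECTOR)
    allocation = {"memo.txt": (0, 14)}  # file name -> (start sector, length)
    return disk, allocation

def file_level_backup(disk, allocation):
    """Operational backup: copies only the contents of live files."""
    return {n: disk[s * SECTOR:s * SECTOR + ln] for n, (s, ln) in allocation.items()}

def bit_stream_image(disk):
    """Mirror image: every sector, allocated or not."""
    return bytes(disk)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def custody_entry(log, item, action, handler, digest):
    """Append a custody record that is hash-linked to the previous record."""
    entry = {"item": item, "action": action, "handler": handler,
             "sha256": digest, "prev": log[-1]["entry_hash"] if log else None,
             "utc": datetime.now(timezone.utc).isoformat()}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)

def verify_chain(log):
    """True only if no record was altered, removed or reordered."""
    prev = None
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if e["prev"] != prev or digest != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

if __name__ == "__main__":
    disk, alloc = build_constructed_disk()
    image, backup, log = bit_stream_image(disk), file_level_backup(disk, alloc), []
    custody_entry(log, "HDD-01", "imaged", "examiner A", sha256_hex(image))
    print("residue in image:", b"side agreement" in image)
    print("residue in backup:", any(b"side agreement" in d for d in backup.values()))
    print("image matches source, log intact:", sha256_hex(image) == sha256_hex(disk), verify_chain(log))
```

On real media the image would be taken through a write blocker with a forensic imaging tool, and the recorded hash is what lets a later examiner show the working copy still matches the original.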

Organization
Having the right tools, training and experience is critical. There are times when by-the-book processing of computer evidence is needed, and there are times when a simple computer investigation will suffice. Either way, you need to get organized with a plan of action. Referring to the documents generated in the first step, the situation assessment, determine what equipment and software tools are needed. It may be hard drives for mirror images or writable CDs for capturing discovery. Computer investigators have many software tools at their disposal for finding and reviewing files. Some of today’s software tools can extract a single e-mail message, recover portions of deleted files and sweep through the data saved in the normal operation of the operating system, possibly without the knowledge or intent of the user.

Most computer users are unsophisticated in their attempts to delete data. Recovering portions of deleted files can produce surprising results. E-mail systems are good discovery sources, as most users take a casual approach when constructing content.

All investigations should work under a budget. Prioritize what will be done, and document what steps will be taken. When time limits are reached, the financial decision-maker can compare accomplishments to overall objectives, then determine the value of approving contingencies.

Caution! If your firm chooses to provide these services, make sure its professional liability insurance will cover this type of work.

Process
Developing a thorough list of search criteria will make searching easier and results more tangible. Depending on the number of computers/items to be processed and the time period allocated, it may make sense to prioritize your searches and go after critical items first, leaving some criteria to an as-time-permits status.

Document! Document! Document! As attorneys become more sophisticated in electronic discovery, they will begin challenging the processes that opposing parties may have used. In other situations, where both parties may have approved the intended plan, discoveries along the way may alter the process. When that occurs, have clearly documented and logical reasons for deviating from the original outline. Take advantage of every write capability within a software tool by saving your actual searches, the results of the searches and enabling all logging. During the investigation, it can be wise to have a USB-connected drive to capture the audit trail and results.

Think from both sides! While you may be working for the plaintiff, make sure your decisions along the way would be considered fair in the eyes of the court. Stay in contact with the attorney. In some situations, deviations from the original plan will require approval of opposing counsel. While everyone wants to find the digital “smoking gun,” do not jeopardize the case by taking a renegade approach.

There are many approaches to a computer investigation for electronic discovery. Look for professionals or plan to develop professionals who deliver results.

Expertise
The final step of the process may result in providing testimony regarding the investigative process and the results. Documentation is the important supporting component. While some firms have utilized their IT staff to conduct investigations, it can be common for a technology-savvy paralegal to evolve as the in-house electronic discovery resource.

The right person for processing computer investigations in electronic discovery will be a blended professional who understands the guiding principles of the law as well as the complexities of technology.

About our author…

Rebecca Hendricks is President of Mirror Consulting, Inc. (www.mirrorconsulting.com), a Midwestern firm specializing in strategic planning, risk management and business development. She is certified in Computer Forensics and can be reached at rebecca.hendricks@mirrorconsulting.com.