Windows 8: Important Considerations for Computer Forensics and Electronic Discovery

Windows 8: Important Considerations for Computer Forensics and Electronic Discovery

Published by Yury Chemerkin

© 2012 Scarab Acquisition LLC
Documents identified by computer forensic investigations in civillitigation typically require review and analysis by attorneys todetermine if the uncovered evidence could support causes of actionsuch as breach of contract, breach of fiduciary duty, misappropriationof trade secrets, tortious interference, or unfair competition. Inaddition, bit-for-bit forensic imaging of workstations is also commonlyused as an efficient method to quickly gather evidence for further disposition in general commercial litigation matters. For example,instead of relying upon individual custodians to self-select and copytheir own files, forensic images of workstations can be accuratelyfiltered down to exclude system files, which only a computer canunderstand, and identify files which humans do use such as MicrosoftWord, Excel, PowerPoint, Adobe PDF files and email. In any of theabove situations, be it a trade secrets type matter or a generalcommercial litigation case, litigants are always highly sensitive to thepotential costs associated with attorney review.Now that Microsoft Windows 8 workstations are available for saleand will likely be purchased for use by corporate buyers, civil casesinvolving the identification and analysis of emails from such machinesis a certainty. Recently, excellent computer forensic research on
Windows 8 performed byJosh Brunty, Assistant Professor of DigitalForensics at Marshall Universityrevealed that “In addition to Webcache and cookies, user contacts synced from various social mediaaccounts such as Twitter, Facebook, and even e-mail clients such asMS Hotmail are cached with the (
Windows 8) operating system(source:http://www.dfinews.com/article/microsoft-windows-8-forensic-first-look?page=0,3). Building on Professor Brunty’sscholarship, I set out to determine the extent, amount, and fileformats email communications exist on a Windows 8 machine. Inaddition, a goal was to identify any potential issues for processinglocally stored communications for attorneys review in the discoveryphase of civil litigation. As you will see, the format in which Windows 8 stores email locallydoes in fact present potentially significant challenges to cost effectivediscovery in both trades secret type matters as well as generalcommercial litigation cases. Fear not as my conclusion offers somepotential solutions as well as other important considerations.

