Professional Documents
Culture Documents
Textbook Electronically Stored Information The Complete Guide To Management Understanding Acquisition Storage Search and Retrieval Second Edition David R Matthews Ebook All Chapter PDF
Textbook Electronically Stored Information The Complete Guide To Management Understanding Acquisition Storage Search and Retrieval Second Edition David R Matthews Ebook All Chapter PDF
https://textbookfull.com/product/metadata-for-information-
management-and-retrieval-understanding-metadata-and-its-use-
second-edition-edition-david-haynes/
https://textbookfull.com/product/introduction-to-information-
retrieval-manning/
https://textbookfull.com/product/understanding-formulaic-
language-a-second-language-acquisition-perspective-second-
language-acquisition-research-series-1st-edition-anna-siyanova-
chanturia/
https://textbookfull.com/product/practical-information-security-
management-a-complete-guide-to-planning-and-implementation-1st-
edition-tony-campbell-auth/
Complete Guide to the National Park Lodges David Scott
https://textbookfull.com/product/complete-guide-to-the-national-
park-lodges-david-scott/
https://textbookfull.com/product/c-templates-the-complete-guide-
second-edition-david-vandevoorde-nicolai-m-josuttis-douglas-
gregor/
https://textbookfull.com/product/complete-guide-to-the-national-
park-lodges-9th-edition-david-scott/
https://textbookfull.com/product/iso-13485-2016-a-complete-guide-
to-quality-management-in-the-medical-device-industry-second-
edition-itay-abuhav/
https://textbookfull.com/product/nosql-database-for-storage-and-
retrieval-of-data-in-cloud-1st-edition-deka/
Electronically
Stored
Information
The Complete Guide to
Management, Understanding,
Acquisition, Storage,
Search, and Retrieval
Second Edition
OTHER TITLES FROM AUERBACH PUBLICATIONS AND CRC PRESS
Second Edition
David R. Matthews
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize to
copyright holders if permission to publish in this form has not been obtained. If any copyright material has
not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmit-
ted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented,
including photocopying, microfilming, and recording, or in any information storage or retrieval system,
without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.
com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood
Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and
registration for a variety of users. For organizations that have been granted a photocopy license by the CCC,
a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.
FO RE WO RD ix
P R E fA C E xi
ACKNOWLEDGMENTS xiii
AUTHOR xv
C H A p T E R 1 W H AT I S E L E C T R O N i C I N f O R M AT i O N , AND WH Y
S H O U L D YO U C A R E ? 1
1.1 Introduction 1
1.2 Electronically Stored Information and the Federal
Rules of Civil Procedure 1
1.2.1 Changes to the Federal Rules of Civil Procedure 3
1.2.1.1 Rule 1: Scope and Purpose 3
1.2.1.2 Rule 16(b)(5) and (6): Pretrial
Conferences; Scheduling
Management 3
1.2.1.3 Rule 26 4
1.2.1.4 Rule 37 Safe Harbor 11
1.2.1.5 Rule 34(b) Producing Documents
Procedures 13
1.2.1.6 Rule 33(d) Interrogatories to Parties 15
1.2.1.7 Rule 45 Subpoena 15
1.2.1.8 Form 35 15
1.2.2 Federal Rules of Evidence 16
1.2.2.1 FRE 502 17
1.2.2.2 FRE 901 17
1.2.2.3 FRE 802 18
V
VI C O N T EN T S
C H A p T E R 2 TR A N S L AT i N G G E E K : I N f O R M AT i O N
TE C H N O L O GY V E R S U S E V E R YO N E E L S E 63
2.1 Introduction 63
2.2 Role of IT 63
2.3 Information Technologist’s Perspective 72
2.4 Information Technology as an Ally 76
2.5 Translating Geek 77
C H A p T E R 3 W H E R E I S E L E C T R O N i C A L LY S T O R E D
I N f O R M AT i O N ? I T ’ S E V E R Y W H E R E ! 79
3.1 Introduction 79
3.2 Basics 80
3.3 Database Systems 87
3.4 E-Mail Systems 91
3.5 File and Print Servers 94
3.6 Instant Messaging Services 99
3.7 Mobile Devices 101
3.8 Physical Access Records 105
3.9 Telecommunications 109
3.10 Cellular Devices 119
3.11 Digital Video 126
3.12 Internet or Online Data 130
3.13 Storage Media 144
3.14 Internet of Things (IOT) or of Everything (IOE) 147
3.15 Event and System Logs 148
3.16 Desktop Computer Facts 149
3.17 Metadata and Other Nonapparent Data 154
3.18 Conclusion 157
C O N T EN T S VII
C H A p T E R 4 W H O ’ S i N C H A R G E H E R E ? A L L i E S , O W N E R S ,
A N D S TA K E H O L D E R S 159
4.1 Introduction 159
4.2 The (Long) List of Stakeholders 159
4.2.1 Information Technology Professionals 159
4.2.2 Legal Staff 162
4.2.3 Records Managers 163
4.2.4 Auditors 163
4.2.5 Human Resources 164
4.2.6 Department Heads, Vice Presidents, and
Executives 164
4.2.7 Physical and Information Security Personnel 165
4.3 Ownership of Data 165
4.4 Data Control Considerations 170
4.5 Required Skill Sets and Tools 173
C H A p T E R 6 K E E pi N G YO U R TR E A S U R E S : P R E S E R VAT i O N
AN D MANAG E M E NT 223
6.1 Introduction 223
6.2 Securing the Data 223
6.3 Access Control and Management 226
6.4 Organization and File Management Techniques 232
6.4.1 Day-to-Day Organization 232
6.4.2 Management of Data over Time 236
6.4.3 Response to Litigation or Audits 238
6.5 Safe Storage Issues and Considerations 241
6.6 Litigation Hold 246
6.7 Spoliation: The Loss of Relevant Data 248
6.8 Automated Technical Solutions 250
VIII C O N T EN T S
C H A p T E R 7 S H A R i N G I S G O O D : D i S S E M i N AT i O N AND
REpORTiNG 255
7.1 Introduction 255
7.2 Format Issues: Original or Usable? 255
7.3 Mediums for Transfer 259
7.4 Creating Readable Reports 261
7.5 Tips for Depositions and Expert Witness 264
7.6 Conclusion 266
A pp E N D i X I: L i N KS AND REfERENCES fOR M O R E I N f O R M AT i O N 267
A pp E N D i X II: F O R M S AND GUiDES 273
A pp E N D i X III: L i N K S TO TE C H N i C A L S O f T WA R E S O L U T i O N S 291
INDEX 293
Foreword
IX
Preface
XI
X II P REFAc E
stories and illustrations that will help make sense of these sometimes
difficult ideas.
So r ead on w ithout t repidation, d ear r eader. I p romise it w ill b e
enlightening, a nd p erhaps e ven f un. I f n othing e lse, y ou w ill h ave
some interesting new ways to entertain your geek f riends or impress
your non-geek friends at your next party.
Acknowledgments
This book could not have been written were it not for the many patient
and supportive people in my community in the Puget Sound area of
Washington State.
There a re too many to name them a ll, but the many information
security, legal, and computer forensics professionals with whom I have
shared these ideas have been extremely generous with their thoughts,
wisdom, and advice.
I e specially t hank m y c olleague a nd m entor, M ichael H amilton,
who has given me the support to learn more about these issues and the
time to collaborate with others. He is a font of knowledge and just an
all-around good friend and person.
I also want to add a big thanks to my original Information Security
mentor and guru, Kirk Bailey. I will not f orget the day when, in
answer to my question of what would be the most beneficial skill to
learn, he said “forensics.” It changed my life in many ways.
I would a lso l ike to acknowledge my good f riend, colleague, and
mentor, S teven H ailey, w hose g racious g enerosity, i ncredibly d eep
wisdom and assistance I can always count on whenever I get stuck.
And of course I need to thank my family for putting up with those
long hours of husband and daddy being hunched over the computer
trying to get this all done.
X III
Author
XV
XVI AU T H O R
1.1 Introduction
1
2 EL Ec T R O NI c A L LY S T O RED IN F O RM ATI O N
Figure 1.1 Legal documents in the electronic world have become ubiquitous and overwhelming.
of them included criminal or other courts besides civil law. But any
organization or individual can find themselves in court.
This c hapter s pecifically d iscusses t he F ederal Rules o f C ivil
Procedure (FRCPs) because they were amended in December 2006,
and have been revised several times since then to specifically address
ESI and to better define the ways ESI needs to be handled. However,
it is important to understand that rules in any legal action are going
to be similar to those we will discuss here. Because these rules offer
good examples of what to expect in other legal actions, we specifically
look at all of the pertinent sections of the FRCPs.
We a lso s pend s ome t ime l ooking a t r ules o f e vidence, b ecause
those have also been evolving to address the new frontier of electronic
evidence. We spend time considering some case law as well, because
that is the crux of the way this evolving area of law is changing and
growing.
We b egin w ith a r un-through o f t he s pecific r ules t hat w ere
amended i n D ecember 2 006 a s w ell a s s ome of t he more p ertinent
and i nteresting c hanges a nd c larifications t hat a re being considered
in the current set of amendments (final changes and amendments to
the FRCP were approved by the Supreme Court and Congress and
published in December 2015).*
1.2.1.1 Rule 1: Scope and Purpose The current change to the first rule,
while not specific to e-discovery or electronic evidence is neverthe-
less s ignificant. I n t he n ew r ule, t he l anguage h as b een c hanged
to e mphasize h ow i mportant i t i s f or t he pa rties t o c ooperate.
Specifically i t s ays “ These r ules … s hould b e c onstrued, a dminis-
tered, and employed by the court and the parties to secure the just,
speedy, and inexpensive determination of every action and proceeding”
(emphasis added).
This is, in effect, laying down the theme of the new rules. You will
see this theme reflected throughout the amendments. Parties and the
courts need to consider, first and foremost, how to apply the rules to
ensure t he most e ven playing field, at t he least e xpense a nd burden
possible.
* Cornell University Law School, Legal Information Institute, Federal Rules of Civil
Procedure ( as a mended t o D ecember 1 , 2 010): h ttp://www.law.cornell.edu/rules/
frcp/. Retrieved February 11, 2011.
4 EL Ec T R O NI c A L LY S T O RED IN F O RM ATI O N
on behalf of their client that should not be disclosed). The rule also
discusses the methods that should be employed by all parties to man-
age the discovery of their electronic data.
These discussions and agreements take place in what are called the
Rule 16 pretrial meet a nd c onfer c onferences, w here b oth s ides g et
together and discuss what electronic evidence they expect to acquire
and preserve f or the case at hand, how they would like it to be pro-
duced, and the general management of what is called the electronic
discovery or e-discovery process. Agreements are made between the
parties, and those agreements are recorded and become an important
part of t he c ase at hand. We look at some c ase l aw l ater where t he
agreements t hat were made in t hese pretrial meetings were used by
the court to decide on the correct ruling on a question of evidence.
The bases of the agreements that come out of the Rule 16 meetings
are established by Rule 26, which is discussed next and which governs
the provisions of discovery and the duty to disclose.
In the current amendments, there are two changes to Rule 16(b).
The first is in Section (3)(B)(v), and this is again indicative of the
theme o f c ooperation. I t s tates t hat t he s cheduling o rder m ay
“direct t hat b ef ore m oving f or a n o rder r elating t o d iscovery t he
movant must request a c onference w ith t he court.” A s noted, t his
is to e ncourage t he pa rties to w ork t hings o ut i n a n e fficient a nd
cooperative way.
The second is again in Section (3)(B), but in (iv) a nd it relates to
claw-back. Claw-back rules are about when a pa rty can basically say,
“oops” and ask the other party to return some evidence it produced (or
the court to not admit it in the case) that should have been protected.
In this section, the changes refer to the Federal Rule of Evidence
502, which we’ll discuss later. Basically, it simply allows for any agree-
ments r eached u nder t hat r ule o f e vidence t o a lso b e c onsidered i n
whether produced evidence should be able to be “clawed” back.
of paramount importance (and you should not wait until you have a
legal case at hand before discussing this).
It is equally important to ensure that you and your legal representa-
tives understand where the data are physically and logically and how
the d ata w ill b e a ccessed, a cquired, a nd p reserved i n a f orensically
sound m anner (to p reserve t he i ntegrity a nd n onrepudiation o f t he
evidence). In Chapter 3, we take a detailed look at all of the different
types of electronic evidence and where and how they are stored. This
is i nformation you should use a s you e xplore a nd d iscuss w ith your
attorneys the specific electronic data for which you are responsible.
In a survey commissioned by the Deloitte Forensic Center and con-
ducted by the Economist Intelligence Unit (EIU),* it was found that
40% of respondents did not feel like their organization’s IT and legal
staff communicated well and 35% did not have a team to respond to
e-discovery requests. In f act, in many cases, t he people who should
have k nown ab out e- discovery i ssues w ere f ound t o b e pa inf ully
unaware of the issues. This serves to f urther point out the depth of
this problem and the importance of you and your organization com-
ing to grips with it as soon as possible.
If you have reason to consider data inaccessible, you will need to do
a good job of explaining and documenting why that is the case.
Rule 26(b)(2) was amended to specifically address this issue. It basi-
cally says that if relevant electronic data are not “reasonably accessible”
because the data would cost too much to produce or be too much of a
burden or are simply no longer available, then you are not required to
produce the data as evidence. It also attempts to set some procedures
for how to shift costs if data are considered inaccessible.
Unfortunately, t he term “reasonably a ccessible” i s not s pecifically
defined in the rules. However, there is considerable case law that gives
some idea of what the courts are expecting.
Data t hat a re l ive, o nline o n s ervers, d esktops, l aptops, a nd s o
forth, at the time of expected litigation will be considered accessible
of c ourse. B ut a lso, d ata t hat a re w ell d ocumented a nd o rganized,
Figure 1.2 Policies are worth little if they are too complex or too numerous to be understood and
followed.
above when discussing when the court should “limit the frequency or
extent of discovery.”
In Rule 26(C)(1)(b), they have amended the wording to address the
allocation of costs by including “or the allocation of expenses” in the
specific terms a court can add to a protective order.
Once again, the writers are hoping to give the court tools whereby
it c an e ncourage r esponsible a nd i nexpensive o ptions f or d iscovery
from all parties.
Finally, a s i n Ru le 16(b)(3)(B) ab ove, t he n ew a mendments i n
Rule 26(f)(3) include a reference to the Federal Rule of Evidence 502
as a nother reason t hat c an be i ncluded i n a n a greed-upon order f or
production as a r emedy f or the accidental p roduction of privileged
data. This would be included as part of the “Discovery Plan” that is
outlined in this rule.
VOL I.
P. 155.—It was not only as mortar that bitumen was used. Mr.
Rassam tells us that he found at Abou-Abba (Sippara), in Chaldæa,
a chamber paved with asphalte much in the same fashion as a
modern street in London or Paris (Proceedings of the Society of
Biblical Archæology).
P. 200.—From a late communication to the Society of Biblical
Archæology we learn that Mr. Rassam found the Sippara tablet in
the corner of a room, under the floor; it was inclosed in an inscribed
earthenware box.
P. 242, line 12; for Shalmaneser III. read Shalmaneser II.
P. 266, line 8 from foot: for Plate X. read Plate IX.
P. 305.—Intercourse between the valley of the Nile and that of
the Tigris and Euphrates seems to have begun not sooner than the
eighteenth Egyptian dynasty. To this conclusion we are led both by
Egyptian texts and by the tablets in the library of Assurbanipal. Most
of the tablets are reprints—if we may say so—of texts dating
originally from Ur, and from the time of the ancient Chaldæan
monarchy. Now these texts seem to have been written by a people
who knew not Egypt; no mention of that country is to be found in
them. They contain a division of the world into four regions, in none
of which Egypt has a place (Sayce, The Early Relations of Egypt and
Babylonia, in Lepsius’s Zeitschrift, p. 150).
P. 349.—We may here draw attention to an object which may be
compared to that described by M. Clermont Ganneau, both for its
intrinsic character and its probable destination. It is a tablet in brown
limestone, portable, and surmounted by a ring or staple cut in the
material. On one face there is a bas-relief in which the goddess who
occupies the lower register in Péretié’s bronze again appears. She
has the head of a lioness, a snake dangles from each hand, the
arms are outstretched, and two animals, in which Layard recognises
a lioness and a sow, hang to her breasts. This goddess stands
before an animal which has a bull’s head in the engraving given by
Lajard. But its feet are those of a horse, and no doubt we should find
that the animal in question was a horse if we could examine the
original; but we do not know what has become of it. If, as there
seems reason to believe, this goddess is an infernal deity, it is easy
to understand why serpents were placed in her hands. These
reptiles are the symbols of resurrection; every year they quit their old
skins for new ones. The object in question is described in detail in
the Recherches sur le Culte de Vénus, p. 130, and figured in Plate
XVI, Fig. 1. Upon one of the larger faces of the tablet and upon its
edges there are inscriptions, magic formulæ according to M. Fr.
Lenormant.
This tablet was formerly in the cabinet of M. Rousseau, at one
time French consul at Bagdad. It was found in the ruins of Babylon.
Size, 24 inches high by 24 inches wide, and 3⅞ inches thick.
P. 384.—In speaking of the excavations made by Sir H.
Rawlinson at Borsippa, we forgot to mention his paper entitled On
the Birs Nimroud; or, The Great Temple of Borsippa (Journal of the
Royal Asiatic Society, vol. xviii. p. 1–32). Paragraphs 1 and 2 give an
account of the excavations, and we regret that we wrote of the
religious architecture of Chaldæa before having read them. Not that
they contain anything to cause us to change our conceptions of the
staged towers. The excavations seem to have been carried on with
great care, but they hardly gave results as complete as they might
have done had they been directed by a thoroughly-trained architect.
VOL. II.