Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2011-03-24 08:16:10Format, images and links may no longer function correctly. I try to read the actual opinions on cases that vendors in our market all too often seize onto, only to emphasize a single point that that does not dive into the full spectrum of issues at hand (case-in-point, Bill Tolson of Iron Mountain writing a blog entry about “Spoliation does not require purposeful destruction of evidence”, which focuses on District Judge Coleman’s $1,000,000 sanction and clear statements that the plaintiffs were responsible for their agents’ actions). Many times the actual fact pattern and conclusions are subject to interpretation. More importantly, there are often little facts or findings that are fascinating. In the case of Rosenthal Collins Group, LLC v. Trading Techs. Int’l, No. 05 C 4088, 2011 WL 722467 (N.D. Ill. Feb. 23, 2011), I chased down this rabbit hole to figure out exactly who had reset the last modified dates and why. The summaries all mention the plaintiff’s “agent” and I expected to find a service vendor, IT contractor or even a hard up consultant in the actual opinion. Instead, I found a tech savvy programmer/contractor/custodian who used utilities to forensically wipe all of his media and then reset his dates by changing his system clock.
Have you cleaned your drives today?
Buried in the depositions from the defendant’s forensic experts were some fascinating bits. In deposition, David Klausner of Impact Forensics asserted that all of the produced media had been wiped prior to production. Moreover, he was able to provide the actual date and time of the wipes because the software used left behind a “fingerprint” that was retrieved from the forensic images. In further deposition, the contractor-custodian admitted to wiping in order to “[t]o make sure that any files on there were not reco-verable other than the ones that I put on there.” (Dkt. # 306-14, Buist Dep. II at 95.) The combination of altered dates and wiped media was sufficient cause for the court to grant default judgment and sanctions under Rule 37.
I will leave others to focus on the obligations of corporations and counsel to properly manage preservation and collection obligations with potential custodians, contractors or employees. The interesting tidbit here is the signature that at least some commercial digital wiping programs leave behind. Our industry lives on portable hard drives. Best practice is for acquisition of forensic images and other bitwise collections to be made onto brand new media. The reality of rapid collection sweeps often departs from best practices, especially when efforts are conducted by in-house IT/Security personnel who are under time and cost pressure. After all, if you have cleaned the hard drive with software that is compliant with any of the various data removal standards (example: DoD 5220.22-M), then why not reuse the drive? Most corporate termination protocols (when one exists) specify wiping and reimaging employee computers and media before reissue. That means that your current employees/custodians may have these digital signatures on the root of their laptop drives already.
Given the adverse nature of our business and the tendency toward technical obfuscation, I can easily imagine scenarios where a sharp investigator raises authenticity questions over drives produced for inspection or imaging. Some service providers recycle their drives after a thorough wipe. As long as it is clear that the production is only a copy of the final ESI, that should not raise any questions. But with eDiscovery duties moving in-house, corporations may be held to an even higher standard of care than their third party providers. After all, the provider has little or no incentive to alter or erase potential evidence. The defendant’s agent seemingly desired to remove personal information and anything that might contradict his testimony from his media. Accidents and data loss by internal litigation support and security groups will always be viewed with under a harsher light than the same action by a provider. I found the “fingerprint” of the drive wipe software interesting. It makes me wonder what other innocent, routine actions could be misinterpreted when corporations take on the full responsibility of preservation through production.