Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2011-05-06 04:05:32

All of us techies are familiar with strange computer requests from friends and family. I had one today from a good friend in the middle of a business dispute, and it got me thinking about what we now take for granted in civil discovery. The key question boiled down to, “So can you tell if this Excel 2007 spreadsheet was created or changed right before being sent?” I’m staring at the email with the attached spreadsheet, knowing that my friend will not like the answer. It takes only seconds to check the internal properties and see that the spreadsheet was created three months ago but modified just prior to being emailed. But what does that really tell us? Not much. The sender could have popped open the original spreadsheet to recheck it and then hit Save instead of just closing it; the modified stamp moves on every save, whether or not a single cell changed. Without the file system metadata that any proper discovery collection would have acquired, there was just no good answer for my friend. Friends, family and counsel all seem to expect some kind of technical CSI magic that reconstructs every instant of a file’s life. The reality is that improper collection or preservation can effectively destroy any chance of authenticating critical properties like dates, authors and more.
This little favor did let me dig through the XML parts of the new .XLSX format using the .ZIP renaming method that I detailed in Cracking Office Open XML Files. The internal properties live in docProps/core.xml inside the compressed package. In this case all I found was Creator, lastModifiedBy, Created and Modified fields, which corresponded to the Document Properties displayed within Excel itself. No buried history or other change management turned up in any of the other file parts. Keep in mind that those dates and names are plain text in an XML part: they are only as trustworthy as whoever last wrote the package, and anyone with a zip tool can rewrite them without Excel ever being involved.
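As an added example (this is not code from the original post), here is a small Python script that does the .ZIP renaming trick programmatically: it opens the package with the standard zipfile module, reads docProps/core.xml, pulls out the Creator, lastModifiedBy, Created and Modified fields, and computes the gap between the two embedded timestamps. Because a real workbook cannot be shipped with this page, the script also builds a minimal constructed package containing only the parts it reads; the person name and dates in it are placeholders, and build_sample_package, read_core_properties, edit_gap and zip_entry_times are names chosen here, not anything from Excel or the OOXML spec.

```python
"""Pull the core document properties out of an Office Open XML package.

An .xlsx/.docx/.pptx file is a ZIP archive; the fields Excel shows under
Document Properties are stored as XML text in docProps/core.xml.
"""
import io
import zipfile
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Namespaces used by docProps/core.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def read_core_properties(package_bytes):
    """Return the four core fields from docProps/core.xml as strings (or None)."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def parse_w3cdtf(value):
    """Parse the W3CDTF timestamps core.xml uses, e.g. 2011-02-04T15:30:00Z."""
    if value.endswith("Z"):
        return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value)


def edit_gap(props):
    """timedelta between the embedded Created and Modified stamps."""
    return parse_w3cdtf(props["modified"]) - parse_w3cdtf(props["created"])


def zip_entry_times(package_bytes):
    """Per-entry timestamps from the ZIP directory. Office typically writes the
    ZIP minimum date (1980-01-01) here, so they rarely say anything useful;
    the constructed sample below gets the current time from zipfile instead."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return {info.filename: info.date_time for info in zf.infolist()}


# --- constructed sample package (NOT a real Excel file) ---------------------
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:creator>{creator}</dc:creator>'
    '<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    '</cp:coreProperties>'
)

CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/docProps/core.xml" '
    'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    '</Types>'
)


def build_sample_package(creator, last_modified_by, created, modified):
    """Build a minimal package holding only the parts this script reads.
    Placeholder names and dates; a real workbook carries many more parts."""
    core = CORE_XML.format(creator=creator, last_modified_by=last_modified_by,
                           created=created, modified=modified, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python core_props.py some.xlsx
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                       # constructed sample, placeholder values
        data = build_sample_package("A. Sender", "A. Sender",
                                    "2011-02-04T15:30:00Z", "2011-05-05T21:58:00Z")
    props = read_core_properties(data)
    for key, value in props.items():
        print(f"{key:15} {value}")
    print("created -> modified gap:", edit_gap(props))
```

Run it against a real .xlsx by passing the path as the first argument; with no argument it reads the constructed sample. Everything it reports comes from inside the file, so a gap of three months between Created and Modified is exactly as far as the evidence goes: the script cannot tell a substantive edit from an idle re-save, and it cannot tell whether the XML was edited by hand, which is why the operating system timestamps captured at collection time still matter.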
All of this got me thinking about how frequently matters start with someone emailing a file to their attorney. That could be the one key file that makes the case, but unless the original is properly preserved and collected it can be challenged as evidence. How can you prove that it was not altered? That requires a real chain of custody, one that captures the operating system metadata (creation, modification and access timestamps, owner) at the moment of collection and logs every hand-off afterwards, assuming that information is still intact by the time anyone thinks to collect it. Loose files on a local or network file share are at continual risk of spoliation from errant users and automated systems such as backup, antivirus and indexing jobs that touch files as a side effect. It is a good argument for centralized archives or content management systems, which will hopefully protect file metadata and contents. I say hopefully, because some historic applications actually alter the very properties that we need. Whenever you look at your overall discovery processes and technologies, you should ask yourself whether file dates and content can be reasonably preserved and authenticated as evidence. Don’t ask your vendor, test it yourself: copy a known file through the system and compare its internal properties and file system timestamps before and after.