FRCP Rule 34 provides that the requesting party can "inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control … any designated documents or electronically stored information – including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations – stored in any medium from which information can be obtained …".
Generally, the producing party will provide disclosure of responsive data to the requesting party’s ESI production request by physically transferring the data by CD-ROM, DVD, or other storage media. However, amended FED. R.CIV. P. 34 allows testing, sampling, or in some instances for entry onto the property of an adverse party for the purpose of inspecting the property. Depending on the circumstances, Rule 34 has been interpreted to permit an inspection of an individual or corporate computer system by performing searches on computer data or by creating a forensic or "bitstream" image copy of the storage media for later analysis. Under certain circumstances direct seizure of a computer is permitted.
FED. R. CIV.P.45 authorizes similar options for the inspection of ESI of a nonparty.
One of the most fundamental issues about electronic discovery is how a court should respond to requests for electronic materials that have been "deleted." Courts consistently have held that discoverable ESI includes files that have been "deleted". Courts consistently have held that discoverable ESI includes "deleted" files. If restored, this information could be invaluable for exposing patterns of conduct, behavior or motives surrounding its deletion. However, it usually is necessary to present evidence of the relevance and "specific facts" justifying a request for the "deleted" data or the courts may label the request a "fishing expedition".
Forensic images of a hard drive or other storage media can be created to preserve the data for later searching and analysis. The images can then be searched for deleted or altered files, unauthorized copies of software, or other artifacts.
It is normal to allow a party and/or their expert to be present during the imaging process.
Generally, courts hesitate to grant the requesting party on-site access to conduct the actual search because of the risk that data may be inadvertently altered. If access is permitted to the computer system, the producing party’s IT staff or a neutral third party such as a forensic expert is usually retained to perform the necessary computer tasks.
While a sizeable portion of a computer inspection may include conducting a keyword search to locate relevant documents and e-mails, a computer forensic examination of computer hard drives and other storage media has the potential of uncovering a vast amount of lesser known electronic "facts" pertaining to the case that would otherwise never surface. For examples of these ESI artifacts and how they might contribute to a case matter, click on the "Beyond the Smoking Gun" link below.
CyberControls is not a law firm. We are experienced specialists in the in the field of electronic discovery and production, computer forensics and the integration of computer technology and the rules of discovery. Our professional services teams are comprised of pretrial litigation consultants and field technicians and forensic experts. CyberControls’ expertise in computer forensics and investigative experience has proven to be an invaluable resource to hundreds of legal professionals across the country. Visit CyberControls at www.cybercontrols.net.