This Month’s Installment From Cybercontrols

Contrary to the old phrase, “…be careful of what you ask for, you just might get it,” commercial litigators need to be alert to the fact that electronically stored information (ESI) encompasses far more than just e-mails, documents, photos and instant messages. The problem for a requesting party is that a producing party, unless otherwise directed, will concern itself only with identifying, collecting, reviewing and ultimately producing readily accessible “active” files. The yield from this routine approach may not be even close to a full representation of the available ESI that relates to the case and to the actions of persons of interest while they used the computers in their custody. Computer forensic examiners refer to this lesser-known category of useful ESI as computer artifacts.

Short of a full computer forensic examination, a requesting party may want to consider including in their initial e-discovery production requests that a number of computer artifacts be included with the responding party’s production. These artifacts may include:

  1. Each computer’s Windows registry history, including all installed software and all external hardware devices connected to each computer of interest.
  2. Each computer’s Master File Table (MFT), which will clearly identify the complete file structure including distinct folders on each computer for future reference.
  3. Each computer’s Internet History Files, which will disclose the Internet activities of each computer custodian.
  4. All link files (.lnk) from each custodian’s computer, which may show the usage of relevant files that are stored on external storage devices.

This approach has the potential to avoid the full-fledged fight that a computer forensic examination request would surely foster. But a reasonable request for some of the items listed above would help to eliminate concerns and suspicions that relevant ESI was being withheld. The Windows registry would help establish whether or not any scrubbing software had been installed on a particular computer.

It would also help identify whether any external media devices were connected to the computer. If so, did the producing party conduct its e-discovery on all of those devices for relevant ESI or not?

The Master File Table of each computer will provide a complete road map of the user’s file structure and the folders in which data files were stored. If the Internet activities of certain persons of interest are relevant, these activity files may prove to be crucial to the requesting party.

Finally, the link files (.lnk) are often the most irrefutable means by which to determine the date and time when specific data files were last accessed and/or modified by the user of a computer, whether those files were located locally on the computer or on a network’s file server.
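To show where those dates come from, the following Python sketch is an added example (not CyberControls’ own tooling) that reads the fixed 76-byte header of a .lnk file, as laid out in Microsoft’s MS-SHLLINK specification, and returns the target file’s created, accessed and modified times as recorded in the link. The function names and the sample header are constructed for illustration; it works on bytes already read from a copy of the file and never writes to the evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQI"  # size, CLSID, flags, attributes, 3 FILETIMEs, file size
HEADER_SIZE = 0x4C          # the header is always 76 bytes


def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def parse_lnk_header(data):
    """Return the target-file metadata stored in a .lnk header (read-only)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    size, clsid, _flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        HEADER_FMT, data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_modified": filetime_to_utc(wtime),
        "target_size": fsize,
    }


def build_sample_header(created, accessed, modified, size):
    """Constructed 76-byte header for demonstration; not taken from a real case."""
    def ft(dt):
        return int((dt - EPOCH_1601).total_seconds()) * 10_000_000
    head = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0, 0x20,
                       ft(created), ft(accessed), ft(modified), size)
    return head + bytes(HEADER_SIZE - len(head))  # icon, show command, hotkey, reserved


if __name__ == "__main__":
    sample = build_sample_header(
        datetime(2020, 1, 1, tzinfo=timezone.utc),
        datetime(2020, 3, 15, 9, 30, tzinfo=timezone.utc),
        datetime(2020, 3, 14, 17, 5, tzinfo=timezone.utc),
        48213,
    )
    for field, value in parse_lnk_header(sample).items():
        print(f"{field}: {value}")
```

The header times are stored in UTC and describe the target file as of the last time Windows updated the link, so they should be read alongside the .lnk file’s own file-system timestamps.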

CyberControls has dubbed this added element to the e-discovery production request as the “Computer Artifacts Report.” It’s important to note that a producing party is obligated to take the necessary precautions when collecting these computer artifacts not to modify, alter or corrupt the data itself. An e-discovery or computer forensics specialist can provide the necessary instructions and/or support for this.

Computer artifacts can also prove to be quite helpful to a responding party when counsel is searching for additional elements to help bolster aspects of a case where the production of documents or e-mails is insufficient. Such artifacts can also help to stave off a more intrusive and costly computer forensic examination initiated by the requesting party.

CyberControls is made up of experienced specialists in electronic discovery. They can be reached at 847-756-4890 or on the web at
