A practical guide to e-mail discovery: do you know what to ask for when seeking a defendant's e-mail records? Learning which technology propels e-mail systems and where messages are stored is the first step.

Futurist Arthur C. Clarke said, "Any sufficiently advanced technology is indistinguishable from magic." E-mail is one of those magical technologies most of us use every day without really understanding how it works. In discovery, if you simply make a request for "the e-mail," you may get what you asked for, but if you understand how e-mail systems work, you can better gauge whether something is missing and whether the methods used to gather the e-mail were calculated to locate all responsive messages.

E-mail is the watchword in discovery today. Some call the push for production of electronic mail a feeding frenzy, but it's no more than the recognition of how central to lives and work e-mail has become. More than 50 billion e-mail messages traverse the Internet daily, far more than the number of messages exchanged via telephone and regular mail combined, and the average businessperson sends and receives between 50 and 150 e-mails every workday. At that rate, a company employing 100,000 people could find itself storing 3 billion e-mails annually. Trial lawyers go after e-mail because it accounts for the majority of business communications and because e-mail users tend to let their guard down and get to the heart of the matter with candor not often seen in a paper memo.

Aggregate volume is only part of the challenge in discovery and production of e-mail. Unlike paper records, e-mail is usually stored in massive, commingled data blobs.
For example, the single file containing my Outlook e-mail is over three gigabytes in size and holds about 35,000 messages--many with multiple attachments--containing discussions about virtually every aspect of my life, and many other people's lives, too. In thousands of those e-mails, the subject line bears only a passing connection to the contents, because threads of "Reply" messages stray far from the original topic without changing the subject line. E-mails sent by absentminded clicks of the "Forward" button also lodge in my inbox, dragging with them, like toilet paper on a wet shoe, the unsolicited detritus of other people's business.

If I had to respond to a discovery request for e-mail on a particular topic, I'd need to speed-read all 35,000 messages or be very confident that a keyword search would flush out responsive material. If the request for production included material no longer kept on my current computers, I'd have to root through old systems, obsolete disks, outgrown hard drives, ancient backup tapes (for which I have no tape reader), and unlabeled CDs, uncertain whether I'd lost the information or just overlooked it. The situation isn't much different in corporate America.

Protocols

Computer network specialists are always talking about "protocols," but don't let the geek-speak intimidate you. A protocol is just a bit of computer code that facilitates communication between applications--for example, between your e-mail program and a network or the Internet. When you send a snail-mail letter, the U.S. Postal Service's protocol requires that you put your message in an envelope of certain dimensions, seal it, add address information, and affix postage to the upper right-hand corner. Only then can the letter be transmitted through the postal system. Omit the address, the envelope, or the postage--or fail to drop it in a mailbox--and Grandma gets no birthday card.

Computer networks use protocols similarly to transfer information. You already invoke a protocol--Hyper Text Transfer Protocol (HTTP)--every time you type "http://" at the start of a Web page address.

Although Microsoft Exchange Server rules the roost for business e-mail and Lotus Notes
is a distant second, these are not the most common e-mail systems used by individuals and small businesses. You probably have a personal e-mail account with an Internet Service Provider (ISP) like Earthlink or America Online (AOL). E-mail may come to you via one of four common protocols: POP, IMAP, MAPI, or HTTP. Understanding how these protocols work--and differ--helps identify where e-mail can be found.

POP (Post Office Protocol) is the oldest and most common approach, supported by Outlook Express, Netscape, and Eudora e-mail programs. With POP, you connect to a mail server and download copies of your messages. The e-mail is then deleted from the server and resides on the hard drive of your computer and on the backup system for the servers that sent, transported, and delivered the messages. In short, POP is locally stored e-mail with limited server storage.

IMAP (Internet Message Access Protocol) differs from POP in that when you check your e-mail using IMAP, the e-mail program typically downloads just the headers (To, From, Date, Subject) of messages it finds on the server, retrieving the body of a message only when you click to read it. Otherwise, messages stay in your account on the server and on its backup systems. To allow you to read and answer mail without being connected to the Internet, IMAP can synchronize the server files with a counterpart on your hard drive. When you reconnect to the server, the e-mail stored on your computer is updated and messages you drafted while off-line are transmitted. To summarize, IMAP is server-stored e-mail with an option for synchronized local storage.

MAPI (Messaging Application Programming Interface), used by Microsoft's Exchange Server program, is like IMAP in that e-mail is typically stored on the server. Local computers can be configured to synchronize with the server and keep copies of mail on their hard drives, but not all users turn that feature on.

HTTP mail--like Gmail, Hotmail, and Yahoo Mail--is Web- or browser-based.
It dispenses with the e-mail program altogether and manages all messages on the server. You get to your e-mail using an Internet browser to view an interactive Web page. Typically, users don't store browser-based e-mail transactions on their hard drive; however, as with any other Web page, browser-based e-mail may be found in the browser's cache (for example, Internet Explorer's Temporary Internet Files folder) or in sections of the hard drive accessible only by using forensic examination software. Many ISPs and all the national providers offer browser-based e-mail access in addition to POP or IMAP connections.

The main reason to know what protocol was used to carry e-mail is that it signals the most likely place to find archived e-mail. Companies choose server-based e-mail systems (like IMAP and MAPI) to make it easier to access e-mail from different locations and machines and to be able to back up e-mail from a central location. Because these protocols store all e-mail on the server, server-backup systems can yield a mother lode of e-mail. Conversely, e-mail is less likely to be found on local hard drives, save for fragments found through computer forensic examination.

Depending on the company's server-backup procedures, accessing its archived e-mail may be costly and time-consuming, or it may be relatively easy. It's expensive to locate and restore enormous volumes of e-mail from backup tapes, so discovery of e-mail archived this way is a frequent cause of disagreement between litigants. (1)

Storage formats and locations

Because individual e-mails are just text files, they could be stored as discrete documents. However, that's an inefficient way to manage a large number of messages, so e-mail programs use complex database files to house e-mail. Each of the major e-mail programs has a unique format for its database, usually incorporating encryption and data compression.

The only way to know for sure if e-mail is stored on a local hard drive is to look for it. Merely checking the e-mail program's settings is not enough, since settings change. An e-mail program not configured for local storage today may have been set to keep everything until the new IT person arrived. Users may create new identities on their systems, install different e-mail software, upgrade their computers, add more storage, make backup copies of messages, or otherwise purposefully and accidentally cause messages to be archived on a hard drive.

Consider a user who first dipped her toes in the online ocean through Hotmail or AOL. Seeking a faster connection, she switched to a local ISP with cable or DSL service and started downloading e-mail using Netscape Messenger or Microsoft Outlook Express. With growing sophistication, a job change, or new technology at the office, she shifts to Microsoft Outlook via an Exchange server, or Lotus Notes via a Domino server. Each of these steps can leave a large "abandoned" cache of e-mail on the user's computer that's fair game for discovery. Accordingly, no producing party should assert that a user has no e-mail unless the user's computers, servers, and backup systems have all been thoroughly searched by someone who knows where active and cached e-mail may reside.

In disputes involving medium- to large-sized businesses, the e-mail server is likely to be the principal focus of electronic discovery efforts. It's the crossroads of corporate communications and the most effective chokepoint where you can grab the biggest slice of relevant information in the shortest time for the least cost. The server is a productive venue in electronic discovery for many reasons:

* Periodic backup procedures tend to shield stored e-mail from anyone who, by error or guile, might delete or falsify data on computer hard drives.
* The ability to recover deleted mail from server backups may obviate the need for costly and sometimes fruitless forensic efforts to restore lost messages.
* Data stored on a server is often less prone to tampering because central computer facilities have additional physical and system security measures.
* Servers afford access to multiple users' e-mail and may diminish the need to access multiple locations, workstations, laptops, and home computers.
* Whereas individual users organize messages in many different formats and folders, a server stores e-mail in a consistent, predictable way.

Of course, the biggest advantage of the mail server--that it can deliver thousands or millions of messages--is also its biggest disadvantage: Someone has to extract and review all those messages. Without a carefully crafted discovery plan and sound management, both requesting and responding parties run the risk of runaway costs, overlooked evidence, and wasted time.

Server-based e-mail data may comprise easily accessed online or "live" data or less accessible off-line or "archival" data. "Chunks" of data regularly migrate from online to off-line areas--daily, weekly, or monthly--as selected information is copied onto backup media and deleted from the server. The most common backup mechanism is a tape drive, which is like a specialized version of a VCR. These drives store data on magnetic tape cartridges not unlike VHS tapes. Though some companies store years of data in thousands of tapes, more commonly these tapes are reused or "rotated," so after a period of days, weeks, or months, the tapes containing the oldest information are overwritten with the newest. Over time, repeated use or improper storage can cause tapes to stretch and deteriorate, so that even archived data may be difficult or impossible to recover.
When e-mail is online, it's easy and inexpensive to duplicate the messages and their attachments as files in their original format and copy them to new media for review and production. Offline e-mail can be challenging and costly to retrieve, mainly because of the way computers are backed up. Sometimes a backup will copy everything, including the operating system software and application software, but more often, time and cost constraints mean that only the data that can't be reinstalled from other sources is archived. The most common practice is to copy all the data at intervals (for example, once a month), copying only incremental changes to the data more frequently.

The huge volume of duplicate e-mail found on successive backups is a daunting challenge. A complete backup of a user's e-mail folders one day may look very much like the next day's--perhaps 90 percent of the messages will be identical copies of e-mail the user stores in the in-box and other folders. Without the use of specialized software or an e-discovery service provider to filter out identical e-mails (to "de-duplicate" the data), reviewers are obliged to read the same items over and over again.

Another pitfall of backup tapes is that, depending on how the system is configured, any e-mail received and deleted between backups is often lost. For example, if the defendant's e-mail server is backed up after hours, e-mail received in the morning and deleted in the afternoon is gone when that night's backup begins.

Seeking e-mail

As the volume of e-mail mounts, producing parties turn to keyword and concept search tools to identify relevant messages.
Be wary of searches based on subject lines alone. As an e-mail "conversation" threads from one message to the next, aided by the "Reply" button, discussions can veer far afield of the stated subject. Keyword searches will miss responsive items when correspondents use their own argot or simply can't spell. If the producing party employs search tools in lieu of human judgment when responding to discovery requests, you have a right to know it and to challenge the methodology if it proves inadequate to the task. Be especially wary of "black-box solutions," promising miracles but lacking empirical performance data as compared to skilled human reviewers.

If relevant, be sure to seek production of BCC fields, which exist only on the sender's copy of the e-mail. Also, keep in mind that what a user sees in his or her e-mail program is just part of the data in an e-mail. Sometimes (for example, when authenticity is in doubt), you'll need the complete contents, including header data and routing information.

Know that when your opponent claims, "The last 60 days of mail is on the server but the rest is purged," that's not the whole story. E-mail is never all gone, notwithstanding retention policies dictating that it disappear. The true location and extent of e-mail depends on systems configuration; user habits; backup procedures; and other hardware, software, and behavioral factors. This is true for mom-and-pop shops, for large enterprises, and for everything in between. So don't give up.
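
The de-duplication and search pitfalls described above, as an added Python example that is not part of the original article: it hashes selected header fields plus the body to collapse identical copies across backup sets (Bcc is included in the hash so the sender's copy is not discarded as a duplicate of a recipient's copy), then compares a subject-only keyword search with one that also reads the body. The addresses, messages, backup names, and the choice of hashed fields are constructed assumptions.

```python
import hashlib
from email import message_from_string
from email.utils import getaddresses


def make(frm, to, subject, date, body, bcc=None):
    """Build a raw message. Everything passed in below is constructed sample data."""
    headers = [f"From: {frm}", f"To: {to}", f"Subject: {subject}", f"Date: {date}"]
    if bcc:
        headers.append(f"Bcc: {bcc}")
    return "\n".join(headers) + "\n\n" + body + "\n"


LUNCH = dict(frm="alice@example.com", to="bob@example.com", subject="Lunch Friday?",
             date="Mon, 03 Mar 2003 09:15:00 -0600",
             body="Are you free for lunch on Friday?")
SENDER_COPY = make(bcc="carol@example.com", **LUNCH)  # Bcc exists only on this copy
RECIPIENT_COPY = make(**LUNCH)                        # what Bob's mailbox holds
DRIFTED_REPLY = make("bob@example.com", "alice@example.com", "RE: Lunch Friday?",
                     "Mon, 03 Mar 2003 10:02:00 -0600",
                     "Sure. Separately, keep the brake recall memo off the shared drive.")
NEW_MAIL = make("alice@example.com", "dave@example.com", "Q1 numbers",
                "Tue, 04 Mar 2003 08:00:00 -0600", "Attached are the Q1 numbers.")

# Successive backups repeat most of a mailbox; the backup names are hypothetical.
BACKUPS = {
    "alice-monday": [SENDER_COPY, DRIFTED_REPLY],
    "alice-tuesday": [SENDER_COPY, DRIFTED_REPLY, NEW_MAIL],
    "bob-tuesday": [RECIPIENT_COPY, DRIFTED_REPLY],
}


def addresses(msg, field):
    """Lower-cased, sorted addresses of one header, so order and case don't matter."""
    return sorted(addr.lower() for _, addr in getaddresses(msg.get_all(field, [])))


def body_text(msg):
    """Body with whitespace collapsed (the sample messages are single-part text)."""
    return " ".join(msg.get_payload().split())


def dedup_key(msg):
    """SHA-256 over the fields that make two copies 'the same message' for review."""
    parts = [",".join(addresses(msg, f)) for f in ("From", "To", "Cc", "Bcc")]
    parts += [msg.get("Date", "").strip(),
              " ".join(msg.get("Subject", "").split()),
              body_text(msg)]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def deduplicate(backups):
    """Return {key: (first copy seen, [names of backups holding a copy])}."""
    unique = {}
    for name, raws in backups.items():
        for raw in raws:
            msg = message_from_string(raw)
            unique.setdefault(dedup_key(msg), (msg, []))[1].append(name)
    return unique


def search(unique, keyword, include_body):
    """Subjects of unique messages whose subject (and optionally body) has keyword."""
    hits = []
    for msg, _ in unique.values():
        haystack = msg.get("Subject", "")
        if include_body:
            haystack += " " + body_text(msg)
        if keyword.lower() in haystack.lower():
            hits.append(msg["Subject"])
    return hits


def bcc_holders(unique):
    """Backup lists for each unique message that still carries a Bcc header."""
    return [names for msg, names in unique.values() if msg.get("Bcc")]


if __name__ == "__main__":
    unique = deduplicate(BACKUPS)
    total = sum(len(raws) for raws in BACKUPS.values())
    print(f"{total} copies on backups, {len(unique)} unique messages to review")
    print("subject-only search for 'recall':", search(unique, "recall", False))
    print("subject+body search for 'recall':", search(unique, "recall", True))
    print("backups holding a copy with Bcc:", bcc_holders(unique))
```
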
There is always at least one "pack rat" who keeps a copy of every e-mail. For example, he or she may burn old e-mail to CDs or forward it to a free Gmail or Yahoo account. The only way to get to these items is by asking the right questions that compel your opponent to search for them. If you don't, the other side will look at the items on the server and ignore the many other places e-mail lodges.

Consider the following e-mail venues, grouped according to relative accessibility, and be sure the search doesn't start and stop with the first item listed.

Easily accessible

* Online e-mail residing in active files on enterprise servers like Microsoft Exchange (.edb, .stm, .log files), Lotus Notes (.nsf files), and Novell GroupWise (.db files)
* E-mail stored in active files on local or external hard drives and network shares, user workstation hard drives (for example, .pst, .ost files for Outlook and .nsf for Lotus Notes), laptops, "local" e-mail data files stored on networked file servers (network shares), mobile devices (PDAs, "smart phones," Blackberries), and home systems, particularly those with remote access to office networks
* "Nearline" e-mail like optical "juke box" devices and backups of individual users' e-mail folders (known as "brick level" backups)
* Off-line e-mail stored in networked repositories (for example, Zantaz EAS, EMC EmailXtender, and Waterford MailMeter Forensics)

Accessible, but often overlooked

* E-mail residing on remote servers like ISPs (IMAP, POP, HTTP servers), Gmail, Yahoo Mail, and Hotmail
* E-mail forwarded and copied to third-party systems (for example, when an employee forwards e-mail to herself at a personal e-mail account)
* E-mail threaded behind subsequent exchanges--the subject and latest contents diverge from earlier exchanges lodged in the body of the e-mail
* Off-line local e-mail stored on removable media (for example, external hard drives, thumb drives, and memory cards), optical media (CD-R/RW, DVD-R/RW), floppy drives, and zip drives
* Archived e-mail (auto-archived to additional .pst by Outlook or saved under a user-selected file name)
* Common user "flubs" (users experimenting with export features and unwittingly creating e-mail archives)
* Legacy e-mail (users migrate from e-mail clients, "abandoning" former e-mail stores)
* E-mail saved to other formats like .pdf, .tiff, .txt, and .eml
* E-mail contained in review sets assembled for other litigation or compliance purposes
* E-mail retained by vendors or third parties like former service providers
* Printouts to paper

More difficult to access

* Off-line e-mail on server backup media (backup tapes like DLT and AIT)
* E-mail in forensically accessible areas of local hard drives (deleted e-mail, internet caches, unallocated clusters)

It's rare that an exhaustive e-discovery search is begun before the first motion to compel and for sanctions. It's rarer still that a later search fails to turn up items that should have been produced. When the other side swears, "There isn't anything else," they may be leveling with you, but that doesn't mean they're right. If you study the systems and learn where evidence hides, you can force them back to the well--or prove they're all wet.

RELATED ARTICLE: 20 tips for electronic discovery.

E-mail isn't the only type of electronic data you're likely to want for your case. Here are some points to consider to ensure your opponent produces everything you need.

1. Get your preservation letter out immediately and be both specific and general. Assume that the recipients don't know their own systems and don't understand computer forensics. Use the letter to educate them so they can't use ignorance as an excuse for failure to retain relevant evidence. (See Richard J. Arsenault & John Randall Whaley, Gathering Digital Data, page 20.)
2. Do your homework. Check online lawyer resources and ask around to learn the nature and extent of your opponent's systems and practices. You're probably not the first person to pursue e-discovery against the defendant. Others may know where the bodies are buried.
3. Get your e-discovery requests out swiftly. Data will disappear.
You'll be in a poor position to complain about spoliation if you failed to seek the missing evidence while it was still around.
4. Force broad retention, but pursue narrow discovery.
5. What the defendant must keep in its records and what it must give you are different obligations. Carefully crafted requests for production make it hard for your opponent to buy delays through objection. Narrow requests compel your opponent to search with a spoon instead of a backhoe. Might 10 well-honed requests in five sets be more effective than 50 requests in one?
6. Opposing counsel may not understand the systems as well as you do, but he or she won't want anyone--especially the client--to know. Help the attorney "get it," so he or she can pose the right questions to the defendant.
7. Question the defendant's information technology people and focus on support staff. They've spent less time in the woodshed than the managers, and they know the real retention practices.
8. Get the defendant's document retention policies, network topology, and inventory of computing resources (including laptops, home systems, PDAs, smart phones, and removable media, like jump drives and external storage devices).
9. Invoke the court's power early to force preservation. The agreement your opponent offers to avoid a court order may be better than the relief you'll get from the judge.
10. If you can't make any headway, ask to have a neutral expert or special master appointed.
11. Ask all opponent employee witnesses what they were told to do to retain e-documents, then find out what they really did.
12. Digital data is easily forged.
Know how and when to check that the data produced is authentic.
13. Learn what metadata (data about data) exists for the items you seek, and don't fail to demand preservation and production of metadata whenever it may be relevant.
14. Don't accept image data (such as .tiff or .pdf files) when you need data in its original format.
15. Have the principal cases on e-discovery and cost-shifting at hand. Tailor your requests using the language in the cases.
16. Set objections for hearing immediately. Require that the defendant support assertions of burden and cost with evidence.
17. Analyze what you get promptly and pin down in writing whether it's being tendered as "everything" that's responsive. Follow up with additional requests based on your analysis.
18. Don't let yourself be railroaded into cost-sharing. If it happens, make sure you're protected from waste and excess by the other side, and leverage your role as underwriter to gain greater access.
19. Be prepared to address claims of privilege. Propose a "claw back" production (where privileged items can be produced without waiver), if this is advantageous.
20. Don't accept the defense's assertions about cost or complexity unless you know they are accurate. Independently evaluate such claims and be prepared to propose alternatives.

Note

(1.) See, e.g., Zubulake v. UBS Warburg LLC, 217 F.R.D. 309 (S.D.N.Y. 2003).

CRAIG BALL is a trial lawyer and computer forensics expert in Montgomery, Texas. His e-mail address is craig@ball.net.